#1
Strange XP Firewall issue with GPO

Hi, I am having some issues with deploying XP firewall with GPO. The GPO is applied, gpresult on the client shows this. FW settings in control panel are greyed out as expected and can't be edited. So it looks like everything is applying ok, but the actual FW exceptions are not working; for example I have a port exception of 3389 for RDP and have also allowed ICMP Echo request, this traffic does not get through the FW on the client.

My domain is 2003 R2. Clients are XP SP2/3.

GPO created OK
GPO applied to test OU, with some PCs in there.
Run gpupdate /force on client
Try to ping or RDP - No connection allowed
Try to telnet on port 3389, connection refused.

I ran netsh command to see FW state - output below:

C:\Documents and Settings\laurco>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Disable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
135    TCP       IPv4     (null)
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
3389   TCP       IPv4     (null)
445    TCP       IPv4     (null)
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe

I have configured the firewall exceptions in the group policy in the following manner:

Port #:TCP:Scope:Enabled:Description

I look forward to hearing any suggestions what the issue may be??!!

Thanks very much.

cheers.
|
#2
Re: Strange XP Firewall issue with GPO

In news:2739167e-a059-4a1d-91b0-5aad441d3592@j38g2000yqa.googlegroups.com, colin.laurie@googlemail.com <colin.laurie@googlemail.com>, posted the following:

> Hi, I am having some issues with deploying XP firewall with GPO. The
> GPO is applied, gpresult on the client shows this. FW settings in
> control panel are greyed out as expected and can't be edited. So it
> looks like everything is applying ok, but the actual FW exceptions are
> not working; for example I have a port exception of 3389 for RDP and
> have also allowed ICMP Echo request, this traffic does not get through
> the FW on the client.
>
> My domain is 2003 R2. Clients are XP SP2/3.
>
> GPO created OK
> GPO applied to test OU, with some PCs in there.
> Run gpupdate /force on client
> Try to ping or RDP - No connection allowed
> Try to telnet on port 3389, connection refused.
>
> I ran netsh command to see FW state - output below:
>
> C:\Documents and Settings\laurco>netsh firewall show state
>
> Firewall status:
> -------------------------------------------------------------------
> Profile                           = Domain
> Operational mode                  = Enable
> Exception mode                    = Disable
> Multicast/broadcast response mode = Enable
> Notification mode                 = Enable
> Group policy version              = Windows Firewall
> Remote admin mode                 = Enable
>
> Ports currently open on all network interfaces:
> Port   Protocol  Version  Program
> -------------------------------------------------------------------
> 135    TCP       IPv4     (null)
> 137    UDP       IPv4     (null)
> 139    TCP       IPv4     (null)
> 138    UDP       IPv4     (null)
> 3389   TCP       IPv4     (null)
> 445    TCP       IPv4     (null)
> 2869   TCP       IPv4     (null)
> 1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe
>
> I have configured the firewall exceptions in the group policy in the
> following manner:
>
> Port #:TCP:Scope:Enabled:Description
>
> I look forward to hearing any suggestions what the issue may be??!!
>
> Thanks very much.
>
> cheers.

Hi Colin,

Is the GPO set on the OU where the computers exist? Are there any Event log errors on the clients or the DCs? Are you only using the internal DNS on all AD machines (no ISP DNS addresses internally)? Is there a 3rd party AV installed that may be blocking traffic (McAfee and Symantec will do that if not configured properly).

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
|
#3
Re: Strange XP Firewall issue with GPO

On 20 Feb, 18:26, "Ace Fekay [Microsoft Certified Trainer]" <firstnamelastn...@hotmail.com> wrote:

> In news:2739167e-a059-4a1d-91b0-5aad441d3592@j38g2000yqa.googlegroups.com,
> colin.lau...@googlemail.com <colin.lau...@googlemail.com>, posted the
> following:
>
> > Hi, I am having some issues with deploying XP firewall with GPO. The
> > GPO is applied, gpresult on the client shows this. FW settings in
> > control panel are greyed out as expected and can't be edited. So it
> > looks like everything is applying ok, but the actual FW exceptions are
> > not working; for example I have a port exception of 3389 for RDP and
> > have also allowed ICMP Echo request, this traffic does not get through
> > the FW on the client.
> >
> > My domain is 2003 R2. Clients are XP SP2/3.
> >
> > GPO created OK
> > GPO applied to test OU, with some PCs in there.
> > Run gpupdate /force on client
> > Try to ping or RDP - No connection allowed
> > Try to telnet on port 3389, connection refused.
> >
> > I ran netsh command to see FW state - output below:
> >
> > C:\Documents and Settings\laurco>netsh firewall show state
> >
> > Firewall status:
> > -------------------------------------------------------------------
> > Profile                           = Domain
> > Operational mode                  = Enable
> > Exception mode                    = Disable
> > Multicast/broadcast response mode = Enable
> > Notification mode                 = Enable
> > Group policy version              = Windows Firewall
> > Remote admin mode                 = Enable
> >
> > Ports currently open on all network interfaces:
> > Port   Protocol  Version  Program
> > -------------------------------------------------------------------
> > 135    TCP       IPv4     (null)
> > 137    UDP       IPv4     (null)
> > 139    TCP       IPv4     (null)
> > 138    UDP       IPv4     (null)
> > 3389   TCP       IPv4     (null)
> > 445    TCP       IPv4     (null)
> > 2869   TCP       IPv4     (null)
> > 1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe
> >
> > I have configured the firewall exceptions in the group policy in the
> > following manner:
> >
> > Port #:TCP:Scope:Enabled:Description
> >
> > I look forward to hearing any suggestions what the issue may be??!!
> >
> > Thanks very much.
> >
> > cheers.
>
> Hi Colin,
>
> Is the GPO set on the OU where the computers exist? Are there any Event log
> errors on the clients or the DCs? Are you only using the internal DNS on all
> AD machines (no ISP DNS addresses internally)? Is there a 3rd party AV
> installed that may be blocking traffic (McAfee and Symantec will do that if
> not configured properly).
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
> Microsoft Certified Trainer
> ace...@mvps.RemoveThisPart.org
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.

Hi Ace, thanks for the reply.

In answer to your questions:

yes, the GPO is applied only to a 'test OU'; this has 2 computers in there which I am using for testing.
yes, internal DNS only; this is handed out using DHCP Scope options. When I do an ipconfig /all on the target computer the dns suffix is correct.
There are no 3rd party apps for firewall/AV - just a vanilla XP install.
I have looked at Event Logs on client & DC's, they are very 'clean', nothing to suggest a problem has occurred.

As I say the gpo has been applied correctly, gpresult shows this, as well I can see the FW is on and the exceptions appear in the FW list - very odd indeed.

Many thanks,

Colin Laurie
MCSE, MCSA, CCNP
|
#4
Re: Strange XP Firewall issue with GPO

In news:fe08d65d-dad5-4f8d-8880-fc8756464209@v15g2000yqn.googlegroups.com, cdlaurie <colin.laurie@googlemail.com>, posted the following:

> Hi Ace, thanks for the reply.
>
> In answer to your questions:
>
> yes, the GPO is applied only to a 'test OU'; this has 2 computers in
> there which I am using for testing.
> yes, internal DNS only; this is handed out using DHCP Scope options.
> When I do an ipconfig /all on the target computer the dns suffix is
> correct.
> There are no 3rd party apps for firewall/AV - just a vanilla XP
> install.
> I have looked at Event Logs on client & DC's, they are very 'clean',
> nothing to suggest a problem has occurred.
>
> As I say the gpo has been applied correctly, gpresult shows this, as
> well I can see the FW is on and the exceptions appear in the FW list
> - very odd indeed.
>
> Many thanks,
>
> Colin Laurie
> MCSE, MCSA, CCNP

Hi Colin,

Very interesting, indeed. It shows it is applying, yet not working. How about any other settings from a parent, such as an IPSec setting, or anything else?

When you are testing it, such as with echo requests, I assume you are simply pinging the client test machine? From what machine are you pinging it? Any rules on that machine?

Ace
|
#5
Re: Strange XP Firewall issue with GPO

Perhaps the key is "Exception Mode: Disabled" as reported by netsh firewall show state command.

In the GPO, do you have "Do not allow exceptions" set to "Enabled"? If so, in Control Panel, Windows Firewall, the "Don't allow exceptions" will have a check mark and it will be "greyed out" even for administrators.

If this is the case, the firewall will block all incoming connections regardless of what port and what "exceptions" are active.

If you want to prevent local administrators from adding exceptions, set these settings to Disabled in the GPO:
  Windows Firewall: Allow local program exceptions
  Windows Firewall: Allow local port exceptions

If you haven't already, you might want to enable logging: Advanced tab in Control Panel, Windows Firewall or the setting Windows Firewall: Allow logging in the GPO.

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

<colin.laurie@googlemail.com> wrote in message news:2739167e-a059-4a1d-91b0-5aad441d3592@j38g2000yqa.googlegroups.com...

> Hi, I am having some issues with deploying XP firewall with GPO. The
> GPO is applied, gpresult on the client shows this. FW settings in
> control panel are greyed out as expected and can't be edited. So it
> looks like everything is applying ok, but the actual FW exceptions are
> not working; for example I have a port exception of 3389 for RDP and
> have also allowed ICMP Echo request, this traffic does not get through
> the FW on the client.
>
> My domain is 2003 R2. Clients are XP SP2/3.
>
> GPO created OK
> GPO applied to test OU, with some PCs in there.
> Run gpupdate /force on client
> Try to ping or RDP - No connection allowed
> Try to telnet on port 3389, connection refused.
>
> I ran netsh command to see FW state - output below:
>
> C:\Documents and Settings\laurco>netsh firewall show state
>
> Firewall status:
> -------------------------------------------------------------------
> Profile                           = Domain
> Operational mode                  = Enable
> Exception mode                    = Disable
> Multicast/broadcast response mode = Enable
> Notification mode                 = Enable
> Group policy version              = Windows Firewall
> Remote admin mode                 = Enable
>
> Ports currently open on all network interfaces:
> Port   Protocol  Version  Program
> -------------------------------------------------------------------
> 135    TCP       IPv4     (null)
> 137    UDP       IPv4     (null)
> 139    TCP       IPv4     (null)
> 138    UDP       IPv4     (null)
> 3389   TCP       IPv4     (null)
> 445    TCP       IPv4     (null)
> 2869   TCP       IPv4     (null)
> 1900   UDP       IPv4     C:\WINDOWS\system32\svchost.exe
>
> I have configured the firewall exceptions in the group policy in the
> following manner:
>
> Port #:TCP:Scope:Enabled:Description
>
> I look forward to hearing any suggestions what the issue may be??!!
>
> Thanks very much.
>
> cheers.
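As an added example (not from the thread, and not a Microsoft tool), the following Python script parses the `netsh firewall show state` output Colin posted and reports the condition Bruce describes: the exception list is populated while Exception mode is Disable, so none of the listed ports actually admit inbound traffic. The sample output is retyped from the thread; `parse_state` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed sample: the `netsh firewall show state` output posted in the thread, retyped.
SAMPLE_STATE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Domain
Operational mode                  = Enable
Exception mode                    = Disable
Multicast/broadcast response mode = Enable
Notification mode                 = Enable
Group policy version              = Windows Firewall
Remote admin mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
135    TCP       IPv4     (null)
137    UDP       IPv4     (null)
139    TCP       IPv4     (null)
138    UDP       IPv4     (null)
3389   TCP       IPv4     (null)
445    TCP       IPv4     (null)
2869   TCP       IPv4     (null)
1900   UDP       IPv4     C:\\WINDOWS\\system32\\svchost.exe
"""

SETTING_RE = re.compile(r"^([A-Za-z/ ]+?)\s*=\s*(.+)$")          # "Exception mode = Disable"
PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+IPv[46]\s+(.+)$")      # "3389   TCP   IPv4   (null)"

def parse_state(text):
    """Return ({setting: value}, [(port, protocol, program)]) from the netsh output."""
    settings, ports = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if m := SETTING_RE.match(line):
            settings[m.group(1).strip()] = m.group(2).strip()
        elif m := PORT_RE.match(line):
            ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return settings, ports

def diagnose(text):
    """Return (settings, ports that will really admit inbound traffic, findings)."""
    settings, ports = parse_state(text)
    if settings.get("Exception mode") != "Enable":
        # 'Do not allow exceptions' is in force: every listed exception is ignored.
        listed = ", ".join(f"{p}/{pr}" for p, pr, _ in ports)
        return settings, [], [f"Exception mode is {settings.get('Exception mode')}: "
                              f"exceptions {listed} are listed but all inbound traffic is blocked"]
    return settings, ports, []
```

Running `diagnose` over a capture taken after the GPO is corrected (Exception mode = Enable) returns the full port list and no findings, which is the quick check to confirm the fix took effect.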
|
#6
Re: Strange XP Firewall issue with GPO

In news:udyPc$rmJHA.4140@TK2MSFTNGP05.phx.gbl, Bruce Sanderson <bsanders@community.nospam>, posted the following:

> Perhaps the key is "Exception Mode: Disabled" as reported by netsh
> firewall show state command.
>
> In the GPO, do you have "Do not allow exceptions" set to "Enabled"?
> If so, in Control Panel, Windows Firewall, the "Don't allow
> exceptions" will have a check mark and it will be "greyed out" even
> for administrators.
>
> If this is the case, the firewall will block all incoming connections
> regardless of what port and what "exceptions" are active.
>
> If you want to prevent local administrators from adding exceptions,
> set these settings to Disabled in the GPO:
>   Windows Firewall: Allow local program exceptions
>   Windows Firewall: Allow local port exceptions
>
> If you haven't already, you might want to enable logging:
> Advanced tab in Control Panel, Windows Firewall
> or the setting Windows Firewall: Allow logging in the GPO.

Bruce, good catch on the Exception settings!

Ace
|
#7
Re: Strange XP Firewall issue with GPO

On 2 Mar, 05:50, "Ace Fekay [Microsoft Certified Trainer]" <firstnamelastn...@hotmail.com> wrote:

> In news:udyPc$rmJHA.4140@TK2MSFTNGP05.phx.gbl,
> Bruce Sanderson <bsand...@community.nospam>, posted the following:
>
> > Perhaps the key is "Exception Mode: Disabled" as reported by netsh
> > firewall show state command.
> >
> > In the GPO, do you have "Do not allow exceptions" set to "Enabled"?
> > If so, in Control Panel, Windows Firewall, the "Don't allow
> > exceptions" will have a check mark and it will be "greyed out" even
> > for administrators.
> >
> > If this is the case, the firewall will block all incoming connections
> > regardless of what port and what "exceptions" are active.
> >
> > If you want to prevent local administrators from adding exceptions,
> > set these settings to Disabled in the GPO:
> >   Windows Firewall: Allow local program exceptions
> >   Windows Firewall: Allow local port exceptions
> >
> > If you haven't already, you might want to enable logging:
> > Advanced tab in Control Panel, Windows Firewall
> > or the setting Windows Firewall: Allow logging in the GPO.
>
> Bruce, good catch on the Exception settings!
>
> Ace

Hi All, thanks for your replies.

yes indeed it was me being stupid and wasn't allowing that one option to allow exceptions in the GPO - doh.

Thanks again for your help.

cheers.
|
#8
Re: Strange XP Firewall issue with GPO

In news:f4b6381b-b9fe-48ca-9154-da52fd8ebfba@w9g2000yqa.googlegroups.com, cdlaurie <colin.laurie@googlemail.com>, posted the following:

> Hi All, thanks for your replies.
>
> yes indeed it was me being stupid and wasn't allowing that one option
> to allow exceptions in the GPO - doh.
>
> Thanks again for your help.
>
> cheers.

My pleasure, but the credit goes to Bruce for catching that setting!

Ace