Network Security Focus-Microsoft

RE: XP SP2 & GPO controlled firewall gets activated for unknown reasons.

Subject: RE: XP SP2 & GPO controlled firewall gets activated for unknown reasons...
Date: Thu, 2 Dec 2004 20:56:45 -0700
Double check the setting for 'Prohibit use of Internet Connection
Firewall on your DNS domain network'. If it's at regular intervals that
the firewall disables itself, does it coincide with your GPO refresh
rate? What do the machine's event viewer logs look like?

Also, have you ruled out the user as the one who is changing the
settings? A user with administrative rights can change the settings. 

Tim

-----Original Message-----
From: Michael van Zwieten [mailto:mvanzwieten@gmail.com] 
Sent: Thursday, December 02, 2004 12:40 PM
To: focus-ms@securityfocus.com
Subject: XP SP2 & GPO controlled firewall gets activated for unknown
reasons...

Hi Everyone,

I configured Group Policy to control the XP SP2 Firewall using the
standard and domain profiles.  In the standard profile, the firewall is
on... in the Domain profile, the firewall is off.

We have come to find that for some unknown reason, random workstations
throughout our organization will simply turn their domain profile off,
and turn their firewall on.  This makes remote admin/support impossible
in our situation...

Doing a 'netsh firewall show state' shows that the firewall is on when
it should be off, since the workstation is sitting on a LAN hooking into
our domain.  A reboot, or a 'gpupdate /force' and a reboot, will
usually turn the firewall off, and normal operations are resumed...
until it randomly drops again, and turns the firewall on.

Like others that I'm in contact with have found, this problem only
occurs sometimes, not always... and it seems random.  When looking at
client settings, they are no different from ones that work, to ones that
don't work.  Nothing in the event log.

Apparently SP2 does some sort of network discovery to see if it belongs
to the same DNS suffix as the domain it belongs to in AD.  The clients
aren't dropping off the network, and never lose connection. 
Clients aren't hibernating, NIC cards aren't going to sleep, etc.

Does anyone have any ideas on how to make this GP controlled XP Firewall
mess a bit more reliable?

Thanks for your help,
Mike
