Managing Windows Firewall with Group Policy

  • Managing Windows Firewall with Group Policy

    I have a client with a corporate office and approximately 70 remote sites. The corporate office operates in a 2008 R2 AD environment. The remote sites are all workgroups and are being added to the AD environment over the next several weeks. Each remote site exists in its own private address space: 192.168.x.0/24 where x is the store number. The only domain controllers exist at the corporate office and will not be implemented at a remote site. Connectivity between corporate and remote sites is implemented with an MPLS network.

    I would like to eventually apply a monolithic Group Policy to the remote sites to modify their Windows Firewall settings. One of the firewall settings I would like to implement opens a port between an application server and some workstations. The application server has the same IP at each location: 192.168.x.25. The same group of workstations from each location need to talk to the app server: 192.168.x.1-10. I wanted to be able to use a wildcard setting in Windows Firewall to represent the store number -- in other words, allow traffic on a specific port between 192.168.*.25 and 192.168.*.1-10. Currently the only way I see to implement this in Group Policy is to add every IP, instead of using a wildcard (192.168.1.25, 192.168.2.25, and so on). Does anyone know if there is an easier way?

  • #2
    Re: Managing Windows Firewall with Group Policy

    You might be able to make 2 changes without specifying source/destination IPs: set a policy to define all client traffic to servers utilize only a specific port range for TCP and UDP traffic, and a second policy on the servers to only recognize incoming requests from that port range to the specific port or even application name the server is hosting. It may not be as tightly controlled as the granularity you mention, but it does lock things down without the minutia.

    To change the random ports used by a client when it initiates traffic to a server, use a netsh command: "netsh int ipv4 dynamicport tcp start=8500 num=500" will give you a TCP port range from 8500 to 9000. Issue the same command again and replace 'tcp' with 'udp' to assign the same port range for UDP ports. Or you could assign one range for TCP traffic, and a different range for UDP. As long as your firewalls are set to accept the right protocol on the right port ranges, it works. For more detail, see this MS article:
    "http://support.microsoft.com/kb/929851"

    Just be certain to apply the rules in a test scenario where you have direct access to both clients and servers to work out the migration sequence to be certain your system doesn't stop working altogether, before rolling out to remote sites. I am using this principle now, including routers between vlans, without incident.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Re: Managing Windows Firewall with Group Policy

      RicklesP: thanks for the reply. That method may be too fraught with potential trouble for us to implement at this time.
      Any other suggestions?



      • #4
        Re: Managing Windows Firewall with Group Policy

        I think you are overthinking this implementation. I have a similar environment...

        Here is what you should do, but you do have to.
        In your AD structure, create OU based on the site.
        Each site has an OU in your AD.
        In that OU, create two sub OUs for Computers and Users.
        Move the computers and Users that belong to the site to its OU.
        Create a GPO for each site or one GPO for all sites.
        Modify the firewall setting in that GPO.
        Link the GPO to the Computer OU for each site.

        As easy as cake

        HN



        • #5
          Re: Managing Windows Firewall with Group Policy

          Humannetwork: actually we thought of that. However, with the company adding new remote sites at the rate of 7-10 per year the management overhead becomes very high. Additionally, if there were changes across the board to group policy that applied to all sites (which there easily could be) that method requires changing 70+ policies, a management nightmare.
          If Microsoft allowed wildcards in their IP ranges this would be so much easier ...



          • #6
            Re: Managing Windows Firewall with Group Policy

            Originally posted by Humannetwork
            I think you are overthinking this implementation. I have a similar environment...

            Here is what you should do, but you do have to.
            In your AD structure, create OU based on the site.
            Each site has an OU in your AD.
            ....
            Link the GPO to the Computer OU for each site.

            As easy as cake

            HN
            Anyone for Site Level GPOs here?

            As far as the rules and wildcards go, perhaps a script could take care of that?
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **

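A sketch of what such a script could look like, added here as an example and not part of the original thread or any poster's own code. It is meant to run as a GPO computer startup script, so one domain-wide policy serves every site: it reads the machine's own 192.168.x.y address to recover the store number x, then creates the local firewall rule with that site's addresses through netsh advfirewall (available on Windows 7 / Server 2008 R2, where New-NetFirewallRule is not). The application port 1433, the rule name, and the role test on the last octet (.25 is the app server, .1-.10 are the workstations, as stated in the original question) are assumptions.

```powershell
# Added example (not from the thread). Derive the store number from the local
# IPv4 address and build the firewall rule for this site only, so the same
# startup script can be linked at the domain level instead of one GPO per site.

$AppPort  = 1433                          # assumed application port
$RuleName = "StoreAppServer-SiteDerived"  # assumed rule name (no spaces: avoids netsh quoting issues)

# Pick the first IPv4 address in the 192.168.x.0/24 site space.
# Get-WmiObject is used because the script targets PowerShell 2.0 hosts.
$addr = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -like '192.168.*' } |
        Select-Object -First 1

if (-not ($addr -match '^192\.168\.(\d{1,3})\.(\d{1,3})$')) {
    Write-Error "No 192.168.x.y site address found on this host; no rule created."
    exit 1
}
$store     = [int]$Matches[1]   # x = store number
$hostOctet = [int]$Matches[2]   # y = role of this host within the site

$server  = "192.168.$store.25"                    # app server, per the question
$clients = "192.168.$store.1-192.168.$store.10"   # workstation range, per the question

# Remove any earlier copy so the rule does not accumulate on every boot.
netsh advfirewall firewall delete rule name=$RuleName | Out-Null

if ($hostOctet -eq 25) {
    # Application server: accept connections on the app port only from this site's workstations.
    netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=$AppPort remoteip=$clients
}
elseif ($hostOctet -ge 1 -and $hostOctet -le 10) {
    # Workstation: permit outbound connections to this site's app server on the app port.
    netsh advfirewall firewall add rule name=$RuleName dir=out action=allow protocol=TCP remoteport=$AppPort remoteip=$server
}
else {
    Write-Output "Host .$hostOctet at store $store is neither the app server nor a listed workstation; no rule created."
}
```

Two points to check before relying on this: the Windows Firewall GPO must leave "Apply local firewall rules" enabled for the relevant profile, or rules created locally by the script are ignored in favour of the policy-defined set; and a host with more than one 192.168.x.y address (VPN, virtual adapters) needs a stricter adapter filter than the one shown, otherwise the wrong store number may be derived.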