SP2 firewall and group policy

[sharyn]

Hi,

I have configured the sp2 firewall via group policy to allow file and printer sharing for a specified range of IP addresses.

When I log onto the local machine that I am testing this on, although the settings on the firewall for file and printer sharing are greyed out (because they are getting the settings from group policy)when I check to see what is being allowed to access the open ports, the radial button that says any (including internet machines) is marked.

This is obviously not the setting that I have in group policy. Is this a bug or can I just ignore what the local machine is reporting as being set to?

Thanks,
Sharyn

 

[bcastner]

If File and Printer sharing is enabled on a workstation, there are a number of ports that need to be open.

http://support.microsoft.com/?kbid=832017

 

[sharyn]

Yes, I know.

That isn't the issue. The issue is that the local machine firewall setting is reporting that those ports are open to "any", not just the IP addresses/subnets that I have configured in group policy.

FYI, when you configure the xp firewall to allow file and printer sharing, using that setting, it automatically opens all the necessary ports.

Sharyn

 

[bcastner]

I am aware it will open the ports.
I you double-click File and Printer Sharing, and then click 'Change Scope' what happens.

 

[sharyn]

You can't configure any of the local firewall settings if they are configured in group policy..they are greyed out.

It's ok, though. I have fixed this, and I blame MS for the error.

If you look at the configuration screen using the Group Policy Managment console, it tells you to specify entire subnets using the / notation, as in 192.168.0.0/16.

If you actually open the firewall setting properties on the local machine, it tells you to configure your custom list using the entire subnet mask, as in 192.168.0.0/255.255.0.0

If you use this full subnet mask, instead of the / notation, in the group policy mgmt console, it works exactly the way it's supposed to.

Ah well, live and learn..all fixed now.

Sharyn

 

[bcastner]

Thank you Sharyn.
After your first response I was certain I was not "getting" the problem raised.

Please take the time to submit your finding to:

http://windowsbeta.microsoft.com/xpsp2feedback/default.aspx

 

[sharyn]

I did!

thanks!
Sharyn

 

[bcastner]

You are a gem.

I have been so busy "pushing" out SP2, that the new Group Policy features have gone on the back burner.

Be certain you spend some time exploring the changes in Netsh.exe.

And see the "Cable Guy"

http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx

I had the opportunity to meet him in May, and you could not have met a nicer guy.

 

[sharyn]

I haven't tested sp2 fully enough to start pushing it out.

So far, I've put it on a non-production machine, and my work laptop. I have yet to put it on my work desktop.

I don't like nasty surprises and would be afraid to roll it out to my users until I had the opportunity to fully test it, not to mention get the firewall configured properly for use in my network.

I have read about some of the changes but have yet to actually play with them, as I have been working on this firewall issue first.

All in all, Im pretty impressed with it. Thanks for the cable guy link.

Sharyn

 

[bcastner]

Sharyn,

I have been running the various release candidates of Service Pack 2 since late April, and SP2 final since last friday.

I know there were some horror stories about Service Pack 1, but I just simply do not see a repeat of that experience with SP2.

Just do it.