
I found an interesting issue where I set a GPO to control the firewall policy to "Block (default)" the inbound connections, however that setting is not completely enforced. It still allows an administrator to alter it from "Block (default)" to "Block all connections".

Why is the GPO not forcing the setting I provided?

In more detail:

The settings I'm referring to are in:

  1. Go to Windows Advanced Firewall
  2. Right click on properties
  3. Under any profile tab, in my case Domain Profile
  4. State > Inbound Connections

The GPO is set explicitly to "Block (default)", however this option can still be changed once the GPO is applied.

Thanks,

Paul

Paweł Czopowik

1 Answer


In almost all cases, an administrator can change whatever is set by GPO - it's just a registry setting and one way or another an administrator on a PC can change any registry setting. If your intent is to lock these machines down, then users shouldn't be local admins.

MDMarra
  • The other settings are respected and enforced (grayed out). This is the only setting that allows one to change it to a more restrictive setting. – Paweł Czopowik Feb 04 '14 at 22:00
  • My point was that an administrator can get around the greyed-out items fairly easily if they wanted. – MDMarra Feb 04 '14 at 22:10
  • Thank you for the feedback but this does not address why the GPO setting does not restrict this option. Perhaps it's a mechanism to be able to turn off the firewall temporarily in case of emergency without relying on a new GPO being applied? – Paweł Czopowik Feb 05 '14 at 15:26
  • But then again, the setting of "Allow" is enforced and does not allow for such a change. – Paweł Czopowik Feb 05 '14 at 15:37
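A way to make the drift the question describes visible, as an added example that is not part of the question, the answer or any Microsoft tooling: compare the inbound-connection values the GPO wrote to the firewall policy registry key with the profile settings that are actually in effect, so a local change from "Block (default)" to "Block all connections" is reported instead of going unnoticed. It assumes the standard policy key under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>Profile` and the NetSecurity cmdlets (Windows 8 / Server 2012 or later); the function name and output fields are my own.

```powershell
# Added example (not from the original thread). Compares GPO-delivered firewall policy
# values with the effective (active store) profile so a locally tightened setting shows up.
function Get-FirewallInboundPolicyState {
    param([ValidateSet('Domain', 'Private', 'Public')][string]$Profile = 'Domain')

    # Values written by the "Windows Firewall with Advanced Security" GPO (assumed path).
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\${Profile}Profile"
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Effective settings on this machine right now (GPO and local changes merged).
    $active = Get-NetFirewallProfile -Name $Profile -PolicyStore ActiveStore

    # Registry DefaultInboundAction: 1 = Block, 0 = Allow, absent = not configured by policy.
    $policyDefaultInbound = switch ($policy.DefaultInboundAction) {
        1       { 'Block' }
        0       { 'Allow' }
        default { 'NotConfigured' }
    }

    # "Block all connections" in the GUI corresponds to DoNotAllowExceptions=1 in policy
    # and AllowInboundRules=False in the active profile (inbound rules are ignored).
    $policyBlockAll = ($null -ne $policy -and $policy.DoNotAllowExceptions -eq 1)
    $activeBlockAll = ("$($active.AllowInboundRules)" -eq 'False')

    [pscustomobject]@{
        Profile                = $Profile
        PolicyDefaultInbound   = $policyDefaultInbound
        PolicyBlockAll         = $policyBlockAll
        ActiveDefaultInbound   = "$($active.DefaultInboundAction)"
        ActiveBlockAll         = $activeBlockAll
        # True when the machine is stricter than the GPO asked for: someone local
        # switched "Block (default)" to "Block all connections", as in the question.
        LocalTighterThanPolicy = ($activeBlockAll -and -not $policyBlockAll)
    }
}

# Report for the Domain profile; run as administrator on a domain-joined host.
Get-FirewallInboundPolicyState -Profile Domain | Format-List
```

Running it from a startup script or a monitoring agent on the affected machines turns the silent local change into a reportable finding, which is the practical answer when local admins cannot be removed.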