
I have managed to block port 445 in the windows firewall using Group Policy, now the server that has this GPO applied is unable to read further GPO updates from the domain controller.

Is there any way to fix this short of dropping it from the domain, fixing it, then adding it back to the domain? Or would that even work?

MartinC
  • I'm curious why you blocked port 445 to begin with? – TheCleaner Oct 27 '14 at 18:48
  • Wanted to block file-sharing. I didn't think about it very hard before I blocked the port. – MartinC Oct 27 '14 at 18:50
  • Can you nuke the Firewall policy keys `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall` and restart the firewall service? A `gpupdate /force` might also be worth trying. I'll have to get to a Windows machine to test. – jscott Oct 27 '14 at 18:55
  • I can't yet downvote, but this is a special case duplication of http://serverfault.com/questions/593937/can-i-override-domain-group-policy-with-local-group-policy-as-a-local-admin Just override with local policy, make sure you've changed the applied policy, refresh, then remove the local policy. – austinian Oct 27 '14 at 18:56
  • @austinian not really. I tried to use local policy, however in the case of the firewall, Block Policies will always take precedence over any allow policies, and due to the nature of the issue I am no longer able to edit the domain GPO. So it does not appear that article is particularly helpful, feel free to correct me if I'm wrong. – MartinC Oct 27 '14 at 19:01
  • @jscott I have been using gpupdate /force, but with port 445 blocked it fails to read the GPO from SYSVOL. – MartinC Oct 27 '14 at 19:02
  • @MartinC Do a `gpupdate` *after* deleting the policy key above and restarting the Firewall service. – jscott Oct 27 '14 at 19:02
  • @jscott Okay, I'll try that. – MartinC Oct 27 '14 at 19:05
  • Right, you can't block port 445 and expect your domain to work properly. It's a port used by Directory Services, in addition to SMB sharing and a number of other things. The fix is to correct your GPO and disable the firewall long enough to fetch policy that doesn't block port 445. – HopelessN00b Oct 27 '14 at 19:12
  • @HopelessN00b GPO prevents the domain profile from being disabled, it is a rackmount server in a different city so I am RDP'ed into it. At least I was until I tried to restart the firewall service. I have someone going to reboot the server now. :) I'm pretty experienced in networking/programming, but server admin is pretty new to me. – MartinC Oct 27 '14 at 19:16
  • In that case I'll second @jscott's suggestion, although it is remarkably similar to the first result when you search for "override firewall group policy" in google – austinian Oct 27 '14 at 19:20
  • @jscott Aside from the snafu of losing remote access, it worked perfectly! Post it as an answer and I will gladly mark it as such. – MartinC Oct 27 '14 at 19:32
  • @austinian Indeed. I should expect any decent google search for "override GPO *x*" to include an answer of "delete the policy key" or "add a Deny Read ACE to the policy key". – jscott Oct 27 '14 at 19:38
  • @jscott I think the keyword I may have been missing was "override", as that does provide a significant number of helpful results. – MartinC Oct 27 '14 at 19:48

1 Answer


As with many Group Policies, the settings are stored in a Policies key in the registry. The Windows Firewall machine policy key is located at: `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall`

If you delete this key the "old" GP firewall settings are gone. If you restart the machine, it should be able to pull down a fresh copy of your firewall GPO.

jscott
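The recovery the answer describes, written out as a PowerShell script (an added example, not the answer's own code). It assumes an elevated console or out-of-band session rather than RDP (restarting the firewall service drops the RDP session, as happened in the question), the NetSecurity cmdlets available on Server 2012 and later, and that `$env:LOGONSERVER` names a domain controller.

```powershell
# Assumption: run elevated from a console/out-of-band session, not RDP.
$policyPath = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$policyKey  = "HKLM:\$($policyPath.Substring(5))"
$backup     = Join-Path $env:TEMP ("WindowsFirewall-policy-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))

if (-not (Test-Path $policyKey)) {
    Write-Host "No firewall policy key present; nothing to clear."
    return
}

# 1. Keep a rollback copy of the GPO-delivered firewall settings before deleting them.
reg.exe export $policyPath $backup /y | Out-Null
Write-Host "Policy key exported to $backup"

# 2. Record which active rules currently block port 445 (either direction), so the
#    change is documented before the key disappears.
Get-NetFirewallRule -PolicyStore ActiveStore -Action Block -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' -or
                   ($_ | Get-NetFirewallPortFilter).RemotePort -contains '445' } |
    Select-Object DisplayName, Direction, PolicyStoreSource |
    Format-Table -AutoSize

# 3. Delete the policy key: the stale GPO firewall settings no longer apply.
Remove-Item -Path $policyKey -Recurse -Force

# 4. Restart the firewall service (this is the step that drops RDP), then re-pull
#    computer policy now that SYSVOL on the DC is reachable again over 445.
Restart-Service -Name MpsSvc -Force
gpupdate.exe /force /target:computer

# 5. Verify that the DC answers on TCP 445 before trusting that GPO processing works.
$dc = $env:LOGONSERVER.TrimStart('\')
Test-NetConnection -ComputerName $dc -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Fix the offending rule in the domain GPO before running step 4, otherwise the refreshed policy will simply re-apply the block.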