
I've been trying to figure out GPO settings for a couple of days and cannot figure out how to apply a filter of some sort to Windows Firewall to turn it ON when any employee is not on the domain (10.0.-.-), which happens when either on VPN, working from home, etc.

Windows Firewall Settings in GPO

Am I in the correct spot? I figured I could apply a filter somehow on the "Windows Firewall: Protect all network connections" but I cannot find a correct way to go about this.

Manieri
    You could also approach it from the direction of configuring Windows Firewall on the domain correctly, then you won't have to toggle the firewall off and on. You could also test connectivity to a certain server with PowerShell, then use PowerShell to turn on Windows Firewall if you don't see it active. Schedule the PowerShell script to run through task manager, and set up the script and task through GPO. – Nixphoe Jul 06 '18 at 15:11
  • @Nixphoe Thank you for the detailed response. I'm fairly new to the job and have never worked with GPOs really -- from my understanding they have a firewall alternative and when Windows Firewall is in use it messes with it; hence having it disabled. So I think the firewall is configured correctly for their needs technically? The PowerShell script seems interesting though, so every X minutes it checks to see if connected to IP 10.0.-.- and if not then enables the firewall? – Manieri Jul 06 '18 at 15:14
  • So they have a network firewall or a Windows Firewall alternative? If they have a Windows Firewall alternative, why can't you use that when off the network? Using scanning for a 10.0 network address can be tricky because other networks could also be using that network address. – Nixphoe Jul 06 '18 at 15:18

1 Answer

Disabling Protect All Network Connections from Domain Profile does exactly what you want. Also check that this setting for Standard Profile is enabled. The network profile determination is not done by the subnet and mask: the domain computers will be protected outside the corporate network even when the network has the same IP address range. The Network Location Awareness (NLA) service does this determination. Since Windows 7, the process has been this:

  1. The Connection Specific DNS Name is compared to a registry key. (Win XP used this alone.)

    HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName

  2. On match, NLA tries to contact a Domain Controller using LDAP. On 1+2: Domain Profile.
  3. If both didn't match, NLA will evaluate network characteristics for known network profiles.
  4. If the network is not known, the user gets prompted to choose between network profiles:
    • Home network
    • Work network
    • Public network
  5. Once the network profile is determined, the correct firewall profile (Public / Private) gets applied.

Esa Jokinen
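An added audit script, not from the question, the comments or the answer above: it walks the NLA decision the answer describes (Group Policy History NetworkName versus the connection-specific DNS suffix, then the category NLA actually assigned) and checks the firewall layout the answer recommends (Domain profile off, Private/Public on), turning the non-domain profiles back on if a deviation is found, which is the check Nixphoe's comment suggests scheduling. It assumes the built-in NetSecurity and DnsClient modules (Windows 8 / Server 2012 and later) and an elevated shell; the registry path is the one named in the answer.

```powershell
# Added example (not the original poster's or answerer's code). Run elevated.

# 1. Registry key named in the answer: the network name recorded the last
#    time the machine applied domain Group Policy (step 1 of the NLA logic).
$gpHistory = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$gpNetwork = (Get-ItemProperty -Path $gpHistory -Name NetworkName `
                -ErrorAction SilentlyContinue).NetworkName

# Connection-specific DNS suffixes currently assigned to the adapters.
$suffixes = Get-DnsClient |
            Where-Object { $_.ConnectionSpecificSuffix } |
            Select-Object -ExpandProperty ConnectionSpecificSuffix -Unique
$dnsMatch = [bool]$gpNetwork -and ($suffixes -contains $gpNetwork)

# 2. What NLA actually decided after the DC/LDAP check:
#    DomainAuthenticated, Private or Public per connected interface.
$profiles = Get-NetConnectionProfile |
            Select-Object InterfaceAlias, Name, NetworkCategory
$onDomain = $profiles.NetworkCategory -contains 'DomainAuthenticated'

Write-Host "GP History NetworkName : $gpNetwork"
Write-Host "DNS suffix match        : $dnsMatch"
Write-Host "Domain-authenticated    : $onDomain"
$profiles | Format-Table -AutoSize

# 3. Firewall state per profile. Expected layout from the answer:
#    Domain = False (third-party firewall in use there), Private/Public = True.
$fw = Get-NetFirewallProfile | Select-Object Name, Enabled
$fw | Format-Table -AutoSize

$offProfiles = $fw | Where-Object { $_.Name -ne 'Domain' -and $_.Enabled -ne 'True' }
if ($offProfiles) {
    Write-Warning ('Windows Firewall is disabled on: ' + ($offProfiles.Name -join ', '))
    # Remediate: these profiles govern the machine whenever NLA cannot
    # reach a DC, e.g. at home or on VPN, regardless of the 10.0.x.x range.
    Set-NetFirewallProfile -Name Private, Public -Enabled True
    Write-Host 'Private and Public profiles re-enabled.'
}

if (-not $onDomain) {
    Write-Host 'Not on the domain profile: Private/Public firewall rules apply.'
}
```

Because the decision is driven by the NLA category rather than the subnet, the script needs no hard-coded IP range; scheduling it is only a safety net on top of the GPO setting.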