Newer System.adm ?

Pat Riley

I'm trying to add an exception to the XP SP2 firewall. I understand that
the correct location in the registry for this is:

hklm\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

However, my system.adm (3/24/2005) has the list at

hklm\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List

I've tested the first key by manually adding an exception and that worked,
but my GPO is based on the system.adm, and it seems to use the second key
(as revealed by GPMC).

So my question is - is there a newer system.adm? Or am I overlooking
something completely? Surely I'm not the only person that is trying to use
a GPO to open a port exception in the XP SP2 firewall?

TIA.

Pat.
 
Hello Pat,

There is nothing wrong with your system.adm, nor does it need updating. You could
configure firewall exceptions through your Administrative Template.
It will be more explicit if you read the text below.

"True Policies and Preferences
The Administrative Templates CSE has control over a part of the registry for
both user and computer registry hives and treats these specially. These parts
are for the computer and user hives respectively:

• HKEY_LOCAL_MACHINE\SOFTWARE\policies (preferred location)

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies

• HKEY_CURRENT_USER\SOFTWARE\policies (preferred location)

• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies


These trees cannot be modified by a non-administrator. Because all keys and
values beneath these paths are erased before applying the resultant registry
policy settings, the registry policies applied in these subtrees will only
persist as long as a valid Group Policy setting exists. Policy settings that
are stored in these specific locations of the registry are known as true
policies.

All the policy settings in the standard Administrative Template files that
shipped with Windows 2000 Server and Windows Server 2003 use true policies.
This prevents the behavior that was often present in Windows NT 4.0, whereby
System Policies resulted in persistent settings in the user and computer
registry. The policy remained in effect until the value was reversed, either
by a counteracting policy or by editing the registry. These settings are
stored outside the approved registry locations listed and are known as
preferences."

You can read more at
http://www.microsoft.com/technet/pr...Ref/74635e11-a0e2-42e0-b3c6-a5ccbc43c931.mspx

Regards,
 
I tried configuring the firewall with gpmc, but the policies for the
firewall do not seem to work. I have set other policies that work fine, but
the policy for the firewall to open an additional port does not work. When I
inspect the registry of a computer that is operating on the domain and under
the policies, I see nothing that shows that the policies are in place. I've
read the tech doc link you provided, but it only explains how it should work
(policies vs preferences). It doesn't explain why it doesn't work for the
ports I have tried to open. While investigating this I found that if I
manually add a port to this link:

hklm\system\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

Then of course it works (a workstation preference), but when the policy is
set, there are no additions to this link. While trying to figure out why, I
discovered that the system.adm template actually edits this link:

hklm\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List

This link does not exist in my workstation registries - there is no
"WindowsFirewall" key anywhere.

Maybe this means that the group policy engine on the client side is not
processing policies for additional firewall ports correctly. Has anyone
else set a policy to add an additional port to the XP SP2 firewall?

I'm using a W2K3 DC with SP1, and XP SP2. I also use GPMC SP1.

TIA

Pat.
 
Pat,

The references that I indicated only show the differences between registry
locations, which seemed to be your doubt.
Now I see that this is not your question.

I made a quick test with XP SP2 and Windows 2003 without :-( SP1 running on
Virtual PC.

I created a new GPO and linked it to the computer OU, because Firewall settings are
applied to computers.
In this new OU I have only configured Domain Profile Windows Firewall:
Protect all Network connections (set to enabled) and Domain Profile Windows
Firewall: Define port exceptions (set to enabled, adding the following
exception: 80:TCP:*:enabled:Web Servive). Microsoft's recommendation is to
configure both the domain and the standard profile, as you can see in Deploying
Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 at
http://www.microsoft.com/downloads/...bdcd-499f73a637d1&displaylang=en&Hash=XGT9Y3C.
Then I restarted the client computer and verified that the firewall
state had changed to on and that it had a port exception for the web service.

I did not have problems with the implementation.

If you could be more detailed in the description of your environment, it becomes
easier for the community to help with your problem.
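An added diagnostic for the situation in this thread (example code, not from the thread or from Microsoft): it parses port exceptions in the format the system.adm template uses (port:protocol:scope:enabled:name, as in the reply above) and, run on a Windows client, compares the true-policy key the GPO writes with the local preference key under SharedAccess, so you can see whether the policy is actually reaching the machine. The registry paths are the ones quoted in the thread; the winreg reads assume Python is available on the client, and the parser itself runs anywhere.

```python
"""Audit XP SP2 firewall port exceptions: true-policy key vs. local preference key."""
import sys
from dataclasses import dataclass

PROFILE = "DomainProfile"  # the thread's case; the other profile is "StandardProfile"
# True-policy location, written on the client by the GPO built from system.adm.
POLICY_KEY = rf"SOFTWARE\Policies\Microsoft\WindowsFirewall\{PROFILE}\GloballyOpenPorts\List"
# Local preference location, written when an exception is added on the workstation itself.
PREF_KEY = rf"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\{PROFILE}\GloballyOpenPorts\List"

@dataclass(frozen=True)
class PortException:
    port: int
    protocol: str  # "TCP" or "UDP"
    scope: str     # "*" for any address, or an address/subnet list
    enabled: bool
    name: str

def parse_exception(entry: str) -> PortException:
    """Parse one 'port:protocol:scope:enabled:name' value; ValueError on malformed input."""
    parts = entry.split(":", 4)  # at most 4 splits: the name field may itself contain colons
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields: {entry!r}")
    port_s, proto, scope, state, name = parts
    port = int(port_s)
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {proto!r}")
    if state.lower() not in ("enabled", "disabled"):
        raise ValueError(f"state must be enabled or disabled: {state!r}")
    return PortException(port, proto.upper(), scope, state.lower() == "enabled", name)

def read_list(subkey: str) -> list[str]:
    """Return the value data under HKLM\\<subkey>; [] if the key is absent or not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            count = winreg.QueryInfoKey(key)[1]  # number of values under the key
            return [str(winreg.EnumValue(key, i)[1]) for i in range(count)]
    except OSError:  # key missing: no policy applied, or no local exceptions defined
        return []

def audit(policy_entries: list[str], pref_entries: list[str]) -> dict[str, set[tuple[int, str]]]:
    """Classify enabled (port, protocol) pairs by where they are defined."""
    policy = {(e.port, e.protocol) for e in map(parse_exception, policy_entries) if e.enabled}
    pref = {(e.port, e.protocol) for e in map(parse_exception, pref_entries) if e.enabled}
    return {"policy_only": policy - pref, "preference_only": pref - policy, "both": policy & pref}
```

On a domain-joined client, `audit(read_list(POLICY_KEY), read_list(PREF_KEY))` returning an empty policy set while a port is open means the GPO is not being applied to the computer (for example because it is linked to a user OU, as in this thread).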
 
Thank you for the follow-up. I believe you have helped me to find my error.
I was editing the GPO for the users, and not a GPO for the computers - this
is most likely why my testing failed. I'll give it a go tomorrow and let
you know. Thanks again for your help. Pat.
 