Restrict stopping of XP Firewall service?

Thread starter: Greg


I have applied Group Policies for XP Firewall in 'Computer
Configuration\Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile', however users can easily subvert these by simply
turning off the firewall service.

I tried restricting access to the Firewall/ICS service via 'Computer
Configuration\Windows Settings\Security Settings\System Services', however
now the Firewall/ICS service on the client affected by this policy won't
start. I get " Error 0x80004015: The class is configured to run as a
security id different from the caller", which leads me to this KB article:;en-us;892199

I followed the directions, but it doesn't seem to resolve my problem, well
it does if I delete the SD registry key for the 'SharedAccess' service
entirely and don't restore it. Then it behaves like I expected, the service
will start upon restart and the policy doesn't allow the user to stop the
service. However I don't want to remove this key on all my existing and new
users, it seems wrong. There must be a more appropriate resolution...

Any clue anyone?


When will all you supposed admins realize that if the local user really
wants to they can override anything you can come up with. Believe it or not
our admins locked OFF the XP firewall because they 'thought' it was causing
problems. They would not unlock it on a laptop that I was going to travel
with so I had to bypass their GPO to turn it on for my travel (and it is
still off automatically on the LAN, let them try to figure that out!). If
you don't have physical control over the machine your next level of control
is a disciplined user, if you can't discipline the user you are flat out of

Hi Greg,

Thanks for posting here.

I understand that you want to lock the Windows Firewall Service on the
Windows XP SP2 computer to be on. If I am off base, please do not hesitate
to let me know.

Based on my research, the Group Policy defined on the domain controller
does have the function to lock this service as always on. There could only
be three options

1. Automatic
2. Manual
3. Disable

However, no matter whether you choose Automatic or Manual, users could still
start/stop the service freely. If you choose "Disable", then the users
can no longer start this service.

Currently, I think there are no other workarounds for this issue, and from my
point of view you should educate your users and clients on the importance
of enabling the Windows Firewall.

You could also let me know your questions or concerns on this issue. I
would also be happy to help as much as I can. Thanks for your

I look forward to your reply.

Thanks & Regards

Amanda Wang[MSFT]

Microsoft Online Partner Support

Greg said:
I have applied Group Policies for XP Firewall in 'Computer
Configuration\Administrative Templates\Network\Network
Connections\Windows Firewall\Domain Profile', however users can
easily subvert these by simply turning off the firewall service.

Not if they don't have admin rights. And they shouldn't.

Greg said:
I have applied Group Policies for XP Firewall in 'Computer
Configuration\Administrative Templates\Network\Network Connections\Windows
Firewall\Domain Profile', however users can easily subvert these by simply
turning off the firewall service.

I tried restricting access to the Firewall/ICS service via 'Computer
Configuration\Windows Settings\Security Settings\System Services', however
now the Firewall/ICS service on the client affected by this policy won't
start. I get " Error 0x80004015: The class is configured to run as a
security id different from the caller", which leads me to this KB article:;en-us;892199

I followed the directions, but it doesn't seem to resolve my problem, well
it does if I delete the SD registry key for the 'SharedAccess' service
entirely and don't restore it. Then it behaves like I expected, the service
will start upon restart and the policy doesn't allow the user to stop the
service. However I don't want to remove this key on all my existing and new
users, it seems wrong. There must be a more appropriate resolution...

Hey Greg,

I'm not at work right now so I can't be 100% sure of everything I'm saying but
I've run into your SD problem just a week ago and I had issues with a Ghost
client service being killed off and users not able to restart it due to
permissions on the service. In my environment I have the firewall set to
automatic using group policy under the Security Settings in System Services.
When you explicitly set permissions like that the default permissions don't
include the Authenticated Users group, which is the group that the user who
runs the Firewall service belongs to. I don't remember the user but I think
it's Network Service. When you remove that group then the firewall is started
with a different SID than what it is configured for and it fails to start.
For me, since Authenticated Users weren't included they weren't allowed to start
up the Ghost client whenever it got killed off (that's another story that we
eventually solved).

It sounds like I may have to see at work whether some of our users are able to
turn the firewall off, at least those users who have access to do so. By that
I mean I turn off access to the Control Panel icons (all except Display) and I
turn off the Manage entry on the menu when you right click on My Computer.
They also aren't allowed to run anything I don't want them to by explicitly
listing application binary names. All those things are in Group Policies I
set up. I suggest you attempt to do the same if you can so that users can't
turn things off/on that you don't want them to. There shouldn't be anything in
Control Panel they need to access but it is granular within the GP setting.
They shouldn't need access to anything under Manage either from My Computer.
As far as application binaries, you can set an explicit list of allowed or
denied applications so you don't have to worry about listing EVERYTHING they
are allowed to run, you could just list stuff they aren't allowed to run (like
mmc.exe for example).
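Added example, not code from the thread or from Microsoft: the last reply attributes Greg's start failure to the System Services GPO entry replacing the service's default permissions, so the practical check before pushing such an entry is to read the service's security descriptor with `sc sdshow SharedAccess` and see who holds the START (RP) and STOP (WP) rights before and after. This Python audit does that over SDDL strings; the two sample descriptors are constructed for illustration (not captured from an XP host), and SY, BA, AU and PU are the standard SDDL aliases for SYSTEM, Administrators, Authenticated Users and Power Users.

```python
import re

# Service-object access-right codes as they appear in the DACL that
# `sc sdshow <service>` prints (two-letter SDDL rights codes).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_RE = re.compile(r"\(([^)]*)\)")

# Constructed sample strings (not captured from a real XP host): a typical
# default service DACL, and one a tightened System Services GPO entry might push.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
POLICY_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

def parse_dacl(sddl):
    """Yield (ace_type, trustee, rights) for each ACE in the D: section.
    Only letter-coded rights are handled, which is what sc sdshow emits."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for body in ACE_RE.findall(dacl):
        f = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        codes = f[2]
        names = {SERVICE_RIGHTS.get(codes[i:i + 2], codes[i:i + 2])
                 for i in range(0, len(codes), 2)}
        yield f[0], f[5], names

def effective_rights(sddl, trustee):
    """Allow ACEs for the trustee minus any deny ACEs (explicit deny wins)."""
    allowed, denied = set(), set()
    for ace_type, t, names in parse_dacl(sddl):
        if t == trustee:
            (denied if ace_type == "D" else allowed).update(names)
    return allowed - denied

def who_can(sddl, right):
    """Sorted trustees whose effective rights include `right`, e.g. "STOP"."""
    trustees = {t for _, t, _ in parse_dacl(sddl)}
    return sorted(t for t in trustees if right in effective_rights(sddl, t))

def lost_rights(default_sddl, policy_sddl):
    """Trustees that lose START or STOP when the policy DACL replaces the default;
    anyone listed here can no longer start/stop the service once the GPO applies."""
    return {right: sorted(set(who_can(default_sddl, right)) - set(who_can(policy_sddl, right)))
            for right in ("START", "STOP")}

if __name__ == "__main__":
    print("can STOP by default:", who_can(DEFAULT_SDDL, "STOP"))
    print("can STOP under policy:", who_can(POLICY_SDDL, "STOP"))
    print("dropped by policy:", lost_rights(DEFAULT_SDDL, POLICY_SDDL))
```

Run `who_can` on the live string from `sc sdshow SharedAccess` and the string the GPO would push; if the account the service runs under, or any group it depends on, shows up in `lost_rights`, the entry needs those ACEs added back before deployment.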
