Windows Group Policy – Disable The Local Windows Firewall

KB ID 0001090

Problem

I’ve got nothing against the Windows firewall; it’s certainly a lot easier to manage now than it was back in the XP SP2 days. But I find a lot of clients still just ‘want it gone’ and, providing they have a decent corporate firewall in front of them, that’s fair enough.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > Network connections > Windows Firewall > Domain Profile > Windows Firewall: Protect all network connections

[/box]

6. Set the policy to disabled.

7. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

8. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines).

SBS Note

A Small Business Server (SBS) domain enables the client firewall by default! The policy is called Windows Firewall Policy, which is usually linked to the computer OU under ‘My Business’.

Related Articles, References, Credits, or External Links

Windows – Open a Firewall Port with Group Policy

Windows – Open a Firewall Port with Group Policy

Define Inbound Port Exceptions

KB ID 0000979 

Problem

If you do not simply disable the Windows firewall, you need to be able to manage which ports are open on your machines. The simplest way to do this is via group policy. This week I had to open TCP port 9503 on the local firewall of my McAfee Move Offload Servers. Below I will open that port on all my machines, but in production I will only apply the GPO to the OU with my Move Offload servers in it.

Solution

1. On a domain controller or a client running the remote administration tools > Windows Key+R > gpmc.msc {Enter} > The Group Policy Management Console will open.

2. Select the OU that contains the ‘Computers’ you want to enforce this policy on, (or here I’m choosing the entire domain) > Right Click > ‘Create GPO in this domain, and link it here..’.

3. Give the policy a sensible name so you can see what it is doing later.

4. Right click your new policy > Edit.

5. Navigate to;

[box]

Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile > Windows Firewall: Define inbound port exceptions

[/box]

6. Open the policy and enable it > Show.

7. As this is a new policy the list will be empty, (you can return and add multiple entries to this policy later if you require further ports opening). In the example below I’ve opened port 9053, over TCP, the asterisk means ‘from anywhere’, I’ve Enabled the rule, and called it McAfee Move.

Port Exception Syntax

<Port>:<Transport>:<Scope>:<Name>

  • <Port>: Number in decimal from 0 to 65,335
  • <Transport>: TCP or UDP
  • <Scope>: Where the traffic is coming from, e.g. 192.168.1.1, or 192.168.1.0/24, or simply ‘localsubnet’ or ‘*’ for everywhere. You can enter multiple values separated with a comma.
  • <Name>: A simple text entry to define what the exception is.
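The following PowerShell is an added example and not code from the original article. It checks exception strings against the syntax above before they are typed into the policy’s Show list, and then reads back what Group Policy has actually applied to a target machine: the EnableFirewall switch written by the ‘Protect all network connections’ policy from the article above, and every entry in the inbound port-exception list. Two things here are assumptions rather than taken from the article: the registry locations are the standard Windows Firewall policy keys, and entries stored there carry an extra enabled/disabled status field between the scope and the name, which the validator also accepts. The sample entries are constructed.

```powershell
# Added example, not code from the original article.
# Validates 'Define inbound port exceptions' entries and reads back the Domain Profile
# firewall policy that Group Policy has applied on this machine.
# Assumptions: the four-field syntax quoted in the article, plus an optional
# enabled/disabled status field as stored in the registry by Group Policy.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Test-FwPortException {
    param([Parameter(Mandatory)][string]$Entry)

    $result = [pscustomobject]@{ Entry = $Entry; Valid = $false; Reason = '' }
    $fields = $Entry -split ':'
    if ($fields.Count -lt 4 -or $fields.Count -gt 5) {
        $result.Reason = 'expected <Port>:<Transport>:<Scope>:<Name> (names must not contain colons)'
        return $result
    }
    $port      = $fields[0]
    $transport = $fields[1]
    $scope     = $fields[2]
    $name      = $fields[-1]
    $status    = if ($fields.Count -eq 5) { $fields[3] } else { 'enabled' }

    # Port: a decimal integer inside the TCP/UDP port range.
    $n = 0
    if (-not [int]::TryParse($port, [ref]$n) -or $n -lt 0 -or $n -gt 65535) {
        $result.Reason = "port '$port' is not a number between 0 and 65535"; return $result
    }
    if ($transport -notin 'TCP', 'UDP') {
        $result.Reason = "transport '$transport' must be TCP or UDP"; return $result
    }
    # Scope: comma-separated list of '*', 'localsubnet', an IPv4 address or an IPv4 CIDR block.
    foreach ($item in $scope -split ',') {
        $item = $item.Trim()
        if ($item -in '*', 'localsubnet') { continue }
        $addr, $prefix = $item -split '/'
        $parsed = $null
        $ipOk = [System.Net.IPAddress]::TryParse($addr, [ref]$parsed) -and
                $parsed.AddressFamily -eq 'InterNetwork'
        $prefixOk = (-not $prefix) -or ($prefix -match '^\d{1,2}$' -and [int]$prefix -le 32)
        if (-not ($ipOk -and $prefixOk)) {
            $result.Reason = "scope item '$item' is not *, localsubnet, an IPv4 address or a /prefix"
            return $result
        }
    }
    if ($status -notin 'enabled', 'disabled') {
        $result.Reason = "status '$status' must be enabled or disabled"; return $result
    }
    if ([string]::IsNullOrWhiteSpace($name)) { $result.Reason = 'name is empty'; return $result }

    $result.Valid  = $true
    $result.Reason = "$transport/$n from $scope ($status)"
    return $result
}

function Get-FwDomainPolicyState {
    # Reports what Group Policy has actually applied: the on/off switch written by
    # 'Protect all network connections', then every entry in the port-exception list.
    if (-not (Test-Path $PolicyKey)) { return 'No Domain Profile firewall policy applied to this machine.' }
    $enable = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).EnableFirewall
    if ($null -eq $enable)  { Write-Output 'Domain Profile firewall: not set by policy' }
    elseif ($enable -eq 0)  { Write-Output 'Domain Profile firewall: DISABLED by policy' }
    else                    { Write-Output 'Domain Profile firewall: enabled by policy' }

    $listKey = Join-Path $PolicyKey 'GloballyOpenPorts\List'
    if (Test-Path $listKey) {
        # Each exception is a string value whose name and data are both the entry itself.
        (Get-ItemProperty -Path $listKey).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Test-FwPortException -Entry $_.Value }
    }
}

# Constructed samples: the article's McAfee Move rule, a tightened scope, a registry-style
# entry with a status field, and three mistakes the validator should catch.
$samples = @(
    '9053:TCP:*:McAfee Move',
    '9053:TCP:192.168.1.0/24,localsubnet:McAfee Move',
    '9053:TCP:*:enabled:McAfee Move',
    '70000:TCP:*:Bad port',
    '9053:SCTP:*:Bad transport',
    '9053:TCP:10.0.0.300:Bad scope'
)
$samples | ForEach-Object { Test-FwPortException -Entry $_ } | Format-Table -AutoSize
Get-FwDomainPolicyState
```

Run it on a target machine after gpupdate /force: the first table tells you whether an entry would be accepted and what it actually opens (a scope of ‘*’ opens the port to every address, so narrowing it to the subnets that need access is worth doing), and the second part confirms the policy landed on that machine.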

8. OK > Apply > OK > Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU like so.

9. Or simply run gpupdate /force on the target machine, (or you could also wait a couple of hours, or reboot the target machines.)

10. To make sure it has worked on the target machine > Windows Key+R > WF.msc {Enter} > Inbound Rules > Your rule should be visible.

11. If you open the rule you can see it’s been applied by group policy, and check the correct port has been defined.

 

Related Articles, References, Credits, or External Links

Windows Group Policy – Disable The Local Windows Firewall

Migrating Local Profiles to Domain Profiles

KB ID 0001235 

Problem

Moving a machine onto a Windows domain is a simple task; I’ve done this for a lot of clients. The main complaint (post migration) is that something is missing. This is because your-account-name on your PC or laptop and your-account-name in the domain are TWO DIFFERENT ACCOUNTS, (even if they have the same name).

Microsoft have produced some tools to help you, but I challenge you to start reading the USMT documentation for more than 15 minutes without losing the will to live.

Below is a list of things people have complained to me about losing post migration;

  • Desktop wallpaper.
  • Files & Folders from the desktop.
  • My Documents.
  • Internet Favorites.
  • My Pictures.
  • Outlook Signatures.
  • Outlook Mail Accounts.
  • Word Custom Dictionaries.
  • Word Autocomplete Settings.
  • MS Access Macro settings.

So I set up a test Windows 10 machine with all of the above configured, and used two tools to migrate my local profile into my domain profile.

 

Solution

Test 1 ForensIT User Profile Wizard

The software is free (there are paid-for versions) but I plumped for the free one. You don’t have to install anything as it runs from an executable, (which is a bonus if you have a lot to do). It’s VERY fast, and simple to use.

I’ve joined my target machine to the new domain and logged on once as the domain user and created a blank profile, then logged back on as the domain admin to carry out the following.

Launch the software > Next > Select the profile you want to copy from.

Select your domain name > Enter the logon name for the ‘DOMAIN USER’ you want to copy the profile to > Next > Next.

Verdict: Of the two, this one’s quicker, more intuitive and free.

Test 2 USMT GUI 10

This is a graphical wrapper that sits on top of the Microsoft USMT tools. I donated $10.00 for the cheapest version, and repeated the tests above.

First you have to take a backup of the local profile(s).

I’m just choosing one (Pete) > RUN > My profile was 177Mb and it took about 5 minutes.

Now restore the profile to your domain profile; as you can see that’s a little more complicated, but not that difficult > RUN.

At this point it ran through and gave me an error, even though it did migrate the profile successfully.

Verdict: Well it does the job, it’s probably a lot more versatile than the first tool, but nowhere near as intuitive, and it costs $10. I know that’s cheap, and the dev deserves to be paid for their hard work, but I prefer the free one.

Related Articles, References, Credits, or External Links

NA

Windows Server 2012 – Install and Configure an FTP Server

KB ID 0000847

Problem

FTP might be an age-old solution for moving files around, but a lot of people swear by it. With Windows Server it’s still supported, even if it is hidden as a ‘role service’.

Solution

Create a Security Group For Domain FTP Access

Note: For a Standalone/Workgroup server see below for setting up users and groups.

1. Launch Server Manager > Tools > Active Directory Administrative Center.

2. New > Group.

3. Give the group a sensible name.

4. Here I’m going to create a user to test with, in production you would just use the domain users who you want to give access to.

5. I will simply create a user called ‘ftpuser’.

6. Add the domain user(s) to your new security group.

7. Create a folder that will be the ‘root’ of your FTP site.

8. Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).

Create a Security Group For Workgroup / Standalone FTP Access

1. From Server Manager > Tools >Computer Management.

2. System Tools > Local Users and Groups > Groups.

3. Give the group a sensible name.

4. I’m going to create a test user called ftpuser, this is done in Local users and groups > Users.

5. Place the user(s) you want to grant access to, into your local security group.

6. Create a folder that will be the ‘root’ of your FTP site and open its properties.

7. On the Security tab > Advanced > Grant your security group rights to this folder (Note: By default they will only get Read rights, you will need to add ‘Write’ if you want your users to be able to ‘put’ files).
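The folder steps of both procedures above (steps 7–8 for a domain, 6–7 for a workgroup) can be scripted. The following PowerShell is an added example, not the article’s own, and it works for either case because the identity it grants rights to is just a ‘DOMAIN\Group’ or ‘COMPUTERNAME\Group’ string. It grants Read only by default, adds Write only when asked, and then lists every identity that can create files in the FTP root, including rights inherited from the parent folder, which is the check worth doing before you let anyone ‘put’ files. The folder path C:\FTPRoot and the group CORP\FTP-Users are assumed names; substitute your own.

```powershell
# Added example, not code from the original article.
# Creates the FTP root folder, grants the FTP security group NTFS rights on it
# (Read only unless -AllowUpload), and reports who can write into it.
# Assumed names: C:\FTPRoot and CORP\FTP-Users; the group must already exist.

function Grant-FtpRootAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Group,   # 'DOMAIN\Group' or 'COMPUTERNAME\Group'
        [switch]$AllowUpload                    # add Write so users can 'put' files
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

    # Read & execute by default, matching what the GUI grants; Write added only on request.
    $rights = if ($AllowUpload) {
        [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
    } else {
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    }
    # Apply to this folder, its subfolders and files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    $acl.SetAccessRule($ace)    # replaces any existing Allow ACE for this group instead of stacking
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FtpRootWriters {
    param([Parameter(Mandatory)][string]$Path)
    # Lists every Allow ACE, explicit or inherited, that lets its holder add files or folders.
    # Folders created under C:\ usually inherit such an ACE for BUILTIN\Users, so this is
    # where you find out that more than your FTP group can write to the root.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $writeBits) -ne 0)
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

# Assumed names; replace with your own folder and FTP security group.
Grant-FtpRootAccess -Path 'C:\FTPRoot' -Group 'CORP\FTP-Users' -AllowUpload
Get-FtpRootWriters -Path 'C:\FTPRoot' | Format-Table -AutoSize
```

If Get-FtpRootWriters shows identities other than your FTP group (typically an inherited entry for local Users), disable inheritance on the folder or remove that entry in the Advanced security dialog, so that only the accounts you have deliberately granted Write can upload.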

Windows Server 2012 Install FTP

1. From Server Manager > Tools > Add Roles and Features.

2. Next.

3. Next

4. Next

5. Select Web Server (IIS) > Select Add (when prompted) > Next.

6. Next

7. Next

8. Locate and Select FTP Server AND FTP Extensibility > Next.

9. Install

10. Close.

11. Reboot the server. This is because some of the firewall settings have a habit of not enabling until the server has restarted; this does not happen all the time, so you may be lucky and not need to reboot. But I’m a firm believer in ‘If something can go wrong, it will go wrong’.

Windows Server 2012 Configure FTP

1. Windows Key > Internet Information Services (IIS) Manager.

2. Expand the server name > Right click ‘Sites’ > Add FTP Site.

3. Give the site a name > Browse to the folder you are going to use as the FTP ‘root’ folder > Next.

4. Select No SSL (I’m not going to secure the site with web certificates) > Next.

5. Authentication = Basic > Allow Access to = Selected roles or user groups > Permissions = Select read and write as appropriate > Finish.

6. Windows Key+R > firewall.cpl > Allow an app or feature through Windows Firewall.

7. Ensure FTP Server is allowed for the ‘profile’ that your network card has been allocated.

8. Advanced Settings.

9. Inbound Rules.

10. There should be three FTP rules; by default they should be enabled (FTP Port 21, Passive Ports, and Secure FTP / TCP 990).

Windows 2012 FTP Server – Testing Access

1. You can test the firewall is open by opening a telnet session to the server on port 21;

[box]

telnet {ip address or name of server} 21

[/box]

2. This is what you should see (or in some cases a blinking cursor, if you are going through a firewall or device that suppresses the server’s response banner).

3. Or you can use a web browser and navigate to ftp://{ip address or name of the FTP server}.

4. Or from command line you can use the direct ftp command like so;

[box]

ftp {ip address or name of server}

[/box]
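The telnet test in steps 1 and 2 can be done from PowerShell without the Telnet client installed. The following is an added example and not code from the original article: on the server it lists the three IIS FTP firewall rules from the configuration section, and from a client it connects to TCP 21 with a timeout and reads the FTP greeting banner, distinguishing a refused port, a silently filtered one, and an open port whose banner a device in the path has suppressed. The server name ftp01.corp.example is assumed; the ‘FTP Server’ display group is the name the IIS FTP role gives its inbound rules.

```powershell
# Added example, not code from the original article.
# Server side: show the IIS FTP inbound rules. Client side: connect to the FTP port and read
# the greeting, which is what 'telnet <server> 21' would display.
# Assumed server name: ftp01.corp.example (replace with your own).

function Get-FtpFirewallRules {
    # The three inbound rules installed with the FTP role service share the display group 'FTP Server'.
    Get-NetFirewallRule -DisplayGroup 'FTP Server' -Direction Inbound -ErrorAction SilentlyContinue |
        Select-Object DisplayName, Enabled, Profile, Action
}

function Test-FtpBanner {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 21,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout, so a silently dropped SYN is reported rather than hung on.
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return [pscustomobject]@{ Server = $Server; Port = $Port; Open = $false
                                      Banner = 'connect timed out (port filtered?)' }
        }
        $client.EndConnect($async)   # throws if the connection was refused

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $buffer = New-Object byte[] 512
        $read = 0
        try { $read = $stream.Read($buffer, 0, $buffer.Length) } catch { }
        $banner = if ($read -gt 0) {
            [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read).Trim()
        } else {
            '(port open, no greeting: a device in the path may suppress banners)'
        }
        return [pscustomobject]@{ Server = $Server; Port = $Port; Open = $true; Banner = $banner }
    } catch {
        return [pscustomobject]@{ Server = $Server; Port = $Port; Open = $false; Banner = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

Get-FtpFirewallRules | Format-Table -AutoSize

# Assumed server name. TCP 990 is checked for reachability only: FTPS expects a TLS
# handshake before any greeting, so 'no greeting' is the expected result there.
21, 990 | ForEach-Object { Test-FtpBanner -Server 'ftp01.corp.example' -Port $_ } | Format-Table -AutoSize
```

A healthy result on port 21 is a banner beginning with ‘220’; ‘connect timed out’ points at a firewall or NAT rule that is not passing the traffic, and a refusal means the port reached the server but nothing is listening there.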

Windows 2012 FTP Server – Testing External Access

Accessing the server externally (from the internet) requires your remote users to know either the public IP address or the public name of the server. In addition FTP (TCP Port 21) needs to be open to that IP address. This can be done by giving the server its own public IP address, or by port forwarding FTP from your public IP address to the private IP address of the FTP server. How that is done will differ depending on your firewall or router.

Note: If you have a Cisco Firewall, I’ll put the links you require at the bottom of the page.

1. Here I’m on an external machine, and I’m using FileZilla (a free FTP client) to connect to my FTP server.

2. Just to test I’ll drag a file to the FTP server, to make sure I can write/put files.

3. Here is the file uploaded.

4. Back on the server, in the ‘root’ folder you can see the file successfully uploaded.

 

Related Articles, References, Credits, or External Links

Cisco Firewall (ASA/PIX) – Granting Access to an FTP Server

Cisco PIX / ASA Port Forwarding

Add a Static (One to One) NAT Translation to a Cisco ASA 5500 Firewall