For several years now, the Windows firewall has been one of Windows' first lines of defense against network-based attacks. As a channel reseller, your customers may ask you to configure the Windows firewall to allow access to a particular resource. But this isn't always as simple as it seems. There are various conditions that can prevent you from reconfiguring a Windows firewall. This article explains how to troubleshoot Windows XP firewall configuration problems.
Before I get started, I want to quickly point out that the configuration interfaces for the Windows XP and the Windows Vista firewalls differ. Because the vast majority of companies are still using Windows XP, this article focuses on troubleshooting the Windows XP firewall. However, if your customer happens to be using Windows Vista, all is not lost. Although the steps that I walk you through are intended for use in Windows XP, the basic concepts are relevant to Windows Vista as well.
Difficulty configuring firewall settings
As someone who has written numerous technical articles over the years, I receive a tremendous amount of email from readers seeking assistance with various technical issues. By far, the one firewall-related issue that I get the most mail about is Windows firewall configuration.
Under normal circumstances, you should be able to open the Control Panel and click on the Security Center link, followed by the Windows Firewall link. This causes Windows to display the Windows Firewall properties sheet, shown in Figure A. You should be able to use this properties sheet to make any necessary firewall configuration changes.
Figure A: This is the Windows Firewall properties sheet.
In some cases, the various configuration options might be grayed out, preventing you from changing the Windows XP firewall configuration. There are two conditions that cause the firewall settings to be unavailable: lack of permissions -- you must have local administrative permissions to change Windows firewall settings -- or a group policy setting.
Keep in mind that group policies are hierarchical in nature. Group policy settings can be applied to the local computer, or they can be applied at the site, domain or Organizational Unit level of the Active Directory. Therefore, if you suspect that a group policy setting may be causing the firewall configuration problem, you may need to check several different group policies before you find the problematic setting.
To check the firewall-related group policy settings, open the Group Policy Object Editor and select the policy that you want to examine. You can find the firewall-related settings at: Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall.
If you look at Figure B, you can see that there are two subcontainers within the Windows Firewall container: Domain Profile and Standard Profile. Windows is designed so that you can use completely different firewall configuration settings, depending on whether or not a user is logged in to the domain. This is important, because a computer could be left completely unprotected during idle times, if firewall settings were only in effect when a user logged into a domain.
Having a domain and a standard firewall profile allows you to enforce firewall settings regardless of whether a user is logged in or not. These settings are particularly important for mobile users, who often connect their laptops to untrusted networks. For these users, you could establish a stringent firewall policy that's implemented through the standard profile and a more relaxed policy that's used for the domain profile.
I am telling you all this to make a point. If you are having trouble configuring a Windows XP firewall, then it's worth paying attention to how you logged into the computer. If you're logging in locally, then your problem is either that the local account lacks the necessary permissions or that a security setting (most likely in the local group policy) within the firewall's domain profile is blocking the modification.
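Both causes described above (missing local administrative permissions and a group policy setting) can be checked from a command prompt on the affected machine. The batch script below is an added example, not part of the original article. It assumes Windows XP SP2 or later with reg.exe, netsh and gpresult available, and that policy-delivered firewall settings are stored under the HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall registry key.

```batch
@echo off
rem Added example: read-only checks for the two causes of grayed-out
rem Windows Firewall settings. Nothing here changes the configuration.
setlocal

echo === 1. Local administrator membership ===
rem Lists direct members only. Membership gained through a nested
rem domain group will not show up in this check.
net localgroup Administrators | find /i "%USERNAME%" >nul
if errorlevel 1 (
    echo %USERNAME% is NOT listed directly in the local Administrators group.
) else (
    echo %USERNAME% is listed in the local Administrators group.
)

echo.
echo === 2. Firewall settings enforced by group policy ===
rem One subkey per profile. Values such as EnableFirewall and
rem DoNotAllowExceptions appear here only when a policy sets them.
set POLKEY=HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall
for %%P in (DomainProfile StandardProfile) do call :checkprofile %%P

echo.
echo === 3. Active profile and operational mode ===
rem Shows which profile (Domain or Standard) is currently in effect.
netsh firewall show state

echo.
echo === 4. Group policy objects applied to this computer ===
rem Narrows down which policy in the hierarchy to open in the editor.
gpresult /scope computer

endlocal
goto :eof

:checkprofile
reg query "%POLKEY%\%1" >nul 2>&1
if errorlevel 1 (
    echo %1: no policy settings present.
) else (
    echo %1: policy settings present:
    reg query "%POLKEY%\%1"
)
goto :eof
```

If step 2 reports values for the profile that step 3 shows as active, the grayed-out options come from policy, and the list from step 4 tells you which policies to open in the Group Policy Object Editor.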
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.