How to configure the Windows firewall using group policies


Source:

http://www.lansweeper.com/kb/6/firewall.html

 

The easiest way to configure the Windows firewall is to use group policies. (This requires an Active Directory domain.)

You need to change the Windows Firewall domain policy (this policy applies to computers when they are connected to your domain).

After creating the policy, it can take several hours before it takes effect on your workstations.



The setting that you need to enable is "Windows Firewall: Allow remote administration exception" or "Windows Firewall: Allow inbound remote administration exception".

You can choose "*" to allow all machines, or enter just the IP address of your Lansweeper server so that only it is allowed.



To verify that the policy is applied on a workstation, you can use the "netsh firewall show state" command:

C:\>netsh firewall show state

Firewall status:
-------------------------------------------------------------------
Profile = Domain
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Enable
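
The check above can be scripted. The following is an added example, not part of the original article or of Lansweeper: it parses the "netsh firewall show state" output and reports which of the three values that show the domain policy is in effect differ from the output above. The function names are hypothetical, and the sample input is constructed to show a workstation where the policy has not applied.

```powershell
# Added example: parse "netsh firewall show state" output into name/value pairs.
function ConvertFrom-FirewallState {
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Settings are printed as "Name = Value"; headers and rulers have no "=".
        if ($line -match '^\s*(.+?)\s*=\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

# Compare the parsed state with the values shown in the article's output.
function Test-FirewallPolicyState {
    param([hashtable]$State)
    $expected = [ordered]@{
        'Profile'              = 'Domain'            # domain profile is active
        'Group policy version' = 'Windows Firewall'  # firewall settings come from a GPO
        'Remote admin mode'    = 'Enable'            # remote administration exception is on
    }
    foreach ($name in $expected.Keys) {
        if ($State[$name] -ne $expected[$name]) {
            "$name is '$($State[$name])', expected '$($expected[$name])'"
        }
    }
}

# Constructed sample: a workstation that has not picked up the domain policy.
# On a live machine use instead:  $lines = netsh firewall show state
$lines = @'
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Group policy version = None
Remote admin mode = Disable
'@ -split "`r?`n"

$problems = @(Test-FirewallPolicyState -State (ConvertFrom-FirewallState -Lines $lines))
if ($problems.Count -eq 0) {
    'Domain firewall policy is applied.'
} else {
    $problems   # one line per setting that differs from the expected value
}
```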


Please read this TechNet article about problems when the domain profile is not working: http://technet.microsoft.com/en-ca/library/bb878049.aspx

To view which GPOs are applied to the client, you can use the gpresult.exe command.

If for some reason you can't apply group policies, you can use the following commands to configure the Windows firewall (save as firewall.cmd):

rem Enable the remote administration exception
call netsh firewall set service RemoteAdmin enable
rem Open TCP port 135 (DCOM)
call netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135