Step 5: Adding the Setting that Prevents Local Administrators from Applying Conflicting Rules

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

In this step, you configure and test a setting that prevents firewall rules created by local administrators from being applied to the computer and possibly conflicting with the GPO-deployed rules.

By default, members of the local Administrators group on the computer can use Windows Firewall with Advanced Security to create and enable firewall and connection security rules. These local rules are then merged with the rules received from Group Policy and applied to the computer's active configuration. The setting described in this section prevents the locally defined rules from merging with the rules that are contained in the deployed GPOs.

Important

Although this setting prevents a local administrator from applying a rule, it also prevents Windows Firewall with Advanced Security from prompting the user about a new program and creating an inbound rule when the user approves. If you enable this setting, you must make sure that every program that requires firewall rules has the correct rules defined in your GPOs.

To confirm that a local administrator can create a conflicting rule

  1. On CLIENT1, at the administrator command prompt, run ping dc1.

    The ping command works, which indicates that CLIENT1 can communicate with DC1.

  2. Start the Windows Firewall with Advanced Security snap-in.

  3. Under Windows Firewall with Advanced Security, right-click Outbound Rules, and then click New Rule.

  4. On the Rule Type page of the New Outbound Rule Wizard, click Custom, and then click Next.

  5. On the Program page, select All programs, and then click Next.

  6. On the Protocol and Ports page, use the default settings, and then click Next.

  7. On the Scope page, use the default settings, and then click Next.

  8. On the Action page, use the default settings, and then click Next.

  9. On the Profile page, clear the check boxes for Private and Public, but leave Domain selected, and then click Next.

  10. On the Name page, enter the name A Test Rule (use an 'A' as the first character to ensure the rule appears at the top of the list), and then click Finish.

    This creates a firewall rule that blocks all network traffic, effectively breaking communications for the computer.

  11. Return to the Command Prompt window, and run ping dc1 again.

    The ping command fails, as shown in the lower half of the following figure, because the local firewall rule blocks outgoing communications.

  12. In the Windows Firewall with Advanced Security snap-in, click Outbound Rules in the navigation pane, right-click A Test Rule, and then click Disable Rule. You must disable the rule to re-enable communication for the next steps.

  13. Leave the Administrator: Command Prompt window and Windows Firewall with Advanced Security snap-in open.
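The same test, scripted with netsh so it can be repeated from an elevated prompt on CLIENT1. This is an added example and is not part of the original step-by-step guide; it assumes an elevated PowerShell session on CLIENT1, that DC1 answers ping before the rule exists, and uses the rule name A Test Rule from the procedure above. The rule is written to the local store exactly as the wizard does (custom, all programs, any protocol, block, Domain profile only), so the second ping check should fail and the third should succeed again once the rule is disabled.

```powershell
# Added example, not from the original guide: scripts the "confirm that a
# local administrator can create a conflicting rule" procedure with netsh.
# Assumes an elevated PowerShell session on CLIENT1 and that dc1 resolves.

$RuleName = 'A Test Rule'

function New-TestBlockRule {
    # Same rule the wizard builds: outbound, all programs, any protocol and
    # port, action block, Domain profile only. netsh writes it to the local
    # (non-GPO) rule store, which is what the merge setting later controls.
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block profile=domain enable=yes | Out-Null
}

function Set-TestBlockRuleState {
    # Equivalent of Enable Rule / Disable Rule in the snap-in.
    param([ValidateSet('yes', 'no')][string]$Enable)
    netsh advfirewall firewall set rule name="$RuleName" new enable=$Enable | Out-Null
}

function Remove-TestBlockRule {
    # Equivalent of Delete in the snap-in; used at the end of the lab.
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
}

function Test-Dc1Reachable {
    # Equivalent of "ping dc1": $true if at least one echo reply arrives.
    $reply = Test-Connection -ComputerName dc1 -Count 2 -ErrorAction SilentlyContinue
    return ($reply -ne $null)
}

"Before the local rule exists:      reachable = $(Test-Dc1Reachable)"
New-TestBlockRule
"With the local block rule enabled: reachable = $(Test-Dc1Reachable)"
Set-TestBlockRuleState -Enable no
"With the local block rule disabled: reachable = $(Test-Dc1Reachable)"
```

Leave the rule in place but disabled, as step 12 does, so the next procedures can re-enable it after the GPO change and show that it no longer takes effect.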

In the next procedure, you modify the GPO assigned to the client computer to prevent locally defined rules from being merged and applied to the active firewall configuration. Also, you disable the notification that asks the user whether to allow a program for which there are no rules.

To prevent the computer from using rules and settings defined by local administrators

  1. On MBRSVR1, in Group Policy Management, click Group Policy Objects, right-click Firewall Settings for Windows Clients, and then click Edit.

  2. In Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Windows Firewall with Advanced Security.

  3. Right-click Windows Firewall with Advanced Security - LDAP://cn={GUID},cn=policies,cn=system,DC=contoso,DC=com, and then click Properties.

  4. On the Domain Profile tab, in the Settings section, click Customize.

  5. Change the Display a notification setting to No. This prevents Windows from displaying a notification to the user whenever a program is blocked.

  6. In the Rule merging section, change the Apply local firewall rules list to No.

  7. In the Rule merging section, change the Apply local connection security rules list to No.

  8. Click OK two times to return to Group Policy Management Editor.

In the next step, you refresh Group Policy on CLIENT1, and then confirm that locally defined rules cannot block network communications.

To test your new restrictions on local administrators

  1. On CLIENT1, in Administrator: Command Prompt, run gpupdate /force. Wait until the command finishes.

  2. In the Windows Firewall with Advanced Security snap-in, in the list of Outbound Rules, right-click A Test Rule, and then click Enable Rule.

  3. In Administrator: Command Prompt, run ping dc1.

    The ping command works even though A Test Rule appears to be enabled. The rule is listed as enabled on the local computer, but when you set Apply local firewall rules to No on the GPO in the previous procedure, you blocked the merging of local rules with the rules delivered in the GPO.

  4. In the navigation pane of the Windows Firewall with Advanced Security snap-in, expand Monitoring, and then click Firewall to see the list of rules active on the local computer.

    No rules are listed. You have not yet created any rules applied by GPO, and no local rules are active because of the settings that you included in the GPO.

  5. Before proceeding, delete your rule. On CLIENT1, in the navigation pane, click Outbound Rules. In the results pane, right-click A Test Rule, click Delete, and then click Yes on the confirmation dialog box.

  6. Leave both Administrator: Command Prompt and the Windows Firewall with Advanced Security snap-in open.
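A scripted version of the checks in this procedure, for CLIENT1 after gpupdate /force has run. This is an added example, not part of the original guide. It assumes an elevated PowerShell session on CLIENT1. The registry path is the location where Group Policy delivers the Windows Firewall with Advanced Security Domain Profile settings, and the value names AllowLocalPolicyMerge, AllowLocalIPsecPolicyMerge and DisableNotifications correspond to the three settings changed in the GPO (a value of 0 for the first two and 1 for the third matches Apply local firewall rules = No, Apply local connection security rules = No and Display a notification = No). The parsing of the netsh output assumes the label text shown in its comments; if your build prints the labels differently, adjust the regular expressions.

```powershell
# Added example, not from the original guide: verifies on CLIENT1 that the
# GPO blocked local rule merging and that no local rule is active.
# Assumes an elevated PowerShell session after "gpupdate /force".

function Get-DomainProfilePolicy {
    # Policy values written by Group Policy for the Domain profile.
    # 0 = "No" in the GPO editor for the merge settings; a missing value
    # means "Not configured", which leaves the default (merging allowed).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        LocalFirewallRulesMerged = $p.AllowLocalPolicyMerge
        LocalConSecRulesMerged   = $p.AllowLocalIPsecPolicyMerge
        NotificationsDisabled    = $p.DisableNotifications
    }
}

function Get-EffectiveDomainProfile {
    # Effective profile settings as netsh reports them. Once the GPO blocks
    # merging, LocalFirewallRules shows "N/A (GPO-store only)".
    $text = netsh advfirewall show domainprofile
    $result = @{}
    foreach ($line in $text) {
        if ($line -match '^(LocalFirewallRules|LocalConSecRules|InboundUserNotification)\s+(.+)$') {
            $result[$matches[1]] = $matches[2].Trim()
        }
    }
    return $result
}

function Get-ActiveFirewallRuleNames {
    # Same information as Monitoring > Firewall in the snap-in: only rules
    # that are actually applied. Assumes each rule prints a "Rule Name:" line.
    $text = netsh advfirewall monitor show firewall rule name=all
    $names = @()
    foreach ($line in $text) {
        if ($line -match '^Rule Name:\s+(.+)$') { $names += $matches[1].Trim() }
    }
    return $names
}

function Test-LocalRulesBlocked {
    # Returns an empty list when every check passes; otherwise one line per
    # finding that indicates local rules could still take effect.
    $policy    = Get-DomainProfilePolicy
    $effective = Get-EffectiveDomainProfile
    $problems  = @()

    if ($policy.LocalFirewallRulesMerged -ne 0) { $problems += 'AllowLocalPolicyMerge is not 0 (local firewall rules may merge)' }
    if ($policy.LocalConSecRulesMerged -ne 0)   { $problems += 'AllowLocalIPsecPolicyMerge is not 0 (local connection security rules may merge)' }
    if ($policy.NotificationsDisabled -ne 1)    { $problems += 'DisableNotifications is not 1 (users will still be prompted)' }

    if ($effective['LocalFirewallRules'] -notmatch 'GPO-store only') {
        $problems += "netsh reports LocalFirewallRules = $($effective['LocalFirewallRules'])"
    }

    # With A Test Rule enabled locally, it must still be absent from the active set.
    $active = Get-ActiveFirewallRuleNames
    if ($active -contains 'A Test Rule') { $problems += 'A Test Rule is active despite the GPO setting' }

    return $problems
}

$findings = Test-LocalRulesBlocked
if ($findings.Count -eq 0) {
    'OK: local rules are not merged and no local rule is active.'
} else {
    $findings | ForEach-Object { "PROBLEM: $_" }
}
```

Run it once before step 5 deletes A Test Rule, while the rule is still enabled locally, so the last check exercises the case the procedure is about: the rule shows as enabled in Outbound Rules but does not appear under Monitoring > Firewall and does not affect ping dc1.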

Next step: Step 6: Configuring the Rest of Your Client Computer Firewall Settings