|
|
I have tried endlessly to get this "firewall" to work. Maybe it's a firewall against my attempts!
Many access avenues (control panel, admin tools) but each unable to do what I want. Endless lists of cryptic blocked 'things' on various networks (private, domain, public). But I don't know what they are even after reading the help. My compliments to the help writers. I have a BS in Mechanical Engineering and have set up many networks. Maybe the US university education system isn't up to MS standards.
But I quit....sorry. I'll get a simple 3rd party firewall that is one interface, not three and hopefully will be compatible with Vista (unlike Outpost). Now to see if I can totally remove all of the alleged firewall. Hopefully the "service" will be a good start.
|
|
LOL, you got a point to all that?
|
|
The point is that the Windows firewall, to me, is an overly complex format for a simple concept. The old adage of KISS is no longer part of software design. New products have to have new bells and whistles. It's not only a software issue but also an automobile issue--look at the latest electronics in cars. Maybe some people have endless hours to try and figure out how it should work. As a Win2000 user with 3rd party firewalls, I know what I do like and unfortunately the Vista firewall does not suit my taste. But I respect those who love it. They're much brighter than I am.
"Poprivet" <poprivet[ at ]devnull.spamcop.net> wrote in message news:ujfK79jpHHA.3880[ at ]TK2MSFTNGP04.phx.gbl...
|
|
What is it you're trying to set up?
Depending on the complexity of what you want, we might be able to narrow down the tools and options. Eg, 'this is my home machine that never leaves the den and is only connected to the internet' would require a much lower complexity than 'this is my laptop that docks at home, goes to work with me, and surfs the web at the coffee shop during lunch'.
So, some basic items to know are:
1) mobility of device
2) access requirements from external locations, eg file sharing, home web site
3) IPv6 usage
It's quite possible that for your needs, having everything turned off except the 'notify me when an application wants to receive connections' will do the trick.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <me[ at ]myhome.net> wrote in message news:uzx%23HsjpHHA.4112[ at ]TK2MSFTNGP04.phx.gbl...
|
|
I appreciate your reply, David. I have a home computer on a local house network with DSL access to the Internet via a wireless router. I have set up my account with Administrative privileges.
Now my first obstacle in the Control Panel Windows Firewall applet is reading "For your security some settings are controlled by Group Policy". Okay, I'm an administrator so I should still have full access to all firewall settings yet I am unable to even turn on the firewall due to the choices in Windows Firewall Settings being greyed. So I guess I am not running the firewall according to this applet. The Firewall service is running so what's happening?
Okay, then off to Admin Tools Applet for some relief. I open Windows Firewall With Advanced Security on the Local Computer. Again I am greeted by "For your security some settings are controlled by Group Policy". But now I wonder if there is another "Group" besides User Groups. Well I keep going forward anyway.
Domain and Private profile are both OFF while Public is ON. Why was I told Windows firewall was off in the Control Panel applet if Public is on? Is it really ON? Which applet do I believe? Again, too many ways to access one program, IMHO--KISS.
Fair enough. But when I choose the Domain Profile tab it's all greyed out? Have I hit the Group Policy demon here? Same with Private tab. Even the Public Profile only lets me change the Inbound Connections through the dropdown-Block(default) or Block All. I guess the difference is one Block uses rules where the Block All doesn't, but that's just a guess. Why is everything greyed? How can I configure what I can't access?
Then I look at the Inbound Rules for each Setting-Public, Private and Domain. Forgive me but I don't think anyone other than a software engineer would understand what those rules mean and if I want them enforced. If someone were trying to troubleshoot a firewall issue, he/she'd need a PhD.
Possibly something's missing in my laptop setup that came with Vista preinstalled. There's certainly enough extra software garbage to start a land fill courtesy of MS, Lenovo and others. I may give the firewall another try if I ever figure out how to even turn it on and off and configure it. I applaud all of those who understand this application and hope it's working as you think it should because until you understand all those cryptic rules, do you really know what you're letting in and out of your computer?
Respectfully,
John
----- Original Message -----
From: "David Beder [MSFT]" <dbeder[ at ]online.microsoft.com>
Newsgroups: microsoft.public.windows.networking.firewall
Sent: Monday, June 04, 2007 1:00 AM
Subject: Re: I Guess I Don't Get it.
|
|
Sounds like there is another firewall installed on the box, or had been. The 'settings controlled by Group Policy' in the absence of you actually defining such settings, typically points to some other software trying its best to keep you from enabling Windows Firewall. This in itself isn't necessarily malicious behavior as having multiple firewalls competing on a machine can be problematic to proper internet connectivity. However if that other firewall is not running, it's rather rude to leave Windows Firewall in such a hobbled state.
As for profiles (Domain, Public, Private) being 'on', this is a concept that's not directly linked to the state of the firewall, but instead to the 'location' state of the machine itself. Since this is a home machine, not joined to a corporate domain, while maintaining a direct link to the internet via your wireless DSL, the computer considers itself to be in a Public environment. This decision can be overwritten should you decide that's of interest, but let's leave that to a separate discussion. The snap-in is simply indicating this global setting as a hint to which set of out-of-box settings might be applicable, thus saving one from configuring settings that would never be applied.
Under typical circumstances the control panel should be sufficient to get you going such that you wouldn't need to know the advanced snap-in exists. That interface is intended for advanced users who want to really fine tune behavior in both directions (inbound and outbound connections) and 'location', as well as define IPsec protection policies. In most scenarios, the intended user is a company IT professional. As for needing a PhD, I certainly understand that sentiment, though personally I can attest that simply having a masters in aerospace (ie rocket science) is sufficient.:)
Ok, so we've established that the Windows Firewall service is running (otherwise you encounter other errors) but that some out of box settings have locked it down from working. The next step is to determine whether indeed a different set of software is securing your computer. Once that's established you can decide whether you prefer that solution over Windows Firewall, or whether you want to remove the Group Policy lockdown settings.
To that end, launch the Security Center control panel and see what it lists as your installed firewall. There should be a tray icon, probably in the shape of a yellow shield with a ! in the middle. I'll have to leave it to you to decide if the software registered is what you want.
If it isn't what you want, launch regedit and delete the HKLM\Software\Policies\Microsoft\Windows Firewall key. This should unblock the control panel so that you can select the 'on' option on the General tab and select the 'notify me' checkbox on the Exceptions tab. I'd leave all the default exceptions unchecked until you bump into certain types of connections that require them.
At this point WF would be enabled so go back to the other firewall and turn it off. If that software package provides other services like Anti-Virus, do not disable those features as Windows Firewall does not provide that functionality. If needed, go back to Security Center and tell it that Windows Firewall is your current firewall, that way it doesn't pop up security warnings about the other software being turned off, and will indeed warn you if something re-hobbles Windows Firewall.
yeah, ok, as a last paranoid step, reboot and re-launch the Windows Firewall control panel just to make sure something hasn't gone and reset the regkey underneath you.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <me[ at ]myhome.net> wrote in message news:u3EYS6spHHA.208[ at ]TK2MSFTNGP05.phx.gbl...
|
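The checks David walks through in the post above (which firewall Security Center has registered, whether the policy key exists, and whether it has come back after a reboot), as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt and PowerShell 3.0 or later; the key is stored in the registry as `WindowsFirewall` (no space), and the backup folder and the `-Remove` switch are choices made for this example.

```powershell
# Added example: audit the Windows Firewall policy overrides described in the thread.
# Read-only unless -Remove is given; -Remove exports a .reg backup before deleting.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    # Assumed backup location for this example; change as needed.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'fw-policy-backup')
)

# The key name has no space in the registry itself.
$PolicyPs  = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$PolicyReg = 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyValues {
    # One object per value under the policy key and its subkeys; nothing if the key is absent.
    if (-not (Test-Path $PolicyPs)) { return }
    $keys = @(Get-Item $PolicyPs) + @(Get-ChildItem $PolicyPs -Recurse)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
}

function Get-RegisteredFirewall {
    # Firewall products registered with Security Center (client editions of Windows only).
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName FirewallProduct `
        -ErrorAction SilentlyContinue | Select-Object displayName, productState
}

# 1. Which policy values are overriding the local settings (the greyed-out controls)?
$values = @(Get-FirewallPolicyValues)
if ($values.Count -eq 0) {
    Write-Output "$PolicyReg is absent or empty; no registry policy is locking Windows Firewall."
} else {
    Write-Output 'Policy values overriding the local firewall settings:'
    $values | Format-Table -AutoSize | Out-String
}

# 2. Is a third-party firewall still registered with Security Center?
$registered = @(Get-RegisteredFirewall)
if ($registered.Count -eq 0) {
    Write-Output 'No third-party firewall is registered with Security Center.'
} else {
    Write-Output 'Firewall products registered with Security Center:'
    $registered | Format-Table -AutoSize | Out-String
}

# 3. What is actually in effect for each profile (Domain, Private, Public)?
Write-Output 'Effective per-profile state:'
netsh advfirewall show allprofiles state

# 4. Optional: back up the policy key, then remove it.
if ($Remove -and $values.Count -gt 0) {
    if ($PSCmdlet.ShouldProcess($PolicyReg, 'Back up and remove policy key')) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $BackupDir "WindowsFirewall-policy-$stamp.reg"
        reg.exe export $PolicyReg $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; policy key left untouched.' }
        Remove-Item -Path $PolicyPs -Recurse -Force
        Write-Output "Policy key removed. Backup saved to $backup"
        Write-Output 'Run this script again after a reboot to confirm the key has not returned.'
    }
}
```

Running it with no arguments only reports; add `-Remove -WhatIf` to see what would be deleted without changing anything.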
|
David, you are a scholar and a gentleman for taking the time and giving me such a thorough explanation of the intricacies of Windows Firewall.
I did install and then uninstall another firewall-Outpost. Possibly that's what's causing the Control Panel Windows Firewall applet to not allow me access to turning on the Windows Firewall (WF). I get the "Security Center can't turn on WF." I then choose the "Turn of Manually" which leads to the greyed out Windows Firewall Settings dialog box. However the Public Profile box in the Administrative Tools: WF and Advanced Security applet shows the firewall on. However when I specifically block an installed application and then try to use that application, it is able to access the Internet. So apparently WF is not on despite what the WF and Advanced Security applet shows.
I have gone through the registry and weeded all references to the previous Outpost Installation. Possibly there's still a registry key I need to change so WF does not think there's another firewall present in the system. I am also going to review the properties of my network connection to be sure Windows sees it as a Public Policy network. I'll let you know how things go.
Many thanks for all your assistance.
Maybe I should attack the problem through Group Policy Editor.
"David Beder [MSFT]" <dbeder[ at ]online.microsoft.com> wrote in message news:OeegCtzpHHA.4872[ at ]TK2MSFTNGP03.phx.gbl...
|
|
I finally found the Group Policy plugin for mmc and have begun to address the firewall rights issue. It's the only avenue where all firewall policies are addressable. It seems that despite an Internet connection, the Windows Network wants to consider my network a Private Policy. So I'll continue on. I also found the Software-MS-Policy-Firewall reg key to open a few more doors. I'm still getting error messages from the Control Panel Firewall applet. But that will pass soon. Will keep everyone (who cares) informed of my progress or lack thereof.
"John" <me[ at ]myhome.net> wrote in message news:OEg9JQ4pHHA.2652[ at ]TK2MSFTNGP02.phx.gbl...
|
|
How are things going?
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
"John" <me[ at ]myhome.net> wrote in message news:uEusNQ7pHHA.1244[ at ]TK2MSFTNGP04.phx.gbl...
> I finally found the Group Policy plugin for mmc and have begun to address the firewall rights issue. It's the only avenue where all firewall policies are addressable. It seems that despite an Internet connection, the Windows Network wants to consider my network a Private Policy. So I'll continue on. I also found the Software-MS-Policy-Firewall reg key to open a few more doors. I'm still getting error messages from the Control Panel Firewall applet. But that will pass soon. Will keep everyone (who cares) informed of my progress or lack thereof.
>
> "John" <me[ at ]myhome.net> wrote in message news:OEg9JQ4pHHA.2652[ at ]TK2MSFTNGP02.phx.gbl...
>> David, you are a scholar and a gentleman for taking the time and giving me such a thorough explanation of the intricacies of Windows Firewall.
>>
>> I did install and then uninstall another firewall-Outpost. Possibly that's what's causing the Control Panel Windows Firewall applet to not allow me access to turning on the Windows Firewall (WF). I get the "Security Center can't turn on WF." I then choose the "Turn of Manually" which leads to the greyed out Windows Firewall Settings dialog box. However the Public Profile box in the Administrative Tools: WF and Advanced Security applet shows the firewall on. However when I specifically block an installed application and then try to use that application, it is able to access the Internet. So apparently WF is not on despite what the WF and Advanced Security applet shows.
>>
>> I have gone through the registry and weeded all references to the previous Outpost Installation. Possibly there's still a registry key I need to change so WF does not think there's another firewall present in the system. I am also going to review the properties of my network connection to be sure Windows sees it as a Public Policy network. I'll let you know how things go.
>>
>> Many thanks for all your assistance.
>>
>> Maybe I should attack the problem through Group Policy Editor.
>>
>> "David Beder [MSFT]" <dbeder[ at ]online.microsoft.com> wrote in message news:OeegCtzpHHA.4872[ at ]TK2MSFTNGP03.phx.gbl...
>>> Sounds like there is another firewall installed on the box, or had been. The 'settings controlled by Group Policy' in the absence of you actually defining such settings, typically points to some other software trying its best to keep you from enabling Windows Firewall. This in itself isn't necessarily malicious behavior as having multiple firewalls competing on a machine can be problematic to proper internet connectivity. However if that other firewall is not running, it's rather rude to leave Windows Firewall in such a hobbled state.
>>>
>>> As for profiles (Domain, Public, Private) being 'on', this is a concept that's not directly linked to the state of the firewall, but instead to the 'location' state of the machine itself. Since this is a home machine, not joined to a corporate domain, while maintaining a direct link to the internet via your wireless DSL, the computer considers itself to be in a Public environment. This decision can be overwritten should you decide that's of interest, but let's leave that to a separate discussion. The snap-in is simply indicating this global setting as a hint to which set of out-of-box settings might be applicable, thus saving one from configuring settings that would never be applied.
>>>
>>> Under typical circumstances the control panel should be sufficient to get you going such that you wouldn't need to know the advanced snap-in exists. That interface is intended for advanced users who want to really fine tune behavior in both directions (inbound and outbound connections) and 'location', as well as define IPsec protection policies. In most scenarios, the intended user is a company IT professional. As for needing a PhD, I certainly understand that sentiment, though personally I can attest that simply having a masters in aerospace (ie rocket science) is sufficient. :)
>>>
>>> Ok, so we've established that the Windows Firewall service is running (otherwise you encounter other errors) but that some out of box settings have locked it down from working. The next step is to determine whether indeed a different set of software is securing your computer. Once that's established you can decide whether you prefer that solution over Windows Firewall, or whether you want to remove the Group Policy lockdown settings.
>>>
>>> To that end, launch the Security Center control panel and see what it lists as your installed firewall. There should be a tray icon, probably in the shape of a yellow shield with a ! in the middle. I'll have to leave it to you to decide if the software registered is what you want.
>>>
>>> If it isn't what you want, launch regedit and delete the HKLM\Software\Policies\Microsoft\Windows Firewall key. This should unblock the control panel so that you can select the 'on' option on the General tab and select the 'notify me' checkbox on the Exceptions tab. I'd leave all the default exceptions unchecked until you bump into certain types of connections that require them.
>>>
>>> At this point WF would be enabled so go back to the other firewall and turn it off. If that software package provides other services like Anti-Virus, do not disable those features as Windows Firewall does not provide that functionality. If needed, go back to Security Center and tell it that Windows Firewall is your current firewall, that way it doesn't pop up security warnings about the other software being turned off, and will indeed warn you if something re-hobbles Windows Firewall.
>>>
>>> yeah, ok, as a last paranoid step, reboot and re-launch the Windows Firewall control panel just to make sure something hasn't gone and reset the regkey underneath you.
>>>
>>> --
>>> David
>>> Microsoft Windows Networking
>>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>>
>>> "John" <me[ at ]myhome.net> wrote in message news:u3EYS6spHHA.208[ at ]TK2MSFTNGP05.phx.gbl...
>>>> I appreciate your reply, David. I have a home computer on a local house network with DSL access to the Internet via a wireless router. I have set up my account with Administrative privileges.
>>>>
>>>> Now my first obstacle in the Control Panel Windows Firewall applet is reading "For your security some settings are controlled by Group Policy". Okay, I'm an administrator so I should still have full access to all firewall settings yet I am unable to even turn on the firewall due to the choices in Windows Firewall Settings being greyed. So I guess I am not running the firewall according to this applet. The Firewall service is running so what's happening?
>>>>
>>>> Okay, then off to Admin Tools Applet for some relief. I open Windows Firewall With Advanced Security on the Local Computer. Again I am greeted by "For your security some settings are controlled by Group Policy". But now I wonder if there is another "Group" besides User Groups. Well I keep going forward anyway.
>>>>
>>>> Domain and Private profile are both OFF while Public is ON. Why was I told Windows firewall was off in the Control Panel applet if Public is on? Is it really ON? Which applet do I believe? Again, too many ways to access one program, IMHO--KISS.
>>>>
>>>> Fair enough. But when I choose the Domain Profile tab it's all greyed out? Have I hit the Group Policy demon here? Same with Private tab. Even the Public Profile only lets me change the Inbound Connections through the dropdown-Block(default) or Block All. I guess the difference is one Block uses rules where the Block All doesn't, but that's just a guess. Why is everything greyed? How can I configure what I can't access?
>>>>
>>>> Then I look at the Inbound Rules for each Setting-Public, Private and Domain. Forgive me but I don't think anyone other than a software engineer would understand what those rules mean and if I want them enforced. If someone were trying to troubleshoot a firewall issue, he/she'd need a PhD.
>>>>
>>>> Possibly something's missing in my laptop setup that came with Vista preinstalled. There's certainly enough extra software garbage to start a land fill courtesy of MS, Lenovo and others. I may give the firewall another try if I ever figure out how to even turn it on and off and configure it. I applaud all of those who understand this application and hope it's working as you think it should because until you understand all those cryptic rules, do you really know what you're letting in and out of your computer?
>>>>
>>>> Respectfully,
>>>>
>>>> John
>>>>
>>>> ----- Original Message -----
>>>> From: "David Beder [MSFT]" <dbeder[ at ]online.microsoft.com>
>>>> Newsgroups: microsoft.public.windows.networking.firewall
>>>> Sent: Monday, June 04, 2007 1:00 AM
>>>> Subject: Re: I Guess I Don't Get it.
>>>>
>>>>> What is it you're trying to set up?
>>>>>
>>>>> Depending on the complexity of what you want, we might be able to narrow down the tools and options. Eg, 'this is my home machine that never leaves the den and is only connected to the internet' would require a much lower complexity than 'this is my laptop that docks at home, goes to work with me, and surfs the web at the coffee shop during lunch'.
>>>>>
>>>>> So, some basic items to know are:
>>>>> 1) mobility of device
>>>>> 2) access requirements from external locations, eg file sharing, home web site
>>>>> 3) IPv6 usage
>>>>>
>>>>> It's quite possible that for your needs, having everything turned off except the 'notify me when an application wants to receive connections' will do the trick.
>>>>>
>>>>> --
>>>>> David
>>>>> Microsoft Windows Networking
>>>>> This posting is provided "AS IS" with no warranties, and confers no rights.
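
A read-only way to check the three things the procedure quoted above relies on (the firewall product registered with Security Center, the policy key, and the effective per-profile state), as an added example that is not part of the original thread. It assumes Windows PowerShell 2.0 or later on Vista SP1 or newer; the function name and the probing of two key spellings are choices made here.

```powershell
# Added example: read-only checks, nothing is modified or deleted.
# Assumes Windows PowerShell 2.0+ on a client edition of Windows (Vista SP1 or later).

# The thread writes the key as "Windows Firewall"; Group Policy stores it as
# "WindowsFirewall" (no space), so both spellings are probed.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Firewall'
)

function Get-FirewallPolicyValue {
    param([string[]]$Root)
    foreach ($path in $Root) {
        if (-not (Test-Path -Path $path)) { continue }
        # Root key plus all subkeys: per-profile policy lives in subkeys.
        $keys = @(Get-Item -Path $path) +
                @(Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key = $key.Name; Name = $name; Value = $key.GetValue($name)
                }
            }
        }
    }
}

# 1. Firewall products registered with Security Center.
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class FirewallProduct -ErrorAction SilentlyContinue |
    Format-Table displayName, productState -AutoSize | Out-String

# 2. Policy values that override the control panel. Run again after the reboot:
#    an empty result means nothing has re-created the key.
$values = @(Get-FirewallPolicyValue -Root $policyRoots)
if ($values.Count -eq 0) {
    'No Windows Firewall policy values found under the probed keys.'
} else {
    $values | Sort-Object Key, Name | Format-Table Key, Name, Value -AutoSize | Out-String
    # EnableFirewall = 0 in a profile subkey is a policy forcing that profile off.
    $values | Where-Object { $_.Name -eq 'EnableFirewall' -and $_.Value -eq 0 } |
        ForEach-Object { "Policy forces the firewall OFF in: $($_.Key)" }
}

# 3. Effective per-profile state, independent of what either applet displays.
netsh advfirewall show allprofiles state
```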
|
|
|