|
|
Hi,
A lot of users in our LAN have admin rights (I know it's bad, but please, it is like that, so please don't blame me about that ;-)).
Some of them have the Windows XP firewall enabled and not configured correctly. By the way, I am not able to detect those computers on the network through a ping, and I cannot force a group policy because the firewall is blocking the traffic too; nor can I remotely request a service state, etc.
My question is: How can I detect computers that are running XP firewall?
Thanks in advance
-- Eric
|
|
Based on the statement that you cannot force a GPO, this hints that the workstations are members of an Active Directory domain. Why not configure a GPO that allows certain things to happen (e.g. remote administration, file sharing, etc.)?
"Eric" <Eric_m[ at ]nospam.hotmail.com> wrote in message news:mn.8bd07d8c92e90201.70874[ at ]nospam.hotmail.com...
|
|
Hi,
Thanks for your answer.
I cannot define a GPO for that because the GPO will not be applied on those computers as the firewall is configured to block incoming traffic.
Thanks
-- Eric
|
|
What is your reason for wanting to detect computers running XP firewall?
If this is to correct this particular problem, then your management should realize that you are fighting a losing battle if the users have admin rights. You can't be considered responsible for something you are not allowed to have the tools to enforce.
You might try running a script to ping all the computers defined in AD. Those that do not respond either have the firewall turned on, or they are turned off or disconnected. If you run this script regularly, you could conclude that any computer that responds only some of the time does so because it is turned off, not because of the firewall issue.
Do you run a logon script? If so, you could add code to detect the firewall settings from the client side, and log the results to a server. For some ideas, see:
http://www.rlmueller.net/Logon5.htm
/Al
"Eric" <Eric_m[ at ]nospam.hotmail.com> wrote in message news:mn.93017d8cc5c41f5b.70874[ at ]nospam.hotmail.com...
|
|
Hello Eric,
You are the domain admin, so configure your firewall with GPO according to the document (see link) and collect all the machines that you can't ping. Or do it the harder way: disable the computer accounts in AD, so that the users of those machines have to call your helpdesk, and then you can enable the firewall and get the GPO running. Of course, talk to your boss about the disabling, so that you are on the safe side.
http://technet.microsoft.com/en-us/library/bb490626.aspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
|
|
I think I'm still missing something about your environment... if Windows XP is a member of an Active Directory domain, then the member workstation should pull the GPO every 9 hours or the next time the system boots when connected to the corporate network.
"Eric" <Eric_m[ at ]nospam.hotmail.com> wrote in message news:mn.93017d8cc5c41f5b.70874[ at ]nospam.hotmail.com...
|
|
No, because the GPO is blocked by XP firewall; this is my problem ;p)
-- Eric
|
|
Hi,
Thanks for your answer. I am not able to configure a firewall GPO for them because GPOs are not applied on their computers, because the firewall is enabled (and not configured to allow the traffic needed by GPO).
Disabling computer accounts is a hard method but should work effectively; I will dig further in this direction.
I will also try with NMAP and the OS fingerprint, which would be able to show me those computers.
If you have other ideas, please let me know! ;-)
Thanks !
-- Eric
|
|
Hey,
I have found a way with NMAP (command: nmap -O -sS -p 80,139,140 -P0 10.120.2.0/24)
If ports are filtered, then the firewall is ON.
If ports (like 140) are closed, then the firewall is OFF :)
Thanks and hope this helps =))
-- Eric
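Added example (not part of any poster's message): Python that applies Eric's filtered/closed rule to the results of several runs of his scan, and uses Al's repeated-run reasoning to separate firewalled hosts from ones that were simply switched off during a run. It assumes each run was saved with nmap's grepable output option (`-oG`); the sample lines, host addresses and verdict wording are constructed.

```python
from collections import defaultdict

def _line(ip, s80, s139, s140):
    """Build one constructed 'Host:' line in nmap -oG (grepable) layout."""
    return (f"Host: {ip} ()\tPorts: 80/{s80}/tcp//http///, "
            f"139/{s139}/tcp//netbios-ssn///, 140/{s140}/tcp//emfis-data///")

F, C, O = "filtered", "closed", "open"
# Constructed sample: three runs of the scan, taken at different times.
SCANS = [
    [_line("10.120.2.11", C, O, C), _line("10.120.2.12", F, F, F),
     _line("10.120.2.13", F, F, F), _line("10.120.2.14", F, O, F)],
    [_line("10.120.2.11", C, O, C), _line("10.120.2.12", F, F, F),
     _line("10.120.2.13", C, C, C), _line("10.120.2.14", F, O, F)],
    [_line("10.120.2.11", C, O, C), _line("10.120.2.12", F, F, F),
     _line("10.120.2.13", F, F, F), _line("10.120.2.14", F, O, F)],
]

def port_states(line):
    """Return (host, {port: state}) for a grepable line, or None for other lines."""
    if not line.startswith("Host:") or "Ports: " not in line:
        return None
    host = line.split()[1]
    field = line.split("Ports: ", 1)[1].split("\t")[0]
    states = {}
    for entry in field.split(","):
        port, state = entry.strip().split("/")[:2]
        states[int(port)] = state
    return host, states

def observe(states):
    """One run: 'rst' if any port is closed, 'silent' if all filtered, else 'partial'."""
    vals = set(states.values())
    if "closed" in vals:
        return "rst"          # the stack answered an unused port: nothing is filtering
    return "silent" if vals == {"filtered"} else "partial"

def classify(scans):
    """Combine per-run observations into one verdict per host."""
    seen = defaultdict(list)
    for scan in scans:
        for parsed in filter(None, map(port_states, scan)):
            seen[parsed[0]].append(observe(parsed[1]))
    verdicts = {}
    for host, obs in seen.items():
        if "rst" in obs:      # -P0 makes an offline host look all-filtered too
            verdicts[host] = "firewall off" + (" (offline in some runs)" if "silent" in obs else "")
        elif "partial" in obs:
            verdicts[host] = "firewall on, with exceptions"
        else:
            verdicts[host] = "firewall on or host never online"
    return verdicts
```

Because `-P0` skips host discovery, an address with no machine behind it also reports every port as filtered, which is why the last verdict stays ambiguous until it is checked against the AD computer list.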
|
|
In message <mn.9a5a7d8cc49e8ff7.70874[ at ]nospam.hotmail.com> Eric <Eric_m[ at ]nospam.hotmail.com> was claimed to have wrote:
> No, because the GPO is blocked by XP firewall; this is my problem ;p)
How so? Despite the nomenclature of "pushing" changes via GP, GPs are pulled, not pushed. XP's firewall is inbound only; sessions that are via outbound connections are always permitted. This should be enough for your group policies to reconfigure the firewall as needed.
Now, I haven't done a ton of testing, but I did go as far as to turn on XP's firewall (XP SP3, joined to a domain, but without any firewall-related policies) and turn off all the firewall exceptions. Then I moved the machine to an OU that would disable its firewall, came back a few hours later, and the firewall was off via GP.
|
|
|