
Group:  English: Windows Vista » microsoft.public.windows.vista.installation_setup
Thread: network locations


network locations
James Bond <jbond[ at ]007.com> 12/9/2008 7:21:28 AM
What is the go with network locations?

It is stuffing up my firewall group policies from applying. How is
this all supposed to work?

I am now connected as public. How does it determine this?
Re: network locations
Malke <malke[ at ]invalid.invalid> 12/9/2008 1:04:13 PM
James Bond wrote:

> What is the go with network locations?
>
> It is stuffing up my firewall group policies from applying. How is
> this all supposed to work?
>
> I am now connected as public. How does it determine this?

It would be helpful to know:

1. How your network is set up;
2. What error messages you get (quoted, not paraphrased);
3. What firewall you're running;
4. If this is a domain member workstation and if yes, what server OS you
have.

Basically, a private network is a Local Area Network that is trusted.
Private will allow you to share files/printers. A public network is one
that is exposed. For instance, you'd want to use "public" with a standalone
computer connected directly to a cable/DSL modem. If this is a home
computer on a network where you want to share files/printers with other
computers on the network or a domain member that must connect to the
server, set the properties on that network to "private".

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ

Re: network locations
James Bond <jbond[ at ]007.com> 12/9/2008 1:46:34 PM
We are running AD 2003 functional, with Vista clients.

I am deploying firewalls via group policies. I am trying to prevent
users opening up ports for network games or other services on our LAN.

I believe users have the ability to select which profile they use. This
does not help me, as users then have the ability to choose the profile
with lax security while on our LAN and still enjoying hosting games.

I have all 3 profiles set, domain, private and public. Domain and
private are set with same settings. No local settings are read.

Public profile also reads the local rules so users can set up and host
services while outside our LAN. They own their computers and this is
seen as reasonable.


Anything I can do?


Malke wrote:
> James Bond wrote:
>
>> What is the go with network locations?
>>
>> It is stuffing up my firewall group policies from applying. How is
>> this all supposed to work?
>>
>> I am now connected as public. How does it determine this?
>
> It would be helpful to know:
>
> 1. How your network is set up;
> 2. What error messages you get (quoted, not paraphrased);
> 3. What firewall you're running;
> 4. If this is a domain member workstation and if yes, what server OS you
> have.
>
> Basically, a private network is a Local Area Network that is trusted.
> Private will allow you to share files/printers. A public network is one
> that is exposed. For instance, you'd want to use "public" with a standalone
> computer connected directly to a cable/DSL modem. If this is a home
> computer on a network where you want to share files/printers with other
> computers on the network or a domain member that must connect to the
> server, set the properties on that network to "private".
>
> Malke
Re: network locations
Malke <malke[ at ]invalid.invalid> 12/9/2008 2:40:20 PM
James Bond wrote:

> We are running AD 2003 functional, with Vista clients.
>
> I am deploying firewalls via group policies. I am trying to prevent
> users opening up ports for network games or other services on our LAN.
>
> I believe users have the ability to select which profile they use. This
> does not help me, as users then have the ability to choose the profile
> with lax security while on our LAN and still enjoying hosting games.
>
> I have all 3 profiles set, domain, private and public. Domain and
> private are set with same settings. No local settings are read.
>
> Public profile also reads the local rules so users can set up and host
> services while outside our LAN. They own their computers and this is
> seen as reasonable.

The main problem here is that you've allowed users to have local
administrative privileges. You can't have it both ways. Either you set up
the laptops securely (recommended) or you will have problems. Having
unsecured laptops where users can install all sorts of malware at home and
then come and connect to your company network is the proverbial Recipe For
Disaster. So what is truly reasonable? Letting the users do what they want
or letting them trash your network workstations and servers? One solution
is to purchase company laptops which you will then configure correctly
(securely) and outlaw personal laptops completely.

As for blocking games, etc., you should have some sort of edge
security/firewall appliance. Even if you are a small business, you can
afford one of the lower-tier SonicWall boxen for example. Another option if
you have an older workstation lying around is to install something like
Untangle on it - http://www.untangle.com/.

I suggest you post in one of the server newsgroups to see how other
sysadmins manage this very common issue.

http://aumha.org/nntp.htm - list of MS newsgroups
microsoft.public.windows.server.general

If you continue with your current setup, I strongly suggest you image a
clean workstation and your server regularly. Store the images on a
device/computer that is not regularly connected to the network where it can
become infected. I really like the Acronis enterprise programs for this
kind of work.

Best of luck to you,

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
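
Added example, not part of any post in this thread: a PowerShell check an administrator could run on a client to confirm that the Group Policy firewall settings match the intent described above (local rules ignored on the Domain and Private profiles, merged on Public) and to see which profile is currently active. It assumes the settings are delivered through the standard Windows Firewall policy registry location and the `AllowLocalPolicyMerge` value; the function name `Get-MergeSetting` is made up for this example.

```powershell
# Added example: audit GPO-delivered Windows Firewall merge settings per profile.
# Run from an elevated PowerShell prompt on the client (Vista or later).
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# Intended state taken from the thread: 0 = ignore local rules, 1 = merge them.
$intent = @{
    DomainProfile  = 0
    PrivateProfile = 0
    PublicProfile  = 1
}

function Get-MergeSetting([string]$ProfileKey) {
    # Returns 0 or 1 when Group Policy sets the value, $null when it does not.
    $key = Join-Path $policyRoot $ProfileKey
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key
    $value = $props.PSObject.Properties['AllowLocalPolicyMerge']
    if ($value) { return [int]$value.Value }
    return $null
}

foreach ($name in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $configured = Get-MergeSetting $name
    # "Not configured" behaves as merge allowed, so a missing value counts as 1.
    $effective = if ($null -eq $configured) { 1 } else { $configured }
    $shown     = if ($null -eq $configured) { 'not configured' } else { $configured }
    $status    = if ($effective -eq $intent[$name]) { 'OK' } else { 'MISMATCH' }
    '{0,-15} AllowLocalPolicyMerge={1,-15} effective={2}  {3}' -f `
        $name, $shown, $effective, $status
}

# Show which profile Windows has applied to the current connection(s).
# The heading text is localized; this match assumes an English system.
netsh advfirewall show currentprofile | Select-String 'Profile Settings'
```

A `MISMATCH` on the Domain or Private line means local rules created by a local administrator are still being merged on that profile.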
