Which Registry Values store these Windows Firewall GPO settings......

Posted by gayle on August 19, 2007, 6:45 am
In PolicySettings.xls - a spreadsheet that lists all GPO settings -
some settings have multiple registry value paths associated with them.
In GPO Editor, when enabling these settings, a user must specify
more than whether the setting is Enabled/Disabled.

Are all these registry paths required to store 1 Windows Firewall GPO
setting? For instance:

1. For the policy setting - Windows Firewall: Allow remote
administration exception -
there are 2 registry values associated:
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled,
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
Are both necessary for the GPO setting to be Enabled? To determine
if the setting is Enabled, isn't the first 1 sufficient?

Similar case for:

Windows Firewall: Allow file and printer sharing exception

Its 2 registry values are:
1] HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enabled,
2] HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!RemoteAddresses

If the 1st registry value is set to enabled, is it necessary to check
for the Address List? What will the behaviour be if only the
1st registry value is present?

2. On enabling the Logging setting in gpedit.msc, 2 registry values
get created - LogFileSize & LogFilePath - & on disabling the setting,
both registry values get deleted.

If 1 registry value, say LogFileSize, is deleted, is Logging enabled/
disabled effectively? In GPO Editor, the setting before the value was
deleted is maintained, i.e. to check if logging is enabled using a
script, are the values of both registry values [LogFileSize &
LogFilePath] required?


Posted by Steve Riley [MSFT] on August 19, 2007, 2:30 pm
What is it that you're trying to do? Check to see whether something is
configured, or create rules by editing the registry? Please note that the
only supported way to modify the rules is through group policy or the
advanced configuration MMC. Editing the rulebase directly in the registry is
unsupported.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com



Posted by gayle on August 19, 2007, 11:16 pm
Thanks for your response. I'm not trying to modify the firewall rules
from the registry - just seeing if some Windows Firewall GPO settings
[those that have more than 1 registry value associated with them]
are configured by looking up their registry values by following
details in PolicySettings.xls - The Security Policy Reference from
Technet.

Since some Windows Firewall GPO settings have multiple registry values
listed, I would like to know whether this registry value
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled,
when set to enabled, is sufficient for this setting to be enabled:
Windows Firewall: Allow remote administration exception

Does Windows Firewall work like this? Is it correct to assume that the
other associated registry values like
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
are not essential to determine if the GPO setting is configured to
Enabled/Disabled?

What about the Allow Logging setting? There is no value that stores
'Enabled', only 2 values, LogFileSize & LogFilePath. How do I
determine if Logging is Enabled? Is the presence of both values
essential?


Posted by Roger Abell [MVP] on August 19, 2007, 11:41 pm

> Thanks for your response. I'm not trying to modify the firewall rules
> from the registry - just seeing if some Windows Firewall GPO settings
> [those that have more than 1 registry value associated with them]
> are configured by looking up their registry values by following
> details in PolicySettings.xls - The Security Policy Reference from
> Technet.
>

Previously you referred to PolicySetting.xls as the doc of all
GPO policies. That is incorrect. It docs the adm/admx settings.

> Since some Windows Firewall GPO settings have multiple registry values
> listed, I would like to know whether this registry value
> HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabled,
> when set to enabled, is sufficient for this setting to be enabled:
> Windows Firewall: Allow remote administration exception
>

You know, the quickest way to answer these sorts of things is to
set up a brief experiment.
In this case, I believe that the Enable reg entry enables/disables
the remote admin exception, and if used without the other setting is
a rather unsafe thing to do, as the exception will be enabled for
all origin IPs (rather than a normally highly restricted list of IPs).

> Does Windows Firewall work like this? Is it correct to assume that the
> other associated registry values like
> HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!RemoteAddresses
> are not essential to determine if the GPO setting is configured to
> Enabled/Disabled?
>

Again, I believe that in this case it is sufficient; but you would want to
check that there is a restriction on IPs allowed to use the exception.

> What about the Allow Logging setting? There is no value that stores
> 'Enabled', only 2 values, LogFileSize & LogFilePath. How do I
> determine if Logging is Enabled? Is the presence of both values
> essential?
>

I am unsure what policy you refer to. I would say "what logging", but
again, your best approach would be to use a test/reference system and
see what is the case.



Posted by Steve Riley [MSFT] on August 20, 2007, 12:15 am
I'm guessing that you have a need to detect the state of the firewall and
certain configuration settings, correct? I'm going to assume here that
you're writing some kind of script to do this. It's still a bit unclear
about what it is that you need to accomplish, exactly.

If you use group policies to configure the firewall, you have to supply
certain values, so then the registry entries will be set correctly. For
example, when you enable "Allow remote administration exceptions," you also
need to define which subnets will be the source of incoming administration
requests. So I'd guess that maybe you should check for both in your script.
Let's say that you enable it, but don't define any allowed incoming source
subnets. I honestly couldn't tell you how the computer will behave in this
case. This is not an allowed configuration, so your script should raise some
kind of error message.

The logging setting has more than just the two registry entries you see. The
collection is LogDroppedPackets, LogSuccessfulConnections, LogFilePath,
LogFileSize. The first two indicate what you want to log. If you enable
either or both, then you need to define the location (path) and maximum log
size. Again, we can't predict how it'll behave if you enable logging but
don't define the path and size. So your script should ensure that both are
defined if either kind of log is enabled.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
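
A read-only audit script along the lines described in the reply above, as an added example (not code from any poster in this thread or from Microsoft). The function names are hypothetical, the `Logging` subkey under `DomainProfile` is an assumption (the thread names the logging values but not their key), and the hashtables passed in the first two calls are constructed sample data.

```powershell
# Added example: read-only audit of Windows Firewall policy values (Domain profile).
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'

function Get-PolicyValues([string]$Path) {
    # Hashtable of value name -> data under $Path; empty if the key is absent.
    $values = @{}
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) } }
    return $values
}

function Test-Exception([string]$Name, [hashtable]$v) {
    # Enabled is a DWORD: 1 = enabled, 0 = disabled; absent = not configured.
    if (-not $v.ContainsKey('Enabled')) { return "${Name}: not configured by policy" }
    if ($v['Enabled'] -ne 1) { return "${Name}: disabled by policy" }
    # An enabled exception with no source list is the state the script must flag.
    $addr = ([string]$v['RemoteAddresses']).Trim()
    if (-not $addr) { return "${Name}: ERROR - enabled, but RemoteAddresses is missing or empty" }
    # '*' is the policy's wildcard for any source address.
    if ($addr -eq '*') { return "${Name}: WARNING - enabled for all source addresses" }
    return "${Name}: enabled for $addr"
}

function Test-Logging([hashtable]$v) {
    # The two Log* switches say what is logged; path and size must accompany them.
    $on = @('LogDroppedPackets', 'LogSuccessfulConnections') | Where-Object { $v[$_] -eq 1 }
    if (-not $on) { return 'Logging: no log type enabled by policy' }
    $missing = @('LogFilePath', 'LogFileSize') | Where-Object { -not $v.ContainsKey($_) }
    if ($missing) {
        return "Logging: ERROR - $($on -join ', ') enabled, but missing $($missing -join ', ')"
    }
    return "Logging: $($on -join ', ') -> $($v['LogFilePath']) (max size $($v['LogFileSize']))"
}

# Constructed sample data (not from a real machine): both incomplete states.
Test-Exception 'Remote administration' @{ Enabled = 1 }
Test-Logging @{ LogDroppedPackets = 1; LogFilePath = 'C:\fw.log' }

# Live, read-only check of the local policy keys.
Test-Exception 'Remote administration' (Get-PolicyValues "$Base\RemoteAdminSettings")
Test-Exception 'File and printer sharing' (Get-PolicyValues "$Base\Services\FileAndPrint")
Test-Logging (Get-PolicyValues "$Base\Logging")  # subkey name is an assumption
```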


