Send your Windows question to Mitch today! | See other Windows tips



Those enterprises that have begun testing Windows Vista for deployment will have noticed many differences between how this new version of Microsoft Windows is managed compared with the previous version Windows XP. One area of difference is managing the Windows Firewall, for not only has the Windows Firewall been significantly enhanced in Windows Vista with outbound filtering and IPsec integration, there is also a new management tool (the Windows Firewall with Advanced Security Policy snap-in) and new Group Policy settings for managing the firewall.



If you migrate all the desktops in a given organizational unit to Windows Vista, you can simply manage the firewall on these computers using the new Group Policy node found under Computer Configuration\Windows Settings\Security Settings\Windows Firewall With Advanced Security. But what if your OU will contain a combination of Windows XP and Windows Vista computers? What's the best way to use Group Policy to manage the Windows Firewall on these computers? Here's a brief answer taken with permission from the soon-to-be-released Windows Vista Resource Kit:

Windows Vista introduces a lot of new and exciting functionality in Windows Firewall. However, policy created by the new management console, Windows Firewall with Advanced Security is not understood by earlier versions of Windows. Using WMI filtering to selectively apply policy to a Group Policy object (GPO) allows you to manage this mixed environment. Through Group Policy Management Console (GPMC), create two GPOs. Use a WMI query to target one of the GPOs to only computers running a version of Windows prior to Windows Vista. In this GPO, create a firewall policy using the Windows Firewall Administrative Template (located under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall). Target the second GPO to Windows Vista and later computers. Configure the firewall policy for this GPO using the Windows Firewall with Advanced Security snap-in (located under Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security).



There are several reasons why we recommend that you take the split GPO approach to firewall management even though Windows Vista understands the Windows Firewall Administrative Template policy. First, by using the Windows Firewall with Advanced Security snap-in for policy configuration instead, you can take advantage of the flexibility and granularity of the new functionality, allowing for rules that are scoped much more than they could be when you use the Windows Firewall Administrative Template. Additionally, Windows Firewall with Advanced Security ships with a number of rule groups that are already configured to provide features and experiences in Windows Vista the network access they need. Trying to translate these rules into the Windows Firewall Administrative Template is in some cases not possible and in other cases would result in a rule that exposes much more attach surface than the Windows Vista equivalent rule. Finally, earlier versions of Windows Vista may be running different programs or updated versions of the programs for Windows Vista may have different networking requirements, so this split helps ensure that each computer gets only the rules it needs.

The above is one of many great tips you'll find in the Windows Vista Resource Kit, and one reason you'll find this book an invaluable resource is because this particular insight (and dozens and dozens of others in the book) was contributed by someone on the Windows Vista product team at Microsoft. These "from-the-source" insights are designed to help IT pros understand how Windows Vista works under the hood and also provide best practices for deploying, managing and troubleshooting different features of the platform.

ITworld.com

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine