Here is some great info (stolen from THIS technet doc)

Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
Deploying Windows Firewall Settings With Group Policy
Published: December 17, 2004

The best way to manage Windows Firewall settings in an organization network is to use Active Directory and the new Windows Firewall settings in Computer Configuration Group Policy. This method requires the use of Active Directory with either Windows 2000 or Windows Server 2003 domain controllers. Group Policy updates are requested by the domain member computer, and are therefore solicited traffic that is not dropped when Windows Firewall is enabled.

When you use Group Policy to configure Windows Firewall, by default local administrators will be unable to change some elements of its configuration locally, using the Windows Firewall component in Control Panel. Some tabs and options in the Windows Firewall dialog box will be grayed out and unavailable.

The basic steps for deploying Windows Firewall settings for Windows XP SP2 with Active Directory are the following:

  1. Update your Group Policy objects with the new Windows Firewall settings.

  2. Specify Windows Firewall settings for your Group Policy objects.

The following sections describe these steps in detail.

Notes

It is strongly recommended that you test your Windows Firewall Group Policy settings in a test environment before you deploy them in your production environment to ensure that your Windows Firewall Group Policy configuration does not result in unintended vulnerabilities.

The procedure to update your Group Policy object with the new Windows Firewall settings will replace the System.adm file that is stored for the Group Policy object being modified with the version that is provided with Windows XP SP2, which includes the new Windows Firewall settings. If a Group Policy administrator on your production network performs this procedure, your production environment will be updated.

Once you update your Group Policy objects, you can only modify them from a computer running Windows XP with SP2. An update is available through Microsoft Product Support Services (PSS) to allow you to modify Group Policy settings from computers running Windows 2000. Microsoft is working on updates for Windows XP SP1 and Windows Server 2003.

Step 1: Updating Your Group Policy Objects With the New Windows Firewall Settings

To update your Group Policy objects with the new Windows Firewall settings using the Group Policy snap-in (provided with Windows XP), do the following:

  1. Install Windows XP SP2 on a computer that is a member of the domain that contains the computer accounts of the other computers running Windows XP on which you plan to install Windows XP SP2.

  2. Restart the computer and log on to the Windows XP with SP2-based computer as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group.

  3. From the Windows XP desktop, click Start, click Run, type mmc, and then click OK.

  4. On the File menu, click Add/Remove Snap-in.

  5. On the Standalone tab, click Add.

  6. In the Available Standalone Snap-ins list, click Group Policy Object Editor, and then click Add.

  7. In the Select Group Policy Object dialog box, click Browse.

  8. In the Browse for a Group Policy Object dialog box, click the Group Policy object that you want to update with the new Windows Firewall settings. An example is shown in the following figure.

    [Figure: Browse for a Group Policy Object dialog box]

  9. Click OK.

  10. Click Finish to complete the Group Policy Wizard.

  11. In the Add Standalone Snap-in dialog box, click Close.

  12. In the Add/Remove Snap-in dialog box, click OK.

  13. In the console tree, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall. An example is shown in the following figure.


    WSFP1203_big.gif

Repeat this procedure for every Group Policy object that is being used to apply Group Policy to computers that will have Windows XP SP2 installed.

Note  To update your Group Policy objects for network environments using Active Directory and Windows XP SP1, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see Group Policy Management Console with Service Pack 1.

Step 2: Specifying Windows Firewall Settings for Your Group Policy Objects

After a Group Policy object has been updated, it can be configured with Windows Firewall settings that are appropriate for the management, server, listener, or peer applications and services that are being run on your computers running Windows XP with SP2.

There are two sets of Windows Firewall settings to configure:

  • The domain profile settings that are used by the computers when they are connected to a network that contains domain controllers for the domain of which the computer is a member.

  • The standard profile settings that are used by the computers when they are connected to a network that does not contain domain controllers for the domain of which the computer is a member.

If you do not configure standard profile settings, their default values are still applied. Therefore, it is highly recommended that you configure both domain and standard profile settings and that you enable the Windows Firewall for both profiles, except if you are already using a third-party host firewall product.

As previously described, the standard profile settings are typically more restrictive than the domain profile because the standard profile settings do not need to include applications and services that are only used in a managed domain environment.

Both the domain profile and standard profile contain the same set of Windows Firewall settings, as shown in the following figure.

[Figure: Windows Firewall settings for the domain and standard profiles]

The Windows Firewall Group Policy settings for the domain and standard profiles consist of the following:

  • Windows Firewall: Protect all network connections Used to specify that all network connections have Windows Firewall enabled.

  • Windows Firewall: Do not allow exceptions  Used to specify that all unsolicited incoming traffic be dropped, including excepted traffic.

  • Windows Firewall: Define program exceptions  Used to define excepted traffic in terms of program file names.

  • Windows Firewall: Allow local program exceptions  Used to enable local configuration of program exceptions.

  • Windows Firewall: Allow remote administration exception  Used
    to enable remote configuration using tools such as Microsoft Management
    Console (MMC) and Windows Management Instrumentation (WMI).

  • Windows Firewall: Allow file and print sharing exception  Used to specify whether file and printer sharing traffic is allowed.

  • Windows Firewall: Allow ICMP exceptions  Used to specify the types of Internet Control Message Protocol (ICMP) messages that are allowed.

  • Windows Firewall: Allow Remote Desktop exception  Used to specify whether the Windows XP-based computer can accept a Remote Desktop-based connection request.

  • Windows Firewall: Allow UPnP framework exception  Used to specify whether the computer can receive unsolicited UPnP messages.

  • Windows Firewall: Prohibit notifications  Used to disable notifications.

  • Windows Firewall: Allow logging  Used to enable logging of discarded traffic, successful connections, and to configure log file settings.

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests  Used to discard the unicast packets received in response to a multicast or broadcast request message.

  • Windows Firewall: Define port exceptions  Used to specify excepted traffic in terms of TCP and UDP ports.

  • Windows Firewall: Allow local port exceptions  Used to enable local configuration of port exceptions.

For detailed information about these settings, including example dialog boxes, see Appendix A.

Use the Group Policy snap-in to modify the Windows Firewall settings in the appropriate Group Policy objects. Note that you only need to modify Windows Firewall settings for Group Policy objects that are applied to Active Directory system containers (domains, organizational units, and sites) that contain computer accounts corresponding to computers that are or will be running Windows XP with SP2.

Once you configure the Windows Firewall settings, the next refresh of Computer Configuration Group Policy downloads the new Windows Firewall settings and applies them for computers running Windows XP with SP2. Computers that are running Windows 2000, Windows Server 2003, Windows XP with SP1, or Windows XP with no service packs installed ignore the new Windows Firewall settings.

Recommended Settings for Windows Firewall Group Policy Settings

The following are the recommendations for the Windows Firewall Group Policy settings for Windows XP SP2:

  • Windows Firewall: Protect all network connections  Enabled

  • Windows Firewall: Do not allow exceptions  Not configured

  • Windows Firewall: Define program exceptions  Enabled and configured with the programs (applications and services) used by the computers running Windows XP with SP2 on your network for managed, server, listener, or peer applications.

  • Windows Firewall: Allow local program exceptions  Enabled, unless you don’t want local administrators to be able to configure program exceptions locally.

  • Windows Firewall: Allow remote administration exception  Disabled, unless you want to be able to remotely administer with MMC snap-ins or remotely monitor using WMI computers running Windows XP with SP2.

  • Windows Firewall: Allow file and print sharing exception  Enabled only if the computers running Windows XP with SP2 are sharing local folders and printers.

  • Windows Firewall: Allow ICMP exceptions  Enabled only to allow diagnostic or management capabilities that are based on ICMP traffic.

  • Windows Firewall: Allow Remote Desktop exception  Enabled only if you use Remote Desktop to connect to Windows XP with SP2-based computers.

  • Windows Firewall: Allow UPnP framework exception  Enabled only if you use UPnP devices on your network.

  • Windows Firewall: Prohibit notifications  Disabled

  • Windows Firewall: Allow logging  Not configured

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests  Disabled

  • Windows Firewall: Define port exceptions  Enabled and configured with the TCP and UDP ports used by the computers running Windows XP with SP2 on your network for managed, server, listener, or peer programs that cannot be specified by filename.

  • Windows Firewall: Allow local port exceptions  Enabled, unless you don’t want local administrators to be able to configure port exceptions locally.
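The Define program exceptions and Define port exceptions settings each take one text entry per exception. As an added example that is not part of the TechNet document, the Python below parses such entries in the format the document's Appendix A describes (assumed here: `path:scope:status:name` for programs and `port:transport:scope:status:name` for ports), validates them, and flags the ones a reviewer should question before they go into a production GPO; the sample entries are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Entry formats of the two "Define ... exceptions" settings (assumed here from the document's
# Appendix A): program = <path>:<scope>:<enabled|disabled>:<name>
#              port    = <port>:<TCP|UDP>:<scope>:<enabled|disabled>:<name>
# <scope> is "*" (any source), "localsubnet", or a list like 10.0.0.1,10.3.4.0/24,10.5.0.0/255.255.0.0
_PROGRAM_RE = re.compile(r"^(?P<target>(?:[A-Za-z]:)?[^:]+):(?P<scope>[^:]*):(?P<status>[^:]+):(?P<name>.*)$")
_PORT_RE = re.compile(r"^(?P<port>\d{1,5}):(?P<proto>[^:]+):(?P<scope>[^:]*):(?P<status>[^:]+):(?P<name>.*)$")

@dataclass
class FirewallException:
    kind: str      # "program" or "port"
    target: str    # program path, or "<port>/<proto>"
    scope: str     # normalised scope string
    enabled: bool
    name: str

def parse_scope(scope: str) -> str:
    """Normalise a scope; ValueError if an explicit address or subnet is malformed."""
    s = scope.strip().lower()
    if s not in ("*", "localsubnet"):
        for item in (x.strip() for x in s.split(",")):
            ipaddress.ip_network(item, strict=False) if "/" in item else ipaddress.ip_address(item)
    return s

def parse_exception(entry: str) -> FirewallException:
    """Parse one program or port entry; ValueError on malformed input."""
    m = _PORT_RE.match(entry)
    if m:
        port, proto = int(m["port"]), m["proto"].strip().upper()
        if not 1 <= port <= 65535 or proto not in ("TCP", "UDP"):
            raise ValueError(f"bad port or transport in {entry!r}")
        kind, target = "port", f"{port}/{proto}"
    else:
        m = _PROGRAM_RE.match(entry)
        if not m:
            raise ValueError(f"unrecognised entry {entry!r}")
        kind, target = "program", m["target"].strip()
    status = m["status"].strip().lower()
    if status not in ("enabled", "disabled"):
        raise ValueError(f"bad status in {entry!r}")
    return FirewallException(kind, target, parse_scope(m["scope"]), status == "enabled", m["name"].strip())

def lint(exc: FirewallException) -> list:
    """Points a reviewer should question before the entry goes into a production GPO."""
    issues = []
    if exc.enabled and exc.scope == "*":
        issues.append(f"{exc.name}: scope '*' admits unsolicited traffic from any address; prefer localsubnet or an address list")
    return issues
```

Constructed entries such as `3389:TCP:localsubnet:enabled:Remote Desktop` parse cleanly, while `C:\Program Files\Messenger\msmsgs.exe:*:enabled:Windows Messenger` is flagged for its unrestricted scope.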

Group Policy Settings in Mixed Windows XP Environments

A mixed Windows XP environment is one in which there are both Windows XP with SP1 or Windows XP with no service packs installed and Windows XP with SP2-based computers present. For computers running Windows XP with SP1 or Windows XP with no service packs installed, the only way to control Windows Firewall behavior through Group Policy is to use the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting in Computer Configuration/Administrative Templates/Network/Network Connections. This Group Policy setting is still present when Group Policy objects are updated for the new Windows Firewall settings. Computers running Windows XP with SP1 or Windows XP with no service packs installed only implement the Prohibit use of Internet Connection Firewall on your DNS domain network Computer Configuration Group Policy setting.

Computers running Windows XP with SP2 implement both the Prohibit use of Internet Connection Firewall on your DNS domain network setting and the new Windows Firewall settings in the following way:

  • If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and there are no changes to the default values of the new Windows Firewall settings, then Windows Firewall is disabled when connected to the network from which the Group Policy object was obtained.

  • If the Prohibit use of Internet Connection Firewall on your DNS domain network setting is enabled and the Windows Firewall: Protect all network connections setting is enabled, then Windows Firewall is enabled when connected to the network from which the Group Policy object was obtained with new Windows Firewall settings.

Disabling the Use of Windows Firewall Across Your Network

If you are already using a third-party host firewall product, then it is recommended that you disable Windows Firewall. If you are not already using a third-party host firewall product, then it is recommended that you enable Windows Firewall to prevent the spread of malicious programs that make it past the firewall that separates your network from the Internet.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are using a third-party host firewall, then you should configure the following Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections is set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections is set to Disabled

These settings ensure that Windows Firewall is not used, whether the computers are connected to your organization network or not.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are not using a third-party host firewall, then you should configure the following Group Policy settings:

  • Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

  • Domain profile – Windows Firewall: Protect all network connections is set to Disabled

  • Standard profile – Windows Firewall: Protect all network connections is set to Enabled

These settings ensure that the Windows Firewall is not used on your organization network, but is used when the computers are not connected to the organization network.
