There are at least two ways of controlling the Windows 8 firewall with Group Policies; my first choice would be to go to the Windows Settings, Security Settings folder.
When it comes to firewall GPOs the old saying, ‘go slowly, I am in a hurry’ springs to mind. However, if you know what you want, and have a plan, then you can configure these firewall group policy settings to produce a most satisfyingly result.
Methods for Disabling a Firewall with a Group Policy
- Windows Firewall with Advanced Security
- How to Configure the Firewall Profile Tabs
- Windows Firewall: Protect all network connections
The most sure-footed method of getting this bunch of policies working, is to open the Control Panel on the Firewall page; then as you make your selections with Gpedit.msc, so you can see changes in the Cpanel window.
Later you can reproduce these settings in the GPMC and thus apply them to all your users.
… Windows Settings [Key folder]
….. Windows Firewall Advanced Security
Windows Firewall Properties
Simply click on the Windows Firewall and Advanced Security and this will display all the settings that you see in the Control Panel.
The key difference with using Gpedit (or GPMC) is that local users, even those with administrative rights, cannot change the firewall settings.
If you want to disable the firewall the crucial step is to click on: Windows Firewall Properties. See screenshot to the right.
The secret of mastering these policies is to watch what happens in the Control Panel window as you configure the drop-down menus on each Profile tab. The reason that harp on about this comparison technique is that there are 3 possible firewalls, Domain, Private and Public, and you can configure each independently.
Understanding the three options for Firewall state:
Setting the state to ‘Off’ disables the Windows 8 firewall, this group policy also means that the local administrator cannot over-ride the policy, and turn it on. Equally, if you set the policy to ‘On (recommended)’ then the administrator will find the radio buttons greyed-out if they try to reverse your policy. The only setting that enables the administrator to make changes to the firewall is ‘Not configured’.
Here is an utility where you can review firewall settings such as access control lists (ACL), or troubleshoot problems with network address translation (NAT).
Other reasons to download this SolarWinds Firewall Browser include managing requests to change your firewall settings, testing firewall rules before you go live, and querying settings with the browser’s powerful search options.
Guy recommends that you download a copy of the SolarWinds free Firewall Browser.
Windows Firewall: Protect all network connections
Before you change any settings, make your plan. Do you want to enable (have a firewall), or disable the firewall on the Windows 8 client? The logic of this policy is by no means obvious so check in the Control Panel that your settings really to bite.
Would this be a Domain or Standard profile? Researching with NetSh did not help me, but this is the syntax:
netsh advfirewall firewall (base command)
netsh advfirewall firewall show rule name=all profile=private
What worked for me was ‘suck it and see’. I disabled the Standard profile and success, I disabled the Domain profile nothing happened on my configuration, but beware, the opposite may be the case in your network.
These Windows 8 firewall policies are in the Computer Configuration, thus launch your GPMC, or Gpedit on Windows 8, now expand:
. Administrative Templates
….. Network Connections [Key folder]
……. Standard Profile [Check Domain Profile]
……… Windows Firewall: Protect all network connections
If you disable this policy setting, Windows Firewall does not run.
This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot start it.
Note 1: As with many Windows 8 Group Policies, check the logic, for instance, Protect — > Disable. This means you have no firewall protection.
Note 2: Check that your policy is working in the Control Panel. As this policy changes requires neither a reboot nor a logon / logoff, the changes will be instantaneous.
More Windows 8 Firewall Group Policies
So far I have only dealt with the basic job of preventing unauthorized access to, or from, your network with a group policy. If we go back to those Control Panel settings, then you can see dozens of extra firewall configurations, for example those ‘Rules’ under Advanced Settings; well it’s no surprise that each can be controlled via a group policy. See more about Windows firewall configuration.
Guy Recommends SolarWinds’ Free Network Monitor
Thus utility makes it easy to check the health of a router or firewall. Check the real-time performance, and availability statistics, for any device on your network. Get started with an extensive collection of "out-of-the-box" monitors for popular network devices. Give Network Monitor a whirl – it’s free. Download your free Network Device Monitor
If you need more comprehensive network analysis software:
Download a free trial of NPM (Network Performance Monitor)
Registry Techniques to Disable Windows 8 Firewall
Another strategy for preventing administrators from changing the firewall settings in the control panel is to call for Regedit and change the settings there. This method should alert you to the fact that a local administrator could reverse your attempt to disable the firewall – unless you have a Group Policy to disable regedit. Anyway, you can research thus:
Launch Windows 8’s regedit and drill down to:
- Select the appropriate folder: Domain, Public or Standard Profile.
- Seek the DWORD EnableFirewall
- Logic check:
1 means the firewall is on, and the admin cannot turn it off.
- Zero means the firewall is disabled.
Registry Research For Windows 8 Group Policy
Experimenting with Windows 8 firewall led me to wonder where in the registry the group policies tattooed their settings. I found the above enable / disable firewall setting by examining the registry:
My technique was to launch Regedit and export the entire registry, I called my file: FWallEnable.reg. Next I made the change to, ‘EnableFirewall’, then I exported the registry a second time and called the file: FWallDisable.reg. Next I ran either WinDiff or this PowerShell script:
# PowerShell script to find registry differences
$strReference = Get-Content "C:\PShell\FWallEnable.reg"
$strDifference = Get-Content "C:\PShell\FWallDisable.reg"
Compare-Object $strReference $strDifference
Note 4: The script took about 20 minutes to complete. You could speed up my experiment by exporting only the HKEY_CURRENT_USER branch of the registry.
Summary of Windows 8 Disable Firewall Group Policy Settings
In my opinion, enabling group policies to prevent unauthorized access to your network is tricky. However, you can control the Windows 8 firewall through either the Administrative Templates or the Windows Settings areas in Group Policies, my choice would be the latter. Which ever path you take, the secret of understanding how these policies work is to keep the Control Panel’s Firewall window open as you make your policy changes.
If you like this page then please share it with your friends