Firewall troubleshooting: Inability to configure the Windows XP firewall

For several years now, the Windows firewall has been one of Windows' first lines of defense against network-based attacks. As a channel reseller, your customers may ask you to configure the Windows firewall to allow access to a particular resource. But this isn't always as simple as it seems. There are various conditions that can prevent you from reconfiguring a Windows firewall. This article explains how to troubleshoot Windows XP firewall configuration problems.

Before I get started, I want to quickly point out that the configuration interfaces for the Windows XP and the Windows Vista firewalls differ. Because the vast majority of companies are still using Windows XP, this article focuses on troubleshooting the Windows XP firewall. However, if your customer happens to be using Windows Vista, all is not lost. Although the steps that I walk you through are intended for use in Windows XP, the basic concepts are relevant to Windows Vista as well.

Difficulty configuring firewall settings

As someone who has written numerous technical articles over the years, I receive a tremendous amount of email from readers seeking assistance with various technical issues. By far, the one firewall-related issue that I get the most mail about is Windows firewall configuration.

Under normal circumstances, you should be able to open the Control Panel and click on the Security Center link, followed by the Windows Firewall link. This causes Windows to display the Windows Firewall properties sheet, shown in Figure A. You should be able to us...

Digg This!     StumbleUpon     Del.icio.us

VIEW ALL IN THIS CATEGORY

RELATED CONTENT Network Security How to help customers choose a network access control product Offering SaaS for securing mobile devices How to perform a network security audit for customers Cracks in WPA? How to continue protecting Wi-Fi networks Host-based IDS/IPS Partner Program Directory Network security algorithms introduction Searching for multiple strings in packet payloads Approximate string matching Detecting worms IP traceback via logging Network router, switch and device security Firewall audit tool sales driven by PCI, economic cuts UTM appliances bundle security, give VARs multiple revenue streams Merging the channels: McAfee and Secure Computing half a year later Juniper launches mid-level security appliances Configuring privilege levels Cisco Security Device Manager Overview Testing the firewall - Introduction Working with Firewall Builder Validated firewalls System administration More Information on Network Firewalls Windows XP firewall troubleshooting Firewall troubleshooting: How to modify the scope of Windows XP and Vista firewall rules Use Netstat to determine which ports to open on a Windows firewall How to audit the Windows XP firewall Firewall troubleshooting: How to override default XP firewall settings Defining access directions through firewalls Ingress firewall rules for the Cisco Security Monitoring, Analysis, and Response System Choosing the right firewall for your customer Firewall architecture decisions: perimeter protection strategy Firewall topology: system placement

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

e this properties sheet to make any necessary firewall configuration changes.

In some cases, the various configuration options might be grayed out, preventing you from changing the Windows XP firewall configuration. There are two conditions that cause the firewall settings to be unavailable: lack of permissions -- you must have local administrative permissions to change Windows firewall settings -- or a group policy setting.

Keep in mind that group policies are hierarchical in nature. Group policy settings can be applied to the local computer, or they can be applied at the site, domain or Organizational Unit level of the Active Directory. Therefore, if you suspect that a group policy setting may be causing the firewall configuration problem, you may need to check several different group policies before you find the problematic setting.

To check the firewall-related group policy settings, open the Group Policy Object Editor and select the policy that you want to examine. You can find the firewall-related settings at: Computer Configuration | Administrative Templates | Network | Network Connections | Windows Firewall.

If you look at Figure B, you can see that there are two subcontainers within the Windows Firewall container: Domain Profile and Standard Profile. Windows is designed so that you can use completely different firewall configuration settings, depending on whether or not a user is logged in to the domain. This is important, because a computer could be left completely unprotected during idle times, if firewall settings were only in effect when a user logged into a domain.

Having a domain and a standard firewall profile allows you to enforce firewall settings regardless of whether a user is logged in or not. These settings are particularly important for mobile users, who often connect their laptops to untrusted networks. For these users, you could establish a stringent firewall policy that's implemented through the standard profile and a more relaxed policy that's used for the domain profile.

I am telling you all this to make a point. If you are having trouble configuring a Windows XP firewall, then it's worth paying attention to how you logged into the computer. If you're logging in locally, then your problem is either that the local account lacks the necessary permissions or that a security setting (most likely in the local group policy) within the firewall's domain profile is blocking the modification.

About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.