Why does GPO for firewall inbound connections still allow a change from “Block (Default)” to “Block all connections”
I found an interesting issue where I set a GPO to control the firewall policy to "Block (default)" the inbound connections, however that setting is not completely enforced. It still allows an administrator to alter it from "Block (default)" to "Block all connections".
Why is the GPO not forcing the setting I provided?
In more detail:
The settings I'm referring to are in:
- Go to Windows Advanced Firewall
- Right click on properties
- Under any profile tab, in my case Domain Profile
- State > Inbound Connections
The GPO is set explicitly to "Block (default)", however this option can still be changed once the GPO is applied.
Thanks,
Paul
group-policy windows-firewall
asked Feb 4 '14 at 21:02
Paweł Czopowik
1 Answer
In almost all cases, an administrator can change whatever is set by GPO - it's just a registry setting and one way or another an administrator on a PC can change any registry setting. If your intent is to lock these machines down, then users shouldn't be local admins.
answered Feb 4 '14 at 21:39
MDMarra
The other settings are respected and enforced (grayed out). This is the only setting that allows one to change it to a more restrictive setting.
– Paweł Czopowik
Feb 4 '14 at 22:00
My point was that an administrator can get around the greyed-out items fairly easily if they wanted.
– MDMarra
Feb 4 '14 at 22:10
Thank you for the feedback but this does not address why the GPO setting does not restrict this option. Perhaps it's a mechanism to be able to turn off the firewall temporarily in case of emergency without relying on a new GPO being applied?
– Paweł Czopowik
Feb 5 '14 at 15:26
But then again, the setting of "Allow" is enforced and does not allow for such a change.
– Paweł Czopowik
Feb 5 '14 at 15:37
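An added example, not part of the original thread: a PowerShell audit that lists, for each firewall profile, which settings a GPO actually supplies and whether the effective value matches. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later) and that `NotConfigured` in the RSOP store means the local value applies; the column names are made up for this example.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
# Assumption: NotConfigured in the RSOP store means no GPO supplies that
# setting, so the locally stored (PersistentStore) value takes effect.

$settings = 'Enabled', 'DefaultInboundAction', 'DefaultOutboundAction',
            'AllowInboundRules', 'AllowLocalFirewallRules'

$report = foreach ($name in 'Domain', 'Private', 'Public') {
    # RSOP = what Group Policy delivered, PersistentStore = local settings,
    # ActiveStore = the merged result the firewall is enforcing right now.
    $gpo    = Get-NetFirewallProfile -Name $name -PolicyStore RSOP -ErrorAction SilentlyContinue
    $local  = Get-NetFirewallProfile -Name $name -PolicyStore PersistentStore
    $active = Get-NetFirewallProfile -Name $name -PolicyStore ActiveStore

    foreach ($s in $settings) {
        $fromGpo = "$($gpo.$s)"
        # No RSOP data at all (e.g. machine not domain joined) counts as unset.
        if (-not $fromGpo) { $fromGpo = 'NotConfigured' }
        $setByGpo = $fromGpo -ne 'NotConfigured'

        [pscustomobject]@{
            Profile   = $name
            Setting   = $s
            FromGPO   = $fromGpo
            Local     = "$($local.$s)"
            Effective = "$($active.$s)"
            SetByGPO  = $setByGpo
            # A GPO-supplied value that is not the effective one needs a look.
            Drift     = $setByGpo -and ("$($active.$s)" -ne $fromGpo)
        }
    }
}

$report | Format-Table -AutoSize
```

Rows with `SetByGPO` false are settings the GPO leaves to the local store; rows with `Drift` true show an effective value that differs from what the GPO delivered.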