Disabling the Option to Disable Firewall Exceptions, whilst retaining them - will make sense if you read further :)
As a hoster, I have problems with customers enabling the Windows firewall and disabling exceptions (because they think this is super, extra secure). This means a newly installed box can drop off the face of the earth and an engineer is forced to go to the datacenter and console on to the machine. You may be surprised to hear this happens quite frequently. What I would like to do is be able to build images of 2003 and 2008 with exceptions for ports like 80, 443, 3389 (RDP) etc. and disable the ability to switch exceptions *off*. Is this at all possible? I can't see a logical way of doing it through group policy. Cheers.
June 9th, 2008 3:14pm

I worked out how to do this myself. In case anyone googles for this in the future I'll post my method :) You need to:

1. Start the Firewall service (the registry change will not take effect until the service has been started).
2. Add rules for TCP 3389 (or whatever). This is the dodgy bit. I set up a WK2003 lab this afternoon to test this and, while an exception for RDP already existed in the firewall config, it was not enabled. There is no way to enable a preexisting exception via the command line (that I can find), so this line creates a new, enabled exception. Windows detects an entry for TCP 3389 already exists with the same rule and enables it. Did that make any sense?
3. Add a registry key to disable "Don't allow exceptions".
4. Stop the Firewall service.
5. The next time the Firewall service is started the "Don't allow exceptions" setting will be disabled and TCP 3389 will be open to the world.

Here is the script - it can be run from the command line or as a batch file:

    REM Step 1: the service must be running for the policy value to be picked up
    net start "Windows Firewall/Internet Connection Sharing (ICS)"
    REM Step 2: create/enable the RDP exception (scope ALL = any remote address)
    NETSH firewall set portopening TCP 3389 RDP ENABLE ALL
    ECHO Adding registry key
    REM Step 3: force "Don't allow exceptions" off via the firewall policy key
    reg add HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d 00000000 /f
    REM Step 4: stop the service; the setting applies on the next start
    net stop "Windows Firewall/Internet Connection Sharing (ICS)"

This is working for me...
June 10th, 2008 1:16pm
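Editor's note: the following PowerShell script is an added example, not the poster's own script, and it is written for the defender's side of this thread, i.e. an image-build or post-deploy check that keeps the management ports reachable and verifies the result before the box is handed over. It writes the same DoNotAllowExceptions policy value as the batch script above, but additionally defines the port exceptions under the policy key's GloballyOpenPorts\List (the "port:protocol:scope:state:name" value format used by the "Define inbound port exceptions" policy), which the local firewall UI cannot remove, and then reads everything back. Assumptions: it runs elevated; PowerShell is installed on the image (not present by default on 2003); the policy key layout and the value-name convention "port:protocol" are the legacy XP SP2/2003-era ones and should be confirmed against a lab build of 2008 before use; service names MpsSvc (2008) and SharedAccess (2003) are the ones for the firewall service on those releases.

```powershell
# Added example (not from the thread). Enforce "allow exceptions" and the
# management-port exceptions through the Windows Firewall policy keys, then verify.
# ASSUMPTIONS: elevated PowerShell; legacy policy key layout under
# HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall; value names "port:protocol".

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$Profiles   = @('DomainProfile', 'StandardProfile')

# Ports the hoster needs reachable regardless of what the customer clicks.
# Policy list value format: "port:protocol:scope:state:name" (scope * = any address).
$OpenPorts = @(
    '80:TCP:*:Enabled:HTTP',
    '443:TCP:*:Enabled:HTTPS',
    '3389:TCP:*:Enabled:Remote Desktop'
)

function Get-PortValueName([string]$entry) {
    # Assumed convention: the value name is the "port:protocol" prefix of the data.
    $parts = $entry.Split(':')
    return $parts[0] + ':' + $parts[1]
}

function Set-ManagedFirewallPolicy {
    foreach ($p in $Profiles) {
        $profileKey = Join-Path $PolicyRoot $p
        $listKey    = Join-Path $profileKey 'GloballyOpenPorts\List'
        if (-not (Test-Path $listKey)) { New-Item -Path $listKey -Force | Out-Null }

        # Keep the firewall on, but forbid the "Don't allow exceptions" setting.
        Set-ItemProperty -Path $profileKey -Name 'EnableFirewall'       -Value 1 -Type DWord
        Set-ItemProperty -Path $profileKey -Name 'DoNotAllowExceptions' -Value 0 -Type DWord

        # Exceptions defined by policy are greyed out in the local UI.
        foreach ($entry in $OpenPorts) {
            Set-ItemProperty -Path $listKey -Name (Get-PortValueName $entry) -Value $entry -Type String
        }
    }
}

function Test-ManagedFirewallPolicy {
    # Returns a list of problems; an empty list means the image is in the desired state.
    $problems = @()
    foreach ($p in $Profiles) {
        $profileKey = Join-Path $PolicyRoot $p
        $listKey    = Join-Path $profileKey 'GloballyOpenPorts\List'
        $v = Get-ItemProperty -Path $profileKey -ErrorAction SilentlyContinue
        if ($null -eq $v -or $v.DoNotAllowExceptions -ne 0) {
            $problems += "${p}: DoNotAllowExceptions is not forced to 0"
        }
        foreach ($entry in $OpenPorts) {
            $name = Get-PortValueName $entry
            $cur  = (Get-ItemProperty -Path $listKey -Name $name -ErrorAction SilentlyContinue).$name
            if ($cur -ne $entry) { $problems += "${p}: exception '$name' missing or altered" }
        }
    }
    return $problems
}

# Apply, then restart whichever firewall service this OS release has so the
# policy is read (the thread's point: the values take effect on service start).
Set-ManagedFirewallPolicy
$svc = Get-Service -Name 'MpsSvc', 'SharedAccess' -ErrorAction SilentlyContinue | Select-Object -First 1
if ($svc) { Restart-Service -Name $svc.Name }

$issues = Test-ManagedFirewallPolicy
if ($issues.Count -eq 0) {
    Write-Output 'Firewall policy enforced: exceptions allowed and management ports defined.'
} else {
    Write-Output 'Firewall policy NOT in desired state:'
    $issues | ForEach-Object { Write-Output "  $_" }
}

# Human-readable cross-check of what the firewall actually loaded:
netsh firewall show config
```

Run it as the last step of the image build and again from a remote session after first boot; if Test-ManagedFirewallPolicy reports anything, the box is not yet safe to hand over, and catching that before the customer touches it is what avoids the trip to the datacenter.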
