Windows Firewall Group Policy

In my environment the Windows firewall has currently been locally enabled on a number of 2012 servers in a 2012R2 domain.

Rather than use local policy I'd like to migrate firewall policy to GPO.  In this case, I assume I can define a domain firewall policy and apply it using security filtering to the servers that require it.

A few questions --

1) Once the GPO is applied, will it overwrite the local server policy?  I assume it will.

2) Considering each server will likely have a slightly different firewall policy (to allow through traffic for different services), I assume that a different firewall policy will need to be created for each config and applied using filtering?  Is there a more effective way of application?  I'm envisioning a lot of different firewall policies and application to be messy.

3) Given your likely responses for questions 1 & 2, is GPO really the preferred method of administering firewall policy?

April 30th, 2015 2:42pm

Hi

>1) Once the GPO is applied, will it overwrite the local server policy?

Yes, the group policy at the domain/OU level will overwrite the local group policy. The precedence of group policy objects is: Child OU level > Parent OU level > Domain level > local policy, if you didn't enforce any particular GPO.

>2) Considering each server will likely have a slightly different firewall policy (to allow through traffic for different services), I assume that a different firewall policy will need to be created for each config and applied using filtering?  Is there a more effective way of application?  I'm envisioning a lot of different firewall policies and application to be messy.

If you need different settings for different servers, then you may need to create different group policies for them with security filtering or a WMI filter.

>3) Given your likely responses for questions 1 & 2, is GPO really the preferred method of administering firewall policy?

You can use Group Policy to centrally manage the clients and servers in your domain; it is more effective in helping administrators apply common settings to a number of computers. It is also easy to check all the group policy objects configured in your environment in the GPMC, with no need to log on to the computers one by one. In your case, it depends on how many firewall group policy settings you need. If each server has a different setting, then I'd prefer the local policy. If some servers can be grouped together and have the same settings, then GPO would be more effective and time-saving.

Hope it helps.

Best Regards,

Elaine 

May 4th, 2015 10:11pm
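
An added example, not part of the original thread: one way to build the per-role firewall GPO with security filtering that the answer describes, and to check on a server which store its active rules come from. The domain, GPO, group and OU names are assumed placeholders, and the single HTTPS rule stands in for whatever a given server role needs.

```powershell
# Assumed placeholder names: replace with your own domain, GPO, group and OU.
Import-Module GroupPolicy
$Domain  = 'corp.example'
$GpoName = 'FW-Role-Web'
$Group   = 'FW-WebServers'                  # security group holding the web servers
$OU      = 'OU=Servers,DC=corp,DC=example'

# 1. Create one GPO per server role (not per server) and link it to the server OU.
New-GPO -Name $GpoName | Out-Null
New-GPLink -Name $GpoName -Target $OU | Out-Null

# 2. Security filtering: only members of the role group apply the GPO.
#    Authenticated Users keeps Read so computer accounts can still read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Write the firewall settings into the GPO in one batched session.
$session = Open-NetGPO -PolicyStore "$Domain\$GpoName"
Set-NetFirewallProfile -Name Domain -Enabled True -GPOSession $session
New-NetFirewallRule -DisplayName 'Web: HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain `
    -GPOSession $session | Out-Null
Save-NetGPO -GPOSession $session

# 4. Run on a target server after 'gpupdate /force':
#    count the rules in effect by where they came from (Local vs GroupPolicy).
Get-NetFirewallRule -PolicyStore ActiveStore |
    Group-Object PolicyStoreSourceType |
    Select-Object Name, Count

#    AllowLocalFirewallRules shows, per profile, whether locally defined rules
#    are still merged with the rules delivered by Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, AllowLocalFirewallRules
```

Steps 1 to 3 need the GroupPolicy module (GPMC/RSAT) and rights to create and link GPOs; step 4 is read-only and runs on the member server itself.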

This topic is archived. No further replies will be accepted.
