Win 7 Firewall rules for lab exam environment

#1 HeyMerlin

    Hi, I'm trying to figure out a way to configure Windows 7 firewall rules via GPO for the following environment:
    • Local account only, no domain accounts (this is easy via GPO)
    • Need access to one web server that serves the exam
    • Need access to CAS, DNS, and AD machines
    • Do not block traffic from specific machines used for administration.
    • Block everything else.

    In Linux and Mac this is relatively easy using iptables and ipfw respectively:
    • allow all outgoing traffic
    • restrict incoming to be allowed from only specific IP addresses.

    I cannot see a way to configure a rule to be applied to all incoming traffic and not just incoming connections (connections initiated from an external source). I am considering the following configuration:
    • Block all incoming connections unless matched by a rule
    • Block all outgoing connections unless matched by a rule
    • Add rules for the following:
      - Allow all DHCP (UDP, ports 67 & 68)
      - Allow all traffic to our DNS servers (I have a list of these)
      - Allow all traffic to our CAS servers (I have a list of these)
      - Allow all traffic to our AD servers (I have to get a list of these)
      - Allow all traffic to our exam server
      - Allow all traffic from our administration servers


    Does this sound reasonable? Is it possible with Windows 7 firewall? Has anybody done this?

    Note: I have read similar postings regarding ISA servers, network firewalls, etc. We are on a large campus and I do not have configuration access to our network equipment including proxies, content filters, etc. Hence I'm trying to use just the Windows 7 firewall rules if possible.

    Cheers,
    Merlin.
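The rule set sketched above, written out as an added example (not the poster's configuration) in a PowerShell script around netsh advfirewall, which is present on Windows 7; it is meant for proving the policy on one test box before the same rules are entered in the GPO. The IP addresses are constructed placeholders and the rule names are my own.

```powershell
# Added example, not from the thread: applies the rule set described in the
# post on a single Windows 7 box with netsh advfirewall, so it can be tested
# before the same rules are entered in the GPO. All IP addresses below are
# constructed placeholders; substitute the real campus hosts. Run elevated.
$dnsServers = @('192.0.2.10', '192.0.2.11')      # placeholder DNS servers
$casServers = @('192.0.2.20')                    # placeholder CAS servers
$adServers  = @('192.0.2.30', '192.0.2.31')      # placeholder AD servers
$examServer = @('192.0.2.40')                    # placeholder exam web server
$adminHosts = @('192.0.2.50', '192.0.2.51')      # placeholder admin workstations

# Helper: one outbound allow rule per server group. The list is passed as a
# single quoted token so PowerShell does not split it on the commas.
function Add-LabOutboundAllow([string]$Name, [string[]]$Hosts) {
    $list = $Hosts -join ','
    netsh advfirewall firewall add rule "name=$Name" dir=out action=allow "remoteip=$list"
}

# Reset to a known state (this drops every existing rule on the test box),
# then default-deny in both directions on every profile.
netsh advfirewall reset
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# DHCP: client port 68 talks to server port 67 over UDP in both directions.
netsh advfirewall firewall add rule name=LabDHCPOut dir=out action=allow protocol=UDP localport=68 remoteport=67
netsh advfirewall firewall add rule name=LabDHCPIn  dir=in  action=allow protocol=UDP localport=68 remoteport=67

# Outbound exceptions: everything to the named server groups, nothing else.
Add-LabOutboundAllow 'LabDNS'  $dnsServers
Add-LabOutboundAllow 'LabCAS'  $casServers
Add-LabOutboundAllow 'LabAD'   $adServers
Add-LabOutboundAllow 'LabExam' $examServer

# Inbound exception: only the administration hosts may open connections to the lab PCs.
netsh advfirewall firewall add rule name=LabAdminIn dir=in action=allow "remoteip=$($adminHosts -join ',')"

# Show the resulting policy and the lab rules for review.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all | Select-String -Pattern 'Rule Name:\s+Lab'
```

Windows Firewall is stateful, so replies to a connection allowed outbound are accepted without a matching inbound rule, which is why its model is connection-oriented rather than packet-oriented. In the GPO the same rules belong under Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security, and the AD rule must list every domain controller the lab machines may contact, otherwise Group Policy processing itself is blocked by the outbound default deny.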

#2 SYNACK

    Yes, just use group policy > computer config > Windows Settings > Windows Firewall > etc.

    I do this to push out exceptions to stations for certain dirty programs that don't make their own on install.

#3 p858snake

    I would put a box in between your network and the wider network running something like Squid or the likes.

    Quote Originally Posted by HeyMerlin:
        Hi, I'm trying to figure out a way to configure Windows 7 firewall rules via GPO for the following environment:
        * Local account only, no domain accounts (this is easy via GPO)

    Why only a local account and not a domain account?

    What user rights does the local account have?

#4 HeyMerlin

    Quote Originally Posted by SYNACK:
        Yes, just use group policy > computer config > Windows Settings > Windows Firewall > etc.

        I do this to push out exceptions to stations for certain dirty programs that don't make their own on install.

    Thanks for the reply. I have used GPOs to manage the Firewall settings previously, however mostly for the usual things: exceptions for specific programs, exceptions for specific ports, etc. I had not tried fully controlling all outgoing and incoming connections. My initial look into it did not show a clear way of doing this with the Windows firewall, as it is much more connection-oriented than traffic-oriented, compared to iptables or ipfw. However, I now have a configuration up and running on my dev/test boxes that works. I plan to post the details to this thread when I'm back at work next in case others are looking for the same information.
    Last edited by HeyMerlin; 7th April 2012 at 06:27 PM.

#5 HeyMerlin

    Quote Originally Posted by p858snake:
        I would put a box in between your network and the wider network running something like Squid or the likes.

        Why only a local account and not a domain account?

        What user rights does the local account have?

    Unfortunately on our campus I have no direct access to the networking equipment, so injecting any sort of hardware/software solution to isolate the lab is impossible (University campus with 20K+ students). Not to mention that I know I have other machines outside the target lab on the same subnet/switch stack, so separating them out would be painful.

    Domain accounts are in much the same situation. The AD is administered centrally. I have rights to add/edit/delete OUs, GPOs, computers, but not user objects. So adding domain accounts or changing existing domain user accounts is out.

    I can limit the login access to the students within the target class in the target lab; however, currently student accounts are subject to folder redirection and store all user folders on a file server. I need to restrict access to all user files for the exam, so local accounts seemed to be the easiest way. This way they have no access to anything in their profiles on the lab machines or on the file servers (either ones in our department or others on campus). I can use GPOs to create/enable/disable/delete local accounts easily enough. The local accounts are your basic non-privileged limited user account, very similar to what a standard domain user is.

    I'm certainly open to any and all suggestions of different/better ways to meet this sort of lab exam environment requirement. As most of you probably experience, the requirement for this came to my attention with next to no notice so I have had to put something together quickly if not elegantly. I'm hoping to improve the configuration after this set of exams is over so as to be better prepared for the next time.

#6 HeyMerlin

    I have followed up this thread with a blog post under my EduGeek profile outlining the final configuration that I used. With the length of the entry I figured the blog would be a better place as well as easier to find in the future.
