Posts Tagged ‘GPO’

Windows Firewall via GPO

Monday, March 12th, 2012

Setting up the Windows Firewall on Windows client systems can be tedious when done en masse. But using a Group Policy Object (GPO) to centrally manage systems can be a fairly straightforward process. First, decide which firewall rules you want to implement. Then, manually configure them and test them out on a workstation to verify they work the way you want them to. This process has been documented at http://techjournal.318.com/?p=1092.

Once you know the exact settings you’d like to deploy, create an Organizational Unit (OU) and move the computer accounts (or other OUs/security groups) to be governed by this policy into the new OU. Once all of your objects are where you’d like them, it’s time to create a GPO of the settings (which should be applied to one machine and tested before going wide across a large contingent of systems). To do so, go to the policy server and, from within Server Manager, expand Features and then Group Policy Management.

From Group Policy Management, expand the appropriate Forest and Domain, then right-click Group Policy Objects and click New at the contextual menu. Provide a name for the new GPO (e.g. Windows Firewall Policy; the rest of this post refers to it as Firewall Settings for Windows Clients) and click OK. Back in the Group Policy Management screen, click Group Policy Objects and then right-click Firewall Settings for Windows Clients. Click Edit to bring up the Group Policy Management Editor.

At the Group Policy Management Editor, right-click the Firewall Settings for Windows Clients policy and select Properties. Select the Disable User Configuration settings check box; at the Confirm Disable dialog box click Yes, then click OK when prompted.

In the Group Policy Management Editor, open Policies under Computer Configuration. Expand Windows Settings, then Security Settings, and finally Windows Firewall with Advanced Security. Here, click on Windows Firewall with Advanced Security for the LDAP GUID of your domain. Then open Overview to verify that each network location profile lists the Windows Firewall state as Not configured.

Click on Windows Firewall Properties and under the Domain Profile tab, use the drop-down list to set the Firewall state to On. Then, click on OK and verify the Windows Firewall is listed as On.

Once you’ve created the GPO, go to the OU and click Link an Existing GPO. In the list of GPOs, select the new GPO, then test it on a client by running gpupdate or rebooting the client. To verify that the GPO was applied, open the Windows Firewall with Advanced Security snap-in, right-click Windows Firewall with Advanced Security on Local Computer and select Properties from the contextual menu. If the Firewall state is listed as On then the policy was created properly!
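The same procedure scripted end to end, as an added example that is not part of the original post: it creates the GPO, disables the user half, turns the Domain profile on inside the GPO, links it to a test OU, and then gives two client-side checks that the On state really came from Group Policy rather than a local setting. The domain name, OU path and GPO name are assumed placeholders; the GroupPolicy and NetSecurity cmdlets need Windows 8 / Server 2012 or later, so the registry check at the end is the one that also works on a Windows 7 client.

```powershell
# Added example, not code from the original post. Assumes an admin host with the
# GroupPolicy (RSAT) and NetSecurity modules; names below are placeholders.
Import-Module GroupPolicy
Import-Module NetSecurity

$Domain  = 'corp.example.com'                               # assumed domain
$GpoName = 'Firewall Settings for Windows Clients'          # GPO name used in the post
$OuDn    = 'OU=Firewall Test,DC=corp,DC=example,DC=com'     # assumed test OU

# 1. Create the GPO (or reuse it) and disable User Configuration, as the post does.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Turns on Windows Firewall for the Domain profile'
}
$gpo.GpoStatus = 'UserSettingsDisabled'

# 2. Set Firewall state = On for the Domain profile inside the GPO.
#    PolicyStore "domain\GPO name" writes to the GPO, not to the local machine.
Set-NetFirewallProfile -Name Domain -Enabled True -PolicyStore "$Domain\$GpoName"

# 3. Link the GPO to the test OU only; widen the link once the client checks pass.
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# ---- Client-side checks: run on a computer in the OU after "gpupdate /force" ----

function Test-DomainFirewallFromGpo {
    # RSOP store = merged result of all applied GPOs; ActiveStore = what is in force now.
    # SetByGpo false with Effective true means someone turned it on locally, not via policy.
    $rsop   = Get-NetFirewallProfile -Name Domain -PolicyStore RSOP
    $active = Get-NetFirewallProfile -Name Domain -PolicyStore ActiveStore
    New-Object PSObject -Property @{
        SetByGpo  = ($rsop.Enabled -eq 'True')
        Effective = ($active.Enabled -eq 'True')
    }
}

function Test-DomainFirewallPolicyKey {
    # Windows 7 compatible: the GPO writes this policy value when it applies.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $v = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
    return ($v -ne $null -and $v.EnableFirewall -eq 1)
}

Test-DomainFirewallFromGpo
Test-DomainFirewallPolicyKey
```

Run the first half on the server where you manage Group Policy and the two Test- functions on a client in the OU; if the registry value is present but the RSOP store still shows Not configured, the client has not refreshed policy yet.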

Windows Firewall For Windows 7

Friday, March 9th, 2012

A firewall is a barrier between you and the Internet at large that filters the information your computer can receive. Companies usually have firewalls in place to keep certain kinds of websites, people, and information from being accessed from outside their networks, keeping sensitive info safe and you focused on the job. Your home computer and/or modem can have a firewall built in as well, acting as the gateway between your home network and the Internet.

NOTE: you might not be able to use a third-party application until you add it to the list of allowed programs.

Here is an explanation of the different options you can modify and customize:

Add a program to the list of allowed programs:

  1. Open Windows Firewall by clicking the Start button, and then clicking the Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. Click Change settings.  If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  4. Select the check box next to the program you want to allow, select the network locations you want to allow communication on, and then click OK.

If an application needs a specific port that is being blocked, you can also allow traffic on that port:

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click advanced settings. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.
  3. In the Windows Firewall with Advanced Security dialog box, in the left pane, click Inbound Rules, and then, in the right pane, click New Rule.
  4. Follow the instructions in the New Inbound Rule wizard.

Block all incoming connections, including those in the list of allowed programs: this setting blocks all unsolicited attempts to connect to your computer. Use this setting when you need maximum protection for your computer, such as when you connect to a public network in a hotel or airport, or when a computer virus is spreading over the network or Internet. A word of caution with this setting: you won't be notified when Windows Firewall blocks programs. When you block all incoming connections, you can still view most websites, send and receive e‑mail, and send and receive instant messages.

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. Check the box that says to block all incoming connections.

Notify me when Windows Firewall blocks a new program
If you select this check box, Windows Firewall will inform you when it blocks a new program and give you the option of unblocking that program.

  1. Open Windows Firewall by clicking the Start button, and then clicking Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. Select the box that says “Notify me when Windows Firewall blocks a new program”

Turn off Windows Firewall (not recommended)
This step is not recommended unless your system administrator has implemented another application to provide protection for your network.

  1. Open Windows Firewall by clicking the Start button, and then clicking the Control Panel. In the search box, type firewall, and then click Windows Firewall.
  2. In the left pane, click Turn Windows Firewall on or off. If you’re prompted for an administrator password or confirmation, type the password or provide confirmation.

Note: If some firewall settings are unavailable and your computer is connected to a domain, your system administrator might be controlling these settings through Group Policy or a third-party application like Symantec Endpoint Protection.

If you have trouble allowing other computers to communicate with your computer through Windows Firewall, you can try using the Incoming Connections troubleshooter to automatically find and fix some common problems.

  1. Open the Incoming Connections troubleshooter by clicking the Start button, and then clicking Control Panel.
  2. In the search box, type troubleshooter, and then click Troubleshooting. Click View all, and then click Incoming Connections.
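The settings walked through above can also be changed from an elevated prompt on Windows 7, which is handy when you need to script them for a handful of machines that are not on a domain. The following is an added example and not part of the original post; it wraps the netsh advfirewall commands that the Windows 7 firewall exposes, and the program path, port and rule names are constructed placeholders. The last function parses the English netsh output, so it assumes an English locale.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell 2.0 or later prompt on Windows 7; values below are placeholders.

function Add-AllowedProgram ([string]$Name, [string]$Path) {
    # "Allow a program through Windows Firewall": one inbound allow rule for that EXE only
    netsh advfirewall firewall add rule name=$Name dir=in action=allow program="$Path" enable=yes profile=domain,private | Out-Null
}

function Add-AllowedPort ([string]$Name, [int]$Port, [string]$Protocol = 'TCP') {
    # Equivalent of the New Inbound Rule wizard, "Port" type: open a single port
    netsh advfirewall firewall add rule name=$Name dir=in action=allow protocol=$Protocol localport=$Port profile=domain,private | Out-Null
}

function Set-BlockAllIncoming ([bool]$On) {
    # "Block all incoming connections, including those in the list of allowed programs"
    # blockinboundalways ignores the allowed list; blockinbound is the normal default.
    $inbound = if ($On) { 'blockinboundalways' } else { 'blockinbound' }
    netsh advfirewall set allprofiles firewallpolicy "$inbound,allowoutbound" | Out-Null
}

function Set-BlockNotification ([bool]$On) {
    # "Notify me when Windows Firewall blocks a new program"
    $state = if ($On) { 'enable' } else { 'disable' }
    netsh advfirewall set allprofiles settings inboundusernotification $state | Out-Null
}

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles state" into a profile -> ON/OFF table,
    # so a script can confirm the firewall is still on after making changes.
    $result  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $matches[1] }
        elseif ($current -and $line -match '^State\s+(ON|OFF)') { $result[$current] = $matches[1] }
    }
    return $result
}

# Constructed sample usage
Add-AllowedProgram -Name 'BackupAgent' -Path 'C:\Program Files\Example\agent.exe'
Add-AllowedPort    -Name 'BackupAgent-TCP-8443' -Port 8443
Set-BlockNotification $true
Get-FirewallProfileState
```

Add-AllowedPort is deliberately limited to a single port on the Domain and Private profiles; the wizard will happily create a rule for all profiles and all programs, which is rarely what an application actually needs.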

Note: Some material in this article was referenced directly from Microsoft at: http://windows.microsoft.com/en-US/windows7/Allow-a-program-to-communicate-through-Windows-Firewall

Note: Stay tuned for more information about setting up Windows Firewall Using a GPO!

Terminal Server 2008 Load Balancing

Thursday, February 12th, 2009

Load balancing is fairly straightforward in Microsoft Windows Terminal Server 2008. Before you get started you’ll need to have multiple terminal servers, a Windows 2008 Active Directory environment and a centralized location to store your user profiles.

When setting up Terminal Servers with load balancing and redirected profiles, no single terminal server should get overloaded by users while another terminal server sits idle. When a user tries to connect to the terminal server, the master terminal server checks the load on each one of the servers. It then logs the user into the terminal server with the least load. Since redirected profiles are set up, every user that logs in will have all of their desktop items, documents folder and pretty much everything that they will need. The user does not even need to know that they are on a different terminal server than they were the last time they logged in.

To install Terminal Server clustering, first verify that you meet the prerequisites of centralized home folder storage, Active Directory 2008 and multiple terminal servers. Then install the Terminal Server Session Broker service on each one of the servers. Then on one of the servers, add all of the terminal servers into the session directory group under Groups in Local Users and Groups. You only need to add them on one server and the change will replicate.

The next thing you need to do is set up a DNS alias and associate the IP addresses of all of the terminal servers with that alias. Once complete, when you do an nslookup on that alias, it should display all of the IP addresses that you entered.

Then you will need to make some changes to group policy. It appears that you must have a 2008 Domain Controller set up with the up-to-date schema to be able to do this. Go to Computer Settings -> Policies -> Administrative Templates -> Windows Components -> Terminal Services -> Terminal Server and then TS Session Broker. In here you need to put the name of the alias under Configure TS Session Broker Farm Name. Then put the name of the main terminal server in Configure TS Session Broker name. You also need to enable Join TS Session Broker and Use TS Session Broker Load Balancing. After you have that set up, save the Group Policy Object (GPO) and attach it to the Organizational Unit (OU) that holds the terminal servers.

Once your group policies are in place you can focus on making the lives of your users a bit easier by enabling redirected user profiles. First, you will need a place to put all of the user profiles. Then you will want to move all of the users that need to access the terminal servers into a new Organizational Unit, create a new group policy object and enable folder redirection. To enable folder redirection, go to User Configuration -> Policies -> Windows Settings and then Folder Redirection. Here, enable each folder redirection policy that you feel the users in the organization will need (this is different for everyone and can require a little testing to get it perfect). While the choices are a lot to consider at first, AppData, Desktop and My Documents are the most standard ones to choose and represent a great starting point. The Basic setting is what you will most likely want to use; just put in the root path to your profile share. It will then show you an example of where everything will be stored, and you should verify that the user names and the folders you created on the network share are the same.

Once all of the users are able to log into any of the terminal servers and get the exact same environment no matter which server they log into, you are mostly done. With load balancing set up, one terminal server being overused is no longer something you need to worry about with 2008. Once the cluster is set up, the master terminal server will take care of the rest.
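Two of the steps above are easy to get subtly wrong: the DNS alias that is missing one server's address, and the profile share that lacks a folder for some users. The following added example (not part of the original post) checks both from PowerShell 2.0 on Server 2008, using the .NET DNS resolver so no extra modules are required. The alias, the expected IP addresses, the share path and the user names are constructed placeholders.

```powershell
# Added example, not code from the original post. All names and addresses
# below are constructed placeholders for the farm described in the post.

function Test-FarmAlias ([string]$Alias, [string[]]$ExpectedIPs) {
    # Resolve the farm alias the way the post's nslookup does and compare the
    # IPv4 answers against the list of terminal servers that should be in it.
    $resolved = @([System.Net.Dns]::GetHostAddresses($Alias) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString })
    $missing = @($ExpectedIPs | Where-Object { $resolved -notcontains $_ })
    $extra   = @($resolved    | Where-Object { $ExpectedIPs -notcontains $_ })
    New-Object PSObject -Property @{
        Alias    = $Alias
        Resolved = $resolved
        Missing  = $missing      # servers that will never receive a session via the alias
        Extra    = $extra        # stale addresses that will send users to a dead host
        Ok       = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

function Test-ProfileFolders ([string]$ShareRoot, [string[]]$Users, [string[]]$Folders) {
    # Folder Redirection "Basic" with a root path places each user's folders
    # under <root>\<user>\<folder>; report any that do not exist yet.
    foreach ($u in $Users) {
        foreach ($f in $Folders) {
            $path = Join-Path (Join-Path $ShareRoot $u) $f
            New-Object PSObject -Property @{
                User = $u; Folder = $f; Path = $path; Exists = (Test-Path $path)
            }
        }
    }
}

# Constructed sample values
Test-FarmAlias -Alias 'tsfarm.corp.example.com' -ExpectedIPs '10.0.0.11','10.0.0.12','10.0.0.13' |
    Format-List Alias, Resolved, Missing, Extra, Ok

Test-ProfileFolders -ShareRoot '\\fileserver\profiles$' -Users 'alice','bob' -Folders 'Desktop','Documents','AppData' |
    Where-Object { -not $_.Exists } | Format-Table User, Path -AutoSize
```

Run Test-FarmAlias from a client rather than from a terminal server, since the client is where the round-robin answer actually matters; an empty Missing and Extra list is the same result the post expects from nslookup.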

Scripting Printers in Windows

Wednesday, May 14th, 2008

It’s possible to deploy printers to a Windows environment when all the client computers are joined to the domain.

First, add the printers to the print server.
Second, make sure that on the print server you have also installed the drivers that the clients will require.

Open up notepad and use the following script template:

@echo off
rem Connect each shared printer from the print server (servername and share names are the post's examples)
rundll32 printui.dll,PrintUIEntry /in /n \\servername\hplj4025
rundll32 printui.dll,PrintUIEntry /in /n \\servername\hpp2015

Save the text file as [whatevernameyouwant].bat

Place it somewhere in Sysvol Scripts or netlogon.

Open up Group Policy Management.
Create the GPO where you would like (in SBS put it with all of the others at the root of the domain).
Go to User Configuration > Windows Settings > Scripts
Go to “logon” and add the script location.

You have now added a logon script that will deploy printers via a GPO. If the printers are already there, it will not error out, and it won't break anything either.
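For the same job in PowerShell, here is an added example that is not part of the original post: it adds only the printer connections the user does not already have, records each outcome in a log file, and keeps going when the print server or a driver is unavailable. It works on Windows 7 (PowerShell 2.0) through the WScript.Network COM object; the server name, share names and log path are constructed placeholders.

```powershell
# Added example, not code from the original post. Server and share names are
# constructed placeholders; run as a User Configuration logon script.

$Printers = @(
    '\\printserver\hplj4025',
    '\\printserver\hpp2015'
)
$DefaultPrinter = '\\printserver\hplj4025'
$Log = Join-Path $env:TEMP 'printer-logon.log'

function Get-ExistingPrinterConnections {
    # Network printer connections show up in Win32_Printer with Network=TRUE
    # and a Name of the form \\server\share.
    Get-WmiObject -Class Win32_Printer -Filter 'Network=TRUE' |
        ForEach-Object { $_.Name.ToLower() }
}

function Add-PrinterConnections ([string[]]$Wanted, [string]$Default) {
    $existing = @(Get-ExistingPrinterConnections)
    $net      = New-Object -ComObject WScript.Network
    $added    = @()
    foreach ($p in $Wanted) {
        if ($existing -contains $p.ToLower()) {
            Add-Content $Log "$(Get-Date -Format s) already present $p"
            continue
        }
        try {
            # Same effect as "printui.dll,PrintUIEntry /in /n"; the driver is
            # pulled from the print server, which is why it must be installed there.
            $net.AddWindowsPrinterConnection($p) | Out-Null
            $added += $p
            Add-Content $Log "$(Get-Date -Format s) added $p"
        } catch {
            # Print server down or driver missing: log it and move on to the next printer
            Add-Content $Log "$(Get-Date -Format s) FAILED $p : $($_.Exception.Message)"
        }
    }
    if ($Default -and (($existing -contains $Default.ToLower()) -or ($added -contains $Default))) {
        $net.SetDefaultPrinter($Default)
    }
    return $added
}

Add-PrinterConnections -Wanted $Printers -Default $DefaultPrinter
```

When assigning this as a GPO logon script, the client's execution policy must allow it; launching it as powershell.exe -ExecutionPolicy Bypass -File with the script's SYSVOL path is the usual approach, and the log in %TEMP% is where to look when a user reports a missing printer.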

Domain Controller Capacity Planning In Active Directory

Friday, April 18th, 2008

The memory requirements per DC are calculated based on the number of DCs and how spread out they are. Any time we are doing this type of planning we start out with the number of users that interact with a given DC and how much replication it does with other DCs. If a DC is processing logins for 1,000 users then it can easily be run on a fairly modest host – as would be the case with a Global Catalog sitting at a smaller school. However, as the number of users interacting with a single DC goes up, the RAM goes up. The minimum recommended memory is approximately 2GB per 1,000 users and a minimum of 1 dual CPU system per 10,000 users – but again loads may vary based on various aspects of the domain.

In terms of bandwidth utilization, the number of users logging in concurrently per school will use practically no bandwidth compared to a fiber connection if they have a DC at the school. However, if the school does not have a DC then you can expect approximately 64k per concurrent login for remote users, not counting any network profiles or login scripts. More speed will allow for faster login windows, which will in turn allow the system load to decrease faster after large quantities of users log in concurrently. The bandwidth utilization can be slightly higher than in other LDAP types of environments for Windows hosts, but not typically for Linux or Mac clients.

Policies will create additional load. The more layered the policies, the higher this load will become. Flattening the policy structure as much as possible will help reduce this overhead. But in the beginning some monitoring and tuning will need to be done. By monitoring the Database Cache % Hit counter on the server, you will be able to track whether additional memory is required.

Disk space is typically not a factor when planning an Active Directory deployment. But before factoring in the size of logs, a good setup should accommodate 4GB plus installers/drivers and 0.5GB per 1,000 users for non Global Catalogs, and an additional 50% for Global Catalogs.
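The rules of thumb from the three paragraphs above, turned into a sizing function together with a sample of the cache hit counter the post says to watch, as an added example that is not part of the original post. The figures are taken from the post as written; the counter path assumes an English-language Windows Server where lsass hosts the directory database, and the user counts in the sample call are constructed.

```powershell
# Added example, not code from the original post. Sizing figures are the post's
# rules of thumb; the counter path assumes an English locale.

function Get-DcSizingEstimate ([int]$Users, [bool]$GlobalCatalog, [int]$RemoteConcurrentLogins = 0) {
    # Round the user count up to whole thousands, since the post quotes per-1,000 figures.
    $thousands = [math]::Ceiling($Users / 1000)
    $diskGb = 4 + 0.5 * $thousands                 # 4GB base plus 0.5GB per 1,000 users
    if ($GlobalCatalog) { $diskGb = $diskGb * 1.5 } # an additional 50% for a Global Catalog
    New-Object PSObject -Property @{
        Users                  = $Users
        MinRamGb               = 2 * $thousands                                  # ~2GB per 1,000 users
        MinDualCpuHosts        = [math]::Max(1, [math]::Ceiling($Users / 10000)) # 1 dual CPU host per 10,000 users
        DiskGbBeforeLogs       = $diskGb                                         # before logs, installers and drivers
        RemoteLoginKbps        = 64 * $RemoteConcurrentLogins                    # ~64k per remote concurrent login
    }
}

function Get-DatabaseCacheHit ([int]$Samples = 5) {
    # Average ESE cache hit percentage over a few seconds. A ratio that stays low
    # while users are logging in is the post's signal that the DC needs more RAM.
    $counter = '\Database(lsass)\Database Cache % Hit'
    $data    = Get-Counter -Counter $counter -SampleInterval 1 -MaxSamples $Samples
    $values  = $data | ForEach-Object { $_.CounterSamples[0].CookedValue }
    return ($values | Measure-Object -Average).Average
}

# Constructed sample: a 12,000-user Global Catalog with 200 remote users logging in at once
Get-DcSizingEstimate -Users 12000 -GlobalCatalog $true -RemoteConcurrentLogins 200 |
    Format-List Users, MinRamGb, MinDualCpuHosts, DiskGbBeforeLogs, RemoteLoginKbps

Get-DatabaseCacheHit
```

Treat the estimate as a floor, as the post does; Get-DatabaseCacheHit run during a morning login peak is what tells you whether that floor was enough for a particular domain.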