Hello! I just discovered that in Windows 7, a local firewall exception can be created that can override an exception set via the domain group policy. For instance, we have a domain GP that defines the "File and Printer Sharing" firewall rules and limits access to specific subnets. However, a local program installation/administrator is able to define a custom port exception to TCP 445 to allow any IP to connect, and it appears that the workstation respects this setting. With this local change, file sharing is available to this computer from all computers on our network.
I discovered this problem after I installed the Remote Server Admin Tools (RSAT) on a workstation. It appears that when the DFS Management tool is activated, it creates a firewall exception called "DFS Management (SMB-In)" that allows access over TCP 445 to any IP address. Unfortunately, I also found that this local exception overrides the domain GP that I had set, where I had explicitly limited this access for file and print sharing.
Note that I also tested this in XP and I was unable to add a custom port exception for 445 since the firewall interface gave me a warning indicating that there was a conflict with a managed exception (this is what I expected).
I would like to avoid disabling local firewall rules entirely, since we would then need to define exceptions for all of the custom programs we have across our network. However, I would like Windows to enforce that if a domain firewall GP is being applied, a local firewall exception cannot override the domain policy. How can I correct this behavior?
Thanks!
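The behaviour described in the question is how Windows Firewall with Advanced Security merges rules: when local rule merging is on, allow rules from the local store and from Group Policy are combined, so an allow from either source permits the traffic. The switch that makes a local exception inert is the domain-profile GPO setting "Apply local firewall rules: No" (Windows Firewall Properties > Domain Profile > Settings: Customize > Rule merging), which writes `AllowLocalPolicyMerge = 0` under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile`. The following audit script is an added example, not code from the original post; it assumes Windows 7 with PowerShell 2.0 or later, an elevated prompt, and the `HNetCfg.FwPolicy2` COM API. It reports whether local rules are currently merged and lists enabled inbound allow rules in the domain profile that expose TCP 445 to any remote address. The function names and the `$NET_FW_*` constants are this script's own; the assumption that `$fw.Rules` enumerates the effective (local plus GPO) rule set is flagged in a comment.

```powershell
# Added audit script (not from the original post). Assumes Windows 7, PowerShell 2.0+,
# an elevated prompt, and the Windows Firewall COM API (HNetCfg.FwPolicy2).
# It answers two questions: are local rules being merged with the domain GPO, and which
# enabled inbound allow rules open TCP 445 to any remote address in the domain profile.

$NET_FW_PROFILE2_DOMAIN = 1     # INetFwRule.Profiles bitmask (Domain=1, Private=2, Public=4)
$NET_FW_RULE_DIR_IN     = 1     # INetFwRule.Direction
$NET_FW_ACTION_ALLOW    = 1     # INetFwRule.Action
$NET_FW_IP_PROTOCOL_TCP = 6     # INetFwRule.Protocol
$NET_FW_IP_PROTOCOL_ANY = 256

function Test-PortCovered {
    # Returns $true if a LocalPorts string ("445", "139,445", "1-65535", "*") covers $Port.
    param([string]$LocalPorts, [int]$Port)
    if ($LocalPorts -eq '*') { return $true }
    foreach ($token in $LocalPorts -split ',') {
        $t = $token.Trim()
        if ($t -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$matches[1] -and $Port -le [int]$matches[2]) { return $true }
        } elseif ($t -match '^\d+$' -and [int]$t -eq $Port) {
            return $true
        }
        # Keywords such as RPC, RPC-EPMap, IPHTTPS and Teredo are resolved by the
        # firewall itself and are deliberately not matched here.
    }
    return $false
}

function Get-LocalMergeState {
    # Policy value written by the GPO setting "Apply local firewall rules" (domain profile).
    # An absent value means "not configured", which behaves like 1 (local rules merged).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
    $val = (Get-ItemProperty -Path $key -Name AllowLocalPolicyMerge -ErrorAction SilentlyContinue).AllowLocalPolicyMerge
    if ($val -eq $null) { return 'NotConfigured (local rules merged)' }
    if ($val -eq 0)     { return 'Disabled (local rules ignored)' }
    return 'Enabled (local rules merged)'
}

function Get-WideOpenPortRule {
    param([int]$Port = 445)
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    # LocalPolicyModifyState: 0 = local changes take effect, 1 = overridden by Group Policy,
    # 2 = all inbound traffic is blocked by policy.
    Write-Host ("LocalPolicyModifyState            : {0}" -f $fw.LocalPolicyModifyState)
    Write-Host ("AllowLocalPolicyMerge (domain)    : {0}" -f (Get-LocalMergeState))

    # Assumption: $fw.Rules enumerates the effective (local + Group Policy) rule set. Confirm
    # the origin of any hit with: netsh advfirewall firewall show rule name="<name>" verbose
    foreach ($r in $fw.Rules) {
        if (-not $r.Enabled) { continue }
        if ($r.Direction -ne $NET_FW_RULE_DIR_IN) { continue }
        if ($r.Action -ne $NET_FW_ACTION_ALLOW) { continue }
        if (($r.Profiles -band $NET_FW_PROFILE2_DOMAIN) -eq 0) { continue }

        # A protocol "Any" rule has no port list and covers 445 implicitly.
        $portCovered = ($r.Protocol -eq $NET_FW_IP_PROTOCOL_ANY) -or
                       (($r.Protocol -eq $NET_FW_IP_PROTOCOL_TCP) -and
                        (Test-PortCovered -LocalPorts ([string]$r.LocalPorts) -Port $Port))
        if (-not $portCovered) { continue }

        if ($r.RemoteAddresses -ne '*') { continue }   # '*' means any remote address

        New-Object PSObject -Property @{
            Name            = $r.Name
            Group           = $r.Grouping
            LocalPorts      = $r.LocalPorts
            RemoteAddresses = $r.RemoteAddresses
            Application     = $r.ApplicationName
        }
    }
}

Get-WideOpenPortRule -Port 445 | Format-Table Name, Group, LocalPorts, RemoteAddresses -AutoSize
```

A rule such as the RSAT-created "DFS Management (SMB-In)" shows up in this listing while `AllowLocalPolicyMerge` is not configured; once the domain GPO sets "Apply local firewall rules" to No, `LocalPolicyModifyState` reports 1 and local allow rules stop having any effect. Because that switch is all-or-nothing per profile, the usual compromise is to keep it off and deliver the vetted per-application exceptions through GPOs scoped to the machine groups that need them.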