Posted by djc on October 12, 2006, 4:07 pm
ok, thanks
> Hi,
>
> If you select "Protect all network connections" it will also raise a
> firewall on VPN connection.
>
> All policies apply to all inbound connections regardless of adapter. In
> general you could try using IPSec Filters -- but they can be quite hard
> to manage.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>> yep yep on the local admin thing. None of my users run with admin
>> privileges.
>>
>> on the gpo thing. You mentioning being careful about filters between
>> client and DC brought up some questions:
>> 1) would the windows firewall, by default, also apply to the 'vpn'
>> connection?
>>
>> 2) if the answer to 1 is no, can you make it apply to the vpn connection?
>>
>> 3) can you configure windows firewall rules separately for different
>> network adapters, including vpn?
>>
>>
>>> Hi,
>>>
>>> Malware will need administrative privileges to e.g. disable Windows
>>> Firewall. As long as your users are local administrators on their
>>> computers, malware will be able to do just about anything and it doesn't
>>> matter what firewall you install on the computer. So, first step in
>>> securing your clients is to make sure that users are not local
>>> administrators.
>>> Updating Group Policies over VPN depends mostly on VPN configuration and
>>> Group Policy settings. If you set it up correctly (be careful about
>>> filters between clients and domain controllers) they will be able to
>>> update group policy settings over VPN.
>>>
>>> --
>>> Mike
>>> Microsoft MVP - Windows Security
>>>
>>>> Ya, I'm aware of it, but I was under the impression it would not
>>>> suffice. Not as robust as third party packages and too easily
>>>> manipulated by malicious code. That's what I'm told anyway. I guess you
>>>> disagree with that? Using GPOs is certainly a bonus, but would changes
>>>> in GPO's be picked up over VPN?
>>>>
>>>>> Hi,
>>>>>
>>>>> I can recommend you a firewall that comes with Windows XP SP2. You can
>>>>> even use group policy to configure it.
>>>>>
>>>>> --
>>>>> Mike
>>>>> Microsoft MVP - Windows Security
>>>>>
>>>>>> so far I have only had 'remote' users. By 'remote' I mean I have been
>>>>>> in control of the machine they are using *and* the network (home)
>>>>>> they are connecting from. I securely configure their home router, I
>>>>>> supply them with a company laptop that picks up our group policy
>>>>>> before leaving, has our company AV software, and is configured with a
>>>>>> VPN connection to our network. After connecting to VPN users RDP to
>>>>>> their desktops.
>>>>>>
>>>>>> I realize the setup I'm using now would not work for 'mobile' users
>>>>>> connecting from public wi-fi hotspots and such since I don't have
>>>>>> control of those networks. Is it just a matter of adding a good
>>>>>> host-based personal firewall into the mix? (if so, any
>>>>>> recommendations on what's currently a good one would be appreciated,
>>>>>> it seems to change every time I check)
>>>>>>
>>>>>> any input on this in general would be greatly appreciated.