Windows Vista Vista Firewall - Domain Profile problems

[Maeliosa]

I understand how the Vista profiles work. However I have issues with
this because on our domain I am not able to fully manage Vista
clients. Here's why:

In order for Vista to use the Domain Profile for the Firewall, every
active network connection on the PC must be authenticated to the
domain. If there are any other active network connections where the
network type is not "Domain" then the firewall profile "Public" is set
as active, and the machine cannot be communicated with.

I WANT the public profile to stay the way it is. This is safe because
when they take their machines away from the office, they are protected
automatically. However while in the office this causes many issues.
Our machines need to be FULLY managed. This means we need to be able
to ping, file share (for hidden admin shares), we use SMS, Antivirus
management tools, etc... So there are many firewall exceptions
defined on the Domain Profile using Group Policy.

Here's the issue:

Some machines have wireless cards. Well I have yet to find a way to
disable wireless cards automatically when they can connect to the
domain. If we can't do it automatically, then it isn't fully
manageable and our users can exploit the fact that they can make their
machine "invisible" on our network, except that we know they are
getting an IP through DHCP. This is bad.

And wireless cards aren't the end of it. Anyone that has any other
type of network adapter, like the virtual adapters VMWare installs.
Those are always an active connection. And that connection is
classified as "unidentified network" - which means anyone with VMWAre
installed on their machine will always use the public profile, unless
they manually disable all the VMWare adapters.

The Vista firewall is powerful, but it is not ideal for computers that
are used on the domain because of these reasons. For security reasons
if a computer is not fully manageable while on your domain, or if a
user can block you the administrators of the domain from having full
control of their domain computer, then that is a huge security risk.
The point of domain machines is that they are in a controlled
environment. Automatically applying the public profile to a domain
machine while it is on the domain, simply because it has other network
adapters, causes the machine to be authenticated to the domain, yet
the domain has no authority over that machine except when manual
intervention is used. This is very, very bad. Did no one think of
this when designing the firewall profiles? I expect to see more
people either disabling the Vista firewall completely, or putting
exceptions in their public profile to work around this issues, thereby
making the Vista firewall moot anyways.


If anyone knows how to address these issues in an AUTOMATED way -
meaning I can centrally control this and don't rely on manual
intervention on the clients (for security reasons we don't rely on the
users to configure their machines) - please respond. Taking away the
user's admin rights now is not enough. Now we have to figure out some
way to make sure the Vista machines are manageable without the user
simply turning on their wireless card to block admins from controlling
their machines. So far I have found no ideal solution without
loosening the public profile settings - I might as well just disable
the firewall feature completely and cross my fingers eh?

 

[Maeliosa]

Re: Vista Firewall - Domain Profile problems

On Nov 27, 8:27 am, Maeliosa <jmhay...@gmail.com> wrote:
> I understand how the Vista profiles work. However I have issues with
> this because on our domain I am not able to fully manage Vista
> clients. Here's why:
>
> In order for Vista to use the Domain Profile for the Firewall, every
> active network connection on the PC must be authenticated to the
> domain. If there are any other active network connections where the
> network type is not "Domain" then the firewall profile "Public" is set
> as active, and the machine cannot be communicated with.
>
> I WANT the public profile to stay the way it is. This is safe because
> when they take their machines away from the office, they are protected
> automatically. However while in the office this causes many issues.
> Our machines need to be FULLY managed. This means we need to be able
> to ping, file share (for hidden admin shares), we use SMS, Antivirus
> management tools, etc... So there are many firewall exceptions
> defined on the Domain Profile using Group Policy.
>
> Here's the issue:
>
> Some machines have wireless cards. Well I have yet to find a way to
> disable wireless cards automatically when they can connect to the
> domain. If we can't do it automatically, then it isn't fully
> manageable and our users can exploit the fact that they can make their
> machine "invisible" on our network, except that we know they are
> getting an IP through DHCP. This is bad.
>
> And wireless cards aren't the end of it. Anyone that has any other
> type of network adapter, like the virtual adapters VMWare installs.
> Those are always an active connection. And that connection is
> classified as "unidentified network" - which means anyone with VMWAre
> installed on their machine will always use the public profile, unless
> they manually disable all the VMWare adapters.
>
> The Vista firewall is powerful, but it is not ideal for computers that
> are used on the domain because of these reasons. For security reasons
> if a computer is not fully manageable while on your domain, or if a
> user can block you the administrators of the domain from having full
> control of their domain computer, then that is a huge security risk.
> The point of domain machines is that they are in a controlled
> environment. Automatically applying the public profile to a domain
> machine while it is on the domain, simply because it has other network
> adapters, causes the machine to be authenticated to the domain, yet
> the domain has no authority over that machine except when manual
> intervention is used. This is very, very bad. Did no one think of
> this when designing the firewall profiles? I expect to see more
> people either disabling the Vista firewall completely, or putting
> exceptions in their public profile to work around this issues, thereby
> making the Vista firewall moot anyways.
>
> If anyone knows how to address these issues in an AUTOMATED way -
> meaning I can centrally control this and don't rely on manual
> intervention on the clients (for security reasons we don't rely on the
> users to configure their machines) - please respond. Taking away the
> user's admin rights now is not enough. Now we have to figure out some
> way to make sure the Vista machines are manageable without the user
> simply turning on their wireless card to block admins from controlling
> their machines. So far I have found no ideal solution without
> loosening the public profile settings - I might as well just disable
> the firewall feature completely and cross my fingers eh?

Is there anyone out there that has a solution for this? This is a
serious problem with security in our business with Vista.

 

[ThePro]

Re: Vista Firewall - Domain Profile problems

"Maeliosa" <jmhaynes@gmail.com> wrote:
> On Nov 27, 8:27 am, Maeliosa <jmhay...@gmail.com> wrote:
>> I understand how the Vista profiles work. However I have issues with
>> this because on our domain I am not able to fully manage Vista
>> clients. Here's why:
>>
>> In order for Vista to use the Domain Profile for the Firewall, every
>> active network connection on the PC must be authenticated to the
>> domain. If there are any other active network connections where the
>> network type is not "Domain" then the firewall profile "Public" is set
>> as active, and the machine cannot be communicated with.
>
> Is there anyone out there that has a solution for this? This is a
> serious problem with security in our business with Vista.

We have some Vista laptops on the network and I do not have any problems
with remote admin. All the "others" connections (VPN, modem, etc.) are
"disconnected" when they are at the office so I guess they use the domain
profile.

Could you explain the steps to reproduce the problem you have ?

Thanks.

ThePro

 

[Maeliosa]

Re: Vista Firewall - Domain Profile problems

> We have some Vista laptops on the network and I do not have any problems
> with remote admin. All the "others" connections (VPN, modem, etc.) are
> "disconnected" when they are at the office so I guess they use the domain
> profile.
>
> Could you explain the steps to reproduce the problem you have ?
>
> Thanks.
>
> ThePro

Yes. My point is that I need to be sure that I can manage computers
that are in my domain. Right now all a user has to do to block me
from remotely managing a Vista box, is make one of their public
connections active. This is easy to do with products like VMWare,
that install virtual network adapters and need no physical connection
to be active. Once the adapter is active, the firewall profile
switches to public, blocking all traffic that I need to manage the
OS. Essentially, the user becomes invisible to us, except that we can
see it in log files. We just can't support them remotely. Wifi
connections have the same issue. We're left only to rely on the user
to disable their connection, know how to do that, and be honest enough
to do it. But that doesn't stop a malicious user.

This is a very bad thing. And it is ironic how the Windows Firewall
can be exploited like this to break one of the rules of security: to
be able to manage the resources on your domain. I know I can disable
it, but if I do that then they have no firewall if they connect the
laptop to a public network, and that also is a security risk. I'm in
what seems like a catch22 situation. I suspect when people catch on
to this it will be a bigger problem than just where I work.

Does anyone know how to solve this problem, am I somehow missing
something, or does Microsoft need to be notified?

 

[Maeliosa]

Re: Vista Firewall - Domain Profile problems

On Dec 7, 10:41 am, Maeliosa <jmhay...@gmail.com> wrote:
> > We have some Vista laptops on the network and I do not have any problems
> > with remote admin. All the "others" connections (VPN, modem, etc.) are
> > "disconnected" when they are at the office so I guess they use the domain
> > profile.
>
> > Could you explain the steps to reproduce the problem you have ?
>
> > Thanks.
>
> > ThePro
>
> Yes.  My point is that I need to be sure that I can manage computers
> that are in my domain.  Right now all a user has to do to block me
> from remotely managing a Vista box, is make one of their public
> connections active.  This is easy to do with products like VMWare,
> that install virtual network adapters and need no physical connection
> to be active.  Once the adapter is active, the firewall profile
> switches to public, blocking all traffic that I need to manage the
> OS.  Essentially, the user becomes invisible to us, except that we can
> see it in log files.  We just can't support them remotely.  Wifi
> connections have the same issue.  We're left only to rely on the user
> to disable their connection, know how to do that, and be honest enough
> to do it.  But that doesn't stop a malicious user.
>
> This is a very bad thing.  And it is ironic how the Windows Firewall
> can be exploited like this to break one of the rules of security: to
> be able to manage the resources on your domain.  I know I can disable
> it, but if I do that then they have no firewall if they connect the
> laptop to a public network, and that also is a security risk.  I'm in
> what seems like a catch22 situation.  I suspect when people catch on
> to this it will be a bigger problem than just where I work.
>
> Does anyone know how to solve this problem, am I somehow missing
> something, or does Microsoft need to be notified?

I guess no one has anything to offer up on this? Maybe no one wants
to read so much?

To sum it up: Vista Firewall is broken. If you want the details, read
the rest. Now does anyone out there know of anything to help me out
here?