How to create a Windows NT 4.0 system policy to manage Windows Firewall in a Windows NT 4.0 domain (897100)


The information in this article applies to:

  • Microsoft Windows NT 4.0
  • Microsoft Windows XP Service Pack 2

SUMMARY

Domain administrators typically use Group Policy to manage the Windows Firewall program that is included with Microsoft Windows XP Service Pack 2 (SP2). However, Microsoft Windows NT 4.0 does not support Group Policy. Administrators cannot manage Windows Firewall by using Group Policy in a Windows NT 4.0 domain. To resolve this issue, Microsoft provides a policy template that you can use with a Windows NT 4.0 system policy to manage Windows Firewall in a Windows NT 4.0 domain. This article discusses the following tasks:
  • How to create a Windows NT 4.0 system policy to manage Windows Firewall
  • How to replicate the new system policy from the primary domain controller (PDC) to all backup domain controllers (BDCs) in the domain
  • How to apply the new system policy on Windows XP SP2-based client computers

INTRODUCTION

This article discusses how to download the Windows Firewall policy template and how to create a Windows NT 4.0 system policy to manage Windows Firewall in a Windows NT 4.0 domain. The following concepts relate to these tasks:
  • In a Windows NT 4.0 domain, you cannot add computers to groups. You have to use one of the following methods to apply a system policy to computers:
    • Use the Default Computer object to apply system policy settings to all computers in the domain.
    • Add each applicable computer to the System Policy Editor. For each computer that you add, you must configure system policy settings.
    Note The procedures in this article use the Default Computer object to apply system policy settings to all computers in the domain.
  • Windows Firewall has two profiles, the domain profile and the standard profile. These profiles can be managed by using system policies. In a Windows NT 4.0 domain, the computer always loads the standard profile.

    Note In Windows XP SP2, the Network Location Awareness service determines whether the connection-specific Domain Name System (DNS) suffix and the primary DNS suffix match. If these suffixes match, Windows Firewall loads the domain profile. Otherwise, Windows Firewall loads the standard profile. In a Windows NT 4.0 domain, the connection-specific DNS suffix and the primary DNS suffix do not match. Therefore, Windows Firewall always loads the standard profile.
  • When you set exceptions in Windows Firewall, you must set the scope. The scope setting controls the IP addresses from which to accept unsolicited traffic. Each exception has its own scope setting.

MORE INFORMATION

How to create a Windows NT 4.0 system policy to manage Windows Firewall

  1. Download a copy of the Windows Firewall policy template (Wfnt.adm) to the Windows NT 4.0 PDC. To download this file, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=d67c7085-4bff-4056-8e7e-3d583214e728&DisplayLang=en

  2. Add the Wfnt.adm file to the System Policy Editor (Poledit.exe). To do this, follow these steps:
    1. On the PDC, copy the Wfnt.adm file to the %systemroot%\Inf folder.
    2. On the PDC, click Start, click Run, type poledit, and then click OK.
    3. In the System Policy Editor dialog box, click Options, and then click Policy Template.
    4. In the Policy Template Options dialog box, click Add.
    5. In the Open Template File dialog box, locate the %systemroot%\Inf folder, click to select the Wfnt.adm file, and then click Open.
    6. In the Policy Template Options dialog box, click OK.
  3. Create a system policy or modify an existing system policy to add the Windows Firewall settings. To do this, follow these steps.

    Note In this example, you enable the File and Printer Sharing service by using the Default Computer object and by setting the scope to LocalSubnet.
    1. In the System Policy Editor dialog box, click File, click New Policy or Open Policy to select an existing system policy, and then double-click Default Computer.
    2. In the Default Computer Properties dialog box, expand Windows Firewall, and then expand Standard Profile.
    3. Click to select the Windows Firewall: Allow file and printer sharing exception check box.
    4. Under Allow unsolicited incoming messages from, type LocalSubnet, and then click OK.
    5. In the System Policy Editor dialog box, click File, and then click Save.
    Note If you are using the Directory Replicator Service, you can save the file as Ntconfig.pol in the %systemroot%\System32\Repl\Export\Scripts folder. Otherwise, you can save the file as Ntconfig.pol in the %systemroot%\System32\Repl\Import\Scripts folder. The %systemroot%\System32\Repl\Import\Scripts folder is the NETLOGON share in Windows NT 4.0.

How to replicate the new or updated system policy from the PDC to all BDCs in the domain

The new or updated Ntconfig.pol file must be present on the NETLOGON share of the PDC and of all BDCs in the domain. To replicate the Ntconfig.pol file, and the system policy, use one of the following methods:
  • Manually replicate the system policy. This method works well if the system policy is not going to change and if you have only a few BDCs.
  • Replicate the system policy by using the Directory Replicator Service that is the built-in File Replication service for Windows NT 4.0. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    101602 Configuring Windows NT for replication

  • Replicate the system policy by using the Robocopy.exe command. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

    160513 Alternatives to the Directory Replicator Service

How to apply the new system policy on Windows XP SP2-based client computers

  1. Log on to the Windows NT 4.0 domain from the Windows XP SP2-based client computer.

    Note System policies in Windows NT 4.0 are applied at user logon time. To apply a new system policy, you must log on to the Windows NT 4.0 domain from the Windows XP SP2-based client computer. After you log on, the registry on the client computer is updated with the new system policy settings. On a Windows XP SP2-based client computer that is in a Windows NT 4.0 domain, the new system policy settings are stored in the following registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile

  2. For the registry settings to take effect, you must restart the Windows Firewall service on the Windows XP SP2-based client computer. To do this, manually restart the service, or restart the client computer.

    Note After the registry settings take effect, the settings can be reversed only by implementing a counteracting Windows NT 4.0-style system policy or by editing the registry to remove the settings.
You can use scripts, the Netsh.exe command, or the Netfw.inf file to manage Windows Firewall settings on a Windows XP SP2-based client computer in a Windows NT 4.0 domain.

For more information about how Windows Firewall works, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/library/3ccb6af5-d960-4a8d-b12b-70692dc47bf41033.mspx

For more information about how Windows Firewall works with Windows XP SP2, visit the following Microsoft Web sites:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en

http://www.microsoft.com/downloads/details.aspx?familyid=cb307a1d-2f97-4e63-a581-bf25685b4c43&displaylang=en

Modification Type:MajorLast Reviewed:3/1/2006
Keywords:kbdomain kbFirewall kbhowto kbinfo KB897100 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.