Tag: Computer Configuration
Windows Firewall: Allow inbound Remote Desktop exceptions
Allows this computer to receive inbound Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389. If you enable this policy setting, Windows Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the “Remote Desktop” check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the “Remote Desktop” check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall does not open this port. Therefore, the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of Control Panel, the “Remote Desktop” check box is cleared. Administrators can change this check box.
Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. If you enable this policy setting and this computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. If you disable or do not configure this policy setting and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
Windows Firewall: Allow inbound UPnP framework exceptions
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the “UPnP framework” check box is selected and administrators cannot clear it. If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list, Windows Firewall does not open the ports. In the Windows Firewall component of Control Panel, the “UPnP framework” check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel, the “UPnP framework” check box is cleared. Administrators can change this check box.
Windows Firewall: Define inbound program exceptions
Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the “Windows Firewall: Define inbound port exceptions” policy setting. To view the program list, enable the policy setting and then click the Show button. To add a program, enable the policy setting, note the syntax, and click the Show button. In the Show Contents dialog box, type a definition string that uses the syntax format. To remove a program, click its definition and then press the DELETE key. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the “Windows Firewall: Allow local program exceptions” policy setting. If you disable this policy setting, the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the “Windows Firewall: Allow local program exceptions” policy setting. If you do not configure this policy setting, Windows Firewall uses only the local program exceptions list that administrators define by using the Windows Firewall component in Control Panel. Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors.
This allows you to add programs that you have not installed yet, but be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multiple entries. Note: If you set the Status parameter of a definition string to “disabled”, Windows Firewall ignores port requests made by that program and ignores other definitions that set the Status of that program to “enabled”. Therefore, if you set the Status to “disabled”, you prevent administrators from allowing the program to ask Windows Firewall to open additional ports. However, even if the Status is “disabled”, the program can still receive unsolicited incoming messages through a port if another policy setting opens that port. Note: Windows Firewall opens ports for the program only when the program is running and “listening” for incoming messages. If the program is not running, or is running but not listening for those messages, Windows Firewall does not open its ports.
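Because Windows Firewall accepts an invalid definition string without checking it and silently merges duplicate entries for the same program, a pre-flight check of the list is worthwhile. The following is an added PowerShell example, not part of the policy reference; it assumes the Path:Scope:Status:Name syntax shown in the policy's own Show Contents help text and uses constructed placeholder paths.

```powershell
# Added example: validate "Define inbound program exceptions" definition strings.
# Assumed syntax (from the policy help text): Path:Scope:Status:Name
$ipv4 = '((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)'

function Test-FirewallScope { param([string]$Scope)
    if ($Scope -eq '*') { return $true }
    foreach ($entry in ($Scope -split ',')) {
        $ip, $mask = $entry.Trim() -split '/', 2
        if ($ip -ieq 'LocalSubnet') { continue }
        if ($ip -notmatch ('^' + $ipv4 + '$')) { return $false }
        # a prefix length (0-32) or a dotted mask may follow the address
        if ($null -ne $mask -and $mask -notmatch ('^([0-9]|[12]\d|3[0-2]|' + $ipv4 + ')$')) { return $false }
    }
    return $true
}

function ConvertFrom-ProgramException { param([string]$Definition)
    $t = $Definition -split ':'
    # Status is the anchor field because the Path may hold a drive-letter colon.
    for ($i = 2; $i -lt $t.Count - 1; $i++) {
        if ($t[$i] -notin 'enabled', 'disabled') { continue }
        return [pscustomobject]@{ Path = $t[0..($i - 2)] -join ':'; Scope = $t[$i - 1]
                                  Status = $t[$i].ToLower(); Name = $t[($i + 1)..($t.Count - 1)] -join ':' }
    }
    return $null
}

function Test-ProgramExceptionList { param([string[]]$Definitions)
    $findings = @(); $parsed = @()
    foreach ($d in $Definitions) {
        $e = ConvertFrom-ProgramException $d
        if (-not $e) { $findings += "unparseable: $d"; continue }
        if (-not (Test-FirewallScope $e.Scope)) { $findings += "invalid scope '$($e.Scope)': $d" }
        $parsed += $e
    }
    # Duplicate paths: any 'disabled' entry wins and all scopes are combined.
    foreach ($g in ($parsed | Group-Object { $_.Path.ToLower() } | Where-Object Count -gt 1)) {
        $st = @($g.Group.Status | Sort-Object -Unique)
        if ($st.Count -gt 1) { $findings += "$($g.Name): conflicting Status ($($st -join ', ')), disabled wins" }
        $findings += "$($g.Name): combined scope $($g.Group.Scope -join ',')"
    }
    return $findings
}

# Constructed sample list with placeholder paths and two deliberate mistakes.
Test-ProgramExceptionList @(
    '%ProgramFiles%\ExampleApp\app.exe:LocalSubnet,10.0.0.0/8:enabled:Example App',
    'C:\Tools\agent.exe:*:disabled:Agent',
    'C:\Tools\agent.exe:192.168.1.0/24:enabled:Agent',
    'C:\Tools\agent.exe:999.1.1.1:enabled:Agent'
)
```

Running the sample reports the out-of-range scope on the last entry and flags that the three agent.exe entries conflict, so the disabled one will silence the program's port requests while their scopes are still merged.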
Windows Firewall: Do not allow exceptions
Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting, in the Windows Firewall component of Control Panel the “Block all incoming connections” check box is selected and administrators cannot clear it. You should also enable the “Windows Firewall: Protect all network connections” policy setting; otherwise, administrators who log on locally can work around the “Windows Firewall: Do not allow exceptions” policy setting by turning off the firewall. If you disable this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the “Block all incoming connections” check box is cleared and administrators cannot select it. If you do not configure this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel, the “Block all incoming connections” check box is cleared by default, but administrators can change it.
Set a default associations configuration file
This policy specifies the path to a file (e.g., stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool. For example: Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt. For more information, refer to the DISM documentation on TechNet. If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time. If the group policy is not configured or disabled, or the client machine is not domain-joined, no default associations will be applied at logon time. Whether the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.
Allow the use of remote paths in file shortcut icons
This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. Note: Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks.
Specify Windows File Protection cache location
This policy setting specifies an alternate location for the Windows File Protection cache. If you enable this policy setting, enter the fully qualified local path to the new location in the “Cache file path” box. If you disable this setting or do not configure it, the Windows File Protection cache is located in the %Systemroot%\System32\Dllcache directory. Note: Do not put the cache on a network shared directory.
Limit Windows File Protection cache size
This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache. Windows File Protection adds protected files to the cache until the cache content reaches the quota. If the quota is greater than 50 MB, Windows File Protection adds other important Windows XP files to the cache until the cache size reaches the quota. If you enable this policy setting, enter the maximum amount of disk space to be used (in MB). To indicate that the cache size is unlimited, select “4294967295” as the maximum amount of disk space. If you disable this policy setting or do not configure it, the default value is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.
Set Windows File Protection scanning
This policy setting allows you to set when Windows File Protection scans protected files. This policy setting directs Windows File Protection to enumerate and scan all system files for changes. If you enable this policy setting, select a rate from the “Scanning Frequency” box. You can use this setting to direct Windows File Protection to scan files more often. — “Do not scan during startup”, the default, scans files only during setup. — “Scan during startup” also scans files each time you start Windows XP. This setting delays each startup. If you disable or do not configure this policy setting, by default files are scanned only during setup. Note: This policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides.