Microsoft KB Archive/938756

= A Windows Vista-based computer that is connected to a domain uses the public profile or the private profile for the Windows Firewall policy instead of the domain profile =

Article ID: 938756

Article Last Modified on 11/26/2007


APPLIES TO


 * Windows Vista Business 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Business
 * Windows Vista Enterprise
 * Windows Vista Ultimate




SYMPTOMS
Consider the following scenario:
 * You have a Windows Vista-based computer that is connected to a domain.
 * The computer uses two or more network adapters.

You expect the domain profile to be used for the Windows Firewall profile. However, in this scenario, the public profile or the private profile is used instead.

Windows Firewall policy includes rules for remote assistance, for remote administration, for file-and-print sharing, and so on. Therefore, if you rely on these rules to access a client remotely, you cannot access the client when the public profile or the private profile is used.



CAUSE
This behavior occurs if one or more of the network adapters cannot contact a domain controller. This behavior is intended to enforce more restrictive firewall settings over less secure connections, depending on the network location type. Only one firewall profile may be active on the computer at the same time.



MORE INFORMATION
To determine which firewall profile is currently being used, click Start, type wf.msc in the Start Search box, and then click wf.msc in the Programs list. The active profile is indicated in the Overview section in the "Windows Firewall with Advanced Security" Microsoft Management Console (MMC).

For more information, visit the following Microsoft Web site:

http://www.microsoft.com/technet/technetmag/issues/2007/06/VistaFirewall/default.aspx

You can set firewall rules in a Group Policy object (GPO) by using Windows Firewall together with the Advanced Security node in the Group Policy Management Console (GPMC) that is available in Windows Server 2008 or in Windows Vista. In GPMC, you can create different firewall rule sets for each of the following network location profiles or for a combination of them:
 * Domain
 * Private
 * Public

Note These rules apply only to computers that are running Windows Server 2008 or Windows Vista. These rules do not apply to computers that are running earlier versions of Windows, such as Windows Server 2003 or Windows XP with Service Pack 2.

If you set the rules in a GPO by using the Windows Firewall node in the Administrative Templates section of Group Policy Object Editor, you can create rules only for the Domain and Standard profiles. If this GPO is applied to Windows Vista or to Windows Server 2008, the rules in the Standard profile apply whenever the computer’s network location profile is set to Private or Public. The rules in the Domain profile still apply only when the computer’s network location profile is set to Domain.
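The following Python sketch is an added illustration, not Microsoft code. It models the behavior described under CAUSE (a single active profile, with the more restrictive location type winning) together with the Domain/Standard mapping for legacy Administrative Templates GPOs, and it reports which adapter pulls the computer off the domain profile. The adapter names, the function names, and the restrictiveness ordering Domain < Private < Public are assumptions of this model.

```python
# Added illustration: simplified model of Windows Vista firewall profile selection.
from typing import Dict, List, Tuple

# Assumption of this model: ranking from least to most restrictive.
RESTRICTIVENESS = {"Domain": 0, "Private": 1, "Public": 2}

# Legacy Administrative Templates GPOs define only Domain and Standard rule sets;
# Standard applies whenever the location profile is Private or Public.
LEGACY_RULESET = {"Domain": "Domain", "Private": "Standard", "Public": "Standard"}


def adapter_location(reaches_dc: bool, user_choice: str = "Public") -> str:
    """Location type for one adapter: Domain only if it can contact a domain
    controller, otherwise the Private/Public type set for that network."""
    if reaches_dc:
        return "Domain"
    if user_choice not in ("Private", "Public"):
        raise ValueError("user_choice must be 'Private' or 'Public'")
    return user_choice


def active_profile(adapters: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return the single active profile and the adapters responsible for it."""
    if not adapters:
        raise ValueError("no connected adapters to evaluate")
    # Only one profile can be active: the most restrictive location type wins.
    profile = max(adapters.values(), key=RESTRICTIVENESS.__getitem__)
    culprits = sorted(
        name for name, loc in adapters.items()
        if loc == profile and profile != "Domain"
    )
    return profile, culprits


def report(adapters: Dict[str, str]) -> dict:
    """Summarize the active profile, the legacy GPO rule set, and the cause."""
    profile, culprits = active_profile(adapters)
    return {
        "active_profile": profile,
        "legacy_gpo_ruleset": LEGACY_RULESET[profile],
        "downgraded_by": culprits,
    }


# Constructed sample inventory with hypothetical adapter names.
SAMPLE = {
    "Corp LAN": adapter_location(reaches_dc=True),
    "Wireless": adapter_location(reaches_dc=False, user_choice="Private"),
}

if __name__ == "__main__":
    print(report(SAMPLE))
```
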

We recommend that you create separate GPOs to deliver firewall or connection security rules to your computers. Use one GPO for computers that are running Windows Vista or Windows Server 2008. In this GPO, create the rules by using Windows Firewall together with the Advanced Security node. Use a different GPO for computers that are running earlier versions of Windows. In this GPO, create the rules by using the Windows Firewall node in the Administrative Templates section. Use group filtering or Windows Management Instrumentation (WMI) filtering to make sure that the policies apply only to computers that are running the appropriate operating system.

Keywords: kbinfo kbtshoot kbexpertiseinter KB938756


© Microsoft Corporation. All rights reserved.