Windows – Deploy Advanced Firewall Rules via GPO – How to avoid merging

firewall, group-policy, windows

I am trying to deploy a set of advanced Windows firewall ACLs to several 2008 R2 servers. I would like to (I have to) ensure that no local or old rules are getting applied.

So I set "Apply local firewall rules" to "No" within each profile (GPO). This only applies to local firewall rule merging (as the name implies). Different rules which are getting set by other GPOs are additive and sum up. This makes sense if I think about it.

However, this is a problem, as through experimenting things became messy on my test machines. So I created another GPO calling a script that deletes all firewall rules in advance (netsh advfirewall firewall delete rule name=all), which leads to a corrupted file and printer sharing service.

So to cut it short: what is the best/recommended way to ensure a clean rule base before applying new ones?

Best Answer

You said the local firewall rules are applied regardless of the "do not apply local rules" GPO setting. Just to confirm, the local firewall rule will still be present in the "\inbound rules, \outbound rules" sets; however, you can see the actual "effective" policies (local + GPO) by viewing the "\monitoring\firewall" node.

If you are having conflicting firewall rules across GPOs in your OU structure, there isn't much the Windows firewall portion is going to help you with. You could do things like change your OU structure, use security filtering per machine, or block inheritance. Overall, though, your policies would probably be set up best by adding more general GPO/firewall settings higher in the OU structure and more specific GPO/firewall settings directly on the servers OU.
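The same "effective policy" view the answer describes can be pulled from the command line, which makes it easy to verify on each server that "Apply local firewall rules = No" really took effect and which GPOs are contributing rules. This is an added example, not code from the question or the answer; it assumes Windows Server 2012 / Windows 8 or newer for the NetSecurity cmdlets (the 2008 R2 hosts in the question only have netsh, whose rough equivalents are noted in the comments).

```powershell
# Added audit example (not from the original post). Assumes the NetSecurity
# module (Server 2012+); run elevated on a domain-joined server.
# 2008 R2 equivalents: "netsh advfirewall show allprofiles" for the merge
# settings and "netsh advfirewall monitor show firewall rule name=all" for
# the effective rule set.

# 1. Effective per-profile settings. ActiveStore is the resolved result of
#    local policy + every applied GPO, i.e. what the "Monitoring" node shows.
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$profiles |
    Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize

# 2. Effective rules grouped by origin: GroupPolicy, Local (PersistentStore),
#    Dynamic, Hardcoded, ... Local rules that still appear here while
#    AllowLocalFirewallRules is False mean merging was not actually disabled.
$active = Get-NetFirewallRule -PolicyStore ActiveStore
$active |
    Group-Object PolicyStoreSourceType |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 3. Which GPOs are adding rules. Because GPO rules are additive across the
#    OU chain, this is the list to reconcile when rules "sum up" unexpectedly.
$active |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    Group-Object PolicyStoreSource |
    Select-Object Name, Count |
    Format-Table -AutoSize

# 4. Flag enabled, non-GPO rules that are still effective on a profile whose
#    GPO says local rules must not be merged.
$noMergeProfiles = ($profiles | Where-Object { -not $_.AllowLocalFirewallRules }).Name
if ($noMergeProfiles) {
    $active |
        Where-Object {
            $_.Enabled -eq 'True' -and
            $_.PolicyStoreSourceType -ne 'GroupPolicy'
        } |
        Select-Object DisplayName, Direction, Action, Profile,
                      PolicyStoreSourceType, PolicyStoreSource |
        Format-Table -AutoSize
}
```

Compare the output of steps 2 and 4 after `gpupdate /force`: if step 4 still lists rules, the merge setting has not reached that profile (wrong OU, security filtering, or inheritance), which is the same diagnosis the answer points to.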
