Applying outbound connection rules PER USER in Windows Firewall with Advanced Security

This just isn't a feature that's available. If you want to do something like this, you might look at using Microsoft TMG as an outbound proxy. It can do user/group based access to Internet resources.


This is doable, I just did it for my kid's computers. Just create the entries below in Task Scheduler. Note that this is not super-secure, since it doesn't account for things like multiple sessions from remote desktops, etc. That said, hopefully it will help a lot of people viewing this topic. Also, note the 30-second delay in Step 2 before the firewall is turned off for registered users. Not sure if that can be made quicker somehow; 5-10 seconds would be more than enough for my computers.

Step 1) Create a Task that turns ON the firewall when anyone logs on:

Task Scheduler -> Action -> "Create Task"

General:

 Name:TurnOnWindowsFirewall
 Security Options:"Run whether user is logged on or not" checked
 Security Options:"Run with highest privileges" checked

Triggers: (click 'New...')

 BeginTheTask:"At log on"
 Settings:"Any User" checked
 Advanced Settings:"Stop if task runs longer than:" checked; "30 minutes" selected
 Advanced Settings:"Enabled" checked

Actions: (click 'New...')

 Action:"Start a program"
 Program/script:"netsh"
 Add Arguments:"advfirewall set allprofiles state on"

Conditions:

 Uncheck everything on this tab

Settings:

 AllowOnDemand: checked
 RunTaskAsSoonAsPossible: checked
 IfTheTaskFails: unchecked
 StopTheTaskIfItRunsLonger: checked; "1 hour" selected
 IfTheRunningTaskDoesNotEndForceIt: checked
 IfTheTaskIsNotSchedAgainDeleteIt: unchecked
 IfTheTaskIsAlreadyRunning: "Do not start a new instance" selected

Step 2) Create a Task that turns OFF the firewall when a certain user logs on:

Task Scheduler -> Action -> "Create Task"

General:

 Name:TurnOffWindowsFirewall
 Security Options:"Run whether user is logged on or not" checked
 Security Options:"Do not store password" checked
 Security Options:"Run with highest privileges" checked

Triggers: (click 'New...')

 BeginTheTask:"At log on"
 Settings:"Specific User" checked  (select user that should have OPEN internet access.)
 Advanced Settings:"Delay task for:" checked; "30 seconds" selected
 Advanced Settings:"Stop if task runs longer than:" checked; "30 minutes" selected
 Advanced Settings:"Enabled" checked

Actions: (click 'New...')

 Action:"Start a program"
 Program/script:"netsh"
 Add Arguments:"advfirewall set allprofiles state off"

Conditions:

 Uncheck everything on this tab

Settings:

 AllowOnDemand: checked
 RunTaskAsSoonAsPossible: checked
 IfTheTaskFails: unchecked
 StopTheTaskIfItRunsLonger: checked; "1 hour" selected
 IfTheRunningTaskDoesNotEndForceIt: checked
 IfTheTaskIsNotSchedAgainDeleteIt: unchecked
 IfTheTaskIsAlreadyRunning: "Do not start a new instance" selected

Good Luck!
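The same two tasks, registered from PowerShell instead of by clicking through Task Scheduler. This is an added example and not part of the answer above; it assumes the account that should get open Internet access is a local user named OpenUser (a hypothetical name), runs both tasks as SYSTEM so no password has to be stored, and uses `state off` for the second task because that is the task the answer describes as turning the firewall off. The ScheduledTasks and NetSecurity cmdlets used here ship with Windows 8 / Server 2012 and later; run the script from an elevated PowerShell session.

```powershell
# Added example: registers the two logon-triggered tasks from the answer above.
# Run from an elevated PowerShell session (Task Scheduler and netsh need admin).
# Assumptions (not from the original answer): the unrestricted user is a local
# account named 'OpenUser'; both tasks run as SYSTEM so no password is stored.

$openUser = "$env:COMPUTERNAME\OpenUser"   # hypothetical user that gets open access
$netsh    = "$env:SystemRoot\System32\netsh.exe"

# Settings shared by both tasks (Settings tab): run ASAP if a start was missed,
# stop after 1 hour, never start a second instance. The Conditions-tab boxes are
# all cleared by allowing battery start and not stopping on battery.
$settings = New-ScheduledTaskSettingsSet `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 1) `
    -MultipleInstances IgnoreNew

# "Run whether user is logged on or not" + "Run with highest privileges",
# using the SYSTEM account instead of a stored administrator password.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Step 1: any user's logon turns the firewall on for all profiles.
$onTrigger = New-ScheduledTaskTrigger -AtLogOn
$onAction  = New-ScheduledTaskAction -Execute $netsh -Argument 'advfirewall set allprofiles state on'
Register-ScheduledTask -TaskName 'TurnOnWindowsFirewall' `
    -Trigger $onTrigger -Action $onAction -Principal $principal -Settings $settings -Force

# Step 2: the chosen user's logon turns it off, 30 seconds later so that it
# runs after Step 1. Delay is an ISO 8601 duration (the "Delay task for" box).
$offTrigger = New-ScheduledTaskTrigger -AtLogOn -User $openUser
$offTrigger.Delay = 'PT30S'
$offAction  = New-ScheduledTaskAction -Execute $netsh -Argument 'advfirewall set allprofiles state off'
Register-ScheduledTask -TaskName 'TurnOffWindowsFirewall' `
    -Trigger $offTrigger -Action $offAction -Principal $principal -Settings $settings -Force

# Check: both tasks should be listed as Ready, and the profile table shows the
# current firewall state so you can verify the toggle after a test logon.
Get-ScheduledTask -TaskName 'Turn*WindowsFirewall' | Select-Object TaskName, State
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Two points worth keeping in mind when using this. Task Scheduler does not order two tasks that fire on the same logon event, so the 30-second delay on the second task is the only thing that makes "off" win over "on"; shortening it too far can let the tasks race. And `state off` disables the firewall for the whole machine, not just the one session, which is the limitation the answer itself flags about multiple or remote sessions.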