Desktop firewalls inside a domain

sphinx99 (Gawd, joined Dec 23, 2006, 1,017 messages)
Simple question... I've asked this of about a dozen very seasoned admins and the response is split down the middle.

In a Windows domain, with strong AV on every client and various IDS/IPS and other protection systems at network end-points (firewalls, DMZs, in the network core, etc.) is it okay to turn off Windows desktop firewalls on the actual PCs?

My feeling is that it's not okay. But a number of people whose judgement I otherwise trust say that they do due to the low risk vs. benefit of easier manageability.

Thoughts?
 

prochobo (Limp Gawd, joined Sep 28, 2005, 321 messages)
I don't know how big your company is, but you probably have a border firewall with other firewalls between VLANs. In that case, the Windows firewalls work to protect the client PC internally.

All external stuff is filtered at the borders so I see no reason to keep the firewalls turned on unless you're particularly scared of an internal threat. But on regular desktop PCs, what services will those PCs be running that actually pose a threat? As long as you keep them updated I think they'll be fine, with or without the Windows firewall. That's my $.02
 

calvinj ([H]ard|Gawd, joined Mar 2, 2009, 1,738 messages)
We have this same debate all the time. I continue to ask why, considering we sell these places high-end firewalls, AV and other safeguards for their domain.

Personally it's more of a pain in the ass for me to leave it on. With that said, we created a group policy to shut it off and stop the service. Makes our screen sharing software and many other things easier to use as well.
 
Joined Apr 13, 2008, 856 messages
With an external, real firewall it's not worth the hassle to ensure every app we use has proper exceptions on a local client.
 

YeOldeStonecat ([H]F Junkie, joined Jul 19, 2004, 11,330 messages)
I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.

Windows Firewall really doesn't suck up resources. It's harmless to have enabled as long as you can control the exceptions you need (such as file and print sharing).

The one benefit is you "may" be able to have workstations more resistant to a worm outbreak inside your LAN. Doesn't matter what you have for "really strong local antivirus"; no matter what the brand, no brand of AV is 100%, something can slip past it.
 
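The GPO-managed setup YeOldeStonecat describes (firewall on, exceptions such as file and print sharing pushed centrally), written out as an added example; this is not code from the thread or from any poster. It also covers the screen-sharing exception calvinj mentions above, scoped to a helpdesk subnet rather than opened to everyone. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (the thread's XP-era equivalent would be netsh), and the subnet ranges, the agent path and the GPO name are placeholders, not values from the page:

```powershell
# Added example, not from the thread. Keeps Windows Firewall enabled on every
# profile, blocks inbound by default, and pushes the exceptions centrally.
# Requires Windows 8 / Server 2012+ (NetSecurity module); run elevated.
# All values below are assumptions for illustration.

$CorpLan     = '10.10.0.0/16'                              # assumed workstation/server range
$AdminSubnet = '10.10.50.0/24'                             # assumed helpdesk VLAN
$AgentExe    = 'C:\Program Files\ScreenShare\agent.exe'    # hypothetical remote-support tool
$GpoPath     = 'corp.example\Workstation Firewall'         # hypothetical 'domain\GPO name'

function Set-WorkstationFirewallBaseline {
    param(
        # Pass a session from Open-NetGPO to write into a GPO; omit it to apply
        # to the local machine (handy for testing the rule set on one box first).
        [string]$GPOSession
    )
    $store = @{}
    if ($GPOSession) { $store.GPOSession = $GPOSession }

    # 1. Firewall on for Domain, Private and Public, inbound blocked by default.
    #    Private/Public are the profiles a laptop lands in at home or in a coffee shop.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow @store

    # 2. File and print sharing, but only on the domain profile and only from the
    #    corporate range. A new GPO store has no built-in "File and Printer Sharing"
    #    group to enable, so the ports are declared explicitly here.
    New-NetFirewallRule -DisplayName 'Corp: SMB in (domain LAN only)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 139, 445 `
        -RemoteAddress $CorpLan -Profile Domain @store
    New-NetFirewallRule -DisplayName 'Corp: NetBIOS name/datagram in (domain LAN only)' `
        -Direction Inbound -Action Allow -Protocol UDP -LocalPort 137, 138 `
        -RemoteAddress $CorpLan -Profile Domain @store

    # 3. The screen-sharing exception: tied to the program, the helpdesk subnet and
    #    the domain profile, so it is not listening for the world when the user is
    #    on public Wi-Fi.
    New-NetFirewallRule -DisplayName 'Corp: remote-support agent in (helpdesk only)' `
        -Direction Inbound -Action Allow -Program $AgentExe `
        -RemoteAddress $AdminSubnet -Profile Domain @store

    # 4. In the GPO, stop locally created rules from being merged in, so a stray
    #    "allow anything" exception added on one box cannot widen the baseline.
    #    (This setting only has meaning in a GPO store.)
    if ($GPOSession) {
        Set-NetFirewallProfile -Profile Domain, Private, Public `
            -AllowLocalFirewallRules False @store
    }
}

# Write the baseline into the GPO (needs the GroupPolicy module and edit rights):
#   $session = Open-NetGPO -PolicyStore $GpoPath
#   Set-WorkstationFirewallBaseline -GPOSession $session
#   Save-NetGPO -GPOSession $session
# Or apply locally to test:
#   Set-WorkstationFirewallBaseline
```

Step 4 is the trade-off calvinj raises further down the thread about remembering what has been poked open: with local rule merging off, the GPO is the single inventory of exceptions, at the cost that any application needing an inbound port has to go through the GPO rather than being allowed on the box.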

swatbat ([H]F Junkie, joined Apr 25, 2001, 13,011 messages)
calvinj wrote:
> Personally it's more of a pain in the ass for me to leave it on. With that said, we created a group policy to shut it off and stop the service. Makes our screen sharing software and many other things easier to use as well.

You could always do what he does below.

YeOldeStonecat wrote:
> I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.
>
> Windows Firewall really doesn't suck up resources. It's harmless to have enabled as long as you can control the exceptions you need (such as file and print sharing).
>
> The one benefit is you "may" be able to have workstations more resistant to a worm outbreak inside your LAN. Doesn't matter what you have for "really strong local antivirus"; no matter what the brand, no brand of AV is 100%, something can slip past it.

I'm with YeOlde on this. We just go in via group policy and add in the exceptions I need.
 

vischo (Gawd, joined Jul 27, 2005, 854 messages)
I think it is always best practice to have multiple layers of security.

YeOldeStonecat wrote:
> I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.

swatbat wrote:
> I'm with YeOlde on this. We just go in via group policy and add in the exceptions I need.

And it sounds like these two know what they are doing.
 

calvinj ([H]ard|Gawd, joined Mar 2, 2009, 1,738 messages)
swatbat wrote:
> You could always do what he does below.

I could. And believe me, we've talked about it too, but for our small clients it's easier to just shut it off than have to remember what you've poked open and what you have not. So far we've been lucky not to have anything happen, and I think that is in part due to the education of the end users and other policies we have in place to prevent AV and other security measures from being shut off.
 

Lightworker (Limp Gawd, joined Jan 12, 2009, 457 messages)
Idiot users with malware or virii that the software doesn't pick up trump edge firewalls any day of the week.
 

sphinx99 (Gawd, joined Dec 23, 2006, 1,017 messages)
I prefer to leave it on but have assumed responsibility for clients at a fairly large organization where the existing client management team likes to leave it off to minimize problems. I have asked for it to be enabled and am getting some push back. My view is that it's too dangerous to assume that the network will remain airtight particularly with 0-day attacks.
 

SJConsultant (2[H]4U, joined Jan 14, 2004, 3,600 messages)
Turn it on. Seriously.

We just cleaned up a Dental office network with 28 workstations where the virus wormed its way from one machine to another. Had the Windows Firewall been turned on, the infection wouldn't have gotten very far.
 

XOR != OR ([H]F Junkie, joined Jun 17, 2003, 11,549 messages)
In an actively managed environment, I'd disable it. When there is no daily admin of the network, turn it on.
 

vectravl400 (Weaksauce, joined Sep 24, 2007, 80 messages)
I work for a large forestry company (about 3000 PCs altogether). Our standard practice is to disable it by policy on all XP workstations. Too many of our core apps have problems with it. We just spend a bit more time ensuring that the AV/Spyware is properly updated on the workstations. Past experience has shown that this tradeoff is largely effective.

FYI: Since the firewall in 7 is dramatically improved, Microsoft is now suggesting that the firewall be left enabled in a domain environment where that was not done in the past. Not sure what they recommended as a best practice for XP.
 

Oswald_ (Weaksauce, joined Apr 21, 2005, 76 messages)
YeOldeStonecat wrote:
> I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.
>
> Windows Firewall really doesn't suck up resources. It's harmless to have enabled as long as you can control the exceptions you need (such as file and print sharing).
>
> The one benefit is you "may" be able to have workstations more resistant to a worm outbreak inside your LAN. Doesn't matter what you have for "really strong local antivirus"; no matter what the brand, no brand of AV is 100%, something can slip past it.

This.
 

Haven (Supreme [H]ardness, joined Oct 11, 2002, 6,438 messages)
We leave the Windows Firewall enabled on our internal network, and control it via group policy. If we need it off to do an install we can turn it off as needed. The reason for this on our network is that we are 95% laptops, so people take their computers home. I have no control over their home networks or at coffee shops, etc.

Several years ago, when the Windows Firewall first became available for XP, there was a virus/worm that would be defeated by the Windows Firewall. However, a lot of people were turning it off. CNN or one of the news outlets had a huge report on the virus/worm because they got infected. One person brought his laptop back in from home, it was infected, and it spread through the infrastructure like wildfire. They could have solved the problem just by having the firewall turned on.
 

dandirk ([H]ard|Gawd, joined Jun 5, 2004, 1,835 messages)
We are in a medium/small business... 1200 workstations, 12+ locations. We have a SMS type software management and also a "unified" desktop image (soon to be upgraded to a network automated imaging system).

We disable our XP firewalls.

It's been years since the last self-propagating worm/virii outbreak; the last spreading issue we had was due to someone with an infected flash drive.

With imaging and SMS like tools, support is really easy. Spend 10 minutes to fix at MOST, then reimage PC.

Managing exceptions in group policy or other just wasn't something we wanted to do. If we had the resources I would be all for it, but we don't have enough as it is now...

The way I figure it is, if virii can disable AV, it can probably mess with the firewall too...

Like mentioned earlier, smaller businesses without centralized management, keep it on. Otherwise look at maintenance etc. and make a decision.
 

gimp ([H]F Junkie, joined Jul 25, 2008, 10,535 messages)
We disable the Windows firewall, but use Cisco Security Agent as our HIPS (host-intrusion protection system).

As stated, it's to help prevent an outbreak within the LAN.

This apparently happened several years ago, but I wasn't working here at that time.
 
Joined Feb 19, 2004, 3,861 messages
I always enable the Windows Firewall and then open ports needed via GPO. Have it set to turn off most of those open ports when the mobile computers are not on the corporate LAN.
 
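A check for two concerns raised above: dandirk's point that whatever can disable AV can probably disable the firewall too, and the previous poster's practice of letting domain-only exceptions fall away when a laptop leaves the corporate LAN. This is an added example, not code from the thread or from any poster. It assumes Windows 8 / Server 2012 or later (NetSecurity module) and reads the effective policy (ActiveStore), so GPO-applied settings are what gets reported rather than whatever sits in the local store:

```powershell
# Added example, not from the thread. Reports whether the firewall is really on
# (service and every profile) and which inbound allow rules would still be active
# on a laptop that is off the domain network (Private/Public/Any profile).
# Assumes Windows 8 / Server 2012+; run as an administrator.

function Get-FirewallHealth {
    # Returns an object; a non-empty Findings list means something needs attention.
    $findings = @()

    # 1. The service. "Enabled" in policy means nothing if MpsSvc has been stopped,
    #    which is exactly what malware that already killed the AV would try next.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    $serviceRunning = [bool]($svc -and $svc.Status -eq 'Running')
    if (-not $serviceRunning) {
        $findings += 'Windows Firewall service (MpsSvc) is not running'
    }

    # 2. Effective per-profile state, including what a GPO has pushed.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if ($p.Enabled -ne 'True') {
            $findings += "Profile '$($p.Name)' has the firewall disabled"
        }
        if ($p.DefaultInboundAction -eq 'Allow') {
            $findings += "Profile '$($p.Name)' allows inbound traffic by default"
        }
    }

    # 3. Inbound allow rules that remain active off the corporate LAN. Rules scoped
    #    to the Domain profile only are not listed: they switch off by themselves
    #    when the machine is not on a domain network.
    $exposed = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True `
                   -Direction Inbound -Action Allow |
        Where-Object { $_.Profile -match 'Private|Public|Any' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }

    # A rule open to 'Any' remote address on a non-domain profile is the one to
    # question first: on a coffee-shop network that is a listener for strangers.
    foreach ($r in $exposed) {
        if ($r.RemoteAddress -eq 'Any') {
            $findings += "Rule '$($r.Rule)' allows $($r.Protocol)/$($r.LocalPort) from Any on profile $($r.Profile)"
        }
    }

    [pscustomobject]@{
        ServiceRunning = $serviceRunning
        ExposedRules   = $exposed
        Findings       = $findings
    }
}

$report = Get-FirewallHealth
$report.ExposedRules | Sort-Object Profile, Rule | Format-Table -AutoSize
if ($report.Findings) {
    $report.Findings | ForEach-Object { Write-Warning $_ }
} else {
    'No findings'
}
```

Run it from the management tool of your choice against a sample of laptops; the useful output is not the long list of Microsoft's own predefined rules but the handful of custom entries that show up on Private or Public with a remote address of Any, which are usually the exceptions that were added "to make the app work" and never scoped to the domain profile.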
Joined Oct 10, 2002, 3,441 messages
I leave windows firewall enabled. All it takes is a rogue laptop plugged into the network to cause a possible problem.
 

vertices (Limp Gawd, joined Apr 14, 2002, 225 messages)
Host based firewalls are necessary for layered security. Relying only on our edge appliance is extremely risky. We put firewalls on workstations and servers. We manage them either through GPO, or through SEP. We prefer SEP as it is easier to make rule set determinations based on location than it is with Vista/7 firewalls.

If you are turning off your firewalls for convenience, you really are opening yourself up for all sorts of things.

You don't just lock your door when you go on vacation do you? No. You have someone pick up the papers out front, get the mail, you leave lights on, you check all the doors and windows, make sure the alarm is set, etc.
 

Eiolon (Gawd, joined Apr 6, 2005, 928 messages)
We have Windows Firewall turned off. But that's because we are using Eset Smart Security and just deploy port changes from its management console.
 