Desktop firewalls inside a domain

sphinx99 ([H]ard|Gawd, joined Dec 23, 2006, 1,059 messages)
Simple question... I've asked this to about a dozen very seasoned admins and the response is split down the middle.

In a Windows domain, with strong AV on every client and various IDS/IPS and other protection systems at network end-points (firewalls, DMZs, in the network core, etc.) is it okay to turn off Windows desktop firewalls on the actual PCs?

My feeling is that it's not okay. But a number of people whose judgement I otherwise trust say that they do due to the low risk vs. benefit of easier manageability.

Thoughts?
 
I don't know how big your company is, but you probably have a border firewall with other firewalls between VLANs. In that case, the Windows firewalls work to protect the client PC internally.

All external stuff is filtered at the borders so I see no reason to keep the firewalls turned on unless you're particularly scared of an internal threat. But on regular desktop PCs, what services will those PCs be running that actually pose a threat? As long as you keep them updated I think they'll be fine, with or without the Windows firewall. That's my $.02
 
We have this same debate all the time. I continue to ask why considering we sell these places high end firewalls, av and other safe guards for their domain.

Personally it's more of a pain in the ass for me to leave it on. With that said we created a group policy to shut it off and stop the service. Makes our screen sharing software and many other things easier to use as well
 
With an external, real firewall it's not worth the hassle to ensure every app we use has proper exceptions on a local client.
 
I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.

Windows Firewall really doesn't suck up resources. It's harmless to have enabled as long as you can control the exceptions you need (such as file and print sharing).

The one benefit is you "may" be able to have workstations more resistant to a worm outbreak inside your LAN. Doesn't matter what you have for "really strong local antivirus"; no matter what the brand, no brand of AV is 100%, something can slip past it.
 
Personally it's more of a pain in the ass for me to leave it on. With that said we created a group policy to shut it off and stop the service. Makes our screen sharing software and many other things easier to use as well

You could always do what he does below.

I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.

Windows Firewall really doesn't suck up resources. It's harmless to have enabled as long as you can control the exceptions you need (such as file and print sharing).

The one benefit is you "may" be able to have workstations more resistant to a worm outbreak inside your LAN. Doesn't matter what you have for "really strong local antivirus"; no matter what the brand, no brand of AV is 100%, something can slip past it.

I'm with YeOlde on this. We just go in via group policy and add the exceptions I need.
 
I think it is always best practice to have multiple layers of security.

I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.

I'm with YeOlde on this. We just go in via group policy and add the exceptions I need.

And it sounds like these two know what they are doing.
 
You could always do what he does below.

I could. And believe me, we've talked about it too, but for our small clients it's easier to just shut it off than have to remember what you've poked open and what you have not. So far we've been lucky to not have anything happen, and for the most part I think that is due in part to the education of the end users and other policies we have in place to prevent AV and other security measures from being shut off.
 
Idiot users with malware or virii that the software doesn't pick up trumps edge firewalls any day of the week.
 
I prefer to leave it on but have assumed responsibility for clients at a fairly large organization where the existing client management team likes to leave it off to minimize problems. I have asked for it to be enabled and am getting some push back. My view is that it's too dangerous to assume that the network will remain airtight particularly with 0-day attacks.
 
Turn it on. Seriously.

We just cleaned up a Dental office network with 28 workstations where the virus wormed its way from one machine to another. Had the Windows Firewall been turned on, the infection wouldn't have gotten very far.
 
In an actively managed environment, I'd disable it. When there is no daily admin of the network, turn it on.
 
I work for a large forestry company (about 3000 PCs altogether). Our standard practice is to disable it by policy on all XP workstations. Too many of our core apps have problems with it. We just spend a bit more time ensuring that the AV/Spyware is properly updated on the workstations. Past experience has shown that this tradeoff is largely effective.

FYI: Since the firewall in 7 is dramatically improved, Microsoft is now suggesting that the firewall be left enabled in a domain environment where that was not done in the past. Not sure what they recommended as a best practice for XP.
 
I leave the Windows Firewall enabled and control its settings via group policy, such as the exception for allowing file and print sharing.

Windows Firewall really doesn't suck up resources. It's harmless to have enabled as long as you can control the exceptions you need (such as file and print sharing).

The one benefit is you "may" be able to have workstations more resistant to a worm outbreak inside your LAN. Doesn't matter what you have for "really strong local antivirus"; no matter what the brand, no brand of AV is 100%, something can slip past it.

This.
 
We leave the Windows Firewall enabled on our internal network, and control it via group policy. If we need it off to do an install we can turn it off as needed. The reason for this on our network is that we are 95% laptops, so people take their computers home. I have no control over their home networks or at coffee shops, etc.

Several years ago, when the Windows Firewall first became available for XP, there was a virus/worm that would be defeated by the Windows Firewall. However, a lot of people were turning it off. CNN or one of the news outlets had a huge report on the virus/worm because they got infected. One person brought his laptop back in from home; it was infected and it spread through the infrastructure like wildfire. They could have solved the problem just by having the firewall turned on.
 
We are a medium/small business... 1200 workstations, 12+ locations. We have SMS-type software management and also a "unified" desktop image (soon to be upgraded to a network-automated imaging system).

We disable our XP firewalls.

It's been years since the last self-propagating worm/virii outbreak; the last spreading issue we had was due to someone with an infected flash drive.

With imaging and SMS like tools, support is really easy. Spend 10 minutes to fix at MOST, then reimage PC.

Managing exceptions in group policy or other just wasn't something we wanted to do. If we had the resources I would be all for it, but we don't have enough as it is now...

The way I figure it is, if virii can disable AV, it can probably mess with the firewall too...

Like mentioned earlier, smaller businesses without centralized management should keep it on. Otherwise, look at maintenance etc. and make a decision.
 
We disable the Windows Firewall, but use Cisco Security Agent as our HIPS (host intrusion protection system).

As stated, it's to help prevent an outbreak within the LAN.

This apparently happened several years ago, but I wasn't working here at that time.
 
I always enable the Windows Firewall and then open ports needed via GPO. Have it set to turn off most of those open ports when the mobile computers are not on the corporate LAN.
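The two approaches above (enable the firewall and manage the exceptions such as File and Printer Sharing through group policy; open ports by GPO but drop them when a mobile machine is off the corporate LAN) map onto the firewall's network-location profiles. The script below is an added example, not code from any poster in this thread. It assumes a Windows 8.1/10/11 or Server 2012+ workstation with the NetSecurity module (Windows 7 exposes the same settings through `netsh advfirewall` and the same GPO node; XP's `netsh firewall` has no profiles), an elevated session, and an illustrative helpdesk subnet and screen-sharing port that are placeholders, not values from the thread.

```powershell
# Added example (not from the original posts): host-firewall baseline for a
# domain workstation, the same settings you would put in a GPO under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Windows Defender Firewall with Advanced Security.
# Assumes Windows 8.1/10/11 or Server 2012+ (NetSecurity module) and an elevated shell.

$HelpdeskSubnet  = '10.10.20.0/24'   # placeholder: where screen-sharing connections come from
$ScreenSharePort = 5900              # placeholder: TCP port of the screen-sharing agent

# 1. Firewall on for every profile. Inbound is blocked unless a rule allows it;
#    outbound stays open so client apps keep working. Log drops for troubleshooting.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. File and Printer Sharing (SMB, NetBIOS, spooler RPC) only while on the corporate
#    LAN, i.e. the Domain profile, which is active only when a domain controller is
#    reachable. The predefined group also has Private/Public copies; scoping the whole
#    group to Domain means a laptop at home or in a coffee shop exposes nothing.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Profile Domain

# 3. The screen-sharing exception: one inbound rule, limited to the Domain profile
#    and to the helpdesk subnet, instead of disabling the firewall for convenience.
if (-not (Get-NetFirewallRule -DisplayName 'Helpdesk screen sharing' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Helpdesk screen sharing' `
        -Description 'Inbound screen-sharing agent, corporate LAN only (placeholder port/subnet)' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort $ScreenSharePort -RemoteAddress $HelpdeskSubnet `
        -Profile Domain -Enabled True | Out-Null
}

# 4. Verification: what is actually in force. -PolicyStore ActiveStore shows the
#    merged result of local rules plus GPO-delivered rules, which is what matters
#    when a GPO elsewhere in the domain turns the firewall off or opens a port.
function Get-HostFirewallReport {
    $profiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

    # Any inbound File and Printer Sharing rule still enabled for Private or Public
    # is the mistake this script is meant to prevent.
    $leaky = Get-NetFirewallRule -PolicyStore ActiveStore -DisplayGroup 'File and Printer Sharing' `
                -Direction Inbound -Enabled True |
             Where-Object { $_.Profile -match 'Private|Public|Any' } |
             Select-Object DisplayName, Profile

    [pscustomobject]@{
        Profiles             = $profiles
        DomainOnlySharing    = ($leaky.Count -eq 0)
        ExposedOffLanRules   = $leaky
        ActiveInboundAllows  = (Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound `
                                    -Action Allow -Enabled True).Count
    }
}

Get-HostFirewallReport | Format-List
```

When these settings are delivered by GPO rather than run locally, check the policy's "Apply local firewall rules" setting for each profile: with it left at Yes, a rule someone added by hand on a workstation (or one a product installer added) is merged with the domain rules, so a machine can end up more open than the GPO shows. The report's `ActiveStore` query is the quick way to see the merged result on a given host.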
 
I leave windows firewall enabled. All it takes is a rogue laptop plugged into the network to cause a possible problem.
 
Host based firewalls are necessary for layered security. Relying only on our edge appliance is extremely risky. We put firewalls on workstations and servers. We manage them either through GPO, or through SEP. We prefer SEP as it is easier to make rule set determinations based on location than it is with Vista/7 firewalls.

If you are turning off your firewalls for convenience, you really are opening yourself up for all sorts of things.

You don't just lock your door when you go on vacation do you? No. You have someone pick up the papers out front, get the mail, you leave lights on, you check all the doors and windows, make sure the alarm is set, etc.
 
We have Windows Firewall turned off. But that's because we are using Eset Smart Security and just deploy port changes from its management console.
 