No Local Firewall Running on OS?

KapsZ28

Is it normal for companies to completely disable the Windows Firewall and not use any other third party firewall on a computer running Windows XP and solely rely on server side/network firewalls?
 
We don't use a firewall, per se, but it is a HIPS product (host-intrusion protection system).
 
Intrusion protection/detections on the network edge is pretty good. Windows firewall just pisses me off lol
 
pretty common as software firewalls become a management/administration nightmare
 
It's common, but it's a mistake. I used to run my networks like that, but an outbreak of Conficker (of all things) cured me of that problem.

You are really relying on your AV and the idea that all devices on your network have an updated AV. The larger the network, the less likely this is true. By securing the local workstations, you protect them against rogue hosts (malicious or otherwise). Given how easy the firewall is to manage from a GPO, there's really no reason not to do it.
 
I've found that it's pretty common for lazy admins to just disable the Windows Firewall rather than configure it properly. It's really not that hard to configure Windows Firewall through GPO and have the settings applied to servers and workstations. I've been turning the firewalls back on on many client networks over the last few years....
 
Most enterprise/corp networks disable the Windows Firewall; a lot run third-party tools like McAfee's IPS/IDS software and other bs...

In smaller companies they turn it off because they can't manage rule sets to run their 3rd party client management software.
 
Is it normal for companies to completely disable the Windows Firewall and not use any other third party firewall on a computer running Windows XP and solely rely on server side/network firewalls?

Well you'll find it's commonly done.....basically out of laziness I suppose.
I prefer to leave it on, and control it via GP like CaptainColo said above....
I make an exception for file/print sharing services, and having it on will better protect the workstations from an outbreak/intrusion within the LAN <=== important

Many of my clients are running SBS for their server, and it has a built in default GPO which does this...XP firewall enabled, file and print sharing exception enabled.
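
The policy state described in this post (firewall enabled, file and print sharing exception enabled) can be audited from a registry export. This is an added example, not part of the original thread; the sample export is constructed, and it assumes the GPO writes the XP SP2 Windows Firewall policy values under `SOFTWARE\Policies\Microsoft\WindowsFirewall`.

```python
import re

# Constructed sample: a .reg export of the Windows Firewall policy keys that a
# GPO writes on an XP SP2+ client. Values are illustrative, not from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint]
"Enabled"=dword:00000001
"RemoteAddresses"="LocalSubNet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000000
'''

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"

def parse_reg(text):
    """Return {key_path: {value_name: int | str}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                current[m.group(1)] = int(m.group(3), 16) if m.group(3) else m.group(4)
    return keys

def audit(text):
    """Flag profiles with the firewall off/unset or a wide-open file/print exception."""
    keys, findings = parse_reg(text), []
    for profile in ("DomainProfile", "StandardProfile"):
        base = ROOT + "\\" + profile
        state = keys.get(base, {}).get("EnableFirewall")
        if state == 0:
            findings.append((profile, "firewall disabled by policy"))
        elif state is None:
            findings.append((profile, "firewall not set by policy"))
        fp = keys.get(base + r"\Services\FileAndPrint", {})
        # Assumption: a missing RemoteAddresses scope is treated as "*" (any address).
        if fp.get("Enabled") == 1 and fp.get("RemoteAddresses", "*") == "*":
            findings.append((profile, "file/print exception open to any address"))
    return findings
```

Calling `audit(SAMPLE_REG)` reports only the StandardProfile, where the constructed export has the firewall turned off by policy.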
 
Well, lazy admins and engineers is definitely what we have here. It is so bad that when they wanted to prevent clients from accessing "Services" they set the GPO to block all MSCs. Well, in Windows XP the Disk Defragmenter runs in an MSC. So now clients can't even defrag their computers. On top of which, the only reason they wanted to block the services was to stop people from stopping the Altiris service.
 
the only reason they wanted to block the services was to stop people from stopping the Altiris service.

If users are smart enough to disable a service through the msc, they're probably going to end up one day googling how to stop a service through the command prompt.
 
If users are smart enough to disable a service through the msc, they're probably going to end up one day googling how to stop a service through the command prompt.

I don't think they are that smart to begin with. Plus just killing the process in the task manager stops the agent from running. Not much of what they do here makes sense. And we are still battling to remove everyone's administrator rights.
 
The good captain can rag on me all he wants. Windows Firewall is just in general a PITA. I disable it through group policy.

To me I spent a good chunk of change on other security measures (Firewall that does Gateway AV, Spyware, Content Filtering, and couple that with AV at the workstation / laptops) I think I have a solid foundation to not have it on.

I understand it's not fool proof, but it hasn't failed me yet
 
The good captain can rag on me all he wants. Windows Firewall is just in general a PITA. I disable it through group policy.

To me I spent a good chunk of change on other security measures (Firewall that does Gateway AV, Spyware, Content Filtering, and couple that with AV at the workstation / laptops) I think I have a solid foundation to not have it on.

I understand it's not fool proof, but it hasn't failed me yet
But when it does, it'll bite you in the ass big time. I thought like you did and learned the hard way.

Managing the firewall through GPOs is trivial, so I'm not sure why you'd have issues with it.
 
I thought like you did and learned the hard way.

Not to completely derail this and if you don't want to or can't bring it up, but why did you learn the hard way? I mean is it something that could have been prevented with some end user training as well?
 
Not to completely derail this and if you don't want to or can't bring it up, but why did you learn the hard way? I mean is it something that could have been prevented with some end user training as well?
Honestly, you can't rely on user training for security. Users are users, and admins make mistakes. It's such a trivial thing to admin, that the extra layer does wonders to protect folks.

In my case, we had several systems on the bench being imaged and ready for deployment. Someone logged on as a domain admin to do some application installs, and used a mislabeled USB key, thinking it contained the apps.

It didn't. It was a virus-laden key left (with no note) on the admin's desk by a user who wanted us to check it out. Because the workstation was logged in as a domain admin, it began infecting all the workstations it could see. The AV on the workstations caught it and cleaned it, mostly, but it kept popping up, preventing work from getting done.

Yes, it was a fail on the part of the admin for logging in as a domain admin to do app install (primarily because we have an automated utility to handle that, and had he used it it would have installed the AV right off the bat...but I digress), but this chain of events is not too far-fetched in most environments. How many of us here run as administrators, at least on our workstations, if not domain accounts?

A quick reconfigure of the GPO to enable the firewall and the exceptions (15 minutes of work, another 30 minutes of troubleshooting for our more...colorful apps) took a huge chunk out of our cleanup efforts; it allowed the AV to do its work and prevented reinfection. Had I done this a day beforehand, there wouldn't have been a problem (except on that local system).
 
We had a lot of issues with viruses spreading because of no firewall and the AV software was also not configured correctly. Remember the Sality virus that is who knows how old at this point? When we changed from CA to SEP, we got hit hard and that was this year. Mostly because SEP was not set up right, but it kept spreading because there was no firewall protection. On top of which, some of our servers either had no AV protection or the AV software only scanned the D: drive.

After having Symantec come in and fix our SEP configuration it has been much better now. But it baffles me how engineers can be in charge of stuff like this when they don't know what they are doing.
 
I've seen that before... and actually used to do it about 8 years ago when XP first came out. Was running a 10 computer domain, and had all the firewalls off. Some virus came along and infected all the machines (can't remember what virus it was at that time) and so I decided to turn the firewall back on! :D

Have never disabled it since.
 