Should I disable windows firewall in windows 2003 server domain environment?

I set up a DC running Windows 2003. I am wondering if I have to set up a group policy to disable Windows Firewall on each workstation, or can I still enable the firewall but need to set up firewall rules in group policy? Where do I do this in GP?
okamonAsked:
mmarx82Commented:
You can run with firewalls enabled on both the servers and the workstations. Why do you think you would need to set up a firewall rule in group policy?
0
Paul MacDonaldDirector, Information SystemsCommented:
I would leave the Windows Firewall in place unless you have another product to fill its niche.
0
chukuCommented:
You should disable the firewall on all PCs, and using a GPO is the best way.
Many of the basic functions require remote access to PCs, and the firewall will cause problems and make you work hard to allow everything and update changes with every new app.
Unless you work for a top-level security organization, the network firewall is enough.
0
Justin OwensITIL Problem ManagerCommented:
You are going to get two basic responses to a question like this:  1) Disable Windows Firewall completely or 2) Leave it on making use of exceptions as needed for your environment.  Personally, I think that both choices have pros and cons.  The company I am at now disables it, but uses another product in its place.  Past companies have completely disabled it.  Still others have it enabled but make use of exceptions.  All yield the same results: if set up correctly, your environment works.  The choice is more preference than anything else.
All of this can be managed by GPO.  To get to where you need to set it up, I need a little more info.  What version of AD are you running?  Have you added the 2008 Schema extensions to your AD?  If you have, there are three locations to check for firewall policy settings.  If you haven't, then there are two places you need to check for firewall policy settings.
Link: http://technet.microsoft.com/en-us/library/bb490626.aspx
Justin
0
Justin OwensITIL Problem ManagerCommented:
Heh... My timing is ironic.
0
amadminCommented:
There is no good case to disable the Windows firewall for all of your workstations.
The GPO settings that allow you to do so are found under "Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall."
All of the myriad settings can be found listed at http://technet.microsoft.com/en-us/library/bb490626.aspx

You can control all settings... and allow or specifically deny any ports and applications that you like.
0
okamonAuthor Commented:
I agree with chuku. If I don't disable the Windows firewall on each machine or set up rules, there will be a lot of problems. But where do I disable the firewall in GPO?
0
amadminCommented:
Heh ... and mine is slow.
Sorry DrUltima, all yours. ;-)
0
okamonAuthor Commented:
Thanks DrUltima. The DC is Win 2003 SP2.
0
Paul MacDonaldDirector, Information SystemsCommented:
"i agree with chuku."
Well, you're wrong and you'll pay the price for taking the easy way the first time you fall victim to malware.  Fair warning!
0
Justin OwensITIL Problem ManagerCommented:
okamon,
Then the link I gave and amadmin also posted should suffice for you.
amadmin,
Happens to all of us... No worries.
Justin
0
okamonAuthor Commented:
Thanks paulmacd. But if you recommend leaving it on, how can you make sure there is no issue for the workstations in a domain environment? What firewall policy do you need to configure?
0
Justin OwensITIL Problem ManagerCommented:
paulmacd,
There are good arguments in both directions.  Personally, I prefer to have some sort of software level firewall on the clients, but if surfing is controlled and good network security is in place, you can make a business case for it being off.
Justin
0
windowsmtCommented:
http://technet.microsoft.com/en-us/library/bb490626.aspx

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are using a third-party host firewall, then you should configure the following Group Policy settings:

Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

Domain profile – Windows Firewall: Protect all network connections is set to Disabled

Standard profile – Windows Firewall: Protect all network connections is set to Disabled

These settings ensure that Windows Firewall is not used, whether the computers are connected to your organization network or not.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are not using a third-party host firewall, then you should configure the following Group Policy settings:

Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

Domain profile – Windows Firewall: Protect all network connections is set to Disabled

Standard profile – Windows Firewall: Protect all network connections is set to Enabled


Disable firewall at your own risk. This is simply HOW to do it. I personally would not do so unless you are running ePO, Trend, Sophos, or Symantec firewalls as part of their respective products.

0
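The GPO path amadmin gives and the three settings in the TechNet excerpt above each land in a policy registry value on the workstation, so a quick way to see which of the two quoted scenarios (or neither) a machine actually received is to read those values. The script below is an added example, not code from the thread or from Microsoft; the WindowsFirewall\DomainProfile and StandardProfile EnableFirewall values are the documented targets of "Protect all network connections", while the NC_PersonalFirewallConfig value for the pre-SP2 "Prohibit use of Internet Connection Firewall" setting is an assumption and is labelled as such.

```powershell
# Added example: audit the Windows Firewall policy values a workstation received
# via GPO and classify them against the two TechNet scenarios quoted above.
# Run in an elevated PowerShell on the client (not part of the original thread).
$wfPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$ncPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the GPO never wrote the value (setting is Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Describe-EnableFlag([object]$Value) {
    if ($null -eq $Value) { return 'Not Configured' }
    if ($Value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

# "Windows Firewall: Protect all network connections" for each profile (1 = on, 0 = off).
$domainOn   = Get-PolicyValue "$wfPolicy\DomainProfile"   'EnableFirewall'
$standardOn = Get-PolicyValue "$wfPolicy\StandardProfile" 'EnableFirewall'
# ASSUMPTION: the pre-SP2 "Prohibit use of Internet Connection Firewall on your DNS
# domain network" setting is stored as NC_PersonalFirewallConfig (0 = prohibited).
$icfConfig  = Get-PolicyValue $ncPolicy 'NC_PersonalFirewallConfig'

Write-Output ('Domain profile   - Protect all network connections : {0}' -f (Describe-EnableFlag $domainOn))
Write-Output ('Standard profile - Protect all network connections : {0}' -f (Describe-EnableFlag $standardOn))
$icfState = if ($null -eq $icfConfig) { 'Not Configured' } elseif ($icfConfig -eq 0) { 'Enabled (ICF prohibited)' } else { 'Disabled' }
Write-Output ('Prohibit ICF on DNS domain network (pre-SP2 clients) : {0}' -f $icfState)

# Classify against the scenarios in the quoted TechNet guidance.
if ($domainOn -eq 0 -and $standardOn -eq 0) {
    Write-Output 'Matches scenario 1: Windows Firewall off on and off the domain (only sane with a third-party host firewall in place).'
} elseif ($domainOn -eq 0 -and $standardOn -eq 1) {
    Write-Output 'Matches scenario 2: Windows Firewall off on the domain network, on when roaming.'
} else {
    Write-Output 'Windows Firewall left in place (the posture most answers here recommend unless another product fills its niche).'
}

# Cross-check the effective runtime state against the policy (XP SP2 / 2003 SP1 and later).
netsh firewall show state
```

Because policy values override the local configuration, a "Not Configured" result for both profiles means the local setting on each machine decides, which is the state the thread's "leave it on and add exceptions" advice expects.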
okamonAuthor Commented:
DrUltima, do you know what the difference is between "Prohibit use of Internet Connection Firewall on your DNS domain network" and "Windows Firewall: Protect all network connections"?
0
windowsmtCommented:
okamon,

What is it that you are afraid will not work? Do you have other software with firewall functionality or intrusion prevention (i.e. HIPS, etc.)?

windowsmt
0
Justin OwensITIL Problem ManagerCommented:
Follow the link and look at Step 2. It defines what each of the settings means and does.
0
okamonAuthor Commented:
Thanks windowsmt. I was thinking that maybe if I didn't disable the firewall, things such as group policy, or any communication between server and clients, would be in trouble. Am I wrong? Are you saying the Windows firewall will have no bad effect in the domain environment? I don't even need to configure the firewall policy in GP at all?
0
Justin OwensITIL Problem ManagerCommented:
Windows Firewall is designed to function inside a domain setting. If you have specific exclusions you need to enable, you can do so.  For example, your AV might need an exception for automated updates.  It will not impede GPO unless you specifically block that traffic.
0
okamonAuthor Commented:
I see!! Thanks DrUltima!! If I don't want to use Windows Firewall, what 3rd-party client firewall would you recommend?
0
Justin OwensITIL Problem ManagerCommented:
That is purely a matter of preference.  I am most familiar with McAfee's HIPs.  I find it to be easy to manage, deploy, and keep updated.  Of course, we also use McAfee's AV and AntiSpyware.  Most enterprise class AV vendors have an integrated firewall package.
0
tamaneriCommented:
Here you go my man, check out this link:

http://technet.microsoft.com/en-us/library/bb490626.aspx

Should help you in there to create a GP and then modify the settings to your likings appropriately.
0
okamonAuthor Commented:
Thank you, I appreciate it. Do you also install McAfee's HIPS on the DC, or is the Windows firewall good enough?
0
windowsmtCommented:
You should be fine with domain communications; it was designed to protect that kind of communication, so it should work fine.

HIPS is easy, but you have to have McAfee. I agree with DrUltima (I usually do; he and I are on the same page 95% of the time): it is easy to deploy and, while a little dated, works well.

If you are not using McAfee, honestly your best choice is the integrated firewall from your AV provider, or Windows Firewall. I wouldn't introduce another system; that is not only a management nightmare, it creates troubleshooting issues that it sounds like you are trying to avoid.
0
Justin OwensITIL Problem ManagerCommented:
I would not install a 3rd party software firewall on servers, as a matter of practice.  It can be done, but the amount of configuration that must be made is maddening.
0
windowsmtCommented:
HIPS will work on Windows Server: http://www.ca.com/us/products/product.aspx?ID=5785
You can use Windows Firewall if you want.
0
windowsmtCommented:
I agree again with DrUltima... Usually I don't put a 3rd-party firewall on a server. There are policies protecting them; combined with Windows Firewall they are effective.
0
Justin OwensITIL Problem ManagerCommented:
I agree that it will work.  I just prefer not to do it.  Again, this is a personal preference, not necessarily a professional one. :)  I am also always very reticent to install anything which will impede network traffic on a Domain Controller.  But, I agree with windowsmt.  He and I normally see eye to eye.
0