okamon asked:
Should I disable windows firewall in windows 2003 server domain environment?

I set up a DC running Windows 2003. I am wondering if I have to set up Group Policy to disable the Windows Firewall on each workstation, or whether I can still enable the firewall but need to set up firewall rules in Group Policy. Where do I do this in GP?
mmarx82:
You can run with firewalls enabled on both the servers and the workstations. Why do you think you would need to set up a firewall rule in Group Policy?
Paul MacDonald (asker certified solution; text available to members only)
You should disable the firewall on all PCs, and using a GPO is the best way.
Many of the basic functions require remote access to PCs, and the firewall will cause problems and make you work hard to allow everything and update changes with every new app.
Unless you work for a top-level security organization, the network firewall is enough.
Heh... My timing is ironic.
okamon (asker):
I agree with chuku. If I don't disable the Windows Firewall on each machine or set up rules, there will be a lot of problems. But where do I disable the firewall in the GPO?
Heh ... and mine is slow.
Sorry DrUltima, all yours. ;-)
okamon (asker):
Thanks DrUltima. The DC is Win 2003 SP2.
"i agree with chuku."
Well, you're wrong and you'll pay the price for taking the easy way the first time you fall victim to malware.  Fair warning!
okamon,
Then the link I gave and amadmin also posted should suffice for you.
amadmin,
Happens to all of us... No worries.
Justin
okamon (asker):
Thanks paulmacd. But if you recommend leaving it on, how can you make sure there is no issue for the workstations in a domain environment? What firewall policy do you need to configure?
paulmacd,
There are good arguments in both directions.  Personally, I prefer to have some sort of software level firewall on the clients, but if surfing is controlled and good network security is in place, you can make a business case for it being off.
Justin
okamon (asker):
DrUltima, do you know what the difference is between "Prohibit use of Internet Connection Firewall on your DNS domain" and "Windows Firewall: Protect all network connections"?
okamon,

What is it that you are afraid will not work? Do you have other software with firewall functionality or intrusion prevention (i.e. HIPS, etc.)?

windowsmt
Follow the link and look at Step 2. It defines what each of the settings means and does.
okamon (asker):
Thanks windowsmt. I was thinking maybe if I didn't disable the firewall, things such as Group Policy, or any communication between server and clients, would be in trouble. Am I wrong? Are you saying the Windows Firewall will have no bad effect in the domain environment? I don't even need to configure the firewall policy in GP at all??
Windows Firewall is designed to function inside a domain setting. If you have specific exclusions you need to enable, you can do so.  For example, your AV might need an exception for automated updates.  It will not impede GPO unless you specifically block that traffic.
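As an added example (not from the thread or any of its posters), the PowerShell audit below reports, for the Windows Firewall domain profile on an XP SP2 / Server 2003-era host, whether the firewall is on, whether a GPO (Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile) or the local setting controls it, and which program and port exceptions are open. The registry paths are the documented locations for that Windows generation; run it on the host being audited, as it reads the live registry.

```powershell
# Added example, not from the thread. Audits the Windows Firewall domain profile:
# GPO-written values live under the Policies key and override the local key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$LocalKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'

# Program exceptions are stored as "path:scope:Enabled|Disabled:name",
# port exceptions as "port:protocol:scope:Enabled|Disabled:name".
function ConvertFrom-FirewallException {
    param([string]$Entry, [string]$Kind, [string]$Source)
    $f = $Entry -split ':'
    if ($Kind -eq 'Program') {
        $target = "$($f[0]):$($f[1])"   # rejoin the drive-letter colon that -split removed
    } else {
        $target = "$($f[1])/$($f[0])"   # e.g. TCP/3389
    }
    [pscustomobject]@{ Source=$Source; Kind=$Kind; Target=$target; Scope=$f[2]; State=$f[3]; Name=$f[4] }
}

# Reads both exception lists under one profile key and tags each entry with its source.
function Get-FirewallExceptions {
    param([string]$Base, [string]$Source)
    foreach ($sub in 'AuthorizedApplications', 'GloballyOpenPorts') {
        $kind = if ($sub -eq 'AuthorizedApplications') { 'Program' } else { 'Port' }
        $list = Get-ItemProperty -Path "$Base\$sub\List" -ErrorAction SilentlyContinue
        if ($null -eq $list) { continue }
        # every non-PS* property is one exception; its value is the entry string
        $list.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            ConvertFrom-FirewallException -Entry $_.Value -Kind $kind -Source $Source
        }
    }
}

function Get-DomainFirewallState {
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $LocalKey  -ErrorAction SilentlyContinue
    if ($null -ne $policy -and $null -ne $policy.EnableFirewall) {
        $source = 'GPO';   $enabled = [bool]$policy.EnableFirewall   # policy value wins
    } else {
        $source = 'Local'; $enabled = [bool]$local.EnableFirewall    # missing key reads as off
    }
    $exceptions = @(Get-FirewallExceptions -Base $PolicyKey -Source 'GPO') +
                  @(Get-FirewallExceptions -Base $LocalKey  -Source 'Local')
    [pscustomobject]@{ Source=$source; Enabled=$enabled; Exceptions=$exceptions }
}

$state = Get-DomainFirewallState
"Domain profile firewall enabled: $($state.Enabled) (controlled by $($state.Source))"
$state.Exceptions | Where-Object { $_.State -eq 'Enabled' } |
    Format-Table Source, Kind, Target, Scope, Name -AutoSize
```

An entry with Source GPO is the one the thread's "Protect all network connections" setting pushes down; a Local one survives only until a GPO with "Do not allow exceptions" or its own lists is applied.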
okamon (asker):
I see!! Thanks DrUltima!! If I don't want to use the Windows Firewall, what 3rd-party client firewall would you recommend?
That is purely a matter of preference.  I am most familiar with McAfee's HIPs.  I find it to be easy to manage, deploy, and keep updated.  Of course, we also use McAfee's AV and AntiSpyware.  Most enterprise class AV vendors have an integrated firewall package.
Here you go my man, check out this link:

http://technet.microsoft.com/en-us/library/bb490626.aspx

Should help you in there to create a GP and then modify the settings to your likings appropriately.
okamon (asker):
Thank you, I appreciate it. Do you also install McAfee's HIPS on the DC? Or is the Windows Firewall good enough?
You should be fine with domain communications; it was designed to protect that kind of communication, so it should work fine.

HIPS is easy, but you have to have McAfee. I agree with Dr Ultima (I usually do; he and I are on the same page 95% of the time): it is easy to deploy and, while a little dated, works well.

If you are not using McAfee, honestly your best choice is the integrated firewall for your AV provider, or Windows Firewall. I wouldn't introduce another system, that is not only a management nightmare, it creates troubleshooting issues that it sounds like you are trying to avoid.
I would not install a 3rd party software firewall on servers, as a matter of practice.  It can be done, but the amount of configuration that must be made is maddening.
HIPS will work on Windows Server: http://www.ca.com/us/products/product.aspx?ID=5785
You can use Windows Firewall if you want.
I agree again with Dr. Ultima... Usually I don't put a (3rd-party) firewall on a server. There are policies protecting them; combined with Windows Firewall they are effective.
I agree that it will work.  I just prefer not to do it.  Again, this is a personal preference, not necessarily a professional one. :)  I am also always very reticent to install anything which will impede network traffic on a Domain Controller.  But, I agree with windowsmt.  He and I normally see eye to eye.