Should I disable Windows Firewall in a Windows 2003 Server domain environment?

I set up a DC running Windows 2003. I am wondering whether I have to set up Group Policy to disable Windows Firewall on each workstation, or whether I can leave the firewall enabled but need to set up firewall rules in Group Policy. Where do I do this in GP?
okamon asked:
 
Paul MacDonald, Director, Information Systems, commented:
I would leave the Windows Firewall in place unless you have another product to fill its niche.
0
 
mmarx82 commented:
You can run with firewalls enabled on both the servers and the workstations. Why do you think you would need to set up a firewall rule in Group Policy?
0
 
chuku commented:
You should disable the firewall on all PCs, and using a GPO is the best way.
Many of the basic functions require remote access to PCs, and the firewall will cause problems and make you work hard to allow everything and update the changes with every new app.
Unless you work for a top-level security organization, the network firewall is enough.
0
 
Justin Owens, ITIL Problem Manager, commented:
You are going to get two basic responses to a question like this: 1) disable Windows Firewall completely, or 2) leave it on, making use of exceptions as needed for your environment. Personally, I think that both choices have pros and cons. The company I am at now disables it, but uses another product in its place. Past companies have completely disabled it. Still others have it enabled but make use of exceptions. All yield the same result: if set up correctly, your environment works. The choice is more preference than anything else.
All of this can be managed by GPO. To get to where you need to set it up, I need a little more info. What version of AD are you running? Have you added the 2008 schema extensions to your AD? If you have, there are three locations to check for firewall policy settings. If you haven't, then there are two places you need to check for firewall policy settings.
Link: http://technet.microsoft.com/en-us/library/bb490626.aspx
Justin
0
 
Justin Owens, ITIL Problem Manager, commented:
Heh... My timing is ironic.
0
 
amadmin commented:
There is no good case for disabling the Windows Firewall on all of your workstations.
The GPO settings that allow you to do so are found under "Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall."
All of the myriad settings can be found listed at http://technet.microsoft.com/en-us/library/bb490626.aspx

You can control all settings... and allow or specifically deny any ports and applications that you like.
0
 
okamon (Author) commented:
I agree with chuku. If I don't disable the Windows Firewall on each machine or set up rules, there will be a lot of problems. But where do I disable the firewall in the GPO?
0
 
amadmin commented:
Heh ... and mine is slow.
Sorry DrUltima, all yours. ;-)
0
 
okamon (Author) commented:
Thanks DrUltima. The DC is Win 2003 SP2.
0
 
Paul MacDonald, Director, Information Systems, commented:
"I agree with chuku."
Well, you're wrong, and you'll pay the price for taking the easy way the first time you fall victim to malware. Fair warning!
0
 
Justin Owens, ITIL Problem Manager, commented:
okamon,
Then the link I gave and amadmin also posted should suffice for you.
amadmin,
Happens to all of us... No worries.
Justin
0
 
okamon (Author) commented:
Thanks paulmacd. But if you recommend leaving it on, how can you make sure there are no issues for the workstations in a domain environment? What firewall policy do you need to configure?
0
 
Justin Owens, ITIL Problem Manager, commented:
paulmacd,
There are good arguments in both directions. Personally, I prefer to have some sort of software-level firewall on the clients, but if surfing is controlled and good network security is in place, you can make a business case for it being off.
Justin
0
 
windowsmt commented:
http://technet.microsoft.com/en-us/library/bb490626.aspx

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are using a third-party host firewall, then you should configure the following Group Policy settings:

Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

Domain profile – Windows Firewall: Protect all network connections is set to Disabled

Standard profile – Windows Firewall: Protect all network connections is set to Disabled

These settings ensure that Windows Firewall is not used, whether the computers are connected to your organization network or not.

If you decide to disable the use of Windows Firewall across your entire organization network, which contains a mixture of computers running Windows XP with SP2, Windows XP with SP1, and Windows XP with no service packs installed, and you are not using a third-party host firewall, then you should configure the following Group Policy settings:

Prohibit use of Internet Connection Firewall on your DNS domain network is set to Enabled

Domain profile – Windows Firewall: Protect all network connections is set to Disabled

Standard profile – Windows Firewall: Protect all network connections is set to Enabled


Disable firewall at your own risk. This is simply HOW to do it. I personally would not do so unless you are running ePO, Trend, Sophos, or Symantec firewalls as part of their respective products.

0
 
okamon (Author) commented:
DrUltima, do you know what the difference is between "Prohibit use of Internet Connection Firewall on your DNS domain network" and "Windows Firewall: Protect all network connections"?
0
 
windowsmt commented:
okamon,

What is it that you are afraid will not work? Do you have other software with firewall functionality or intrusion prevention (i.e., HIPS, etc.)?

windowsmt
0
 
Justin Owens, ITIL Problem Manager, commented:
Follow the link and look at Step 2. It defines what each of the settings means and does.
0
 
okamon (Author) commented:
Thanks windowsmt. I was thinking that maybe if I didn't disable the firewall, things such as Group Policy, or any communication between server and clients, would be in trouble. Am I wrong? Are you saying the Windows Firewall will have no bad effect in the domain environment? I don't even need to configure the firewall policy in GP at all??
0
 
Justin Owens, ITIL Problem Manager, commented:
Windows Firewall is designed to function inside a domain setting. If you have specific exclusions you need to enable, you can do so. For example, your AV might need an exception for automated updates. It will not impede GPO unless you specifically block that traffic.
0
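The TechNet settings windowsmt quoted above (the pre-SP2 "Prohibit use of Internet Connection Firewall" setting and the per-profile "Protect all network connections" setting) and the program/port exceptions Justin mentions all end up as registry values on the client, so a quick way to see what a workstation has actually received from Group Policy is to read them back. The script below is an added example and is not code from this thread or from Microsoft. It assumes PowerShell 2.0 has been installed on the XP SP2 / Server 2003 client (it is not part of those systems by default) and that it runs in an administrative session; the registry locations are the ones those policy settings write to, stated from experience rather than from the thread, and the `netsh firewall` context is the built-in tool on XP SP2 and 2003 SP1+ for the effective state.

```powershell
# Added example: audit what Group Policy is telling Windows Firewall to do on an
# XP SP2 / Server 2003 client, then compare with what the firewall reports itself.
# Assumptions: PowerShell 2.0 present, run as an administrator. Registry paths are
# the documented policy/local locations for the settings named in the thread.

$ncPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
$fwPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$fwLocal  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the GPO setting is Not Configured.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Describe-Setting($value) {
    # Translate the DWORD a policy setting writes into the words the GP editor shows.
    if ($value -eq $null) { return 'Not Configured' }
    if ($value -eq 1)     { return 'Enabled' }
    if ($value -eq 0)     { return 'Disabled' }
    return "Unexpected value $value"
}

function Get-ExceptionNames([string]$ListKey) {
    # "Define program exceptions" / "Define port exceptions" store one value per
    # exception under ...\AuthorizedApplications\List and ...\GloballyOpenPorts\List.
    if (-not (Test-Path $ListKey)) { return @() }
    return (Get-Item $ListKey).GetValueNames()
}

function Get-FirewallPolicyReport {
    $rows = @()
    # Pre-SP2 setting: "Prohibit use of Internet Connection Firewall on your DNS
    # domain network". This is what XP SP1 / RTM clients understand; SP2 clients
    # use the per-profile EnableFirewall values below when those are configured.
    $rows += New-Object PSObject -Property @{
        Setting = 'Prohibit use of ICF on DNS domain network (GPO)'
        Value   = Describe-Setting (Get-RegValue $ncPolicy 'NC_PersonalFirewallConfig')
    }
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        # "Windows Firewall: Protect all network connections" for this profile.
        $rows += New-Object PSObject -Property @{
            Setting = "$profile - Protect all network connections (GPO)"
            Value   = Describe-Setting (Get-RegValue "$fwPolicy\$profile" 'EnableFirewall')
        }
        # What the local firewall service itself is configured with, for comparison.
        $rows += New-Object PSObject -Property @{
            Setting = "$profile - EnableFirewall (local)"
            Value   = Describe-Setting (Get-RegValue "$fwLocal\$profile" 'EnableFirewall')
        }
        $rows += New-Object PSObject -Property @{
            Setting = "$profile - program exceptions from GPO"
            Value   = (Get-ExceptionNames "$fwPolicy\$profile\AuthorizedApplications\List") -join '; '
        }
        $rows += New-Object PSObject -Property @{
            Setting = "$profile - port exceptions from GPO"
            Value   = (Get-ExceptionNames "$fwPolicy\$profile\GloballyOpenPorts\List") -join '; '
        }
    }
    return $rows
}

# Print the policy view, then ask the firewall itself which profile and mode it is in.
Get-FirewallPolicyReport | Format-Table Setting, Value -AutoSize
netsh firewall show state | Select-String 'Profile', 'Operational mode'
```

Run it on a workstation after `gpupdate /force`. If the report shows "DomainProfile - Protect all network connections (GPO)" as Disabled but `netsh` still reports the firewall as enabled, the machine is most likely on the Standard profile because it could not reach a domain controller at logon, which is exactly the split the quoted TechNet guidance relies on: the Domain profile governs the machine on your network, the Standard profile governs it everywhere else.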
 
okamon (Author) commented:
I see!! Thanks DrUltima!! If I don't want to use Windows Firewall, what third-party client firewall would you recommend?
0
 
Justin Owens, ITIL Problem Manager, commented:
That is purely a matter of preference. I am most familiar with McAfee's HIPS. I find it to be easy to manage, deploy, and keep updated. Of course, we also use McAfee's AV and AntiSpyware. Most enterprise-class AV vendors have an integrated firewall package.
0
 
tamaneri commented:
Here you go, my man, check out this link:

http://technet.microsoft.com/en-us/library/bb490626.aspx

It should help you create a GP and then modify the settings to your liking.
0
 
okamon (Author) commented:
Thank you, I appreciate it. Do you also install McAfee's HIPS on the DC, or is the Windows Firewall good enough?
0
 
windowsmt commented:
You should be fine with domain communications; it was designed to protect that kind of communication, so it should work fine.

HIPS is easy, but you have to have McAfee. I agree with DrUltima (I usually do; he and I are on the same page 95% of the time): it is easy to deploy and, while a little dated, works well.

If you are not using McAfee, honestly your best choice is the integrated firewall from your AV provider, or Windows Firewall. I wouldn't introduce another system; that is not only a management nightmare, it creates the troubleshooting issues that it sounds like you are trying to avoid.
0
 
Justin Owens, ITIL Problem Manager, commented:
I would not install a third-party software firewall on servers, as a matter of practice. It can be done, but the amount of configuration that must be done is maddening.
0
 
windowsmt commented:
HIPS will work on Windows Server: http://www.ca.com/us/products/product.aspx?ID=5785
You can use Windows Firewall if you want.
0
 
windowsmt commented:
I agree again with DrUltima... Usually I don't put a third-party firewall on a server. There are policies protecting them; combined with Windows Firewall they are effective.
0
 
Justin Owens, ITIL Problem Manager, commented:
I agree that it will work. I just prefer not to do it. Again, this is a personal preference, not necessarily a professional one. :) I am also always very reticent to install anything which will impede network traffic on a Domain Controller. But I agree with windowsmt. He and I normally see eye to eye.
0