Is it best to disable my firewall

  • Question

  • In the previous network I worked in, the Windows firewall was enabled for all profiles and controlled by GPO; we never had any issues.

    I have inherited the responsibility for a larger network, and their domain profile firewall is disabled by GPO. Is this standard practice for a larger business, or is it someone's lazy way out of doing a proper job? In my opinion threats can easily get onto a client system whether the machine is external or internal (especially since everyone runs as local admins here); surely having the domain profile disabled increases the security risk a lot. Even the servers have it disabled!

    If I re-enable the firewall by GPO, am I likely to face many issues?

    Is it advised that I enable the firewall for the domain profile or not?

    Steve

    Wednesday, July 10, 2013 10:41 AM

Answers

  • Hi,

    I do not know why they disabled the default firewall network-wide. Normally, if we encounter any issue related to the firewall, or the firewall blocks a connection, I will just add an exception rule to make the application work.


    Juke Chou
    TechNet Community Support

    Thursday, July 11, 2013 9:42 AM
  • Hi,

    This depends on the needs and specific situation. If it is a server application, I will just add a corresponding rule to the computer's firewall.


    Juke Chou
    TechNet Community Support

    Friday, July 19, 2013 7:19 AM

All replies

  • Some thoughts:

    I don't think disabling the firewall is standard practice in larger businesses (some may but it's not the standard).

    Upon installation, Exchange should open all necessary ports for messaging operations (should be no need for manual configuration).

    So disabling the firewall should not be necessary in most circumstances.

    The domain profile is probably the only active profile on the mail server in your scenario.

    The big question: should you enable it?

    Normally, you should be able to. But if the previous admin(s) were tweaking and customizing things (like ports), they may have had reasons to disable the firewall. Maybe that was the only way they could make the server work after "playing around" with its configuration.

    You might be able to export the configuration and compare it to a "good copy".

    http://technet.microsoft.com/en-us/library/cc771920(v=ws.10).aspx

    But... you'd have to have a good working installation.

    Whatever you do (if you look at the link), do not reset the permissions because that would reset them the way the server was before the Exchange installation. Many things would stop working.

    Lastly, the true trial would be enabling the firewall and testing (seeing what does not work).

    In a "larger business", you would want to agree on (possible) downtime with management.

    You are correct that disabling the host firewall decreases security (to some extent).

    The larger the business, the greater the chances of someone connecting a virus-infected laptop or setting up a rogue access point sometime, somewhere. So I would tend to favor using the host-based firewalls in addition to the perimeter firewall(s).

    My two cents, as they say.


    Wednesday, July 10, 2013 11:39 PM
  • Thanks for that. I wasn't specifically focusing on Exchange server (our entire domain has the firewall disabled by GPO; the default domain policy was edited to do this), so we have absolutely no internal firewall between any machine at all, like back in the days of Windows 2000.

    There must have been an extremely good reason to disable the firewall network-wide, or incompetence or sheer laziness to fix it properly; there is no documentation, though, to explain why. Perhaps I should take the approach of configuring such things for new machines I introduce into the network and slowly phase out the old systems over time.

    Cheers, Steve

    Thursday, July 11, 2013 7:04 AM
  • Yes, this is how I generally do things. I also prefer to follow the approach of opening up only the ports that are required for a particular machine, but since there are so many client machines, all with different applications and such, it's near impossible to open all these ports by group policy for each machine, as I'd end up with loads of firewall GPOs.

    How do you tend to tackle this issue? Do you just open up port xxx for all clients even if only a handful require it?

    Friday, July 12, 2013 7:42 AM
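    As an added example (not posted by anyone in this thread), this PowerShell script does the "enable and see what breaks" test suggested above and answers the per-machine port question by summarising what the domain profile actually drops on a host, so exceptions can be scoped to the machines that need them. It assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated session, and the default pfirewall.log location; the rule name and port at the end are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.

# 1. Audit: show the state of each profile on this host (what the GPO left behind).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2. Re-enable the domain profile locally and log dropped packets, so a test
#    period shows which inbound connections a GPO-enforced firewall would block.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain -Enabled True -LogBlocked True `
    -LogFileName $log -LogMaxSizeKilobytes 16384

# 3. Summarise dropped inbound traffic by protocol and destination port.
#    pfirewall.log fields: date time action protocol src-ip dst-ip src-port
#    dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
function Get-DroppedInbound {
    param([string]$Path = $log)
    Get-Content $Path |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} ' } |   # skip the header lines
        ForEach-Object {
            $f = $_ -split ' '
            # DROP with path RECEIVE = an inbound connection the firewall refused
            if ($f[2] -eq 'DROP' -and $f[-1] -eq 'RECEIVE') {
                [pscustomobject]@{ Protocol = $f[3]; SourceIP = $f[4]; DestPort = $f[7] }
            }
        } |
        Group-Object Protocol, DestPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
Get-DroppedInbound | Format-Table -AutoSize

# 4. The targeted exception the answers describe: allow one application's
#    inbound port for the domain profile only. Name and port are placeholders.
New-NetFirewallRule -DisplayName "Example app inbound (placeholder)" `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -Profile Domain -Action Allow
```

    Ports that only a handful of machines need can then be pushed as rules in a GPO filtered to a security group containing just those hosts, rather than opened for every client.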