Is it a good idea or common practice to completely turn off Windows Firewall in an AD domain using Group Policy? At this time, even the servers' firewalls are turned off. The only device not affected is the WAN-facing router/firewall.
4 Answers
This is a practice we used to partake in, on an AD domain with VPNs to multiple offices in multiple countries, and thought it was fine.
Until someone in a remote island office plugged a client's laptop into the network. Within 10 minutes, every office was infected with Conficker, we had to pull all internet connections and 3 engineers spent the best part of a week cleaning the worm out of all our systems (p.s. A/V at the time was Symantec, it wasn't for long after this).
Worms are less prevalent these days, however do you really need file and printer sharing ports open on your workstations? You'll need them on various servers, but that's where the beauty of GPO comes in. Default policy locks it down, add a policy object for the ports you need and apply only to the servers that really need it.
Whilst it's obvious that company policy should be no external laptops plugged into the domain (and it was), accidents happen, people bring viruses/worms in from visits etc. Better to be safe than very very sorry!
I personally don't agree and find having a local firewall on each system in a LAN to be more a nuisance than a benefit; but I can't help giving you a +1 for "A/V at the time was Symantec, it wasn't for long after this". – Massimo Sep 30 '11 at 10:12
Across all of our clients, we've inherited a slew of different anti-virus vendors and all of them, at some point, lose out on the virus signature arms race to another vendor. I hate Symantec for other reasons though. – gravyface Sep 30 '11 at 10:37
This is the answer right here. Use Group Policy to MANAGE the firewall, but resist the temptation to turn it off. Yes, it can be a pain and yes it will require some work to configure, but that's no excuse. Threats do come internally and they will hurt 10x as hard if you've decided you're safe in your house. – Dan Sep 30 '11 at 11:39
@Massimo may I ask what are some of your applications that require ports to be open on clients that make the firewall a pain? – Jake Oct 01 '11 at 12:21
@Jake: in order to remotely act on a workstation or on a server, you need RPC and file sharing to be opened; and when you open them, you're not safe anymore against worms. – Massimo Oct 01 '11 at 13:18
@Massimo that's why you do need firewall policies, because then you can only allow these ports from authorised machines on your network. Whilst you are no longer 100% protected, a worm is less likely to originate from a tech's machine than from a user's laptop. – Richard Benson Oct 03 '11 at 09:08
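The "lock down by default, open only what you need, only to who needs it" approach described in this answer and its comments, as an added example that is not part of the original post. It assumes a hypothetical domain `corp.example`, an existing GPO named "Workstation Firewall Baseline" and a management subnet `10.20.30.0/24` where the helpdesk machines live; the NetSecurity cmdlets used ship with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the answer above. Assumed values are marked.
$Domain  = 'corp.example'                    # assumption: AD domain
$GpoName = 'Workstation Firewall Baseline'   # assumption: existing GPO linked to the workstation OU
$MgmtNet = '10.20.30.0/24'                   # assumption: subnet of helpdesk/admin workstations

# Open the GPO's firewall store once; rule changes are batched into this
# session and written back to the GPO with Save-NetGPO at the end.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# 1. Firewall on in every profile, inbound blocked unless a rule allows it.
#    This is the "default policy locks it down" part.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remote management (RPC endpoint mapper + dynamic RPC, SMB, WinRM) is
#    allowed only from the management subnet and only on the Domain profile.
#    An infected laptop in a user VLAN therefore cannot reach these ports,
#    while techs can still administer the machines.
$mgmtRules = @(
    @{ Name = 'Mgmt - RPC Endpoint Mapper'; Port = 'RPC-EPMap' },
    @{ Name = 'Mgmt - RPC Dynamic Ports';   Port = 'RPC'       },
    @{ Name = 'Mgmt - SMB';                 Port = '445'       },
    @{ Name = 'Mgmt - WinRM HTTP';          Port = '5985'      }
)
foreach ($r in $mgmtRules) {
    New-NetFirewallRule -GPOSession $gpo -DisplayName $r.Name `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $MgmtNet -Profile Domain -Action Allow
}

# Commit the batched changes to the GPO; clients pick them up at next gpupdate.
Save-NetGPO -GPOSession $gpo

# 3. Verification on a client after the policy has applied: list every
#    enabled inbound rule whose remote scope is still "Any". On a workstation
#    that list should be short; file/print sharing should not be on it.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -eq 'Any' } |
    Select-Object InstanceID, RemoteAddress
```

Servers that genuinely need File and Printer Sharing get a second GPO with the wider rules linked only to their OU, as the answer suggests, so the workstation baseline stays closed.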
I used to disable the firewall via GPO but no longer do so since an incident involving a compromised machine being plugged into my network. Although the firewall can be a real nuisance at times, as mentioned by Massimo, I believe it's preferable to apply appropriate rules rather than disable it completely. These days there are far too many threats coming from far too many sources and the extra layer of protection is welcome.
One solid strategy to secure a network is the idea of "defense in depth". What that means is establishing multiple layers of defenses to protect the network assets and information. At the dawn of the internet we didn't even have firewalls. Today we have a perimeter firewall, workstation firewalls, anti-malware, anti-spam, we restrict outbound ports and ensure all software is kept up-to-date.
Defense in depth allows for the failure of any one component while still maintaining protection of the environment.
That said, when you have multiple layers, if you need to make a tactical decision to remove the firewall from a troublesome box, or disable real-time malware scanning for a particular machine, you will still have the other layers to protect you.
This question doesn't have a definitive answer in that it depends on your circumstances, so it can be business specific.
In general it's bad practice to shut it off completely. The more layers of security you have in place that won't interfere with your users' productivity or your ability to manage the system, the better. And the firewall is virtually invisible to your users, so it's a good thing.
That said, we turn it off internally in our organization. The key is to have a way to mitigate the threat that comes with not having the firewall in place. We have hundreds of systems but they're running Deep Freeze; an infection on the network will be purged by shutting down all the computers at once since Deep Freeze will reset them to a pre-infection state, and if the user has a profile there is malware/virus detection on the server that can run and clean them out.
But this can fail, as an example in the answers points out. AV and anti-malware that rely on signatures are a band-aid solution; there's always an arms race and you risk not having a cure in place before the infection.
That said, you're asking this, so you must have a reason for it. And more to the point you're being specific in that you want to shut it down via group policy. So...are you asking about having the firewall in place, or the method of shutting it down? If you're asking about how to shut it down, yes, shut it down with group policy. If you're asking whether it's good to shut down the firewall, you're getting plenty of answers on that :-)
(To note, we shut it down because it was a pain in the @#% when we needed to remotely work on people's systems, and the Windows firewall was interfering with certain applications. Using Deep Freeze mitigated about 85% of the risk of fast-moving infections within our internal network, and yes, we've engaged in combat against a worm within the network before due to the lack of firewall and found that we still managed okay due to what we have in place. Keeping systems patched also helps mitigate the risk.)
I asked because I disagree with our new IT manager turning off the firewall completely for no apparent reason I can think of. The top reason I want it turned on is that he doesn't work in my office, he is from HQ in another country, so if anything goes wrong, it's my butt. – Jake Oct 01 '11 at 12:24
We had issues with it disconnecting/interfering with software we used for remote help; when you have 3 people dealing with 800+ computers, it got to be a little more than a nuisance at times. With DF in place, the risk of infection is greatly mitigated. – Bart Silverstrim Oct 01 '11 at 21:18