
I know from direct personal experience that disabling the Windows Firewall service on post-XP systems can lead to all sorts of networking problems, and that the proper way of disabling it is by configuring it to not block any traffic, yet leaving the actual service running. This is because from Vista onwards the Windows Firewall service is a critical component of the Windows networking stack, and stopping it will wreak havoc in completely random ways.

However, I keep stumbling upon people who think that just stopping and disabling the service is a fine solution, and that taking your time to properly disable it is simply too much unneeded work. Then, when all sorts of network pains ensue, they just won't acknowledge the real reason, and will try anything else before grudgingly accepting that, yes, maybe that service should be really left running.

Apart from hitting those people with heavy (and/or sharp) objects, the real solution here would be an official document stating "don't disable this service or you are just asking for troubles". And yet, the only post on this topic I was able to find simply says that "stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft", which just doesn't look threatening enough to stop them from doing idiotic things.

Is there anything better I can refer to in order to back up my claim that the Windows Firewall service should indeed NOT be stopped?


A bit of clarification: I was actually not referring to users, but to admins with too much attitude and too little real knowledge, who think the above-described configuration is Just Right, implemented it via GPOs on their whole network, and are simply not listening when I tell them that those random network problems they are experiencing have a very high chance of being caused by it.

I'm currently tasked with fixing those problems (and implementing some new services which are not working as expected because of this issue), and I need a way to persuade them to just leave that f***ing service alone; sadly, personal experience seems to not be official enough.

Massimo
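The distinction the question draws (turn off filtering, keep the service running) in PowerShell form. This is an added example, not code from the question or any answer; it assumes Windows 8 / Server 2012 or later with the NetSecurity module (`Set-NetFirewallProfile`, `Get-NetFirewallProfile`) available and an elevated shell. The `netsh` line is the equivalent for Vista / 2008 / 2008 R2, where those cmdlets do not exist.

```powershell
# Added example: the wrong and the right way to "disable" Windows Firewall.
# Assumes an elevated session on Windows 8 / Server 2012 or later.

# WRONG (what the thread warns against): stopping MpsSvc and keeping it from
# starting. From Vista on the service is part of the networking stack, so this
# is the configuration that breaks RDP, IPsec and other things at random.
#   Stop-Service -Name MpsSvc
#   Set-Service  -Name MpsSvc -StartupType Disabled

# RIGHT: leave MpsSvc running and turn off filtering on every profile instead.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False

# Same thing on Vista / Server 2008 / 2008 R2 (no NetSecurity cmdlets there):
#   netsh advfirewall set allprofiles state off

# Repair for a machine that was already "fixed" the wrong way:
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'"
if ($svc.StartMode -eq 'Disabled') {
    Set-Service -Name MpsSvc -StartupType Automatic
}
if ($svc.State -ne 'Running') {
    Start-Service -Name MpsSvc
}

# Verification: the service must be Running and start automatically, while
# every profile reports Enabled = False. Anything else is the broken state.
Get-CimInstance -ClassName Win32_Service -Filter "Name='MpsSvc'" |
    Select-Object Name, State, StartMode
Get-NetFirewallProfile | Select-Object Name, Enabled
```

`Win32_Service` is used for the start mode rather than `Get-Service` because the `StartType` property of `Get-Service` only appears in PowerShell 5 and later.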

1 Answer


You already know what the best practice is; the MS-supported thing to do. You've already seen how disabling the service can lead to unpredictable behavior and that it breaks other functionality that's tangentially tied to the service. If you, as an administrator, don't have the power to stop the idiots from doing idiotic things, then escalate this to the administrator who does and have him or her put in a GPO. Have the policy makers at your company make it policy that this service is not to be disabled. Then they're not just being idiots, they're violating company policy.

https://superuser.com/questions/137930/when-the-windows-firewall-service-is-disabled-i-cannot-remote-desktop-rdp-to-t

http://weestro.blogspot.com/2009/06/server-2008-and-windows-firewall.html

Ryan Ries
  • Disabling the firewall breaks IPSec, for one thing. – mfinni Jul 03 '13 at 15:13
  • Expanded for clarity. I'm having troubles persuading *other admins* of this, not users. – Massimo Jul 03 '13 at 17:19
  • You write "the real solution here would be an official document stating "don't disable this service or you are just asking for troubles"", then in the very next sentence, you link to an official MS document saying "don't disable this service or you are just asking for troubles!" On top of that, I included two links as examples of guys who broke RDP because they disabled the service. On top of that, I told you that if your admins make bad choices, that is an HR problem and should be addressed through company policies. Not sure what else to give you. – Ryan Ries Jul 03 '13 at 17:33
  • MS says "don't disable this service or we aren't going to support you if you run into troubles". I was hoping for something (on Technet, MS Support...) stating more clearly "if you stop this service you are DEFINITELY going to run into troubles because this, this and this will not work anymore". – Massimo Jul 03 '13 at 19:00
  • I *know* many people reported networking issues after stopping it (including myself), but personal experience just isn't going to cut it with some people; only a statement from the vendor is actually going to be listened to. – Massimo Jul 03 '13 at 19:00
  • "Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft." That is a statement from the vendor. – Ryan Ries Jul 03 '13 at 19:04
  • Why not play it from a different perspective? That disabling the built-in firewall will leave the server exposed to network attacks, and that alone could lead to a disaster if a virus or the like gets into your network; by disabling the firewall you're actually opening the door for more problems to come in. Just wondering. – Noor Khaldi Jul 03 '13 at 20:00
  • @Noor That is already a foregone conclusion. We already assume that he is willing to take that extra risk. – Ryan Ries Jul 03 '13 at 20:08
  • Yes, disabling the firewall is a given requirement. I'm just trying to get it disabled in the proper way, i.e. in a way that doesn't totally screw up networking on every machine. – Massimo Jul 03 '13 at 21:14
  • "I was hoping for something stating more clearly "if you stop this service you are DEFINITELY going to run into troubles"" Going outside the support boundaries of your vendors is "troubles." – Ryan Ries Jul 04 '13 at 03:03
  • @Massimo That Technet article is abundantly clear. If your coworkers don't understand it, then perhaps they aren't competent to hold their current positions. – Michael Hampton Jul 04 '13 at 03:30
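When the broken configuration has been pushed by GPO, as the question describes, the argument is easier to make with data than with personal experience. The following is an added example (not from the question, the answer or any comment) that audits a list of machines for a stopped or disabled `MpsSvc` and writes the offenders to a CSV. It assumes CIM/WinRM remoting is reachable on the targets and that the account running it is a local administrator there; the computer names are a constructed placeholder list.

```powershell
# Added example: fleet audit for the "MpsSvc stopped or disabled" misconfiguration.
# $computers is a constructed placeholder; replace it with an AD query or a file.
$computers = @('SERVER01', 'SERVER02', 'WS0042')

$report = foreach ($c in $computers) {
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $c `
                               -Filter "Name='MpsSvc'" -ErrorAction Stop
        [pscustomobject]@{
            Computer  = $c
            State     = $svc.State       # Running / Stopped
            StartMode = $svc.StartMode   # Auto / Manual / Disabled
            # Broken = the unsupported state the thread is about: service not
            # running, or configured so that it will not come back at boot.
            Broken    = ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled')
        }
    } catch {
        # Unreachable hosts are reported, not silently skipped, so the list
        # of machines actually checked is visible in the output.
        [pscustomobject]@{
            Computer  = $c
            State     = 'unreachable'
            StartMode = $null
            Broken    = $null
        }
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.Broken -eq $true } |
    Export-Csv -Path .\mpssvc-broken.csv -NoTypeInformation
```

Correlating the `Broken` column with the machines that show the "random" network problems is usually what gets the point across; the repair for each hit is to set the service back to Automatic, start it, and turn off filtering through the firewall profiles instead.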