Windows Admins NEVER leave the firewall on!

This is a statement that my boss made yesterday. I won’t bore you with the backstory, but the statement remains. My boss asserted that “Windows Admins never leave the firewall on. The first thing you always do is turn it off.”

Now I’m not a huge fan of the Windows firewall. It has gotten better in W2k8. Arguments aside about doing what your boss wants because ultimately it’s his company, I have to ask.

Do you always turn off the Windows Firewall?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

m3zilla

Ha, if it needs reimaging, it wouldn't be done by me!! But seriously, if your users are constantly getting viruses/malware, you're doing something wrong. How are they getting infected? Chances are, they're downloading some files, streaming videos, or doing something they shouldn't be.

All our external facing firewalls are running IPS with a moderately protected profile. Our internal firewalls also run IPS, but it's toned down for just client protections. Users machine have symantec endpoint installed for further protection. Users goes through a proxy where we restrict outbound access to file sharing, p2p, etc.

Vik210

I personally think its a decent firewall. If I am not troubleshooting, I will leave it on.

blargoe

The day about 9 years ago when an outside sales person plugged in their laptop into a conference room port and shut down every Windows computer in the building within minutes, and other locations within an hour, is the day I realized every endpoint needs some kind of firewall protection. Perimeter isn't good enough. Adding Symantec Endpoint Protection isn't good enough.

You have to have a multilayered approach at every possible entry point... IDS, stateful packet inspection, etc at the perimeter, a filtered datacenter network, and every host on the network with an endpoint solution that includes a firewall that can filter based on the application, and not just port level. Access to the physical network should be protected by NAP, and ports in public areas either disabled, or isolated into a guest network separate from your regular network. Sames goes for wireless access from personal devices. Implement a good web filtering solution that can be forced on roaming users. Take away administrative rights. And you GOTTA make sure those security patches are kept up to date!

MickQ

m3zilla wrote: »

Ha, if it needs reimaging, it wouldn't be done by me!! But seriously, if your users are constantly getting viruses/malware, you're doing something wrong. How are they getting infected? Chances are, they're downloading some files, streaming videos, or doing something they shouldn't be.

Exactly, but why leave it to chance for someone to plug in that shiny USB stick they found in the car park? All it takes is one nasty virus or piece of malware, not consistent bombardment. Also, if there's a case of data loss, the fine is likely to be not so high if you can show that you took precautions where possible.
Think of the improbable, plan for the worst, hope for the best.

m3zilla

Our company policy doesn't allow removable media/storage unless you have a business reason. In order to use flash drive, or even CD/DVDs, you have to go have your manager submit an exception request with the justification. It then gets approved/rejected by the risk/security policy team.

For environments like ours, it's not practical. Again, who would be responsible for managing those firewalls? For instance, all the SQL boxes in our network are "owned" by the DBAs, whereas the web/IIS box is owned by the dev team. Would they be responsible for managing the Windows firewall for their respective servers? We probably get 20-30 firewall tickets a day. It would be a nightmare if we had to coordinate that between the different owners of the servers.

It's corny, but you're never 100% safe. It comes down to what kind of risk you are willing to accept. It's a balance between functionality and security.

joehalford01

I think in some cases, fear of the windows firewall might be Windows XP/Server 2003 based. I'm realizing as I get in deeper, that a lot of the "turn this off, don't use this feature, windows isn't good at that" type claims tend to come from those who bear the battle scars of running Windows XP and Server 2003 network environments for most of their careers. I just finished upgrading my network to all windows 7, next thing up is getting the firewall mapped out for the workstations (the defaults blocked several important resources) and getting it implemented via group policy. The firewall in Windows 7 is so much better than in XP.

SteveO86

I usually find they, turn on the firewall and walk away. Then come back 5 minutes later and scratch thier heads wondering why applications stopped working.

blargoe

I think today's "Turn off the Windows Firewall because it breaks things" mentality is the successor to the old "Disable Windows Updates, because it breaks things" mentality.

undomiel

I find that the "Disable Windows Updates, because it breaks things" mentality is holding very strong these days.

RomBUS

We have a standard to turn it off because our the A/V client we install on the computers sort of acts as a firewall.

mapletune

I had to disable firewall to get my nics working with my cisco lab =/

not at all familiar with windows firewall... like, assigning each nic to a "zone" (public, private home, etc..) kinda weird...

oh well, we'll see.

netsysllc

Since Windows 7 and Server 2008 I tend to leave the firewalls on as the built in Windows Advanced firewall is very good and tends to have less issues than third party products. Additional there are cool things you can do with the Windows firewall using powershell. For instance I have been deploying a script that checks the event log for failed RDP sessions and if there are more than x number of failed log ins over a 24hour period blocks access to that computer from the attacking IP address.