Firewall Everywhere Around My Computer Firewall Around My Computer Funny Pic

97 Replies

  • The biggest flaw here would be the devices that are not always on the network - if it's fully disabled on laptops, that's a pretty major concern whenever they're on a home network, public hotspot, etc - there'd be no protection then beyond whatever AV you have installed.

    As for on-network? I wouldn't say it's the end of the world if you've got a good defense-in-depth strategy otherwise (network level firewalls, IDS, antivirus, etc). But at the same time, if something gets loose on the network and tries to spread, having a good host-based firewall can help mitigate the spread.

    My personal opinion - if you have it, and you can make it work, you should probably use it.

    10 found this helpful

  • How big of a security flaw is this really?

    You can drive a bus/truck through it

    you are allowing every port to be scanned and any open ports to be probed

    If they are lazy about this, then they are probably lazy about a bunch of things like:

    • print/file sharing feature always installed as that makes it easy, and let's leave SMB1 installed as that saves us thinking and opens us up to ransomware
    • we will patch eventually when we get around to it
    • we don't need to patch those servers because they don't face the internet..

    We have had a number of issues with lazy engineers turning firewalls off because it was hard. Most don't work here any more and we are turning them back on as we find them. It is easy enough to use something like cports to gather data about what ports are in use, then apply to the test environment, then apply to prod

    7 found this helpful

  • Jordack

  • The thing people forget, yes it may make it "harder" for legitimate stuff, it also makes it harder for malicious. It's all a balance, if the organization is aware of the risks and accepts it then fine.

    I remember when we started enabling the Windows firewalls many years ago, vendors would tell us the software required the firewall to be turned off. We powered through it and now it's not even something we think about, half the time we forget to turn it off when troubleshooting.

    1 found this helpful

  • This is extremely bad practice. It is sad when people decide to take the lazy route of disabling the firewall on internal servers. It is completely bizarre that you would disable something that protects your server. There is absolutely no good reason for disabling the firewall permanently. Doing it temporarily for testing is fine.

    3 found this helpful

  • You should always enable AV and firewall then have GPO in place to open certain ports required by your office or corporate applications.

    2 found this helpful

  • There's a business analysis that needs to be made: risk versus cost.

    How much will it cost your business to enable the Windows firewall, configure all your computers, and maintain it through updates and configuration changes?

    How much will it reduce risk?

    If I activate the Windows firewall, then open up every port I need to function on a Windows network, is the Swiss cheese that's left really any protection?

    Of all the attacks that are likely to happen on a Windows network, how many will occur on ports that are not used for any Windows functions that the firewall could block?

    Are you going to filter access by IP? And then just allow access by every device on your network and also all those DHCP devices?

    Properly used and configured, the Windows firewall can be quite effective in narrow cases of stopping problems on ports you're not using. But given the choice between spending resources on that or fixing other security problems, I'd spend my time elsewhere.

    22 of 26 found this helpful

  • Luke Anderson wrote:

    Hi Everyone,

    I would like to get a wider opinion on something my workplace is doing.

    A while ago the decision was made that via GP, all computers (incl. servers) are to have the Windows Firewall disabled. I queried this, and the response was because it is annoying - instead of fixing it.

    We don't even use that many complex applications so I suspect not much time would be needed to implement the correct firewall rules.

    How big of a security flaw is this really?

    2 found this helpful

  • For endpoints, just because they may be outside the corporate perimeter, I'd have a hard time justifying leaving the Domain firewall off, let alone the Public network side. There ought not be any services exposed, the WMI and various other exceptions for management are well understood and documented. I have a goodly number of users either mostly offsite or frequently, and I'm too lazy to segregate those machines from the "safe in the shepherd's arms" boxes. Easier to have a uniform firewall profile.

    For servers? Forget it, if the listening services have a flaw, there is no utility in a firewall. I enabled the firewall on my two fileservers by a specific policy because a tool I use for ransomware mitigation (layer 23.4 in the Security Onion) but that is only so the tool can react by firewalling off the offending workstation. I'm with Robert on this one, once you've pedantically opened the necessary service ports, what's really being protected?

    As another example, the blanket policy of "all servers must have anti-virus installed and active" - that's nonsense. If there is no end-user accessible filesystem, how could file-based AV possibly be useful? If it is needed, what the HECK are server admins doing on/from servers that it is warranted? Fix the underlying problem of stupid server admins, and the only AV is on fileservers and Remote Desktop servers. WOW is there a lot of stupid in blanket policies!

    Why would your Exchange server(s) need file system AV on them? Yeah, like I said......that SQL Server ain't gonna run faster with Norton on it!

    Endpoints? Lock them down, including the perfectly adequate Windows Firewall. Servers? Not so much......

    3 of 4 found this helpful

  • I don't and am managing about 100 VMs

    I have a few FW rules in place like RDP from management network, ping from management and just leave the others as they are


  • Well once you've got one box compromised then the attacker can much more easily get to the others if you disable local firewalls - called east-west vulnerability


  • Windows firewall is a joke, when you, or end-users, or any other malicious software, can make rules to go right through the wall, even via command-line...

    https://support.microsoft.com/en-us/help/947709/how-to-use-the-netsh-advfirewall...

    ...you really have to ask yourself how good is it?

    It's "security by obscurity" or "better than nothing" if you rely on Windows firewall for anything.

    A REAL firewall should be a separate security device that is not so easily influenced/reduced to rubble by the OS it runs on (in this case Windows)

    Your post sorta reads like you're trying to "prove yourself" with "pointing out" to your company how this is dumb, but I would put away your pitchfork on this one and look elsewhere.

    4 of 13 found this helpful

  • Disabling the firewall is a very bad idea - what if an attack on the network was to come from the inside? That's the most vulnerable place for an attack and would be made easier by disabling the firewall. The more lines of defence you have the better, management will be the first to complain when they can't access their document because the network has been hacked.

    1 found this helpful

  • hutchingsp

  • We disabled the Windows firewall but enabled our firewall that comes with the AV solution. This one is much easier to manage.

    I would not run any endpoint without firewall enabled.

    For servers I also run them with a firewall enabled, but for some it is indeed a bit like a Swiss cheese.....


  • Keep it enabled... add exceptions for your enterprise requirements - GPO is useful here...

    It isn't the world's best firewall, but it's something and it's needed for some (albeit obscure) bits of Windows to work properly.


  • Well, the reason "because it's annoying" has to be the worst business decision reasoning I have yet heard.

    Personally I would not disable it.  It is very easy to allow programs that need to be allowed through as and when they appear.


  • LegoMan wrote:

    Windows firewall is a joke, when you, or end-users, or any other malicious software, can make rules to go right through the wall, even via command-line...

    https://support.microsoft.com/en-us/help/947709/how-to-use-the-netsh-advfirewall...

    ...you really have to ask yourself how good is it?

    It's "security by obscurity" or "better than nothing" if you rely on Windows firewall for anything.

    A REAL firewall should be a separate security device that is not so easily influenced/reduced to rubble by the OS it runs on (in this case Windows)

    Your post sorta reads like you're trying to "prove yourself" with "pointing out" to your company how this is dumb, but I would put away your pitchfork on this one and look elsewhere.

    Those commands require administrative privileges. Once a hacker has those keys, you're stuffed no matter what

    2 found this helpful
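Since the netsh advfirewall changes discussed above need admin rights, the defender's counter is to record and review them rather than to hope nobody runs them. The PowerShell below is an added example, not any poster's code: it reads the Windows Firewall's own operational event channel for rule and profile changes in the last N hours. The channel name and event IDs 2003 to 2006 are Windows' own; the EventData field names (RuleName, Direction, Action, ModifyingUser, ModifyingApplication) are assumptions read from the event XML and should be confirmed against one real event on your build.

```powershell
# Added example (not from the thread): review recent rule and profile changes in the
# Windows Firewall's own operational log. Assumes the default channel
# "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", which Windows
# writes locally; event IDs 2003 (profile setting changed), 2004 (rule added),
# 2005 (rule modified) and 2006 (rule deleted). The EventData field names used below
# are assumptions taken from the event XML; confirm them against one real event.

param([int]$Hours = 24)

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2003, 2004, 2005, 2006
    StartTime = (Get-Date).AddHours(-$Hours)
}

$changes = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the <Data Name="..."> elements into a hashtable keyed by field name.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }

    $kind = switch ($_.Id) {
        2003 { 'ProfileSetting' }
        2004 { 'RuleAdded' }
        2005 { 'RuleModified' }
        2006 { 'RuleDeleted' }
    }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Change      = $kind
        RuleName    = $d['RuleName']
        Direction   = $d['Direction']           # numeric code as encoded in the event
        Action      = $d['Action']              # numeric code as encoded in the event
        ModifiedBy  = $d['ModifyingUser']
        Application = $d['ModifyingApplication']
    }
}

$changes | Sort-Object Time -Descending | Format-Table -AutoSize

# Rules pushed by Group Policy are not applied by an interactive user; an ad-hoc
# netsh.exe or New-NetFirewallRule change typically shows the logged-on account and
# the tool's path in the two right-hand columns, which is what you want to review.
"$(@($changes).Count) firewall change event(s) in the last $Hours hour(s)"
```

The channel is local, so an administrator who has already taken over the box can clear it; the value comes from forwarding it (Windows Event Forwarding or your SIEM agent) before that happens. If you prefer the Security log, the equivalent records are 4946 (rule added), 4947 (modified), 4948 (deleted) and 4950 (setting changed), which only appear once the "Audit MPSSVC Rule-Level Policy Change" subcategory is enabled.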

  • Turning off the firewall can actually break things like printer sharing.

    Just leave it on and configure it properly via GPO and forget about it.

    0 of 2 found this helpful

  • Assuming there isn't some other form of endpoint protection in place, then Bad Idea.

    We have an endpoint protection solution that includes a firewall (and AV and some other stuff) which turns off the Windows firewall during installation.

    But if there is nothing to take its place, configure it properly and forget about it.


  • If you don't use Windows Firewall, use another firewall on your workstations and servers. You do need something so pick one you can work with and that will work with your users.


  • I've seen it both ways.  My opinion is that it's a waste of time leaving the firewall on for workstations and servers that are connected to your internal network.  Too often have I seen complete misdiagnoses of issues by the Helpdesk because they forgot the firewall was on.  Too much time is wasted arguing with software vendors that don't understand their own product well enough.

    In this place all of our workstations and servers have the firewall turned off when connected to a domain.  For everything else the firewall is on.  Of course they are never connected to anything else.

    Really it's nothing more than personal opinion/preference.  I agree that the Windows firewall is crap AND the argument that "some protection is better than none" really is pretty lame.  Complete protection or no protection.  Those are the real options.  Some = none if you are talking protection.

    That's why I don't waste my time.

    3 of 7 found this helpful

  • Over time endpoint firewall has become a needed part of protection. I agree with others that it may be better to use one that is integrated with your AV suite. In the case of workstations, a single central configuration is fine. In the case of servers, it is custom for each type of server - and that has been an argument for leaving it off.

    Myself I am moving towards implementing firewall everywhere. One reason is that perimeter firewalls are full of holes now, with VPN, non-inspectable SSL VPN, Cloud apps, and scary technology like Teredo to get around all our perimeter protections.

    I don't agree with any statement that a hardware box is better than running software on a host. It's easier to deal with conceptually, but it is still a software stack.

    The days of perimeter firewalls are numbered because when we all go to IPv6 there will in theory be no need for NAT. So we better get used to software firewalls...

    And yes, IPv6 is already here. If you care about your Google ranking make sure it is enabled on your web host.


  • I can say this isn't just with companies and their own systems. I have dealt with a specific dental software company for numerous clients, and they require Windows firewall and any other firewall on the system to be disabled completely. They won't even tell you the necessary ports if you ask them. It's just a "disable it all" policy, and without the firewall disabled they won't provide you any further support for their product. Of course they have no issue with a firewall covering the whole network though.


  • It really isn't hard to have a basic level of protection from the Windows Firewall if you use Group Policy so I think it should be on for all workstations and servers.

    • Allow the usually needed ports to be open to any computer in the Server / Admin computer range but blocked for everyone else.
    • Block all ports on end user devices if not connected to the "Work" firewall profile
    • Remove admin rights so users cannot change the settings

    Those simple things will barely ever need any management but will keep end user devices from being able to attack each other and will protect laptops that connect to public WiFi.

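The three points above translate almost one-to-one into firewall profile and rule settings. The PowerShell below is an added example, not the poster's own, showing the host-side equivalent with the NetSecurity module; in a domain the same settings go into the GPO under Windows Defender Firewall with Advanced Security. The management range (10.10.0.0/24), the rule names and the exposed ports (RDP 3389, WinRM 5985) are constructed placeholders. The third point, removing admin rights, is an account setting rather than a firewall one and is not shown.

```powershell
# Added example (not from the thread): host-side equivalent of the three-point policy above.
# Assumed values: management/server hosts live in 10.10.0.0/24 and member servers expose
# RDP (3389) and WinRM (5985) to that range only. Adjust both before use.

$mgmtRange = '10.10.0.0/24'     # assumed admin / server range
$grp       = 'Corp Baseline'    # rule group, so the managed set is easy to list and audit

# 1. All three profiles on, inbound default Block, outbound Allow, dropped packets logged
#    (the log is what you read when an app "needs the firewall off").
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# 2. On the Domain profile only, allow the usually needed ports from the management range
#    and nowhere else. Recreate the rules so repeated runs stay idempotent.
$rules = @(
    @{ Name = 'Corp-RDP-from-mgmt';   Port = 3389 }
    @{ Name = 'Corp-WinRM-from-mgmt'; Port = 5985 }
)
foreach ($r in $rules) {
    Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -Name $r.Name -DisplayName $r.Name -Group $grp `
        -Direction Inbound -Protocol TCP -LocalPort $r.Port `
        -RemoteAddress $mgmtRange -Profile Domain -Action Allow | Out-Null
}

# 3. Off the domain (Private/Public) nothing inbound at all: ignore every inbound allow
#    rule, including the built-in discovery/share ones, and do not merge locally created
#    rules into the effective policy (the merge setting only bites when pushed by GPO).
Set-NetFirewallProfile -Profile Private, Public `
    -AllowInboundRules False -AllowLocalFirewallRules False

# Verify what was applied: each baseline rule with its port, source scope and profile.
Get-NetFirewallRule -Group $grp | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Profile = $_.Profile
        Port    = $pf.LocalPort
        From    = $af.RemoteAddress
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize
```

With this in place a workstation on public WiFi accepts nothing inbound, and on the domain it accepts only the listed ports from the management subnet, so two end-user devices cannot reach each other's services even when both are inside the perimeter.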

  • I think the biggest thing you should worry about is their response "because it is annoying." This tells me that they have little to no concern for security because of little "annoyances." I wouldn't be surprised if they start complaining that passwords are annoying and should be removed too. The firewall, as many have stated, is a dangerous thing to turn off if there is no alternative. The biggest threat is not the gaping hole in the wall, but the manager with a sledge hammer that said the wall is in the way. Explain to them that it's either the "free Windows firewall" or a costly yearly subscription to a third-party firewall and AV that will cost them more. You can also tell them about the "big annoyance" of having to fix a breach that could have been prevented.


  • We disable ours since our AV solution manages its own firewall. Also, so our users can scan to their local machine from our Canon printers.

    1 found this helpful

  • Robert5205 raises a good point.  Turning on the firewall will require exceptions being made for the necessary server services running.  So, access to the ports used by those services will still be available.   If there is no service listening on a specific port, blocking access to that port may not accomplish anything.  So what's the net change?

    Just out of curiosity, I did a little test.  I ran nmap against a test server with the Windows firewall on and then ran the same test against the same server with the firewall off.  Net difference was 3 additional MSRPC ports open with the firewall off.

    That said, I still feel better that I have firewalls activated.  Unless you have an incredible number of servers and/or services running, it will not take much time.  You can also make sure that access to the ports is limited to the subnet only. (This raises a whole different issue because unless your external firewall is grossly misconfigured, attacks are likely to originate from the subnet to start with.)

    I think of equal or greater value is making sure that no unnecessary services are running.  Whether the firewall is on or off, unnecessary services expose computers to unnecessary risk.  This is a situation where running something like nmap against your own network can be very valuable.  (I hope it goes without saying, only run nmap against your own network if you're authorized to do so, otherwise you may be posting a sad story in the career section at Spiceworks.)

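The nmap comparison above can be done from the inside without scanning anything, and the same script also covers the earlier suggestion to inventory ports in use (with cports or similar) before writing rules. The PowerShell below is an added example and not any poster's code: for every TCP listener on the host it finds the enabled inbound Allow rules whose port filter covers it, so you see which listeners the firewall is actually shielding and which are exposed with the firewall on or off. It assumes the NetSecurity and NetTCPIP modules of a current Windows build and should be run elevated.

```powershell
# Added example (not from the thread): the inside-out version of the firewall-on/off
# nmap comparison. Listeners with no covering inbound Allow rule are what the firewall
# is shielding; listeners with one are reachable either way. Run elevated.

# Port-centric view of the enabled inbound allow rules (takes a moment with hundreds of rules).
$allowRules = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $pf = $r | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name     = $r.DisplayName
        Profile  = $r.Profile
        Protocol = $pf.Protocol        # 'TCP', 'UDP', 'Any' or a protocol number
        Ports    = @($pf.LocalPort)    # 'Any', numbers, 'a-b' ranges or keywords such as 'RPC'
    }
}

function Test-RuleCoversTcpPort {
    param([int]$Port, $Rule)
    if ($Rule.Protocol -notin @('TCP', 'Any')) { return $false }
    foreach ($p in $Rule.Ports) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        if ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
        # Keywords like 'RPC' / 'RPC-EPMap' resolve to whatever the RPC runtime registers at
        # run time; they are deliberately not expanded here (see the note below the block).
    }
    return $false
}

$report = Get-NetTCPConnection -State Listen | Sort-Object LocalPort -Unique | ForEach-Object {
    $port = $_.LocalPort
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $hits = @($allowRules | Where-Object { Test-RuleCoversTcpPort -Port $port -Rule $_ })
    [pscustomobject]@{
        Port     = $port
        Process  = if ($proc) { $proc.ProcessName } else { "pid $($_.OwningProcess)" }
        Exposure = if ($hits) { 'ALLOWED' } else { 'blocked by default' }
        Rules    = ($hits.Name | Select-Object -Unique) -join '; '
    }
}

$report | Format-Table -AutoSize
"Listeners: $($report.Count); reachable through a rule: $(@($report | Where-Object Exposure -eq 'ALLOWED').Count)"
```

The "3 additional MSRPC ports" the poster saw are the typical result: dynamic RPC endpoints listen on high ports but only the rules that name the 'RPC' keyword let traffic through, so this script lists them as "blocked by default" while nmap with the firewall off sees them open. Rows marked ALLOWED with a process you did not expect are the same finding the post makes about unnecessary services: either the service goes, or its rule gets a RemoteAddress scope.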

  • Our VOIP system documents the necessary ports, but the documentation is incomplete and it doesn't work properly.
    In a situation like that we have to packet trace the network traffic to figure out the correct port...

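When the vendor's port list is incomplete, the firewall's own drop log answers the question faster than a packet capture and without turning the firewall off. The PowerShell below is an added example, not the poster's code: it parses pfirewall.log (written when LogBlocked is on for the profile) and groups inbound drops from the application's host by protocol and destination port. The log lines are constructed for the example; the field order is the W3C header the real log carries, and the VoIP server address 10.20.5.41 is a placeholder.

```powershell
# Added example (not from the thread): find the ports an app actually needs from the
# Windows Firewall drop log. Assumes drop logging is on for the profile
# (Set-NetFirewallProfile -LogBlocked True) and the default log path. The sample
# below is constructed; real logs carry the same "#Fields:" header line.

$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-06-17 09:12:01 DROP TCP 10.20.5.41 10.20.1.10 51234 5060 52 S 123456 0 8192 - - - RECEIVE
2024-06-17 09:12:02 DROP UDP 10.20.5.41 10.20.1.10 16384 16402 200 - - - - - - - RECEIVE
2024-06-17 09:12:02 DROP UDP 10.20.5.41 10.20.1.10 16385 16403 200 - - - - - - - RECEIVE
2024-06-17 09:12:05 DROP TCP 203.0.113.9 10.20.1.10 40001 445 52 S 987654 0 8192 - - - RECEIVE
2024-06-17 09:12:07 DROP TCP 10.20.5.41 10.20.1.10 51235 5060 52 S 123457 0 8192 - - - RECEIVE
'@ -split "`n"

function ConvertFrom-FirewallLog([string[]]$Lines) {
    # Use the log's own "#Fields:" header to name the columns, then emit one object per row.
    $fields = $null
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if (-not $line -or $line.StartsWith('#') -or -not $fields) { continue }
        $vals = $line -split '\s+'
        $o = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) { $o[$fields[$i]] = $vals[$i] }
        [pscustomobject]$o
    }
}

function Get-DroppedInbound([string[]]$Lines, [string]$FromHost) {
    # Only inbound drops from the host we are troubleshooting, counted per protocol/port.
    ConvertFrom-FirewallLog $Lines |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' -and $_.'src-ip' -eq $FromHost } |
        Group-Object protocol, 'dst-port' |
        ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                DstPort  = [int]$_.Group[0].'dst-port'
                Drops    = $_.Count
            }
        } | Sort-Object Drops -Descending
}

# On the sample: TCP 5060 (2 drops), UDP 16402 and 16403 (1 each). The SMB probe from
# 203.0.113.9 is excluded by the source filter, so it is not mistaken for "a port the app needs".
Get-DroppedInbound -Lines $sample -FromHost '10.20.5.41' | Format-Table -AutoSize

# Same against the live log (needs elevation):
# Get-DroppedInbound -Lines (Get-Content $logPath) -FromHost '10.20.5.41'
```

Filtering on the source host is the point of the exercise: the output is the exact rule to write (TCP 5060 plus the UDP media range, from that server only), and unrelated drops in the same log, like the SMB probe in the sample, stay blocked instead of being swept into a blanket exception.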

  • That's a terrible idea.  How "annoying" could it possibly be?  If one of your applications requires ports that are closed by default, open them up or add an exception = problem solved.  As someone else said, a company that makes poor decisions like this is probably making a lot of other poor decisions across the board.  Cue up people saying "start polishing up your resume" responses.  ;-)


  • The way I see it is, if you're willing to invest the time to set up and manage Windows Firewall correctly, it can be very powerful.

    However, if you already have a network firewall and just turn it on to tick some boxes, it's not going to make a huge difference barring a few isolated risks that Windows Firewall blocks by default. It's fairly permissive by default in the domain/work/home profiles. I would leave it enabled on laptops though. Connecting to public wifi is when Windows Firewall is important regardless.


  • You can set it via GPO so that it is disabled only when it is connected to the domain so that it still works on laptops when they connect to other networks.


  • If you have a different firewall/AV solution in place, then there is nothing wrong with disabling Windows firewall.  Having none on with just a NAT router as perimeter defense would be a terrible idea.

    Windows Defender/Firewall after the Creators Updates is far better than it once was, but I'm personally still not entirely ready to give up my 3rd party firewall/AV.

    You mentioned that the reason was "because it's annoying". If the firewall solution is annoying it would be because either people are making a lot of configuration changes that use unusual ports or the firewall isn't configured to allow the common ones through that your users rely on to do their jobs. The other possibility is the anti-FW faction only thinks it's the firewall, when in fact it may be something else holding them up like permissions.


  • Disabled internally as we have multiple physical firewalls and our AV has firewall built in. The second one of our PCs connects to an external network, it gets enabled.


  • Only if either another firewall solution or a proper network segmentation strategy replaces it.


  • I have seen applications just not work right until this was disabled in a domain environment so it is possible that it is needed.


  • Are you running any OS above Windows 7?  If yes, then Windows Firewall should *absolutely* be turned on.  It's pretty seriously integrated into the OS, and disabling it causes far more networking problems than whatever hassle is saved by not needing to manage it.  God knows how many times Windows Firewall has been the root cause of some stupid desktop issue because it was "disabled" but still blocking something.

    The only time it should ever be completely off is if another third party firewall is enabled.


  • The only time that I have heard/practiced this is when you have a lot of apps on a single server that is not public facing. Everything else should have the firewall active. It does not stop everything but at least it is something.


  • Please don't let firewalls on clients be your one stop shop for security. Vulnerabilities pop up every day and more is needed than just a firewall. Protect yourself with AV and SRPs. We've also restructured our network to segregate our servers from our clients (separate vlans), and use our main firewall to filter traffic to and from.


  • Unless you are replacing it with a different firewall such as one provided with a piece of security software this is a very bad idea.

    Great idea if you are malware and want to have easy access to the network


  • It really isn't that difficult to find the necessary requirements for a program or service to create the rules needed to allow a program through to work correctly and set it up. It may take a little time to find what needs to be opened up; but the time spent to correctly make it work with the firewall running is worth it in my book.

    Turning it off because "it is annoying" is BS - getting hacked because you voluntarily turned off one of your protections.....THAT's annoying.


  • Michael3190 wrote:

    Are you running any OS above Windows 7?  If yes, then Windows Firewall should *absolutely* be turned on.  It's pretty seriously integrated into the OS, and disabling it causes far more networking problems than whatever hassle is saved by not needing to manage it.  God knows how many times Windows Firewall has been the root cause of some stupid desktop issue because it was "disabled" but still blocking something.

    This has never been my experience, having managed many hundreds of such computers over the years. I think you're seeing some other problem; disabled = disabled from what I've seen.


  • Well first of all whoever made this decision should be dipped in tar then fired..... In all seriousness this is a horrible practice to get into. If you have a problem with an application going through a local firewall, the answer is not to turn it off. The answer is get a qualified network guy (raises hand) and have them figure out what port, service etc is being blocked and set a custom rule to allow that process. In any environment "default to denial" or block all and open holes as needed should always be the preferred practice.


  • hutchingsp wrote:

    This is worth a watch https://channel9.msdn.com/Events/Ignite/New-Zealand-2016/M377

    Thank you for the link, Jessica Payne is a great instructor.  I've been listening to her in the background all day!


  • You don't say if your AV/endpoint protection includes a FW?  If it does then of course turning off Windows FW is less of a big deal.

    We have endpoint protection that includes a FW but still leave Windows FW on too.  There are very few applications we use now that are hampered by generic FW rules so setup is easy.

    In the world of having layers of security I would say that having as much protection as you can is the way to go even if it does need a little bit of configuring to make everything work.

    Our LAN machines are behind two FWs and have two FWs running on them.  We see no hassle and have no performance issues so why not?

    Our off LAN machines have their same two FWs as the other machines.


  • In my experience it causes more problems than it solves!

    Can't RDP into a server, why can't I connect to SQL... etc etc.


  • Ever see pictures of medieval castles?

    https://myliteraryquest.files.wordpress.com/2010/10/medieval-castle-diagram.jpg

    They often had an outer wall and an inner wall to defend against the bad guys. But if the bad guys breach the outer wall, all is not lost and you can often keep fighting and stay alive.

    Your network is like this.

    You should have multiple layers of protection, and totally rely on that outer layer. Sure, you might have the best firewall ever, but Mr Joe User brings his laptop in after working in a coffee shop and his machine is now the infection point, and in a few minutes every system in your network is now infected.

    Don't do it.


  • Quango2009 wrote:

    Ever see pictures of medieval castles?

    ...

    https://www.youtube.com/watch?v=Kl1NxmB93mQ

    From 2002, and still worth listening to.

    1 found this helpful

  • Disabling it is fine, but an alternative solution is required.

    NSX from vmware with guest introspection for example.


floresivii1959.blogspot.com

Source: https://community.spiceworks.com/topic/2098561-should-you-be-disabling-the-windows-firewall-in-an-enterprise-network
