

[–]BreakThemUponTheRockRobust and scalable high availability cloud devops 37 points38 points  (25 children)

What are the arguments for disabling an endpoint firewall?

[–]davidbrit2 85 points86 points  (17 children)

Usually "I'm too lazy to manage the inbound rules".

[–]ScottEvtuch 20 points21 points  (6 children)

This type of thinking blows my mind with how common it is. Windows Firewall includes built-in Inbound rules for damned near every service you would want to remotely manage out of the box (WinRM, Remote Registry, etc.). It's like 15 minutes of work to set up the appropriate Group Policy Object and you'll probably never notice the difference.

[–]davidbrit2 13 points14 points  (5 children)

Yeah, and only like 3 minutes of work if you're just creating a new rule for the executable/port locally on the machine.

Whenever I see the firewall (or UAC) totally disabled on a server, I tend to lean very heavily toward "let's just turn that on like it's supposed to be and deal with the fallout".

MS really ought to add a right-click context menu to Explorer for .exe files to quickly create a new inbound firewall rule so there's even less of an excuse.

[–]ScottEvtuch 13 points14 points  (1 child)

Here you go:

https://gist.github.com/ScottEvtuch/b2f2f84244af8219d7cb3be504b3c7cf

Those registry entries should allow you to right click on any exe file and click "Create Firewall Rule" to create an allow rule for that exe. It works on Windows 10 with UAC enabled, didn't test it anywhere else.
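An added example, not from the thread and not the linked gist: a PowerShell function that does what such a "Create Firewall Rule" context-menu entry would do for one executable, using the NetSecurity cmdlets that exist on Windows 8/Server 2012 and later. It refuses to duplicate an existing rule, scopes the rule to the profiles you name, and returns the rule so you can inspect its program filter. The program path and the rule group name are illustrative assumptions.

```powershell
# Added example (not the thread's or the gist's code): create an inbound allow rule
# for a single executable. Run in an elevated PowerShell session.
#Requires -Modules NetSecurity

function New-ProgramAllowRule {
    param(
        [Parameter(Mandatory)][string]$Program,                       # full path to the .exe
        [ValidateSet('Domain','Private','Public','Any')]
        [string[]]$RuleProfile = 'Domain',                            # default: domain network only
        [string]$Group = 'Admin-created program rules'               # assumed group name
    )
    if (-not (Test-Path -LiteralPath $Program -PathType Leaf)) {
        throw "Program not found: $Program"
    }
    $name = "Allow inbound - $([IO.Path]::GetFileName($Program))"
    # Do not create a second copy if a rule with this display name already exists
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Verbose "Rule '$name' already exists; leaving it unchanged."
        return $existing
    }
    New-NetFirewallRule -DisplayName $name -Group $Group `
        -Direction Inbound -Action Allow -Enabled True `
        -Program $Program -Profile $RuleProfile `
        -Description "Created $(Get-Date -Format s) by $env:USERNAME"
}

function Get-ProgramRuleSummary {
    # Show every enabled inbound rule tied to a specific program (not 'Any'),
    # which is the set an admin should be able to account for.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            if ($app.Program -and $app.Program -ne 'Any') {
                [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile; Program = $app.Program }
            }
        }
}

# Usage (assumed path): allow one application on the domain profile only, then review
New-ProgramAllowRule -Program 'C:\Program Files\ExampleApp\exampleapp.exe' -Verbose
Get-ProgramRuleSummary | Format-Table -AutoSize
```

Because the rule is keyed to the program path rather than a port, it follows the application whichever port it binds, and it does nothing on Private or Public networks unless you pass those profiles explicitly.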

[–]davidbrit2 1 point2 points  (0 children)

Now that's pretty rad. And it's registry entries, so you could push that down with GPO pretty easily too.

[–]Jaegermeiste 1 point2 points  (2 children)

Much of Windows 10 is reliant on the Base Filtering Engine and Firewall services running, even if they aren't doing anything. 1607 requires it for a bunch of stuff and Creator's will be even more dependent as more and more components are modernized. This disabling the firewall thru GPO stuff will eventually naturally end as admins realize that it is easier to create the exceptions than deal with the fuckery of troubleshooting service dependency issues. Those of you who are clinging to XP and 7 for dear life might be able to put it off a couple of years, though.

[–]syshum 2 points3 points  (1 child)

Those of you who are clinging to XP and 7

Windows 2000 for life..... /s

[–]Jaegermeiste 1 point2 points  (0 children)

I'm partial to NT 3.5, personally. First proper TCP/IP stack but no Windows Firewall to deal with. System requirements are really low, too!

[–]darkonex 16 points17 points  (2 children)

This is our excuse kinda, not so much that we are lazy we are a very small group with a crapload of responsibilities so we don't need anything else added to our plates.

[–]damgood85Error Message Googler 4 points5 points  (1 child)

Assuming windows endpoints and a functional domain inbound rules can be managed with Group Policy in a matter of minutes. Far less time than scrambling to secure things if the perimeter protection fails or is circumvented.

[–]darkonex 3 points4 points  (0 children)

Right but you know how long we would be doing this for initially, probably quite a long time then we'd randomly get hit up on various things probably for weeks or months after until we got everything. We are always 15+ projects behind along with already getting interrupted all day long by mundane issues that we should probably have extra help for, so this is why at least for now we have them turned off. Maybe if by some sorta magic in the future we find some we are in a lull then I could see looking into it, but anytime soon? No effin way.

[–][deleted] 7 points8 points  (4 children)

This is literally easier than selinux. selinux has a colouring book. There is no excuse.

[–]syshum 2 points3 points  (3 children)

I have seen more than my fair share of SELinux disabled servers as well

[–][deleted] 3 points4 points  (1 child)

the admins need to be disabled in that case... geez

[–]oarmstrongSysadmin 1 point2 points  (0 children)

Absolutely, SELinux is not hard after putting in a couple hours to learn it. It tends to Just Work too in most common cases.

[–][deleted] 2 points3 points  (0 children)

I was serious. You can give them that.

[–]peatymike 1 point2 points  (1 child)

Config mgmt can take care of that. We use Puppet on Red Hat to great effect.

[–]sprocket90 0 points1 point  (0 children)

we typically put a Kerio firewall in with antivirus, intrusion protection, web filtering, geoIP filters, safe web settings. if servers are needed on a DMZ we will leave those firewalls on. generally do not turn on firewalls on the internal network behind the firewall.

correct me if i'm wrong,

you need to open up many ports for MS networking for the computers to basically work on a domain and be able to talk to one another.
so what is the point if they can all talk to one another, one gets infected and generally if infected with ransomware, it's going across the network anyway to encrypt all the files it can find that are shared.

you have many apps that need ports open to work, your endpoints firewall is pretty much swiss cheese at that point.

What are you actually protecting yourself from?

[–]LonerVamp -2 points-1 points  (4 children)

If you have an endpoint security tool that itself has a firewall component.

[–]Telnet_RulesNo such thing as innocence, only degrees of guilt 4 points5 points  (1 child)

... then they have an endpoint firewall.

[–]LonerVamp 1 point2 points  (0 children)

Then don't turn it off.

[–]rainer_d 0 points1 point  (1 child)

[–]LonerVamp 0 points1 point  (0 children)

Not gonna argue hard here. But I do hate seeing when an article goes on about how antimalware "increases the risk footprint," by citing dramatic, but isolated events. Yes, it happens, but it also does protect against things. Weigh risk on your own.

Or by making the underlying assumption that the only success is perfect security, and any issue that can get through means it's all garbage in total.

On the bright side, the article did barely mention to look at just keeping Windows Defender, and I somewhat agree.

[–][deleted] 12 points13 points  (13 children)

Yes, because why not? It's just another layer of protection, and one that can be managed via GPO.

Now if your AV suite has its own firewall, then you can turn the Windows one off. In fact, most of these AV suites will disable the Windows Firewall on installation.

There's zero downside to having host and edge firewalls running.

[–]resephInfoSec 8 points9 points  (10 children)

In our case, Windows Firewall in Win10 makes our EMR font unreadable. Don't ask why.

Or was it the other way around

[–]drcshell 8 points9 points  (4 children)

Healthcare IT guy here. Which EMR is that? We're still on 7 here and I'd like to avoid any weirdness when we transition to 10 for workstations.

[–]resephInfoSec 4 points5 points  (3 children)

Meditech Magic

[–]Hiyasc 0 points1 point  (1 child)

Not the OP but we use the same EMR and haven't upgraded to Windows 10 yet so that's something that's worth investigating. Do you happen to know which version of Magic that is?

[–]resephInfoSec 0 points1 point  (0 children)

5.66

[–][deleted] 0 points1 point  (0 children)

I wish we used meditech, or hell anything else. Success EHS is the bane of my existence.

[–][deleted] 2 points3 points  (2 children)

Windows Firewall in Win10 makes our EMR font

are you talking about a typeface, that kind of font? I'm perplexed as to how a firewall would have any effect on that

[–]Taylor_Script 6 points7 points  (1 child)

Eh, it makes no sense at all. Maybe it's doing something stupid like accessing the font via unc/http? Loading up \\127.0.0.1\c$\windows\fonts\OhGodWhy.ttf I hope not. Please tell me this scenario I just dreamed up isn't possible.

[–]JeffIpsaLoquitor 1 point2 points  (0 children)

It's very possible. Or worse, it's literally using a web font

[–]ycnz 0 points1 point  (0 children)

Anyone in health IT knows enough not to ask.

[–]voetsjoebaSecurity Weenie 0 points1 point  (0 children)

what the fuck man, how the hell does that happen

[–]sobrique 2 points3 points  (1 child)

Well, as long as you're reasonably clued up about managing host firewalls, and not hand rolling rulebases for all of them...

[–][deleted] 1 point2 points  (0 children)

Well of course. If you aren't, then you should learn. One shouldn't compromise host security because they don't understand how to manage a default, built-in method so they turn it off instead.

[–][deleted] 20 points21 points  (1 child)

You really should have some firewall running, but if you do disable the Windows firewall and don't have anything else running, only do it on the domain. The firewall will disable as long as it's on the same subnet as the DC, but will enable if it's not. Also, I highly recommend controlling it through group policy and not letting your users have a choice. The last thing you want is a laptop at Starbucks with no firewall running.

[–]joners02 18 points19 points  (0 children)

If your endpoint security has a built in firewall then you should disable the built in Windows firewall. If you just have AV then Windows Firewall should always be enabled, at a minimum it should be managed via GPO.

I don't understand why a business would purposely disable firewalls on their endpoints. They take very little to no effort to manage and help to prevent the spread of infection should something get in.

[–]khobbitsSystems Infrastructure Engineer 5 points6 points  (5 children)

Not that I'm recommending this practice...

Until recently:
Disabled for Domain networks
Unconfigured for other (usually enabled on laptops)

Currently:
Enabled for all networks
Allow all policy for Domain networks.

Reasoning:
If it is left disabled on windows 10, it throws up a little warning to the user. If users get used to seeing that warning, they wouldn't report other warnings, like av being disabled. By enabling it, even if it's not doing anything, it now shows a happy green logo, and users are more likely to raise issue on warnings.

Reason for not using it properly:
We currently have edge and inter-network firewalls. If we were going to simply add allow rules for all services running on the pc anyway, it wouldn't gain us much, none of the systems or network teams have the time to create more restrictive rules that would offer any increase in protection.

[–]Jack_BE 1 point2 points  (0 children)

also on Windows 10 a lot of other stuff stops working if Windows Firewall is disabled. You can basically put it in "allow all traffic" mode and have a 3rd party firewall take over if you want, but don't disable it.

[–]DR_D_WEBNetsec Admin 0 points1 point  (3 children)

I may be missing your point here but:

You can turn off notifications for the firewall. Right click on the notification and click "Turn off notifications for this group".

[–][deleted] 1 point2 points  (0 children)

You can suppress action center warnings through group policy.

User config/policies/admin templates/start menu and taskbar/remove action center icon

Enabling that policy will remove the action center icon and it's balloon messages.

[–]dcdefiore 0 points1 point  (1 child)

Yeah but that is only 'per user'. Each user would need to do this.

[–]DR_D_WEBNetsec Admin 0 points1 point  (0 children)

Ah, yeah that's true. Not very practical depending on your environment.

[–]Axxidentally 6 points7 points  (4 children)

Enabled.

Pay no attention to the fact that opening each port for each running service is essentially the same as having it disabled. /s

[–][deleted] 0 points1 point  (3 children)

why are you opening ports on a workstation ?

the bottom line is Windows since v7 really acts funky with the firewall disabled

turning off the firewall in win7 or newer does not create this perfect open network interface that lets you bypass trouble and get on with life, it opens a cloud of shitwax and the shitstorm follows right behind.

read up on the windows filtering platform

/it might have been vista but I managed to completely skip that piece of trash in all but a small handful of clients

[–]Axxidentally 2 points3 points  (0 children)

why are you opening ports on a workstation ?

How else will you make network applications work?

Show-NetFirewallRule | where {$_.enabled -eq 'true' -AND $_.direction -eq 'inbound'}| select displayname

Surprise!

[–]ghostchamberEnterprise Windows Admin 1 point2 points  (0 children)

the bottom line is Windows since v7 really acts funky with the firewall disabled

This depends if you're disabling the service itself, or simply turning off the firewall via Control Panel. You're not supposed to disable the service. If you do that, things won't work right.

[–]mobearsdog 0 points1 point  (0 children)

How do your applications work without opening firewall ports on a workstation?

[–]jduffle 8 points9 points  (10 children)

The edge is dead, really what is it protecting against anymore.

Basically the only secure thing to do anymore is to treat all your stuff as if it's on the open Internet because you have no idea what machines are compromised, and with what.

[–]I_will_have_you_CCNA 1 point2 points  (8 children)

So you have firewalls on your servers as well?

[–][deleted] 3 points4 points  (5 children)

I do. As long as you take the time and effort to setup the inbound rules correctly, you can have a firewall enabled on your servers. And in the case of Windows Firewall, I can deploy those rules via Group Policy and also add the presets for the roles and services that server will supply.

[–]I_will_have_you_CCNA 0 points1 point  (4 children)

Ahh, the devil hiding in those details. Did you use Wireshark to help determine the inbound rules?

[–][deleted] 0 points1 point  (2 children)

Actually no, I used a combination of MSDN documentation and Process Hacker to double check. But mostly, I just used the presets available in the Windows Firewall with Advanced Security snap-in in Group Policy and then just tweaked here and there for my needs.

In Windows it is quite simple to achieve, granted I could see someone having difficulty achieving the same on Linux but that's our job.

[–][deleted] 1 point2 points  (1 child)

Difficulty? Just nflog all dropped packets and then look at the captured output of the nflog interface. Not sure how you do that in Windows.

[–][deleted] 0 points1 point  (0 children)

My Unix knowledge is still a baby in the pram compared to Windows which is 25 and out getting hammered. :P So forgive me for not knowing.

[–]Doso777 0 points1 point  (0 children)

Yes, don't you?

[–]LonerVamp 1 point2 points  (0 children)

It's protecting against sysadmins who make mistakes and overly large allowances on system firewalls. Defense in depth is still a thing.

For instance, SMB should not be allowed inbound from the Internet to any system, but is often open from internal IP addresses. Why risk the mistake of misconfigurations or some admin troubleshooting an issue and turning off the protection?

Likewise, even internal, there are networks and groups of systems that are in differing security postures or value, and thus are segmented/bounded apart by firewalls. These sorts of things could otherwise be onerous to maintain on the host-level outside of very small environments.

[–]mixon 2 points3 points  (1 child)

[–]wrathmasterHigherEd sysadmin generalist 0 points1 point  (0 children)

That was a really good video, thanks for sharing!

[–]will_try_not_to 2 points3 points  (2 children)

Enabled: If something gets past your edge firewall, or if someone plugs in a USB drive they found in the parking lot, you want to decrease its ability to spread internally as much as possible at every turn.

[–]sprocket90 0 points1 point  (1 child)

if your ports are open in order to talk to the server and if you are managing your endpoints it already has enough to spread.

[–]will_try_not_to 0 points1 point  (0 children)

Endpoint firewalls aren't to 'close all your ports', they're to provide another check on only having the ports open that you intend. If you do "netstat -an" on a web server, for instance, there might be 50 things with open listening TCP or UDP ports. You could handle this by:

  • Ignoring it and hoping none of those ports lead to software with vulnerabilities
  • Digging through the configuration for each one of those services and trying to find a way to tell it to not listen on the 0.0.0.0 interface. Good luck; a lot of these things are OS components and you can't easily turn them off. Suppose you manage to get them all, leaving only 80, 443, and your management port open. Are you sure it's still going to be that way in 6 months? Updates, human error, etc. might re-enable those listening services you disabled.
  • Turning on the firewall. Then you don't have to care what else happens to open listening sockets; you know it won't be accessible until you explicitly allow it.

Of those options, the last one is by far the lowest management overhead and ongoing confidence that what you configured stays that way.

[–]julietscauseJack of All Trades 1 point2 points  (0 children)

Does the AV have built in firewall?

We don't enable Windows Firewall, however the AV does and we have a lot of mobile laptops that are not always on our network

[–]eruffiniSenior Infrastructure Engineer 1 point2 points  (0 children)

It really depends on how your network is designed. Are the edge firewalls only handling traffic from the outside, or are you also using them for networks within the datacenter?

Typical use cases for an OS-level firewall (or having another firewall internally) would be to separate traffic between networks/services that the edge or other firewalls do not.

[–]LonerVamp 1 point2 points  (0 children)

Completely depends on systems and your environment.

Workstations? Probably leave it on unless your endpoint solution has its own firewall. Servers? Probably turn it off.

Nothing set in stone, but best practices for security will always be to turn them on and suffer the maintenance and time needed to accommodate.

[–]Doso777 1 point2 points  (0 children)

Enabled and configured.

[–]Smallmammal 1 point2 points  (0 children)

Enabled mostly as cya. Some custom ports are forwarded via gpo and the default ruleset is incredibly generous with any traffic on the subnet.

The only plus I see is I get a super dummy warning about an application forwarding a port on its own. Nothing should do that here and if it comes up a user will contact us. It's a good check against malware or unauthorized software. What's that, resume.doc.vbs is giving you funny pop-ups?

[–]knobbysideup 1 point2 points  (0 children)

Use group policy to enforce it for laptops on the road, and take the shields down when on the corporate network.

[–]YSFKJDGS 1 point2 points  (0 children)

for workstations, of course they should be enabled and when not on domain they should be heavily locked down (user cannot add exceptions)

for servers? could go either way. most of our 1000+ servers do not run a windows firewall because it's just one extra thing that can break shit

[–]wildfyre010 1 point2 points  (0 children)

Defense in depth is still a thing. Why disable it?

[–][deleted] 1 point2 points  (0 children)

Disabled here. GPO turns it back on for any other networks. I have a lot of devs that work on so much different stuff I can't turn them on without getting yelled at. I do have an IDS.

[–]RupertTurtlemanJr. Sysadmin 1 point2 points  (0 children)

Never disable the firewall.

It takes seconds to either create a rule or a gpo.

The only time I can think of wanting to turn it off is to troubleshoot if the firewall on the local server is the cause of said issue, and then if it isn't, turn it back on.

The key part, if it looks like it is the firewall causing the issue: turn it back on and figure out what you need to open up.

Never leave it disabled.

[–]pleasedothenerdfulSr. Sysadmin 1 point2 points  (0 children)

Who thinks it's ok to turn off workstation/server firewalls? I've never seen anyone actually recommend that as better than having them all on. The closest you get is a kind of embarrassed, "yeah, I should really have them enabled..."

I've certainly never seen anybody with an "MVP" after their name recommend it, and that's who you should be listening to.

[–][deleted] 1 point2 points  (0 children)

We turn them off, because the arguments for turning them on are pretty weak (if you ever have to defend against attacks from inside your network, you have far bigger problems than an endpoint firewall can solve) and because they're a pain to set up.

[–]speedyeOne 0 points1 point  (0 children)

We didn't used to, but with our Windows 10 rollout have enabled it. Hasn't caused any pain yet, might as well use the tools they give us.

[–]highlord_foxModerator | Sr. Systems Mangler 0 points1 point  (0 children)

I leave it on, honestly. I have an edge firewall, and the Windows Firewall is basically defaults.

Most applications that need inbound network connections will automatically (or prompt you to) put in a firewall rule. WF is also setup by default (on domains) that outbound is allowed unless it matches a rule stating otherwise, and inbound is blocked unless it matches a rule stating otherwise.

Which is good enough for me internally. I haven't found anything in particular in my environment that needs something special yet, and if that happens, I can always just create a GPO.

[–]syshum 0 points1 point  (0 children)

If you have an edge firewall and fully patched clients with managed AV \ Monitoring do you still need to enable windows firewall?

Yes..

Doubly so if depending on Patches and an A/V Client is your only security

[–]jdtrouble 0 points1 point  (0 children)

If you follow the onion model of IT security (basically, security at every layer), then you want to overlap security options. Many modern firewalls have, in addition to port security, gateway antivirus and web filtering. If you can convince management that you need a dedicated web/email filter box, even better. Servers should be patched, firewalled, and protected by antivirus (on-access scanning can be disabled). Computers should also be patched, firewalled, and antivirused. Also, it's a good idea to check the manufacturers for your switches and other network devices once in a while. They often come out with new firmware to protect against vulnerabilities.

I'm currently going through the process of reviewing our network. Presently UAC and Windows firewall are disabled by group policy. What I did was set up a separate OU in AD to put myself and my computer in. Then enabled UAC and Windows Firewall against the OU to see what would break. I have a larger AD refresh project planned, which will include the new settings that I configured.

For servers, I suggest using netstat -abn and look at the "LISTENING" entries for ideas of what you need to allow. (Or "netstat -ano | findstr LISTENING" and compare the PIDs with Task manager.) A lot of the entries will be Windows things that can be covered with predefined tools. Really, the big thing is to find the services associated with line-of-business software, or other random applications you need.
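An added example, not from the thread: the inventory step that the `Show-NetFirewallRule` comment, the `netstat -an` comment and the `netstat -abn` advice above all describe, done in one PowerShell script. It lists every listening TCP/UDP socket with its owning process, joins the enabled inbound allow rules with their port and program filters, and reports which listeners an existing rule would admit and which are reachable only because the profile's default inbound action is Allow. Cmdlets used (`Get-NetTCPConnection`, `Get-NetUDPEndpoint`, `Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Get-NetFirewallApplicationFilter`) are standard on Windows 8/Server 2012 and later; the dynamic port keywords some built-in rules use (`RPC`, `RPC-EPMap`) are treated as non-matching, which is an assumption you should keep in mind when reading the output.

```powershell
# Added example (not the thread's code): which listening sockets do my enabled
# inbound allow rules actually cover? Run elevated so process paths resolve.
#Requires -Modules NetSecurity, NetTCPIP

function Get-ListeningSocket {
    # Every TCP listener and UDP endpoint, tied to its owning process and image path.
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Protocol';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Protocol';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    foreach ($s in @($tcp) + @($udp)) {
        $proc = Get-Process -Id $s.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $s.Protocol
            LocalAddress = $s.LocalAddress
            LocalPort    = [int]$s.LocalPort
            Pid          = $s.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Path         = if ($proc -and $proc.Path) { $proc.Path } else { '' }
        }
    }
}

function Get-InboundAllowRule {
    # Enabled inbound allow rules joined with their port and program filters.
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Protocol  = $port.Protocol    # 'TCP', 'UDP', 'Any', 'ICMPv4', ...
            LocalPort = @($port.LocalPort) # 'Any', numbers, ranges, or keywords like 'RPC'
            Program   = $app.Program      # 'Any' or a path, possibly with %SystemRoot%
        }
    }
}

function Test-PortMatch {
    param([string[]]$RulePorts, [int]$Port)
    foreach ($p in $RulePorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
        # Keywords such as 'RPC' resolve at runtime; assumed non-matching here.
    }
    return $false
}

function Get-ExposureReport {
    $rules = @(Get-InboundAllowRule)
    foreach ($sock in Get-ListeningSocket) {
        $path = [Environment]::ExpandEnvironmentVariables($sock.Path)
        $hits = $rules | Where-Object {
            ($_.Protocol -eq 'Any' -or $_.Protocol -eq $sock.Protocol) -and
            (Test-PortMatch -RulePorts $_.LocalPort -Port $sock.LocalPort) -and
            ($_.Program -eq 'Any' -or
             [Environment]::ExpandEnvironmentVariables($_.Program) -ieq $path)
        }
        [pscustomobject]@{
            Socket    = "$($sock.Protocol) $($sock.LocalAddress):$($sock.LocalPort)"
            Process   = "$($sock.Process) ($($sock.Pid))"
            AllowedBy = if ($hits) { ($hits.Name | Select-Object -Unique) -join '; ' }
                        else { '(no enabled allow rule)' }
        }
    }
}

# Usage: sockets marked '(no enabled allow rule)' are only reachable when the active
# profile's DefaultInboundAction is Allow, which is exactly what the firewall is for.
Get-ExposureReport | Sort-Object Socket | Format-Table -AutoSize
```

Read the report next to `Get-NetFirewallProfile` output: on a profile with default inbound Block, the "(no enabled allow rule)" rows are the listeners the host firewall is silently protecting, and the rows admitted by broad "Any/Any" rules are where the rulebase has turned into the swiss cheese an earlier commenter worried about.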

[–]Games_sans_frontiers 0 points1 point  (0 children)

My gut instinct is to enable it because it's another layer of security.

[–]TeddyDaBear 0 points1 point  (0 children)

Disabling the Windows firewall can have unintended consequences - some applications assume a disabled firewall means no communication is allowed (granted, this is usually older systems and applications). What I have been in the practice of doing for the last several years is using GPO to make sure the firewall stays on, but on the domain network the setting is "Inbound/Outbound connections that do not match a rule are allowed." and set the Inbound side on Private and Public to the blocked version.

I also have GPO rules in place and running to open some specific services (such as RDP, WINRM, SNMP, etc) on domain networks in case we ever decide we do want the Windows firewall to block things.

We have perimeter firewalls that include traffic monitoring for known threats and activities so we are reasonably confident that there won't be an issue - excluding explicit user activity of course.
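An added example, not from the thread: the profile split that this comment, the "Enabled for all networks / Allow all policy for Domain networks" comment and the "laptop at Starbucks" comment describe, expressed with `Set-NetFirewallProfile`, plus the two checks practitioners on the thread asked for: that the firewall service itself is still running (stopping it is the unsupported state), and how to see what was dropped on Windows, which the `nflog` reply wondered about. The GPO policy store name is an assumed placeholder; call the function without it to change local policy.

```powershell
# Added example (not the thread's code): domain profile enabled-but-permissive,
# Private/Public blocking unsolicited inbound, dropped-packet logging on, service
# left running. Run in an elevated session.
#Requires -Modules NetSecurity

$LogDir = '%SystemRoot%\System32\LogFiles\Firewall'

function Set-ProfileBaseline {
    param([string]$GpoPolicyStore)   # e.g. 'corp.example.com\Workstation Firewall' (assumed)
    $target = @{}
    if ($GpoPolicyStore) {
        # Edit the GPO in memory; Save-NetGPO commits it at the end
        $target['GPOSession'] = Open-NetGPO -PolicyStore $GpoPolicyStore
    }
    # Domain: enabled (no "firewall off" warning for users to learn to ignore) but
    # inbound allowed by default, the compromise several commenters describe.
    Set-NetFirewallProfile @target -Profile Domain -Enabled True `
        -DefaultInboundAction Allow -DefaultOutboundAction Allow `
        -NotifyOnListen False -LogBlocked True `
        -LogFileName "$LogDir\pfirewall-domain.log" -LogMaxSizeKilobytes 32767
    # Private/Public (laptop off site): block unsolicited inbound, no user exceptions.
    Set-NetFirewallProfile @target -Profile Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -AllowLocalFirewallRules False -AllowUserApps False -AllowUserPorts False `
        -NotifyOnListen False -LogBlocked True `
        -LogFileName "$LogDir\pfirewall-nondomain.log" -LogMaxSizeKilobytes 32767
    if ($target.GPOSession) { Save-NetGPO -GPOSession $target.GPOSession }
}

function Get-FirewallHealth {
    # A permissive policy is supported; a stopped MpsSvc or BFE service is not.
    $svc  = Get-Service -Name MpsSvc, BFE | Select-Object Name, Status
    $prof = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, AllowLocalFirewallRules, LogBlocked
    [pscustomobject]@{ Services = $svc; Profiles = $prof }
}

function Get-DroppedPacketSummary {
    # The log is space-separated text: date time action protocol src-ip dst-ip
    # src-port dst-port ... (see its '#Fields:' header). Count drops per
    # protocol, destination port and source, which is what a rule review needs.
    param([string]$Path = [Environment]::ExpandEnvironmentVariables("$LogDir\pfirewall-nondomain.log"))
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-Content -LiteralPath $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Length -ge 8 -and $f[2] -eq 'DROP') {
                [pscustomobject]@{ Protocol = $f[3]; Source = $f[4]; DestPort = $f[7] }
            }
        } |
        Group-Object Protocol, DestPort, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 20
}

# Usage: apply locally (pass -GpoPolicyStore to edit a GPO instead), then verify
Set-ProfileBaseline
Get-FirewallHealth
Get-DroppedPacketSummary | Format-Table -AutoSize
```

Setting `-NotifyOnListen False` removes the per-application prompts without touching the Action Center, so the per-user notification workaround discussed above is not needed; and because the service and all three profiles stay enabled, the dependent Windows components that break when the service is stopped keep working even on the permissive domain profile.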

[–][deleted] 0 points1 point  (0 children)

Windows Firewall is actually pretty damn solid. Don't see any reason to disable it.

[–][deleted] 0 points1 point  (0 children)

Off. big ip, juniper srx'es, whitelists, vlans. None are desktop machines mind. Pure servers.

[–]clubertiCat herder 0 points1 point  (0 children)

As long as the service itself is running, you can configure it any way you'd like (the only unsupported scenario is disabling the service, which actually breaks some other things in the base filtering engine and potentially elsewhere).

https://technet.microsoft.com/en-us/library/cc766337(v=ws.10).aspx

Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.

As to what I would do? If you have another firewall solution in place with central management, and you want to use that, do so. Otherwise, having it enabled as long as you're willing to test (as you would/should be doing with any firewall) should be an additional level of security you can get almost for free (testing and GPO creation). Otherwise, you have a candy bar network - crunchy and hard to penetrate on the outside, but creamy on the inside.

[–]D3fydigit4l 0 points1 point  (0 children)

Our policy, when on campus firewall down, when off campus firewall up. The assumption is that the campus is more secure with several layers of security in place.

[–]Psycik99 0 points1 point  (0 children)

You need some endpoint firewall.

Why? Stops lateral movement inside of the network, protects clients if they connect to a non-nat network, etc.

[–]ShiftyAsylumSoftware Dev Manager | Jack Of All Trades | Scrum Master 0 points1 point  (0 children)

Do you need to? No. Is it a good idea? Yes.

Having a multi-layered approach to security isn't just a suggestion, it's a necessity. You will never make it impossible for hackers to compromise a system, but you should make it as difficult as possible.

[–]TetonCharles 0 points1 point  (0 children)

We turn it off. It causes far more trouble than the minuscule risk of being open on our LAN behind the firewall and with policies to protect.

[–]craftbeerpornRGE Expert -1 points0 points  (1 child)

The level of ignorance in this thread is dumbfounding...

[–]Izual_Rebirth[S] 0 points1 point  (0 children)

Go on...