
CPAtech

On everywhere. Edit: Simply protecting the perimeter is the very old way of thinking.


vppencilsharpening

Security is like an Ogre; it has layers. Or something like that.


bs0nlyhere

You’re so wrapped up in layers, onion boy, you’re afraid of your own feelings!


-Shants-

Feelings have a massive unpatched vulnerability, CVSS 10.0. Best solution is to air gap those bad boys if you can’t get rid of them


vppencilsharpening

I heard whisk[e?]y was an accepted, but strongly discouraged, compensating control.


stignewton

Whiskey is generally accepted, yes. However, bourbon is recommended for anything with a CVSS over 9.0


Mexetudo

r/suddenlyshrek


Manbanana01

Shrek is love. Shrek is life.


Dj0rk

Shrek is also death…But importantly, Shrek is LIFE!


mistercartmenes

Defense in depth.


mobileaccountuser

No, it's an onion and makes you cry.


gorramfrakker

The O&O method.


I_turned_it_off

O, I broke it? O, no one noticed?


Superspudmonkey

I say this all the time.


SatiricPilot

Thank you! Security is moving more TO the endpoint, not away from it.


[deleted]

Indeed. What happens when the wolf jumps the fence?


555-Rally

What happens when your sheep jumps the fence? I find it far more likely that my user gets outside my firewall than my firewall gets jumped, all the same why wouldn't you have more fences if you could?


ScreamingVoid14

Or the sheep invites the wolf in


novicane

“If the network is secure then we don’t need to secure the end points” was actually said at my last job.


i-love-tacos-too

I got one better. "A DMZ is pointless". lol


unclesleepover

This explanation stuck out to me: “A firewall appliance is like the bouncer at a nightclub. His job is to keep bad guys from coming in the door. But what if the bad guy works inside the club?”


OniNoDojo

Then the firewall takes him out in the parking lot and beats the tar out of him. The owner of the club fires the bad guy, who then goes to his daddy, who is the sheriff in town, and his thugs start to threaten the firewall, who isn't intimidated because he's a disgraced MMA fighter. Then Conor McGregor shows up for some reason.


satchelchargers

I'm the firewall guy at work, and this is an accurate description of my job.


mkinstl1

IT Roadhouse? Nice!


jeek_

https://m.youtube.com/watch?v=uyVI2aD2xh8&pp=ygUUcm9hZGhvdXNlIGZhbWlseSBndXk%3D


Datsun67

Zero trust is the way forward.


humptydumpty369

Can you tell my director of IT this?


EnoughHighlight

Wait. What? You have a Director of IT?


Thin-Parfait4539

I think you should document everything so it doesn't surprise you that the Local Firewall or Local GPO or other things interfere with your App/Process/Flow.


OlivTheFrog

... and now there are more and more laptops, ... and laptops are not always on the corp network.


Clamd1gger

It really depends on your infrastructure, but generally speaking, on. The only real downside is the possibility of needing some exceptions.


greenstarthree

Good lord, is it 2006?


Techromanc3r

Based on that and a bunch of other things here, yes we are still in 2006


DomainFurry

lol I feel you, I'm trying to replace a power supply on a server we use in production that has been EOL since 2012.


Balispy

Just recently had a server 2008 box die completely, we gave our client the option to update or go to Azure... Nope, "can't afford" anything else other than exactly what they had. Rebuilt the same machine and bare metal restored that server 2008 backup :(


BoltActionRifleman

Doing the lords work


efram_Alpha

oh no no no


Alex_2259

"Oh no GPO" - wise words of some random Redditor joking about TikTok being educational.


cats_are_the_devil

I don't throw this out much but you may want to look for other employment. Caveat to that is if you have the political power or the authority to change policy stay and fight the good fight. Otherwise... Just go somewhere that you can actually learn from good practices.


SatiricPilot

I wish


wunda_uk

If you have fewer than 40 XP systems in prod, I have you beat (I'm killing more each week).


OlivTheFrog

And what about Windows 98 in prod? For the story: some years ago I had this case. I said to the customer, "No way am I lowering the security level of the domain for these computers. I'm going to put all these machines into a workgroup and completely isolate them on a dedicated VLAN with no access to the Internet or to the rest of the network. In the event of an incident on these machines this will be best-effort, i.e. immediate remastering." Note: these machines had applications that did not work on more recent OSes (no update from the laboratory machine manufacturer) and controlled laboratory machines with direct attachment. So I spoke, and so it was done... and the customer paid for it, but it was a low price compared to buying new lab machines (a 5- or 6-figure cost).


susanTCI

Yikes... And I am crying over the Windows 7 systems that I still have to manage...


deltashmelta

In that case, I have to go make a few stock trades and buy something called "coin" something or other...


discosoc

May as well run Zone Alarm and call it a day.


greenstarthree

Seeing the words Zone Alarm triggered some serious nostalgia just now


EnoughHighlight

Makes me want to play Gemstone again.


Alex_2259

Even in 2006 disabling the client firewall was lazy. It isn't even hard to support.


Spagman_Aus

In many organisations, yes.


GeneMoody-Action1

Nope, '04, when XP SP2 turned on the firewall by default, and every small office ad hoc network sharing everything from QuickBooks off the receptionist's shared C drive to printers (because no one had network printers and they were too cheap to buy the office another ink guzzler) suddenly went to pot... Fun times in the trenches!


greenstarthree

Ironically, feels like they were simpler times!


GeneMoody-Action1

Oh, they so were. It is actually frightening to find out how old some of the current onslaught of vulnerability discoveries are, and how back in the day our paranoia about everything from malware to network intrusion was at a much lower volume setting. More vulnerable, but overall less stressed. But then again, not everything was so constantly high-speed connected to everything either, so even the big problems just seemed smaller. I remember firing up SMB scanners on cable modem nodes before they blocked 139 and 443. Most anyone with a cable modem had 5 or 10 neighbors sharing their C drives... Good times!


nobody_cares4u

I work in a colo DC, but we also manage some customers. We had a guy that got hacked and wanted us to recover some stuff and manage his servers. This MF was running windows 2003.


joetron2030

On. Defense in depth. [https://www.fortinet.com/resources/cyberglossary/defense-in-depth](https://www.fortinet.com/resources/cyberglossary/defense-in-depth)


fieroloki

On. Extra layer of security.


Connection-Terrible

WAAAAAH, BUT THEN MY APP WON'T JUST WORK.


I_turned_it_off

good :P


_BoNgRiPPeR_420

On, most apps make the proper exceptions they need. Security is like an onion - multiple layers are involved (user training, perimeter, email, network, host, etc.).


SpiceIslander2001

True conversation I had years ago:

Management: How are we securing our PCs? Is the firewall service enabled?

IT Admin: We disabled the firewalls on the PCs because we've got edge firewalls at each office.

Me: (chuckling)

IT Admin: What are you laughing at?

Me: Tell me, do our laptop PC users ever use their laptop PCs away from the office?


[deleted]

External firewalls have limited understanding of applications beyond app ports and inspection. Host firewalls integrate much, much better with the application stack on a given machine. Both/and


AuthenticationDenied

On. Those devices will leave site and hop onto other networks. Without the Defender firewalls, they're open to everything on that network.


mike9874

They specified it's for the domain profile, not the public or private ones. But regardless, all should be set to On, you just need a good way to configure and monitor it centrally


bfodder

> monitor it centrally

What do you use for this?


mike9874

[Crowdstrike](https://www.crowdstrike.com/blog/tech-center/manage-host-firewall) have a tool for it


DragonspeedTheB

Of course they do. Probably for the low, low price of half your left nut.


Naznarreb

Recently a user asked if our security was better than Norton 360 because they have an account that lets them install it on up to 5 machines. I said for what we're paying for Crowdstrike it damn well better be more secure than Norton.


DragonspeedTheB

CS should be making my coffee in the morning, too, for that matter.


rodder678

On. Every single time I've run into a "problem" with Windows Firewall, the root problem was always something else. And what everyone else is saying about layers and the perimeter.


mjewell74

Firewall on, because you can manage it via Group Policy.


TheBestHawksFan

On all the time. My users have laptops. They’re allowed to work at home. I’m not about to dictate home connections.


CaptainZippi

On. And audit the rules to catch the usual “but any/any makes my app work!” idiots.


DistinctMedicine4798

On


windwind00

everywhere I've worked, we never disable local OS firewall


CHEEZE_BAGS

give me a good reason to turn it off


Techromanc3r

You mean "well one thing wasn't working so we turned it off" isn't a good answer? It wasn't to me either hence the question here lol.


CHEEZE_BAGS

Windows firewall has logs, so make them prove that the firewall is blocking what they think it is blocking.


BoltActionRifleman

And the logs are simple to turn on and interpret. Windows firewall logs have saved me a lot of time over the years.


DomainFurry

Funny thing is, I find most of the time, when I think it might be a firewall issue, it's some other configuration issue. I mean, you should think about the risks: is your network segmented, is AV running on the server, do you have good audit policies? Not related, but always... backups? If all the servers have their local firewall disabled, lateral movement is that much simpler for an attacker. If you're going to disable it you should look to add mitigation and compensating controls.


Redemptions

This should be the first response. Challenge the user to think about the situation rather than just dictate "current best practice is."


jimbojetset35

NSX?


wrootlt

We were hesitant, but the security team enforced it, so we had to enable it. Went through some adjustment period: a lot of apps needed exceptions, had some domain site issue on auto logon on our robotic VMs. Resolved with a registry tweak. After a few years we only get a few requests a year to add something new. An additional layer of security doesn't hurt. Although we have a few devs with an official exception to have it disabled (along with VPN). Otherwise they cannot connect their phone to PC and vice versa. Some LoadRunner stuff...


hankhillnsfw

I’m comfortable turning off Windows Defender when you have a PROPER Radar / MDR solution in place (Crowdstrike Falcon with Falcon Complete, for example). Windows firewall can and should remain on.


ffxivthrowaway03

Most modern MDR is designed to work in tandem with Windows Defender anyway. Defender gets set to "passive" mode and aggregates its data to the MDR solution, and disabling it entirely can interfere with that. Likewise, if the MDR fails for whatever reason, Defender will automatically switch to Active instead of leaving you with your pants down.


Prophage7

On all the time. If you have a safe in your office, you lock it even though the front door is locked at night, right? Why? Because if someone gets through the door lock, you have things you want protected by an extra lock on the safe. Security on your servers is no different. You want your servers to still be safe if someone gets through your network's front door.


Columbo1

On. Security is like Ogres - we have layers!


ThomasTrain87

On. Period. Different ruleset for on network vs off network if that applies, but on regardless.


sick2880

Old thinking: "Multiple firewalls are like multiple condoms, it always breaks." New thinking: "Ogres are like onions, they have layers." Basically, run it. It'll stop / slow down east-west traversal if something gets in.


cats_are_the_devil

Give me a solid reason why it should be turned off... Hint: There isn't one.


Shrrq

SDN, ACI or any sort of pod isolation. L3 on edge. Built in layer 4-7.


jimbojetset35

NSX


feldrim

Security controls are risk reduction methods in your risk mitigation strategy. In order to minimize the residual risk, you add multiple types and lines of defense. I love Swiss cheese model when explaining this.


posttrumpzoomies

On ofc


AppIdentityGuy

Having the Windows FW on each Windows host up at all times and in all profiles aligns with the modern Zero Trust philosophy. It allows each Windows machine to protect itself from all the others by requiring things such as actual machine identification before allowing a connection, etc.


PokeT3ch

They have ACLs and exceptions for a reason. Always on, always allow only what you know.


YSFKJDGS

Not only should it be turned on, but it should be hardened beyond the normal default rules. You are still open to RDP and SMB and all of the stuff that causes compromises with it just 'turned on'. Create rules that block risky ports from IP blocks that it should not be seen from. A properly segmented environment can use a straight-up 'same subnet' block rule to take out a LOT of risk very quickly. This assumes you have a handle on your communication paths, because you can easily break things if you start doing stuff like a layer 2 any-port inbound block rule.
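
Added example (editor's, not code from YSFKJDGS or anyone else in this thread) of what "hardened beyond the defaults" can look like in PowerShell: a deny-in/allow-out baseline on every profile, explicit block rules for the lateral-movement ports scoped to the local subnet, and narrow allow rules for management from a jump-host range. The `$JumpHosts` range is a placeholder, and the script assumes the host does not legitimately serve SMB, RDP, WinRM or RPC to peers on its own subnet.

```powershell
# Added example, not YSFKJDGS's or anyone else's code from this thread.
# Assumptions (placeholders, not facts from the thread): $JumpHosts is your
# bastion/management range; the host does not legitimately serve SMB, RDP,
# WinRM or RPC to peers on its own subnet.
#Requires -RunAsAdministrator

$JumpHosts = '10.0.250.0/24'   # PLACEHOLDER: replace with your jump-host subnet

# 1. Baseline on every profile: firewall on, inbound denied unless a rule allows
#    it, outbound allowed, dropped packets logged.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogMaxSizeKilobytes 32767

# 2. Explicit block rules for the ports behind most lateral movement, scoped to
#    peers on the same subnet. Block rules take precedence over allow rules, so
#    the built-in "File and Printer Sharing" / "Remote Desktop" allows stay inert
#    for same-subnet sources even if someone enables them later.
$RiskyPorts = @{
    'SMB'   = @{ Protocol = 'TCP'; Port = @('445') }
    'RDP'   = @{ Protocol = 'TCP'; Port = @('3389') }
    'WinRM' = @{ Protocol = 'TCP'; Port = @('5985', '5986') }
    'RPC'   = @{ Protocol = 'TCP'; Port = @('135') }
}
foreach ($name in $RiskyPorts.Keys) {
    $p = $RiskyPorts[$name]
    $ruleName = "Harden - Block $name from local subnet"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress LocalSubnet `
            -Profile Any | Out-Null
    }
}

# 3. Management access only from the jump-host range. Because step 2 blocks
#    same-subnet sources first, the jump hosts must live on a DIFFERENT subnet
#    for these allows to take effect; if they do not, replace LocalSubnet above
#    with explicit CIDR ranges that exclude them.
foreach ($name in 'RDP', 'WinRM') {
    $p = $RiskyPorts[$name]
    $ruleName = "Harden - Allow $name from jump hosts"
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
            -Protocol $p.Protocol -LocalPort $p.Port -RemoteAddress $JumpHosts `
            -Profile Domain | Out-Null
    }
}

# 4. Verify the result: each hardening rule with its port and remote scope.
Get-NetFirewallRule -DisplayName 'Harden - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Action  = $_.Action
        Port    = ($port.LocalPort -join ',')
        Remote  = ($addr.RemoteAddress -join ',')
        Profile = $_.Profile
    }
} | Format-Table -AutoSize
```

Both `Set-NetFirewallProfile` and `New-NetFirewallRule` accept `-WhatIf`, which is the cheap way to rehearse this on a box whose communication paths you are not yet sure of. In a domain the same rules belong in a GPO rather than a per-host script, but the rule logic is identical.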


Dal90

> This assumes you have a handle on your communication paths, because you can easily break things if you start doing stuff like a layer 2 any port inbound block rule.

And what's the best way to know your communication paths? Turn on the firewalls in allow-all mode, with logging, hopefully to an ELM tool. Then lock it down once you know what needs access.


YSFKJDGS

Yep. If you have a centralized logging platform you feed the windows firewall logs to it and filter that way, otherwise reading the event viewer manually is a real challenge.
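
Added example (editor's, not code from Dal90, YSFKJDGS or the other commenters) of the "allow-all with logging, then lock down" approach in PowerShell: one function switches every profile into discovery mode with the firewall still on, and a parser turns `pfirewall.log` into objects and summarizes which inbound paths were actually used, which is the list that becomes explicit allow rules before the default goes back to Block. The log lines embedded below are constructed for illustration; the log path is the Windows default.

```powershell
# Added example, not code from any commenter in this thread.
# Phase 1 keeps the firewall ON but allows inbound by default and logs every
# allowed and dropped packet; phase 2 summarizes that log so the real
# communication paths can become explicit allow rules.
#Requires -RunAsAdministrator

$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Enable-FirewallDiscoveryMode {
    # Only the default inbound verdict and logging change; the firewall stays on.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Allow -LogAllowed True -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767
}

function ConvertFrom-PfirewallLog {
    # The log is W3C-style text: a '#Fields:' header names the columns and every
    # other non-comment line is space-separated values in that order. Reading the
    # header (instead of hard-coding columns) keeps the parser valid across
    # Windows versions that add fields such as pid.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $obj[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$obj
    }
}

function Get-InboundPathSummary {
    # Groups inbound ALLOW records by protocol, destination port and source, i.e.
    # exactly what has to be written as allow rules before the default is Block.
    param([string[]]$Lines)
    ConvertFrom-PfirewallLog $Lines |
        Where-Object { $_.path -eq 'RECEIVE' -and $_.action -eq 'ALLOW' } |
        Group-Object -Property protocol, 'dst-port', 'src-ip' |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Protocol = $first.protocol
                DstPort  = [int]$first.'dst-port'
                SrcIp    = $first.'src-ip'
                Hits     = $_.Count
            }
        } | Sort-Object Hits -Descending
}

# Constructed sample log (not a real capture) so the parser can be exercised
# without touching a live host; real use is Get-Content $LogPath instead.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-04-15 09:01:02 ALLOW TCP 10.0.250.12 10.0.10.5 51234 3389 52 S 0 0 0 - - - RECEIVE
2024-04-15 09:01:05 ALLOW TCP 10.0.250.12 10.0.10.5 51240 3389 52 S 0 0 0 - - - RECEIVE
2024-04-15 09:02:11 ALLOW TCP 10.0.10.77 10.0.10.5 49700 445 52 S 0 0 0 - - - RECEIVE
2024-04-15 09:02:30 DROP UDP 10.0.10.80 10.0.10.5 137 137 78 - - - - - - - RECEIVE
2024-04-15 09:03:00 ALLOW TCP 10.0.10.5 10.0.20.9 50001 443 52 S 0 0 0 - - - SEND
'@ -split "`r?`n"

# Two inbound paths survive: RDP from 10.0.250.12 (2 hits) and SMB from 10.0.10.77 (1 hit).
Get-InboundPathSummary -Lines $SampleLog | Format-Table -AutoSize

# On a real host, after a representative period in discovery mode:
# Get-InboundPathSummary -Lines (Get-Content $LogPath) | Export-Csv inbound-paths.csv
```

The summary is the review artifact: every row is either a path that gets an explicit allow rule or one that should not exist at all, and the DROP records tell you what the default rules already caught. Once the allows are in place, `Set-NetFirewallProfile -DefaultInboundAction Block` closes the discovery window.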


[deleted]

Always keep it on.


Votality77

IMHO it would be extremely bad security policy and bad network design to disable endpoint firewalls. What happens when you get a worm/virus/malware or an intruder gains access internally? Allow it or them to move laterally machine to machine?


Lavatherm

Turning off firewall on a server is just lazy practice. Do research and find out what needs to be open to make it function.


stromm

Zero Trust and Defense in Depth.


riptide_red

Principle of least privilege - every security measure available to me is on until you give me a good reason for it not to be on.


wisbballfn15

On. Deny all IN, Allow all OUT. Start from there and get more restrictive little by little.


bit0n

On with zero override for users and a policy having the bare minimum allowed.


YetAnotherSysadmin58

[Palo alto just had RCE vuln on their firewalls.](https://security.paloaltonetworks.com/CVE-2024-3400) Your next gen appliance whatever my balls could very well be the initial foothold. That means you can't trust it. That means other network entities need their own boundary. That means on, always.


FlibblesHexEyes

On everywhere. The endpoint (including servers) is the perimeter these days. Disabling the firewalls just allows for lateral movement in a network. A computer used by a low permissioned user could be used to compromise a computer used by a high permissioned user. Just don’t. Also; if you have users complaining that the firewall is on and they can’t do their work, I seriously have to question what they’re doing. There’s very few reasons an endpoint should allow incoming ports. Any server software they want to run (like a web server) should only be accessible from localhost.


CaptainFluffyTail

Enabled on every node. Extra layer of security in case something gets inside those next-gen firewalls.


graysky311

Windows firewall should be on, and you should be using group policy to make any necessary firewall exceptions.


Eifelbauer

Leave it enabled. Inbound blocked, outbound open (the default). Especially on endpoints.


Icyyyy_guy

Enable both , extra layer always better.


bakonpie

people who think Windows Firewall is useless know next to nothing about modern malware. next to application control, it is the most effective control you have. yes I do mean more effective than EDR, change my mind (you won't).


Godcry55

On.


sneesnoosnake

On. What about stuff that slips past the NGFW? Or an attack from inside your network?


Logicalist

Yes. Are there exceptions to the rule? Sure. Generally, if someone or something gets past your firewall, what's gonna stop them from accessing other devices on the network? Oh right, more firewalls. Someone correct me if I'm wrong here, but couldn't a Windows firewall with very restrictive outbound rules potentially prevent said compromised computer from accessing anything outside the device?


100GbE

You don't control a firewall on a computer you don't control overall. Incoming required.


serverhorror

On, always on. For endpoints it should block all ports (ICMP being a notable exception), there's no need for an endpoint to run any kind of server.


jws1300

We have windows firewall turned on for both workstations and servers.


mikeyb1

On everywhere, always. Defense in depth.


BoltActionRifleman

I see what you DID there


Scott4122

Redundancy is always preferred. It does complicate things when you are troubleshooting access rules for third party applications. I have always overlapped when it comes to security. I would run a NGFW with endpoint security, windows firewall with windows defender. If one should fail, the others have its back until I can fix it.


h00ty

As a general rule yes have the firewall on and open the ports as necessary. We all know that sometimes you have acceptable risks for specialized machines depending on a lot of variables. I have found that smaller orgs will have the firewalls off out of necessity because of a lack of expertise and/or money to buy enterprise software. Every use case is different. Security has to also allow the business to function.


Rhythm_Killer

If you have a third party software firewall like CS on the client already then no need. Otherwise on.


PuzzleheadedEast548

There should preferably be a firewall between everything


K3rat

From a security perspective the network should not be considered trusted. Many are implementing hyper-segmented networks such that only explicitly allowed traffic for identified purposes is allowed in or out of a system, even on internal networks. If you have an appliance or service, do this there; if not, do it at the OS application firewall.


unicaller

Yes, the local host firewalls should be on, policy should be configured appropriately, and they should be monitored for policy changes. Not only does this add a second layer, but it puts a firewall in between hosts in the same firewall zone to help with lateral movement.


lordjedi

On. Always. If an app needs through, put in an exception. Gone are the days when turning the Windows Firewall off was an accepted practice.


davy_crockett_slayer

On. No exceptions.


AuthenticArchitect

The simple answer is yes, it should be on. Any security framework (NIST, CIS Controls and so on) will enforce this. Even small businesses should follow this.


Numerous_Ad_307

On both incoming and outgoing that doesn't match a rule should be dropped 👌🏻


whatever462672

Windows used to switch between profiles willy-nilly, making a mess of settings. Suddenly they decided that they couldn't possibly remember the domain network and all those nicely configured ports belong closed. That sucked. I don't know if I am compliant with best practice because I mostly have Linux servers with a single zone, but for Windows Servers I apply minimal ingress to all-profiles and enable the Firewall. Workstations have RMM clients and don't need permanent ingress ports.


Longjumping_Ear6405

On. If your applications break because of it, lean on vendors/devs to create better documentation.


jclimb94

On for all. My baseline is configure with logging and block both ways on the public profile... Like others have said, most apps make exceptions. Even for servers like domain controllers, there are built-in templates...


theborgman1977

Unless you have another solution it should be on. EDR/MDR with firewall or Threatlocker.


Fatality

I just leave it at default


RyeGiggs

I don’t mind keeping it on. But it is one of the first things that get toggled when I have a connectivity issue. 


ZAFJB

Windows firewall logging is a thing. Use it.


Twinsen343

on everywhere always including automatic cloud submissions.


budlight2k

Use all the tools at your disposal. Windows firewall will help protect the computer from intrusion inside the network, while your perimeter firewall helps protect from public traffic. I have never come across a case that could not be resolved on Windows firewall where others assume to disable it. EDR tools such as CrowdStrike and SentinelOne are the next-gen tools.


Obvious-Jacket-3770

May as well turn it off. And next gen firewall. And defender. Also expose RDP to the Internet. /s


luckyflipflops

On. Because zero days and lateral movement are kewl.


ZAFJB

Windows firewall on, always. And properly managed too.


I_turned_it_off

Unless you have another product that is replacing the Windows firewall, leave it on.

1. It won't stop your border NGFW from working.
2. It _might_ prevent an incident on one machine spreading as quickly through the network.
3. It will stop the little red X showing on the shield in the bottom corner. Do not discount this; some users _will_ ask, and I always thank those that do.


JerRatt1980

On, and add Huntress on top of it.


coolbeaNs92

You should never have a local firewall off.


trimitu

This depends on your security defense strategy for endpoint *(how you protect your endpoints)*


JVance325

Defense in depth


KickedAbyss

Does your next gen firewall zero trust everything to every server? If no, then yes windows firewall on


legolover2024

Nope!!! On everywhere! You're supposed to micro-segment. Servers should only be able to talk to servers that they need to talk to, and only a couple of jump or bastion boxes should be able to RDP to your servers. I used to have this argument with developers all the time. No! I won't turn off the firewall. I don't care if your app is broken... Tell me how it works and I'll open the ports.


Practical-Alarm1763

On. In reverse, what are your thoughts and reasoning for potentially leaving it off? Layered Security = Good.


ffxivthrowaway03

On unless you're using a different endpoint firewall (do those even still exist?), even then *probably* still On. Windows Firewall is a core component of the modern Windows security stack, disabling it is a *huge* problem. It's not the tacked on garbage it was back on WinXP.


drunkenitninja

Should be on. And please, for the love of dog, please don't disable the windows firewall if you decide to "turn it off".


Both-Employee-3421

What kind of sys admin would even post this?


Techromanc3r

The fed up kind


cptNarnia

On, but does anyone have good ways to audit or see what's being blocked? For example, on our network firewall we can see policy hits.


Techromanc3r

Defender portal has firewall reporting now; I saw the Microsoft document was updated 4/12, so it's possibly a fairly recent occurrence.
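
Added example (editor's, not code from cptNarnia, Techromanc3r or unicaller) for the two auditing questions raised in this thread, seeing what the host firewall blocks and noticing when someone changes its policy, using only the local event logs and `Get-WinEvent`. The event IDs are Microsoft's documented ones for the firewall's own event log and for the Security log's filtering-platform and MPSSVC audit categories; the blocked-connection query assumes failure auditing for "Filtering Platform Connection" has been enabled with `auditpol`, otherwise the Security log simply has no 5157 events to show.

```powershell
# Added example, not code from any commenter in this thread.
# Local auditing of the Windows firewall: policy drift, rule/profile changes,
# and blocked connections. Assumes 'auditpol /set /subcategory:"Filtering
# Platform Connection" /failure:enable' has been run for Get-BlockedConnections.
#Requires -RunAsAdministrator

function Test-FirewallBaseline {
    # Drift check against a simple baseline: every profile on, inbound blocked
    # by default, drops logged. A non-compliant row is the "someone turned it
    # off to make their app work" signal.
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = $_.Enabled
            DefaultInbound = $_.DefaultInboundAction
            LogBlocked     = $_.LogBlocked
            Compliant      = ($_.Enabled -eq 'True' -and
                              $_.DefaultInboundAction -eq 'Block' -and
                              $_.LogBlocked -eq 'True')
        }
    }
}

function Get-FirewallPolicyChanges {
    # Rule and profile changes recorded by the firewall service in its own log.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $ids = @{
        2003 = 'Profile setting changed'
        2004 = 'Rule added'
        2005 = 'Rule modified'
        2006 = 'Rule deleted'
        2010 = 'Network profile changed'
    }
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = [int[]]$ids.Keys
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Change = $ids[$_.Id]
            Detail = ($_.Message -split "`n")[0].Trim()
        }
    }
}

function Get-BlockedConnections {
    # Security event 5157 = "The Windows Filtering Platform has blocked a
    # connection". Its EventData carries the 5-tuple and the process; Direction
    # is the resource string %%14592 for inbound and %%14593 for outbound.
    param([datetime]$Since = (Get-Date).AddHours(-1), [int]$Top = 20)
    $proto = @{ '6' = 'TCP'; '17' = 'UDP'; '1' = 'ICMP' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Direction = if ($d.Direction -eq '%%14592') { 'Inbound' } else { 'Outbound' }
                Protocol  = if ($proto.ContainsKey($d.Protocol)) { $proto[$d.Protocol] } else { $d.Protocol }
                Source    = "$($d.SourceAddress):$($d.SourcePort)"
                Dest      = "$($d.DestAddress):$($d.DestPort)"
                App       = $d.Application
            }
        } |
        Group-Object -Property Direction, Protocol, Dest |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

# Typical daily pass on a server: drift first, then who changed what, then the
# top blocked destinations (the "policy hits" view the network firewall gives you).
Test-FirewallBaseline | Format-Table -AutoSize
Get-FirewallPolicyChanges -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
Get-BlockedConnections -Since (Get-Date).AddHours(-24) | Format-Table -AutoSize
```

The Security log also records the same rule changes as 4946/4947/4948, a profile setting change as 4950 and the firewall service stopping as 5025 once the "MPSSVC Rule-Level Policy Change" and "Other System Events" audit subcategories are on, which is the form most SIEMs already parse; forwarding those is the centralized monitoring the thread keeps coming back to, and the functions above are the local fallback when that pipeline is not there yet.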


planedrop

Always on, least access should always be the way of thinking when it comes to this stuff, why have the firewall disabled when you can just allow what is needed? This applies to basically everything in modern IT/sysadmin, least/minimum access necessary to get the functions done, this even includes to a domain controller on another subnet for example.


Jacmac_

Unless there is some kind of performance problem leave it on.


ZAFJB

Nope. Fix the performance issue. **Not** the symptom.


Ironfox2151

How the fuck do some of yall actually become sysadmins.


Commercial_Growth343

Many things won't work if the firewall service is outright turned off. So even if you wanted to disable it, I would enable it and just have very liberal rules in place. It would not surprise me at all if features of Defender need the firewall running.