XP Firewall within Domain

Status
Not open for further replies.

Aelara

IS-IT--Management
Dec 13, 2007
34
GB
This one is more of a query regarding the role and/or importance of the XP firewall within a W2K3 Domain. I would like to disable a good number of workstation firewalls as they are running services usually requiring ports to be enabled. Obviously I can do all I need via GPOs, including open/close ports, but I am questioning the need of a workstation firewall when behind a corporate firewall.

Please note I am referring to workstations which store nothing of any great importance and are used by staff for the usual internet, word processing etc. All inbound/outbound traffic is of course routed through Cisco boxes and heavily monitored.

Any thoughts? What scenario would you see the local XP firewall playing a key role in, in the context of a well structured and protected domain?

Many Thanks.

 
I work in an office of about 40 desktops and about 40 servers. I have Windows firewall disabled on all of them.

On our servers, we have our DMZ for external servers and only open the ports we need for those servers. They have no access to each other or backwards to our network.

I use Kaspersky corporate which has its own firewall and I can open all connections within the network.

Everyone has their own opinion on the subject and it is more of a "best practice for your environment" than a set rule. Obviously keeping an eye on your firewall logs, Windows security updates and having a good corporate virus scan should minimize any threats you'd encounter.

Cheers
Rob

The answer is always "PEBKAC!"
 
A workstation-level firewall is another part of the "Defense in Depth" concept. The basic idea being that the more walls you throw in the way of attackers, the less likely they are to be able to do any damage. When assessing your network's security, you have to consider all possible attack angles.

You appear to have external attacks covered well, but what if someone stumbles on a site that has been compromised and that puts some kind of malware on that desktop? Do you have anything in place that would stop it from infecting other machines on your network? What if someone brings in a USB stick they found lying on the ground in front of your office, plugs it into their workstation and subsequently unleashes a worm on your network?

I'm not saying that Windows firewall will stop these attacks, but having it is better than not, especially when it is so easy to configure using group policy.
 
My network of about 450 systems total has the firewall disabled via GPO. We have multiple defenses on our external links that we rely upon to help prevent attacks, and we have good, updated, antivirus for anything that gets through.

You are open for an internal attack...or at least, more open than if you had the firewalls enabled, but as you have discovered, within a domain sometimes the firewall can be more trouble than it's worth.

I'm Certifiable, not cert-ified.
It just means my answers are from experience, not a book.

There are no more PDC's! There are DC's with FSMO roles!
 
I agree it is essential to ensure internal threats are minimised. We aim to balance internal security with ease of service deployment. AV protection, point-of-access malware detection, on-access virus quarantine etc. are all systems we use, but as you have pointed out, only a fool underestimates the enemy within.

On saying that, I think I'll disable the firewalls on the mentioned workstations long enough to do what I need and reapply when done.

Aelara.
 
I like to have the XP firewall turned on as part of 'defence in depth'. I open any ports required via group policy.

Paul
MCSE 2003
MCSA 2003
MCITP Enterprise Administrator

If there are no stupid questions, then what kind of questions do stupid people ask? Do they get smart just in time to ask questions?
Scott Adams
 