Windows firewall: Overhead or additional protection?

Too many times the value of built-in firewalls may be overlooked. IT pro Rick Vanover explains pros and cons of using firewalls in the operating system.

In the course of administering servers, I've generally preferred to use firewall appliances to dictate traffic patterns at the network level. Firewalls that come built in with the operating system, namely Windows firewall, I have generally preferred not to use. So much so that I have committed to memory the command on modern Windows systems to turn the firewall off for all profiles:

netsh advfirewall set allprofiles state off

In a conversation with another administrator who specializes in Linux systems, the topic came up about using built-in firewalls. The other administrator commented, "I'd love to see all of your Windows systems use Windows firewall." The comment made me stop and think for a bit. Primarily, I was expecting something snarky related to the Windows vs. Linux differences that we have. The other administrator continued to say that Windows firewall does a good job at what it is intended to do.

My background is Windows-centric, and that much I did agree with. Windows firewall does do a good job of managing traffic patterns in and out of the system, including block rules and configuration down to the port level. This can go one step further with what I feel is the best product Microsoft has ever made: Group Policy. Group Policy in Active Directory can be configured to centrally manage and push Windows firewall configurations very easily.

So the question becomes, do we forgo the use of appliance firewalls and favor firewalls built in to operating systems? I don't think that is realistic, but I do think that a case can be made to rethink the use of Windows firewall for systems generally on the network. This isn't to say that the practice wouldn't require some enhanced governance and management, however. Besides, a host firewall rule that is too restrictive can not only cut off desired communication patterns but can also cut off the administrative interfaces themselves.

The only way I see built-in firewalls being a viable option, even for trust zones that are not security-critical, is to be centrally managed. In the case of Windows firewall, Group Policy is the right vehicle for this.
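As an added example (not code from the article or its author), the following PowerShell shows the opposite of the netsh command above: turning Windows Firewall on for every profile with block-by-default inbound behaviour, while deliberately keeping the remote-administration paths open so the host does not lose its management interfaces. It assumes an elevated session on Windows 8 / Server 2012 or later (the NetSecurity module); the management subnet and rule names are constructed placeholders.

```powershell
# Added example, not from the article. Enable Windows Firewall on all profiles
# with safe defaults, keep admin access reachable, and verify the result.
# ASSUMPTION: run elevated on Windows 8 / Server 2012+ (NetSecurity cmdlets).

$AdminSubnet = '10.0.50.0/24'   # ASSUMPTION: replace with your management network

# Turn the firewall on for every profile: inbound blocked by default, outbound
# allowed by default, and dropped packets logged so the rule set can be reviewed.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Keep remote administration reachable, but only from the management subnet,
# so enabling the firewall cannot lock administrators out. Rule names are
# hypothetical; the built-in "Remote Desktop" rule group is an alternative.
New-NetFirewallRule -DisplayName 'Mgmt - RDP from admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'Mgmt - WinRM HTTPS from admin subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress $AdminSubnet -Action Allow -Profile Domain

# Verify: every profile should report Enabled = True, and the list of enabled
# inbound allow rules is what a reviewer checks for anything unexpected.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

The same cmdlets accept a -PolicyStore parameter naming a Group Policy object, which is how these settings would be authored centrally rather than per host, in line with the article's point that the built-in firewall is only viable when centrally managed.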

What are your thoughts on using Windows Firewall on a widespread basis? Share your comments below.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

42 comments
clindell

Forget the desktops and clients, let's talk about servers, Windows Servers. Do you feel that the Windows firewall with advanced protection enhances security or hinders it on a Windows server? Forget any other O/S, this is for those of us who need to manage Windows servers. If you are in a Windows shop you have no choice, this is what we work on. We all likely understand there are other things we do and use to keep our networks and systems secure on multiple levels. So do you feel that using Windows firewall is a benefit or causes more grief than needed, and either disable it if necessary or turn it off by running netsh advfirewall set allprofiles state off? Do you run the UAC on your servers? Do you feel they provide additional protection and enhance security or hinder it on a Windows server?

Who Am I Really

On for a standalone system, i.e. for the one-machine office or home, but off on my network, as it's a royal PITA just trying to access files on other systems with it on; the security router is the firewall.

cbader

I turn it off and use either Comodo or I'll buy the full security suite from Kaspersky and use their firewall.

nwallette

I've fixed a ton of problems with extra layers in the Windows networking stack. When I became responsible for a Windows domain, my GP was set to stop the ICS/Firewall service entirely on servers and workstations, but enable it with a minimal ruleset on laptops. IMHO, the Windows codebase is a behemoth of parts that are too integrated for anyone's good. It's all duct tape and baling wire. The less of it running, the better. That said, I wouldn't put a Windows box directly on the Internet if I had the choice -- firewall or no. Not to make this a Win-Lin debate, but a Linux system running iptables is about the only software firewall I have any trust in. (I use it as my home router actually -- 500 days uptime, filled the flash disk several times with logs of break-in attempts, but still working like a charm.) The one advantage software firewalls have is application-level security going out of a host. In that case, and to keep an infected PC from spreading its digital germs in a trusted network, I can kinda see the reasoning. But then it's only as good as the buffer overflow protection and permissions allow it to be.

kkernspa

In a corporate network environment, it behooves the network administrator to do their level best to secure the network and its resources. With that said, so long as the security used does not hinder user productivity, then it should remain. I personally do not see Windows Firewall as a hindrance to workstation users and would make use of the centralized administration tools available to administrate it.

HaroldHO

Unless you're utilizing group policy to propagate firewall rules and connection security rules, you aren't even scratching the surface of Windows Server 2008/Vista+'s Windows Firewall with Advanced Security. The ability to customize is really impressive compared to its predecessors, and the ability to configure rules based on profile is useful as well. For instance, configuring a relatively lax firewall policy for the Domain policy on a laptop and a more strict policy on the alternate policies means the firewall will be dynamic depending on the situation. Also, with the connection security rules, you can configure IPsec authentication and encryption on specific source or destination ports or IP addresses. This is especially useful for applications that don't support encryption at the application layer, as you can let the operating system establish the IPsec connection; while it adds additional processing overhead, it's seamless to the application.
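The two capabilities this comment describes, profile-dependent rules and an IPsec connection security rule protecting an application that cannot encrypt on its own, as an added example (not the commenter's code). It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later; TCP port 8080, the corporate subnet and the rule names are constructed stand-ins for a legacy application.

```powershell
# Added example, not from the comment above. Profile-aware firewall rules plus
# an IPsec connection security rule for a legacy application on TCP 8080.
# ASSUMPTION: run elevated on Windows 8 / Server 2012+ (NetSecurity cmdlets).

$CorpSubnet = '10.0.0.0/8'      # ASSUMPTION: corporate address space

# Domain profile (machine is on the corporate network): allow the legacy app
# inbound, but only from corporate addresses.
New-NetFirewallRule -DisplayName 'LegacyApp inbound (Domain)' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 `
    -RemoteAddress $CorpSubnet -Action Allow -Profile Domain

# Private/Public profiles (laptop away from the office): block the same port
# outright, so the rule set tightens by itself when the network changes.
New-NetFirewallRule -DisplayName 'LegacyApp inbound blocked (off-domain)' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 `
    -Action Block -Profile Private,Public

# Connection security rule: require IPsec for inbound traffic on the legacy
# port and request it outbound. Unauthenticated inbound connections to 8080
# are dropped; authenticated ones are protected with no change to the app.
New-NetIPsecRule -DisplayName 'LegacyApp require IPsec' `
    -Protocol TCP -LocalPort 8080 `
    -InboundSecurity Require -OutboundSecurity Request -Profile Domain

# Verify the rule, then (after a peer connects) confirm that a main-mode
# security association was negotiated; no SA means IPsec did not come up.
Get-NetIPsecRule -DisplayName 'LegacyApp require IPsec' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled

Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId
```

Because the connection security rule is applied to the Domain profile only, the same laptop carries no IPsec requirement on a public network, where the port is simply blocked; the rules adapt to the active profile exactly as the comment describes.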

andykrantz

"So the question becomes, do we forgo the use of appliance firewalls and favor firewalls built-in to operating systems?" You'd have to be crazy to consider that! You should *always* protect the perimeter of your network with hardened firewalls (appliance or Linux) and use the Windows firewall (group managed or not) as a second line of defence. Your Linux admin friend is right - the Windows firewall does a good job of what it is *intended* to do. Perimeter firewalls are the belt, Windows firewall is the suspenders. I'm a Linux sysadmin and I use the Windows firewall on my Vista laptop because it is simple, effective, and doesn't cost extra.

HckrAdm2005

We use Windows firewall for our local machines but managed via group policy. It works quite well and gets the job done without having to buy an appliance or set up an open-source equivalent.

The 'G-Man.'

Should build small hardware firewalls into the cards / main boards that run outside any installed OS. That would be another option.

Colnar

I turn it off as well. I find it more of a nuisance than a help. It makes it extremely difficult to remotely manage PCs and servers within the network.

reggaethecat

One of the first things I do when building a server is turn off the firewall. The Security Configuration Wizard is the thing to use if you need extra security. But I tend to trust my main firewalls. In my view, Microsoft should concentrate on having Windows as locked-down as possible out of the box, à la Ubuntu, then we wouldn't need to have this discussion. But I appreciate that some open ports are necessary for communication with the outside world.