
Disabling the firewall in Windows Server 2008 Core Edition

For Windows Server 2008's Core Edition, the default firewall configuration is one of the things most administrators want to turn off after installation. You can complete this task with one line of code, which you'll want to add to your script arsenal.

The use cases for Windows Server 2008 Core Edition include additional security for certain installation sites and networks, and certain products (e.g., the free Hyper-V role) are only available on core editions. In Windows Server 2008 systems, including the core installations, the Windows Firewall is enabled by default. For many administrators, the first step of a new Windows installation is to disable the Windows Firewall. You can do this with the following Netsh command:

    netsh advfirewall set allprofiles state off

Now the Windows Firewall is disabled for all network profiles. You can adjust the parameters passed to Netsh. To determine what commands are available for Netsh, simply go into Netsh and enter a question mark (?) in one of the interactive contexts. Figure A shows the advfirewall context.

Figure A

Visit TechNet for more information about Netsh in the advfirewall context.


About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

12 comments
paul.willy

Netsh allows terse commands, like IOS, so netsh advfi set allp st of has the same effect as netsh advfirewall set allprofiles state off and requires fewer keystrokes. netsh fire set op dis also disables the firewall. It would be possible to write a netsh script to only open the ports you need, post install. The reason I think this is a great tip: unlike Server Manager in non-core installs, where adding a role automatically opens the correct ports in the advanced firewall, Core uses OCSETUP, which does not have that functionality. And there is no GUI to use to config the Advanced firewall. You might use Group Policy.
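
The post-install netsh script suggested in the comment above, which keeps the firewall enabled and opens only the ports a build needs, written out as an added example that is not from the article or from any commenter. The rule names, the ports chosen (RDP on TCP 3389, SMB on TCP 445) and the 192.0.2.0/24 management subnet are assumptions for illustration.

```batch
@echo off
rem Added example, not from the article or its author.
rem Assumption: the build needs inbound RDP (TCP 3389) and SMB (TCP 445)
rem from a management subnet. 192.0.2.0/24 is a placeholder range.
setlocal
set MGMT=192.0.2.0/24

rem Keep the firewall on for every profile instead of turning it off.
netsh advfirewall set allprofiles state on || goto :fail

rem Default stance: block unsolicited inbound traffic, allow outbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound || goto :fail

rem Open only what the build needs, limited to the management subnet
rem and to the domain profile.
netsh advfirewall firewall add rule name="Build - RDP in" dir=in action=allow protocol=TCP localport=3389 remoteip=%MGMT% profile=domain || goto :fail
netsh advfirewall firewall add rule name="Build - SMB in" dir=in action=allow protocol=TCP localport=445 remoteip=%MGMT% profile=domain || goto :fail

rem Review the resulting state and the two rules.
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name="Build - RDP in"
netsh advfirewall firewall show rule name="Build - SMB in"
exit /b 0

:fail
echo netsh returned an error; firewall configuration is incomplete. 1>&2
exit /b 1
```

Once the build steps are finished, the temporary rules can be removed with netsh advfirewall firewall delete rule name="Build - RDP in" (and likewise for the SMB rule).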

Michael Kassner

Can the firewall be configured on any interface? I am seeing a real need to firewall important servers on the internal interface as well as external.

Gis Bun

I like this: "For many administrators, the first step of a new Windows installation is to disable the Windows Firewall." Wouldn't keeping the firewall enabled on a server and then allowing certain required traffic be better?

b4real

Not sure about core, but in the full installation, you can select the Advanced tab and apply to selected interfaces. Leads me to think it can be done in core. So, good idea for a next tip!

b4real

Sometimes the steps of the build require actions such as a file copy, RDP, or other functions that are used before a live workload is used on the box.

joe

If your router has a firewall then why do we need the Windows firewall? Is it really any better? Can't I just turn it off and forget it? You know it is sad to think that every computer in a Windows network must have its own firewall, anti-virus, malicious spyware removal, etc., etc. tools for security.

Gis Bun

I'm not sure if Rick implied that the firewall should be turned off just for the work prior to going live or maybe just to turn off the firewall permanently - is what I meant.

pgit

I don't have a problem with freeware. AVG outperforms Norton and McAfee in virus recognition. And Malwarebytes' "mbam" is great, it catches stuff the antivirus missed. The bad guys are well aware of mbam, many trojans & etc. are written to specifically not allow mbam-setup to run. You have to rename it, I usually just take the - (dash) out of the name. It's been a long time since the answer to that mayhem is to image the drive from scratch. But since mbam came along I have been able to repair sick machines. Working on one atm.

whatisnew

I have never used freeware on my servers. And I don't browse Internet on the server. Windows Update is the only thing which requires my servers to connect to Internet.

gshort

I'm new with this company and not only do we have a firewall on the router, I've found several client machines running adware and McAfee at the same time. If I'm not mistaken - this can cause some problems. I have turned off the Server 2008 firewall and am in the process of removing a lot of unwanted freeware virus programs. What do you think?
