Windows firewall: Overhead or additional protection?

Too many times the value of built-in firewalls may be overlooked. IT pro Rick Vanover explains the pros and cons of using firewalls in the operating system.

In the course of administering servers, I’ve generally preferred to use firewalls via an appliance to dictate traffic patterns at the network level. I have generally preferred not to use the firewalls that come built into operating systems, namely Windows firewall. So much so that I have committed to memory the command on modern Windows systems to disable the firewall service for all profiles:

netsh advfirewall set allprofiles state off

In a conversation with another administrator who specializes in Linux systems, the topic of using built-in firewalls came up. The other administrator commented, “I’d love to see all of your Windows systems use Windows firewall.” The comment made me stop and think for a bit. Primarily, I was expecting something snarky related to the Windows vs. Linux differences that we have. The other administrator continued to say that Windows firewall does a good job at what it is intended to do.

My background is Windows-centric, and that much I did agree with. Windows firewall does do a good job of managing traffic patterns in and out of the system, including block rules and configurations to the port level. This can go one step further and utilize what I feel is the best product Microsoft has ever made: Group Policy. Group Policy in Active Directory can be configured to centrally manage and push Windows firewall configurations very easily.

So the question becomes, do we forgo the use of appliance firewalls and favor firewalls built into operating systems? I don’t think that is realistic, but I do think that a case can be made to rethink the use of Windows firewall for systems generally on the network. This isn’t to say that the practice wouldn’t require some enhanced governance and management, however. Besides, a firewall rule that is too restrictive on the host can not only cut off desired communication patterns but can possibly remove the administrative interfaces.

The only way I see built-in firewalls being a viable option, even for trust zones that are not security-critical, is for them to be centrally managed. In the case of Windows firewall, Group Policy is the right vehicle for this.
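
An added example, not part of the original article: a PowerShell pre-flight audit to run on a server before turning Windows firewall back on, showing which profiles are enabled, whether each inbound allow rule comes from the local store or from Group Policy, and whether the administrative interfaces would stay reachable. The management ports (RDP on TCP 3389, WinRM on TCP 5985/5986) are assumptions; substitute the ports your own administration tools use.

```powershell
# Added example: audit the effective Windows firewall policy before enabling it.
# Uses the built-in NetSecurity module (Windows 8 / Server 2012 and later).
# Assumption: these are the management ports that must remain reachable.
$mgmtPorts = '3389', '5985', '5986'

# 1. Per-profile state as actually enforced. ActiveStore is the merged view
#    of local settings and anything pushed by Group Policy.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

# 2. Every enabled inbound allow rule in the effective policy.
$allowRules = Get-NetFirewallRule -PolicyStore ActiveStore `
    -Direction Inbound -Action Allow -Enabled True

# 3. For each management port, list the rules that keep it open and where
#    each rule came from (Local vs. GroupPolicy).
#    Limitation: port ranges such as '5985-5986' are not expanded here.
foreach ($port in $mgmtPorts) {
    $hits = foreach ($rule in $allowRules) {
        $filter = $rule | Get-NetFirewallPortFilter
        $protoOk = $filter.Protocol -in 'TCP', 'Any'
        $portOk  = ($filter.LocalPort -contains $port) -or
                   ($filter.LocalPort -contains 'Any')
        if ($protoOk -and $portOk) {
            [pscustomobject]@{
                Port    = $port
                Rule    = $rule.DisplayName
                Profile = $rule.Profile
                Source  = $rule.PolicyStoreSourceType
            }
        }
    }
    if ($hits) {
        $hits | Format-Table -AutoSize
    } else {
        Write-Warning ("No enabled inbound allow rule covers TCP $port; " +
            "enabling the firewall may cut off that administrative interface.")
    }
}
```

A rule whose Source is Local rather than GroupPolicy is one that is not yet centrally managed and can drift from host to host.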

What are your thoughts on using Windows Firewall on a widespread basis? Share your comments below.