Manage computer account profiles for Windows Firewall centrally with Group Policy, but beware of a potential risk.
While running firewalls is a good practice to protect systems from harm, it also can get in the way. One thing I really like about Windows Firewall is its ability to be centrally managed, and the best way to do this is through a Group Policy Object (GPO). On a per-server basis, Windows Firewall can still be managed through the interface in the Control Panel. For Windows Core editions, you can learn the command to disable Windows Firewall via a prompt. (I've committed the command to memory.)For Windows Firewall, you can set a computer's account profiles in the Computer Configuration | Policies | Windows Settings | Security Settings | Windows Firewall with Advanced Security area of Group Policy. In this GPO, you can set rules for a computer account for each of the profile types (Public, Private, and Domain) (Figure A). Figure A
Click the image to enlarge.
This is a good situation for using a security group to filter membership for a GPO. It may not make sense to apply this GPO to an entire organizational unit. This can be due to different operating systems, mixed requirements, and policy. Broad application of this type of configuration is less desirable, so GPO filtering by security group becomes attractive.
You might be wondering: What happens when the computer account is not connected to the Active Directory domain and is unable to execute this policy? In most situations, Windows Server systems aren't often disconnected from their Active Directory domain controllers, but it can happen. When a computer that has this policy applied is removed from the domain, the configuration is retained.
The risky thing about Windows Firewall being used with Group Policy is that it would supersede the local configuration. For example, if a firewall policy is deployed via a GPO that blocks certain traffic, the GPO would need to be changed. You cannot make the change on the fly by simply going into the firewall console or using netsh advfirewall commands.
Do you think using GPOs to manage Windows Firewall is a good idea? If so, how have you used GPOs for Windows Firewall? Let us know in the discussion.