Miles Li [MSFT]
Hello,

Thank you for posting here. According to your description, I understand that you have a concern about the Windows Firewall on the SBS domain clients. If I have misunderstood the problem, please don't hesitate to let me know.

Explanation:
========================

For SBS client computers, there is a Group Policy named Small Business Server Windows Firewall that controls the behavior of the Windows XP SP2 firewall. You can verify the applied Windows Firewall settings on the clients in RSOP.msc. Just as Lanwench and Russ mentioned, generally speaking, we should never disable Windows Firewall as a whole; instead, you could configure Windows Firewall exceptions based on application requirements.

To configure Windows Firewall group policy, please refer to the following Microsoft Knowledge Base articles:

Windows XP Service Pack 2 and Windows Small Business Server
http://technet.microsoft.com/en-us/l.../cc672128.aspx

How to Configure Windows Firewall in a Small Business Environment Using Group Policy
http://www.microsoft.com/technet/sec...ch/windowsxp/fwgrppol.mspx

872769 You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network
http://support.microsoft.com/kb/872769

If you really need to disable Windows Firewall for all Windows XP clients, you can perform the following steps:

1. On the SBS server, type "GPMC.msc" in the command prompt to open the Group Policy Management Console.
2. In the left panel, expand Domains---->SBS.local.
3. Right click the Small Business Server Windows Firewall GPO, and click Edit.
4. Disable "Windows Firewall: Protect all network connections" in [Computer Configuration--->Administrative Templates--->Network--->Network Connections--->Windows Firewall--->Domain Profile].
5. On the client, run "gpupdate /force" to refresh the Windows Firewall settings.

Hope it helps.

If you have any questions or concerns, please do not hesitate to let me know. I am glad to help.

Best regards,

Miles Li
Microsoft Online Partner Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
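An added example, not from this thread or from Microsoft, of the check a client-side admin would want before touching the GPO above: it reads the standard Windows Firewall policy and local registry keys on the client to show which setting is actually winning for each profile (the reason the control panel is greyed out) and which exceptions the policy already defines, so an application can be allowed through rather than the firewall switched off. It assumes PowerShell is installed on the client and that the policy came from the GPO described above; no key or value name beyond the standard firewall registry locations is assumed.

```powershell
# Added example, not from the thread: audit what Group Policy is enforcing for
# Windows Firewall on an XP SP2-or-later client and list the exceptions the
# policy already carries. Run on the client after "gpupdate /force".
# Assumes PowerShell is present on the client; the registry locations are the
# standard Windows Firewall policy and local-settings keys.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$LocalRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-EnableFirewallValue {
    param([string]$Key)
    # Returns 1 or 0 if EnableFirewall exists under $Key, otherwise $null.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item -and ($item.PSObject.Properties.Name -contains 'EnableFirewall')) {
        return [int]$item.EnableFirewall
    }
    return $null
}

function Get-FirewallProfileState {
    param([string]$ProfileName)   # 'DomainProfile' or 'StandardProfile'
    $policy = Get-EnableFirewallValue (Join-Path $PolicyRoot $ProfileName)
    $local  = Get-EnableFirewallValue (Join-Path $LocalRoot  $ProfileName)
    # A value under the Policies key overrides the local setting; that override
    # is why the Windows Firewall control panel is greyed out on domain clients.
    $effective = if ($policy -ne $null) { $policy } else { $local }
    New-Object PSObject -Property @{
        Profile   = $ProfileName
        Policy    = $policy        # $null = "Not configured" in the GPO
        Local     = $local
        Effective = $effective     # 1 = firewall on, 0 = off
        Source    = if ($policy -ne $null) { 'Group Policy' } else { 'Local setting' }
    }
}

function Get-FirewallPolicyExceptions {
    param([string]$ProfileName)
    $out = @()
    foreach ($listName in 'AuthorizedApplications', 'GloballyOpenPorts') {
        $key = Join-Path $PolicyRoot "$ProfileName\$listName\List"
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            # XP SP2 policy value format:
            #   apps:  "<path>:<scope>:Enabled|Disabled:<display name>"
            #   ports: "<port>:<TCP|UDP>:<scope>:Enabled|Disabled:<display name>"
            # Fields are taken from the right because an app path contains "C:".
            $parts = [string]$prop.Value -split ':'
            if ($parts.Count -lt 4) { continue }        # malformed entry, skip it
            $out += New-Object PSObject -Property @{
                Profile = $ProfileName
                Kind    = $listName
                Entry   = $prop.Name                    # path, or "port:proto"
                Scope   = $parts[$parts.Count - 3]      # "*" = any; or LocalSubnet / address list
                State   = $parts[$parts.Count - 2]
                Name    = $parts[$parts.Count - 1]
            }
        }
    }
    return $out
}

# Report both profiles. On a domain-joined client the Domain profile is the
# one the "Small Business Server Windows Firewall" GPO edits.
foreach ($p in 'DomainProfile', 'StandardProfile') {
    Get-FirewallProfileState $p | Format-List Profile, Source, Policy, Local, Effective | Out-Host
    $exceptions = @(Get-FirewallPolicyExceptions $p)
    if ($exceptions.Count -eq 0) {
        Write-Output "No exceptions defined by policy for $p"
    } else {
        $exceptions | Format-Table Kind, Entry, Scope, State, Name -AutoSize | Out-Host
    }
}
```

If Effective still shows 1 with Source = Group Policy after the GPO edit and gpupdate, another GPO is setting the same value; rsop.msc shows which one wins.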
Lanwench [MVP - Exchange]
Leythos <> wrote:
>> I agree. Permanently disabling Windows Firewall assumes all your employees are security experts and know not to load this COOL app they've downloaded on their USB Thumb Drive.
>
> Since the default for SBS users is to make them all Local Administrators, it doesn't really matter - malware running as the user that is a local admin can bypass the GPO settings and do what it wants - not to mention that the default is File and Printer sharing ENABLED in a SBS network, so it can spread easily.
>
> It's easy enough to disable USB drives.

True, that. However, a local admin can also bypass that if they can bypass other GPO settings. Users are only granted local admin rights when you first join a workstation to the domain & assign a user to it, which you do only if you're migrating an existing local profile to a domain profile. So it shouldn't happen when you've got a running network. Even then, it takes only a few seconds to remove them immediately afterwards (or use restricted groups), which is what I do at all my client sites.
Susan Bradley
Leythos wrote:
>> Good luck with that
>
> Russ, help me out here: If Windows Firewall has File/Print sharing enabled then how is a computer protected from malware?

SQL Slammer. If Windows Firewalls had been enabled inside a network, SQL Slammer would not have occurred. We haven't had a really good juicy worm BECAUSE firewalls are on by default. The bad guys had to change their play book as a result. I think you are missing the point that the security theater changed because firewalls are now on. If you really wanna do the right thing you set it up so that workstations cannot directly email out their port 25.
Susan Bradley
There were internal-only databases listening on those SQL ports, but they did not have to be open to an internal worm. Chip from SQL Security amassed a huge list of MSDE-based apps that most of us had no clue were SQL based and did not need 1433 or 1434 listening on the inside of the LAN. Just like Blaster, someone VPN'd in and nailed the network. The internal firewall on blocks this behavior.

"The point I'm trying to make is that with File/Printer sharing enabled by default, with the firewall exception for F/P sharing, and then we have UPNP enabled as an exception on some..... With those enabled and the exceptions your computer is almost completely unprotected by Windows Firewall."

That's very much stretching it. And certainly you can adjust the file and printing ports so that they only respond to certain connections. Just as you have certain ways to deploy networks and don't use all the defaults, so do many of us. There's no blanket 'one size' here, merely opinions and what we feel comfortable with. Vista firewall is even more granular.

Leythos wrote:
>> Leythos wrote:
>>>> Good luck with that
>>>
>>> Russ, help me out here: If Windows Firewall has File/Print sharing enabled then how is a computer protected from malware?
>>
>> SQL Slammer.
>>
>> If Windows Firewalls had been enabled inside a network, SQL Slammer would not have occurred.
>
> Sure it would, because SQL came in on 1433/1434, those ports have to be open on the computers running SQL for it to work.
>
> If you had a computer that wasn't running SQL you didn't have an issue, since the worm didn't infect computers not running SQL.
>
> I saw tons of SQL servers exposed directly through firewalls to the public, and I also saw masses of personal computers directly connected to the internet with no NAT or Firewall that were compromised, but the ones that had a firewall also had an exception for 1433/1434 because the software installed an exception for SQL in the firewall.
>
>> We haven't had a really good juicy worm BECAUSE firewalls are on by default. The bad guys had to change their play book as a result.
>
> While I agree, in a Business it's not quite the same. A PC directly connected to the net, say from Dell, will have File/Printer sharing enabled by default with XP SP2 installed - that means that anyone on the internet can try and connect on the standard file sharing ports of that default PC, so, they are open to massively more hacks than if it was just SQL Slammer.
>
> Anyone behind a NAT router didn't have to worry about the SQL Slammer, other than the disruption to service.
>
> Anyone that had a clue about firewalls and threats wasn't compromised by SQL Slammer because they checked or knew enough to block 1433/1434 access to the WAN side. They also knew to not allow 1433/1434 Outbound to start with. Some NAT Routers also allow trapping output ports, but most people using them didn't have any idea how to do that.
>
>> I think you are missing the point that the security theater changed because firewalls are now on.
>
> The point I'm trying to make is that with File/Printer sharing enabled by default, with the firewall exception for F/P sharing, and then we have UPNP enabled as an exception on some..... With those enabled and the exceptions your computer is almost completely unprotected by Windows Firewall.
>
>> If you really wanna do the right thing you set it up so that workstations cannot directly email out their port 25.
>
> Won't make a difference as our networks only allow Outbound SMTP from the Exchange server IP. That's an entirely different subject.
>
> I'll ask again - if your windows firewall has File/Printer sharing enabled by default, just how protected are you really?
Damacene Felix
I did all as you suggested, but when I run RSOP.msc on the client PC it still remains enabled. The problem is that I have 3 PCs on the network that have an accounting package, and the firewall has to be disabled for them to work. The last thing I want is to re-set up the server. Is there another way around, or do I need to re-set up?
Previous Posts In This Thread:

On Wednesday, September 17, 2008 5:17 PM Holz wrote:

It is controlled by the SBS Firewall policies. Unless you are installing another firewall, why would you disable it?

- Holz

On Wednesday, September 17, 2008 6:49 PM Lanwench [MVP - Exchange] wrote:

It is controlled by group policy (you can always find out which if you run rsop.msc on a workstation). Instead of disabling it, I would suggest setting up exceptions in it.

On Wednesday, September 17, 2008 7:59 PM Michael Jenkin [SBS-MVP] wrote:

Actually, I have seen the need to do this for some Accounting packages. They do not play well with the firewall, especially some versions of MYOB.

-- Michael J. Jenkin, MVP - SBS, MCP, Small Business Specialist, Senior Systems Engineer. Visit http://www.mickyj.com

On Wednesday, September 17, 2008 8:24 PM Holz wrote:

I would not run anything that will force me to compromise my security, but that is my opinion.

-- Jerry McGuire: Help me, help you...

On Wednesday, September 17, 2008 8:25 PM Holz wrote:

In the SBS management console, advanced management.

On Wednesday, September 17, 2008 11:02 PM Lanwench [MVP - Exchange] wrote:

Yes, in GPOs. Start | run | gpmc.msc

On Thursday, September 18, 2008 12:32 AM Russ (www.SBITS.Biz) wrote:

I agree. Permanently disabling Windows Firewall assumes all your employees are security experts and know not to load this COOL app they've downloaded on their USB Thumb Drive.

Russ
-- Russell Grover - SBITS.Biz, Microsoft Gold Certified Partner, Microsoft Small Business Specialist, World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz

On Thursday, September 18, 2008 8:02 AM Leythos wrote:

Since the default for SBS users is to make them all Local Administrators, it doesn't really matter - malware running as the user that is a local admin can bypass the GPO settings and do what it wants - not to mention that the default is File and Printer sharing ENABLED in a SBS network, so it can spread easily.

It's easy enough to disable USB drives.

-- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address)

On Thursday, September 18, 2008 10:39 AM Russ (www.SBITS.Biz) wrote:

So the guy who brings in his own laptop and plugs into the network? How do you stop the virus on his PC from causing network havoc? Just like I don't leave my wallet on the dashboard of my car when I go into the store, I think disabling a PC firewall is foolish. I'm pretty sure MOST Security Experts would agree... However I'm just an Amateur, so I listen to what Experts say.

Russ

On Thursday, September 18, 2008 10:42 AM Russ (www.SBITS.Biz) wrote:

I'd like to add: any product that requires you to disable security features would NEVER be on any network I implement.

Russ

On Thursday, September 18, 2008 2:22 PM Cliff Galiher wrote:

No. A firewall force-enabled by a GPO cannot be disabled by a local admin, actually. But more importantly, I'm a firm believer that once a machine is owned, it doesn't matter. The firewall protects the threat from spreading by protecting the OTHER machines from incoming connections, not by protecting that machine's outgoing connections. And the SBS wizard only makes a user a local admin on that one machine; they don't have any admin privileges on the other machines that the malware might try to spread to. And finally, as I indicated in my first post on this subject, some environments require USB keys, so disabling the USB drive is not a legitimate argument in this case.

Ultimately though my question is this: Why *not* run the firewall? More security is never a bad thing.

-Cliff

On Thursday, September 18, 2008 2:25 PM Cliff Galiher wrote:

Since this conversation has already wandered well off point, I figure it is safe to go ahead and mention that...although I agree with you (after all I'm the one that started the whole "keep the firewall enabled" argument), this shouldn't be your only defense. In any reasonably sized network, you should also be using IPSec and, if appropriate, a managed switch with 802.1X authenticating ports. That would help mitigate the risk of a rogue laptop.

And can I say I'm *Really* looking forward to full network quarantine with SBS2k8?

-Cliff

On Thursday, September 18, 2008 2:34 PM Leythos wrote:

If you don't make all users that MIGHT use a computer a local admin, the SBS script will not properly configure their Outlook for them when they logon. When you have 30 users and 50 PC's, and users can sit at any PC, it's an impossible task to go log each and every combination of users on to each PC. Needing Local Admin rights is a serious security flaw in SBS.

On Thursday, September 18, 2008 2:36 PM Leythos wrote:

First, laptops that are not company are not permitted. Second, if each computer in the network has File/Printer sharing enabled, by default, the malware can spread easily, so WF does nothing. All AV is controlled by server, users can't disable it, so, between company policy, people that police each other, and AV, that's more protection than WF. What you need to be asking is WHY does SBS make users local admins and WHY are local workstations defaulted to File and Printer sharing enabled?

On Thursday, September 18, 2008 2:40 PM Leythos wrote:

In all my years of having Windows workstations, having never had a single managed one compromised (notice I said Managed), I've never seen the Windows firewall protect anyone at any other location that we don't manage. Every compromised computer I've seen has Windows Firewall enabled; every new client we get that already has multiple systems compromised has Windows Firewall running. etc.... With thousands of machines in many networks, none of them having WF enabled, all of them have File/Printer sharing disabled, all of them with as few local admin users, and tons of other protection, not one of them has been compromised. So, I'll stick with not using WF and having to deal with the problems it causes, since I've not seen where it is of any benefit to anyone.

On Thursday, September 18, 2008 5:00 PM Russ (www.SBITS.Biz) wrote:

So you stop EVERYONE at the DOOR of EVERY Business and say "Do you have a Laptop in that Backpack?" Or is it just Policy? As you know, people don't follow policies, and AV is not enough to stop Worms, as you know some of the worms that have been out. Go ahead, turn OFF all Firewalls. I just PERSONALLY think it's not a good idea and I feel it's foolish; you just have a different Opinion, that's all :) I have my policy with clients and you have yours. And you ask me why SBS makes everyone an admin? Since I didn't write SBS2003 code I don't feel I'm qualified to answer that; maybe ask Microsoft. I do what I believe..

Russ

On Thursday, September 18, 2008 5:20 PM Cliff Galiher wrote:

Okay kids, let's not get hostile. As I've said, I'm pro-firewall. But, to stop the rogue laptop I use IPSec. I use managed switches whenever possible with 802.1X. A firewall is just ONE tool in a security setup. I also like my Makita rotary sander. Some people prefer to sand by hand....it just FEELS better. As you said Russ, it is a difference of opinion. I'm with ya, but I wouldn't go so far as to call someone 'foolish' for not doing it my way. Of course some things *are* foolish....like browsing the web from your server (tongue-in-cheek here, I know people disagree with me on THAT one) so I can see why you might feel that way about not using a firewall. But for my own part, I feel Leythos has proven helpful to many posters here and seems to be...aside from this difference of opinion....security conscious. So maybe my personal opinion of the person affects my judgment of their actions in this instance. I'd admittedly probably give a newcomer less rope. But I'm kinda sorta abrasive that way...as many can attest to.

Regardless, I think this thread has become unintentionally more hostile than intended. Can we just accept that there are different people that hold the merits of a workstation firewall in different regard without getting mean? practices turn nasty because somebody misinterpreted a post using the word 'foolish' as a personal attack. I've already said I have a high opinion of Leythos, but I've also seen you be very helpful and I think I'm a good judge of character. I'd be surprised if you meant your comment to be a personal attack, but I also know that is how I first read it...even if unintentional...so y'know...I could see how others might get a little bent. Maybe I'm just seeing ghosts though and trying to stop a fight that never would've started. It has been known to happen.

-Cliff

On Thursday, September 18, 2008 6:36 PM Jim Behning SBS MVP wrote:

On Thu, 18 Sep 2008 14:34:07 -0400, Leythos <> wrote:

Well you have a point about that Outlook profile. I don't have many offices where people play musical chairs so I do not or have not suffered but an occasional Outlook profile issue. Darned PSTs when they do it themselves.

See what SBS support is working on: http://blogs.technet.com/sbs/default.aspx
Check your SBS with the SBS Best Practices Analyzer: http://blogs.technet.com/sbs/archive...A/default.aspx

On Thursday, September 18, 2008 7:11 PM Leythos wrote:

Nope, it's company policy, discipline up to Discharge.

Yep, but most do, when they think about the value of their job.

If File/Printer sharing is enabled and others are enabled by default, what is it really protecting you from?

Yep, I used to think that way too, but, ask yourself, with the standard exceptions, what is it really protecting you from?

No, I'm asking you if you think it's a good idea?

On Thursday, September 18, 2008 7:15 PM Leythos wrote:

In every installation we manage, everything is roaming, all profiles, my documents, etc.... Even their desktops. While many people never use a second computer, most, since we do a lot of medical, roam the facility. While managers' computers are only used by the single manager, that same manager may logon to 10 different computers at any given time in a day. Same with factory systems, they have the "freedom" to roam anywhere and they love it.

On Thursday, September 18, 2008 7:24 PM Russ (www.SBITS.Biz) wrote:

I was calling myself Foolish.. If I did that.. If you do that? Just part of your Business Model. To each his own.

Russ

On Thursday, September 18, 2008 7:25 PM Russ (www.SBITS.Biz) wrote:

Good luck with that.

Russ

On Thursday, September 18, 2008 7:57 PM Leythos wrote:

Russ, help me out here: If Windows Firewall has File/Print sharing enabled then how is a computer protected from malware?

On Thursday, September 18, 2008 8:58 PM Leythos wrote:

Sure it would, because SQL came in on 1433/1434, those ports have to be open on the computers running SQL for it to work.

If you had a computer that wasn't running SQL you didn't have an issue, since the worm didn't infect computers not running SQL.

I saw tons of SQL servers exposed directly through firewalls to the public, and I also saw masses of personal computers directly connected to the internet with no NAT or Firewall that were compromised, but the ones that had a firewall also had an exception for 1433/1434 because the software installed an exception for SQL in the firewall.

While I agree, in a Business it's not quite the same. A PC directly connected to the net, say from Dell, will have File/Printer sharing enabled by default with XP SP2 installed - that means that anyone on the internet can try and connect on the standard file sharing ports of that default PC, so, they are open to massively more hacks than if it was just SQL Slammer.

Anyone behind a NAT router didn't have to worry about the SQL Slammer, other than the disruption to service.

Anyone that had a clue about firewalls and threats wasn't compromised by SQL Slammer because they checked or knew enough to block 1433/1434 access to the WAN side. They also knew to not allow 1433/1434 Outbound to start with. Some NAT Routers also allow trapping output ports, but most people using them didn't have any idea how to do that.

The point I'm trying to make is that with File/Printer sharing enabled by default, with the firewall exception for F/P sharing, and then we have UPNP enabled as an exception on some..... With those enabled and the exceptions your computer is almost completely unprotected by Windows Firewall.

Won't make a difference as our networks only allow Outbound SMTP from the Exchange server IP. That's an entirely different subject.

I'll ask again - if your windows firewall has File/Printer sharing enabled by default, just how protected are you really?

On Thursday, September 18, 2008 9:19 PM Russ (www.SBITS.Biz) wrote:

I'll bow out now, because I don't like Tilting at Windmills. Leythos, if your company policy is to disable firewalls then your Company Policy is to disable firewalls. I'm not going to Debate your policy. Because your clients are yours, Not MINE! You can tell your clients to disable any security feature you'd like... Me? Nope... IMO this is a difference in consulting practices.. Mine is different than yours, and I think we should just leave it at that.

Russ

On Thursday, September 18, 2008 10:18 PM Leythos wrote:

Russ, this wasn't an argument, it was a question. Susan answered what she thought; I just wondered what you thought WF offered if the default F/P settings were to allow connections, that's all this is/was.

On Thursday, September 18, 2008 11:56 PM Cliff Galiher wrote:

For the record, file and printer sharing opens that SERVICE. If you properly use ACLs then the malware still can't spread....the client has the service running but is not able to plant itself as a file anywhere because it doesn't have appropriate access.

Now, if a blended threat uses a non-network exploit to elevate permissions and it installs itself on a PC...perhaps from an email that is a zero-day exploit so no AV caught it, or a USB key, or a CD, or whatever, then it is now on that PC running. As a blended threat, it tries to spread itself multiple ways, including port scanning other machines and finding open RPC ports. Since any RPC request gets assigned a random port above 1023, it isn't predictable where this may open and the 3rd-party app may have an undisclosed exploit. In many cases, a 3rd party program creates an RPC listening port on all interfaces, even though it really only needed to listen on the loopback interface. A firewall would prevent such an attack. Over the last year, there have been exploits found for various RPC calls, MSDTC, etc. So realistically it *is* possible to exploit these without a firewall...and none of these are "file/printer sharing" based as none would be attacked on ports 135/445.

You are correct though that, if an exploit was found with the file/print sharing service on those ports then the firewall won't protect against a threat if it is configured to allow traffic through. But that is only one possible scenario. I, for one, still think firewalls have their uses.

-Cliff

On Friday, September 19, 2008 7:49 AM Leythos wrote:

Thanks for the info. I agree that a firewall can be good; I was not suggesting that anyone else make it part of their policy. Based on what I've seen in this group over the years, I think that few people actually install a Firewall Appliance (a real firewall), lock users out of CD/DVD drives, lock them out of USB drives, limit them to only Limited User status, use GPO to lock down their IE settings, their firewall settings, and many other settings, as a standard setup - other than what is shipped as default with SBS. Maybe we've just been lucky, having never had a client, managed, that had a malware outbreak on their networks.

On Saturday, September 20, 2008 8:15 AM melicka wrote: Disable Windows Firewall

Using SBS 2003 Premium R2. How do we disable the Windows Firewall on XP SP2 clients? It's greyed out. Is this controlled through a GPO... If so, where? How do we change it? We need to disable it to deploy Symantec EPP to clients. Thanks.
On Saturday, September 20, 2008 8:15 AM compsosin wrote: Re: Disable Windows Firewall d Where are those SBS Firewall policies exactly...in a GPO or else where..thanks Submitted via EggHeadCafe - Software Developer Portal of Choice Integrate Windows Live ID Authentication with ASP.NET Membership, Profiles and Roles http://www.eggheadcafe.com/tutorials...s-live-id.aspx
Damacene Felix
Guest
Posts: n/a
I have done all as you explained but it stays the same
I even restarted the server, but when I use RSOP.msc on the client it's all enabled. Is there another way around, or something I can do without having to reinstall the server? There is an accounting software that has to be used between three users, and it doesn't work when it is installed on the server. v-milel wrote: Hello,Thank you for posting here. 18-Sep-08 Hello, Thank you for posting here. According to your description, I understand that: You have a concern about the Windows Firewall on the SBS domain clients. If I have misunderstood the problem, please don't hesitate to let me know. Explanation: ======================== For SBS client computers, there is a Group Policy named Small Business Server Windows Firewall that controls the behave of the Windows XP SP2 firewall. You can verify the applied Windows Firewall settings on the clients in RSOP.msc. Just as Lanwench and Russ mentioned, generally speaking, we should never disable Windows Firewall as a whole; instead, you could configure Windows Firewall exception based on applications requirement. To configure Windows Firewall group policy, please refer to the following Microsoft Knowledge Base articles: Windows XP Service Pack 2 and Windows Small Business Server http://technet.microsoft.com/en-us/library/cc672128.aspx How to Configure Windows Firewall in a Small Business Environment Using Group Policy http://www.microsoft.com/technet/sec...ech/windowsxp/ wgrppol.mspx 872769 You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network http://support.microsoft.com/kb/872769 If you really need to disable Windows Firewall for all Windows XP clients, you can perform the following steps: 1. On the SBS server, type "GPMC.msc" in the command prompt to open the Group Policy Management Console. 2. In the left panel, expand Domains---->SBS.local. 3.
Right click the Small Business Server Windows Firewall GPO, and click edit. 4. Disable the Windows Firewall: Protect all network connections in the [computer configuration--->Administrative Template--->Network--->Network connections--->Windows Firewall--->Domain profile]. 5. On the client, run "gpupdate /force" to refresh the Windows Firewall settings. Hope it helps. If you have any questions or concerns, please do not hesitate to let me know. I am glad to help. Best regards, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security ================================================== === When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== === This posting is provided "AS IS" with no warranties, and confers no rights. Previous Posts In This Thread: On Wednesday, September 17, 2008 5:17 PM Holz wrote: Re: Disable Windows Firewall It is controlled by the SBS Firewall policies. Unless you are installing another firewall, why would you disable it? - Holz On Wednesday, September 17, 2008 6:49 PM Lanwench [MVP - Exchange] wrote: Re: Disable Windows Firewall It is controlled by group policy (you can always find out which if you run a rsop.msc on a workstation). Instead of disabling it, I would suggest setting up exceptions in it. On Wednesday, September 17, 2008 7:59 PM Michael Jenkin [SBS-MVP] wrote: Actually, I have seen the need to do this for some Accounting packages. Actually, I have seen the need to do this for some Accounting packages. They do not play well with the firewall, especially some versions of MYOB. Holz wrote -- Michael J.
Jenkin MVP - SBS, MCP, Small Business Specialist, Senior Systems Engineer Visit http://www.mickyj.com On Wednesday, September 17, 2008 8:24 PM Holz wrote: Re: Disable Windows Firewall Michael Jenkin [SBS-MVP] wrote: I would not run anything that will force me to compromise my security, but that is my opinion. -- Jerry McGuire: Help me, help you... On Wednesday, September 17, 2008 8:25 PM Holz wrote: Re: Disable Windows Firewall in the SBS management console, advanced management. -- Jerry McGuire: Help me, help you... On Wednesday, September 17, 2008 11:02 PM Lanwench [MVP - Exchange] wrote: Re: Disable Windows Firewall Yes, in GPOs. Start | run | gpmc.msc On Thursday, September 18, 2008 12:32 AM Russ \(www.SBITS.Biz\) wrote: I agree Permanent disable windows firewall assumes all your employees are I agree Permanent disable windows firewall assumes all your employees are security experts and know not to load this COOL app they've downloaded on their USB Thumb Drive. Russ -- Russell Grover - SBITS.Biz Microsoft Gold Certified Partner Microsoft Small Business Specialist World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz "Lanwench [MVP - Exchange]" < hoo.com> wrote in message news:... On Thursday, September 18, 2008 5:44 AM v-milel wrote: Hello,Thank you for posting here. Hello, Thank you for posting here. According to your description, I understand that: You have a concern about the Windows Firewall on the SBS domain clients. If I have misunderstood the problem, please don't hesitate to let me know. Explanation: ======================== For SBS client computers, there is a Group Policy named Small Business Server Windows Firewall that controls the behave of the Windows XP SP2 firewall. You can verify the applied Windows Firewall settings on the clients in RSOP.msc.
Just as Lanwench and Russ mentioned, generally speaking, we should never disable Windows Firewall as a whole; instead, you could configure Windows Firewall exception based on applications requirement. To configure Windows Firewall group policy, please refer to the following Microsoft Knowledge Base articles: Windows XP Service Pack 2 and Windows Small Business Server http://technet.microsoft.com/en-us/l.../cc672128.aspx How to Configure Windows Firewall in a Small Business Environment Using Group Policy http://www.microsoft.com/technet/sec...ch/windowsxp/f wgrppol.mspx 872769 You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network http://support.microsoft.com/kb/872769 If you really need to disable Windows Firewall for all Windows XP clients, you can perform the following steps: 1. On the SBS server, type "GPMC.msc" in the command prompt to open the Group Policy Management Console. 2. In the left panel, expand Domains---->SBS.local. 3. Right click the Small Business Server Windows Firewall GPO, and click edit. 4. Disable the Windows Firewall: Protect all network connections in the [computer configuration--->Administrative Template--->Network--->Network connections--->Windows Firewall--->Domain profile]. 5. On the client, run "gpupdate /force" to refresh the Windows Firewall settings. Hope it helps. If you have any questions or concerns, please do not hesitate to let me know. I am glad to help. Best regards, Miles Li Microsoft Online Partner Support Microsoft Global Technical Support Center Get Secure! - www.microsoft.com/security ================================================== === When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== === This posting is provided "AS IS" with no warranties, and confers no rights. 
On Thursday, September 18, 2008 8:02 AM Leythos wrote: Re: Disable Windows Firewall In article <>, says... Since the default for SBS users is to make them all Local Administrators, it doesn't really matter - malware running as the user that is a local admin can bypass the GPO settings and do what it wants - not to mention that the default is File and Printer sharing ENABLED in a SBS network, so it can spread easily. It's easy enough to disable USB drives. -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 9:26 AM Lanwench [MVP - Exchange] wrote: Re: Disable Windows Firewall Leythos <> wrote: True, that. However, a local admin can also bypass that if they can bypass other GPO settings. Users are only granted local admin rights when you first join a workstation to the domain & assign a user to it, which you do only if you're migrating an existing local profile to a domain profile. So it shouldn't happen when you've got a running network. Even then, it takes only a few seconds to remove them immediately afterwards (or use restricted groups) which is what I do at all my client sites. On Thursday, September 18, 2008 10:39 AM Russ \(www.SBITS.Biz\) wrote: So the guy who brings in his own laptop and plugs into the network? So the guy who brings in his own laptop and plugs into the network? How do you stop the virus on his PC from causing network Havok? Just like I don't leave my wallet on the dashboard on my car when I go into the store I think Disabling a PC firewall is Foolish. I'm pretty sure MOST Security Experts would agree... However I'm just an Amateur So I listen to what Experts say. Russ -- Russell Grover - SBITS.Biz Microsoft Gold Certified Partner Microsoft Small Business Specialist World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz "Leythos" <> wrote in message news:...
On Thursday, September 18, 2008 10:42 AM Russ \(www.SBITS.Biz\) wrote: I'd like to addAny Product that required to Disable Security Features? I'd like to add Any Product that required to Disable Security Features? Would NEVER been on any network I implement Russ -- Russell Grover - SBITS.Biz Microsoft Gold Certified Partner Microsoft Small Business Specialist World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz "Russ (www.SBITS.Biz)" <> wrote in message news:... On Thursday, September 18, 2008 2:22 PM Cliff Galiher wrote: No. No. A firewall forced enabled by a GPO cannot be disabled by a local admin, actually. But more importantly, I'm a firm believer that once a machine is owned, it doesn't matter. The firewall protects the threat from spreading by protecting the OTHER machines from incoming connections, not by protecting that machine's outgoing connections. And the SBS wizard only makes a user a local admin on that one machine, they don't have any admin privileges on the other machines that the malware might try to spread to. And finally, as I indicated in my first post on this subject, some environments require USB keys, so disabling the USB drive is not a legitimate argument in this case. Ultimately though my question is this: Why *not* run the firewall? More security is never a bad thing. ![]() -Cliff "Leythos" <> wrote in message news:... On Thursday, September 18, 2008 2:25 PM Cliff Galiher wrote: Since this conversation has already wandered well off point, I figure it is Since this conversation has already wandered well off point, I figure it is safe to go ahead and mention that...although I agree with you (after all I'm the one that started the whole "keep the firewall enabled" argument) that this shouldn't be your only defense. In any reasonably sized network, you should also be using IPSec and, if appropriate, a managed switch with 802.1X authenticating ports. That would help mitigate the risk of a rogue laptop. 
And can I say I'm *Really* looking forward to full network quarantine with SBS2k8? ![]() -Cliff "Russ (www.SBITS.Biz)" <> wrote in message news:... On Thursday, September 18, 2008 2:34 PM Leythos wrote: Re: Disable Windows Firewall In article <u$>, ...latyah oo.com says... If you don't make all users that MIGHT use a computer a local admin the SBS script will not properly configure their Outlook for them when they logon. When you have 30 users and 50 PC's, and users can sit at any PC, it's an impossible task to go log each and ever combination of users on to each PC. Needing Local Admin rights is a serious security flaw in SBS. -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 2:36 PM Leythos wrote: Re: Disable Windows Firewall In article <>, says... First, laptops that are not company are not permitted. Second, if each computer in the network has File/Printer sharing enabled, by default, the malware can spread easily, so WF does nothing. All AV is controlled by server, users can't disable it, so, between company policy, people that police each other, and AV, that's more protection than WF. What you need to be asking is WHY does SBS make users local admins and WHY are local workstations defaulted to File and Printer sharing enabled? -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 2:40 PM Leythos wrote: Re: Disable Windows Firewall In article <>, says... In all my years of having Windows workstations, having never had a single managed one compromised (notice I said Managed), I've never seen the Windows firewall protect anyone at any other location that we don't manage. 
Every compromised computer I've seen has Windows Firewall enabled, every new client we get that already has multiple systems compromised has windows firewall running. etc.... With thousands of machines in many networks, none of them having WF enabled, all of them have File/Printer sharing disabled, all of them with as few local admin users, and tons of other protection, not one of them has been compromised. So, I'll stick with not using WF and having to deal with the problems it causes, since I've not seen where it is of any benefit to anyone. -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 5:00 PM Russ \(www.SBITS.Biz\) wrote: So you stop EVERYONE at the DOOR of EVERY Business and Say Do you have a Laptop So you stop EVERYONE at the DOOR of EVERY Business and Say Do you have a Laptop in that Backpack? Or is it just Policy? as you know People don't follow policies. and AV is not enough to stop Worms as you know some of the worms that have been out. Go ahead Turn OFF all Firewall.. I just PERSONALLY think it's not a good idea and I feel it's foolish you just have a different Opinion that's all ![]() I have my policy with clients and you have yours And you ask me why SBS makes everyone an admin Since I didn't write SBS2003 code I don't feel I'm qualified to answer that maybe ask Microsoft I do what I believe.. Russ -- Russell Grover - SBITS.Biz Microsoft Gold Certified Partner Microsoft Small Business Specialist World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz "Leythos" <> wrote in message news:... On Thursday, September 18, 2008 5:20 PM Cliff Galiher wrote: Re: Disable Windows Firewall Okay kids, let's not get hostile. As I've said, I'm pro-firewall. But, to stop the rogue laptop I use IPSec. I use managed switches whenever possible with 802.1X.
A firewall is just ONE tool in a security setup. I also like my makita rotary sander. Some people prefer to sand by hand....it just FEELS better. As you said Russ, it is a difference of opinion. I'm with ya, but I wouldn't go so far as to call someone 'foolish' for not doing it my way. Of course some things *are* foolish....like browsing the web from your server (tongue-in-cheek here, I know people disagree with me on THAT one) so I can see why you might feel that way about not using a firewall. But for my own part, I feel Leythos has proven helpful to many posters here and seems to be...aside from this difference of opinion....security conscious. So maybe my personal opinion of the person affects my judgment of their actions in this instance. I'd admittedly probably give a newcomer less rope. But I'm kinda sorta abrasive that way...as many can attest to. Regardless, I think this thread has become unintentionally more hostile than intended. Can we just accept that there are different people that hold the merits of a workstation firewall in different regard without getting mean? practices turn nasty because somebody misinterpreted post using the word 'foolish' as a personal attack. I've already said I have a high opinion of Leythos, but I've also seen you be very helpful and I think I'm a good judge of character. I'd be surprised if you meant your comment to be a personal attack, but I also know that is how I first read it...even if unintentional...so y'know...I could see how others might get a little bent. Maybe I'm just seeing ghosts though and trying to stop a fight that never would've started. It has been known to happen. -Cliff "Russ (www.SBITS.Biz)" <> wrote in message news:... On Thursday, September 18, 2008 6:36 PM Jim Behning SBS MVP wrote: Re: Disable Windows Firewall On Thu, 18 Sep 2008 14:34:07 -0400, Leythos <> wrote Well you have a point about that Outlook profile.
I don't have many offices where people play musical chairs so I do not or have not suffered but an occasional Outlook profile issue. Darned PSTs when they do it themselves See what SBS support is working on http://blogs.technet.com/sbs/default.aspx Check your SBS with the SBS Best Practices Analyzer http://blogs.technet.com/sbs/archive...A/default.aspx On Thursday, September 18, 2008 7:11 PM Leythos wrote: Re: Disable Windows Firewall In article <>, says... Nope, it's company policy, discipline up-to Discharge. Yep, but most do, when they think about the value of their job If File/Printer sharing is enabled and others are enabled by default, what is it really protecting you from? Yep, I use to think that way too, but, ask yourself, with the standard exceptions, what is it really protecting you from? No, I'm asking you if you think it's a good idea? -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 7:15 PM Leythos wrote: Re: Disable Windows Firewall In article <>, says... In every installation we manage, everything is roaming, all profiles, my documents, etc.... Even their desktops. While many people never use a second computer, most, since we do a lot of medical, roam the facility. While managers computers are only used by the single manager, that same manager may logon to 10 different computers at any given time in a day. Same with factory systems, they have the "freedom" to roam anywhere and they love it. -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 7:24 PM Russ \(www.SBITS.Biz\) wrote: I was calling my self Foolish.. If I did that..If you do that? I was calling my self Foolish.. If I did that.. If you do that?
Just part of your Business Model ![]() To each his own ![]() Russ -- Russell Grover - SBITS.Biz Microsoft Gold Certified Partner Microsoft Small Business Specialist World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz "Cliff Galiher" <> wrote in message news:. .. On Thursday, September 18, 2008 7:25 PM Russ \(www.SBITS.Biz\) wrote: Re: Disable Windows Firewall Good luck with that ![]() Russ -- Russell Grover - SBITS.Biz Microsoft Gold Certified Partner Microsoft Small Business Specialist World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz On Thursday, September 18, 2008 7:57 PM Leythos wrote: Re: Disable Windows Firewall In article <>, says... Russ, help me out here: If Windows Firewall has File/Print sharing enabled then how is a computer protected from malware? -- - Igitur qui desiderat pacem, praeparet bellum. - Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist" (remove 999 for proper email address) On Thursday, September 18, 2008 8:40 PM Susan Bradley wrote: Re: Disable Windows Firewall Leythos wrote: SQL slammer. If Windows Firewalls had been enabled inside a network, SQL slammer would not have occurred. We haven't had a really good juicy worm BECAUSE firewalls are on by default. The bad guys had to change their play book as a result. I think you are missing the point that the security theater changed because firewalls are now on. If you really wanna do the right thing you set it up so that workstations cannot directly email out their port 25. On Thursday, September 18, 2008 8:58 PM Leythos wrote: Re: Disable Windows Firewall In article <>, says... Sure it would, because SQL came in on 1433/1434, those ports have to be open of the computers running SQL for it to work. If you had a computer that wasn't running SQL you didn't have an issue, since the worm didn't infect computers not running SQL. 
On Saturday, September 20, 2008 8:15 AM compsosin wrote: Re: Disable Windows Firewall d Where are those SBS Firewall policies exactly...in a GPO or else where..thanks On Tuesday, January 05, 2010 6:43 AM Damacene Felix wrote: How do I disable firewall on remote client I done all as you suggested, but when I run RSOP.msc on the client Pc it still remains enable. The problem is that I have 3 Pc's on the network that has an accounting package and the firewall has to be disabled for them to work. The last thing I want is to resettup the server. Is there another way around or do I need to ressstup. Submitted via EggHeadCafe - Software Developer Portal of Choice Lightweight Remote Scripting with Cookies http://www.eggheadcafe.com/tutorials...te-script.aspx |
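Damacene's three PCs need the accounting package reachable, and the thread's answer is exclusions rather than disabling; KB 872769, linked in this thread, is the reason the client UI is greyed out. The following is an added example, not code from the thread or from Microsoft: it builds the entry for the GPO's "Define port exceptions" list, scoped to only the machines that need it, and applies the same exception locally on one client for a quick test. The port (TCP 1583), the three addresses and the exception name are assumptions; the package's real port is not given in the thread.

```powershell
# Added example, not from the thread: open only what the accounting package
# needs, scoped to the PCs that run it, instead of turning Windows Firewall off.
# Hypothetical values: the package listens on TCP 1583 and the three PCs are
# 192.168.16.21-23. Substitute the port and addresses the vendor documents.

$AppPort  = 1583
$AppHosts = '192.168.16.21,192.168.16.22,192.168.16.23'   # or '192.168.16.0/24', or 'LocalSubNet'

# Entry format used by the SBS Windows Firewall GPO setting
# Computer Configuration > Administrative Templates > Network > Network Connections >
# Windows Firewall > Domain Profile > "Windows Firewall: Define port exceptions",
# which Group Policy writes on each client under
# HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts\List:
#     Port:Transport:Scope:Status:Name
# Scope '*' accepts connections from any address; keep it to the hosts that need in.
function New-PortExceptionEntry {
    param(
        [int]    $Port,
        [string] $Transport = 'TCP',
        [string] $Scope     = 'LocalSubNet',
        [string] $Name
    )
    if ($Port -lt 1 -or $Port -gt 65535) { throw "port $Port out of range" }
    $Transport = $Transport.ToUpper()
    if (@('TCP', 'UDP') -notcontains $Transport) { throw 'transport must be TCP or UDP' }
    if ($Scope -match '\s' -or $Name -match ':') { throw "scope must not contain spaces and name must not contain ':'" }
    '{0}:{1}:{2}:enabled:{3}' -f $Port, $Transport, $Scope, $Name
}

# The same exception added locally on one client for a quick test, using the
# XP SP2 'netsh firewall' syntax (Vista and later use 'netsh advfirewall').
# Policy-defined settings are what the control panel shows greyed out; if the GPO
# sets "Allow local port exceptions" to Disabled, this local entry is ignored.
function Add-LocalPortException {
    param([int] $Port, [string] $Transport = 'TCP', [string] $Addresses, [string] $Name)
    if ($Name -match '\s') { throw 'use a name without spaces so netsh takes it as one token' }
    & netsh.exe firewall add portopening protocol=$Transport port=$Port name=$Name mode=ENABLE scope=CUSTOM addresses=$Addresses profile=DOMAIN
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

$entry = New-PortExceptionEntry -Port $AppPort -Scope $AppHosts -Name 'Accounting package'
"GPO 'Define port exceptions' entry to add: $entry"

# Ad-hoc local test on one of the three PCs, then confirm what is actually in force:
# Add-LocalPortException -Port $AppPort -Addresses $AppHosts -Name AccountingPkg
# netsh firewall show portopening      # local and policy exceptions, each with its scope
# netsh firewall show state            # active profile and whether Group Policy controls it
```

The GPO entry is the one to put in the Small Business Server Windows Firewall GPO that Miles Li's steps open; after `gpupdate /force` on a client, `netsh firewall show portopening` should list it with the three addresses as its scope, which is the check Damacene was missing when RSOP still showed the firewall enabled (enabled with a scoped exception is the intended end state, not disabled).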
Lanwench [MVP - Exchange]
On Tue, 05 Jan 2010 23:07:36 -0800, Damacene Felix wrote:
>I have done all as you explained but it stays the same
>I even restarted the server, but when I use RSOP.msc on the client it's all enabled. Is there another way around, or something I can do without having to reinstall the server? There is accounting software that has to be used between three users, and it doesn't work when it is installed on the server.

You're replying to a thread that's well over a year old. Try using a newsreader instead of the icky Egghead/Techarena interfaces ..... msnews.microsoft.com is the NNTP server you need to connect to. Also avoid 'me too' posts; submit new questions as new messages to get the most help.

That said, a) unless you're using two NICs (which you do not need without ISA) there is no server-based firewall and b) a client firewall should have exclusions set in it, not be disabled.

If you have further problems please post a *new* message, explaining everything you've tried in detail so we can try to help. Thanks.

>v-milel wrote:
>18-Sep-08
>
>Hello,
>
>Thank you for posting here.
>
>According to your description, I understand that:
>
>You have a concern about the Windows Firewall on the SBS domain clients.
>
>If I have misunderstood the problem, please don't hesitate to let me know.
>
>Explanation:
>========================
>For SBS client computers, there is a Group Policy named Small Business Server Windows Firewall that controls the behaviour of the Windows XP SP2 firewall. You can verify the applied Windows Firewall settings on the clients in RSOP.msc.
>
>Just as Lanwench and Russ mentioned, generally speaking, we should never disable Windows Firewall as a whole; instead, you could configure Windows Firewall exceptions based on application requirements. To configure Windows Firewall group policy, please refer to the following Microsoft Knowledge Base articles:
>
>Windows XP Service Pack 2 and Windows Small Business Server
>http://technet.microsoft.com/en-us/l.../cc672128.aspx
>
>How to Configure Windows Firewall in a Small Business Environment Using Group Policy
>http://www.microsoft.com/technet/sec...ch/windowsxp/fwgrppol.mspx
>
>872769 You cannot configure Windows Firewall settings or Security Center settings on a Windows XP Service Pack 2-based client computer that is in a Windows Small Business Server 2003-based network
>http://support.microsoft.com/kb/872769
>
>If you really need to disable Windows Firewall for all Windows XP clients, you can perform the following steps:
>
>1. On the SBS server, type "GPMC.msc" in the command prompt to open the Group Policy Management Console.
>2. In the left panel, expand Domains---->SBS.local.
>3. Right click the Small Business Server Windows Firewall GPO, and click edit.
>4. Disable the Windows Firewall: Protect all network connections in the [computer configuration--->Administrative Template--->Network--->Network connections--->Windows Firewall--->Domain profile].
>5. On the client, run "gpupdate /force" to refresh the Windows Firewall settings.
>
>Hope it helps. If you have any questions or concerns, please do not hesitate to let me know. I am glad to help.
>
>Best regards,
>Miles Li
>
>Microsoft Online Partner Support
>Microsoft Global Technical Support Center
>
>Get Secure! - www.microsoft.com/security
>=====================================================
>When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
>=====================================================
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>Previous Posts In This Thread:
>
>On Wednesday, September 17, 2008 5:17 PM
>Holz wrote:
>
>Re: Disable Windows Firewall
>It is controlled by the SBS Firewall policies.
>Unless you are installing another firewall, why would you disable it?
>
>--
>Holz
>
>On Wednesday, September 17, 2008 6:49 PM
>Lanwench [MVP - Exchange] wrote:
>
>Re: Disable Windows Firewall
>It is controlled by group policy (you can always find out which if you run an rsop.msc on a workstation). Instead of disabling it, I would suggest setting up exceptions in it.
>
>On Wednesday, September 17, 2008 7:59 PM
>Michael Jenkin [SBS-MVP] wrote:
>
>Actually, I have seen the need to do this for some Accounting packages. They do not play well with the firewall, especially some versions of MYOB.
>
>Holz wrote:
>
>--
>Michael J. Jenkin MVP - SBS, MCP, Small Business Specialist, Senior Systems Engineer
>Visit http://www.mickyj.com
>
>On Wednesday, September 17, 2008 8:24 PM
>Holz wrote:
>
>Re: Disable Windows Firewall
>Michael Jenkin [SBS-MVP] wrote:
>
>I would not run anything that will force me to compromise my security, but that is my opinion.
>
>--
>Jerry McGuire: Help me, help you...
>
>On Wednesday, September 17, 2008 8:25 PM
>Holz wrote:
>
>Re: Disable Windows Firewall
>In the SBS management console, advanced management.
>
>On Wednesday, September 17, 2008 11:02 PM
>Lanwench [MVP - Exchange] wrote:
>
>Re: Disable Windows Firewall
>Yes, in GPOs. Start | run | gpmc.msc
>
>On Thursday, September 18, 2008 12:32 AM
>Russ (www.SBITS.Biz) wrote:
>
>I agree. Permanently disabling Windows Firewall assumes all your employees are security experts and know not to load this COOL app they've downloaded on their USB Thumb Drive.
>
>Russ
>
>--
>Russell Grover - SBITS.Biz
>Microsoft Gold Certified Partner
>Microsoft Small Business Specialist
>World Wide 24hr Remote SBS2003 Support - http://www.SBITS.Biz
>
>"Lanwench [MVP - Exchange]" <> wrote in message news:...
>
>On Thursday, September 18, 2008 5:44 AM
>v-milel wrote:
>
>Hello, Thank you for posting here.
>
>On Thursday, September 18, 2008 8:02 AM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>Since the default for SBS users is to make them all Local Administrators, it doesn't really matter - malware running as the user that is a local admin can bypass the GPO settings and do what it wants - not to mention that the default is File and Printer sharing ENABLED in a SBS network, so it can spread easily.
>
>It's easy enough to disable USB drives.
>
>--
>- Igitur qui desiderat pacem, praeparet bellum.
>- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
>(remove 999 for proper email address)
>
>On Thursday, September 18, 2008 9:26 AM
>Lanwench [MVP - Exchange] wrote:
>
>Re: Disable Windows Firewall
>Leythos <> wrote:
>
>True, that. However, a local admin can also bypass that if they can bypass other GPO settings.
>
>Users are only granted local admin rights when you first join a workstation to the domain & assign a user to it, which you do only if you're migrating an existing local profile to a domain profile. So it shouldn't happen when you've got a running network. Even then, it takes only a few seconds to remove them immediately afterwards (or use restricted groups) which is what I do at all my client sites.
>
>On Thursday, September 18, 2008 10:39 AM
>Russ (www.SBITS.Biz) wrote:
>
>So the guy who brings in his own laptop and plugs into the network? How do you stop the virus on his PC from causing network havoc?
>
>Just like I don't leave my wallet on the dashboard of my car when I go into the store, I think disabling a PC firewall is Foolish.
>
>I'm pretty sure MOST Security Experts would agree... However I'm just an Amateur so I listen to what Experts say.
>
>Russ
>
>"Leythos" <> wrote in message news:...
>
>On Thursday, September 18, 2008 10:42 AM
>Russ (www.SBITS.Biz) wrote:
>
>I'd like to add: Any Product that requires you to Disable Security Features? Would NEVER be on any network I implement.
>
>Russ
>
>"Russ (www.SBITS.Biz)" <> wrote in message news:...
>
>On Thursday, September 18, 2008 2:22 PM
>Cliff Galiher wrote:
>
>No. A firewall force-enabled by a GPO cannot be disabled by a local admin, actually. But more importantly, I'm a firm believer that once a machine is owned, it doesn't matter. The firewall protects the threat from spreading by protecting the OTHER machines from incoming connections, not by protecting that machine's outgoing connections. And the SBS wizard only makes a user a local admin on that one machine; they don't have any admin privileges on the other machines that the malware might try to spread to.
>
>And finally, as I indicated in my first post on this subject, some environments require USB keys, so disabling the USB drive is not a legitimate argument in this case.
>
>Ultimately though my question is this: Why *not* run the firewall? More security is never a bad thing.
>
>-Cliff
>
>"Leythos" <> wrote in message news:...
>
>On Thursday, September 18, 2008 2:25 PM
>Cliff Galiher wrote:
>
>Since this conversation has already wandered well off point, I figure it is safe to go ahead and mention that...although I agree with you (after all I'm the one that started the whole "keep the firewall enabled" argument) that this shouldn't be your only defense. In any reasonably sized network, you should also be using IPSec and, if appropriate, a managed switch with 802.1X authenticating ports. That would help mitigate the risk of a rogue laptop.
>
>And can I say I'm *Really* looking forward to full network quarantine with SBS2k8?
>
>-Cliff
>
>"Russ (www.SBITS.Biz)" <> wrote in message news:...
>
>On Thursday, September 18, 2008 2:34 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>If you don't make all users that MIGHT use a computer a local admin the SBS script will not properly configure their Outlook for them when they logon.
>
>When you have 30 users and 50 PCs, and users can sit at any PC, it's an impossible task to go log each and every combination of users on to each PC. Needing Local Admin rights is a serious security flaw in SBS.
>
>On Thursday, September 18, 2008 2:36 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>First, laptops that are not company are not permitted.
>
>Second, if each computer in the network has File/Printer sharing enabled, by default, the malware can spread easily, so WF does nothing.
>
>All AV is controlled by server, users can't disable it, so, between company policy, people that police each other, and AV, that's more protection than WF.
>
>What you need to be asking is WHY does SBS make users local admins and WHY are local workstations defaulted to File and Printer sharing enabled?
>
>On Thursday, September 18, 2008 2:40 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>In all my years of having Windows workstations, having never had a single managed one compromised (notice I said Managed), I've never seen the Windows firewall protect anyone at any other location that we don't manage.
>
>Every compromised computer I've seen has Windows Firewall enabled, every new client we get that already has multiple systems compromised has Windows Firewall running, etc....
>
>With thousands of machines in many networks, none of them having WF enabled, all of them have File/Printer sharing disabled, all of them with as few local admin users, and tons of other protection, not one of them has been compromised.
>
>So, I'll stick with not using WF and having to deal with the problems it causes, since I've not seen where it is of any benefit to anyone.
>
>On Thursday, September 18, 2008 5:00 PM
>Russ (www.SBITS.Biz) wrote:
>
>So you stop EVERYONE at the DOOR of EVERY Business and Say "Do you have a Laptop in that Backpack?"
>
>Or is it just Policy? As you know, People don't follow policies.
>
>And AV is not enough to stop Worms, as you know, some of the worms that have been out.
>
>Go ahead, Turn OFF all Firewalls..
>
>I just PERSONALLY think it's not a good idea and I feel it's foolish; you just have a different Opinion, that's all.
>
>I have my policy with clients and you have yours.
>
>And you ask me why SBS makes everyone an admin? Since I didn't write SBS2003 code, I don't feel I'm qualified to answer that; maybe ask Microsoft?
>
>I do what I believe...
>
>Russ
>
>"Leythos" <> wrote in message news:...
>
>On Thursday, September 18, 2008 5:20 PM
>Cliff Galiher wrote:
>
>Re: Disable Windows Firewall
>Okay kids, let's not get hostile. As I've said, I'm pro-firewall. But, to stop the rogue laptop I use IPSec. I use managed switches whenever possible with 802.1X. A firewall is just ONE tool in a security setup.
>
>I also like my Makita rotary sander. Some people prefer to sand by hand....it just FEELS better. As you said Russ, it is a difference of opinion. I'm with ya, but I wouldn't go so far as to call someone 'foolish' for not doing it my way.
>
>Of course some things *are* foolish....like browsing the web from your server (tongue-in-cheek here, I know people disagree with me on THAT one) so I can see why you might feel that way about not using a firewall. But for my own part, I feel Leythos has proven helpful to many posters here and seems to be...aside from this difference of opinion....security conscious. So maybe my personal opinion of the person affects my judgment of their actions in this instance. I'd admittedly probably give a newcomer less rope. But I'm kinda sorta abrasive that way...as many can attest to.
>
>Regardless, I think this thread has become unintentionally more hostile than intended. Can we just accept that there are different people that hold the merits of a workstation firewall in different regard without getting mean?
>practices turn nasty because somebody misinterpreted a post using the word 'foolish' as a personal attack. I've already said I have a high opinion of Leythos, but I've also seen you be very helpful and I think I'm a good judge of character. I'd be surprised if you meant your comment to be a personal attack, but I also know that is how I first read it...even if unintentional...so y'know...I could see how others might get a little bent.
>
>Maybe I'm just seeing ghosts though and trying to stop a fight that never would've started. It has been known to happen.
>
>-Cliff
>
>"Russ (www.SBITS.Biz)" <> wrote in message news:...
>
>On Thursday, September 18, 2008 6:36 PM
>Jim Behning SBS MVP wrote:
>
>Re: Disable Windows Firewall
>On Thu, 18 Sep 2008 14:34:07 -0400, Leythos <> wrote:
>
>Well you have a point about that Outlook profile. I don't have many offices where people play musical chairs so I do not or have not suffered but an occasional Outlook profile issue. Darned PSTs when they do it themselves.
>See what SBS support is working on
>http://blogs.technet.com/sbs/default.aspx
>Check your SBS with the SBS Best Practices Analyzer
>http://blogs.technet.com/sbs/archive...A/default.aspx
>
>On Thursday, September 18, 2008 7:11 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>Nope, it's company policy, discipline up to Discharge.
>
>Yep, but most do, when they think about the value of their job.
>
>If File/Printer sharing is enabled and others are enabled by default, what is it really protecting you from?
>
>Yep, I used to think that way too, but, ask yourself, with the standard exceptions, what is it really protecting you from?
>
>No, I'm asking you if you think it's a good idea?
>
>On Thursday, September 18, 2008 7:15 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>In every installation we manage, everything is roaming, all profiles, my documents, etc.... Even their desktops. While many people never use a second computer, most, since we do a lot of medical, roam the facility. While managers' computers are only used by the single manager, that same manager may logon to 10 different computers at any given time in a day. Same with factory systems, they have the "freedom" to roam anywhere and they love it.
>
>On Thursday, September 18, 2008 7:24 PM
>Russ (www.SBITS.Biz) wrote:
>
>I was calling myself Foolish.. If I did that.. If you do that? Just part of your Business Model
>
>To each his own
>
>Russ
>
>"Cliff Galiher" <> wrote in message news: ...
>
>On Thursday, September 18, 2008 7:25 PM
>Russ (www.SBITS.Biz) wrote:
>
>Re: Disable Windows Firewall
>Good luck with that
>
>Russ
>
>On Thursday, September 18, 2008 7:57 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>Russ, help me out here: If Windows Firewall has File/Print sharing enabled then how is a computer protected from malware?
>
>On Thursday, September 18, 2008 8:40 PM
>Susan Bradley wrote:
>
>Re: Disable Windows Firewall
>Leythos wrote:
>SQL slammer.
>
>If Windows Firewalls had been enabled inside a network, SQL slammer would not have occurred.
>
>We haven't had a really good juicy worm BECAUSE firewalls are on by default. The bad guys had to change their play book as a result.
>
>I think you are missing the point that the security theater changed because firewalls are now on.
>
>If you really wanna do the right thing you set it up so that workstations cannot directly email out their port 25.
>
>On Thursday, September 18, 2008 8:58 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>Sure it would, because SQL came in on 1433/1434; those ports have to be open on the computers running SQL for it to work.
>
>If you had a computer that wasn't running SQL you didn't have an issue, since the worm didn't infect computers not running SQL.
>
>I saw tons of SQL servers exposed directly through firewalls to the public, and I also saw masses of personal computers directly connected to the internet with no NAT or Firewall that were compromised, but the ones that had a firewall also had an exception for 1433/1434 because the software installed an exception for SQL in the firewall.
>
>While I agree, in a Business it's not quite the same. A PC directly connected to the net, say from Dell, will have File/Printer sharing enabled by default with XP SP2 installed - that means that anyone on the internet can try and connect on the standard file sharing ports of that default PC, so, they are open to massively more hacks than if it was just SQL Slammer.
>
>Anyone behind a NAT router didn't have to worry about the SQL Slammer, other than the disruption to service.
>
>Anyone that had a clue about firewalls and threats wasn't compromised by SQL Slammer because they checked or knew enough to block 1433/1434 access to the WAN side. They also knew to not allow 1433/1434 Outbound to start with. Some NAT Routers also allow trapping output ports, but most people using them didn't have any idea how to do that.
>
>The point I'm trying to make is that with File/Printer sharing enabled by default, with the firewall exception for F/P sharing, and then we have UPNP enabled as an exception on some..... With those enabled and the exceptions your computer is almost completely unprotected by Windows Firewall.
>
>Won't make a difference as our networks only allow Outbound SMTP from the Exchange server IP. That's an entirely different subject.
>
>I'll ask again - if your Windows Firewall has File/Printer sharing enabled by default, just how protected are you really?
>
>On Thursday, September 18, 2008 9:19 PM
>Russ (www.SBITS.Biz) wrote:
>
>I'll bow out now, because I don't like Tilting at Windmills.
>
>Leythos, if your company policy is to disable firewalls then your Company Policy is to disable firewalls.
>
>I'm not going to Debate your policy. Because your clients are yours, Not MINE!
>
>You can tell your clients to disable any security feature you'd like... Me? Nope...
>
>IMO this is a difference in consulting practices.. Mine is different than yours, and I think we should just leave it at that.
>
>Russ
>
>"Leythos" <> wrote in message news:...
>
>On Thursday, September 18, 2008 9:21 PM
>Susan Bradley wrote:
>
>There were internal-only databases listening on those SQL ports, but they did not have to be open to an internal worm. Chip from SQL security amassed a huge list of MSDE-based apps that most of us had no clue were SQL based and did not need 1433 or 1434 listening on the inside of the LAN. Just like Blaster, someone VPN'd in and nailed the network. The internal firewall being on blocks this behavior.
>
>"The point I'm trying to make is that with File/Printer sharing enabled by default, with the firewall exception for F/P sharing, and then we have UPNP enabled as an exception on some..... With those enabled and the exceptions your computer is almost completely unprotected by Windows Firewall."
>
>That's very much stretching it.
>
>And certainly you can adjust the file and printing ports so that they only respond to certain connections. Just as you have certain ways to deploy networks and don't use all the defaults, so do many of us.
>
>There's no blanket 'one size' here, merely opinions and what we feel comfortable with.
>
>Vista firewall is even more granular.
>
>Leythos wrote:
>
>On Thursday, September 18, 2008 10:18 PM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>Russ, this wasn't an argument, it was a question. Susan answered what she thought; I just wondered what you thought WF offered if the default F/P settings were to allow connections, that's all this is/was.
>
>On Thursday, September 18, 2008 11:56 PM
>Cliff Galiher wrote:
>
>For the record, file and printer sharing opens that SERVICE. If you properly use ACLs then the malware still can't spread....the client has the service running but is not able to plant itself as a file anywhere because it doesn't have appropriate access.
>
>Now, if a blended threat uses a non-network exploit to elevate permissions and it installs itself on a PC...perhaps from an email that is a zero-day exploit so no AV caught it, or a USB key, or a CD, or whatever, then it is now on that PC running. As a blended threat, it tries to spread itself multiple ways, including port scanning other machines and finding open RPC ports. Since any RPC request gets assigned a random port above 1023, it isn't predictable where this may open and the 3rd-party app may have an undisclosed exploit. In many cases, a 3rd party program creates an RPC listening port on all interfaces, even though it really only needed to listen on the loopback interface. A firewall would prevent such an attack.
>
>Over the last year, there have been exploits found for various RPC calls, MSDTC, etc. So realistically it *is* possible to exploit these without a firewall...and none of these are "file/printer sharing" based as none would be attacked on ports 135/445.
>
>You are correct though that, if an exploit was found with the file/print sharing service on those ports then the firewall won't protect against a threat if it is configured to allow traffic through. But that is only one possible scenario. I, for one, still think firewalls have their uses.
>
>-Cliff
>
>"Leythos" <> wrote in message news:...
>
>On Friday, September 19, 2008 7:49 AM
>Leythos wrote:
>
>Re: Disable Windows Firewall
>In article <>, says...
>
>Thanks for the info. I agree that a firewall can be good, was not suggesting that anyone else make it part of their policy.
>
>Based on what I've seen in this group over the years, I think that few people actually install a Firewall Appliance (a real firewall), lock users out of CD/DVD drives, lock them out of USB drives, limit them to only Limited User status, use GPO to lock down their IE settings, their firewall settings, and many other settings, as a standard setup - other than what is shipped as default with SBS.
>
>Maybe we've just been lucky, having never had a client, managed, that had a malware outbreak on their networks.
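Several posts in the thread quoted above turn on what the SBS firewall GPO actually leaves open: Lanwench's "run rsop.msc to see which GPO", Leythos's point that a File and Printer Sharing exception reachable from any address leaves the firewall little to do, Susan's reply that those ports can be made to answer only certain connections, and Cliff's point about third-party RPC listeners bound to all interfaces. The script below is an added example, not code from the thread or from Microsoft. It reads the policy keys Group Policy writes on a client (the same settings rsop.msc renders), lists the exceptions whose scope is any source address, and then parses `netstat -ano` for services listening on every interface above port 1023. The registry paths and value names are the Windows Firewall policy keys as documented for XP SP2; the thresholds and output shape are my choices.

```powershell
# Added example, not from the thread: before editing the SBS firewall GPO, audit
# what it enforces on an XP SP2 client and which services listen on every
# interface. Run in an elevated PowerShell on the client; the registry paths are
# the Windows Firewall policy keys Group Policy writes, and netstat -ano ships with XP.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# <profile>\GloballyOpenPorts\List entries:      Port:Transport:Scope:Status:Name
# <profile>\AuthorizedApplications\List entries: Path:Scope:Status:Name
# Scope '*' means any source address; 'LocalSubNet' or an address list limits it.
function ConvertFrom-FirewallEntry {
    param([string] $Entry, [string] $Kind)   # Kind is 'Port' or 'App'
    $f = $Entry -split ':'
    if ($f.Count -lt 4) { return $null }
    if ($Kind -eq 'Port') {
        $target = '{0}/{1}' -f $f[0], $f[1]
        $scope  = $f[2]
        $status = $f[3]
        $name   = ''
        if ($f.Count -gt 4) { $name = $f[4..($f.Count - 1)] -join ':' }
    } else {
        # the path carries a drive colon, so read the fixed fields from the right
        $name   = $f[-1]
        $status = $f[-2]
        $scope  = $f[-3]
        $target = $f[0..($f.Count - 4)] -join ':'
    }
    New-Object PSObject -Property @{
        Kind = $Kind; Target = $target; Scope = $scope; Status = $status; Name = $name
        AnySource = ($scope -eq '*')
    }
}

function Get-FirewallPolicy {
    param([string] $ProfileName = 'DomainProfile')   # or 'StandardProfile'
    $key = Join-Path $PolicyRoot $ProfileName
    if (-not (Test-Path $key)) {
        Write-Warning "no Group Policy firewall settings for $ProfileName; local settings apply"
        return $null
    }
    $p  = Get-ItemProperty -Path $key
    # the File and Printer Sharing exception lives in its own subkey
    $fp = Get-ItemProperty -Path (Join-Path $key 'Services\FileAndPrint') -ErrorAction SilentlyContinue
    $fpEnabled = $null; $fpScope = $null
    if ($fp) { $fpEnabled = $fp.Enabled; $fpScope = $fp.RemoteAddresses }

    $entries = @()
    $lists = @{ 'GloballyOpenPorts\List' = 'Port'; 'AuthorizedApplications\List' = 'App' }
    foreach ($sub in $lists.Keys) {
        $listKey = Join-Path $key $sub
        if (-not (Test-Path $listKey)) { continue }
        $item = Get-Item -Path $listKey
        foreach ($valueName in $item.GetValueNames()) {
            $e = ConvertFrom-FirewallEntry -Entry ([string] $item.GetValue($valueName)) -Kind $lists[$sub]
            if ($e) { $entries += $e }
        }
    }
    New-Object PSObject -Property @{
        Profile              = $ProfileName
        EnableFirewall       = $p.EnableFirewall        # "Protect all network connections": 1 on, 0 off
        DoNotAllowExceptions = $p.DoNotAllowExceptions  # 1 = exception lists ignored
        FileAndPrintEnabled  = $fpEnabled
        FileAndPrintScope    = $fpScope                 # '*' = reachable from anywhere
        Exceptions           = $entries
    }
}

# Cliff's point: a service bound to 0.0.0.0 (every interface) instead of 127.0.0.1
# is reachable from the LAN once the firewall is off, whether or not it needed to be.
# RPC endpoints are handed out above port 1023, so that is the default floor here.
function Get-AllInterfaceListeners {
    param([int] $MinPort = 1024)
    $rows = & netstat.exe -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($row in $rows) {
        $c = $row.Trim() -split '\s+'      # Proto, Local Address, Foreign Address, State, PID
        if ($c.Count -lt 5 -or $c[3] -ne 'LISTENING') { continue }
        if (-not ($c[1] -match '^(.+):(\d+)$')) { continue }
        $addr = $matches[1]
        $port = [int] $matches[2]
        if ($port -lt $MinPort) { continue }
        if ($addr -ne '0.0.0.0' -and $addr -ne '[::]') { continue }
        $owner = Get-Process -Id ([int] $c[4]) -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Port = $port; BindAddress = $addr; ProcessId = [int] $c[4]
            Process = $(if ($owner) { $owner.ProcessName } else { '?' })
        }
    }
}

$policy = Get-FirewallPolicy
if ($policy) {
    $summary = 'Domain profile: EnableFirewall={0} DoNotAllowExceptions={1} FileAndPrint={2} scope={3}'
    $summary -f $policy.EnableFirewall, $policy.DoNotAllowExceptions, $policy.FileAndPrintEnabled, $policy.FileAndPrintScope
    # exceptions open to any source address are the ones to tighten first
    $policy.Exceptions | Where-Object { $_.Status -eq 'enabled' -and $_.AnySource } |
        Format-Table Kind, Target, Scope, Name -AutoSize
}
Get-AllInterfaceListeners | Sort-Object Port | Format-Table Port, BindAddress, ProcessId, Process -AutoSize
```

A File and Printer Sharing scope of `*` on a client is the configuration Leythos describes; changing the GPO's "Allow file and printer sharing exception" address list to `LocalSubNet`, or to the server's address, is Susan's "only respond to certain connections" and shows up here as `FileAndPrintScope`. Anything the listener report shows bound to `0.0.0.0` above 1023 is what the firewall is covering for while it stays on, which is the trade being made when it is disabled for an accounting package instead of given a scoped exception.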