Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Discussion in 'Windows Vista Networking' started by Edward Ray, Sep 27, 2006.

  1. Edward Ray

    Edward Ray Guest

    I have had MANY problems since upgrading to Vista RC1 (now v5728) with
    connectivity in my Windows 2003 R2 native AD domain. Windows time not
    working, netdiag crashing, not picking up Kerberos tickets for Vista
    machine...

    Once I disabled the firewall, things improved. Windows Time started
    automatically.

    Let me say first that the new Windows Firewall is a great leap forward, but
    it is very complex and difficult to configure. I suspect once adm/admx
    files are available that it may become easier. Third-party firewalls are
    much easier to configure than Vista Firewall. Complexity is the hobgoblin
    of security, and Microsoft has made the Windows Firewall very difficult to
    understand and onerous to configure. Rules that I put in to open the
    firewall to domain connectivity appear not to work.

    I would recommend to anyone deploying Vista in a pre-existing domain
    infrastructure to disable Windows Firewall completely for the near term.
     
    Edward Ray, Sep 27, 2006
    #1

  2. I haven't had a single problem with the Vista firewall in my AD domain.

    --
    Richard G. Harper [MVP Shell/User]
    * PLEASE post all messages and replies in the newsgroups
    * for the benefit of all. Private mail is usually not replied to.
    * My website, such as it is ... http://rgharper.mvps.org/
    * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
     
    Richard G. Harper, Sep 27, 2006
    #2

  3. Edward Ray

    Edward Ray Guest

    I would be interested in what your configuration is. Do you use IPSec
    encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from an
    existing Windows XP SP2 install?

    This firewall makes it very challenging to troubleshoot problems, so I find
    it best to disable it until you have everything working right, then enable.
     
    Edward Ray, Sep 28, 2006
    #3
  4. No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
    supported.

    --
    Richard G. Harper [MVP Shell/User]
    * PLEASE post all messages and replies in the newsgroups
    * for the benefit of all. Private mail is usually not replied to.
    * My website, such as it is ... http://rgharper.mvps.org/
    * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
     
    Richard G. Harper, Sep 28, 2006
    #4
  5. Oh sorry, only half-answered. Also have done both upgrades and clean
    installs with no problems.

    --
    Richard G. Harper [MVP Shell/User]
    * PLEASE post all messages and replies in the newsgroups
    * for the benefit of all. Private mail is usually not replied to.
    * My website, such as it is ... http://rgharper.mvps.org/
    * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
     
    Richard G. Harper, Sep 28, 2006
    #5
  6. Edward Ray

    Edward Ray Guest

    I do not use NetBIOS/WINS, due to security risks as well as not necessary
    (no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port 445
    traffic using PKI authentication. As I said before, it takes a few boots to
    get it right when I had RC 1 5600; for 5728 I just disabled the firewall at
    first then re-enabled it. Having custom GPOs for Vista will help in the
    future.
     
    Edward Ray, Sep 28, 2006
    #6
  7. Jeff

    Jeff Guest

    Ed,
    Gettin all wrapped up in this huh?
    If you look at Windows Firewall; it's easy to setup now
    And it's easy to use;
    Jeff
     
    Jeff, Sep 28, 2006
    #7
  8. Edward Ray

    Edward Ray Guest

    Jeff:

    It may be easy for a single user, but when you have an organization with
    have to report its shortcomings. Vista is geared primarily to get Windows
    2000 (and potentially Windows XP pre-SP2) clients to upgrade to Vista.
    Stand-alone I am sure it works great, but for corporate buy-in it must play
    well with existing infrastructures. As I said in previous posts, my advice
    is to disable the firewall initially, then reenable after GPOs have been
    applied. In a network with multiple layers of protection, this does not
    present a major security risk. Perhaps when Vista ADM/ADMX files are
    released this will be an easier transition, but I will still prefer
    third-party AV/Firewall/IPS/App Protection over Windows Firewall for
    laptops, PDAs and other wireless devices that use the Windows OS.

    Just because it annoys you, my certifications are below. I also have a BSEE
    from Cornell and an MSEE from UCLA (nose turns upward... :) )
     
    Edward Ray, Sep 28, 2006
    #8
  9. Jeff

    Jeff Guest

    Ed,
    It doesn't annoy me;
    in fact;
    I think it's kind of humorous;that you feel the need to include your
    certifications in a post.

    And; if I'm not mistaken; MSFT has devoted a whole bunch of resources to
    business migration.

    Here for example:
    http://www.microsoft.com/technet/windowsvista/library/default.mspx


    You outta know; that;the best defense is hardware firewalls;
    and all those initials-lol
    BTW-running a laptop on multiple networks; Vista firewall; no hacks;no
    breakins;etc.
    And at home;behind a hardware firewall;just for giggles.

    Jeff
     
    Jeff, Sep 28, 2006
    #9
  10. AJR

    AJR Guest

    Edward - Although you are probably aware of it - but Vista provides a
    "Windows Firewall and Security" snap-in for the Management Console which
    provides more options than control panel security center.
     
    AJR, Sep 28, 2006
    #10
  11. Edward Ray

    Edward Ray Guest

    > Ed,
    I had always left it there for other newsgroups, to let them know I was not
    a dork and had already tried the usual suggestions to mitigate my problem.
    Got tired of the canned responses to problems.
    The issues with Windows Firewall I expected, as beta versions do not have
    the usual ADM/ADMX GPOs that one can import into the Domain Controller and
    configure.
    These days it is the drive by downloads that worry me. ZoneAlarm Pro and
    Kaspersky Internet Suite have some good IPS and Layer 7 firewall features
    that most software firewalls do not. Windows Firewall (Windows XP SP2,
    Windows 2003 SP1, Vista RC1) are a definite improvement, but they still have
    a way to go IMHO to catch up with third party features. Now ISA Server
    2004/2006 is pretty good as a host-based firewall/IPS, but at $1500 (plus
    Windows 2003 license to run it) price is a bit steep for client deployment.
    Works great on domain controllers though, which are the family jewels of any
    windows network.
     
    Edward Ray, Sep 28, 2006
    #11
  12. Security risks in WINS and NetBIOS? None that I know of.

    Anyway, if you insist on pooching the network settings you're going to have
    issues. Leave well enough alone, that's what I say. ;-)

    --
    Richard G. Harper [MVP Shell/User]
    * PLEASE post all messages and replies in the newsgroups
    * for the benefit of all. Private mail is usually not replied to.
    * My website, such as it is ... http://rgharper.mvps.org/
    * HELP us help YOU ... http://www.dts-l.org/goodpost.htm
     
    Richard G. Harper, Sep 28, 2006
    #12
  13. Please do not run your machine without Windows firewall - especially
    considering that you are exposing yourself not only to your normal
    LAN, but also to the IPV6 world.

    --
    Jeffrey Randow

    Windows Networking MVP 2001-2006

    http://www.networkblog.net
     
    Jeffrey Randow, Sep 29, 2006
    #13
  14. To clarify my last posting -

    Remember that Vista supports P2P/Teredo tunnelling and PNRP (Peer Name
    Resolution Protocol). To keep things simple - using PNRP/P2P/Teredo,
    it is possible to connect to services (IIS, Remote Desktop, etc) from
    another Vista computer if you know what your PNRP name is - without
    any port forwarding or other tunnelling solutions.

    When you have the firewall enabled, it becomes much more difficult to
    get hacked.

    --
    Jeffrey Randow

    Windows Networking MVP 2001-2006

    http://www.networkblog.net

     
    Jeffrey Randow, Sep 29, 2006
    #14
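A defender's check for the exposure described in the post above, added here as an example (not code from the thread or from Microsoft): it reads the per-profile Windows Firewall state and the Teredo tunnel state via `netsh` and warns when any profile is OFF while Teredo is qualified, i.e. the host is reachable over IPv6 with no host firewall. It assumes PowerShell with `netsh advfirewall` and `netsh interface teredo` available (Vista and later).

```powershell
# Added example: correlate Windows Firewall profile state with Teredo state.
# Assumes netsh advfirewall and netsh interface teredo are present (Vista+).

function Get-FirewallProfileState {
    # netsh prints one "<Name> Profile Settings:" block per profile,
    # each containing a "State   ON|OFF" line (no colon on that line).
    $out = netsh advfirewall show allprofiles
    $states = @{}
    $current = $null
    foreach ($line in $out) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $Matches[1]; continue }
        if ($current -and $line -match '^State\s+(ON|OFF)') { $states[$current] = $Matches[1] }
    }
    return $states
}

function Get-TeredoState {
    # "netsh interface teredo show state" prints a "State : <value>" line;
    # "qualified" means the tunnel is up and the host has a routable IPv6 address.
    $out = netsh interface teredo show state
    foreach ($line in $out) {
        if ($line -match '^State\s*:\s*(\S+)') { return $Matches[1].ToLower() }
    }
    return 'unknown'
}

$fw     = Get-FirewallProfileState
$teredo = Get-TeredoState

foreach ($profile in $fw.Keys) {
    '{0,-8} profile firewall: {1}' -f $profile, $fw[$profile]
}
"Teredo state: $teredo"

# The risky combination: firewall disabled on some profile while Teredo is
# qualified, so services such as RDP or IIS are reachable from the IPv6
# Internet without any router port forwarding.
if (($fw.Values -contains 'OFF') -and ($teredo -eq 'qualified')) {
    Write-Warning 'A firewall profile is OFF while Teredo is qualified: this host may be reachable from the IPv6 Internet with no host firewall.'
} elseif ($fw.Values -contains 'OFF') {
    Write-Warning 'A firewall profile is OFF; re-enable it once domain rules (GPO) are applied.'
} else {
    'All firewall profiles are ON.'
}
```

Run it in an elevated PowerShell prompt; `netsh advfirewall` requires administrative rights to read the full profile settings.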
  15. cyanna

    cyanna Guest

    You have not disabled IPv6? I'd never leave that thing on, it slows down
    internet access and it is a major security risk for the reasons you explained
    in the next post. Until I have a firewall that will interact with me and
    tell me exactly which app wants access to what and which way and I can
    temporarily/permanently allow/disallow said access (Anybody knows how far the
    people at ZoneLabs have come with a firewall for Vista?), IPv6 gets disabled
    BEFORE I ever connect to the Internet.
     
    cyanna, Sep 29, 2006
    #15
  16. Jeff

    Jeff Guest

    Major security risk?
    lol-maybe ya outta read up.
    IPv6 is not a security threat. It's a protocol.
    following your logic. IPv4 is a major security risk too.
    A little Wiki refresher for ya.

    http://en.wikipedia.org/wiki/IPv6
    Too funny; maybe ya shouldn't connect to the net. It's a security risk.
    Jeff
     
    Jeff, Sep 29, 2006
    #16
  17. AJR

    AJR Guest

    Keep in mind that Vista uses IPv6 internally for functions such as "Network
    Presentation" and "Meeting Space".
     
    AJR, Sep 29, 2006
    #17
  18. I leave it enabled to gain access to machines behind my home router
    without having to do port redirection on my router (Teredo/PNRP)

    --
    Jeffrey Randow

    Windows Networking MVP 2001-2006

    http://www.networkblog.net
     
    Jeffrey Randow, Oct 1, 2006
    #18