In the absence of what Ken has described below, the Windows Firewall is
turned on and left on, and it's been pretty hassle-free from using it in the
past.

If you are lucky enough to have internal firewalls, security zones and proper
segmentation on your internal network (most are not that lucky) then you can
definitely manage it via the rules in the internal FW set, but that
doesn't stop a trusted admin installing something on the server that then
makes outbound calls on allowed ports (80/443/etc.); it also doesn't stop
pivoting internally if they compromise a box and then abuse the trust of
the allowed ports to other systems, unless you have a good bit of egress
filtering and logging and it's being reviewed. I am sure in Ken's case that
is the case, and even more stringent, but it's not like that in most places.

EZ

On Mon, May 19, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote:

> We have the Windows FW off.
>
> Traffic between major apps, and/or between internal security zones, is
> routed via internal firewalls. So, we rely on the internal FWs to avoid the
> scenario you describe below.
>
> Cheers
> Ken
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Kennedy, Jim
> Sent: Tuesday, 20 May 2014 1:16 AM
> To: [email protected]
> Subject: RE: [NTSysADM] Do you run Windows firewall on your internal
> servers?
>
> He needs to think about what is called pivoting, where a box is
> compromised and they use it to pivot to the next box. Your external
> firewall won't see that happening. Windows Firewall might. The firewall on
> 2008 and up is pretty hassle free as far as I have experienced.
>
> -----Original Message-----
> From: [email protected] [mailto:
> [email protected]] On Behalf Of Dave Lum
> Sent: Monday, May 19, 2014 11:11 AM
> To: [email protected]
> Subject: [NTSysADM] Do you run Windows firewall on your internal servers?
>
> All y'all leave Windows Firewall on on your servers, right? I heard a
> comment recently that "Win 2008 R2 and later have so many services off by
> default nowadays, running with it off saves headaches vs. the value it adds
> for servers that are behind our firewall".
>
> I leave it on and spend the time to make exceptions as necessary -
> sometimes it's frustrating and does take a lot of time, but still it seems
> like the prudent way to go.
>
> Seems odd to not run it. I'm willing to change my thinking if I can
> hear reasonable arguments, but they'd have to be pretty convincing...
>
> Dave
>
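As an added illustration of the "leave it on and scope the exceptions" position argued in this thread (this is not code from any of the posters, and nothing in the thread shows their configuration), the following PowerShell audits and hardens the host firewall on one server: every profile enabled with inbound blocked by default, dropped packets logged so pivot attempts land somewhere reviewable, an inventory of the inbound allow rules an attacker on a neighbouring box would get to use, and one example of scoping a rule to the hosts that actually need it. It assumes the NetSecurity module (Windows Server 2012 or later; the 2008 R2 equivalent is `netsh advfirewall`, which this script does not use), an elevated session, and placeholder values for the log path, rule name, port and subnet, which are assumptions for the example and not taken from the thread.

```powershell
# Added example, not from the thread. Requires the NetSecurity module
# (Windows Server 2012+) and an elevated PowerShell session.
# All paths, rule names and addresses below are placeholders for the example.

$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # assumed; the default location

# 1. Every profile on, inbound blocked by default, dropped packets logged.
#    Outbound stays Allow here: flipping DefaultOutboundAction to Block is the
#    egress filtering the thread mentions, but it needs explicit allow rules
#    for DNS, AD, WSUS, the proxy, monitoring agents, etc. before it is safe.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogAllowed False `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 32767

# 2. Show the resulting state so it can be compared against policy.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName

# 3. Inventory the inbound allow rules that are actually active. This is the
#    list a pivoting attacker gets to use from a compromised neighbour, so it
#    is the list to review: anything with RemoteAddr = Any deserves a question.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Profile    = $_.Profile
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
        }
    } |
    Sort-Object Profile, Name |
    Format-Table -AutoSize

# 4. Example of a scoped exception: allow SQL only from the app-tier subnet,
#    Domain profile only, instead of a blanket allow from Any.
#    Rule name, port and subnet are placeholders for this example.
New-NetFirewallRule -DisplayName 'App tier -> SQL (example)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 1433 `
    -RemoteAddress 10.10.20.0/24 `
    -Profile Domain -Enabled True
```

Step 3 is the part worth running even on servers where the firewall is already on: a host firewall that is enabled but carries "allow from Any" rules for every listening service gives little more protection against internal pivoting than one that is off. Ship `pfirewall.log` (or the equivalent Windows Filtering Platform audit events) to whatever already reviews your internal firewall logs, since, as the thread notes, logging that nobody reads does not help.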
