Admins who can install things on servers can just as easily tweak the Windows FW to make "calls out" on whatever ports are required. And by default, the Windows FW doesn't block anything outbound.

FWIW, our servers (except in the restricted outbound DMZ) are not allowed to make calls out to the wider internet. All external access is via application proxies, so we have some control over what goes out, and we get logs on where it's going. Centralising that outbound access gives us a choke point for IPS and DLP to examine the outbound content.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Ed Ziots
Sent: Friday, 23 May 2014 2:16 AM
To: [email protected]
Subject: Re: [NTSysADM] Do you run Windows firewall on your internal servers?

In the absence of what Ken has described below, the Windows Firewall is turned on and left on, and it's pretty hassle free from using it in the past. If you are lucky enough to have internal firewalls, security zones and proper segmentation on your internal network (most are not that lucky) then you can definitely manage it via the rules in the internal FW set, but that doesn't stop a trusted admin installing something on the server that then makes outbound calls on allowed ports (80/443/etc). It also doesn't stop pivoting internally if they compromise a box and then abuse the trust of the allowed ports to other systems, unless you've got a good bit of egress filtering and logging and it's being reviewed. I am sure in Ken's case that is the case and even more stringent, but it's not like that in most places.

EZ

On Mon, May 19, 2014 at 7:22 PM, Ken Schaefer <[email protected]> wrote:

We have the Windows FW off. Traffic between major apps, and/or between internal security zones, is routed via internal firewalls. So, we rely on the internal FWs to avoid the scenario you describe below.

Cheers
Ken

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Tuesday, 20 May 2014 1:16 AM
To: [email protected]
Subject: RE: [NTSysADM] Do you run Windows firewall on your internal servers?

He needs to think about what is called pivoting, where a box is compromised and they use it to pivot to the next box. Your external firewall won't see that happening. Windows Firewall might. The firewall on 2008 and up is pretty hassle free as far as I have experienced.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Dave Lum
Sent: Monday, May 19, 2014 11:11 AM
To: [email protected]
Subject: [NTSysADM] Do you run Windows firewall on your internal servers?

All y'all leave Windows Firewall on on your servers, right? I heard a comment recently that "Win 2008 R2 and later have so many services off by default nowadays, running with it off saves headaches vs. the value it adds for servers that are behind our firewall". I leave it on and spend the time to make exceptions as necessary - sometimes it's frustrating and does take a lot of time, but still it seems like the prudent way to go. Seems odd to not run it, but I'm willing to change my thinking if I can hear reasonable arguments, but they'd have to be pretty convincing...

Dave
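Two points in the thread are worth seeing as configuration rather than argument: Ken's observation that the Windows firewall allows all outbound traffic by default, and Ed's point that an allow-by-port policy only helps against admin-installed tools phoning home or internal pivoting if egress is filtered, logged and actually reviewed. The following is an added example, not posted by anyone on this list, showing how to flip a host to default-deny outbound, re-allow only the proxy and domain services, log the drops, and summarise the log by destination. It assumes the NetSecurity cmdlets (Windows Server 2012 / PowerShell 3 or later; on 2008 R2 the same settings are reachable with `netsh advfirewall`), and the proxy address, DC subnet and log path are placeholders you replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: default-deny outbound on all profiles, explicit allows,
# dropped-packet logging, and a quick summary of what got blocked.
# Placeholders (assumptions, replace with your own values):
$Proxy    = '10.0.0.10'     # corporate application proxy
$ProxyPort = 3128
$DcSubnet = '10.0.1.0/24'   # domain controller subnet
$LogPath  = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Current state. Out of the box DefaultOutboundAction is Allow on every profile.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Enable every profile, block inbound and outbound by default, log drops.
#    Outbound block does not affect already-established inbound sessions (RDP),
#    but pilot this on one host before pushing it through GPO.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName $LogPath -LogMaxSizeKilobytes 32767

# 3. Re-allow only what a domain-joined server needs: AD services to the DC
#    subnet, and web access via the proxy only (no direct 80/443 to the internet).
$allow = @(
    @{ Name = 'Out DNS to DCs';      Proto = 'UDP'; Port = 53;  Remote = $DcSubnet }
    @{ Name = 'Out DNS/TCP to DCs';  Proto = 'TCP'; Port = 53;  Remote = $DcSubnet }
    @{ Name = 'Out Kerberos to DCs'; Proto = 'TCP'; Port = 88;  Remote = $DcSubnet }
    @{ Name = 'Out Kerberos/UDP';    Proto = 'UDP'; Port = 88;  Remote = $DcSubnet }
    @{ Name = 'Out LDAP to DCs';     Proto = 'TCP'; Port = 389; Remote = $DcSubnet }
    @{ Name = 'Out SMB to DCs';      Proto = 'TCP'; Port = 445; Remote = $DcSubnet }
    @{ Name = 'Out web via proxy';   Proto = 'TCP'; Port = $ProxyPort; Remote = $Proxy }
)
foreach ($r in $allow) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Allow `
        -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress $r.Remote `
        -Profile Domain | Out-Null
}

# 4. Spot-check: a direct connection to an arbitrary internet address must now
#    fail (203.0.113.10 is a documentation-range address used as a placeholder).
Test-NetConnection -ComputerName 203.0.113.10 -Port 443 -InformationLevel Quiet

# 5. Review the drops. pfirewall.log is space-separated with the fields:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path   (path = SEND|RECEIVE)
#    Blocked outbound attempts are DROP + SEND; group them by destination so a
#    host repeatedly trying to reach one address:port stands out.
function Get-BlockedOutbound {
    param([string]$Path = [Environment]::ExpandEnvironmentVariables($LogPath))
    Get-Content -Path $Path |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ForEach-Object {
            $f = -split $_
            if ($f.Count -ge 17 -and $f[2] -eq 'DROP' -and $f[16] -eq 'SEND') {
                [pscustomobject]@{
                    Time = "$($f[0]) $($f[1])"; Proto = $f[3]
                    Src  = $f[4]; Dst = $f[5]; DstPort = $f[7]
                }
            }
        } |
        Group-Object Dst, DstPort |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-BlockedOutbound | Format-Table -AutoSize
```

The grouping in step 5 is the "being reviewed" half of Ed's point: the configuration only pays off if someone looks at the drop log, and a per-host summary by destination is the cheapest way to notice either a newly installed tool trying to leave directly or a server suddenly talking to peers it never spoke to before. Shipping pfirewall.log (or the equivalent "Windows Filtering Platform" events) to a central log system gives the same choke-point visibility Ken describes, without routing every server through a proxy.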

