Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

  • Thread starter Thread starter Edward Ray
  • Start date Start date
E

Edward Ray

I have had MANY problems since upgrading to Vista RC1 (now v5728) with
connectivity in my Windows 2003 R2 native Ad domain. Windows time not
working, netdiag crashing, not picking up Kerberos tickets for Vista
machine...

Once I disabled the firewall, things improved. Windows Time started
automatically.

Let me sasy first that the new Windows Firewall is a great leap forward, but
it is very complex and difficult to configure. I suspect once adm/admx
files are available that it may become easier. Third-party firewalls are
much easier to configure than Vista Firewall. Complexity is the hobgoblin
of security, and Microsoft has made the Windows Firewall very diffiuclt to
understand an onerous to configure. Rules that I put in to open the
firewall to domain connectivity appear not to work.

I would recommend to anyone deploying Vista in a pre-existing domain
infrastructure to disable Windows Firewall completely for the near term.
 
I haven't had a single problem with the Vista firewall in my AD domain.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Richard G. Harper said:
I haven't had a single problem with the Vista firewall in my AD domain.
Click to expand...

I would be interested in what your configuration is. Do you use IPSec
encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from and
existing Windows XP SP2 install?

This firewall makes it very challenging to troubleshoot problems, so I find
it best to disable it until you have everything working right, then enable.
 
No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
supported.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Oh sorry, only half-answered. Also have done both upgrades and clean
installs with no problems.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Richard G. Harper said:
No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
supported.
Click to expand...
I do not use NetBIOS/WINS, due to security risks as wells as not necessary
(no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port 445
traffic using PKI authentication. As I said before, it takes a few boots to
get it right when I had RC 1 5600; for 5728 I just disabled the firewall at
first then re-enabled it. Having custom GPOs for Wista will help in the
future.
 
Ed,
Gettin all wrapped up in this huh?
If you look at Windows Firewall; it's easy to setup now
And it's easy to use;
Jeff
 
Jeff said:
Ed,
Gettin all wrapped up in this huh?
If you look at Windows Firewall; it's easy to setup now
And it's easy to use;
Jeff
Click to expand...

Jeff:

It may be easy for a single user, but when you have an organization with
500 potential Vista clients who is paying me for advice on ease of use, I
Click to expand...
have to report its shortcomings. Vista is geared primarily to get Windows
2000 (and potentially Windows XP pre-SP2) clients to upgrade to Vista.
Stand-alone I am sure it works great, but for corporate buy-in it must play
well with existing infrastructures. As I said in previous posts, my advice
is to disable the firewall initially, then reenable after GPO's have been
applied. In a network with multiple layers of protection, this does not
present a major security risks. Perhaps when Vista ADM/ADMX files are
released this will be an easier transition, but I will still prefer
third-party AV/Firewall/IPS/App Protection over Windows Firewall for
laptops, PDAs and other wireless devices that use the Windows OS.

Just becasue it annoys you, my certifications are below. I also have a BSEE
from Cornell and an MSEE from UCLA (nose turns upward... :) )
 
Ed,
It doesn't annoy me;
in fact;
I think it's kind of humorous;that you feel the need to include your
certifications in a post.

And; if I'm not mistaken; MSFT has devoted a whole bunch of resources to
business migration.

Here for example:
http://www.microsoft.com/technet/windowsvista/library/default.mspx


You outta know; that;the best defense is hardware firewalls;
and all those initials-lol
BTW-running a laptop on mutiple networks; Vista firewall; no hacks;no
breakins;etc.
And at home;behind a hardware firewall;just for giggles.

Jeff
 
Edward - Although you are probably aware of it - but Vista provides a
"Windows Firewall and Security" snap-in for the Management Console which
provides more options than control panel security center.
 
"> Ed,
It doesn't annoy me;
in fact;
I think it's kind of humorous;that you feel the need to include your
certifications in a post.
Click to expand...

I had always left it there for other newsgroups, to let them know I was not
a dork and had already tried the usual suggestions to mitigate my problem.
Got tired of the canned responses to problems.
And; if I'm not mistaken; MSFT has devoted a whole bunch of resources to
business migration.

Here for example:
http://www.microsoft.com/technet/windowsvista/library/default.mspx
Click to expand...
The issues with Windows Firewall I expected, as beta versions do not have
the usual ADM/ADMX GPOs that one can import into Domina Controller and
configure.
You outta know; that;the best defense is hardware firewalls;
and all those initials-lol
BTW-running a laptop on mutiple networks; Vista firewall; no hacks;no
breakins;etc.
And at home;behind a hardware firewall;just for giggles.
Click to expand...

These days it is the drive by downloads that worry me. ZoneAlarm Pro and
Kaspersky Internet Suite have some good IPS and Layer 7 firewall features
that most software firewalls do not. Windows Firewall (Windows XP SP2,
Windows 2003 SP1, Vista RC1) are a definite improvement, but they still have
a way to go IMHO to catch up wiht third party features. Now ISA Server
2004/2006 is pretty good as a host-based firewall/IPS, but at $1500 (plus
Windows 2003 license to run it) price is a bit steep for client deployment.
Works great on domain controllers though, which are the family jewels of any
windows network.
 
Security risks in WINS and NetBIOS? None that I know of.

Anyway, if you insist on pooching the network settings you're going to have
issues. Leave well enough alone, that's what I say. ;-)

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Please do not run your machine without Windows firewall - especially
considering that you are exposing yourself not only to your normal
LAN, but also to the IPV6 world.

--
Jeffrey Randow
(e-mail address removed)
Windows Networking MVP 2001-2006

http://www.networkblog.net
 
To clarify my last posting -

Remember that Vista support P2P/Teredo tunnelling and PNRP (Peer Name
Resolution Protocol). To keep things simple - using PNRP/P2P/Teredo,
it is possible to connect to services (IIS, Remote Desktop, etc) from
another Vista computer if you know what your PNRP name is - without
any port forwarding or other tunnelling solutions.

When you have the firewall enabled, it becomes much more difficult to
get hacked.

--
Jeffrey Randow
(e-mail address removed)
Windows Networking MVP 2001-2006

http://www.networkblog.net

..On Wed, 27 Sep 2006 09:49:53 -0700, "Edward Ray"
 
You have not disabled IPv6? I'd never leave that thing on, it slows down
internet access and it is a major security risk for the reasons you explained
in the next post. Untill I have a firewall that will interact with me and
tell me exactly which app wants access to what and which way and I can
temporarely/permanently allow/disallow said access (Anybody knows how far the
people at ZoneLabs have come with a firewall for Vista?), IPv6 gets disabled
BEFORE I ever connect to the Internet.
 
Major security risk?
lol-maybe ya outta read up.
IPv6 is not a security threat. It's a protocol.
following your logic. IPv4 is a major security risk too.
A little Wiki refresher for ya.

http://en.wikipedia.org/wiki/IPv6
Too funny; maybe ya shouldn;t connect to the net. It's a security risk.
Jeff
 
Keep in mind that Vista uses iVP6 internally for functions such as "Network
Presentation" and "Meeting Space".
 
I leave it enabled to gain access to machines behind my home router
without having to do port redirection on my router (Teredo/PNRP)

--
Jeffrey Randow
(e-mail address removed)
Windows Networking MVP 2001-2006

http://www.networkblog.net
 
Back
Top