Tuesday, January 13, 2009

GPO: Disabling the Windows Firewall in Vista

Microsoft best practices advise keeping the Windows Firewall enabled at all times, yet a lot of companies prefer to disable the firewall inside their corporate networks. I know disabling might be the easy way out, because a properly configured firewall can surely add value to corporate security.

Well, if you do decide to take the easy way out, the following information can be quite handy.

If you had asked me how to disable the Windows Firewall in Microsoft Vista through policy, I would have answered:
"Enable the policy 'Do not allow the Windows Firewall to be run on your DNS domain'."

Recently I discovered that that policy has no effect on Windows Vista. If you want to disable the Windows Firewall in Windows Vista, you need to disable the policy "Windows Firewall: Protect all network connections".

You will find this setting in two different locations inside Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\:
  1. Domain Profile
  2. Standard Profile

Now what is the difference between these two profiles?

The domain profile applies when users were able to authenticate to a domain controller (not logged on with cached credentials), that is, when they are connected to the LAN and able to communicate with a domain controller.

The standard profile, on the other hand, applies when users are unable to authenticate to the domain controller and were therefore logged on by way of cached credentials. This is usually the case when users are not connected to the LAN, and thus unable to communicate (authenticate) with a domain controller (outside the office, in a hotel room, etc.).

As corporate LANs are usually protected by enterprise firewalls, it might be acceptable to disable the Windows Firewall inside the corporate network (domain profile). But outside the corporate network it is surely not advisable. So inside the standard profile I would not disable the Windows Firewall.
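To verify on a client what the policy actually enforces per profile, here is a PowerShell check added as an example (it is not part of the original post). It reads the `EnableFirewall` value that the "Windows Firewall: Protect all network connections" policy writes under `HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall`; the function name `Get-FirewallPolicyState` and the `Finding` text are made up for this example.

```powershell
# Added example: report the policy state of "Windows Firewall: Protect all
# network connections" for the domain and standard profiles on this machine.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

function Get-FirewallPolicyState {
    param([string]$ProfileKey)   # 'DomainProfile' or 'StandardProfile'

    $path  = Join-Path $PolicyRoot $ProfileKey
    $value = $null
    if (Test-Path $path) {
        # The value is absent when the policy is "Not configured".
        $item = Get-ItemProperty -Path $path -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($item) { $value = $item.EnableFirewall }
    }

    if     ($value -eq 1) { $state = 'Enabled (firewall forced on)' }
    elseif ($value -eq 0) { $state = 'Disabled (firewall forced off)' }
    else                  { $state = 'Not configured (local setting applies)' }

    # Flag the case the post advises against: firewall off while off the LAN.
    $finding = ''
    if ($ProfileKey -eq 'StandardProfile' -and $value -eq 0) {
        $finding = 'Firewall is off when no domain controller is reachable'
    }

    New-Object PSObject -Property @{
        Profile = $ProfileKey
        Policy  = $state
        Finding = $finding
    }
}

'DomainProfile', 'StandardProfile' |
    ForEach-Object { Get-FirewallPolicyState -ProfileKey $_ } |
    Format-Table Profile, Policy, Finding -AutoSize
```

Run it after `gpupdate /force` on a client in scope of the GPO; a non-empty `Finding` on the standard profile means the firewall is also disabled off the corporate network.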
