Posted by Steven L Umbach on August 11, 2005, 8:53 pm
I think it may make sense as part of a defense in depth strategy to consider
using it on your domain, but it is up to you guys to decide to what degree
you want to manage risk, as there is some cost involved in implementing the
associated Group Policy for Windows Firewall and testing it.
You can of course configure exceptions for ports/protocol/IP and/or
applications to allow the Windows Firewall to be enabled yet functional, and
you may want to try a test group of computers in an OU at first to see if it
will work without being too problematic. Remember that the Windows Firewall
is stateful and only manages outbound traffic, which means that you could
enable it on a workstation and the workstation would be able to use file and
print sharing to access shares/printers on resource computers in the domain
that have exceptions for file and print sharing enabled. You may have the
need to create exceptions on the domain workstations for file and print
sharing if you use RSoP or manage the workstations remotely via Computer
Management or other SMB tools. However, you can configure the exceptions to
allow access only from domain controllers and admin workstations. That could
still allow the domain workstations to have extra protection from an
infected/compromised computer on the network, whether it is an authorized
computer or not. The Windows Firewall can also prevent domain users from
trying to access and share files on their computers with other domain users
if they happen to be power users or local administrators, which can improve
security and productivity. If you decide to try it, you will find that
enabling firewall logging on a test computer can help track down access
problems. --- Steve
> In my organization I've deployed Internet Connection Firewall in our AD
> domain. It works great so far and our laptops get ICF enabled when machines
> are not logged on to the domain. In my view it is counterproductive and it
> defeats the purpose of enabling ICF while machines are in the domain, since
> e-mail, file & print, etc. would run into issues there.
>
> Now one of our network folks would like to enable a type of desktop firewall
> in the internal network, for all desktops connected to the domain.
> Do you see a need for that?
>
> The way I see it is that I could enable ICF on the domain in case of
> emergencies, for example, or even deploy IPSec filters in the entire domain
> in case an emergency hits.
>
> Please advise.
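As an added example, not from either poster, here is how the approach Steve describes (firewall on for the Domain profile, file and print sharing and remote administration exceptions reachable only from the DCs and admin workstations, logging on) can be applied to a pilot workstation with the XP SP2 / 2003 SP1 `netsh firewall` context before the same settings are put into the Domain Profile section of the Windows Firewall Group Policy. The addresses are constructed placeholders.

```batch
@echo off
REM Added example (not from the original thread): local equivalent of the
REM Windows Firewall Group Policy settings discussed above, for a test machine.
REM Constructed placeholder addresses for domain controllers and admin
REM workstations; replace with your own.
set ADMIN_HOSTS=192.0.2.10,192.0.2.11,192.0.2.50

REM Enable the firewall for the Domain profile (in effect when a DC is
REM reachable) and allow the exceptions configured below to apply.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

REM File and Print Sharing exception limited to the listed hosts, so other
REM domain users (even local admins on their own box) cannot browse this
REM machine's shares; outbound access to resource servers is unaffected.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%ADMIN_HOSTS% profile=DOMAIN

REM Remote administration (RPC/DCOM used by Computer Management, RSoP, WMI)
REM with the same restricted scope.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=%ADMIN_HOSTS% profile=DOMAIN

REM Log dropped packets and successful connections so access problems found
REM during the pilot can be traced in %windir%\pfirewall.log.
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

REM Review the resulting configuration.
netsh firewall show config
netsh firewall show logging
```

Once the pilot OU behaves, the matching policy settings live under Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile, with the same address list in each exception's scope.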