Switching on local firewall on all domain servers and client pcs

Soldato
Joined
30 Sep 2005
Posts
16,541
Everywhere I have ever worked has automatically disabled the local firewall, rightly or wrongly.

I'm looking into switching on ours here, but want to know the things to check before doing so.

Any PowerShell scripts to check for used ports etc.? The last thing I want to do is turn it on only to have a million things stop working... or even worse, stop working and us not finding out for six months.

Thanks!!
 
Soldato
Joined
18 Oct 2002
Posts
8,117
Location
The Land of Roundabouts
This is a proper hang-up from the XP/Vista days when the firewall was a neglected feature! Luckily, these days most decent software will put the necessary firewall rules in place when it installs, so you shouldn't have to do that much work! (he says!...) It's services that don't get installed that are likely to fall foul, i.e. Tomcat.

Theoretically, if you have a central syslog you could use that to log the connections.
 
Soldato
Joined
25 Oct 2002
Posts
2,622
The firewall can be configured to log all connections to a file, so one thing you could do is turn it on with everything allowed to pass through and leave it running for a few weeks. You can then capture those log files to help build out any specific rules which something may need.
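An added example of the "allow everything but log it" approach described above, written for this thread rather than taken from it. It assumes the NetSecurity cmdlets (Windows 8 / Server 2012 or later), an elevated session, and the default pfirewall.log location; it puts all three profiles into audit mode, snapshots what is currently listening, and summarises the inbound connections the log recorded so the real allow rules can be written before the default inbound action is flipped to Block.

```powershell
# Added example, not from the thread. Assumes NetSecurity module and an elevated shell.
$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

function Enable-FirewallAuditMode {
    # Firewall on, nothing blocked yet, both allowed and blocked traffic logged.
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -Enabled True `
        -DefaultInboundAction Allow -DefaultOutboundAction Allow `
        -LogAllowed True -LogBlocked True `
        -LogFileName $LogPath -LogMaxSizeKilobytes 32767
}

function Get-ListeningPortReport {
    # What is listening right now, mapped to the owning process (the "used ports" check).
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            PID     = $_.OwningProcess
        }
    } | Sort-Object Port -Unique
}

function Get-InboundPortSummary {
    param([string]$Path = $LogPath)
    # pfirewall.log is W3C format: '#' header lines, then fields
    # date time action protocol src-ip dst-ip src-port dst-port ... path
    # Only ALLOW + RECEIVE lines matter when building inbound allow rules.
    Get-Content $Path | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 17 -and $f[2] -eq 'ALLOW' -and $f[16] -eq 'RECEIVE') {
                [pscustomobject]@{ Protocol = $f[3]; DstPort = $f[7]; SrcIP = $f[4] }
            }
        } |
        Group-Object Protocol, DstPort | ForEach-Object {
            [pscustomobject]@{
                Protocol   = $_.Group[0].Protocol
                Port       = $_.Group[0].DstPort
                Hits       = $_.Count
                UniqueSrcs = ($_.Group.SrcIP | Sort-Object -Unique).Count
            }
        } | Sort-Object Hits -Descending
}

# Enable-FirewallAuditMode          # run once, then leave it for a few weeks
# Get-ListeningPortReport | Format-Table
# Get-InboundPortSummary  | Format-Table
```

Run the summary against logs collected from several machines before writing rules; a port with many hits from many unique sources is a service that needs an explicit allow rule, while one-off entries are usually noise.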
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,541
The firewall can be configured to log all connections to a file, so one thing you could do is turn it on with everything allowed to pass through and leave it running for a few weeks. You can then capture those log files to help build out any specific rules which something may need.

That's a brilliant idea

Thanks
 
Soldato
Joined
18 Oct 2002
Posts
4,898
Don’t do what one of my customers did and enable the firewall on all Clients with a GPO that blocks everything outbound except DNS, then wonder why nobody is able to log on!

“Can I just disable the GPO and wait for the machines to update?” he said :p

Fortunately it was only a school so everything was within walking distance.
 
Soldato
OP
Joined
30 Sep 2005
Posts
16,541
Don’t do what one of my customers did and enable the firewall on all Clients with a GPO that blocks everything outbound except DNS, then wonder why nobody is able to log on!

“Can I just disable the GPO and wait for the machines to update?” he said :p

Fortunately it was only a school so everything was within walking distance.

Ouch.

I remember years ago someone in the office installed the DirectAccess role with default settings, not knowing it creates a domain-wide GPO to drop clients off the domain network lol

That was a fun afternoon
 