2008 Firewall Question
I am under the impression that the Domain Profile in the 2008\Vista Firewall automatically exempts the necessary ports for a domain-joined computer.
If that is the case, what is the purpose of the Netlogon Service Exception I see in the Exceptions tab?
If you look in the Advanced Security MMC, it appears to allow the Netlogon Service (NP-In) inbound over 445 TCP for the Netlogon Svc. It says for Remote Management... so is this really needed? What does it gain you, and should it not be an exception as part of a security best practice?
Sorry just a bit confused by this setting. If anyone can shed some light I would appreciate it. Haven't found much in documentation.
January 26th, 2009 7:47pm