Windows Firewall characteristics
Hi there, is there documentation on the security of Windows Firewall? We have a customer asking how much a local administrator can do if the Windows Firewall is managed through GPO. So far we have tested some basic things, like adding exceptions as a local admin. If the merge local rules option is off, this doesn't do anything. You can turn them on/off (2nd tab of Windows Firewall) but nothing actually changes. So we figured we'd just stop the Windows Firewall service. Apparently that blocks all incoming traffic (our connection over RDP dropped dead, the webserver running on it was no longer reachable, basically any service we tried was no longer reachable). So it seems that if one stops the Windows Firewall service, it blocks all incoming traffic regardless of ruleset. Outgoing traffic, however, was still allowed. Or so it seems; as a backup we had TeamViewer host installed and we could connect to the machine over TeamViewer. Anyway, we'd basically like a complete list of what Windows Firewall will do if a local admin tries X. Is there any documentation on this already? Don't quite want to reinvent the wheel :). At least we would like some info on what would happen if one were to try to add rules through the registry. TIA
January 25th, 2011 5:57am

Never heard of this before. I disable Windows Firewall when I need to connect. On which OS are you doing this? I don't know of any documentation about this. Sorry.
Kind regards, Dennis van Wankum MCSA - MCDST - MCP
January 25th, 2011 10:28am

Windows 2008 32 bit, in Amazon VPC actually. Couldn't connect from other machines in the same VPC subnet anymore either. Do note there is a GPO on this computer, stating local firewall rules are not allowed, with a default deny on both ingress and egress. Basic outbound stuff is then allowed (core networking and file sharing, both required to retrieve GPOs, as is lsass.exe). Then inbound tcp/3389 is allowed. All these settings are in 1 GPO. Then we stopped the firewall service (disabling the firewall through the Windows Firewall UI of course isn't possible as the GPO prevents this). Not sure if there will be a difference between stopping the service and disabling it; haven't tried disabling it.
January 25th, 2011 10:36am

Strange, I do this with Windows XP and Windows 7 all the time without problems and for the same reasons you disable the services. I guess it indeed has something to do with the GPO stating if the firewall is not enabled, disable all, or something like that.
Kind regards, Dennis van Wankum MCSA - MCDST - MCP
January 25th, 2011 10:58am

Hi, Yes. If the Windows Firewall service is stopped, inbound connections are blocked because of the boot-time policy being applied. The proper way to completely stop the firewall is through one of the GUIs or Netsh and then setting the service to disabled in Services Manager. Regarding the policy merge model, please see http://technet.microsoft.com/en-us/library/cc766312(WS.10).aspx
January 27th, 2011 2:38am
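
For checking a host like the one discussed above, the following read-only PowerShell report is an added example, not code from any poster in the thread. It assumes the usual registry locations for GPO-delivered firewall policy and for locally created rules, and the service name MpsSvc.

```powershell
# Added example: read-only report of GPO-enforced Windows Firewall settings
# and the state of the firewall service (MpsSvc). Run from an elevated prompt.
# Assumption: standard registry locations for GPO policy and for local rules.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRules = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
$valueNames = 'EnableFirewall', 'DefaultInboundAction', 'DefaultOutboundAction', 'AllowLocalPolicyMerge'

foreach ($p in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $key = Join-Path $policyRoot $p
    if (-not (Test-Path $key)) {
        Write-Output "$p : no GPO settings for this profile"
        continue
    }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        # 1 = on / block / merge allowed, 0 = off / allow / local rules ignored
        $v = $props.$name
        if ($null -eq $v) { $v = 'not configured' }
        Write-Output ("{0,-15} {1,-22} {2}" -f $p, $name, $v)
    }
}

# Rule counts: GPO-delivered rules versus rules created locally on the machine.
# With AllowLocalPolicyMerge = 0 the local rules exist but are not applied.
foreach ($path in (Join-Path $policyRoot 'FirewallRules'), $localRules) {
    $count = 0
    if (Test-Path $path) { $count = (Get-Item $path).ValueCount }
    Write-Output ("{0} rule(s) under {1}" -f $count, $path)
}

# Service state and start mode. The thread reports that a stopped service
# leaves inbound traffic blocked rather than open.
$svc = Get-WmiObject Win32_Service -Filter "Name='MpsSvc'"
Write-Output ("MpsSvc state: {0}, start mode: {1}" -f $svc.State, $svc.StartMode)
if ($svc.State -ne 'Running') {
    Write-Output 'Firewall service is not running: expect inbound traffic to be blocked, as described in the thread.'
}
```

Running it before and after a local administrator changes something shows whether the change landed in the local rule store, the policy store, or only in the service state.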
