Best Practice: Settings for firewall in Windows 7
Hello, I am currently working on a larger deployment of Windows 7 clients (approx. 250 in multiple locations) and I was wondering how to configure the Windows onboard firewall for best performance while maintaining basic security.

The clients are all on local networks, which are interconnected through a private WAN. The private WAN then offers access to the internet. At each network border there is at least one central firewall deployed. When networks of different administrative domains are interconnected, each domain maintains its own firewall. The internet uplink is secured by a proxy server and a firewall with NAT.

Since we (the company I am with) have deployed quite a few firewalls throughout the network, we do not want to rely on the desktop firewall of the clients. They are intended to be used as a last line of defence (if at all). Therefore we want to allow all traffic from the domain (domain profile - allow all). I am not sure yet whether we are going to allow all private networks as well or whether we just add the private networks providing service to the clients (which would be nearly 10.0.0.0/8). For public networks we want to allow all outbound traffic while all inbound traffic will be denied.

The question is how to do such a configuration so that performance and the ability to manage / audit the rules do not get compromised. As I see it, we have three options here:

1.) Disable the firewall for the domain and private networks profiles. Set the public networks profile to allowoutbound, denyinbound.
2.) Enable the firewall for all profiles, but set the default actions to meet the criteria. Domain profile --> allowinbound, allowoutbound; Private profile --> allowinbound, allowoutbound; Public profile --> denyinbound, allowoutbound.
3.) Enable the firewall for all profiles and set the default action for outbound and inbound traffic to deny. Then add a default rule to allow any inbound / outbound traffic for each profile. So the rules would read something like "any program can communicate with any source IP with any destination IP..."

Which configuration would you prefer? Does anybody here know about advice on best practices from Microsoft? Thanks already for joining the discussion!

-----------------------
Greetings from Germany, Martin
May 17th, 2011 1:49am
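Martin's options 1 and 2 written out as a netsh advfirewall script, added here as an illustration and not taken from any post in the thread. It assumes an elevated prompt and a placeholder backup path, and uses netsh rather than the NetSecurity cmdlets because those need Windows 8 / PowerShell 3, not Windows 7.

```powershell
# Added example (not from the thread): apply "option 2" with netsh advfirewall,
# which ships with Windows 7. Assumptions: elevated prompt; the backup path is a
# placeholder. For 250 clients the same settings would normally be pushed as a
# Group Policy (Windows Firewall with Advanced Security) rather than scripted per host.

$backupDir = "C:\Temp"                                     # placeholder
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
$backup = Join-Path $backupDir ("wf-before-{0}.wfw" -f (Get-Date -Format yyyyMMdd))
netsh advfirewall export $backup | Out-Null                # keep a rollback copy

# Option 2: the firewall stays ON in every profile; only the default actions differ.
# Domain / private: trust the upstream firewalls, allow in and out.
netsh advfirewall set domainprofile  state on
netsh advfirewall set domainprofile  firewallpolicy allowinbound,allowoutbound
netsh advfirewall set privateprofile state on
netsh advfirewall set privateprofile firewallpolicy allowinbound,allowoutbound
# Public: block unsolicited inbound, allow outbound (the roaming-laptop case).
netsh advfirewall set publicprofile  state on
netsh advfirewall set publicprofile  firewallpolicy blockinbound,allowoutbound
# Log drops on the public profile so the "last line of defence" is auditable.
netsh advfirewall set publicprofile  logging droppedconnections enable

# Option 1 differs only in the domain/private lines: "state off" instead of an
# allow-all policy. The Windows Firewall service (MpsSvc) keeps running in both
# options, which is what lets NLA switch a client to the public profile when it
# leaves the domain network; only the service itself should never be disabled.
# netsh advfirewall set domainprofile  state off
# netsh advfirewall set privateprofile state off

# Audit: parse state and default policy per profile so the configuration can be
# verified on each client (e.g. from a logon script). The match strings are those
# of an English Windows; a localized system prints translated labels.
function Get-FirewallProfileSummary {
    $text = netsh advfirewall show allprofiles
    $profile = $null; $state = $null; $result = @()
    foreach ($line in $text) {
        if ($line -match '^(\w+) Profile Settings:') { $profile = $Matches[1]; continue }
        if ($profile -and $line -match '^State\s+(\w+)') { $state = $Matches[1] }
        if ($profile -and $line -match '^Firewall Policy\s+(\S+)') {
            $result += [pscustomobject]@{ Profile = $profile; State = $state; Policy = $Matches[1] }
            $profile = $null
        }
    }
    $result
}

Get-FirewallProfileSummary | Format-Table -AutoSize
```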

Hi Martin,

You may refer to the following links to check if the information helps:

- Best Practices for Managing Windows Firewall
- Firewall Best Practices

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Regards,
Sabrina
TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com

This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
May 18th, 2011 1:47am

Hello Sabrina, thanks for the input. Unfortunately, it is not exactly what I am looking for. The linked TechNet article "Best Practices for Managing Windows Firewall" refers to Windows kernel 5.2 instead of 6.1. Also, it focuses on managing the firewall on servers instead of Windows clients. The linked blog describes firewalls and their role in network security in general. While it is interesting to read, it does not provide any information which is completely new to me.

I am more interested in the performance penalties which are caused by the various possible configurations for the firewall on a Windows client. Also I am wondering if there are any risks, problems or considerations I should be aware of before enabling / configuring the firewall service on Windows clients throughout a network.

-----------------------
Greetings from Germany, Martin
May 18th, 2011 4:47am

Hmm ... not really much activity on this thread. Is the question really that hard?

-----------------------
Greetings from Germany, Martin
May 19th, 2011 3:04am

Hello Martin,

Network security settings are critical. Therefore, I would like to suggest you submit a consult case to our consult service to get help with the detailed information.

Support option: Call now for $210 USD/hour, Advisory Services (800) 936-5200

Personally, I prefer option 1. On Windows Vista and later OSs, the NLA service will detect the current network environment. Windows Firewall then applies the proper firewall profile depending on the detection result. Therefore, in your environment the clients should apply the domain firewall profile. (Disabling the domain firewall profile will provide the best performance and avoid potential network connectivity problems.) If one client is moved to a public network, then Windows Firewall will provide basic protection of the client.
May 19th, 2011 5:15am

Thanks for the advice. I guess I will need the advisory services ...

-----------------------
Greetings from Germany, Martin
May 19th, 2011 9:40am
