Windows Firewall on or off with an ASA in place?
I have recently been instructed to disable the firewall on all of our Win7 desktops by my director. I feel a bit uncomfortable doing this and wanted some other thoughts on the safety of this or if there is a recommended best practice. Here is a rundown of our setup. We are primarily an AD environment. We use an ASA firewall on the network. It is a wired network with 8e6 authentication for going outside the local network. It is a single subnet that our workstations exist on. We run in the neighborhood of 300-350 workstations and 150 or so laptops. The laptops go out into the field and attach to various unsecured networks (read home networks and coffee shops). My concern really stems from the laptops. If a laptop does get a bug on it, is there any security for our other networks when it is plugged in again? We don't have health monitoring set up on the network (and no plans are in place to do this). Our users do not have admin rights to their local workstations or laptops; there are only 8 of us in the agency that have that clearance. I have been administering the local firewalls through a series of GPOs (our domain is 2008). Originally my director wanted the firewall dropped from the workstations but I refused as we had an unsecured wireless network that was attached to our network at the time. But now that has been moved to a different VLAN so it shouldn't be an issue again.
January 21st, 2012 9:22am

Here are the reasons I was given when asked why I should follow the order to disable the firewall:
1. It causes latency
2. Makes network troubleshooting difficult
3. The ASA and our 8e6 filter protect the network
4. We never used it in WinXP
5. Our security vendors say that it is best practice not to have the Windows Firewall enabled on workstations
I seriously doubt that #5 is correct, but that's what my director and the network security admin insist. I'm not sure what brought this desire to turn this off; I know that I have been administering it through GPO since the beginning and have only made a handful of exceptions in the firewall and no additional restrictions. Everything our desktop support group does is working flawlessly with it in place, so I just don't get it. Power/control issue? Security moved from being controlled by the network security admin and into my realm with the introduction of Win7 back in August.
January 24th, 2012 11:30pm

Best practice is to have the firewall enabled and managed through GPO, which you're already doing. There are many reasons why, but not least the threat from malicious machines / malware on your internal network, maybe brought in on your laptops which connect to potentially hostile networks frequently. Surely any reason your Director has for disabling it can be addressed with a rule change through the GPO, without just disabling it altogether. Douks
January 28th, 2012 12:57pm

That is what my opinion has been. The idea of on/off configurations for the firewall on the laptops was an idea I had considered as well. The idea being, if the Director is that insistent, I allow firewalls off on the internal network but on when off the network, which if I read the info on configuring the GPOs correctly should be workable. But the issue here remains that if a machine does become infected, the firewall will still be down for everyone else once they plug back into the LAN.
January 28th, 2012 2:04pm

Absolutely! I would still have the firewall on for both laptops and desktops, but... The way I handle my laptops is to have different firewall rule sets for public / domain networks. In this way a more restrictive rule set can apply to the laptops when they are away from the internal domain network. Windows takes care of detecting if the machine is on the domain and applies the appropriate rule set. I even go to the lengths of restricting some outbound traffic when on public networks. Douks
January 28th, 2012 2:43pm
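The profile-based setup Douks describes, written out as an added example (not from the thread and not a recommendation of any vendor named in it): the firewall stays on in every profile, the domain profile keeps the permissive baseline the desktop support group is used to, and the public profile that a roaming laptop lands in blocks inbound and restricts outbound. It uses netsh advfirewall, which is available on Windows 7, so the same lines work from an elevated cmd or PowerShell prompt; the management subnet and rule names are assumed placeholders, and in production these settings are pushed from the Windows Firewall with Advanced Security node of a GPO rather than run by hand.

```powershell
# Assumed placeholder: the subnet your 8 admins manage from. Replace before use.
$MgmtSubnet = "10.0.0.0/24"

# 1. Firewall on in all three profiles (domain, private, public). Never "off".
netsh advfirewall set allprofiles state on

# 2. Domain profile: inbound blocked by default, outbound allowed, with the handful
#    of support exceptions the thread mentions expressed as explicit rules.
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Support - RDP from mgmt subnet" dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtSubnet profile=domain
netsh advfirewall firewall add rule name="Support - ICMP echo from mgmt subnet" dir=in action=allow protocol=icmpv4:8,any remoteip=$MgmtSubnet profile=domain

# 3. Public profile (home networks, coffee shops): block all inbound regardless of any
#    local allow rule, and block outbound except what is explicitly permitted.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,blockoutbound
netsh advfirewall firewall add rule name="Public - DHCP client" dir=out action=allow protocol=UDP localport=68 remoteport=67 profile=public
netsh advfirewall firewall add rule name="Public - DNS" dir=out action=allow protocol=UDP remoteport=53 profile=public
netsh advfirewall firewall add rule name="Public - web and VPN over TLS" dir=out action=allow protocol=TCP remoteport=80,443 profile=public

# 4. Log dropped packets in every profile, so a laptop that comes back infected and
#    starts scanning the LAN leaves evidence in pfirewall.log instead of going unnoticed.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384

# 5. Verify: which profile is active right now, and the effective policy per profile.
netsh advfirewall monitor show currentprofile
netsh advfirewall show allprofiles
```

When a domain-joined laptop is plugged back into the office LAN, Windows switches it to the domain profile automatically (the machine must be able to reach a domain controller), so the stricter public rule set applies only while it is away.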

