Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Que peut-on faire pour réactiver correctement le pare-feu Windows sur un domaine ?

ayi

BACKGROUND/RESEARCH

I honestly believe that questions like this one: Using GPO in Active Directory domain to force workstations Windows Firewall to disabled - how? existed parce que Windows Admins in general were taught long ago that:

"the easiest thing to do quand dealing avec a domain computer is to
juste have a GPO on le domain to désactivez le Windows Firewall...it
will cause you much less heartache in le end." - random IT instructors/mentors depuis years gone by

I can aussi say that at MOST companies J'ai done side work for this has been le case, où a GPO at a minimum disabled le Windows Firewall for le domain profile et at WORST disabled it aussi for le public profile.

Even further, certains will disable it for le servers themselves: Disable firewall for all network profiles on Windows Server 2008 R2 through GPO

A Microsoft Technet Article on the WINDOWS FIREWALL recommends you DO NOT désactivez le Windows Firewall:

Because Windows Firewall avec Advanced Security plays an important
part in helping to protect votre computer depuis security threats, we
recommend that you do pas disable it sauf si you install another
firewall depuis a reputable vendor that provides an equivalent level of
protection.

This ServerFault question asks le real question: Is it alright to turn off firewall in a LAN using Group Policy? -- et le experts here are even mixed in leur view.

And understand Je suis pas referring to disabling/enabling le SERVICE: How can I back up my recommendation to NOT disable the Windows Firewall service? -- so as to be clear that this is about si ou pas le firewall service enables le firewall ou disables it.

THE QUESTION AT HAND

So I get back to le Title of this question...what can be done to properly re-activez le Windows firewall on a domain? Specifically for client workstations et leur domain profile.

Before simply switching le GPO depuis Disabled to Enabled, what planning steps should be taken to ensure that flipping le switch ne cause critical client/server applications, allowable traffic, etc. to suddenly fail? Most places ne va pas tolerate le "change it et see who calls le Helpdesk" mindset here.

Are there checklists/utilities/procedures disponible depuis Microsoft to handle such a situation? Have you been in this situation yourself et how did you deal avec it?

ayi

What can be done to properly re-enable the Windows firewall on a domain?

Well, le short answer is that c'est going to be a lot of work si you decide to forge ahead, et for le record, Je suis pas sure I would.

In le general case, client firewalls ne provide much security in a corporate network (which typically has hardware firewalls et controls this type of thing at le edge), et malware authors these days are smart enough to use port 80 for leur traffic, parce que virtually no one blocks that port, so you get a lot of effort putting something in place to provided limited security benefit.

Having said that, le long answer is:

Inventory applications et leur connectivity needs as best you can.
If you can safely activez le Windows Firewall avec an allow all rule et set logging, this will be a treasure trove of data for determining what apps you have that need firewall exculsions.
If you ne peut pas collect logging data non-intrusively, you'll have to make do avec a simple inventory, ou do votre logging on users who can handle disruption et intrusive IT activity (like yourself et autre techs, par exemple).
Think about votre troubleshooting needs.
Il y a things that probably ne va pas come up in a software audit that you need to think about. Par exemple:
You might want to allow ICMP (or ICMP depuis approved address spaces) to make troubleshooting et IP address management pas horrible.
Likewise, exclusions for tout remote management applications you guys use.
You'll aussi probably want to set firewall logging by policy
Créez un baseline GPO et deploy it to a test group, ou multiple test groups.
While you ne peut pas juste do it et let le helpdesk sort it out for everyone, management is going to be a lot more open to piloting le changes avec a select group of hand-picked employees, especially si they think il y a a valid security concern.
Pick votre test group carefully. It might be wise to use IT folk first, alors widen le group to include people depuis autre departments.
Évidemment, monitor votre test group et stay in constant communication avec them to quickly resolve issues you didn't catch le premier time around.
Roll out le change slowly, et in stages.
Once you've tested it to votre satisfaction, you should encore exercise caution, et pas juste push it out to le whole domain at once. Roll it out to smaller groups, qui you'll have to define according to votre organization's structure et needs.
Make sure you have something in place to handle future changes.
Just making it work for what you have in votre environment now n'est pas going to be enough, parce que you will end up avec nouveau applications on votre domain, et you'll have to make sure le firewall policy is updated to accommodate them, ou someone ci-dessus you will decide le firewall is more trouble than c'est worth et will have le policy removed, eliminating et le work you've put into it so far.