Windows Vista Forums

Vista - Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Old 09-28-2006   #11 (permalink)
Edward Ray


 
 

Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain


> Ed,
> It doesn't annoy me;
> in fact;
> I think it's kind of humorous;that you feel the need to include your
> certifications in a post.


I had always left it there for other newsgroups, to let them know I was not
a dork and had already tried the usual suggestions to mitigate my problem.
Got tired of the canned responses to problems.

>
> And; if I'm not mistaken; MSFT has devoted a whole bunch of resources to
> business migration.
>
> Here for example:
> http://www.microsoft.com/technet/win...y/default.mspx
>
>

The issues with Windows Firewall I expected, as beta versions do not have
the usual ADM/ADMX GPOs that one can import into Domain Controller and
configure.

> You oughta know; that;the best defense is hardware firewalls;
> and all those initials-lol
> BTW-running a laptop on multiple networks; Vista firewall; no hacks;no
> breakins;etc.
> And at home;behind a hardware firewall;just for giggles.


These days it is the drive by downloads that worry me. ZoneAlarm Pro and
Kaspersky Internet Suite have some good IPS and Layer 7 firewall features
that most software firewalls do not. Windows Firewall (Windows XP SP2,
Windows 2003 SP1, Vista RC1) are a definite improvement, but they still have
a way to go IMHO to catch up with third party features. Now ISA Server
2004/2006 is pretty good as a host-based firewall/IPS, but at $1500 (plus
Windows 2003 license to run it) price is a bit steep for client deployment.
Works great on domain controllers though, which are the family jewels of any
Windows network.



Old 09-28-2006   #12 (permalink)
Richard G. Harper


 
 

Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Security risks in WINS and NetBIOS? None that I know of.

Anyway, if you insist on pooching the network settings you're going to have
issues. Leave well enough alone, that's what I say. ;-)

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


"Edward Ray" <ewray@newsgroup.nospam> wrote in message
news:239CB91A-3A39-454F-95E3-99ED82D89F8C@microsoft.com...
>
> "Richard G. Harper" <rgharper@email.com> wrote in message
> news:%23VlL%23Yu4GHA.772@TK2MSFTNGP02.phx.gbl...
>> No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are
>> supported.
>>

> I do not use NetBIOS/WINS, due to security risks as well as not necessary
> (no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port
> 445 traffic using PKI authentication. As I said before, it takes a few
> boots to get it right when I had RC 1 5600; for 5728 I just disabled the
> firewall at first then re-enabled it. Having custom GPOs for Vista will
> help in the future.



Old 09-28-2006   #13 (permalink)
Jeffrey Randow


 
 

Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Please do not run your machine without Windows firewall - especially
considering that you are exposing yourself not only to your normal
LAN, but also to the IPV6 world.

--
Jeffrey Randow
jeffreycentex@gmail.com
Windows Networking MVP 2001-2006

http://www.networkblog.net

On Wed, 27 Sep 2006 09:49:53 -0700, "Edward Ray"
<ewray@newsgroup.nospam> wrote:

>I have had MANY problems since upgrading to Vista RC1 (now v5728) with
>connectivity in my Windows 2003 R2 native AD domain. Windows time not
>working, netdiag crashing, not picking up Kerberos tickets for Vista
>machine...
>
>Once I disabled the firewall, things improved. Windows Time started
>automatically.
>
>Let me say first that the new Windows Firewall is a great leap forward, but
>it is very complex and difficult to configure. I suspect once adm/admx
>files are available that it may become easier. Third-party firewalls are
>much easier to configure than Vista Firewall. Complexity is the hobgoblin
>of security, and Microsoft has made the Windows Firewall very difficult to
>understand and onerous to configure. Rules that I put in to open the
>firewall to domain connectivity appear not to work.
>
>I would recommend to anyone deploying Vista in a pre-existing domain
>infrastructure to disable Windows Firewall completely for the near term.

Old 09-28-2006   #14 (permalink)
Jeffrey Randow


 
 

Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

To clarify my last posting -

Remember that Vista supports P2P/Teredo tunnelling and PNRP (Peer Name
Resolution Protocol). To keep things simple - using PNRP/P2P/Teredo,
it is possible to connect to services (IIS, Remote Desktop, etc) from
another Vista computer if you know what your PNRP name is - without
any port forwarding or other tunnelling solutions.

When you have the firewall enabled, it becomes much more difficult to
get hacked.

--
Jeffrey Randow
jeffreycentex@gmail.com
Windows Networking MVP 2001-2006

http://www.networkblog.net

On Wed, 27 Sep 2006 09:49:53 -0700, "Edward Ray"
<ewray@newsgroup.nospam> wrote:

>I have had MANY problems since upgrading to Vista RC1 (now v5728) with
>connectivity in my Windows 2003 R2 native AD domain. Windows time not
>working, netdiag crashing, not picking up Kerberos tickets for Vista
>machine...
>
>Once I disabled the firewall, things improved. Windows Time started
>automatically.
>
>Let me say first that the new Windows Firewall is a great leap forward, but
>it is very complex and difficult to configure. I suspect once adm/admx
>files are available that it may become easier. Third-party firewalls are
>much easier to configure than Vista Firewall. Complexity is the hobgoblin
>of security, and Microsoft has made the Windows Firewall very difficult to
>understand and onerous to configure. Rules that I put in to open the
>firewall to domain connectivity appear not to work.
>
>I would recommend to anyone deploying Vista in a pre-existing domain
>infrastructure to disable Windows Firewall completely for the near term.
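
Added example, not part of any post in this thread: post #14 notes that Teredo/PNRP lets another Vista machine reach services without port forwarding, so a firewall profile that has been switched off matters more while the tunnel is up. The Python sketch below parses constructed sample text, laid out like the output of `netsh advfirewall show allprofiles` and `netsh interface teredo show state` and abbreviated to the lines it uses, and reports profiles whose firewall is off; the function names are illustrative.

```python
import re

# Constructed sample (not captured from a real host), abbreviated from the
# layout printed by `netsh advfirewall show allprofiles`.
FIREWALL_SAMPLE = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
"""

# Constructed sample in the layout of `netsh interface teredo show state`.
TEREDO_SAMPLE = """\
Teredo Parameters
---------------------------------------------
Type                    : client
Server Name             : teredo.ipv6.microsoft.com.
State                   : qualified
"""

def firewall_profiles(text):
    """Return {profile name: True if the firewall is ON} for each profile."""
    profiles, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^(\w+) Profile Settings:", line)
        if header:
            current = header.group(1)
        elif current and (m := re.match(r"^State\s+(ON|OFF)\s*$", line)):
            profiles[current] = m.group(1) == "ON"
    return profiles

def teredo_state(text):
    """Return the Teredo client state (e.g. 'qualified', 'offline'), or None."""
    m = re.search(r"^State\s*:\s*(\S+)", text, re.MULTILINE)
    return m.group(1).lower() if m else None

def findings(fw_text, teredo_text):
    """List profiles with the firewall off, noting whether Teredo is up."""
    tunnel_up = teredo_state(teredo_text) == "qualified"
    return [f"{name}: firewall OFF" + (", Teredo tunnel active" if tunnel_up else "")
            for name, on in firewall_profiles(fw_text).items() if not on]
```
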

Old 09-29-2006   #15 (permalink)
cyanna


 
 

Re: Might be a good idea to disable Windows Firewall altogether wh

You have not disabled IPv6? I'd never leave that thing on, it slows down
internet access and it is a major security risk for the reasons you explained
in the next post. Until I have a firewall that will interact with me and
tell me exactly which app wants access to what and which way and I can
temporarily/permanently allow/disallow said access (Anybody knows how far the
people at ZoneLabs have come with a firewall for Vista?), IPv6 gets disabled
BEFORE I ever connect to the Internet.

"Jeffrey Randow" wrote:

> Please do not run your machine without Windows firewall - especially
> considering that you are exposing yourself not only to your normal
> LAN, but also to the IPV6 world.
>
> --
> Jeffrey Randow
> jeffreycentex@gmail.com
> Windows Networking MVP 2001-2006
>
> http://www.networkblog.net
>
> On Wed, 27 Sep 2006 09:49:53 -0700, "Edward Ray"
> <ewray@newsgroup.nospam> wrote:
>
> >I have had MANY problems since upgrading to Vista RC1 (now v5728) with
> >connectivity in my Windows 2003 R2 native AD domain. Windows time not
> >working, netdiag crashing, not picking up Kerberos tickets for Vista
> >machine...
> >
> >Once I disabled the firewall, things improved. Windows Time started
> >automatically.
> >
> >Let me say first that the new Windows Firewall is a great leap forward, but
> >it is very complex and difficult to configure. I suspect once adm/admx
> >files are available that it may become easier. Third-party firewalls are
> >much easier to configure than Vista Firewall. Complexity is the hobgoblin
> >of security, and Microsoft has made the Windows Firewall very difficult to
> >understand and onerous to configure. Rules that I put in to open the
> >firewall to domain connectivity appear not to work.
> >
> >I would recommend to anyone deploying Vista in a pre-existing domain
> >infrastructure to disable Windows Firewall completely for the near term.

>

Old 09-29-2006   #16 (permalink)
Jeff


 
 

Re: Might be a good idea to disable Windows Firewall altogether wh

Major security risk?
lol-maybe ya oughta read up.
IPv6 is not a security threat. It's a protocol.
Following your logic, IPv4 is a major security risk too.
A little Wiki refresher for ya.

http://en.wikipedia.org/wiki/IPv6
Too funny; maybe ya shouldn't connect to the net. It's a security risk.
Jeff

"cyanna" <cyanna@discussions.microsoft.com> wrote in message
news:93F72DAC-A7E2-4C14-BB94-DC7623C8709E@microsoft.com...
> You have not disabled IPv6? I'd never leave that thing on, it slows down
> internet access and it is a major security risk for the reasons you
> explained
> in the next post. Until I have a firewall that will interact with me and
> tell me exactly which app wants access to what and which way and I can
> temporarily/permanently allow/disallow said access (Anybody knows how far
> the
> people at ZoneLabs have come with a firewall for Vista?), IPv6 gets
> disabled
> BEFORE I ever connect to the Internet.
>
> "Jeffrey Randow" wrote:
>
>> Please do not run your machine without Windows firewall - especially
>> considering that you are exposing yourself not only to your normal
>> LAN, but also to the IPV6 world.
>>
>> --
>> Jeffrey Randow
>> jeffreycentex@gmail.com
>> Windows Networking MVP 2001-2006
>>
>> http://www.networkblog.net
>>
>> On Wed, 27 Sep 2006 09:49:53 -0700, "Edward Ray"
>> <ewray@newsgroup.nospam> wrote:
>>
>> >I have had MANY problems since upgrading to Vista RC1 (now v5728) with
>> >connectivity in my Windows 2003 R2 native AD domain. Windows time not
>> >working, netdiag crashing, not picking up Kerberos tickets for Vista
>> >machine...
>> >
>> >Once I disabled the firewall, things improved. Windows Time started
>> >automatically.
>> >
>> >Let me say first that the new Windows Firewall is a great leap forward,
>> >but
>> >it is very complex and difficult to configure. I suspect once adm/admx
>> >files are available that it may become easier. Third-party firewalls
>> >are
>> >much easier to configure than Vista Firewall. Complexity is the
>> >hobgoblin
>> >of security, and Microsoft has made the Windows Firewall very difficult
>> >to
>> >understand and onerous to configure. Rules that I put in to open the
>> >firewall to domain connectivity appear not to work.
>> >
>> >I would recommend to anyone deploying Vista in a pre-existing domain
>> >infrastructure to disable Windows Firewall completely for the near term.

>>


Old 09-29-2006   #17 (permalink)
AJR


 
 

Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Keep in mind that Vista uses IPv6 internally for functions such as "Network
Presentation" and "Meeting Space".

"Edward Ray" <ewray@newsgroup.nospam> wrote in message
news:3692A5FD-07BD-4BE1-B8C3-EA2C1400CB74@microsoft.com...
>I have had MANY problems since upgrading to Vista RC1 (now v5728) with
>connectivity in my Windows 2003 R2 native AD domain. Windows time not
>working, netdiag crashing, not picking up Kerberos tickets for Vista
>machine...
>
> Once I disabled the firewall, things improved. Windows Time started
> automatically.
>
> Let me say first that the new Windows Firewall is a great leap forward,
> but it is very complex and difficult to configure. I suspect once
> adm/admx files are available that it may become easier. Third-party
> firewalls are much easier to configure than Vista Firewall. Complexity is
> the hobgoblin of security, and Microsoft has made the Windows Firewall
> very difficult to understand and onerous to configure. Rules that I put in
> to open the firewall to domain connectivity appear not to work.
>
> I would recommend to anyone deploying Vista in a pre-existing domain
> infrastructure to disable Windows Firewall completely for the near term.
>
> --
> Edward Ray
> CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
>



Old 10-01-2006   #18 (permalink)
Jeffrey Randow


 
 

Re: Might be a good idea to disable Windows Firewall altogether wh

I leave it enabled to gain access to machines behind my home router
without having to do port redirection on my router (Teredo/PNRP)

--
Jeffrey Randow
jeffreycentex@gmail.com
Windows Networking MVP 2001-2006

http://www.networkblog.net

On Fri, 29 Sep 2006 03:26:02 -0700, cyanna
<cyanna@discussions.microsoft.com> wrote:

>You have not disabled IPv6? I'd never leave that thing on, it slows down
>internet access and it is a major security risk for the reasons you explained
>in the next post. Until I have a firewall that will interact with me and
>tell me exactly which app wants access to what and which way and I can
>temporarily/permanently allow/disallow said access (Anybody knows how far the
>people at ZoneLabs have come with a firewall for Vista?), IPv6 gets disabled
>BEFORE I ever connect to the Internet.
>
>"Jeffrey Randow" wrote:
>
>> Please do not run your machine without Windows firewall - especially
>> considering that you are exposing yourself not only to your normal
>> LAN, but also to the IPV6 world.
>>
>> --
>> Jeffrey Randow
>> jeffreycentex@gmail.com
>> Windows Networking MVP 2001-2006
>>
>> http://www.networkblog.net
>>
>> On Wed, 27 Sep 2006 09:49:53 -0700, "Edward Ray"
>> <ewray@newsgroup.nospam> wrote:
>>
>> >I have had MANY problems since upgrading to Vista RC1 (now v5728) with
>> >connectivity in my Windows 2003 R2 native AD domain. Windows time not
>> >working, netdiag crashing, not picking up Kerberos tickets for Vista
>> >machine...
>> >
>> >Once I disabled the firewall, things improved. Windows Time started
>> >automatically.
>> >
>> >Let me say first that the new Windows Firewall is a great leap forward, but
>> >it is very complex and difficult to configure. I suspect once adm/admx
>> >files are available that it may become easier. Third-party firewalls are
>> >much easier to configure than Vista Firewall. Complexity is the hobgoblin
>> >of security, and Microsoft has made the Windows Firewall very difficult to
>> >understand and onerous to configure. Rules that I put in to open the
>> >firewall to domain connectivity appear not to work.
>> >
>> >I would recommend to anyone deploying Vista in a pre-existing domain
>> >infrastructure to disable Windows Firewall completely for the near term.

>>
