| | #1 (permalink) |
Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

I have had MANY problems since upgrading to Vista RC1 (now v5728) with connectivity in my Windows 2003 R2 native AD domain. Windows time not working, netdiag crashing, not picking up Kerberos tickets for Vista machine...

Once I disabled the firewall, things improved. Windows Time started automatically.

Let me say first that the new Windows Firewall is a great leap forward, but it is very complex and difficult to configure. I suspect once adm/admx files are available that it may become easier. Third-party firewalls are much easier to configure than Vista Firewall. Complexity is the hobgoblin of security, and Microsoft has made the Windows Firewall very difficult to understand and onerous to configure. Rules that I put in to open the firewall to domain connectivity appear not to work.

I would recommend to anyone deploying Vista in a pre-existing domain infrastructure to disable Windows Firewall completely for the near term.

--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #2 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

I haven't had a single problem with the Vista firewall in my AD domain.

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"Edward Ray" <ewray@newsgroup.nospam> wrote in message news:3692A5FD-07BD-4BE1-B8C3-EA2C1400CB74@microsoft.com...
> I have had MANY problems since upgrading to Vista RC1 (now v5728) with connectivity in my Windows 2003 R2 native AD domain. Windows time not working, netdiag crashing, not picking up Kerberos tickets for Vista machine...
>
> Once I disabled the firewall, things improved. Windows Time started automatically.
>
> Let me say first that the new Windows Firewall is a great leap forward, but it is very complex and difficult to configure. I suspect once adm/admx files are available that it may become easier. Third-party firewalls are much easier to configure than Vista Firewall. Complexity is the hobgoblin of security, and Microsoft has made the Windows Firewall very difficult to understand and onerous to configure. Rules that I put in to open the firewall to domain connectivity appear not to work.
>
> I would recommend to anyone deploying Vista in a pre-existing domain infrastructure to disable Windows Firewall completely for the near term.
>
> --
> Edward Ray
> CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #3 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

"Richard G. Harper" <rgharper@email.com> wrote in message news:%23BqyGDo4GHA.4616@TK2MSFTNGP05.phx.gbl...
> I haven't had a single problem with the Vista firewall in my AD domain.

I would be interested in what your configuration is. Do you use IPSec encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from an existing Windows XP SP2 install?

This firewall makes it very challenging to troubleshoot problems, so I find it best to disable it until you have everything working right, then enable.

--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #4 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are supported.

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"Edward Ray" <ewray@newsgroup.nospam> wrote in message news:A78503D1-EDF3-4493-872B-2EE0336BB849@microsoft.com...
> "Richard G. Harper" <rgharper@email.com> wrote in message news:%23BqyGDo4GHA.4616@TK2MSFTNGP05.phx.gbl...
>> I haven't had a single problem with the Vista firewall in my AD domain.
>
> I would be interested in what your configuration is. Do you use IPSec encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from an existing Windows XP SP2 install?
>
> This firewall makes it very challenging to troubleshoot problems, so I find it best to disable it until you have everything working right, then enable.
>
> --
> Edward Ray
> CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #5 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Oh sorry, only half-answered. Also have done both upgrades and clean installs with no problems.

--
Richard G. Harper [MVP Shell/User] rgharper@gmail.com
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm

"Edward Ray" <ewray@newsgroup.nospam> wrote in message news:A78503D1-EDF3-4493-872B-2EE0336BB849@microsoft.com...
> "Richard G. Harper" <rgharper@email.com> wrote in message news:%23BqyGDo4GHA.4616@TK2MSFTNGP05.phx.gbl...
>> I haven't had a single problem with the Vista firewall in my AD domain.
>
> I would be interested in what your configuration is. Do you use IPSec encryption (I do)? Do you use NetBIOS (I do not)? Did you upgrade from an existing Windows XP SP2 install?
>
> This firewall makes it very challenging to troubleshoot problems, so I find it best to disable it until you have everything working right, then enable.
>
> --
> Edward Ray
> CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #6 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

"Richard G. Harper" <rgharper@email.com> wrote in message news:%23VlL%23Yu4GHA.772@TK2MSFTNGP02.phx.gbl...
> No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are supported.

I do not use NetBIOS/WINS, due to security risks as well as not necessary (no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port 445 traffic using PKI authentication. As I said before, it takes a few boots to get it right when I had RC 1 5600; for 5728 I just disabled the firewall at first then re-enabled it. Having custom GPOs for Vista will help in the future.
| | #7 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Ed,
Gettin all wrapped up in this huh?
If you look at Windows Firewall; it's easy to setup now
And it's easy to use;
Jeff

"Edward Ray" <ewray@newsgroup.nospam> wrote in message news:239CB91A-3A39-454F-95E3-99ED82D89F8C@microsoft.com...
> "Richard G. Harper" <rgharper@email.com> wrote in message news:%23VlL%23Yu4GHA.772@TK2MSFTNGP02.phx.gbl...
>> No IPSec, and all forms of name resolution (NetBIOS, WINS and DNS) are supported.
>
> I do not use NetBIOS/WINS, due to security risks as well as not necessary (no Win9x or NT boxes in my domain). I IPSec encrypt ALL SMB/CIFS port 445 traffic using PKI authentication. As I said before, it takes a few boots to get it right when I had RC 1 5600; for 5728 I just disabled the firewall at first then re-enabled it. Having custom GPOs for Vista will help in the future.
| | #8 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

"Jeff" <scerevisiae@gmail.com> wrote in message news:eV5yusw4GHA.4832@TK2MSFTNGP06.phx.gbl...
> Ed,
> Gettin all wrapped up in this huh?
> If you look at Windows Firewall; it's easy to setup now
> And it's easy to use;
> Jeff

Jeff:

It may be easy for a single user, but when you have an organization with >500 potential Vista clients who is paying me for advice on ease of use, I have to report its shortcomings. Vista is geared primarily to get Windows 2000 (and potentially Windows XP pre-SP2) clients to upgrade to Vista. Stand-alone I am sure it works great, but for corporate buy-in it must play well with existing infrastructures. As I said in previous posts, my advice is to disable the firewall initially, then reenable after GPO's have been applied. In a network with multiple layers of protection, this does not present a major security risk. Perhaps when Vista ADM/ADMX files are released this will be an easier transition, but I will still prefer third-party AV/Firewall/IPS/App Protection over Windows Firewall for laptops, PDAs and other wireless devices that use the Windows OS.

Just because it annoys you, my certifications are below. I also have a BSEE from Cornell and an MSEE from UCLA (nose turns upward... )

--
Edward Ray
CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #9 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Ed,
It doesn't annoy me; in fact; I think it's kind of humorous; that you feel the need to include your certifications in a post.
And; if I'm not mistaken; MSFT has devoted a whole bunch of resources to business migration.
Here for example:
http://www.microsoft.com/technet/win...y/default.mspx
You outta know; that; the best defense is hardware firewalls; and all those initials-lol
BTW-running a laptop on multiple networks; Vista firewall; no hacks; no breakins; etc.
And at home; behind a hardware firewall; just for giggles.
Jeff

"Edward Ray" <ewray@newsgroup.nospam> wrote in message news:92B9F241-D74A-4A1B-9ACB-EBFC1EFF0DE4@microsoft.com...
> "Jeff" <scerevisiae@gmail.com> wrote in message news:eV5yusw4GHA.4832@TK2MSFTNGP06.phx.gbl...
>> Ed,
>> Gettin all wrapped up in this huh?
>> If you look at Windows Firewall; it's easy to setup now
>> And it's easy to use;
>> Jeff
>
> Jeff:
>
> It may be easy for a single user, but when you have an organization with >500 potential Vista clients who is paying me for advice on ease of use, I have to report its shortcomings. Vista is geared primarily to get Windows 2000 (and potentially Windows XP pre-SP2) clients to upgrade to Vista. Stand-alone I am sure it works great, but for corporate buy-in it must play well with existing infrastructures. As I said in previous posts, my advice is to disable the firewall initially, then reenable after GPO's have been applied. In a network with multiple layers of protection, this does not present a major security risk. Perhaps when Vista ADM/ADMX files are released this will be an easier transition, but I will still prefer third-party AV/Firewall/IPS/App Protection over Windows Firewall for laptops, PDAs and other wireless devices that use the Windows OS.
>
> Just because it annoys you, my certifications are below. I also have a BSEE from Cornell and an MSEE from UCLA (nose turns upward... )
>
> --
> Edward Ray
> CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE
| | #10 (permalink) |
Re: Might be a good idea to disable Windows Firewall altogether when in an Active Directory Domain

Edward -

Although you are probably aware of it - but Vista provides a "Windows Firewall and Security" snap-in for the Management Console which provides more options than control panel security center.

"Edward Ray" <ewray@newsgroup.nospam> wrote in message news:3692A5FD-07BD-4BE1-B8C3-EA2C1400CB74@microsoft.com...
> I have had MANY problems since upgrading to Vista RC1 (now v5728) with connectivity in my Windows 2003 R2 native AD domain. Windows time not working, netdiag crashing, not picking up Kerberos tickets for Vista machine...
>
> Once I disabled the firewall, things improved. Windows Time started automatically.
>
> Let me say first that the new Windows Firewall is a great leap forward, but it is very complex and difficult to configure. I suspect once adm/admx files are available that it may become easier. Third-party firewalls are much easier to configure than Vista Firewall. Complexity is the hobgoblin of security, and Microsoft has made the Windows Firewall very difficult to understand and onerous to configure. Rules that I put in to open the firewall to domain connectivity appear not to work.
>
> I would recommend to anyone deploying Vista in a pre-existing domain infrastructure to disable Windows Firewall completely for the near term.
>
> --
> Edward Ray
> CCIE Security, CISSP, GCIA Gold, GCIH Gold, MCSE+Security, PE