Microsoft undertook a large-scale project to bolster security in Windows XP Service Pack 2 (released in 2004), with the same work reaching Windows Server 2003 in Service Pack 1 the following year. It included a full-featured endpoint firewall (Windows Firewall) that was enabled by default. The effort was part of what was known at the time as the Vista reset, which put a temporary freeze on development of Microsoft’s next operating system.
Although XP and Server 2003 had only been released a few years before those service packs arrived, the security landscape had changed dramatically, with networked Windows XP clients increasingly exposed to attack through the services they left listening on the network.
While Windows XP had previously included the Internet Connection Firewall (ICF), it was turned off by default and offered limited functionality, so a complete, on-by-default endpoint firewall was something new for Windows administrators.
It was common practice to turn off Windows Firewall as part of the build for PCs and servers on the corporate intranet. This was largely because the network edge firewall was assumed to provide enough protection for intranet devices, and because system administrators didn’t yet know how to work with the new firewall. Where it was considered unnecessary, removing it from the equation was the easiest way to get systems up and running quickly.
Fast forward to 2013, and all too often I come across servers where Windows Firewall has been switched off, either as part of the build or because it was temporarily turned off in an attempt to resolve an issue and never re-enabled.
Disabling Windows Firewall increases the attack surface of Windows Server. Any compromised machine that gains access to your corporate intranet can connect to an unprotected server and exploit a vulnerability in a listening Windows service or third-party application, and the edge firewall does nothing to stop traffic that originates inside the network. A host firewall also helps against denial-of-service traffic on the intranet, where an attacker bombards a server with packets to crash it or make it unavailable: unsolicited packets to ports that don’t need to be reachable are simply dropped. It can’t, however, protect a server against a flood that saturates its network link, so it complements rather than replaces upstream filtering.
Windows Server has tools that help configure Windows Firewall so that your server stays functional. The Security Configuration Wizard (SCW) can be used as a standalone tool or to build a Group Policy Object (GPO) that applies firewall settings across multiple servers. SCW works by asking the administrator which roles, features and services the server is expected to host, and then configures security accordingly, including the Windows Firewall rules those roles need. On Windows Server 2008 and later, the Windows Firewall with Advanced Security console and the netsh advfirewall command expose the same rule set, and from Windows Server 2012 the NetSecurity PowerShell cmdlets do too; all of these rules can also be delivered through Group Policy.
For more advanced troubleshooting, Windows Firewall can write its own log (disabled by default; the default location is %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log) recording dropped packets and, optionally, successful connections. There’s also the netstat command line tool: netstat -ano shows all active TCP and UDP connections and listening ports for the device, together with the owning process ID, so a blocked application can be tied to the port it needs. Between the log and netstat you can identify exactly which port, protocol and source need a rule. In any situation, disabling Windows Firewall should only ever be a temporary step in the troubleshooting process; the fix is a scoped rule, not a switched-off firewall.
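As an added example (not code from the original article), the PowerShell script below walks through that process on Windows Server 2012 or later, where the NetSecurity cmdlets (Get-NetFirewallProfile, Set-NetFirewallProfile, New-NetFirewallRule) and Get-NetTCPConnection are available: audit the profile state, re-enable the firewall and dropped-packet logging, parse the DROP lines from the log, match them against what is actually listening, and add a scoped allow rule instead of switching the firewall off. The log path is the default one; the application name ‘ExampleApp’, port 8443 and the subnet 10.20.0.0/24 are placeholders assumed for this example. Run it from an elevated prompt.

```powershell
# Added example for the article above; not the article's own code.
# Assumes Windows Server 2012 / Windows 8 or later (NetSecurity module and
# Get-NetTCPConnection present). Run from an elevated PowerShell prompt.

# 1. Audit: is the firewall on for every profile, and what does it do by default?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2. Re-enable any profile that was switched off and turn on dropped-packet
#    logging (off by default) so troubleshooting works from evidence.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# 3. Parse DROP entries from the firewall log. The W3C-style fields are:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags
#    tcpsyn tcpack tcpwin icmptype icmpcode info path   (path = SEND/RECEIVE)
function Get-FirewallDrops {
    param(
        [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [int]$Last = 50
    )
    Get-Content -Path $LogPath -ErrorAction Stop |
        Where-Object { $_ -match '^\S+ \S+ DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time      = "$($f[0]) $($f[1])"
                Protocol  = $f[3]
                SrcIP     = $f[4]
                DstIP     = $f[5]
                SrcPort   = $f[6]
                DstPort   = [int]$f[7]
                Direction = $f[-1]
            }
        } |
        Select-Object -Last $Last
}

# 4. List listening TCP ports with their owning process (what netstat -ano
#    shows, in object form) so a drop can be tied to the service behind it.
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $proc.ProcessName
            }
        } | Sort-Object LocalPort -Unique
}

# Inbound drops aimed at a port something is actually listening on are the
# candidates for a rule; everything else is noise the firewall is right to stop.
$listening = Get-ListeningPorts
Get-FirewallDrops |
    Where-Object { $_.Direction -eq 'RECEIVE' -and $_.DstPort -in $listening.LocalPort } |
    Format-Table Time, Protocol, SrcIP, DstPort -AutoSize

# 5. The right fix: allow one port, from the one subnet that needs it, on the
#    domain profile only. 'ExampleApp', 8443 and 10.20.0.0/24 are placeholders.
New-NetFirewallRule -DisplayName 'ExampleApp inbound (intranet clients)' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress 10.20.0.0/24 -Profile Domain -Action Allow
```

The rule in step 5 is deliberately narrow: a single port, a single source range and a single profile. Widening it to Any is the same mistake as disabling the firewall, just harder to spot later.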