Windows Server Security - Firewall Specific

  • Question

  • I work on a small network, 12 servers and all Windows Server 2012 R2. In reading about more of the breaches happening across the business landscape, a new project has come up to secure the internal network better. There are many areas to this, so in this post I am focusing only on the Windows Firewall.

    The firewall is pre-configured to have certain protocols and apps allowed access when on a domain. As you install more applications, say SQL, an automatic rule is added to the firewall. This is great, but as you look at the specific inbound and outbound rules, you start to notice that connections are allowed from anywhere on the internal network to the server as long as it transmits over the right port. This to me seems like weak security. To me, like a firewall that protects your internal network from the Internet, the rules should be specific to where the traffic is going. A NAT rule for port 443 is allowed to only one server and no others. So then doesn't it make sense to adjust the rules in the Windows Firewall to do the same? Shouldn't the automatic inbound SQL rule only be accepting traffic from a specific server or workstations and not all of them?

    I think security is great, but how far is too far and what is a best practice when it comes to the Windows Firewall? Is just turning it on good enough? Are there tools out there that can help with adjusting the rules on the servers so you don't have to methodically go through 12 servers and hundreds of rules?

    Friday, October 2, 2015 2:24 AM

All replies

  • You can automate Firewall through policy or whatever your Enterprise is using to manage settings. Whilst your point is valid in your circumstance, MS are in a difficult position of trying to please those who want the exact behaviour you are seeing. Perhaps it would be nice to ask the question at install time, but you could end up with lots of permutations to consider.

    Monday, October 5, 2015 8:53 AM
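    As an added example (not code from either poster), the following PowerShell script shows the two things discussed in this thread: auditing which enabled inbound Allow rules on the Domain profile accept traffic from any remote address, and narrowing one such rule (the auto-added SQL rule from the question) to an explicit list of source addresses, run across all servers in one pass. It uses the NetSecurity cmdlets shipped with Windows Server 2012 R2; the server names, rule display name and IP addresses are placeholders.

```powershell
# Added example, not from the thread. Requires the NetSecurity module
# (built into Windows Server 2012 R2 and later) and WinRM on the targets.
# All three values below are placeholders for your own environment.
$servers   = 'SRV01','SRV02'             # placeholder: the 12 servers
$sqlRule   = 'SQL Server (TCP-In)'       # placeholder: auto-added rule's display name
$allowedIp = '10.0.10.25','10.0.10.30'   # placeholder: hosts that may reach SQL

$auditAndScope = {
    param($ruleName, $allowedSources)

    # Audit: enabled inbound Allow rules on the Domain (or Any) profile whose
    # remote address scope is 'Any', i.e. reachable from the whole LAN.
    $open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -match 'Domain|Any' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            if ($addr.RemoteAddress -eq 'Any') {
                [pscustomobject]@{
                    Server    = $env:COMPUTERNAME
                    Rule      = $_.DisplayName
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                }
            }
        }

    # Remediate the one named rule: replace the 'Any' scope with the
    # explicit source list. To edit a GPO-managed rule instead of the local
    # store, add -PolicyStore 'contoso.com\ServerFirewall' (placeholder GPO).
    if ($open.Rule -contains $ruleName) {
        Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $allowedSources
    }

    # Return the audit rows so the caller sees what is still wide open.
    $open
}

# Run the audit and the scope change on every server and tabulate the result.
Invoke-Command -ComputerName $servers -ScriptBlock $auditAndScope `
    -ArgumentList $sqlRule, $allowedIp |
    Sort-Object Server, Rule |
    Format-Table Server, Rule, Protocol, LocalPort -AutoSize
```

The audit rows list every rule that is still open to any source, so the output is the worklist for deciding which remaining rules to scope the same way.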