October 13, 2011 05:36 PM

Windows Server 2008 R2 Firewall Security

Best practices for enabling a firewall in a production environment
Windows IT Pro
InstantDoc ID #140901

Today's security model is all about layers. If your network suffers a breach, security layers can at least limit the scope of the attack or slow down the hacker. In my experience, Windows Server 2008 R2 and Windows Server 2008 are the first versions of Windows Server in which you can successfully keep your firewall enabled and still have the server work in a production environment. The Microsoft Management Console (MMC) Firewall with Advanced Security snap-in is key to this capability.

Firewall Profiles

There are three Windows Firewall profiles on a Server 2008 R2 system. Which profile applies to a given network connection is decided by the Network Location Awareness service, and unlike Server 2008, Server 2008 R2 can have more than one profile active at once on a server with several network connections (one profile per connection). The active profile decides which rule set is enforced on that connection.

1.     Domain profile—Applied to a connection over which the server can authenticate to a domain controller of the Active Directory (AD) domain it belongs to. This is the profile that's typically active, because most servers are members of an AD domain.

2.     Private profile—Applied to a connection that isn't domain-authenticated but has been classified as a private (trusted) network, such as a workgroup server on an internal LAN. Microsoft recommends more restrictive firewall settings for this profile than for the domain profile.

3.     Public profile—Applied to a connection on a network classified as public; it's also the profile a new, unidentified network lands in. Microsoft recommends the most restrictive settings for this profile.

When you open the Windows Firewall with Advanced Security snap-in, the overview pane shows which profile is active. Microsoft's guidance allows different settings per profile, but I typically configure the firewall as if a perimeter firewall doesn't exist. With this approach, if a port is accidentally opened on a perimeter firewall, the server's own Windows Firewall still blocks the traffic. As in previous versions of Windows Firewall, the Server 2008 R2 defaults are to block every inbound connection that doesn't match an Allow rule and to allow every outbound connection unless an explicit Block rule matches it.

With these settings, my organization's firewall configuration leans toward a public profile environment. When we create a rule, we make it active for all three profiles. By keeping the firewall configuration consistent across all three profiles, we don't have to worry about exposing an unwanted port, or losing a needed one, when a connection is reclassified into a different profile.
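As an added example (not code from the original article), the following PowerShell 2.0 script implements the approach described above on a Server 2008 R2 host: it reports which profiles are active and what their default actions are, forces the firewall on for all profiles with inbound blocked and outbound allowed, and adds one inbound Allow rule bound to all three profiles (profile=any) and scoped to a management subnet. It uses the HNetCfg.FwPolicy2 COM object and netsh advfirewall because the NetSecurity cmdlets (New-NetFirewallRule and friends) only shipped with Windows Server 2012. The rule name, port and subnet are assumptions chosen for the example; substitute your own.

```powershell
# Added example, not from the original article. Run from an elevated
# PowerShell 2.0 prompt on Windows Server 2008 R2.
# Assumed values for the example: rule name, TCP port and management subnet.
$RuleName   = 'Example - Inbound HTTPS from management subnet'
$Port       = 443
$MgmtSubnet = '10.10.0.0/24'

# Firewall policy COM object, available on 2008 R2 without extra modules.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2_ values. CurrentProfileTypes is a bitmask because on
# 2008 R2 more than one profile can be active at the same time.
$Profiles = @{ 'Domain' = 1; 'Private' = 2; 'Public' = 4 }

function Show-FirewallProfileState {
    foreach ($name in 'Domain', 'Private', 'Public') {
        $type   = $Profiles[$name]
        $active = (($fw.CurrentProfileTypes -band $type) -ne 0)
        # NET_FW_ACTION_ values: 0 = Block, 1 = Allow
        $inbound  = if ($fw.DefaultInboundAction($type)  -eq 0) { 'Block' } else { 'Allow' }
        $outbound = if ($fw.DefaultOutboundAction($type) -eq 0) { 'Block' } else { 'Allow' }
        '{0,-8} active={1,-5} enabled={2,-5} inbound={3,-5} outbound={4}' -f `
            $name, $active, $fw.FirewallEnabled($type), $inbound, $outbound
    }
}

'--- Before ---'
Show-FirewallProfileState

# 1. Firewall on for every profile, and the default actions pinned explicitly
#    so the host blocks inbound traffic even if a perimeter firewall lets it in.
netsh advfirewall set allprofiles state on | Out-Null
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# 2. One Allow rule bound to all three profiles (profile=any), so a profile
#    change can neither expose nor hide the port, and scoped to the management
#    subnet instead of remoteip=any. The delete keeps re-runs idempotent.
netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=$Port remoteip=$MgmtSubnet profile=any | Out-Null

'--- After ---'
Show-FirewallProfileState

# 3. Verify the rule carries Domain, Private and Public in its Profiles field.
netsh advfirewall firewall show rule name="$RuleName" verbose
```

The final show rule output should list all three profiles for the rule; if it lists only one, the rule was created while a single profile was selected in the snap-in and will silently stop matching when the connection is reclassified. Rules created with remoteip=any remain the ones to hunt for in an audit, since they give up the scoping that the host firewall adds over the perimeter.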

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.