Firewall – Is It Safe to Turn Off Firewall in a LAN Using Group Policy?

firewall group-policy

Is it a good idea or common practice to completely turn off Windows Firewall in an AD domain using Group Policy? At this time, even the servers' firewalls are turned off. The only device not affected is the WAN-facing router/firewall.

Best Answer

This is a practice we used to partake in, on an AD domain with VPNs to multiple offices in multiple countries, and thought it was fine.

Until someone in a remote island office plugged a client's laptop into the network. Within 10 minutes, every office was infected with Conficker; we had to pull all internet connections, and 3 engineers spent the best part of a week cleaning the worm out of all our systems (P.S. A/V at the time was Symantec; it wasn't for long after this).

Worms are less prevalent these days; however, do you really need file and printer sharing ports open on your workstations? You'll need them on various servers, but that's where the beauty of GPO comes in. Default policy locks it down; add a policy object for the ports you need and apply it only to the servers that really need it.

Whilst it's obvious that company policy should be no external laptops plugged into the domain (and it was), accidents happen, people bring viruses/worms in from visits etc. Better to be safe than very very sorry!
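The layout the answer describes (a default policy that keeps the firewall on everywhere, plus a separate policy object that opens ports only on the servers that need them) can be scripted as below. This is an added example, not part of the original answer; the domain `corp.example`, the OU path, the GPO names, the client subnet and the choice of TCP 445 for file sharing are all assumptions to replace with your own values.

```powershell
# Added example: run once from an admin workstation with RSAT (GroupPolicy and
# NetSecurity modules). Every name and address below is an assumed placeholder.
Import-Module GroupPolicy

$Domain       = 'corp.example'                  # assumed AD domain
$DomainDN     = 'DC=corp,DC=example'
$FileServerOU = "OU=File Servers,$DomainDN"     # assumed OU holding file servers
$BaselineGpo  = 'FW-Baseline-On'                # assumed GPO names
$ServerGpo    = 'FW-FileServers-SMB'
$ClientSubnet = '10.0.0.0/8'                    # assumed internal client range

# 1. Baseline GPO, linked at the domain root: firewall enabled on every
#    profile, unsolicited inbound traffic blocked, outbound allowed.
New-GPO    -Name $BaselineGpo -Domain $Domain | Out-Null
New-GPLink -Name $BaselineGpo -Domain $Domain -Target $DomainDN -LinkEnabled Yes | Out-Null

$gpo = Open-NetGPO -PolicyStore "$Domain\$BaselineGpo"
Set-NetFirewallProfile -GPOSession $gpo -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Save-NetGPO -GPOSession $gpo

# 2. Exception GPO, linked only to the file-server OU: inbound SMB from the
#    internal range on the Domain profile. Workstations never receive this rule.
New-GPO    -Name $ServerGpo -Domain $Domain | Out-Null
New-GPLink -Name $ServerGpo -Domain $Domain -Target $FileServerOU -LinkEnabled Yes | Out-Null

$gpo = Open-NetGPO -PolicyStore "$Domain\$ServerGpo"
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow inbound SMB (file servers)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 `
    -RemoteAddress $ClientSubnet -Profile Domain | Out-Null
Save-NetGPO -GPOSession $gpo

# 3. Check on any domain member after "gpupdate /force": ActiveStore is the
#    effective policy (local settings merged with GPO), so Enabled should be
#    True on all three profiles.
Get-NetFirewallProfile -PolicyStore ActiveStore |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
```

Restricting the allow rule with `-RemoteAddress` and `-Profile Domain` keeps the exception from applying when a server is reached from an unexpected network.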