What are the best practices regarding Windows Firewall in an enterprise environment
In enterprise environments there are several reasons to disable Windows Firewall on clients or servers. The best practice is to leave the firewall service itself enabled and running (the service is MpsSvc, shown as “Windows Firewall” or “Windows Defender Firewall” in services.msc) and instead turn off all three profiles (Domain, Private, Public) inside the Firewall in Control Panel. Disabling the service itself is bad advice: many Windows services and features depend on it, and processes that rely on it stop working when the service is disabled.
If the service is already disabled and you enable it again on a remote server that you have no physical or console access to, you can lock yourself out: the profiles stored inside the firewall service may still be set to on, so as soon as the service starts they take effect and, if no rule allows it, block your Remote Desktop connection. The catch is that the profile state can only be changed while the service is running. In that case you can use PsExec from the Windows Sysinternals Suite to turn the firewall profiles off remotely. PsExec connects through the ADMIN$ share on TCP 445, so this only works as long as the firewall still lets you reach file and printer sharing on the target; if the profiles block that too, you need console access.
How to disable Windows Firewall remotely with PsExec if you cannot log in to the server / client
1. Download PsExec from the “PsExec download page”.
2. Connect to your client computer / server with Remote Desktop.
3. Run “services.msc”.
4. Double-click the “Windows Firewall” / “Windows Defender Firewall” service, set Startup type: Automatic, and start the service.
5. If your Remote Desktop session was disconnected at this point (the profiles came up on and blocked RDP), open a Command Prompt as Administrator on your own workstation.
*** Run “PsExec.exe” from the folder you downloaded it to, or copy “PsExec.exe” into “C:\Windows\system32\” so you can run it from any location without specifying the full path.
6. In CMD run (note the plain ASCII hyphens before the switches; a dash character copied from a web page will not be recognised):
psexec -s -h \\<NameOfRemoteComputer> cmd
-s: runs the remote process under the SYSTEM account
-h: runs the process with the account's elevated (UAC) token, so it has full administrative privileges
For example, if the remote computer's name is “KitchenComputer001” your command is:
psexec -s -h \\KitchenComputer001 cmd
Now you are connected through PsExec's service to a command line on the remote computer.
7. Type and run in cmd:
netsh advfirewall set AllProfiles state off
This turns off all three profiles in the firewall while the service keeps running.
You also do not have to connect first; you can run everything in one command:
psexec -s -h \\KitchenComputer001 cmd /c netsh advfirewall set AllProfiles state off
8. Connect again to your remote computer with Remote Desktop. If you can connect, you are fine.
9. Check that all profiles are disabled in:
Control Panel => Windows Firewall / Windows Defender Firewall
*** If you see red marks on every network type (Domain, Private, Public/Guest), you are fine.
10. To manually enable or disable profiles later, in the left pane click “Turn Windows Firewall / Windows Defender Firewall on or off”.
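The whole procedure above, and the “keep the service, turn off the profiles” rule from the introduction, driven from an admin workstation in one script. This is an added example and not code from the original article or from Sysinternals. It assumes Windows PowerShell 5.1 (the -ComputerName parameters of Get-Service/Set-Service were removed in PowerShell 7), PsExec 2.x on the PATH or in System32, and that the target's ADMIN$ share is reachable on TCP 445; the computer name is a placeholder.

```powershell
<#
  Added example (not from the original article): enable the firewall service on a
  remote host without locking yourself out, then turn the profiles off and verify.
  Assumes: Windows PowerShell 5.1, PsExec 2.x (for -nobanner/-accepteula) on PATH,
  TCP 445 / ADMIN$ reachable on the target. $ComputerName is a placeholder.
#>
param(
    [string]$ComputerName = 'KitchenComputer001'   # assumed name, as in the article
)

$ServiceName = 'MpsSvc'   # shown as "Windows (Defender) Firewall" in services.msc

# Step 1: keep the service itself enabled and running; never set it to Disabled.
# The Service Control Manager is reached over RPC, so no RDP session is needed.
$fw = Get-Service -Name $ServiceName -ComputerName $ComputerName -ErrorAction Stop
Set-Service -Name $ServiceName -ComputerName $ComputerName -StartupType Automatic
if ($fw.Status -ne 'Running') {
    # Starting the service applies the stored profile state, which may be ON: an open
    # RDP session to the target can drop right here. Everything below works without RDP.
    Write-Warning "$ServiceName on $ComputerName is $($fw.Status); starting it now"
    Set-Service -Name $ServiceName -ComputerName $ComputerName -Status Running
}

# Step 2: with the service running the profile state can be changed. Run netsh on the
# target as SYSTEM (-s) with an elevated token (-h) through PsExec, the article's
# one-line form. PsExec returns the remote process's exit code in $LASTEXITCODE.
function Invoke-RemoteNetsh {
    param([string]$Computer, [string[]]$NetshArgs)
    $psexecArgs = @('-accepteula', '-nobanner', '-s', '-h', "\\$Computer",
                    'cmd', '/c', 'netsh', 'advfirewall') + $NetshArgs
    $out = & psexec.exe @psexecArgs 2>$null   # banner/"exited with" lines go to stderr
    if ($LASTEXITCODE -ne 0) {
        throw "netsh advfirewall $($NetshArgs -join ' ') on $Computer failed (exit $LASTEXITCODE)"
    }
    return $out
}

Invoke-RemoteNetsh -Computer $ComputerName -NetshArgs 'set', 'allprofiles', 'state', 'off' | Out-Null

# Step 3: the same check as the red marks in Control Panel, but in text. netsh prints a
# "<Name> Profile Settings:" header followed by a "State  ON|OFF" line per profile.
$report  = Invoke-RemoteNetsh -Computer $ComputerName -NetshArgs 'show', 'allprofiles', 'state'
$states  = @{}
$current = $null
foreach ($line in $report) {
    if ($line -match '^(\w+) Profile Settings:')           { $current = $Matches[1]; continue }
    if ($current -and $line -match '^State\s+(ON|OFF)\s*$') { $states[$current] = $Matches[1] }
}
$states.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-8} {1}' -f $_.Name, $_.Value }

$stillOn = $states.GetEnumerator() | Where-Object { $_.Value -ne 'OFF' } | ForEach-Object { $_.Name }
if ($stillOn) {
    throw "Profiles still ON on ${ComputerName}: $($stillOn -join ', '); RDP may still be blocked"
}
Write-Host "All profiles OFF on $ComputerName and $ServiceName still running; Remote Desktop should connect again."
```

Run it as a domain account that is a local administrator on the target, e.g. .\Set-RemoteFirewallProfilesOff.ps1 -ComputerName KitchenComputer001 (the script file name is assumed). The service ends up Automatic and Running with all three profiles OFF, which is the state the introduction recommends; if PsExec itself cannot connect, the profiles are also blocking TCP 445 and the remote route is closed.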