As a consultant, I get to see a lot of different environments. It’s also incumbent upon me to know Microsoft best practices, as well as real world best practices. There are two common configurations that I see constantly which really need to be addressed. Those two things are Windows Firewall and IPv6. In case this article becomes a victim of TL;DR, let me cut to the chase. Windows Firewall should be ON. And IPv6 should be ENABLED. The reasons why are just past the break.
It’s a fact that there was a time when the Windows Server operating system did not have a firewall. And then it did have a firewall, and everyone turned it off. In part that was because most Windows sysadmins were not used to dealing with an OS firewall, and also in part because Microsoft didn’t make it all that easy to use. That is no longer the case. Windows Server 2008 and 2012 make it simple and straightforward to configure your firewall, and also have a ton of canned rules to get you started. You can use the GUI or netsh, or PowerShell, or Group Policy. The management of Windows Firewall is not hard, and that excuse is no longer valid.
So why do people disable Windows Firewall now? The first reason I hear is that the servers are behind a firewall already, so there’s no need to enable it. To that I have a few questions:
- Is the firewall between the server and all of your clients?
- Is the firewall between the server and all other servers?
- Is the firewall between the server and all other network ports?
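The post points out that Windows Firewall can be managed from PowerShell as easily as from the GUI, netsh, or Group Policy. As an added example (my code, not the author's), the script below audits the effective firewall state on a host and answers the three questions above from the host's side: which profiles are off, and which enabled inbound rules accept traffic from any remote address on any port, which is exactly the traffic a perimeter firewall never sees when the peer is on the same segment. It assumes the NetSecurity module that ships with Windows Server 2012 / Windows 8 and later; the "Compliant" bar is this example's own definition.

```powershell
# Added example, not part of the original post. Requires the NetSecurity module
# (Windows Server 2012 / Windows 8 and later) and an elevated prompt for the fix.

function Get-FirewallProfileAudit {
    # One row per profile (Domain, Private, Public) taken from the effective policy,
    # so Group Policy overrides are reflected in the result.
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        [pscustomobject]@{
            Profile         = $p.Name
            Enabled         = $p.Enabled
            DefaultInbound  = $p.DefaultInboundAction
            DefaultOutbound = $p.DefaultOutboundAction
            # This example's own bar: the profile is on and does not allow all inbound by default
            Compliant       = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        }
    }
}

function Get-WideOpenInboundRules {
    # Enabled inbound allow rules that accept any remote address on any local port.
    # Each rule's address and port filters live in separate objects, hence the two pipeline lookups.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any') -and
            (($_ | Get-NetFirewallPortFilter).LocalPort -eq 'Any')
        } |
        Select-Object DisplayName, Profile, Direction, Action
}

function Enable-AllFirewallProfiles {
    # Turns the firewall on for every profile. The netsh equivalent is:
    #   netsh advfirewall set allprofiles state on
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
}

# Usage: report first, then fix profiles that are off.
$audit = Get-FirewallProfileAudit
$audit | Format-Table -AutoSize
Get-WideOpenInboundRules | Format-Table -AutoSize

if ($audit | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more profiles are off or allow all inbound traffic by default; enabling all profiles.'
    Enable-AllFirewallProfiles
}
```

Run the audit before the fix on a server you are about to change: the wide-open rule list is the set of services that were only ever protected by the perimeter, so it is also the list to review for whether the rule should be scoped to specific remote addresses once the firewall is back on.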
I have heard some concerns that leaving IPv6 enabled and bound will cause an increase in network traffic. The perception is that somehow your OS is going to send packets through both stacks every time for common protocols like DNS or Web traffic. Fortunately, this does not happen. Microsoft has committed to supporting the IPv6 stack and tests all of its applications for compatibility with it. You know what Microsoft doesn’t test for? The impact of disabling and unbinding IPv6. So if you get on a support call with Microsoft, they’re probably going to tell you to enable and bind it as part of the troubleshooting process. That’s what I would say too.
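Since "enable and bind it" is the first thing a support call will ask for, it helps to be able to verify the state quickly. The following is an added example (my code, not the author's) that reports, per adapter, whether the IPv6 transport is bound, reads the documented Tcpip6 DisabledComponents registry value that administrators use to switch off parts of the stack, and rebinds IPv6 where it has been unbound. It assumes the NetAdapter module (Windows Server 2012 / Windows 8 and later) and an elevated prompt for the repair step.

```powershell
# Added example, not part of the original post. Requires the NetAdapter module
# (Windows Server 2012 / Windows 8 and later); Repair-IPv6Binding needs elevation.

function Get-IPv6BindingAudit {
    # One row per adapter. ms_tcpip6 is the component ID of the IPv6 transport binding,
    # the checkbox labelled "Internet Protocol Version 6 (TCP/IPv6)" in adapter properties.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Select-Object Name, DisplayName, Enabled
}

function Get-IPv6DisabledComponents {
    # The documented Windows registry value used to disable parts of the IPv6 stack.
    # Absent or 0 means nothing has been turned off; any other value means some part
    # of the stack (tunnel interfaces, prefix policy, or IPv6 itself) has been disabled.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $item = Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return $item.DisabledComponents
}

function Repair-IPv6Binding {
    # Rebinds IPv6 on every adapter where it was unbound.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 |
        Where-Object { -not $_.Enabled } |
        ForEach-Object { Enable-NetAdapterBinding -Name $_.Name -ComponentID ms_tcpip6 }
}

# Usage: report, then warn on anything that a support engineer would ask you to undo.
$bindings = Get-IPv6BindingAudit
$bindings | Format-Table -AutoSize

$unbound = $bindings | Where-Object { -not $_.Enabled }
if ($unbound) {
    Write-Warning ("IPv6 is unbound on: {0}" -f (($unbound.Name) -join ', '))
    Repair-IPv6Binding
}

$dc = Get-IPv6DisabledComponents
if ($dc -ne 0) {
    # DWORD values read back as Int32, so 0xFFFFFFFF shows as -1; the hex format makes that obvious.
    Write-Warning ("Tcpip6 DisabledComponents is 0x{0:X}; set it to 0 (or delete it) and reboot to restore the full stack." -f $dc)
}
```

The registry check matters because rebinding the adapter alone does not undo a DisabledComponents setting; that value is read at boot, so a change to it takes effect only after a restart.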
So in closing, when it comes to Windows Firewall and IPv6, leave them on! You’ll be glad you did.
Director, Cloud Solutions and Microsoft MVP: Cloud (Azure/Azure Stack) & DC Mgmt