Disable Domain Firewall

[CHiLL]

Hey,

I've just set up a Server 2008 R2 x64 member server on our domain (fully joined correctly), and I can't ping it because the firewall is enabled. I have disabled the firewall for public and private networks. But I cannot disable the domain firewall. The server is subject to no domain policies, except the default domain policy, which isn't configured anyway.

I have tried "netsh advfirewall domainprofile state off" command, but that didn't work. I get "Access Denied", despite using the domain admin account, and using CMD in administrator mode.

If I try to edit it through Control Panel > Firewall Settings, it just doesn't accept the changes. No error messages, it just doesn't apply the changes or reverts back to its default.

[ihaveaproblem]

Can you stop the firewall service?
Or set a group policy to disable the domain firewall for you.

[plexer]

Why would you want to disable the firewall?

Ben

[Arthur]

I can't ping it because the firewall is enabled.

You could simply allow pings, while keeping the firewall enabled.

Code:

netsh advfirewall firewall add rule name="ICMP Allow Incoming v4 Echo Request" protocol=icmpv4:8,any dir=in action=allow

[CHiLL]

Can you stop the firewall service?
Or set a group policy to disable the domain firewall for you.

I could, but Microsoft say that can cause problems with other services that depend on the Firewall services. (Can't remember which)

Why would you want to disable the firewall?

Ben

Because that's how all our other servers are set up (not by myself). This is a test environment, and I wanted to simulate the real one as much as possible.

You could simply allow pings, while keeping the firewall enabled.

Code:

netsh advfirewall firewall add rule name="ICMP Allow Incoming v4 Echo Request" protocol=icmpv4:8,any dir=in action=allow

I'll try that, thanks.

[SYNACK]

Your servers make baby security jesus cry

Firewalls are there for a reason, so many worms etc. would have been prevented if people left them enabled.

Arthur's way is the right one, only open up what you need. Most of the services open up what they need by default anyway which leaves you with a much more robust server in the end.