[OPLINTECH] update on deploying windows 7 computers for public use

Nathan Eady oplintech at galionlibrary.net
Thu Feb 17 12:26:15 EST 2011


Marlene Pelyhes <mpl_marlenep at yahoo.com> writes:

> Unfortunately, our Panda software setup requires Windows Firewall
> Service to be off on the workstation.

This is a big huge red flag, as far as I'm concerned.

If the software required certain ports to be open via firewall
exceptions, that might be potentially acceptable (depending on what
the software does and why it needs this), but requiring the firewall
to be entirely turned off is completely unreasonable.  I question
whether there is, or even potentially could be, any such thing as
legitimate software that requires this.  

There is some legitimate software that _recommends_ turning off the
Windows firewall, on the grounds that it is redundant with
functionality provided by the software itself.  (Some Symantec
software, for instance, does this.)  Even there, however, the only
consequence if you don't turn the Windows firewall off is that any
exceptions you need to make have to be made in two places instead of
just one, a rather minor inconvenience.  The software still works
just fine with the firewall on.

With that said...

> When we turn the Windows Firewall Service off - Windows 7
> automatically turns Network Discovery back on!

If you then turn Network Discovery back off, does that turn the
Windows Firewall back on?  (I have difficulty imagining it would,
although admittedly I've not tested this, since turning the firewall
off is something I have seldom had any reason to do, and never in a
deployed production environment.)

Assuming that it doesn't, you can just do things in the opposite
order: turn off the firewall first and then turn the network discovery
off afterward.

However, it is worth noting that most or all of the advantages of
having network discovery off are effectively forfeit if the firewall
is off.  

I imagine the reason Windows 7 does this (turns on network discovery
when the firewall is turned off) is because logically that's generally
how the user is going to want things.  There's virtually no downside,
because from a security perspective the door is open.

-- 
Nathan Eady
Galion Public Library
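
An audit check for the situation discussed in the message above, added here as an example (it is not part of the original e-mail): it flags workstations where a firewall profile is off and where the Network Discovery rules are disabled but are not being enforced. The function names are hypothetical, and the `netsh` output samples are constructed and trimmed.

```python
import re

# Constructed, trimmed sample of `netsh advfirewall show allprofiles state` output.
STATE_OUT = """Domain Profile Settings:
State                                 OFF
Private Profile Settings:
State                                 OFF
Public Profile Settings:
State                                 ON
"""

# Constructed, trimmed sample of `netsh advfirewall firewall show rule name=all`.
RULES_OUT = """Rule Name:                            Network Discovery (NB-Name-In)
Enabled:                              No
Grouping:                             Network Discovery

Rule Name:                            Network Discovery (SSDP-In)
Enabled:                              No
Grouping:                             Network Discovery
"""

def profile_states(text):
    """Map profile name -> 'ON'/'OFF' from the allprofiles state listing."""
    states, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(\w+) Profile Settings:", line)
        if m:
            current = m.group(1)
        elif current and (m := re.match(r"State\s+(ON|OFF)\s*$", line)):
            states[current] = m.group(1)
    return states

def discovery_rules_enabled(text):
    """Count enabled rules in the 'Network Discovery' group."""
    count = 0
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^([\w ]+):\s+(.*?)\s*$", block, re.M))
        if fields.get("Grouping") == "Network Discovery" and fields.get("Enabled") == "Yes":
            count += 1
    return count

def audit(state_text, rules_text):
    """Return findings for one workstation; rules only apply while the firewall is on."""
    off = sorted(p for p, s in profile_states(state_text).items() if s == "OFF")
    findings = [f"firewall OFF on {p} profile" for p in off]
    if off and discovery_rules_enabled(rules_text) == 0:
        findings.append("Network Discovery rules disabled but not enforced")
    return findings
```

Feed it the text captured from the two `netsh` commands on each workstation; an empty list means every profile reports the firewall on.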

