Server Security Question

EdwardL - I Spent 10 years working for a Managed Services Provider servicing SMBs and the Mid-Market specifically and it was our standard practice to ALWAYS install a firewall appliance (Like a Watchguard) at every location. Most modern routers will have some sort of rudimentary firewall, but they usually can't hold a candle to a dedicated firewall appliance. It's possible your IT support is relying on the router's firewall, or maybe has just neglected to mention that there is a firewall appliance in place. 

If your IT support is telling you, you don't need a firewall because your domain controller is keeping you safe, I would question it. Your Domain Controller is providing identity and authentication services (username/password) for your network, while a proper firewall appliance is designed to keep the bad people off your network to begin with.

Could be they are relying on the in-software Windows Firewall on each server/workstation to do the work, but best practice would state you don't even want attackers to be able to reach an endpoint. Hence, a firewall appliance at the entry-point of the network. 

I say this without knowing more specific information about your environment, but based on what you've said I would at least question it and try to get some more information from them.