Windows Server Summit 2024
Mar 26 2024 08:00 AM - Mar 28 2024 04:30 PM (PDT)
Microsoft Tech Community
LIVE

Server Security Question

Copper Contributor

I work for small/medium size firm and have been made responsible for IT related matters. We have a local IT partner who manages all our employee laptops and our server. I've been asking questions about our server security and something does seem right to me. Is it possible and/or close to best practice to use the domain controller as our firewall i.e. not install a firewall as the rules on the domain controller can keep us secure? Appreciate any feedback. Thanks in advance. 

2 Replies

@EdwardL - I Spent 10 years working for a Managed Services Provider servicing SMBs and the Mid-Market specifically and it was our standard practice to ALWAYS install a firewall appliance (Like a Watchguard) at every location. Most modern routers will have some sort of rudimentary firewall, but they usually can't hold a candle to a dedicated firewall appliance. It's possible your IT support is relying on the router's firewall, or maybe has just neglected to mention that there is a firewall appliance in place. 

 

If your IT support is telling you, you don't need a firewall because your domain controller is keeping you safe, I would question it. Your Domain Controller is providing identity and authentication services (username/password) for your network, while a proper firewall appliance is designed to keep the bad people off your network to begin with.

 

Could be they are relying on the in-software Windows Firewall on each server/workstation to do the work, but best practice would state you don't even want attackers to be able to reach an endpoint. Hence, a firewall appliance at the entry-point of the network. 

 

I say this without knowing more specific information about your environment, but based on what you've said I would at least question it and try to get some more information from them. 

@Andy Syrewicze Thanks Andy, yes, you are correct our IT provider is suggesting that the domain controller will authenticate all traffic so no need for a firewall. Given I'm far from an expert I'm just not sure I can sleep at night with merely a domain controller for protection..