Windows Firewall Part 7: Final Thoughts

phew…

If you made it here, congratulations. This series ended up being much longer and more detailed than I initially anticipated. It turns out that labbing up this type of configuration is a lot of work. Who could have guessed? I even learned a few new things, and relearned a few forgotten things, along the way.

If you know me from the WInAdmins Community, you may have seen me mention some of the configurations I’ve described in this series. None of this comes from just a lab. These configurations are something I assisted with setting up in a production environment in the past, and it worked surprisingly well. Before you make any assumptions, it wasn’t driven by the COVID-19 pandemic; IPSec was something already heavily utilized in the environment, and this just became the next step, at least up to part 5.

Part 6 is my most recent idea to take all of the previous configuration to the next level. I’ve only recently started the journey in learning how a modern-managed world functions, and the idea of Azure AD joined clients managed by Intune. Whenever I thought about these, my mind always went directly to remote endpoints, that were otherwise off the “internal” network. It was here where I realized that certificate authentication could be utilized across the board, and there can actually exist a configuration where all on-premises resources are truly accessible from anywhere.

I’m sure most will compare all of this to a tradition VPN connection, and see that as the easier/better configuration. I view it as just another possibility. Weigh the pros and cons of each configuration, and do what you see fit. I’m also aware that the idea of “Internet-facing Domain Controllers” (I love this line) scares most, if not all, IT security professionals, but this just shows and proves that yes, it can be done, and no, “internet-facing” does not equal “accessible to everything”. The Windows Firewall is extremely powerful, and in my opinion, extremely underused.

Thanks for coming to my Ted Talk. If you made it all the way here, tweet me your favorite emoji: @ajf8729

-Anthony