I picked up some bad habits from previous co-workers and I'm thinking I should change some of them. It was standard practice to just disable Windows firewall because it caused more problems than it solved in the past.
How can I slowly change this and is it worth the effort? I'd like to roll out a GPO that would allow traffic but log what apps are connecting to the internet. So I could then selectively start making exceptions to the GPO as needed.
Is this possible in XP (25% of PCs) and Windows 7 (75% of PCs) environment?
Thanks
Depending on how you have Active Directory configured, you could apply it to a temp OU for the desktops, apply the GPO to that and move them into it one at a time until they are all done. Then when you are happy, move it higher in AD so that it applies to even new machines.
We did this too and life is better when they are all enabled. The good part is that a central GP for this makes it easier to make bulk changes, but spend some time and find out what apps need to have what open. Most users don't need any open. But some services do (our Antivirus, RDP, and ports needed for a few that have printer sharing enabled).
I recently implemented network segmentation using the Windows firewall on XP and 7 for PCI-DSS purposes. It is most definitely possible (and recommended) to do so.
As long as you aren't restricting outbound traffic from your workstations there generally isn't a problem.
The only exceptions I've found to this tend to be one offs - printers shared via a workstation being a prime example. Most of the other stuff - remote RDP access, inbound WMI or antivirus, etc - can be discovered after the fact as it only impacts IS.
What I've done in the past is to create a group in AD and add certain test computers to it. That group will apply the firewall policy based on the policy delegation settings. That will let you test without muddying up your existing AD structure. It also allows you to update your policies for all in scope systems easily -
psexec \\testsystem gpupdate /target:Computer
is great for this. Go slowly and make sure that you don't cause unnecessary disruption. I also highly suggest using IPSec if possible. The authentication for inbound rules is extremely useful, more so on 7 than XP.
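An added example, not code posted in this thread: on the Windows 7 part of the fleet, the observe-then-enforce rollout the two answers describe (allow inbound but log, find out which programs and ports actually receive connections, then write exceptions and switch to blocking) can be scripted from an elevated PowerShell prompt on one of the test machines. It assumes Windows 7 with PowerShell 2.0 or later and a local admin session; the event IDs 5156 (permitted) and 5157 (blocked) and the direction code %%14592 (inbound) are the Windows Filtering Platform audit values, which carry the program path that pfirewall.log does not. XP has no advanced audit policy and no WFP events, so on XP only the pfirewall.log text log is available.

```powershell
# Added example for the thread above, not the original poster's or answerers' code.
# Observation phase of a Windows firewall rollout on Windows 7 (PowerShell 2.0+,
# run elevated). Not applicable to XP (no advanced audit policy, no WFP events).

# --- Step 1: keep the service on but allow inbound, and log everything ---------
# Exposure during this phase equals "firewall disabled", so apply it only to the
# test OU/group while you collect data.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound

# Per-profile text log (IP/port only, no program name; useful as a second source).
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384

# Security log events 5156 (permitted) / 5157 (blocked) include the program path.
auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable

# --- Step 2: after the test period, summarize inbound connections ---------------
# Each row is one (result, program, protocol, port) tuple with the peers seen,
# which is close to the list of firewall exceptions you will need to write.
function Get-InboundConnectionSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 5156, 5157; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # %%14592 = Inbound, %%14593 = Outbound in 5156/5157 events.
        if ($d['Direction'] -ne '%%14592') { continue }

        if ($e.Id -eq 5156) { $result = 'Permit' } else { $result = 'Block' }
        switch ($d['Protocol']) {
            6       { $proto = 'TCP' }
            17      { $proto = 'UDP' }
            1       { $proto = 'ICMP' }
            default { $proto = $d['Protocol'] }
        }

        New-Object PSObject -Property @{
            Result      = $result
            Application = $d['Application']
            Protocol    = $proto
            DestPort    = $d['DestPort']
            Source      = $d['SourceAddress']
        }
    }

    $rows | Group-Object Result, Application, Protocol, DestPort |
        Select-Object Count,
            @{ n = 'Result';      e = { $_.Group[0].Result } },
            @{ n = 'Application'; e = { $_.Group[0].Application } },
            @{ n = 'Protocol';    e = { $_.Group[0].Protocol } },
            @{ n = 'DestPort';    e = { $_.Group[0].DestPort } },
            @{ n = 'Sources';     e = { ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ',' } } |
        Sort-Object Count -Descending
}

Get-InboundConnectionSummary | Format-Table -AutoSize
```

The same three settings exist as GPO items (Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security, and Advanced Audit Policy Configuration > Object Access > Audit Filtering Platform Connection), so once the summary shows which programs legitimately accept connections (the antivirus agent, RDP, the few workstations sharing printers), the exceptions go into that GPO, the policy is switched to blockinbound,allowoutbound, and the psexec gpupdate line from the answer above pushes it to the test systems. 5156 events are high volume on a busy machine, so keep the observation window short or raise the Security log size first.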