BACKGROUND/RESEARCH
I honestly believe that questions like this one: Using GPO in Active Directory domain to force workstations Windows Firewall to disabled - how? existed because Windows Admins in general were taught long ago that:
"the easiest thing to do when dealing with a domain computer is to just have a GPO on the domain to disable the Windows Firewall...it will cause you much less heartache in the end." - random IT instructors/mentors from years gone by
I can also say that at MOST companies I've done side work for this has been the case, where a GPO at a minimum disabled the Windows Firewall for the domain profile and at WORST disabled it also for the public profile.
Even further, some will disable it for the servers themselves: Disable firewall for all network profiles on Windows Server 2008 R2 through GPO
A Microsoft Technet Article on the WINDOWS FIREWALL recommends you DO NOT disable the Windows Firewall:
Because Windows Firewall with Advanced Security plays an important part in helping to protect your computer from security threats, we recommend that you do not disable it unless you install another firewall from a reputable vendor that provides an equivalent level of protection.
This ServerFault question asks the real question: Is it alright to turn off firewall in a LAN using Group Policy? -- and the experts here are even mixed in their view.
And understand I'm not referring to disabling/enabling the SERVICE: How can I back up my recommendation to NOT disable the Windows Firewall service? -- so as to be clear that this is about whether or not the firewall service enables the firewall or disables it.
THE QUESTION AT HAND
So I get back to the Title of this question...what can be done to properly re-enable the Windows firewall on a domain? Specifically for client workstations and their domain profile.
Before simply switching the GPO from Disabled to Enabled, what planning steps should be taken to ensure that flipping the switch doesn't cause critical client/server applications, allowable traffic, etc. to suddenly fail? Most places won't tolerate the "change it and see who calls the Helpdesk" mindset here.
Are there checklists/utilities/procedures available from Microsoft to handle such a situation? Have you been in this situation yourself and how did you deal with it?
What can be done to properly re-enable the Windows firewall on a domain?Well, the short answer is that it's going to be a lot of work if you decide to forge ahead, and for the record, I'm not sure I would.
In the general case, client firewalls don't provide much security in a corporate network (which typically has hardware firewalls and controls this type of thing at the edge), and malware authors these days are smart enough to use port 80 for their traffic, because virtually no one blocks that port, so you get a lot of effort putting something in place to provided limited security benefit.
Having said that, the long answer is:
allow allrule and set logging, this will be a treasure trove of data for determining what apps you have that need firewall exculsions.Edit: I would just like to state that there is nothing inherently wrong with Windows Firewall. It is a perfectly acceptable part of an overall defense-in-depth strategy. The fact of the matter is, most shops are too incompetent or too lazy to be bothered to figure out what firewall rules are needed for the applications that they run, and so they just force it off ubiquitously.
If Windows Firewall, for instance, prevents your domain controllers from doing their job, it's because you didn't know what ports Active Directory needed before you turned the firewall on, or because you configured the policy incorrectly.
That's the bottom line of the matter.
First, communicate with your project managers, your bosses, your stake holders, your change advisory cabinet, whatever the process is in your company, and inform them all that you will be undergoing a gradual remediation involving the Windows Firewall in order to increase the overall security posture of your environment.
Make sure that they understand that there are risks. Yes, of course we'll do everything we can, all the planning that we can, to ensure that there will be no interruptions, but don't make any promises. Trying to whip an old domain into shape is hard work.
Next, you have to inventory applications that are in use in your environment and what ports they require. Depending on the environment, this can be very difficult. But it has to be done. Monitoring agents? SCCM agents? Antivirus agents? The list goes on.
Develop a Windows Firewall GPO that includes custom rules for your enterprise applications. You may require multiple policies with different scopes that apply to different servers. For instance, a separate policy that applies only to web servers for ports 80, 443, etc.
The built-in Windows Firewall policies will be very helpful to you, as they are perfectly scoped to accommodate most common Windows activities. These built in rules are better because they don't just open or close a port to the entire system - they're scoped to very specific process and protocol activity taking place on the machine, etc. But they don't cover your custom applications, so add those rules to the policies as auxiliary ACEs.
Roll out in a test environment first if possible, and when rolling out to production, do so in limited chunks first. Don't just plop the GPO on the entire domain on your first go.
That last statement is probably the best piece of advice that I can give you - roll out your changes in very small, controlled scopes.
Okay, I'm about to suggest something that may or may not get you in trouble, but it's what I use when I'm turning on the firewall.
Nmap. (Any port scanner would do.) I fear I don't trust documentation of what ports are in use. I want to see for myself.
Background: I'm from an academic environment where student laptops rubbed elbows with our servers (Ugh!). When I started using nmap on my own servers, we had no IDS, either, so I could nmap at will and no one would notice. Then they implemented IDS and I'd get emails forwarded to me that basically said, "NETWORK PORT SCAN ATTACK ON YOUR SERVER FROM YOUR WORKSTATION!!!!!" and I'd reply and say, "Yep, that's me." Heh. After awhile they developed a sense of humor about it. ;)
I also used nmap on workstations, for example, to look for conficker. Nmap would likely turn up the AV management ports, any other management software ports, etc. (Desktop will be very crabby if you break their management software.) It might also turn up unauthorized software, depending on your environment.
Anyway. Some environments will freak out about nmap and some won't even notice. I generally only nmap my own servers, or workstations for a specific purpose, which helps. But yes, you probably want to clear that you're going to be running a port scan with anyone who might freak out on you.
Then, you know. What Ryan Ries said. Management/change management/group policy/etc.
I don't believe there's any utilities available from Microsoft on this, but if I were to use Windows Firewall on our domain (it's enabled where I work) I would ensure the following:
Servers are a bit of a different beast. I currently have the firewall disabled for our servers because enabling it caused many problems even with exceptions in place. You basically have to apply a blanket "skeleton" policy for all servers (disallowing unsafe ports, for example) then going to each server and individually customizing settings. Because of this, I can see the reason a lot of IT folk just disable the firewall. Your perimeter firewall should protect these machines enough without their own firewalls. However, sometimes it's worth the effort to individually configure servers for high-security environments.
As a side note, Windows Firewall also governs use of IPsec, so if that's used you need the firewall anyway.