Windows XP SP2 Firewall Deployment Guide

Discussion in 'Windows Small Business Server' started by Steven Banks [SBS MVP], Jan 29, 2004.

  1. Hi!

    The development team responsible for the revised Windows XP firewall that
    will be released in the coming months as part of Service Pack 2 have asked
    that we start spreading the word about the firewall. It will install in the
    "on" mode when you run SP2 and has a different feature set than the current
    Windows XP firewall, so they want all of us to be aware of it and begin
    educating ourselves on it.

    The current document is at:
    http://www.microsoft.com/downloads/...e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en


    Thanks,
    Steve
     
    Steven Banks [SBS MVP], Jan 29, 2004
    #1

  2. John LeMay Guest

    Wouldn't it make more sense for the installer to detect a couple of
    things on the machine and then determine if the firewall should be on or
    not? For example:

    - If the firewall is currently enabled, enable it.
    - If the machine is running XP Home, enable it.
    - If the machine is running XP Pro AND the machine is joined to a
    domain, don't enable it.

    This would be pretty simple to do and would have made for a better
    install, IMHO.
     
    John LeMay, Jan 30, 2004
    #2

  3. AFAIK-> you can disable and/or configure the ICF by using group policy.

    Remember that there are a lot of people who use Win XP Pro in a domain
    without firewalls (or incorrectly configured ones). IMHO-> the best setup is
    the one that you can configure.
     
    Javier Gomez [SBS MVP], Jan 30, 2004
    #3
  4. C P Guest

    When I read the doc, it seemed to imply (at first) that you could block
    specific applications. However, after further reading it seems like ICF
    will just watch what ports those apps use, then open those ports (presumably
    for any app that uses the same ports). This part was a little vague to me,
    so maybe I'm misunderstanding.

    I wish ICF could be more configurable along the lines of ZoneAlarm Pro. It
    is very customizable - by IP range, application, port etc. It can also
    block Javascript etc. in web pages too. While it is very customizable, it
    is pretty intuitive for the user. When an app tries to access the local
    network or web, ZoneAlarm will prompt you if you want to allow this, and can
    remember what you tell it. This way you don't have to mess around with
    setting these things beforehand if you don't know what you're doing. I
    expect most (home) users of ICF will have trouble setting it up to allow
    specific apps to pass through. I don't think this sort of firewall would
    have to be a threat to ISA server, because this sort of firewall would be of
    most use to home users. For people in a domain, it would be easier (better)
    to have ISA than such a firewall. MS could limit this more powerful
    firewall to XP or 2000 workstations so that if you had a server you'd still
    really need ISA to protect it - thus protecting MS's ISA sales.
     
    C P, Jan 30, 2004
    #4
  5. Wow, another 40 page white paper. I'll have to put this underneath my
    110-page "getting started" guide for SBS 2003 and the 290-page Sonicwall
    manual.

    I'm riding around with so much computer documentation, there's no room in
    the car for passengers : )
     
    Dave Nickason [SBS MVP], Jan 30, 2004
    #5
  6. John LeMay Guest

    True, and that's really the bottom line. However, I just thought there
    were some much better automatic options for how to decide whether to
    enable XP's firewall. By the way, what if the user already has another
    firewall installed? There's another time the XP firewall shouldn't be
    enabled!
     
    John LeMay, Jan 31, 2004
    #6