SBS 2003 security policy...
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 12/16/03
- Previous message: Russ: "Re: IIS user credentials caching"
- Next in thread: rotaiv: "Problems with Exchange 2000 as open relay"
- Reply: rotaiv: "Problems with Exchange 2000 as open relay"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 16 Dec 2003 10:09:23 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
So it started with an email from Roger van Unen observing thusly;
-----Original message-----
Date: Tue, 9 Dec 2003 12:15:53 +0100
From: "Roger van Unen"
Hi
I just discovered an amazing new feature of SBS 2003 security policy:
after adding a Windows XP computer to the new domain the tab for
enabling the firewall features is gone for all connections!
In these times where so much trouble is caused by people running
computers without at least a simple firewall like the one from Microsoft
it is amazing that Microsoft itself takes this feature out on one of
the newest products they offer. Apparently they think that this feature
gives too much trouble for Small Size Businesses and just took it out.
-----
<snipped extraneous complaints>
I contacted Susan Bradley, MVP for SBS, and asked her what was up with
this claim.
-----Original message-----
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]"
Date: Wed, 10 Dec 2003 07:30:27 -0800
When the system joins the domain, as long as it's on the domain the
firewall cannot be enabled. If you unplug the laptop the firewall can be
re-enabled. You don't have to "unjoin" the domain or anything ...
Trust me... we slightly freaked on that too and ensured that when we
join laptops to our SBS boxes that we could protect them if they were
roaming. When you join the domain, you build a new profile. It's that
profile...while it's connected to the domain that will be affected. It
would still be enabled on the local profile.
It's done in anticipation of XP sp2 where the firewall is enabled by
default. You stick that firewall on inside the office ... and you're not
talking to that LAN.
-----
Ok, I suppose I can understand this somewhat. Rather than configuring
ICF to keep the requisite ports open to talk to the SBS environment,
they simply disable ICF altogether *while* it's connected to the domain.
Roaming profiles won't be affected. However, I can see situations when
this would definitely not be desired. Imagine a Branch Office without
any servers of its own, connected to the Internet and using VPNs to get
to the Head Office. ICF might be used to protect all of the machines in
that Branch Office, while it's still part of the DNS domain of the Head
Office.
That said, there is a GPO option which can be changed to alter this
behavior, although it's set by default to disable ICF.
Then Susan sent me this link (which may be wrapped);
http://download.microsoft.com/download/8/7/9/879a7b46-5ddb-4a82-b64d-64e791b3c9ae/WinXPSP2_Documentation.doc
and she highlighted this portion;
-----
Detailed description
In earlier versions of Windows, ICF had a single Group Policy object
(GPO): Prohibit Use of Internet Connection Firewall on your DNS domain.
With Windows XP Service Pack 2, the following new objects are available:
- Operational mode (On, Off, or Shielded)
- Allowed Programs
- Opened Ports (static)
- ICMP settings
- Enable RPC
Each of these objects can be set for both the corporate and standard
profile.
These Group Policy objects apply to ICF for IPv4 only. IPv6 ICF only has
the single GPO option: Prohibit use of Internet Connection Firewall on
your DNS domain. Final GPOs are still under development.
-----
Thanks very much to Susan for the research, and especially the link to
the Windows XP SP2 preliminary documentation. I did ask if it was NDA'd;
she says it isn't. The public beta hasn't begun yet for Windows XP SP2,
although calls for participation have gone out. Ergo the documentation
may well change before it's released.
Cheers,
Russ - NTBugtraq Editor
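The behaviour Susan describes (ICF forced off by policy while the workstation is on the domain) is something an administrator would want to verify on a joined XP box rather than take on faith. The script below is an added example, not part of the post or of Microsoft's documentation; it reads the policy registry values on the local machine and reports whether the legacy "Prohibit use of Internet Connection Firewall on your DNS domain" setting or one of the SP2-era per-profile settings is in force. The SP2 value names (EnableFirewall under DomainProfile and StandardProfile) are the ones Windows Firewall uses; the legacy value name NC_PersonalFirewallEnabled is my assumption from the Network Connections policy template, so treat that path as something to confirm against your own ADM files.

```powershell
# Added audit script (not from the NTBugtraq post or Microsoft): reports
# whether Group Policy is suppressing the XP firewall on this machine and
# for which profile. Run in PowerShell on the workstation being checked.
#
# Registry locations read:
#  - Legacy ICF policy "Prohibit use of Internet Connection Firewall on your
#    DNS domain network":
#      HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections
#      value NC_PersonalFirewallEnabled (0 = prohibited)   <- assumed name
#  - XP SP2 per-profile policy:
#      HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
#      HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
#      value EnableFirewall (0 = off, 1 = on)

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # Returns the DWORD if the policy value exists, otherwise $null.
    # An absent value means "not configured", which is not the same as "off".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

function Describe-Policy {
    param($Value)
    # Turn the raw DWORD into the wording an auditor wants to read.
    if ($Value -eq $null) { return 'Not configured (user/local setting applies)' }
    if ($Value -eq 0)     { return 'Firewall forced OFF by policy' }
    return 'Firewall forced ON by policy'
}

function Get-XPFirewallPolicyState {
    # Win32_ComputerSystem tells us whether the box is domain-joined at all;
    # which profile is active is decided by the firewall service based on
    # whether the domain is reachable, exactly the case the post discusses.
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    $legacy   = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections' 'NC_PersonalFirewallEnabled'
    $domain   = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'   'EnableFirewall'
    $standard = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile' 'EnableFirewall'

    $state = New-Object PSObject -Property @{
        ComputerName          = $cs.Name
        DomainJoined          = $cs.PartOfDomain
        Domain                = $cs.Domain
        LegacyICFProhibited   = ($legacy -eq 0)
        DomainProfilePolicy   = (Describe-Policy $domain)
        StandardProfilePolicy = (Describe-Policy $standard)
    }

    # The branch-office case from the post: joined to the domain, firewall
    # suppressed on the domain profile, so the machine is unprotected whenever
    # it can see a DC, whether or not there is a perimeter firewall in front.
    if ($cs.PartOfDomain -and (($legacy -eq 0) -or ($domain -eq 0))) {
        Write-Warning ("{0}: policy disables the firewall while connected to {1}; " +
                       "the host is only firewalled when it is off the domain network.") -f $cs.Name, $cs.Domain
    }
    return $state
}

# Usage: run as an administrator and review the output before deciding whether
# the default SBS policy is acceptable for roaming or branch-office machines.
Get-XPFirewallPolicyState | Format-List
```

Because the SP2 policy objects Susan's link describes did not yet exist in shipping Windows at the time of the post, the two SP2 values will simply show as "Not configured" on a pre-SP2 client; the legacy ICF value is the one to look at there.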