Re: XPsp2 firewall - bug? - disables on certain networks

ryanjjones_at_mail.com
Date: 01/24/05


Date: 24 Jan 2005 01:55:46 -0800


Your options both have the same effect - having the firewall on all the
time.

Now, with the number of tools we need for management, software
deployment, audit and general remote IT administration, so many ports
need to be open, with so many exceptions, that the firewall will not be
able to do its job. Hence the "external" standard policy is "enabled
with no exceptions". Okay, you can lock it down to subnets, but
obviously private subnets (10.x) are hardly rare!

We would not consider the exceptions we need as being secure enough for
connection to the Internet.

John M wrote:
> I have reread the document from the cable guy and the "Deploying Windows
> Firewall Settings for Microsoft Windows XP with Service Pack 2" document
> from Microsoft
> http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
> .
> Even if the DNS suffix is different, the computer can get a new policy from
> a different domain controller. To me, I interpret this as "If the computer
> cannot contact a domain controller and get the current policy or a new
> policy, then it will be on an unmanaged network". I can see where the
> concern is from DHCP servers mimicking your domain settings.
>
> We came down to two choices:
> 1) Make the domain profile and standard profile exactly the same, so it
> wouldn't matter where the computer was and deal with the consequences of
> some stuff not working for users while away from our network. Again, when
> using group policy for Windows Firewall, when we define port exceptions, you
> can not grant access by DNS names, only by IP subnets.
>
> 2) Since our DNS server is accessible to the outside world, we could
> manually enter the DNS server and suffix settings for all connections. This
> can also be done via group policy. Thus, the computer would always be
> considered on a managed network and we just configure the domain profile.
>
> Both give us the desired results because general consensus is that it is
> better to always have the firewall on no matter where the computer is.
>
>
>
> "Torgeir Bakken (MVP)" <Torgeir.Bakken-spam@hydro.com> wrote in message
> news:ORF6xVw$EHA.1524@TK2MSFTNGP09.phx.gbl...
> > John M wrote:
> >
> >> I'm curious as to where you learned that SP2 firewall determines
> >> its connection via the DNS suffix, I could only find that it is
> >> determined whether it can contact a domain controller or not.
> > Hi
> >
> > For the WinXP SP2 FW, contact with the domain controller is not
> > a part of this determination process (where did you find that
> > statement?).
> >
> > Here is how the SP2 firewall determines if it is to activate
> > the domain or standard profile:
> >
> > If the last-received Group Policy update DNS name matches any of the
> > connection-specific DNS suffixes of the currently connected
> > connections (not PPP or SLIP-based) on the computer, the FW's
> > domain settings will be used. There is no way to change this
> > behavior.
> >
> > From
> > The Cable Guy - May 2004
> > Network Determination Behavior for Network-Related Group Policy Settings
> > http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx
> >
> > <quote>
> > To apply this behavior to Windows Firewall settings:
> >
> > () If the connection-specific DNS suffix of a currently connected
> > connection on the computer that is not PPP or SLIP-based (such as
> > an Ethernet or 802.11 wireless network adapter) matches the value
> > of the
> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
> > Policy\History\NetworkName registry entry, Windows Firewall uses
> > the domain profile.
> >
> > () If the connection-specific DNS suffix of a currently connected
> > connection on the computer that is not PPP or SLIP-based does not
> > match the value of the
> > HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group
> > Policy\History\NetworkName registry entry, Windows Firewall uses
> > the standard profile.
> >
> > You can determine the connection-specific DNS suffixes of the
> > currently connected connections on the computer from the display
> > of the ipconfig command issued from a command prompt.
> >
> > </quote>
> >
> > Read the Cable Guy article for more about this.
> >
> >
> > --
> > torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> > Administration scripting examples and an ONLINE version of
> > the 1328 page Scripting Guide:
> > http://www.microsoft.com/technet/scriptcenter/default.mspx
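The rule Torgeir quotes, together with the subnet-scoping limitation raised at the top of this reply, modelled in Python as an added example. This is not code from the thread, from the Cable Guy column or from Microsoft. The ipconfig text, the NetworkName value and the addresses are constructed samples, and the case-insensitive suffix comparison is an assumption the thread does not state.

```python
"""Model of the Windows XP SP2 firewall's profile choice, as quoted in the
thread: the domain profile is used only when a currently connected adapter
that is not PPP- or SLIP-based has a connection-specific DNS suffix equal to
the NetworkName value recorded by the last Group Policy refresh.
Every input below is a constructed sample, not captured from a real host."""
import ipaddress
import re

# Stands in for the registry value
# HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName
NETWORK_NAME = "corp.example.com"

# Adapter families the quoted rule ignores (dial-up and VPN links).
IGNORED_ADAPTER_TYPES = {"PPP", "SLIP"}

# Section headers read "Ethernet adapter Local Area Connection:" on XP.
ADAPTER_RE = re.compile(r"^(?P<type>\S+) adapter (?P<name>.+):$", re.M)
SUFFIX_RE = re.compile(r"Connection-specific DNS Suffix[ .]*:[ \t]*(\S*)")

# Constructed ipconfig output, trimmed to the lines the rule reads.
# Case 1: the corporate LAN, suffix assigned by the real DHCP server.
IPCONFIG_CORP = """
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : corp.example.com
"""
# Case 2: a hotel LAN whose DHCP server mimics the corporate suffix, plus a
# wireless adapter that is currently unplugged.
IPCONFIG_HOTEL_ROGUE = """
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : CORP.example.com
Ethernet adapter Wireless Network Connection:
        Media State . . . . . . . . . . . : Media disconnected
"""
# Case 3: a home LAN with the office VPN up; only the PPP link has the suffix.
IPCONFIG_HOME_VPN = """
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . : home
PPP adapter Office VPN:
        Connection-specific DNS Suffix  . : corp.example.com
"""


def parse_ipconfig(text):
    """Return one dict per adapter section with the fields the rule needs.
    Written against the English ipconfig layout; localized output differs."""
    heads = list(ADAPTER_RE.finditer(text))
    adapters = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        suffix = SUFFIX_RE.search(body)
        adapters.append({
            "type": head.group("type"),
            "name": head.group("name"),
            "suffix": suffix.group(1) if suffix else "",
            "connected": "Media disconnected" not in body,
        })
    return adapters


def select_profile(adapters, network_name=NETWORK_NAME):
    """Return ("domain" or "standard", names of the adapters that matched)."""
    # Assumption the thread does not state: suffixes compare like DNS names,
    # case-insensitively and ignoring a trailing dot.
    def norm(s):
        return s.lower().rstrip(".")
    matched = [a["name"] for a in adapters
               if a["connected"]
               and a["type"].upper() not in IGNORED_ADAPTER_TYPES
               and a["suffix"] and norm(a["suffix"]) == norm(network_name)]
    return ("domain" if matched else "standard"), matched


def exception_open_to(scope_subnets, source_ip):
    """Would a port exception scoped to these subnets (the only scoping Group
    Policy offers, per the thread) accept traffic from source_ip?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(s) for s in scope_subnets)


if __name__ == "__main__":
    for label, text in (("corporate LAN", IPCONFIG_CORP),
                        ("hotel, rogue DHCP", IPCONFIG_HOTEL_ROGUE),
                        ("home + VPN", IPCONFIG_HOME_VPN)):
        profile, hits = select_profile(parse_ipconfig(text))
        print(f"{label:18s} -> {profile} profile, matched on {hits or 'nothing'}")
    # A 10/8 scope is no protection on a hotel LAN that also uses 10.x;
    # only a scope on the actual office subnet keeps the hotel out.
    print(exception_open_to(["10.0.0.0/8"], "10.200.1.7"))   # True
    print(exception_open_to(["10.1.2.0/24"], "10.200.1.7"))  # False
```

On a live XP SP2 machine the two inputs are what `ipconfig /all` prints and what `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\History" /v NetworkName` returns. Case 2 is the concern John M mentions: a DHCP server on a foreign network that hands out the domain's suffix puts the laptop on the domain profile with all of its exceptions, and an exception scoped to 10.0.0.0/8 stays open to that network because private 10.x ranges are hardly rare. Case 3 shows the other side of the rule: a suffix that arrives only on a PPP link (the VPN) does not count, so the standard profile stays in force at home.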
