Re: Proposed Internet Connection Firewall change in WinXP SP2

From: Roger Abell (
Date: 12/08/03

Date: Sun, 7 Dec 2003 23:49:17 -0700

You may be jumping the gun.
While MS has tentatively indicated that they are looking at
making this default with SP 2, I for one have not heard under
what circumstances. For example, it would be rather simple
to detect whether a machine is in a domain or not, and behave
differently based on that. We also do not yet know what might
be made available for management for ICF from group policy.

However, I must say that I differ with your assessment of the
need or not of ICF on individual machines. Most of the worms
of recent infamy had no problem crossing into corp networks,
and once there caused widespread damage. Perimeter defense
is good, but I believe that the only real, long-term solution to
the issues assuaging the internet will be found by hardening the
end-point systems.

Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Jon Robertson" <> wrote in message
> I read the following in eWeek (November 24, 2003, "Building on
> 'Trust'", pg 10, 2nd paragraph that begins with "Windows XP will also
> get").
>
> The article states that ICF will be enabled by default in WinXP SP2.
> Where can I get official information from Microsoft regarding this?  I
> could open an MSDN incident, but I'd rather not.
>
> Turning on ICF by default on the LAN connection would be disastrous to
> our customers.  We have over 100 customers using our product, which
> relies on DCOM & IP to communicate between the client workstations and
> the server.
>
> Our customers that have an Internet connection have either a firewall
> or at least a basic router that protects their internal network.  The
> workstations only have a single network connection, and that's the LAN
> connection.  Enabling ICF by default on the LAN connection would
> definitely prevent our software from functioning, and I suspect would
> cause problems for other ISVs that use DCOM.
>
> Firewalls are not intended to be run at the workstation level, blocking
> data to that workstation.  They are intended to protect the entire
> local network from outside access.  I've always thought ICF was a dumb
> idea to begin with, but enabling ICF by default will cost our company a
> lot of time and money to go back and disable it on every one of our
> customer workstations (well over 2,000 workstations).
>
> Jon