Re: Proposed Internet Connection Firewall change in WinXP SP2

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/08/03


Date: Sun, 7 Dec 2003 23:49:17 -0700

You may be jumping the gun.
While MS has tentatively indicated that they are looking at
making this default with SP 2, I for one have not heard under
what circumstances. For example, it would be rather simple
to detect whether a machine is in a domain or not, and behave
differently based on that. We also do not yet know what might
be made available for management for ICF from group policy.

However, I must say that I differ with your assessment of the
need or not of ICF on individual machines. Most of the worms
of recent infamy had no problem crossing into corp networks,
and once there caused widespread damage. Perimeter defense
is good, but I believe that the only real, long-term solution to
the issues assuaging the internet will be found by hardening the
end-point systems.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Jon Robertson" <jon.robertson@medevolve.dontspamme.com> wrote in message
news:%23C03zmPvDHA.2180@TK2MSFTNGP09.phx.gbl...
> I read the following in eWeek (November 24, 2003, "Building on
> 'Trust'", pg 10, 2nd paragraph that begins with "Windows XP will also
> get").
>
> The article states that ICF will be enabled by default in WinXP SP2.
>
> Where can I get official information from Microsoft regarding this?  I
> could open an MSDN incident, but I'd rather not.
>
> Turning on ICF by default on the LAN connection would be disastrous to
> our customers.  We have over 100 customers using our product, which
> relies on DCOM & IP to communicate between the client workstations and
> the server.
>
> Our customers that have an Internet connection have either a firewall
> or at least a basic router that protects their internal network.  The
> workstations only have a single network connection, and that's the LAN
> connection.  Enabling ICF by default on the LAN connection would
> definitely prevent our software from functioning, and I suspect would
> cause problems for other ISVs that use DCOM.
>
> Firewalls are not intended to be run at the workstation level, blocking
> data to that workstation.  They are intended to protect the entire
> local network from outside access.  I've always thought ICF was a dumb
> idea to begin with, but enabling ICF by default will cost our company a
> lot of time and money to go back and disable it on every one of our
> customer workstations (well over 2,000 workstations).
>
> Jon

