Re: Proposed Internet Connection Firewall change in WinXP SP2
From: Jon Robertson (jon.robertson_at_medevolve.dontspamme.com)
Date: 12/08/03
- Next message: Jupiter Jones [MVP]: "Re: Email Attachments"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: group policy and roaming profiles"
- In reply to: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Next in thread: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Reply: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Reply: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 08 Dec 2003 08:13:05 -0800
> You may be jumping the gun.
True. The article did not, for instance, mention if DCOM was being
modified to be more firewall friendly. This is why I asked where I can
get OFFICIAL information from Microsoft.
> We also do not yet know what might be made
> available for management for ICF from group policy.
Microsoft does not have a history of loudly notifying when steps such
as these need to be taken. If XP SP2 does enable ICF by default even
in a domain environment, and Group Policy administration is available,
Microsoft should very loudly announce that DCOM will be not be
available unless a Group Policy for ICF is created.
If Group Policy administration is not available and ICF is enabled
within a domain, Microsoft should announce very loudly that a default
SP2 installation will break DCOM within the LAN.
> However, I must say that I differ with your assessment of the
> need or not of ICF on individual machines. Most of the worms
> of recent infamy had no problem crossing into corp networks,
> and once there caused widespread damage. Perimeter defense
> is good, but I believe that the only real, long-term solution to
> the issues assuaging the internet will be found by hardening the
> end-point systems.
I'm not a security expert. I'm a developer who is trying desparately
to keep up with the impact of Microsoft's security changes. Please
enlighten me:
If a worm/virus is able to get through a corporate firewall, what would
prevent it from getting through a software firewall like ICF?
Furthermore, if ICF can be configured to truly proteect individual
systems, why can't a corporate firewall be configured to truly protect
the entire corporation?
I agree with steps such as blocking network access from workstations
that are not updated with the most recent security updates.
But a firewall on every workstation on the corporate network? I might
as well disconnect my machine from the network. How many distributed
software solutions exists that would function if every workstation had
an individual firewall? For that matter, without making custom changes
(that are not easy to the end user), I can't share files or printers
from my workstation if I have ICF enabled.
I would hope a completely redesigned ICF would be available before such
drastic steps are taken. One that easily allows the user to custom
configure which services they need access to, similar to the new
configuration of Server 2003.
Thanks
- Next message: Jupiter Jones [MVP]: "Re: Email Attachments"
- Previous message: anonymous_at_discussions.microsoft.com: "Re: group policy and roaming profiles"
- In reply to: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Next in thread: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Reply: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Reply: Roger Abell: "Re: Proposed Internet Connection Firewall change in WinXP SP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
