Re: Proposed Internet Connection Firewall change in WinXP SP2

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 12/09/03


Date: Tue, 9 Dec 2003 01:04:57 -0700

Look, we are all waiting to see how this announced SP2
feature is implemented. The beta bits are not widely
available and where they are things cannot be definitively
discussed.

It is very difficult for me to see this being automatically
turned on within a domain, as it will break not just your
application, but all of MS tools for centrally managing
the remote systems (event viewer, regedit, mmcs focused
on remote system, WMI and other scripts, etc.).

Some of the things that have been around can infect an
unpatched system if it is merely visible to TCP/IP traffic,
such as recent DCOM and RPC exploits. A per-machine
firewall prevents this from spreading to those machines.
Of course a firewall is totally ineffectual against unintelligent
user actions.

I would advise you to look at alternatives to DCOM based
instancing for your application anyway, as the tide has turned
and you will likely be finding customers (like myself) that would
be unwilling to buy a product that required them (me) to re-enable
DCOM on servers and clients. I have (the D part in) DCOM pretty
completely killed and have no desire to go back.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Jon Robertson" <jon.robertson@medevolve.dontspamme.com> wrote in message
news:eKvQqYavDHA.2000@TK2MSFTNGP11.phx.gbl...
> > You may be jumping the gun.
>
> True.  The article did not, for instance, mention if DCOM was being
> modified to be more firewall friendly.  This is why I asked where I can
> get OFFICIAL information from Microsoft.
>
> > We also do not yet know what might be made
> > available for management for ICF from group policy.
>
> Microsoft does not have a history of loudly notifying when steps such
> as these need to be taken.  If XP SP2 does enable ICF by default even
> in a domain environment, and Group Policy administration is available,
> Microsoft should very loudly announce that DCOM will not be
> available unless a Group Policy for ICF is created.
>
> If Group Policy administration is not available and ICF is enabled
> within a domain, Microsoft should announce very loudly that a default
> SP2 installation will break DCOM within the LAN.
>
> > However, I must say that I differ with your assessment of the
> > need or not of ICF on individual machines.  Most of the worms
> > of recent infamy had no problem crossing into corp networks,
> > and once there caused widespread damage.  Perimeter defense
> > is good, but I believe that the only real, long-term solution to
> > the issues assuaging the internet will be found by hardening the
> > end-point systems.
>
> I'm not a security expert.  I'm a developer who is trying desperately
> to keep up with the impact of Microsoft's security changes.  Please
> enlighten me:
>
> If a worm/virus is able to get through a corporate firewall, what would
> prevent it from getting through a software firewall like ICF?
> Furthermore, if ICF can be configured to truly protect individual
> systems, why can't a corporate firewall be configured to truly protect
> the entire corporation?
>
> I agree with steps such as blocking network access from workstations
> that are not updated with the most recent security updates.
>
> But a firewall on every workstation on the corporate network?  I might
> as well disconnect my machine from the network.  How many distributed
> software solutions exist that would function if every workstation had
> an individual firewall?  For that matter, without making custom changes
> (that are not easy to the end user), I can't share files or printers
> from my workstation if I have ICF enabled.
>
> I would hope a completely redesigned ICF would be available before such
> drastic steps are taken.  One that easily allows the user to custom
> configure which services they need access to, similar to the new
> configuration of Server 2003.
>
> Thanks
