XPsp2 firewall - bug? - disables on certain networks

From: RJ (ryanjjones_at_mail.com)
Date: 01/20/05

    Date: 20 Jan 2005 02:56:21 -0800

    I've posted this a few times, but never with "full details" - so
    hoping that this will clarify the question, the fault, and hopefully
    others may recognise the issue and either panic or offer a solution!

    We are having an issue with the XPsp2 firewall in a corporate
    environment which we believe affects everyone. However, we are unable
    to find any solutions for it. The result is that companies may be
    exposing remote workers to firewall-less clients which, if connected
    via VPN, could expose a company's network.

    Here are the details, and I would really appreciate your thoughts!

    We deploy firewall settings via GPO. The Domain setting is "Windows
    Firewall Off". The Standard setting is "Windows Firewall On".

    So – when removing a computer from the corporate LAN to any other LAN
    then the firewall automatically enables. This is superb and perfect.
    However…

    Windows XPsp2 firewall determines connection state via the DNS suffix
    of the connection. This is usually provided by the DHCP server. As
    such, a DHCP server saying "internetcafe.com" for example will get the
    machine to enable the firewall.

    But this leaves three issues:-

    1. A deliberately designed DHCP server that publishes the same DNS
    domain name as the corporate domain name will get the computer to
    disable the firewall and expose itself.
    2. Certain DHCP servers where DNS Domain Name is not set will not send
    a default "blank" domain. This makes the computer default to the DNS
    domain name of the company, resulting in the firewall being disabled.
    This can be seen with WatchGuard SoHo 6TC DHCP server. Windows 2003
    DHCP server defaults to "blank".
    3. If you use settings on the client to disable Auto IP Addressing in
    the event of no DHCP server (we need this setting) – then if the
    computer is plugged into any LAN without a DHCP server, the laptop
    (correctly) defaults to the last known DHCP settings, including DNS
    suffix, and disables the firewall!

    We were just about to roll out an IPSec SecurID VPN solution to allow
    users to connect over the Internet, but this discovery means that
    there may be situations where a deliberately configured DHCP server
    (unlikely) or a badly configured DHCP server (more likely) may well
    disable the firewall on our clients and cause us major security issues
    for obvious reasons.

    Options that are not appropriate:-

    1. Permanently enabling firewall. (On the LAN we need quite a few
    ports open for remote management tools, admin access etc. These
    exceptions would also be applied when remote (due to above issue) and
    hence open up the system anyway)

    We were under the impression the Windows firewall was a little more
    intelligent than just checking DNS suffixes – e.g. actually
    communicating with the Active Directory to confirm connection, but
    alas not.

    So – we feel anyone using XPsp2 firewall and trusting it in a
    corporate environment is making a mistake – UNLESS we are wrong! If
    so, please tell us where we are going wrong! Is there any 3rd party
    firewall that can more accurately detect if network connections are
    the corporate LAN or not?

    Many thanks!

    RJ
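
The check the poster wishes the XP SP2 firewall performed, as an added example that is not part of the original post or of any Microsoft tooling: parse the adapter DNS suffixes that `ipconfig /all` prints, and treat a suffix that matches the corporate domain as trustworthy only when an independent domain-controller check also succeeded. All three failure cases in the post (a DHCP server that publishes the corporate suffix, a DHCP server that sends no suffix so the client falls back to the corporate one, and a stale lease kept after APIPA is disabled) look identical from the suffix alone and are caught by the same rule. The corporate domain name, the sample `ipconfig` output and the `dc_reachable` flag are assumptions; how that flag is obtained (an LDAP bind or SRV lookup against the domain) is outside the snippet.

```python
"""Audit helper: decide whether a 'domain' (firewall-off) profile is justified.

Added example. It parses constructed `ipconfig /all` text from Windows XP,
reads each adapter's connection-specific DNS suffix and refuses to call the
connection 'domain' unless a domain controller was actually reachable.
"""
import re
from dataclasses import dataclass

CORPORATE_DOMAIN = "corp.example.com"  # assumption: the company's AD DNS name


@dataclass
class Verdict:
    profile: str   # "domain" (firewall off) or "standard" (firewall on)
    reason: str


def parse_dns_suffixes(ipconfig_text: str) -> dict:
    """Map adapter name -> connection-specific DNS suffix from ipconfig /all output."""
    suffixes = {}
    current = None
    for line in ipconfig_text.splitlines():
        # Adapter headers are unindented and end with a colon, e.g.
        # "Ethernet adapter Local Area Connection:"
        header = re.match(r"^(\S.*adapter.*):\s*$", line)
        if header:
            current = header.group(1).strip()
            continue
        # Field lines are indented: "   Connection-specific DNS Suffix  . : x.com"
        field = re.match(r"^\s*Connection-specific DNS Suffix[\s.]*:\s*(.*)$", line)
        if field and current is not None:
            suffixes[current] = field.group(1).strip()
    return suffixes


def decide_profile(ipconfig_text: str, dc_reachable: bool,
                   corporate_domain: str = CORPORATE_DOMAIN) -> Verdict:
    """A matching suffix is only evidence; a reachable DC is the proof."""
    suffixes = parse_dns_suffixes(ipconfig_text)
    matching = sorted(a for a, s in suffixes.items()
                      if s.lower() == corporate_domain.lower())
    if not matching:
        return Verdict("standard", "no adapter carries the corporate DNS suffix")
    if not dc_reachable:
        # Spoofed DHCP, blank-suffix fallback and stale leases all land here.
        return Verdict("standard",
                       f"suffix matches on {matching} but no domain controller "
                       "answered: possible spoofed or stale DHCP data")
    return Verdict("domain",
                   f"suffix matches on {matching} and a domain controller answered")


# Constructed sample output, shaped like `ipconfig /all` on Windows XP.
SAMPLE_CAFE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : laptop01
   Primary Dns Suffix  . . . . . . . : corp.example.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : internetcafe.com
   IP Address. . . . . . . . . . . . : 192.168.1.23
"""

# Same adapter, but the DHCP server handed out the corporate suffix.
SAMPLE_CORP_SUFFIX = SAMPLE_CAFE.replace("internetcafe.com", "corp.example.com")


if __name__ == "__main__":
    for label, text, dc in (("cafe", SAMPLE_CAFE, False),
                            ("corp suffix, no DC", SAMPLE_CORP_SUFFIX, False),
                            ("corp suffix, DC ok", SAMPLE_CORP_SUFFIX, True)):
        v = decide_profile(text, dc_reachable=dc)
        print(f"{label:20s} -> {v.profile:8s} ({v.reason})")
```

Run it on a real machine by piping `ipconfig /all` into `decide_profile` and supplying the DC check result; the verdict can then be used to force `netsh firewall set opmode enable` whenever "standard" comes back, regardless of what the suffix-based profile selection chose.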

