Second of two parts.
One of the largest improvements in Windows XP Service Pack 2,
Particularly useful are the new Group Policy Object (GPO) settings that administrators can use to configure firewall settings for all machines on their network. In this article, I'll go over some of the new features of the Windows Firewall, and how you can use GPOs to deploy a consistent security configuration to any size network.
If you're like me, you found yourself pretty disappointed with the Group Policy settings available for the first incarnation of the built-in firewall, the Internet Connection Firewall (ICF) that shipped with Windows XP before SP2. What could you do to configure firewall settings across your network? You could disable the firewall, and that was it. Not very useful in the grand scheme of things.
With the Windows Firewall in SP2, all of that changes. You can now deploy the Protect All Network Connections setting to any part of your Active Directory forest or domain. The opposite of disabling the firewall en masse, this setting ensures that the Windows Firewall is enabled on every machine the GPO applies to, regardless of what is configured locally. (Be careful to leave it Not Configured rather than Disabled where you don't want to enforce it: a Disabled policy turns the firewall off on every machine the GPO covers, and nobody can turn it back on, not even a local administrator.)
You can also create exception lists that let specific programs and ports receive unsolicited inbound connections while the Windows Firewall is protecting a machine. There are pre-configured GPO settings that enable the following exceptions for the Windows Firewall (found in Group Policy under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall):
- Allow File and Print Sharing (opens UDP 137 and 138, TCP 139 and TCP 445)
- Allow Remote Administration (opens TCP 135 and TCP 445; this gives you back your C$/D$ shares, as well as the use of the Computer Management MMC and other remote MMC snap-ins)
- Allow Remote Desktop (opens TCP 3389)
- Allow UPnP Framework (opens TCP 2869 and UDP 1900. Please don't enable this option; I'll sleep better at night.)
You can exert even finer control over these settings by specifying that your workstations accept these connections only from certain IP addresses or subnets (the scope of the exception). For example, you can specify that only your administrative workstations can open a remote administration session with the workstations in your domain. You can also create a centralized list of permitted exceptions using program paths (the Define program exceptions setting) or TCP/UDP ports (Define port exceptions), each entry with its own scope. If your network requires a bit more flexibility than that, you can loosen your firewall controls with the Allow local program exceptions and Allow local port exceptions settings, so that local administrators can add their own entries on top of the centrally defined list.
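As an added example (this is not code from the article), the PowerShell below builds entries in the format the Define port exceptions and Define program exceptions settings take, and refuses a malformed scope so that a typo cannot silently turn into an exception open to the whole Internet. The subnet, port, program path and exception names are constructed placeholders.

```powershell
# Added example, not from the original article. Builds "Define port exceptions"
# and "Define program exceptions" entries for the SP2 Windows Firewall GPO
# settings and validates their scope. Subnet, port, path and names are
# constructed placeholders for this example.

# Scope syntax the SP2 firewall accepts: "*" (any address), "localsubnet", or a
# comma-separated list of IPv4 addresses and subnets written as a.b.c.d/bits or
# a.b.c.d/w.x.y.z. Anything else is rejected.
function Test-FirewallScope {
    param([string]$Scope)
    if ($Scope -eq '*' -or $Scope -eq 'localsubnet') { return $true }
    $octet   = '(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    $ipv4    = "$octet(\.$octet){3}"
    $pattern = '^' + $ipv4 + '(/([0-9]|[12][0-9]|3[0-2]|' + $ipv4 + '))?$'
    foreach ($entry in ($Scope -split ',')) {
        if ($entry.Trim() -notmatch $pattern) { return $false }
    }
    return $true
}

# One port exception: "port:protocol:scope:enabled|disabled:name".
function New-PortException {
    param([int]$Port, [string]$Protocol, [string]$Scope, [string]$Name, [switch]$Disabled)
    $Protocol = $Protocol.ToUpper()
    if ('TCP', 'UDP' -notcontains $Protocol) { throw "Protocol must be TCP or UDP ('$Name')" }
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port out of range ('$Name')" }
    if (-not (Test-FirewallScope $Scope)) { throw "Bad scope '$Scope' ('$Name')" }
    $state = 'enabled'; if ($Disabled) { $state = 'disabled' }
    return "${Port}:${Protocol}:${Scope}:${state}:${Name}"
}

# One program exception: "path:scope:enabled|disabled:name". The path may use
# variables such as %ProgramFiles%, which the client expands.
function New-ProgramException {
    param([string]$Path, [string]$Scope, [string]$Name, [switch]$Disabled)
    if (-not (Test-FirewallScope $Scope)) { throw "Bad scope '$Scope' ('$Name')" }
    $state = 'enabled'; if ($Disabled) { $state = 'disabled' }
    return "${Path}:${Scope}:${state}:${Name}"
}

# Domain-profile list for this example: a helpdesk agent reachable only from
# the admin workstation subnet, SNMP only from two monitoring hosts, and a
# vendor agent only from the local subnet.
$AdminSubnet = '10.0.5.0/24'    # constructed placeholder
$DomainExceptions = @(
    (New-PortException -Port 8443 -Protocol tcp -Scope $AdminSubnet -Name 'Helpdesk agent'),
    (New-PortException -Port 161 -Protocol udp -Scope '10.0.5.10,10.0.5.11' -Name 'SNMP from monitoring'),
    (New-ProgramException -Path '%ProgramFiles%\Vendor\agent.exe' -Scope 'localsubnet' -Name 'Vendor agent')
)
$DomainExceptions    # paste these into the "Define ... exceptions" GPO settings

# A scope that is not an address list is caught before it reaches the GPO.
try {
    New-PortException -Port 8443 -Protocol TCP -Scope 'any' -Name 'Oops' | Out-Null
} catch {
    Write-Warning "Rejected: $($_.Exception.Message)"
}
```

Each emitted string is one entry in the Show... list of the corresponding GPO setting. Keeping the scope validator in front of the GPO matters because the firewall itself gives you no warning when an entry's scope is wider than you intended.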
Now, you may think that this is all fine and well for your locally connected users, but it's another story if you've got a fleet of "road warrior" laptops that are continually coming back from business trips infected with the latest Blaster/Sasser variant. In such cases, enter: firewall profiles. With the Windows Firewall, you can specify and configure two separate firewall configurations based on whether a machine is locally connected or using an insecure connection in an airport, hotel room, etc. You can create a Domain Profile, which applies whenever Windows determines that the machine is connected to the network containing its domain controllers. (It decides this by comparing the connection-specific DNS suffix each adapter received with the DNS name of the domain the machine last logged on to; if any active connection fails that test, the Standard Profile is used instead.) This is typically the profile where you'd create any exceptions for remote administration and file sharing.
For those situations where your laptops are out roaming the world, you can also create a Standard Profile, which applies whenever a machine is connected to an ISP or any other wired or wireless network that is not recognized as your domain. If you want the utmost in security in this situation, configure the Standard Profile with the Do Not Allow Exceptions setting, which drops all unsolicited inbound traffic, including traffic that would otherwise match an exception; the laptop can still open outbound connections and receive their replies. This combination of firewall profiles and exception lists is a marked improvement in the usefulness and configurability of the Windows Firewall in Service Pack 2, and certainly makes this built-in security measure a valuable tool in any desktop administrator's arsenal.
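As an added example (this is not code from the article), the PowerShell below is the check I'd run on a workstation after gpupdate to confirm what the Domain and Standard profile settings actually delivered, and to catch any centrally defined exception that is open to every address. The SP2 WindowsFirewall.adm template stores these settings under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile and \StandardProfile, and the firewall gives any value set there priority over the local configuration; the expected values and the admin subnet are constructed for this example.

```powershell
# Added example, not from the original article. Compares the Windows Firewall
# policy values delivered by Group Policy with what the administrator intended,
# for both SP2 firewall profiles. Expected values and subnet are constructed.

$AdminSubnet = '10.0.5.0/24'   # constructed placeholder: admin workstations

# Value paths are relative to HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>,
# the location used by the SP2 WindowsFirewall.adm template.
$Expected = @{
    DomainProfile = @{
        'EnableFirewall'                            = 1             # Protect all network connections
        'DoNotAllowExceptions'                      = 0
        'RemoteAdminSettings\Enabled'               = 1             # Allow remote administration exception
        'RemoteAdminSettings\RemoteAddresses'       = $AdminSubnet  # ...only from admin workstations
        'Services\FileAndPrint\Enabled'             = 1             # Allow file and printer sharing exception
        'Services\FileAndPrint\RemoteAddresses'     = 'localsubnet'
        'Services\UPnPFramework\Enabled'            = 0             # keep UPnP closed
        'GloballyOpenPorts\AllowUserPrefMerge'      = 0             # no local port exceptions
        'AuthorizedApplications\AllowUserPrefMerge' = 0             # no local program exceptions
    }
    StandardProfile = @{
        'EnableFirewall'       = 1
        'DoNotAllowExceptions' = 1   # off the domain network: drop all unsolicited traffic
    }
}

# Read one value below the profile key; $null means Group Policy did not set it.
function Get-PolicyValue {
    param([string]$ProfileName, [string]$RelativePath)
    $key   = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$ProfileName"
    $parts = $RelativePath.Split('\')
    if ($parts.Count -gt 1) { $key = Join-Path $key ($parts[0..($parts.Count - 2)] -join '\') }
    if (-not (Test-Path $key)) { return $null }
    return (Get-Item $key).GetValue($parts[-1])
}

# Compare expected with delivered; returns one line per discrepancy.
function Test-FirewallPolicy {
    param([hashtable]$Expected)
    $findings = @()
    foreach ($profileName in $Expected.Keys) {
        foreach ($relPath in $Expected[$profileName].Keys) {
            $want = $Expected[$profileName][$relPath]
            $have = Get-PolicyValue $profileName $relPath
            if ($have -eq $null) {
                $findings += "${profileName}: $relPath not set by policy (GPO not applied? local setting is in effect)"
            } elseif ("$have" -ne "$want") {
                $findings += "${profileName}: $relPath is '$have', expected '$want'"
            }
        }
    }
    return $findings
}

# Centrally defined exceptions. Entries are "port:proto:scope:state:name" or
# "path:scope:state:name"; a path contains a colon, so the scope is taken as
# the third field from the end, which works for both formats.
function Get-WideOpenExceptions {
    param([string]$ProfileName)
    $base = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$ProfileName"
    $open = @()
    foreach ($list in 'GloballyOpenPorts\List', 'AuthorizedApplications\List') {
        $key = Join-Path $base $list
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            $fields = ([string]($item.GetValue($valueName))).Split(':')
            if ($fields.Count -ge 4 -and $fields[-3] -eq '*' -and $fields[-2] -eq 'enabled') {
                $open += "${ProfileName}: exception '$($fields[-1])' is open to any address"
            }
        }
    }
    return $open
}

$report = @(Test-FirewallPolicy $Expected) +
          @(Get-WideOpenExceptions 'DomainProfile') +
          @(Get-WideOpenExceptions 'StandardProfile')
if ($report.Count -eq 0) { Write-Output 'Firewall policy matches the intended configuration.' }
else { $report | ForEach-Object { Write-Warning $_ } }
```

A value reported as not set means the machine is running on its local firewall settings for that item, which is exactly the state a laptop ends up in when the GPO never reached it; an exception flagged as open to any address in the Domain Profile is the case where scoping to the admin subnet was intended but a "*" slipped through.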
Laura E. Hunter is a Microsoft MVP and SearchWin2000.com site expert.