
Best Practice: When to run the Windows XP SP2 Windows Firewall

Windows Firewall is a great way to secure your computers for free. But, if you have already purchased and deployed a third-party firewall, there's no need to run both. Here's why.

The Windows Firewall included in Windows XP SP2 is a great new feature to secure the operating system. But Microsoft recommends that you run only one firewall on your computer, because the Windows Firewall may not have enough of a feature set to allow corporate users to manage intrusions.

The Windows Firewall is primarily intended for home users and users who don't run a personal firewall at all. If you aren't currently running a local firewall on your company's computers, Windows Firewall is a great way to secure your computers for free. But, if you have already purchased and deployed a third-party firewall, there's no need to run both.

Microsoft has already advised third-party firewall vendors to programmatically turn off the Windows Firewall in their future releases; this will eventually be automatic. I can attest to this since I received a Live Update for my Symantec firewall. After the update, I was prompted to turn off the Windows Firewall.

You can run the Windows Firewall in addition to any other firewall products you use, but it does not make you safer. It only gives you an additional area to manage. Basically, you'll need to manage both firewall products separately, increasing the complexity of your administration duties.
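A read-only check for the situation described above, where one machine ends up with two firewalls to manage. This is an added example, not code from the original article; it assumes Windows PowerShell 1.0 is installed on the XP SP2 machine and that the third-party firewall registers itself with Security Center, and the function names are hypothetical.

```powershell
# Added example, not from the article. Assumes Windows XP SP2 with
# Windows PowerShell 1.0 installed; uses only PowerShell 1.0 syntax.

function Get-WindowsFirewallState {
    # XP SP2 keeps one EnableFirewall DWORD per profile. A Group Policy value
    # under SOFTWARE\Policies, when present, overrides the local setting.
    $roots = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall',
             'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $state = @{}
    foreach ($name in 'DomainProfile', 'StandardProfile') {
        foreach ($root in $roots) {
            $key = Join-Path $root $name
            if (-not (Test-Path $key)) { continue }
            $value = (Get-ItemProperty -Path $key).EnableFirewall
            if ($value -ne $null) { $state[$name] = ($value -eq 1); break }
        }
    }
    $state   # profiles with no value in either location are left out
}

function Get-RegisteredFirewall {
    # Security Center exposes the firewalls that register with it in the
    # root\SecurityCenter WMI namespace. A product that does not register
    # will not appear here, so an empty result is not proof of absence.
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class FirewallProduct `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.enabled } |
        ForEach-Object { $_.displayName }
}

$wf         = Get-WindowsFirewallState
$wfProfiles = @($wf.Keys | Where-Object { $wf[$_] })
$thirdParty = @(Get-RegisteredFirewall)

if ($wfProfiles.Count -gt 0 -and $thirdParty.Count -gt 0) {
    # Both are active: the case the article advises against.
    Write-Warning ("Two firewalls to manage: Windows Firewall ({0}) and {1}" -f `
        ([string]::Join(', ', $wfProfiles)), ([string]::Join(', ', $thirdParty)))
} elseif ($wfProfiles.Count -gt 0) {
    "Windows Firewall only, enabled for: " + [string]::Join(', ', $wfProfiles)
} elseif ($thirdParty.Count -gt 0) {
    "Third-party firewall only: " + [string]::Join(', ', $thirdParty)
} else {
    Write-Warning "No enabled firewall found by this check."
}
```

The script changes nothing on the machine; it only reports which of the four states the host is in.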

Microsoft also suggests that you may want more advanced features than the Windows Firewall provides. The Windows Firewall, for example, doesn't provide alerting or intrusion detection and doesn't offer outbound filtering capabilities. Although the Windows Firewall focuses on preventing attacks from successfully penetrating a system, it doesn't do anything to protect systems once bad software is already installed locally.

Some of the other firewall products also have better diagnostics and centralized reporting than the Windows Firewall, which has no reporting capability at all.

You should consider all of these factors when determining which firewall product to purchase. If you choose the Windows Firewall, make sure you understand its limited capabilities and plan for them. For a corporate environment where centralized management and reporting are critical, you may want to revise your plans to use the new Windows Firewall.

ABOUT THE AUTHOR: Rod Trent, manager of and Microsoft MVP is a leading expert on Microsoft Systems Management Server. He has more than 18 years of IT experience -- eight of which have been dedicated to SMS. He is the author of such books as Microsoft SMS Installer, Admin911:SMS, and IIS 5.0: A Beginner's Guide, and has written literally thousands of articles on technology topics.

This article first appeared in myITforum, the premier online destination for IT professionals responsible for managing their corporations' Microsoft Windows systems. The centerpiece of is a collection of member forums where IT professionals actively exchange technical tips, share their expertise, and download utilities that help them better manage their Windows environments, specifically Microsoft Systems Management Server (SMS). It is part of the TechTarget network of Web sites.
