Windows XP/SP2 and Windows 2003/SP1 Firewall Settings

Both Windows XP (no SP) and Windows 2003 (no SP) have a built-in firewall. However, Windows XP/SP2 turns on the firewall by default, prohibiting inbound communication. We saw this phenomenon in Chapter 2 when we tried to run a "Group Policy Results" report against our Windows XP client system and got an RPC error (which is the same error we'd get if the Windows XP machine were off).

Note that the Windows 2003/SP1 and Windows XP/SP2 firewalls are functionally equivalent. However, Windows 2003/SP1's firewall is not turned on by default when the system is running. (It is, however, turned on by default if you're performing an integrated Windows 2003/SP1 installation, but that's another story.)

In short, there are some things you need to know about working with the policy settings that affect the Windows firewall on Windows XP/SP2 and Windows 2003/SP1. Although we can't go over every setting, here's a hot list of information you should know about before sallying forth and deploying any of these policy settings.

Domain vs. Standard Profiles

If you dive down into the new firewall policy settings, contained within Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall, you'll notice two branches: Domain Profile and Standard Profile.

Inside each branch, you'll see a gaggle of settings that are exactly the same.

So, what gives?

When policy settings within the "Domain Profile" are enabled, they affect the firewall when the computer makes contact with, and is authenticated by, a Domain Controller. This is usual when a computer is at the central office and a normal logon occurs.

When policy settings within the "Standard Profile" are enabled, they affect the firewall when users cannot authenticate to a Domain Controller. This might happen when the user is in a hotel room, an Internet café, or other areas with public connectivity.

You might set up your "Domain Profile" settings to disable the firewall when the user is in the central office and your "Standard Profile" settings to ensure it's at maximum force. In short, you get to choose how strong the firewall will act in each of these circumstances.

Microsoft has a great little article on how the computer fundamentally determines if it should use the "Domain Profile" or the "Standard Profile." Check it out here: http://tinyurl.com/cao73 .

Killing the Firewall

There might be times when you just want to outright kill Windows XP's firewall. Additionally, you can prevent an inadvertent mishap should someone try to enable it on a Windows 2003/SP1 server!

In Chapter 2, I explained how to kill Windows XP's firewall (which is the same process for killing Windows 2003's firewall).

Again, to kill the XP/SP2 firewall, drill down to Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile and select Windows Firewall: Protect All Network Connections. But here's the thing. You don't choose to enable this policy. No, no. You disable it. Yes, you read that right: you disable it. Read the Explain text help inside the policy for more information on specific usage examples.
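To confirm what this policy actually delivered to a machine, the following PowerShell reads the firewall on/off value for both the Domain and Standard profiles and flags a disabled Standard Profile. It is an added example, not from the book; it assumes the setting is stored as the `EnableFirewall` DWORD under the registry keys shown (Group Policy value first, local setting as fallback), and `Get-FirewallProfileState` is a hypothetical helper name.

```powershell
# Added example: audit "Windows Firewall: Protect all network connections" per profile.
# Assumption: the value lives in EnableFirewall (1 = on, 0 = off) under these keys.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallProfileState {          # hypothetical helper name
    param([string]$ProfileName)              # 'DomainProfile' or 'StandardProfile'

    # A Group Policy value wins over the local setting, so check it first.
    $sources = @(
        @{ Name = 'GroupPolicy'; Root = $policyRoot },
        @{ Name = 'Local';       Root = $localRoot  }
    )
    foreach ($source in $sources) {
        $key  = Join-Path $source.Root $ProfileName
        $item = Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $state = if ($item.EnableFirewall -eq 1) { 'On' } else { 'Off' }
            return New-Object PSObject -Property @{
                Profile = $ProfileName; State = $state; Source = $source.Name
            }
        }
    }
    # Neither key carries the value: the operating system default applies.
    return New-Object PSObject -Property @{
        Profile = $ProfileName; State = 'NotConfigured'; Source = 'Default'
    }
}

$results = foreach ($name in 'DomainProfile', 'StandardProfile') {
    Get-FirewallProfileState -ProfileName $name
}
$results | Format-Table Profile, State, Source -AutoSize

# The Standard Profile applies when no Domain Controller can be reached
# (hotel, cafe, public network), so "Off" there deserves a second look.
$standard = $results | Where-Object { $_.Profile -eq 'StandardProfile' }
if ($standard.State -eq 'Off') {
    Write-Warning "Firewall is off in the Standard Profile (source: $($standard.Source))."
}
```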

Opening Specific Ports, Managing Exceptions, and More

Microsoft did a lot of the hard work for me. That is, they've put together a stellar document on how to fully manage all aspects of your Windows XP/SP2 (and Windows 2003/SP1) firewall with Group Policy. By using the techniques Microsoft provides, you'll be able to have very granular control over how the firewall is used in your company (and when users are away from your company).

You can learn how to open specific ports, make specific program exceptions, turn on logging, and more.

For more information about deploying Windows Firewall, see "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2" on the Microsoft Download Center website at http://tinyurl.com/a8bfc .

Firewall Warning

Before you go headlong into manipulating and changing the default firewall settings for Windows XP/SP2 (or Windows 2003/SP1), I recommend that you use caution. In other words, the firewall is, in fact, turned on by default for Windows XP/SP2 (and off for Windows 2003/SP1).

This is done for a reason.

It provides the most protection from the bad guys trying to infect and hack your Windows XP/SP2 machines. So, if you're going to start opening up ports (or kill the firewall altogether), please use these policy settings with caution. Know what you're changing and why you're changing it.

Again, the defaults are there for a reason!!!



Group Policy, Profiles, and IntelliMirror for Windows 2003, Windows XP, and Windows 2000 (Mark Minasi Windows Administrator Library)
ISBN: 0782144470
EAN: 2147483647
Year: 2005
Pages: 110
