The following question and answer thread was excerpted from ITKnowledge Exchange. Click here to read the entire thread or to start a new one.
A user identified as stanslad posted the following
"We would like to activate an XP firewall in our corporate LAN. However, I've been advised not to do so because activating such a firewall causes complications for LAN-based users, applications and services. What should we do?"
A user identified as hedgehog advised:
"I would enable it first on a small test bed of controlled clients and see how it goes. Keep in mind that, as with most personal firewalls, the WinXP firewall will have some connectivity problems, especially with client-server apps or with those that need to 'ping' the machines to work. You will need to determine which ports/services are in use and open them in the firewalls. If you allow laptops into your corporate LAN, a personal firewall should be mandatory on those machines. While having a personal firewall on a desktop is not as critical, they also contribute to your overall security."
A user identified as csmric advised:
"When I initially deployed SP2 throughout our organization, I enabled an XP firewall and created 'holes' in it as necessary. However, as we proceeded, I found more and more LAN-related problems. The Terminal Server users, the various antispyware and antivirus solutions we employ became too much to keep up with as I opened more and more holes. Since we use a hardware (PIX) firewall and an ISA Server, I decided to disable the XP firewall on all computers. We have used this configuration for 6 months now and haven't experienced any adverse reactions. I would also recommend configuring the laptops so they use the XP firewall. This protects the laptops when the user is not on your LAN."
A user identified as gstornelli advised:
"On small, well-protected networks, I have used group policy to disable the firewall while the workstation is on the network, and enable the firewall while the workstation is off the network. That way you don't have to deal with apps that are only run while in the office, while protecting the notebook users when they're on the road."
A user identified as poppaman2 advised:
"While I agree that a desktop firewall is a good idea, I disagree that the XPSP2 firewall should be deployed. It is an ingress-only firewall and leaves outgoing data untouched. I suggest, depending upon how much security is needed, something a bit more robust, such as Sygate, Tiny, Black Ice or Zone Alarm."
A user identified as amigus advised:
"I disagree with the notion that an ingress-only firewall is not useful or adequate. Egress filtering usually comes with a significant maintenance burden. While egress filtering is very useful (and often recommended) on network firewalls it's not that useful on workstations. In my opinion, there are only two reasons you would want to use egress filtering:
- You want to limit the communications of user-installed applications.
- You have spyware problems.
With respect to limiting application network exposure, it's rather difficult because (most of
the time) if they can install applications, they can also pass through the firewall using the same
privilege they used to install it. With respect to spyware, again, the user probably has too much
privilege. With that said, I believe egress filtering is more trouble than it's worth and for what
it's worth, it seems Microsoft agrees. If you're serious about security, spend your time making
your network work with unprivileged user accounts, rather than wasting your helpdesk resources
configuring cranky firewalls. If you really want egress filtering, implement it on your network
firewall. And, if you really want to limit the scope of workstation communication, use IPSec."
This was first published in October 2005