If you've spent any time on the Microsoft Web site or in newsgroups lately, you've probably already heard the buzz about the upcoming Service Pack release for Windows XP. Service Pack 2 is a major release and the culmination of a huge amount of software updates and security improvements. Even though the update is still in Release Candidate format, if you're a Windows administrator who's responsible for maintaining XP machines, get your hands on a copy and install it on a test machine post-haste. The "preview version" can be downloaded from www.microsoft.com/SP2Preview.
Why the big rush? Because there are major changes at work here -- especially to the built-in firewall software -- that will at the very least require you to examine your current administration procedures. You should also check out your production applications to make sure that they all still behave the way you expect them to, especially if they communicate across a network in either a peer-to-peer or client-server format.
The Internet Connection Firewall (ICF) has been renamed the Windows Firewall, and is now enabled by default on all new installations. This means that XP will automatically drop any inbound traffic that wasn't specifically requested by the workstation. You'll hear router and firewall gurus refer to this as a "stateful firewall," because it bases its decisions on the status of any open connections that were initiated by the workstation.
The Windows Firewall is also enabled earlier in the boot-up process than ICF. This means that every administrator who installed a new machine -- only to have Blaster infect it before they got to Windows Update -- can breathe a sigh of relief: The firewall is now active before the workstation ever "sets foot" on the network. Don't panic, though; there's a special startup policy that will still allow your clients to get to your domain controllers, DHCP and DNS servers while they're booting.
So, this sounds like a great idea, right? Unfortunately, these firewall changes do create a bit of a concern for network administrators in a domain configuration. With the Windows Firewall enabled, your XP workstations no longer will be able to function as a server, meaning that any unsolicited network requests simply will be dropped. "So what?" you may think, "Any unsolicited network requests to a workstation could only be a virus or a worm anyway!" Not necessarily. Think about any time that you've needed to connect to a workstation to do troubleshooting or preventative maintenance. How did you do it?
- The Computer Management MMC's "connect to a remote computer" function
- Remote desktop
- The hidden C$/D$ administrative shares on your XP hard drives
In each of these cases, the XP workstation you're trying to connect to is acting (you guessed it) as a server. And with the Windows Firewall turned on, any of these connection attempts will be dropped automatically.
What's an administrator to do?
Enter: the new Group Policy settings for configuring the Windows Firewall. Instead of the old world of only being able to disable ICF via GPO, you can now:
- Define a consistent firewall configuration profile for all of your domain clients
- Determine whether specific executables can be permitted to pass through the firewall
- Create exceptions to the firewall policy to allow for file sharing, remote desktop, and remote administration tools
In our next installment, we'll talk about the advantages of configuring the Windows Firewall via Group Policy, and the level of very granular control that it can offer you in a domain environment.
Laura E. Hunter is a Microsoft MVP and SearchWin2000.com site expert.
This article originally appeared on SearchWin2000.com.