ICF on Corporate LAN and Program distribution

Guest

Hi all
Q
We are in the middle of planning XP installation in a large environment where LAN is protected by Cisco FW against "the dangerous" Internet.
The customer IT Security guys want to enable ICF on the desktop PC and the laptops and also disable unnecessary services.
What I can read at MS support and forum is that ICF is only for SOHO users, right?
So if I enable ICF what will I lose in connectivity to F/P and software update through SMS and SUS, anybody knows?

Q
Can I through GPOs filter the ports in ICF or is it per machine basis? Lots of administration to enable ports in 7000 units.

Regards
Zek
 
Roger Abell

inlined . . .

zeke said:
> Hi all.
> Q1
> We are in the middle of planning XP installation in a large environment
> where LAN is protected by Cisco FW against "the dangerous" Internet.
> The customer IT Security guys want to enable ICF on the desktop PC and the
> laptops and also disable unnecessary services.

Makes sense to me.

> What I can read at MS support and forum is that ICF is only for SOHO
> users, right.

Opinions differ on this.
Large enterprises were hit hard by the SQL worm and some of the recent
viruses.
Once something does get in, it can spread much more unimpeded without as
compared to with each end-point machine having a firewall in use.

> So if I enable ICF what will I lose in connectivity to F/P and software
> update through SMS and SUS, anybody knows.

Any client pull technology is not affected as the MS ICF lets whatever
starts inside the machine receive its responses. It is push technologies that
break.
SMS and SUS are client pull, although some discovery aspects of SMS may
not be considered to be as such, if you look closely, most things bootstrap
up from the client app of SMS.

> Q2
> Can I through GPOs filter the ports in ICF or is it per machine basis.
> Lots of administration to enable ports in 7000 units.

This is not available with the released versions of things. You may expect
some change.
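
The pull-versus-push behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a stateful host firewall, not ICF's actual implementation. The class and function names, IP addresses and port numbers are constructed for illustration.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


class StatefulHostFirewall:
    """Toy model: outbound always allowed, inbound only if solicited or excepted."""

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)  # per-machine inbound exceptions
        self.flows = set()                 # (local port, remote ip, remote port)

    def outbound(self, pkt: Packet) -> bool:
        # Remember the flow so the response can be matched on the way back in.
        self.flows.add((pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt: Packet) -> bool:
        # A reply must mirror a flow the host itself started.
        if (pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        # Anything else is unsolicited: allowed only through an opened port.
        return pkt.dport in self.open_ports


def demo():
    host, update_srv, mgmt_srv = "10.0.0.50", "10.0.0.10", "10.0.0.20"  # constructed
    fw = StatefulHostFirewall()

    # Client pull: the desktop asks the update server, the answer comes back.
    fw.outbound(Packet(host, 49152, update_srv, 80))
    pull_reply = fw.inbound(Packet(update_srv, 80, host, 49152))

    # Same ports from a different source does not match the recorded flow.
    wrong_source = fw.inbound(Packet(mgmt_srv, 80, host, 49152))

    # Push: a management server opens a connection to the desktop unasked.
    push = fw.inbound(Packet(mgmt_srv, 50000, host, 445))

    # Push works only after an inbound exception is configured on this machine.
    fw.open_ports.add(445)
    push_after_exception = fw.inbound(Packet(mgmt_srv, 50000, host, 445))
    return pull_reply, wrong_source, push, push_after_exception


if __name__ == "__main__":
    print(demo())
```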
 
Bruce Chambers

Greetings --

Your customer's "IT security guys" need to learn a little about
computers, firewalls, and networks before they start making such
requests.

The built-in firewall is not designed to be used on internal LAN
connections. The _only_ connection on which you should have ICF
enabled is the direct connection to the Internet.

Internet Firewalls Can Prevent Browsing and File Sharing
http://support.microsoft.com/default.aspx?scid=kb;EN-US;298804


Bruce Chambers

--
Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH


zeke said:
Hi all.
Q1
We are in the middle of planning XP installation in a large
environment where LAN is protected by Cisco FW against "the dangerous"
Internet.
The customer IT Security guys want to enable ICF on the desktop PC and
the laptops and also disable unnecessary services.
What I can read at MS support and forum is that ICF is only for SOHO users, right.
So if I enable ICF what will I lose in connectivity to F/P and
software update through SMS and SUS, anybody knows.
Q2
Can I through GPOs filter the ports in ICF or is it per machine
basis. Lots of administration to enable ports in 7000 units.
 
