Use XP Firewall with Router & Firewall?

John said:
Is it recomended to turn on and use the XP Firewall on workstations
even if our network sits behind a router with it's own Firewall?
Will this cause problems? Until the last XP service pack, I only
used the XP firewall when connecting from home or on the road. Now
all connections are firewalled by default.

Bruce said:
SP2's Firewall's most important virtues, I think, are its
improved compatibility with internal LANs and its configurability via
group policies. Now, there's a simple, cheap tool that system admins
can use to protect the LAN workstations from that occasional - but
not rare enough - fool who manages to bypass the perimeter firewall
and manually install some malware that could then spread throughout
the LAN via shared drives.
Got news for you, but if you're in a LAN and using the SP2 firewall
it's already set up to allow access to shares and will not protect
your computer while it's in a LAN/Domain.

Bruce said:
It's not 100% effective, but it's still better than nothing. It
depends upon the specific type of threat, of course. Things like
Blaster, Welchia, and Sasser, that are not spread via network shares,
get stopped.
I agree, but the poster specifically implied that the SP2 firewall
would stop the spread of nasties that use file sharing.

Bruce said:
Good point. I'll need to reword that one, won't I?
I've actually taken to disabling the firewall service on every
workstation inside a network that we've set up security for. I've
found the FW to be nothing but a pain in a secure network.

We enable the firewall using group policies and limit file & printer sharing
access to a few machines in the domain - mainly servers and certain
administrators' machines. This limits accessibility to the individual
workstations' shares to only a few machines and completely prevents one
authenticated user from mapping shares on another user's PC and effectively
stops the spread of most worms UNLESS one of the few machines that are
allowed access to the workstations in the domain gets infected, which is much
less likely than the users themselves getting infected.
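The scoped file & printer sharing exception described above, written out as an added example (not from any poster in this thread) using the XP SP2 `netsh firewall` context, which is the command-line equivalent of the Domain Profile group policy setting. The IP addresses are constructed sample values.

```batch
@echo off
rem Added example: restrict the XP SP2 Windows Firewall "File and Printer
rem Sharing" exception to a short allow-list of hosts (servers and admin
rem workstations), so an infected workstation cannot reach the shares of
rem every other workstation on the subnet.
rem
rem GPO equivalent: Computer Configuration > Administrative Templates >
rem Network > Network Connections > Windows Firewall > Domain Profile >
rem "Windows Firewall: Allow file and printer sharing exception", with the
rem same comma-separated list in its scope field.
rem
rem The addresses below are constructed sample values; replace them with
rem the machines that genuinely need to map workstation shares.

set ALLOWED=192.0.2.10,192.0.2.11,192.0.2.20

rem Make sure the firewall is on for the domain profile (the profile that is
rem active while the machine can reach a domain controller).
netsh firewall set opmode mode=enable profile=domain

rem Keep the F&PS exception, but only for the allow-listed hosts. Without
rem "scope=custom" the exception is typically scoped to the whole local
rem subnet, which is exactly what lets a worm hop from workstation to
rem workstation over shares.
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=%ALLOWED% profile=domain

rem Log dropped inbound packets, so a worm probing TCP 139/445 on a
rem workstation leaves a trace instead of failing silently.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log droppedpackets=enable

rem Verify: "fileandprint" should show as enabled with a Custom scope listing
rem only the addresses above.
netsh firewall show service
netsh firewall show logging
```

Run it once on a test workstation and confirm that a non-allow-listed host can no longer map that workstation's shares while the servers still can, before pushing the same settings through the GPO.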
 
Shenan said:
We enable the firewall using group policies and limit file & printer sharing
access to a few machines in the domain - mainly servers and certain
administrators' machines. This limits accessibility to the individual
workstations' shares to only a few machines and completely prevents one
authenticated user from mapping shares on another user's PC and effectively
stops the spread of most worms UNLESS one of the few machines that are
allowed access to the workstations in the domain gets infected, which is much
less likely than the users themselves getting infected.


We also limit file and print sharing to only those workstations where
there is no other economically feasible work-around.


--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
cquirke (MVP Windows shell/user) wrote:
A possibility, if there's no perimeter defense in place.

"Depth" means not assuming perimeter defences will hold, and thus
planning what to do when these are breached. De facto scopes are your
friend; hardening against PC to PC spread within LAN is guud.
Why does every silver lining have to come with a dark cloud? ;-}

Hmm... I think blurring LAN and Internet awareness is a very serious
matter, especially where F&PS are concerned, and especially when the
OS is dumb enough to have hidden writable shares exposing the startup
axis and OS, and with known names at that. Win9x wasn't *that* dumb.

We had this problem in Win9x, but in a different way. That OS was
dumb enough to bind everything to everything by duhfault, whenever
network settings were nudged. It was quite common to do something or
other, then find IPX, NetBEUI and TCP/IP bound to both LAN and DUN,
with F&PS bound to all of the above.

Seems like the more things change, the more they stay the same?

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
What everyone seems to be forgetting in this discussion is that Windows
Firewall has a "start-up filter", which means that it protects the computer
in the time window before the system has started all applications (like your
software firewall...). A normal firewall is usually turned on at the end of
the boot-up process, which leaves the computer vulnerable in this time window.
You can turn the firewall off with GPOs and keep the "start-up filter".
 
