Gemineye said:
I want to protect all my Windows XP professional clients within the domain
and am using Windows 2003 as my domain controller.
What problems am I likely to face by turning on the XP firewall on my
clients?
Traditional wisdom had a firewall at the network perimeter, and the internal
machines essentially open to each other.
This provided unfettered communication between internal machines.
Those days are coming to an end now.
Using host firewalls on individual machines in addition to a border
firewall is probably the way things are going to move.
There are 2 main reasons I can see to go this route.
1) Border firewalls can't prevent all malware from entering a network. There
are too many other infection vectors. E.g. clicking on malicious attachments
in e-mails, visiting malicious websites which exploit browser
vulnerabilities, laptops being moved to insecure networks and becoming
infected and then being returned to the LAN.
Once a machine is infected within the classic security model of a border
firewall only, then it's possibly game over.
The LAN is hard and crunchy on the outside, but soft and squidgy on the
inside.
Host-based firewalls can block to some extent attacks aimed against it from
other machines on the LAN which have been compromised by means which the
border firewall can't detect.
The level of protection offered may not be much, however.
You need to open ports through the host firewall to permit any
legitimate inbound traffic to the client machines.
And these will most likely be the same ports that are potential targets for
malware,
i.e. the NetBIOS ports and SMB DirectHosting ports.
One strategy might be to simply disallow sharing on the client machines.
All shared data belongs on the server.
And keep the ports I mentioned firewalled on the clients.
Another strategy is to use a more selective firewall which you can specify
your local IP addresses on the LAN as a local zone which is allowed access,
but other zones are blocked.
XP-SP2 is due for release Real Soon Now, and includes a new version
firewall.
I'd wait and see what you can do with this.
There's already a description of it here:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2chngs.mspx
Read about local subnet restriction.
Also read here:
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
And:
Deploying Windows Firewall Settings for Microsoft Windows XP with Service
Pack 2
http://www.microsoft.com/downloads/...e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
2) Host-based firewalls can determine which program is establishing outbound
connections, and block them. This can prevent the spread of infections
from machines which have been compromised by means which the border firewall
can't detect. E.g. clicking on malicious attachments in e-mails. We can
also use this facility to prevent apps from phoning home if we want.
As to how this will work in your domain environment,
I'd basically read the refs I gave, then suck it and see.
But I'd definitely wait for SP2.
Install SP2 on a test box.
Enable the firewall, and try enabling f+p sharing for the local subnet.
Try it out.
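The test-box procedure the reply ends with (enable the SP2 firewall, then allow file and printer sharing only from the local subnet) can be scripted with the `netsh firewall` context that ships with XP SP2. The following batch script is an added example and is not part of the original post; it assumes SP2 is already installed, that it is run from an administrative command prompt on the test client, and that the default firewall log path is acceptable. Service names such as FILEANDPRINT and the scope values ALL/SUBNET are the ones the XP SP2 netsh firewall context defines.

```batch
@echo off
REM Added example (not from the original post): configure the XP SP2 Windows
REM Firewall so that File and Printer Sharing is reachable only from the local
REM subnet, which is what the reply suggests trying on a test box first.
REM Assumes: XP SP2 installed, run from an administrator command prompt.

REM 1. Turn the firewall on for every connection; keep the exceptions list
REM    active so the subnet-scoped sharing rule below actually applies.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Allow File and Printer Sharing (NetBIOS TCP/UDP 137-139 and SMB direct
REM    hosting TCP 445) but only from addresses on the local subnet. Hosts
REM    outside the subnet, including anything routed in from elsewhere, are
REM    dropped at the host rather than at the border.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

REM    On clients that host no shares at all (all shared data lives on the
REM    server), block the service outright instead of scoping it:
REM    netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

REM 3. Log dropped packets so you can see which inbound connections the host
REM    firewall is refusing while you test domain logon, GPO refresh, etc.
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" droppedpackets=ENABLE

REM 4. Print the effective configuration so it can be checked against policy.
netsh firewall show state
netsh firewall show config
```

Once the settings behave as expected on the test box, the same options are exposed under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Domain Profile in the SP2 Group Policy templates, so they can be pushed from the Windows 2003 domain controller rather than run per machine; the "Deploying Windows Firewall Settings" document linked above covers that path.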