XP Firewall Quandary



Hopefully someone here will know the answer to this, I have searched the web
in vain.

I would like to deploy the XP firewall to our clients and use it for wireless
connections. I have created a Domain and a Standard policy and distributed them via

The domain policy disables the firewall, the Standard enables it. I
understand that when a DC is located the domain policy is applied and when it
isn't the standard is applied.

Now, here's the problem. If someone connects to a wireless network AND LAN
simultaneously the domain policy is applied to both interfaces - not good.
This effectively provides a free tunnel from an insecure network into our
private one.

It doesn't matter the order in which the network connections are made.

I need to find a way either to apply the domain and standard policies to
separate connections or to disable the wireless interface if a LAN is
detected; any help would be appreciated. Regardless of the argument on the
merits of the XP Firewall, this is an XP Firewall killer if there isn't a

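One way to get the second behaviour asked for above (drop the wireless interface whenever a wired, domain-authenticated link is up) is a small script run at logon and on network-change events. This is an added example, not code from the thread or from Microsoft; it uses the NetAdapter and NetConnectionProfile cmdlets, which exist on Windows 8 / Server 2012 and later, so it is the modern equivalent of what the poster would have scripted with netsh on XP. The media-type strings, the return codes and the idea of treating "connection profile is DomainAuthenticated" as "a DC was located on this interface" are assumptions made here for illustration.

```powershell
# Added example, not code from the original thread. Requires Windows 8 /
# Server 2012 or later (NetAdapter and NetConnectionProfile modules) and an
# elevated session. On XP the same effect needs
#   netsh interface set interface name="Wireless Network Connection" admin=DISABLED
# from a startup/logon script. PhysicalMediaType values and the status strings
# returned below are assumptions drawn from what Windows normally reports.

function Get-DomainWiredAdapter {
    # Wired adapters that are Up AND sit on a domain-authenticated network,
    # i.e. the interface on which a DC was actually located.
    $domainIfIndex = Get-NetConnectionProfile |
        Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' } |
        Select-Object -ExpandProperty InterfaceIndex
    Get-NetAdapter -Physical | Where-Object {
        $_.Status -eq 'Up' -and
        $_.PhysicalMediaType -eq '802.3' -and
        ($domainIfIndex -contains $_.ifIndex)
    }
}

function Get-WirelessAdapter {
    Get-NetAdapter -Physical | Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' }
}

function Sync-WirelessState {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $wired = @(Get-DomainWiredAdapter)
    $wifi  = @(Get-WirelessAdapter)
    if ($wifi.Count -eq 0) { return 'no-wireless' }

    if ($wired.Count -gt 0) {
        # Domain reachable over the wire: take every wireless adapter down so the
        # host cannot bridge an untrusted WLAN into the domain LAN. Because this
        # evaluates current state rather than link-up events, it does not matter
        # which connection came up first.
        foreach ($nic in ($wifi | Where-Object { $_.Status -ne 'Disabled' })) {
            if ($PSCmdlet.ShouldProcess($nic.Name, 'Disable wireless adapter')) {
                Disable-NetAdapter -Name $nic.Name -Confirm:$false
            }
        }
        return 'wireless-disabled'
    }

    # No wired domain link: give wireless back so the laptop still works off-site.
    foreach ($nic in ($wifi | Where-Object { $_.Status -eq 'Disabled' })) {
        if ($PSCmdlet.ShouldProcess($nic.Name, 'Enable wireless adapter')) {
            Enable-NetAdapter -Name $nic.Name -Confirm:$false
        }
    }
    return 'wireless-enabled'
}

# Dry run first: -WhatIf prints what would be disabled/enabled without doing it.
Sync-WirelessState -WhatIf
Sync-WirelessState
```

Run it from a scheduled task that fires at logon and on the Microsoft-Windows-NetworkProfile/Operational "network connected" event so the state is re-evaluated every time a link changes. Two caveats a practitioner should keep in mind: a user with local administrator rights can simply re-enable the adapter, so this is a control against accidental bridging rather than a hostile insider; and a wired link that is Up but not domain-authenticated (a hotel Ethernet port, a tethered phone reporting 802.3) deliberately does not trigger the disable, because in that case there is no domain LAN on the other side to protect.
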
Steven L Umbach

I have seen this request a number of times and have not seen a good
resolution that is easily deployable. I suggest that you also cross-post in
the Microsoft wireless and networking newsgroups, of which there are two good
ones: server.networking and windowsxp.network_web. One solution would be to
enable the Windows Firewall in both the domain and standard policy. Then, if
needed, you could select the option to allow exceptions from specific admin
computers, such as those that run rsop against the domain computers or use
Computer Management to access and manage them. That would leave the domain
computers still functional while protecting the wireless network adapters
from the internet. Enabling the Windows Firewall does not prevent domain
computers/users from logging onto the domain and accessing domain
resources. --- Steve


Many thanks Steve, that's pretty much confirmed what I thought. My only
concern with this approach is enabling a subnet exception when there is the
possibility that users connecting to another network connect using a similar
addressing scheme. We wish to enable network connections on external private
LANs/WiFi, and these are likely to use the same non-internet-routable
addresses (10.x, etc.).

Steven L Umbach

Instead of using a subnet in the exception, consider using individual IPs of
admin workstations if that would work, and possibly even requiring an IPsec
security association for those exceptions, which would not allow computers
outside of your domain to access those ports because IPsec can require
computer authentication. That would greatly reduce such risk, but do not
implement IPsec unless you have a good understanding of how it works,
creating policies, and the need for special considerations for domain
controllers. Even the risk of having another network available can be
largely mitigated by enforcing strong passwords on your domain computers and
managing the user right "Access this computer from the network" to not
include Everyone/Users but instead the specific users/groups you want to
have access. Of course, keeping your computers patched with needed critical
security updates is important. I know this is not an ideal solution, but it
is much better than not having the Windows Firewall enabled on either
adapter. As I suggested, posting in some of the other related newsgroups
may also point you to some other solutions, as your situation is becoming
more common. --- Steve

http://support.microsoft.com/?kbid=254949 -- important consideration about
implementing IPsec
