
Deploying Windows Firewall Settings XP SP2 (v2.4)

Unknown on 13 August 2004 - 14:29 · 35 comments & 4311 views

Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in previous versions of Windows XP. Windows Firewall is a stateful host-based firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP SP2 enables Windows Firewall on all network connections by default. This new behavior can impair some types of communications. This article describes how to deploy the appropriate configuration settings for Windows Firewall on an organization network so that it is enabled and providing protection, and so that communications are not impaired.

Download: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
View: Manually Configuring Windows Firewall in Windows XP Service Pack 2
View: Get ready for Windows XP SP2: Turn on Automatic Updates
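A baseline for a domain workstation of the kind the linked deployment guide covers, written as an added example for this page (it is not code from the article or from Microsoft's guide) using the netsh firewall context that ships with XP SP2. The helpdesk agent path and the particular set of exceptions are assumptions; the point is that the firewall stays on, every hole is scoped to the local subnet, dropped packets are logged, and users are not prompted to open ports themselves.

```batch
@echo off
REM Added example for this page, not from the article or Microsoft's guide.
REM Baseline Windows Firewall settings for an XP SP2 domain workstation.
REM Assumptions (hypothetical): the helpdesk tool lives at
REM C:\Tools\HelpdeskAgent.exe and only hosts on the local subnet ever
REM need to reach this machine. Run from an administrator command prompt.

REM 1. Firewall on for both profiles. Exceptions are allowed only on the
REM    domain profile; away from the network (standard profile, e.g. a
REM    laptop at home) the machine answers nothing unsolicited.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

REM 2. Open only what the organization actually uses, and scope each
REM    exception to the local subnet so it is not reachable from outside.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall add allowedprogram program="C:\Tools\HelpdeskAgent.exe" name="Helpdesk Agent" mode=ENABLE scope=SUBNET profile=DOMAIN

REM 3. Inbound echo request (ICMP type 8) is useful to the helpdesk on the
REM    domain network but gives away nothing when the laptop is elsewhere.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN
netsh firewall set icmpsetting type=8 mode=DISABLE profile=STANDARD

REM 4. Log dropped packets (4 MB rolling file) so scanning and worm
REM    traffic hitting the host is visible to whoever collects the logs.
netsh firewall set logging filelocation=%systemroot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

REM 5. Do not ask the user whether to unblock a program that starts
REM    listening; unapproved listeners simply stay blocked.
netsh firewall set notifications mode=DISABLE profile=DOMAIN

REM 6. Verify what was applied.
netsh firewall show state
netsh firewall show config
```

Where the machines are domain members, the guide's Group Policy route is the way to push these settings at scale, and Group Policy firewall settings take precedence over settings applied locally with netsh.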

Comments
#1 StaticX on 13 Aug 2004 - 14:35
cool! thanks!
#2 LPC on 13 Aug 2004 - 14:40
Wonderful ... cheers for this link ... just what I was starting to look for.
#3 z0phi3l on 13 Aug 2004 - 15:06
I assume that if you already have a good Firewall then you just turn MSs firewall off right?
#3.1 mram on 13 Aug 2004 - 17:52
You could, however this article is more for corporate deployments with active directory.
#4 Hexum on 13 Aug 2004 - 15:06
Great, this will come in handy

On a side note, this new Windows Firewall is actually pretty damn good. I went to www.grc.com and ran the Shields Up test and it passed all tests in full stealth mode, same as Zone Alarm did. So bye bye third party firewall for me.
#4.1 chacho on 13 Aug 2004 - 15:15
really?? i'll be doing that as well, then.
#5 Jazkal on 13 Aug 2004 - 15:50
With Microsoft's record/history concerning security, why would anyone use this new Firewall?

I'm not trolling, this is a serious question.
#5.1 bucko on 13 Aug 2004 - 16:19
I'd probably trust it since m$ has access to the OS source code. I'm using it in conjunction with my router firewall for extra security. All good so far, no problems. I don't recommend running two software firewalls at once. Though running a hardware firewall (e.g. a router's firewall or a Linux box) and the XP firewall should be fine.
#5.2 Hexum on 13 Aug 2004 - 16:44
Look up at my post above yours (#4). That is why I'm using it.

It's the same as anything else, to each their own.
#5.3 SchVanZ on 13 Aug 2004 - 16:55
I'd take you a little more seriously if you didn't use M$ in place of MS or Microsoft.

Otherwise your post is useful and I agree with you.
#5.4 PseudoRandomDragon on 13 Aug 2004 - 19:41
Ignoring MS' rep, I still wouldn't use MS's firewall. ZoneAlarm Pro is better, it delivers more security, so I will use that.
#6 stuey82 on 13 Aug 2004 - 15:53
Do you think it would be a good idea to use a third party firewall as well as, or instead of, the Windows firewall?
#6.1 mram on 13 Aug 2004 - 17:54
If you truly only were concerned about traffic in/out then yes... because Windows Firewall only looks at inbound traffic. However, if you have a good antivirus product already (most have) then that takes care of your outbound.

Microsoft deals with 3 levels for real security: Firewall, AV, Patch Mgmt. Turn on autoupdate, get an antivirus, turn on the firewall, you're fine. However if you choose to not use a piece of that puzzle, you may have to take other options to be as well secured. Your choice.
#7 madd_matt on 13 Aug 2004 - 16:04
I have Norton firewall, how will it compare to win firewall?
#7.1 rogerroger on 13 Aug 2004 - 18:44
See the post above yours. If you already have AV, I would ditch the Norton firewall as you are pretty covered by AV plus XP firewall.
#7.2 PseudoRandomDragon on 13 Aug 2004 - 19:43
Nah, I disagree, Norton Firewall is better.
#8 PROGAME on 13 Aug 2004 - 16:12
Any other firewall which actually watches outgoing connections is better than the SP2 firewall (and almost every other firewall does that).
#8.1 Hexum on 13 Aug 2004 - 16:46
Well actually it does monitor outgoing to an extent; since I've installed SP2, every time I launch a new program, the Windows Firewall asks me if I want to allow it.

Besides as long as the Windows Firewall tests well (meaning full stealth) like it has thus far, I'll be using it.

#8.2 JTBurn on 13 Aug 2004 - 17:06
From Microsoft:

Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic.
#8.3 mram on 13 Aug 2004 - 17:58
Why would a firewall need to watch outgoing traffic? Seriously?
...now before you answer that, understand that it's a level of trust here. Your answer would inevitably contain some degree of "because I don't trust what's running on my machine".

If you had an up-to-date antivirus product, you should be catching any trojan program that might be running on your machine, that's the primary job of that program. To catch it with a firewall creates unnecessary intrusive work on the part of the user.

Firewall + AV + Patch Mgmt. The firewall is not the "end" to the security principles -- it is a part of the puzzle.

And to answer the question directly - the firewall only prompts when a program running potentially receives unsolicited communication from the internet, such as UDP streams (WMP, doom3 server for example) or server services (FTP/Web server). Read the prompts the next time they come up very carefully...
#8.4 PseudoRandomDragon on 13 Aug 2004 - 19:46
This isn't an issue of trust, this is an issue of security. When you add outbound traffic monitoring in your firewall software, you add a layer of security. Is that important to you? That is up to you. I find that it is needed.
#8.5 mram on 13 Aug 2004 - 21:41
No, I disagree on the trust thing. Not in the operating system or vendor, that has nothing to do with it. Adding outbound filtering is better security, I agree there, but I'll explain why I say it's a trust issue overall.

Security is a paradigm that involves many factors. Is your house secure? Well you have locks, you'd hope so. You have alarms preventing people to go into your house. Why have sensors that watch when people leave?

That's the idea here. Even if this were MacOS, the same logic applies. Let's assume on the Mac that you had a firewall that only prevented unsolicited traffic. What would be the point of blocking outbound traffic? User annoyances? Why put that in if you trust the programs running on your machine?

The only viable reason for having an outbound filter on your machine is that you don't trust the applications that may or may not be running, to be doing things you feel are right. And the antivirus products are better suited to analyze malicious code, in my opinion. It is far more likely for an uneducated home user to know what perfectly benign DNS lookup traffic means when it pops up as a warning in zonealarm for outbound traffic, and cause problems, for example. I consider myself a pretty savvy computer user, yet I was annoyed at the basic filters zonealarm or blackice warned me about when I'd do simple things in IE the first time I used it. Too many prompts, and a naive home user will just brush them aside as "whatever", esp since it'd be like "USER32.EXE tried to access port 443 for process token iexplorer.exe" or somesuch...

I don't disagree that the better firewalls (zonealarm et al) are better at security, they certainly are. But my stance is that the reason those exist are due to the lack of trust of the programs running on your system. I'm completely in support of the Firewall + AV + Patch 3-step security that MS is condoning for home users. If you need more, go for it, and there are better products. However, this is a pretty small footprint solution that works just as well, with less user hassle.
#8.6 em_te on 14 Aug 2004 - 05:43
Also, if you catch a virus through other means such as a floppy disk or CDROM then blocking an outgoing connection helps to stop the virus from being sent outwards.
#8.7 mram on 14 Aug 2004 - 06:47
QUOTE
Also, if you catch a virus through other means ...

You just answered in that quote why inbound-outbound firewalls still aren't necessary in the MS "3-step security program". Antivirus programs would've caught the virus. Right? It's still a matter of trusting your system. Besides, you'd want this because not all viruses (but, regretfully, most) propagate; some just destroy your system or files... or do both. A two-way firewall still isn't the "ultimate answer".
#8.8 mram on 14 Aug 2004 - 06:54
Let me explain further on something that bugs me.

Let's say you use an inbound/outbound firewall product and get a virus (somehow, like via a disk). Would you be really running Windows without AV? Which program do you want catching this problem? Why would you want two programs double teaming -- especially when the firewall product can only suspend traffic, yet not actually fix the problem?

Let's say it was Norton Internet Security (a nifty product btw, but imho high memory overhead, by far...). That's a suite that does both isolation of outbound traffic and virus protection. In that case you've got the double duty. But your AV section of that product will catch the problem first, and the traffic will never occur. So what benefit is the outbound firewall providing, if you truly were catching viruses? And in 95% or more of the cases where the Norton firewall warned or blocked on outbound traffic, it's either benign or simply hard to decipher for "novice" users. So where's the benefit?

The only situation I can think of is 0-day viruses, where there is no dat protection, or you don't update dats (stupid admin syndrome) or your dats aren't updated fast enough (stupid admin syndrome), etc... or you simply have a perfectly good program on your system that you want to block traffic outbound. In the case of the "stupid admin syndrome" the chances are quite great that by the time a virus somehow bypassed any AV, the user would be more likely to allow the outbound traffic, having already been thoroughly de-sensitized by all the benign outbound "warnings"...

I'm not trying to be a pill here, I am simply advocating that the windows firewall, while thin (and very memory/cpu friendly btw), is quite good at handling the problems, I just don't see the actual tangible benefit of the outbound firewall unless you simply want to be paranoid.... (which don't take that the wrong way, that's just the best word to describe it) I'd like to know if there's something I'm missing though.

#8.9 em_te on 14 Aug 2004 - 08:16
QUOTE
You just answered in that quote why inbound-outbound firewalls still aren't necessary in the MS "3-step security program". Antivirus programs would've caught the virus. Right? It's still a matter of trusting your system. Besides, you'd want this because not all viruses (but, regretfully, most) propagate; some just destroy your system or files... or do both. A two-way firewall still isn't the "ultimate answer".

Antivirus software can only detect well known viruses. For the undetected viruses you want some way to block it from propagating.

And what do you mean by "trusting your system"? Do you mean trust the author of a program? Trust the hardware? Trust the company? Trust a digital signature? Why do you have to trust it to run a Firewall/AV/Patch?

Edit: I just reread some of your posts and kind of understand something.
So you are saying that we don't need to block outgoing traffic because we trust our AV? What about malicious programs that aren't viruses such as spyware, or programs that are a mix of good and evil, or programs that turn malicious because of a software/hardware glitch that puts a program in a loop? Do you trust a program because it is written by a reputable company or do you trust it because you compiled it yourself?

#8.10 PROGAME on 14 Aug 2004 - 10:18
Asking for an outgoing connections protection doesn't mean being paranoid.
I have a short ICQ UIN which seems to attract script kiddies. They often use 0day trojans and even some old trojans still undetected by AV (of course I send them to AV/AT vendors and they take care of it).

While my case may be special, I do think an outgoing connections protection should have been an option in the SP2 firewall.
It may not be that useful for the average home user, but XP has a Pro version too.
Trojans aren't covered that well by AV...
#9 stuey82 on 13 Aug 2004 - 17:02
Well for the moment I have disabled my Windows firewall and am trying out ZoneAlarm. I hate it already but if it protects me I will be happy!
#10 phkhoury on 13 Aug 2004 - 17:26
Should I enable it if I have a hardware firewall (a Linksys router) or is it just a waste of resources (as I think it is)?
#10.1 mram on 13 Aug 2004 - 18:02
IMHO - the windows firewall would be redundant.

Bear in mind it would only be checking outbound connectivity too, so you'd need AV on your systems.

I would put Windows Firewall back on if there were other machines behind your linksys that you may not trust.

Also, the memory/CPU overhead of WF is the lowest I checked out there in beta, I haven't checked the gold SP2 yet, but I imagine it's quite low compared to the others (but also not as full featured -- but I think that's by design -- see my other posts in this thread).
#11 Magallanes on 13 Aug 2004 - 19:56
I don't use a firewall, I close any useless service and I update my system often, I don't have a LAN so I disable a lot of services=bugholes

I need a firewall? WHY?


My PC will run almost 24h x 7 days and I have had no troubles since the first release of XP devilsown (prior to the XP retail release).
#11.1 mram on 14 Aug 2004 - 01:18
If your machine doesn't "listen" on any ports, then you don't need a firewall... You're basically invisible.

However I would suspect that you might be answering on the standard ports, like ICMP, which isn't necessarily vulnerable (who knows, really).

I'd recommend finding or using a portscanner for your machine and verifying you have no listening or open ports due to services, and making an assessment based upon those results. IMHO ICMP being open isn't really an issue; but if machines can determine "live" IPs from the internet -- your machine can receive traffic even if it doesn't do anything with it -- it's like verifying you are live and creating possible DOS attacks by overusing your pipe. So it's still a bit of a concern.

Most hardware firewalls disable ICMP for precisely that reason...

Great point though really, if you don't run the server services, you don't really need to have the protections.
#11.2 em_te on 14 Aug 2004 - 05:46
I thought Windows XP has to have at least some ports open to function properly such as the RPC service. The firewall can block data from the outside connecting to your RPC port.
#11.3 mram on 14 Aug 2004 - 06:56
The server service closes those ports and is not required to be on for XP to function correctly. I ran my machines many many years that way, that's an old NT4 security trick...

You can go so far as to disable it in the network stack (file & printer sharing), and it does the same thing more or less. Shutting down the service not only saves a whopper on memory but it's more controllable via policies and such if you're a security conscious administrator ... like me ...
#12 Kboom on 15 Aug 2004 - 01:53
Wow, I've been waiting. Thanks
