TLAnews.com

Information for Security Concerned People

Manage XP firewall through GPO

15.01.2007

One of the largest improvements in Windows XP Service Pack 2, due to be released later this summer, is the new Windows Firewall -- formerly known as the Internet Connection Firewall. Windows Firewall offers greater firewall protection to all XP desktops, but where it really shines is in its capabilities within a managed domain environment.

Particularly useful are the new Group Policy Object (GPO) settings that administrators can use to configure firewall settings for all machines on their network. In this article, I'll go over some of the new features of the Windows Firewall, and how you can use GPOs to deploy a consistent security configuration to any size network.

If you're like me, you found yourself pretty disappointed with the Group Policy settings that were available in the first incarnation of the built-in firewall software. What could you do to configure firewall settings across your network? You could disable the firewall, and that was it. Not very useful in the grand scheme of things.

With the Windows Firewall in SP2, all of that changes. You can now deploy the Protect All Network Connections setting to any part of your Active Directory forest or domain. The opposite of disabling the firewall en masse, this setting ensures that the Windows Firewall is enabled no matter what else is configured on the local machine or within Group Policy. (Be careful not to disable this setting, since that will prevent anyone from activating the Windows Firewall, even a local administrator on the machine.)

You can also create exception lists to allow specific software to run while the Windows Firewall is protecting a machine. There are pre-configured GPO settings that will enable the following exceptions for the Windows Firewall (found in Group Policy under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall):

  • Allow File and Print Sharing
  • Allow Remote Administration (This gives you back your C$/D$ shares, as well as the use of the Computer Management MMC)
  • Allow Remote Desktop
  • Allow UPnP Framework (Please don't enable this option; I'll sleep better at night.)

You can exert even finer control over these settings by specifying that your workstations can use these applications only when communicating with certain IP addresses or subnets. For example, you can specify that only your administrative workstations can open a remote administration session with the workstations in your domain. You can also create a centralized list of permitted exceptions using .exe filenames or TCP/UDP ports. If your network requires a bit more flexibility than that, you can loosen your firewall controls so that local administrators can create their own individual exception lists.

Now, you may think that this is all fine and well for your locally connected users, but it's another story if you've got a fleet of "road warrior" laptops that are continually coming back from business trips infected with the latest Blaster/Sasser variant. In such cases, enter: firewall profiles. With the Windows Firewall, you can actually specify and configure two separate firewall configurations based on whether a machine is locally connected or using an insecure connection in an airport, hotel room, etc. You can create a Domain Profile, which will apply to any machine that's connected to the same network as your domain controllers. This is typically the profile where you'd create any exceptions for remote administration and file sharing.

For those situations where your laptops are out roaming the world, you can also create a Standard Profile, which will apply when a machine is connected to an ISP or other non-secure wired or wireless network. If you want the utmost in security in this situation, you can configure the Standard Profile with the Do Not Allow Exceptions setting, which means that any unsolicited network traffic will be automatically dropped. This combination of firewall profiles and exception lists demonstrates a marked improvement in the usefulness and configurability of the Windows Firewall in Service Pack 2, and certainly makes this built-in security measure a valuable tool in any desktop administrator's arsenal.
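As an added example (not part of the original article), the following script audits an exported copy of the firewall policy against the recommendations above: firewall forced on in both profiles, no UPnP Framework exception, remote administration not open to any address, and Do Not Allow Exceptions set in the Standard Profile. It assumes the policy registry layout under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall (DomainProfile and StandardProfile keys) that these GPO settings write; the .reg text is constructed.

```python
# Constructed sample: a .reg export of the firewall policy keys these GPO
# settings write (key layout assumed, not taken from the article).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings]
"Enabled"=dword:00000001
"RemoteAddresses"="10.1.50.0/255.255.255.0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"""

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall"

def parse_reg(text):
    """Return {key_path: {value_name: value}}; dword values become ints."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            keys[line[1:-1]] = current = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                current[name.strip('"')] = int(raw[6:], 16)
            else:
                current[name.strip('"')] = raw.strip('"')
    return keys

def audit(keys):
    """List deviations from the article's recommended posture."""
    findings = []
    for profile in ("DomainProfile", "StandardProfile"):
        p = keys.get(f"{BASE}\\{profile}", {})
        if p.get("EnableFirewall") != 1:  # Protect All Network Connections
            findings.append(f"{profile}: firewall not forced on")
        upnp = keys.get(f"{BASE}\\{profile}\\Services\\UPnPFramework", {})
        if upnp.get("Enabled") == 1:
            findings.append(f"{profile}: UPnP Framework exception enabled")
        ra = keys.get(f"{BASE}\\{profile}\\RemoteAdminSettings", {})
        if ra.get("Enabled") == 1 and ra.get("RemoteAddresses", "*") == "*":
            findings.append(f"{profile}: remote administration open to any address")
    std = keys.get(f"{BASE}\\StandardProfile", {})
    if std.get("DoNotAllowExceptions") != 1:  # roaming laptops should drop everything
        findings.append("StandardProfile: exceptions still allowed off the domain")
    return findings
```

Run `audit(parse_reg(open("policy.reg").read()))` against a real export (for example from `reg export` on a domain-joined test machine) to see which of the article's settings are missing.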

Copyright © Telecom and Logistics Associates Sàrl. All rights reserved.
Revised: January 14, 2007.

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the facts of the particular situation.

Network Security

Christian ALT

As a founding member of Telecom and Logistics Associates, Christian is an expert in network security. He has performed installations on three continents and has taught more than 100 seminars on networking and security.

He is also an ISO 27001 Lead Auditor for Information Security Management Systems.
