Determining which settings you need to enable on your XP workstations requires thorough research and testing. I suggest you start by disabling RPC and DCOM access on a test network, then fully test every system-management function (e.g., Microsoft Systems Management Server, or SMS) and remote-support function (e.g., Computer Management console operations, WMI scripts) that you use to administer workstations over the network. If you can't connect to a feature, determine the name of the corresponding server program and add that program to the exceptions list so that it can accept incoming RPC requests.
The Allow File and Printer Sharing setting is a shortcut policy that opens all the ports file sharing needs, specifically UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy, you must also set its scope: Local subnet only or Global visibility.
The Allow ICMP Settings policy controls how Windows Firewall handles Internet Control Message Protocol (ICMP) messages. If you enable the policy, you must then select each ICMP message type (for example, inbound echo request) that you want to permit; nothing is allowed by default.
The Allow Remote Assistance Support setting is another shortcut policy; it controls whether Windows Firewall permits unsolicited Remote Assistance requests. (Opening TCP port 135 to the entire network and adding helpsvc.exe to the allowed-programs list accomplishes the same thing as enabling this setting.)
The Allow Universal Plug and Play setting is a shortcut policy that controls whether Windows Firewall lets Universal Plug and Play (UPnP) work on your XP SP2 systems. If you enable the setting, Windows Firewall opens UDP port 1900 (SSDP discovery) and TCP port 2869 (the UPnP device host) to the entire network.
Safe Haven
I'm excited about XP SP2's new security features, especially Windows Firewall. Carefully determine which ports and programs can accept incoming connections when workstations are connected to the internal network, and use the LocalSubnet scope whenever possible. (The only major complaint I have with Windows Firewall is that it doesn't have an option similar to the LocalSubnet scope to let you define multiple subnets so that large companies can configure the firewall to differentiate between internal and external connection attempts.) Remember that the domain profile applies only while Windows detects that the workstation is connected to the network that holds its domain controllers; the standard profile applies on every other network. Configure the two profiles differently: ports and services that must be open on the intranet usually have no business being open when the same laptop connects to a hotel or home network. And when you roll out SP2 via Group Policy, coordinate the rollout with users so that the reboot and the SP2 installation that follows don't disrupt their work.
After you've rolled out SP2 to all the workstations and given them a chance to reboot, use Microsoft Baseline Security Analyzer (MBSA) to find computers that, for whatever reason, are still missing SP2. Also run a port scanner against a sampling of systems, both from the same subnet and from a different one, to confirm that your Group Policy settings and LocalSubnet scopes behave as expected. And as always, carefully perform impact analysis and testing before rolling out SP2. Doing so will let you successfully build up the fortress around your workstations.
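As an added example (not code from the article or from Microsoft), the following Python script puts the advice above into practice: it parses the strings an administrator types into the "Define port exceptions" Group Policy setting, flags exceptions that are open to any address or that are disabled, folds in the port lists of the shortcut policies discussed earlier, predicts which TCP ports a scanner on the local subnet and on another subnet should find open, and can connect-scan a real workstation to compare. It assumes the XP SP2 exception format port:transport:scope:status:name, with scope written as "*", "localsubnet" or a comma-separated list of IPv4 addresses and subnets; the sample entries, host names and addresses are constructed for illustration.

```python
"""Added example (not from the article): audit XP SP2 Windows Firewall GPO port exceptions and
predict which ports a scanner on a given subnet should see open. Assumed 'Define port exceptions'
format: "<port>:<TCP|UDP>:<scope>:<enabled|disabled>:<name>", where scope is "*", "localsubnet",
or a comma-separated list of IPv4 addresses/subnets (a.b.c.d, a.b.c.d/nn, a.b.c.d/m.m.m.m)."""
import ipaddress
import socket
from collections import namedtuple

# Ports the article's shortcut policies open (UPnP: UDP 1900 for SSDP, TCP 2869 for the device host).
SHORTCUT_PORTS = {
    "FileAndPrint": [(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")],
    "RemoteAssistance": [(135, "TCP")],
    "UPnP": [(1900, "UDP"), (2869, "TCP")],
}
# Constructed sample policy: hypothetical names and addresses, not from the article.
SAMPLE_PORT_EXCEPTIONS = [
    "135:TCP:localsubnet:enabled:RPC Endpoint Mapper",
    "3389:TCP:10.1.0.0/24,10.2.0.5:enabled:Remote Desktop from admin subnet",
    "8080:TCP:*:enabled:Inventory agent",
    "6000:TCP:localsubnet:disabled:X11 (listed but not opened)",
]
SAMPLE_SHORTCUTS = {"FileAndPrint": "localsubnet", "RemoteAssistance": None, "UPnP": None}  # scope or None

PortException = namedtuple("PortException", "port transport scope enabled name")

def parse_port_exception(entry):
    """Parse one port-exception string; the name is the fifth field and may itself contain colons."""
    parts = [p.strip() for p in entry.split(":", 4)]
    if len(parts) != 5:
        raise ValueError(f"malformed port exception: {entry!r}")
    port, transport, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535 or transport.upper() not in ("TCP", "UDP"):
        raise ValueError(f"bad port or transport in {entry!r}")
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError(f"bad status in {entry!r}")
    return PortException(int(port), transport.upper(), scope, status.lower() == "enabled", name)

def scope_allows(scope, source, workstation):
    """True if `scope` admits traffic from `source` to a workstation whose address and mask are
    `workstation` (e.g. '10.1.5.20/24'); that mask is what gives 'localsubnet' its meaning."""
    src = ipaddress.IPv4Address(source)
    local_net = ipaddress.IPv4Network(workstation, strict=False)
    for item in (s.strip().lower() for s in scope.split(",") if s.strip()):
        if item == "*" or (item == "localsubnet" and src in local_net):
            return True
        if item != "localsubnet" and src in ipaddress.IPv4Network(item, strict=False):
            return True
    return False

def audit(entries):
    """Flag exceptions open to any address (prefer localsubnet or explicit subnets) and disabled
    entries, which sit in the exception list but open nothing."""
    findings = []
    for e in entries:
        where = f"{e.transport} {e.port} ({e.name})"
        if not e.enabled:
            findings.append(f"INFO {where}: disabled, opens no port")
        elif any(s.strip() == "*" for s in e.scope.split(",")):
            findings.append(f"WARN {where}: open to any address")
    return findings

def expected_open(entries, shortcuts, source, workstation, transport="TCP"):
    """Ports of `transport` a scanner at `source` should find open on `workstation`;
    `shortcuts` maps a SHORTCUT_PORTS key to its configured scope (None = policy disabled)."""
    ports = {e.port for e in entries
             if e.enabled and e.transport == transport and scope_allows(e.scope, source, workstation)}
    for policy, scope in shortcuts.items():
        if scope is not None and scope_allows(scope, source, workstation):
            ports |= {p for p, proto in SHORTCUT_PORTS[policy] if proto == transport}
    return ports

def verify_host(host, expected, candidates, timeout=0.5):
    """TCP connect-scan `host` (needs network access); returns (open but not expected,
    expected but not open). Run once from the local subnet and once from another subnet:
    localsubnet-scoped ports must show up only in the first run."""
    expected, observed = set(expected), set()
    for port in set(candidates) | expected:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                observed.add(port)
    return observed - expected, expected - observed

if __name__ == "__main__":
    entries = [parse_port_exception(s) for s in SAMPLE_PORT_EXCEPTIONS]
    print("\n".join(audit(entries)))
    ws = "10.1.5.20/24"  # hypothetical workstation address and mask
    for scanner in ("10.1.5.200", "10.1.0.77"):  # same subnet, then the admin subnet
        print(scanner, "->", sorted(expected_open(entries, SAMPLE_SHORTCUTS, scanner, ws)))
    # Against a real workstation, from a machine on each subnet:
    # print(verify_host("10.1.5.20", expected_open(entries, SAMPLE_SHORTCUTS, "10.1.5.200", ws), range(1, 1025)))
```

With the constructed policy, a scanner on the workstation's own subnet should see TCP 135, 139, 445 and 8080 open, while one on the admin subnet should see only 3389 and 8080: the LocalSubnet-scoped exceptions and the File and Printer Sharing shortcut drop out, which is exactly the difference the two scans are meant to confirm. Only the inventory-agent entry, scoped to "*", draws a warning.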
"Windows XP SP2: Centralized Deployment and Defense" (August 2004, InstantDoc ID 43199) states that you can use "disabled" rules to prepopulate the Control Panel Windows Firewall applet's Programs and Services list with unselected exceptions and that doing so makes it easy to temporarily enable certain programs or ports. But this explanation isn't valid, mainly because the GUI doesn't let you edit an entry that you've already entered. The real reason why you'd want to put disabled entries into the exception list is to stop users from getting security warnings for applications that the AD administrators have deemed blockable. Users will get warnings only for unknown programs.
--Philip Colmer
philip.colmer@proquest.co.uk
grodcay October 06, 2004