July 2004

Windows Firewall: Building Security

Initial testing on a standalone XP system gives you a good foundation for using this new feature

When it comes to securing systems, most organizations focus their efforts on servers. But many of the recent worms that have brought down entire networks and cost companies millions of dollars have done so simply by targeting the humble workstation. Malicious intruders—be they outsiders or disgruntled employees—who manage to take control of a workstation and impersonate the system's legitimate owner can access confidential information and resources on the local system and on the network. Gone are the days when you could trust your local LAN to be a safe haven. Between worms and malicious insiders, you need to protect all open ports on your workstations against attacks.

Microsoft evidently recognizes this new reality. Thus, as part of its Trustworthy Computing initiative, the company has made security the focus of Windows XP Service Pack 2 (SP2)—the most security-centric service pack since Windows NT 4.0 SP3. Many people in the user community dubbed that service pack "Security Pack 3," and XP SP2 (which as I write this article is scheduled for release late this summer) deserves the same moniker. SP2 is chock-full of new security features to combat worms and malware that can infect networks through unprotected workstations. SP2's most important feature is Windows Firewall, a much enhanced version of Internet Connection Firewall (ICF). The feature's name change reflects the emphasis that Microsoft is placing on using local firewall technology to protect workstations that connect solely to a local intranet as well as those that connect to the Internet. The best way to begin to take advantage of SP2's new firewall feature is to install SP2 on a standalone XP test system, which I'll show you how to do in this article. After you're familiar with the feature, you can install SP2 and centrally configure Windows Firewall on all the workstations on your network (something I'll show you how to do in a follow-up article).

Getting to Know You
To start learning about Windows Firewall, I suggest you manually install SP2 on an XP test system. Windows Firewall automatically activates after SP2 installation. The firewall accommodates two configuration profiles—domain and standard— on systems that are members of a domain. Windows Firewall uses the domain profile when the workstation is connected to the internal LAN; otherwise, the firewall uses the standard profile. You must use Group Policy to configure this dual capability, and I'll show you how to do so in my next article. For the purposes of this article, however, we'll assume that the test system isn't a member of a domain. Therefore, the system will use only one profile, which will apply when the computer is connected to the internal network as well as when the system is connected to the Internet. We'll take a look at Windows Firewall's nuts and bolts by stepping through the manual, local configuration process, which uses Control Panel to configure Windows Firewall on your standalone test system.

Start It Up
Open the Control Panel Windows Firewall applet. (Note that the dialog boxes in the XP SP2 version that I used when writing this article still bore the firewall's original name—Internet Connection Firewall. Therefore, the dialog boxes in the final version of SP2 will probably look or be organized differently than in the figures that accompany this article. The sidebar "Windows Firewall Update" discusses some other changes that have taken place.) On the General tab, you'll see options for two operational modes: On and Off. Setting Windows Firewall to Off disables the feature and leaves every listening port on the workstation (and, through it, your network) exposed to attack. Selecting On activates Windows Firewall. Windows Firewall is a stateful inspection firewall: it records each TCP connection and UDP exchange that the workstation initiates and uses that table to recognize incoming packets that aren't replies to anything the workstation sent (for connectionless UDP, it remembers the outbound datagram and accepts responses to it for a short time). By default, Windows Firewall drops such unsolicited packets. However, in some situations you might want to permit unsolicited incoming connection requests. For example, if the workstation is connected to a LAN, you might want to allow connections to TCP port 3389, which both Remote Assistance and Remote Desktop use. When you enable Windows Firewall, it drops all unsolicited incoming connections except those that you define on the applet's Exceptions tab.

To enforce a temporary lockdown—when, for example, a new worm is gathering speed on the network and your antivirus vendor hasn't yet released a signature update or you can't push out the necessary security patch in time—you can switch your workstations to Shielded mode until the patch is deployed or your antivirus product is updated. (This type of widespread configuration would take place through Group Policy.) In Shielded mode the firewall stays on but ignores every exception, so any program or service that relies on an exception to accept incoming connections (e.g., Windows Messenger) will stop working until you lift the lockdown. For information about Shielded mode, see "Windows Firewall Update."

The Exception to the Rule
Exceptions define how Windows Firewall handles unsolicited inbound packets. To configure global exceptions that apply to all network connections, including dialup, LAN, VPN, and WAN connections, go to the Windows Firewall applet's Exceptions tab, which Figure 1 shows. (I'll show you later how to configure exceptions that apply to specific network connections.)
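The General-tab and Exceptions-tab steps above can also be applied from a command prompt with the netsh firewall context that the released XP SP2 provides, which is handy for resetting the test system between experiments. The script below is an added example, not code from the article; it assumes a standalone (non-domain) XP SP2 machine, an Administrator command prompt, and that Remote Desktop should only be reachable from the local subnet, so it scopes the 3389 exception to the subnet rather than opening the port to every network the profile covers. The "lockdown" and "restore" subcommands are the command-line equivalent of the Shielded mode switch.

```batch
@echo off
rem firewall-test.cmd -- added example, not from the article. Drives the
rem "netsh firewall" context shipped with XP SP2 to reproduce the applet steps.
rem Assumptions: standalone XP SP2 test machine, Administrator command prompt,
rem and a local-subnet-only scope for Remote Desktop.
if "%1"=="" goto usage
if /i "%1"=="status"   goto status
if /i "%1"=="setup"    goto setup
if /i "%1"=="lockdown" goto lockdown
if /i "%1"=="restore"  goto restore
if /i "%1"=="cleanup"  goto cleanup
goto usage

:status
rem Baseline: operational mode, exceptions, and the profile in effect.
netsh firewall show state
netsh firewall show config
goto :eof

:setup
rem General tab "On": firewall enabled, Exceptions tab honoured. Unsolicited
rem inbound TCP/UDP is dropped unless an exception matches.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=CURRENT
rem Exceptions tab: Remote Desktop / Remote Assistance on TCP 3389. scope=SUBNET
rem keeps the port closed to anything outside the local subnet, e.g. the
rem Internet side of a dial-up or dual-homed connection.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=SUBNET profile=CURRENT
netsh firewall show portopening
goto :eof

:lockdown
rem Shielded mode: firewall stays on, every exception is ignored, so the 3389
rem opening above stops working until "restore" runs.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=CURRENT
goto :eof

:restore
rem Lift the lockdown once the patch or signature update is deployed.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=CURRENT
goto :eof

:cleanup
rem Remove the test exception when you are done.
netsh firewall delete portopening protocol=TCP port=3389 profile=CURRENT
goto :eof

:usage
echo Usage: %~nx0 status ^| setup ^| lockdown ^| restore ^| cleanup
```

Run "firewall-test.cmd status" before and after each step and compare the output of "show config": the Operational mode line changes with "set opmode", and the exception appears or disappears under the port-opening list. Because the test system is not a domain member, profile=CURRENT always resolves to the single standard profile the article describes.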

Note that Windows Firewall doesn't enforce any policies on outgoing packets. Ideally, a workstation firewall such as Windows Firewall would also control outbound packets. Without such control, you can't prevent malicious users or programs on the workstation from attacking other computers on the network. In all fairness, however, controlling outbound traffic is much more complex than controlling inbound traffic because distinguishing between legitimate and malicious outbound connections is difficult. (That's why personal firewall developers such as Internet Security Systems'—ISS's—BlackICE must employ an annoying learning mode.)
