|The following excerpt series from Chapter 2 of the free eBook "The Definitive Guide to Securing Windows in the Enterprise" (Realtimepublishers) is written by Don Jones. To obtain all eBook chapters from this guide, go to cc.realtimepublishers.com.|
I'll risk starting a firestorm of debate with this statement: Every Windows client computer should have a local firewall. Now that I've said it, let me defend myself, because I know the topic of local firewalls is one that creates a lot of tension in the Windows administrative community.
Some administrators hate local firewalls, and for good reason. They definitely increase the administrative burden client computers represent. You'll need to be more concerned with what client computers are doing so that you can configure the firewall appropriately. I don't think that "additional administrative burden," however, is a good excuse for lax security. The fact is that most attacks target client computer vulnerabilities; because you can never tell what vulnerabilities might be lurking in Windows or your other corporate software, a firewall provides a good, solid line of defense. Keep in mind that most attacks come from within your network, so don't think that the corporate firewall is a perfect defense that obviates the need for a per-client defensive mechanism.
Microsoft's Windows Firewall, introduced with Windows XP SP2, is a decent client-side firewall; other client-side firewalls are available from several companies. Windows Firewall has the benefit of being centrally configurable through Group Policy: you can turn it on and off, define port and program exceptions to allow incoming traffic, and so forth, separately for the Domain profile (used when the computer can reach its domain) and the Standard profile (used on any other network). Keep in mind that it filters inbound traffic only; it does nothing to stop a compromised client from making outbound connections. Because most client computers don't need to accept unsolicited incoming connections (replies to traffic that originated on the client are allowed by default, because the firewall tracks connection state), you can often just configure the firewall to be on and leave it at that.
|If the Windows Firewall settings don't appear in the Group Policy Object Editor on your domain controllers, you can add them by loading the updated SP2 ADM template files, which are available for download from Microsoft.|
My complaint about Group Policy is that it is not quite granular enough in its application. GPOs can be linked to OUs, domains, or sites, and the application of a particular GPO can be blocked at any of those levels as well. With Windows XP and Windows Server 2003 (WS2K3) systems, application can be made a bit more granular through the use of WMI filters. However, you can't easily, for example, apply a GPO only to members of a certain group who have a particular software application running on their computers. ScriptLogic Desktop Authority, however, can apply Windows Firewall settings at that kind of granularity. For example, in Figure 2.7 I've created a Desktop Authority setting that enables the Windows Firewall and creates a port exception allowing incoming traffic on TCP port 80 (strictly as a demonstration; few client computers would actually need such an exception).
Figure 2.7: Configuring a firewall setting in Desktop Authority.
I can restrict application of this setting to only those computers that are not members of the Administrator PCs group. In other words, administrators' PCs won't have this policy applied, a perfectly reasonable requirement in many environments in which administrators run software that ordinary users never will. A great many rules can be applied to the setting, such as the type of machine (desktop, laptop, tablet PC, and so forth), the OS, the type of connection, and so forth.
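Whichever tool pushes the settings, the Windows Firewall Group Policy values land in the same place on the client, and the first thing to verify is that they actually arrived. The following PowerShell script is an added example and not code from the eBook or from Desktop Authority: it reads the policy values under HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall for both profiles, parses any port exceptions (the "Define port exceptions" entries use the documented port:transport:scope:status:name form, so the TCP 80 demonstration above would appear as 80:TCP:*:Enabled:Web), and flags exceptions that open ports a client has no business accepting. The $AllowedClientPorts list is an assumption for this demonstration and would be tuned per environment.

```powershell
# Added example (not from the eBook): audit the values that the Windows Firewall Group
# Policy settings write on a client. Key names and the port-exception string format
# (port:transport:scope:status:name) are the documented ones for the XP SP2 / WS2K3 SP1
# Windows Firewall. The allow-list below is an assumption for this demonstration.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$Profiles   = 'DomainProfile', 'StandardProfile'

# Assumed allow-list: inbound ports a managed client in this environment legitimately
# accepts (file sharing and Remote Desktop). Anything else is reported.
$AllowedClientPorts = @(139, 445, 3389)

function ConvertFrom-PortException {
    # A policy entry looks like "80:TCP:*:Enabled:Web" (the "Define port exceptions" syntax).
    param([Parameter(Mandatory=$true)][string]$Entry)
    $parts = $Entry -split ':', 5
    if ($parts.Count -lt 5) { throw "Malformed port exception: '$Entry'" }
    [pscustomobject]@{
        Port      = [int]$parts[0]
        Transport = $parts[1].ToUpper()
        Scope     = $parts[2]      # '*' (any address), 'LocalSubnet', or a list of addresses/subnets
        Enabled   = ($parts[3] -eq 'Enabled')
        Name      = $parts[4]
    }
}

function Get-FirewallProfilePolicy {
    param([Parameter(Mandatory=$true)][string]$ProfileName)
    $key = Join-Path $PolicyRoot $ProfileName
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Profile = $ProfileName; Configured = $false; Enabled = $null; Exceptions = @() }
    }
    $props = Get-ItemProperty -Path $key
    # EnableFirewall is a REG_DWORD: 1 = on, 0 = off; absent means the GPO leaves it unconfigured.
    $enabled = if ($null -ne $props.EnableFirewall) { [int]$props.EnableFirewall -eq 1 } else { $null }

    $exceptions = @()
    $listKey = Join-Path $key 'GloballyOpenPorts\List'
    if (Test-Path $listKey) {
        $list = Get-Item -Path $listKey
        foreach ($valueName in $list.GetValueNames()) {
            $exceptions += ConvertFrom-PortException -Entry ([string]$list.GetValue($valueName))
        }
    }
    [pscustomobject]@{ Profile = $ProfileName; Configured = $true; Enabled = $enabled; Exceptions = $exceptions }
}

foreach ($profileName in $Profiles) {
    $policy = Get-FirewallProfilePolicy -ProfileName $profileName
    if (-not $policy.Configured) {
        Write-Warning "${profileName}: no Windows Firewall policy present; check that the GPO reaches this client"
        continue
    }
    if ($policy.Enabled -ne $true) {
        Write-Warning "${profileName}: EnableFirewall is not 1; the firewall may be off or left to local settings"
    }
    foreach ($e in ($policy.Exceptions | Where-Object { $_.Enabled })) {
        if ($AllowedClientPorts -notcontains $e.Port) {
            Write-Warning ("{0}: exception '{1}' opens {2}/{3} to scope '{4}', which is not on the client allow-list" -f `
                $profileName, $e.Name, $e.Port, $e.Transport, $e.Scope)
        }
        elseif ($e.Scope -eq '*') {
            Write-Output ("{0}: '{1}' {2}/{3} is permitted but open to any address; consider scoping it to LocalSubnet" -f `
                $profileName, $e.Name, $e.Port, $e.Transport)
        }
    }
}
```

These are the values policy pushed down, not necessarily the running state: on XP SP2 and WS2K3 SP1, netsh firewall show state and netsh firewall show config display the effective configuration, and gpresult confirms which GPOs reached the machine. A client that reports no policy at all in the Domain profile is the case to chase first, because the firewall is then running on whatever its local settings happen to be.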
|Although Windows Firewall was first introduced in Windows XP SP2 and you will most commonly use it on client computers, WS2K3 SP1 also contains the Windows Firewall and makes it available on server computers.|