Windows Tip Sheet

Dude, Where's My Firewall?

The fix is in for Windows Firewall settings on XP systems sitting on Small Business Server 2003 domains.

One new feature of Windows XP SP2 — a feature I'm sure you've heard about ad infinitum by now — is Windows Firewall. It's sexier, more functional and more automated than its predecessor, the Internet Connection Firewall (ICF). It’s even enabled automatically when you install SP2 and can be accessed from SP2’s new Security Center. I was a bit surprised, though, to learn that one of my clients couldn’t enable Windows Firewall after installing SP2. That didn't seem at all like the message Microsoft was trying to deliver about security. Provide a great new firewall and then make it impossible to turn on? Something had to be going on.


It's in the Policy
Windows Firewall can be centrally controlled through a bunch of new Group Policy Object settings, enabling domain admins to centrally lock down their client computers in whatever way they like. Of course, helping your users to keep their mitts off of the firewall's configuration is part of the equation, so Windows Firewall can be locked down in such a way that end users can't modify its configuration. I figured that had to be what was going on with my client, but he informed me that he'd never so much as touched a GPO setting in his domain. Still, his clients were encountering the message "For your security, some settings are controlled by Group Policy" whenever he tried to configure them. Was he lying?

Nope. Turns out his domain was a Small Business Server (SBS) 2003 domain. Some quick spelunking through the Microsoft Knowledge Base turned up article 872769, which explains that SBS turns off Windows Firewall on XP SP2 clients. It doesn't say why, but the article does contain a link to a download that will fix the problem. So, if you're running an SBS2003-based domain, you'll probably want to put this fix into place ASAP, before (or soon after) upgrading any clients to XP SP2. That way your clients' firewalls work properly.
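To see whether Group Policy is what is holding a client's firewall on or off, you can read the firewall policy values on that client. The script below is an added example, not code from this article or from KB 872769; it assumes PowerShell is installed on the client (it is not part of XP SP2), and the registry path and value names are the standard Windows Firewall policy locations rather than anything quoted in the article.

```powershell
# Added example: list Windows Firewall settings that Group Policy is enforcing.
# A value present under the Policies key overrides the local setting, which is
# when the firewall UI shows "some settings are controlled by Group Policy".
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'

# DomainProfile applies while the client can reach its domain;
# StandardProfile applies on any other network (e.g. a laptop at home).
$ProfileNames = 'DomainProfile', 'StandardProfile'
$ValueNames   = 'EnableFirewall', 'DoNotAllowExceptions', 'DisableNotifications'

function Get-FirewallPolicySetting {
    param([string]$Root = $PolicyRoot)

    foreach ($profileName in $ProfileNames) {
        $key   = Join-Path $Root $profileName
        $props = $null
        if (Test-Path $key) { $props = Get-ItemProperty -Path $key }

        foreach ($valueName in $ValueNames) {
            $prop = $null
            if ($props) { $prop = $props.PSObject.Properties[$valueName] }

            $value = '(not set)'
            if ($prop) { $value = $prop.Value }
            $result = New-Object PSObject
            $result | Add-Member NoteProperty Profile $profileName
            $result | Add-Member NoteProperty Setting $valueName
            $result | Add-Member NoteProperty PolicyValue $value
            $result
        }
    }
}

$settings = @(Get-FirewallPolicySetting)
$settings | Format-Table -AutoSize

# EnableFirewall = 0 under a profile means policy is holding the firewall off
# for that profile; 1 means policy is holding it on. No value means no policy.
foreach ($s in $settings | Where-Object { $_.Setting -eq 'EnableFirewall' }) {
    switch ($s.PolicyValue) {
        0       { "{0}: firewall forced OFF by policy" -f $s.Profile }
        1       { "{0}: firewall forced ON by policy"  -f $s.Profile }
        default { "{0}: firewall not controlled by policy" -f $s.Profile }
    }
}
```

Running it on a test client before and after a policy change gives a simple before/after record of which firewall policy values changed.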

Micro Tip Sheet

Windows XP SP2 prevents most types of incoming connections to client computers, thanks to Windows Firewall. This can include things like Remote Desktop, remote scripting, remote WMI connections and more. Be sure to carefully review the firewall's settings on a test machine and implement a Group Policy Object to centrally configure the firewall settings that are appropriate for your environment. As you roll out SP2, clients will automatically pick up the GPO settings and won't experience any loss of functionality due to blocked ports.

More Resources
The full text of the Knowledge Base article is available at http://support.microsoft.com/default.aspx?scid=kb;en-us;872769.

Microsoft's SBS2003 Web site is at http://www.microsoft.com/sbs.

Microsoft TechNet has a big section on XP SP2 at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Fri, Dec 4, 2009 Nicole georgia

i updated my service pack now i can't surf the internet on my other computer..something 2 do with my fire wall..HELPPPP

Tue, Jun 30, 2009 lilly uk

hi how do i turn my firewall down cause my dad put it on and now it wont let me on msn where can i find it please help me xxx love lilly

Tue, Nov 15, 2005 Richard NZ

hey, i was recently on a server, and now im not but it still wont let me change my firewall...what can i do?

Thu, Jun 16, 2005 Anonymous Anonymous

just a big mess with information all over and no concrete steps to get rid of this (one more) microsoft annoyance.
Everyone always starts with "if you are running a fucking sbs ..." ... well I don't have no asshole sbs and the son of bitch cannot be turned off... sigh !

Fri, Dec 24, 2004 Kostas UK

I'll agree with the guys from Kansas and Honolulu.

What's the reason of having local firewalls if you're inside a domain? The only reason I would like this turned on by default is for some of my users who are on laptops.

Actually, I was trying to find how to turn SP2 firewall OFF when I came up with this article. Thanks to Anonymous for the .doc link ;)

Thu, Sep 9, 2004 Brian Blaine

So funny! Microsoft has outrun itself and needs a better dictionary. What a timely note from your desk.

Thu, Sep 9, 2004 John Jones Honolulu, Hawaii

"....a download that will fix the problem"?

Don, you've incorrectly categorized and communicated this 'feature' as a problem. This setting is intentional and appropriate for the majority of SBS 2003 clients. I suppose that there may be some extremely cautious admins with a lot of time on their hands, but the majority of SBS admins would not want this firewall turned on.

Wed, Sep 8, 2004 Jonathan Hutchins Kansas City, Missouri

An SBS site without a site-wide firewall wouldn't be a very well designed site. I certainly wouldn't deploy one. Workstation firewalls shouldn't be necessary, and would only add to the administrative burden that SBS works so hard to lessen. Turning them off by default policy only makes sense.

Wed, Sep 8, 2004 Jim NJ

Be sure to test a workstation with a manually installed SP2 prior to unleashing it on your Domain. In domains upgraded from SBS2000 you may have to do some tweaks to get all things working smoothly. It usually works but is a pain when it doesn't.

Wed, Sep 8, 2004 Richard Denver, Co.

Hi Don, The local XP SP2 firewall is by default turned off in SBS2003? Could this be due to the integration of the ISA Server in SBS? Could the assumption be that the clients are behind the ISA Server firewall and that the clients are not connecting to the Internet outside of the ISA Server? Also, does a small office that uses a stand-alone ISA Server for connectivity need to implement the windows firewall on the clients at all? Thanks, Richard.

Wed, Sep 8, 2004 Tim Goodvin Carlsbad, CA

Don...
Funny... seems like every time i'm looking into a new technology or product, i get the mcpmag magazine or the news update from you guys that is totally on target with exactly the info i have been looking into or the answer to an issue i have been grappling with.

I had been grappling with this issue with SBS 2003 and XP SP2. After scrambling around, i too found the patches that both turn this on, and then take the control away from the end-user.

I was hoping to see a breakout of the policy keys that get touched with these updates, but have yet to wrest the knowledge from any of my normal sources.

I suppose it's off to the salt mines to do a new install in a test environment and do a compare/contrast on the changes before/after in the policies.

Anyway, thanks and gratz again on always being (on my) cutting edge
