Windows Tip Sheet

Dude, Where's My Firewall?

The fix is in for Windows Firewall settings on XP systems sitting on Small Business Server 2003 domains.

One new feature of Windows XP SP2 — a feature I'm sure you've heard about ad infinitum by now — is Windows Firewall. It's sexier, more functional and more automated than its predecessor, the Internet Connection Firewall (ICF). It’s even enabled automatically when you install SP2 and can be accessed from SP2’s new Security Center. I was a bit surprised, though, to learn that one of my clients couldn’t enable Windows Firewall after installing SP2. That didn't seem at all like the message Microsoft was trying to deliver about security. Provide a great new firewall and then make it impossible to turn on? Something had to be going on.

-- sponsor --
Trying to decipher the many aspects of Sarbanes Oxley and its impact on the use of e-mail within the organization? This white paper highlights the importance of a holistic approach to email security and illustrates the value IronMail® brings to an organization subject to Sarbanes-Oxley compliance.

It's in the Policy
Windows Firewall can be centrally controlled through a bunch of new Group Policy Object settings, enabling domain admins to centrally lock down their client computers in whatever way they like. Of course, helping your users to keep their mitts off of the firewall's configuration is part of the equation, so Windows Firewall can be locked down in such a way that end users can't modify its configuration. I figured that had to be what was going on with my client, but he informed me that he'd never so much as touched a GPO setting in his domain. Still, his clients were encountering the message "For your security, some settings are controlled by Group Policy" whenever he tired to configure them. Was he lying?

Nope. Turns out his domain was a Small Business Server (SBS) 2003 domain. Some quick spelunking through the Microsoft Knowledge Base turned up article 872769, which explains that SBS turns off Windows Firewall on XP SP2 clients. It doesn't say why, but the article does contain a link to a download that will fix the problem. So, if you're running an SBS2003-based domain, you'll probably want to put this fix into place ASAP, before (or soon after) upgrading any clients to XP SP2. That way your clients' firewalls work properly.

Micro Tip Sheet

Windows XP SP2 prevents most types of incoming connections to client computers, thanks to Windows Firewall. This can include things like Remote Desktop, remote scripting, remote WMI connections and more. Be sure to carefully review the firewall's settings on a test machine and implement a Group Policy Object to centrally configure the firewall settings that are appropriate for your environment. As you roll out SP2, clients will automatically pick up the GPO settings and won't experience any loss of functionality due to blocked ports.

More Resources
The full text of the Knowledge Base article is available at http://support.microsoft.com/default.aspx?scid=kb;en-us;872769.

Microsoft's SBS2003 Web site is at http://www.microsoft.com/sbs.

Microsoft TechNet has a big section on XP SP2 at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/
winxpsp2.mspx
.

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is an Author/Evangelist for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.