Windows Tip Sheet
Dude, Where's My Firewall?
The fix is in for Windows Firewall settings on XP systems sitting on Small Business Server 2003 domains.
One new feature of Windows XP SP2 — a feature I'm sure you've
heard about ad infinitum by now — is Windows Firewall. It's sexier,
more functional and more automated than its predecessor, the Internet
Connection Firewall (ICF). It’s even enabled automatically when
you install SP2 and can be accessed from SP2’s new Security Center.
I was a bit surprised, though, to learn that one of my clients couldn’t
enable Windows Firewall after installing SP2. That didn't seem at all
like the message Microsoft was trying to deliver about security. Provide
a great new firewall and then make it impossible to turn on? Something
had to be going on.
It's in the Policy
Windows Firewall can be centrally controlled through a bunch of new Group
Policy Object settings, enabling domain admins to centrally lock down
their client computers in whatever way they like. Of course, helping your
users to keep their mitts off of the firewall's configuration is part
of the equation, so Windows Firewall can be locked down in such a way
that end users can't modify its configuration. I figured that had to be
what was going on with my client, but he informed me that he'd never so
much as touched a GPO setting in his domain. Still, his clients were encountering
the message "For your security, some settings are controlled by Group
Policy" whenever he tried to configure them. Was he lying?
Nope. Turns out his domain was a Small Business Server (SBS) 2003 domain.
Some quick spelunking through the Microsoft Knowledge Base turned up an article
that explains that SBS turns off Windows Firewall on XP SP2 clients. It doesn't
say why, but the article does contain a link to a download that will fix
the problem. So, if you're running an SBS2003-based domain, you'll probably
want to put this fix into place ASAP, before (or soon after) upgrading
any clients to XP SP2. That way your clients' firewalls work properly.
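To confirm on a client that Group Policy, and not a local setting, is what holds the firewall off, the check below reads the policy-delivered and locally configured EnableFirewall values for both firewall profiles. It is an added example, not code from the column or from the Knowledge Base article, and it assumes PowerShell 2.0 or later is installed on the client; the function name Get-FirewallSetting is made up for this illustration.

```powershell
# Added example: report whether Group Policy controls Windows Firewall on this
# machine and whether that policy turns the firewall off.
# Policy-delivered settings live under the Policies key; settings made in the
# Control Panel applet live under the SharedAccess service key.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Hypothetical helper: returns the EnableFirewall DWORD for one profile,
# or $null when the key or the value does not exist.
function Get-FirewallSetting {
    param([string]$Root, [string]$ProfileName)
    $path = Join-Path $Root $ProfileName
    if (-not (Test-Path $path)) { return $null }
    $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.EnableFirewall
}

# DomainProfile applies while the client is on the domain network,
# StandardProfile everywhere else.
foreach ($name in 'DomainProfile', 'StandardProfile') {
    $policy = Get-FirewallSetting $policyRoot $name
    $local  = Get-FirewallSetting $localRoot  $name

    if ($policy -eq $null) {
        $verdict = 'not set by policy; the local setting applies'
    } elseif ($policy -eq 0) {
        $verdict = 'policy turns the firewall OFF; users cannot enable it'
    } else {
        $verdict = 'policy turns the firewall ON'
    }

    # Show unset values explicitly instead of as an empty string.
    $policyText = if ($policy -eq $null) { '(unset)' } else { $policy }
    $localText  = if ($local  -eq $null) { '(unset)' } else { $local }

    '{0,-16} policy={1,-8} local={2,-8} {3}' -f $name, $policyText, $localText, $verdict
}
```

A profile that reports `policy=0` matches the symptom described above: the firewall is off and the local dialog is locked, regardless of the local value.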
Windows XP SP2 prevents most types of
incoming connections to client computers, thanks to
Windows Firewall. This can include things like Remote
Desktop, remote scripting, remote WMI connections and
more. Be sure to carefully review the firewall's settings
on a test machine and implement a Group Policy Object
to centrally configure the firewall settings that are
appropriate for your environment. As you roll out SP2,
clients will automatically pick up the GPO settings
and won't experience any loss of functionality due to
The full text of the Knowledge Base article is available at http://support.microsoft.com/default.aspx?scid=kb;en-us;872769.
Microsoft's SBS2003 Web site is at http://www.microsoft.com/sbs.
Microsoft TechNet has a big section on XP SP2 at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/
With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and MCPMag.com. Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.