I read the following in eWeek (November 24, 2003, "Building on
'Trust'", pg 10, 2nd paragraph that begins with "WIndows XP will also
get").

The article states that ICF will be enabled by default in WinXP SP2.

Where can I get official information from Microsoft regarding this? I
could open an MSDN incident, but I'd rather not.

Turning on ICF by default on the LAN connection would be disasterous to
our customers. We have over 100 customers using our product, which
relies on DCOM & IP to communicate between the client workstations and
the server.

Our customers that have an Internet connection have either a firewall
or at least a basic router that protects their internal network. The
workstations only have a single network connection, and that's the LAN
connection. Enabling ICF by default on the LAN connection would
definitely prevent our software from functioning, and I suspect would
cause problems for other ISVs that use DCOM.

Firewalls are not intended to be run at the workstation level, blocking
data to that workstation. They are intended to protect the entire
local network from outside access. I've always thought ICF was a dumb
idea to begin with, but enabling ICF by default will cost our company a
lot of time and money to go back and disable it on every one of our
customer workstations (well over 2,000 workstations).

Jon

You may be jumping the gun.
While MS has tentatively indicated that they are looking at
making this default with SP 2, I for one have not heard under
what circumstances. For example, it would be reather simple
to detect whether a machine is in a domain or not, and behave
differently based on that. We also do not yet know what might
be made available for management for ICF from group policy.

However, I must say that I differ with your assessment of the
need or not of ICF on individual machines. Most of the worms
of recent infamy had no problem crossing into corp networks,
and once there caused widespread damage. Perimeter defense
is good, but I believe that the only real, long-term solution to
the issues assuaging the internet will be found by hardening the
end-point systems.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jon Robertson" > wrote in message
...
> I read the following in eWeek (November 24, 2003, "Building on
> 'Trust'", pg 10, 2nd paragraph that begins with "WIndows XP will also
> get").
>
> The article states that ICF will be enabled by default in WinXP SP2.
>
> Where can I get official information from Microsoft regarding this? I
> could open an MSDN incident, but I'd rather not.
>
> Turning on ICF by default on the LAN connection would be disasterous to
> our customers. We have over 100 customers using our product, which
> relies on DCOM & IP to communicate between the client workstations and
> the server.
>
> Our customers that have an Internet connection have either a firewall
> or at least a basic router that protects their internal network. The
> workstations only have a single network connection, and that's the LAN
> connection. Enabling ICF by default on the LAN connection would
> definitely prevent our software from functioning, and I suspect would
> cause problems for other ISVs that use DCOM.
>
> Firewalls are not intended to be run at the workstation level, blocking
> data to that workstation. They are intended to protect the entire
> local network from outside access. I've always thought ICF was a dumb
> idea to begin with, but enabling ICF by default will cost our company a
> lot of time and money to go back and disable it on every one of our
> customer workstations (well over 2,000 workstations).
>
> Jon

> You may be jumping the gun.

True. The article did not, for instance, mention if DCOM was being
modified to be more firewall friendly. This is why I asked where I can
get OFFICIAL information from Microsoft.

> We also do not yet know what might be made
> available for management for ICF from group policy.

Microsoft does not have a history of loudly notifying when steps such
as these need to be taken. If XP SP2 does enable ICF by default even
in a domain environment, and Group Policy administration is available,
Microsoft should very loudly announce that DCOM will be not be
available unless a Group Policy for ICF is created.

If Group Policy administration is not available and ICF is enabled
within a domain, Microsoft should announce very loudly that a default
SP2 installation will break DCOM within the LAN.

> However, I must say that I differ with your assessment of the
> need or not of ICF on individual machines. Most of the worms
> of recent infamy had no problem crossing into corp networks,
> and once there caused widespread damage. Perimeter defense
> is good, but I believe that the only real, long-term solution to
> the issues assuaging the internet will be found by hardening the
> end-point systems.

I'm not a security expert. I'm a developer who is trying desparately
to keep up with the impact of Microsoft's security changes. Please
enlighten me:

If a worm/virus is able to get through a corporate firewall, what would
prevent it from getting through a software firewall like ICF?
Furthermore, if ICF can be configured to truly proteect individual
systems, why can't a corporate firewall be configured to truly protect
the entire corporation?

I agree with steps such as blocking network access from workstations
that are not updated with the most recent security updates.

But a firewall on every workstation on the corporate network? I might
as well disconnect my machine from the network. How many distributed
software solutions exists that would function if every workstation had
an individual firewall? For that matter, without making custom changes
(that are not easy to the end user), I can't share files or printers
from my workstation if I have ICF enabled.

I would hope a completely redesigned ICF would be available before such
drastic steps are taken. One that easily allows the user to custom
configure which services they need access to, similar to the new
configuration of Server 2003.

Thanks

Look, we are all waiting to see how this announced SP2
feature is implemented. The beta bits are not widely
available and where they are things cannot be definitively
discussed.

It is very difficult for me to see this being automatically
turned on within a domain, as it will break not just your
application, but all of MS tools for centrally managing
the remote systems (event viewer, regedit, mmcs focused
on remote system, WMI and other scripts, etc.).

Some of the things that have been around can infect and
unpatched system if it is merely visible to Tcp/Ip traffic,
such as recent DCOM and RPC exploits. A per-machine
firewall prevents this from spreading to those machines.
Of course a firewall is totally ineffectual against unintelligent
user actions.

I would advise you to look at alternatives to DCOM based
instancing for your application anyway, as the tide has turned
and you will likely be finding customers (like myself) that would
be unwilling to buy a product that required them (me) to re-enable
DCOM on servers and clients. I have (the D part in) DCOM pretty
completely killed and have no desire to go back.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Jon Robertson" > wrote in message
...
> > You may be jumping the gun.
>
> True. The article did not, for instance, mention if DCOM was being
> modified to be more firewall friendly. This is why I asked where I can
> get OFFICIAL information from Microsoft.
>
> > We also do not yet know what might be made
> > available for management for ICF from group policy.
>
> Microsoft does not have a history of loudly notifying when steps such
> as these need to be taken. If XP SP2 does enable ICF by default even
> in a domain environment, and Group Policy administration is available,
> Microsoft should very loudly announce that DCOM will be not be
> available unless a Group Policy for ICF is created.
>
> If Group Policy administration is not available and ICF is enabled
> within a domain, Microsoft should announce very loudly that a default
> SP2 installation will break DCOM within the LAN.
>
> > However, I must say that I differ with your assessment of the
> > need or not of ICF on individual machines. Most of the worms
> > of recent infamy had no problem crossing into corp networks,
> > and once there caused widespread damage. Perimeter defense
> > is good, but I believe that the only real, long-term solution to
> > the issues assuaging the internet will be found by hardening the
> > end-point systems.
>
> I'm not a security expert. I'm a developer who is trying desparately
> to keep up with the impact of Microsoft's security changes. Please
> enlighten me:
>
> If a worm/virus is able to get through a corporate firewall, what would
> prevent it from getting through a software firewall like ICF?
> Furthermore, if ICF can be configured to truly proteect individual
> systems, why can't a corporate firewall be configured to truly protect
> the entire corporation?
>
> I agree with steps such as blocking network access from workstations
> that are not updated with the most recent security updates.
>
> But a firewall on every workstation on the corporate network? I might
> as well disconnect my machine from the network. How many distributed
> software solutions exists that would function if every workstation had
> an individual firewall? For that matter, without making custom changes
> (that are not easy to the end user), I can't share files or printers
> from my workstation if I have ICF enabled.
>
> I would hope a completely redesigned ICF would be available before such
> drastic steps are taken. One that easily allows the user to custom
> configure which services they need access to, similar to the new
> configuration of Server 2003.
>
> Thanks

Jon,

I forgot to mention that posting this over in the
microsoft.public.security
newsgroup may be the way to get your concerns
to the attention of the highest level security planning
group members.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA