#1
Proposed Internet Connection Firewall change in WinXP SP2

I read the following in eWeek (November 24, 2003, "Building on 'Trust'", pg 10, 2nd paragraph that begins with "Windows XP will also get"). The article states that ICF will be enabled by default in WinXP SP2. Where can I get official information from Microsoft regarding this? I could open an MSDN incident, but I'd rather not.

Turning on ICF by default on the LAN connection would be disastrous to our customers. We have over 100 customers using our product, which relies on DCOM & IP to communicate between the client workstations and the server. Our customers that have an Internet connection have either a firewall or at least a basic router that protects their internal network. The workstations only have a single network connection, and that's the LAN connection. Enabling ICF by default on the LAN connection would definitely prevent our software from functioning, and I suspect would cause problems for other ISVs that use DCOM.

Firewalls are not intended to be run at the workstation level, blocking data to that workstation. They are intended to protect the entire local network from outside access. I've always thought ICF was a dumb idea to begin with, but enabling ICF by default will cost our company a lot of time and money to go back and disable it on every one of our customer workstations (well over 2,000 workstations).

Jon
#2
Proposed Internet Connection Firewall change in WinXP SP2

You may be jumping the gun.

While MS has tentatively indicated that they are looking at making this default with SP 2, I for one have not heard under what circumstances. For example, it would be rather simple to detect whether a machine is in a domain or not, and behave differently based on that. We also do not yet know what might be made available for management for ICF from group policy.

However, I must say that I differ with your assessment of the need or not of ICF on individual machines. Most of the worms of recent infamy had no problem crossing into corp networks, and once there caused widespread damage. Perimeter defense is good, but I believe that the only real, long-term solution to the issues assuaging the internet will be found by hardening the end-point systems.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Jon Robertson" wrote in message ...
> I read the following in eWeek (November 24, 2003, "Building on 'Trust'", pg 10, 2nd paragraph that begins with "Windows XP will also get"). The article states that ICF will be enabled by default in WinXP SP2. Where can I get official information from Microsoft regarding this? I could open an MSDN incident, but I'd rather not.
>
> Turning on ICF by default on the LAN connection would be disastrous to our customers. We have over 100 customers using our product, which relies on DCOM & IP to communicate between the client workstations and the server. Our customers that have an Internet connection have either a firewall or at least a basic router that protects their internal network. The workstations only have a single network connection, and that's the LAN connection. Enabling ICF by default on the LAN connection would definitely prevent our software from functioning, and I suspect would cause problems for other ISVs that use DCOM.
>
> Firewalls are not intended to be run at the workstation level, blocking data to that workstation. They are intended to protect the entire local network from outside access. I've always thought ICF was a dumb idea to begin with, but enabling ICF by default will cost our company a lot of time and money to go back and disable it on every one of our customer workstations (well over 2,000 workstations).
>
> Jon
#3
Proposed Internet Connection Firewall change in WinXP SP2

> You may be jumping the gun.

True. The article did not, for instance, mention if DCOM was being modified to be more firewall friendly. This is why I asked where I can get OFFICIAL information from Microsoft.

> We also do not yet know what might be made available for management for ICF from group policy.

Microsoft does not have a history of loudly notifying when steps such as these need to be taken. If XP SP2 does enable ICF by default even in a domain environment, and Group Policy administration is available, Microsoft should very loudly announce that DCOM will not be available unless a Group Policy for ICF is created. If Group Policy administration is not available and ICF is enabled within a domain, Microsoft should announce very loudly that a default SP2 installation will break DCOM within the LAN.

> However, I must say that I differ with your assessment of the need or not of ICF on individual machines. Most of the worms of recent infamy had no problem crossing into corp networks, and once there caused widespread damage. Perimeter defense is good, but I believe that the only real, long-term solution to the issues assuaging the internet will be found by hardening the end-point systems.

I'm not a security expert. I'm a developer who is trying desperately to keep up with the impact of Microsoft's security changes. Please enlighten me: If a worm/virus is able to get through a corporate firewall, what would prevent it from getting through a software firewall like ICF? Furthermore, if ICF can be configured to truly protect individual systems, why can't a corporate firewall be configured to truly protect the entire corporation?

I agree with steps such as blocking network access from workstations that are not updated with the most recent security updates. But a firewall on every workstation on the corporate network? I might as well disconnect my machine from the network. How many distributed software solutions exist that would function if every workstation had an individual firewall? For that matter, without making custom changes (that are not easy to the end user), I can't share files or printers from my workstation if I have ICF enabled.

I would hope a completely redesigned ICF would be available before such drastic steps are taken. One that easily allows the user to custom configure which services they need access to, similar to the new configuration of Server 2003.

Thanks
#4
Proposed Internet Connection Firewall change in WinXP SP2

Look, we are all waiting to see how this announced SP2 feature is implemented. The beta bits are not widely available and where they are things cannot be definitively discussed.

It is very difficult for me to see this being automatically turned on within a domain, as it will break not just your application, but all of MS's tools for centrally managing the remote systems (event viewer, regedit, mmcs focused on remote system, WMI and other scripts, etc.).

Some of the things that have been around can infect an unpatched system if it is merely visible to Tcp/Ip traffic, such as recent DCOM and RPC exploits. A per-machine firewall prevents this from spreading to those machines. Of course a firewall is totally ineffectual against unintelligent user actions.

I would advise you to look at alternatives to DCOM based instancing for your application anyway, as the tide has turned and you will likely be finding customers (like myself) that would be unwilling to buy a product that required them (me) to re-enable DCOM on servers and clients. I have (the D part in) DCOM pretty completely killed and have no desire to go back.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Jon Robertson" wrote in message ...
>> You may be jumping the gun.
>
> True. The article did not, for instance, mention if DCOM was being modified to be more firewall friendly. This is why I asked where I can get OFFICIAL information from Microsoft.
>
>> We also do not yet know what might be made available for management for ICF from group policy.
>
> Microsoft does not have a history of loudly notifying when steps such as these need to be taken. If XP SP2 does enable ICF by default even in a domain environment, and Group Policy administration is available, Microsoft should very loudly announce that DCOM will not be available unless a Group Policy for ICF is created. If Group Policy administration is not available and ICF is enabled within a domain, Microsoft should announce very loudly that a default SP2 installation will break DCOM within the LAN.
>
>> However, I must say that I differ with your assessment of the need or not of ICF on individual machines. Most of the worms of recent infamy had no problem crossing into corp networks, and once there caused widespread damage. Perimeter defense is good, but I believe that the only real, long-term solution to the issues assuaging the internet will be found by hardening the end-point systems.
>
> I'm not a security expert. I'm a developer who is trying desperately to keep up with the impact of Microsoft's security changes. Please enlighten me: If a worm/virus is able to get through a corporate firewall, what would prevent it from getting through a software firewall like ICF? Furthermore, if ICF can be configured to truly protect individual systems, why can't a corporate firewall be configured to truly protect the entire corporation?
>
> I agree with steps such as blocking network access from workstations that are not updated with the most recent security updates. But a firewall on every workstation on the corporate network? I might as well disconnect my machine from the network. How many distributed software solutions exist that would function if every workstation had an individual firewall? For that matter, without making custom changes (that are not easy to the end user), I can't share files or printers from my workstation if I have ICF enabled.
>
> I would hope a completely redesigned ICF would be available before such drastic steps are taken. One that easily allows the user to custom configure which services they need access to, similar to the new configuration of Server 2003.
>
> Thanks
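A read-only check for the situation the thread is arguing about (whether a workstation's host firewall would block DCOM's endpoint mapper, and whether the machine is domain-joined so a domain profile or Group Policy would apply). This is an added audit example, not code from any poster; it assumes the HNetCfg.FwMgr COM interface that ships with the SP2 firewall and WMI's Win32_ComputerSystem, and the function name and output fields are my own.

```powershell
# Added audit example (not from the thread): report whether this workstation's
# Windows Firewall (the SP2 successor of ICF) would block the DCOM endpoint
# mapper, and whether the machine is domain-joined. Read-only; changes nothing.

function Get-DcomFirewallStatus {
    # Domain membership decides which firewall profile (domain vs standard) is in force.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $inDomain = [bool]$cs.PartOfDomain

    # HNetCfg.FwMgr is the COM entry point for the SP2 firewall policy.
    $fwMgr     = New-Object -ComObject HNetCfg.FwMgr
    $fwProfile = $fwMgr.LocalPolicy.CurrentProfile

    # DCOM activation goes through the RPC endpoint mapper on TCP 135;
    # the object calls themselves then use dynamically assigned ports.
    $port135Open = $false
    foreach ($p in $fwProfile.GloballyOpenPorts) {
        # Protocol 6 is NET_FW_IP_PROTOCOL_TCP.
        if ($p.Port -eq 135 -and $p.Protocol -eq 6 -and $p.Enabled) { $port135Open = $true }
    }

    # "Don't allow exceptions" overrides every open port and program exception.
    $blocksDcom = $fwProfile.FirewallEnabled -and
                  ($fwProfile.ExceptionsNotAllowed -or -not $port135Open)

    [pscustomobject]@{
        Computer            = $cs.Name
        DomainJoined        = $inDomain
        # Type 0 is NET_FW_PROFILE_DOMAIN, 1 is NET_FW_PROFILE_STANDARD.
        ProfileType         = if ($fwProfile.Type -eq 0) { 'Domain' } else { 'Standard' }
        FirewallEnabled     = $fwProfile.FirewallEnabled
        ExceptionsAllowed   = -not $fwProfile.ExceptionsNotAllowed
        Tcp135ExceptionOpen = $port135Open
        LikelyBlocksDcom    = $blocksDcom
    }
}

Get-DcomFirewallStatus | Format-List
```

The verdict only considers globally open ports; a per-program exception (the profile's AuthorizedApplications list) for the DCOM server process would also let the traffic through and is not checked here.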
#5
Proposed Internet Connection Firewall change in WinXP SP2

Jon,

I forgot to mention that posting this over in the microsoft.public.security newsgroup may be the way to get your concerns to the attention of the highest level security planning group members.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA