Windows XP client firewall: activate or not in a corporate LAN?

Tags:
Microsoft Windows XP
Security
Should we activate the XP firewall in a firewall-protected LAN, or does it cause complications for services, apps and users? I have been advised not to use it, as it causes problems and confusion for LAN-based users and complications and conflicts with the external firewalls. Thanks.

Answer Wiki


I would enable it and just allow the services that you need to go in and out of those machines. If it causes any other problems then disable it. It is just added security.

Discuss This Question: 10 Replies

  • Hedgehog
    Hi stanslad, I would enable it initially on a small test bed of controlled clients (perhaps just your own machine if it's of a similar type and has the same apps as the rest of your LAN), and see how it goes. As with any (most) personal firewalls, the WinXP FW will give you some connectivity problems, especially with client-server apps or in apps that need to "ping" the machines to work. So keep this in mind. As Blessen suggests, you will need to find out the ports/services used and open them in the firewalls. If you allow laptops into your corporate LAN, a personal firewall should be mandatory on those machines. On your desktops it's not so critical, although if you configure them properly with the above in mind, they will add to your overall security. Good luck, Hedgehog
  • Csmric
    Hi, When I initially deployed SP2 throughout our organization, I had the XP firewall enabled. I made the "holes" in it as necessary. However, as we proceeded, I found more and more LAN-related problems. The proprietary apps we use throughout the domain, the Terminal Server users, and the various anti-spy and anti-virus solutions we employ became too much to keep up with as I opened more and more holes. Since we use both a hardware (PIX) firewall and ISA Server, I decided to disable the XP firewall on all computers. We have had this configuration for 6 months with no adverse reactions. I would say that hedgehog is correct in advising that you configure the laptops to use the XP firewall. This keeps them protected when the user is not on your LAN. Good luck! csmric
  • Cptrelentless
    I'd keep the Windows firewall on; it's easy to configure through group policy. Use Sysinternals' TCPView or another similar program to look at which ports are open and by which programs. Vendor websites will also tell you which ports their software uses. Packet analysis with Ethereal will also give you an in-depth picture of which ports traffic is moving on. For programs which use multiple random ports, allow the exe file to receive incoming calls, rather than assigning all the ports. This can all be configured as a computer policy in Computer Configuration/Network/Network Connections. I did this all once about 6 months ago, I've never touched it since and everything works just fine. Easy-peasy.
  • Gstornelli
    On small, well protected networks I have used group policy to disable the firewall while the workstation is on the network, and enable the firewall while the workstation is off of the network. This removes the hassle of dealing with apps that are only run while in the office, while protecting the notebook users when they are on the road.
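    As an added example (not posted by anyone in this thread), here is what the advice above looks like when done from the command line on an XP SP2 client with netsh: firewall on in both the domain and standard profiles, the line-of-business exe allowed rather than its ports, ping and Remote Desktop opened only on the local subnet while on the domain, and dropped-packet logging turned on to find the next missing "hole". The program path and the TCP 5000 agent port are hypothetical placeholders; the netsh firewall commands are the ones shipped with XP SP2.

```batch
@echo off
rem Added example, not from any poster in this thread: XP SP2 Windows Firewall
rem configured with netsh on a domain-joined client. The exe path and TCP 5000
rem are constructed placeholders; substitute your own application's values.
rem Run from a cmd prompt as a local administrator, or push via a startup script.

rem 1. Firewall on in both profiles. DOMAIN applies when the client can reach its
rem    domain controller (in the office), STANDARD applies everywhere else (on the
rem    road). Exceptions stay enabled so the rules below take effect.
rem    (Gstornelli's variant: mode=DISABLE on the DOMAIN line, leave STANDARD on.)
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=STANDARD

rem 2. Allow the program rather than its ports, for apps that listen on several
rem    random ports. Limited to the local subnet and to the domain profile.
netsh firewall add allowedprogram program="C:\Program Files\LOBApp\lobclient.exe" name="LOB client (placeholder)" mode=ENABLE scope=SUBNET profile=DOMAIN

rem 3. Fixed-port services: a hypothetical management agent on TCP 5000, plus the
rem    built-in Remote Desktop and File/Print exceptions, again subnet and domain only.
netsh firewall add portopening protocol=TCP port=5000 name="Mgmt agent (placeholder)" mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN

rem 4. Inbound ICMP echo request (type 8) so tools that "ping" clients keep working
rem    on the LAN. Nothing is opened in the STANDARD profile, so the laptop stays
rem    silent to pings on a hotel network.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN

rem 5. Log dropped packets: the quickest way to see which port an app still needs
rem    before deciding whether to open it or give up on the client firewall.
netsh firewall set logging filelocation=%systemroot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 6. Verify what is now in effect for the current profile.
netsh firewall show state
netsh firewall show config
```

    The same settings map one to one onto the Group Policy items under Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall, which has separate Domain Profile and Standard Profile folders; the netsh form is handy for the test-bed stage before committing anything to a GPO.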
  • Poppaman2
    While I agree that a desktop firewall is a good idea (and TCPView is an excellent addition to your tool array....), I disagree that the XP SP2 firewall should be deployed. It is a one-way firewall (ingress only), leaving outgoing data untouched. I would suggest (of course depending upon how much security you are looking to implement) something a bit more robust, such as Sygate, Tiny, BlackICE or ZoneAlarm. There are many out there, my personal preference being Sygate, but that's my opinion only...
  • Amigus
    I, on the other hand, disagree with the notion that an ingress-only firewall is not useful or adequate. Egress filtering on workstations usually comes with a significant maintenance burden, and while egress filtering is very useful (and often recommended) on network firewalls, it's not really that useful on workstations. The only reasons, in my opinion, one would contemplate egress filtering are if the workstation users have the ability to install applications yet you want to limit the communication of those applications, or if you have spyware problems. With respect to limiting application network exposure, it's rather difficult since (most of the time) if they can install applications they can also allow them through the firewall themselves, using the same privilege they used to install it in the first place. With respect to the spyware, again, the user probably has too much privilege if they get infected with spyware, and that spyware can (using the user's privilege) likely bypass the firewall if it's smart enough. Given the above, I believe egress filtering is more trouble than it's worth, and for what it's worth it seems Microsoft agrees. If you're really serious about security, spend your time making your network work with unprivileged user accounts rather than wasting your helpdesk resources configuring cranky firewalls. If you really want egress filtering, do it on your network firewall, and if you really want to limit the scope of workstation communication, use IPSec.
  • Poppaman2
    re: amigus' reply of 26 Jul 2005. At the risk of sounding cranky (like some desktop firewalls!), and while I agree that setting up a network with only user-level rights is the most efficient way to do things from a network / network administrator's viewpoint (and it would make MY life easier if this was the case...), many organizations still feel that the end user should have certain local rights (i.e. local admin status). I have found this to be true in the pharmaceutical/research and development and publishing industries especially. Change in these situations (and they exist in other environments as well) is slow to happen, as management generally opposes it. Case in point: while planning an upgrade from Win95 to Win2K, the division director was strongly in favor of deploying 200+ notebook and 250+ desktop computers with FAT32 hard drives and full local administrator rights. It took the Sr. Systems Admin, the Network Admin and the Sr. Desktop Admin and the better part of a two-hour department meeting to convince him otherwise: to utilize an NTFS file system with user rights on the notebooks and power-user rights (and that was a compromise on our part...) for the desktops. When the first hard drive (of 50+) failed on the notebooks (but that's another story...), his was very much an "I told you so" attitude. It's a political game: allow the user rights to install software, but block access to the network. Not the most efficient way to run a business, but some people must play games (literally, as well as figuratively).
  • Djlsky
    The XP firewall on clients has caused problems with some apps. If you have a network firewall in place (hardware, not just software) you would be best to leave it off; one more layer of client complexity avoided. In addition, the MS client firewall only protects against outbound traffic, not inbound. If you do not have a hardware firewall, get one! Comments on software firewalls here: http://www.securityfocus.com/infocus/1839 Microsoft acknowledges problems here: http://support.microsoft.com/kb/842242 djl
  • Cptrelentless
    Erm, I think you mean that the other way round, djl: Windows Firewall is an inbound blocker. The only reason an app will stop working is if the ports it needs are closed. I might point out that you still have to open ports on a third-party firewall to make your apps work, so I'm having trouble seeing the difference here.
  • Djlsky
    Whoops, cptrelentless is correct; I got the direction reversed. Still, a single-direction firewall is not worth the support. I agree that on laptops a firewall is important for continued data security when not on the network. We use BlackICE. Thanks, djl