Archived from groups: microsoft.public.windowsxp.general,comp.security.firewalls,microsoft.public.windowsxp.security_admin
John wrote:
> Is it recommended to turn on and use the XP Firewall on workstations
> even if our network sits behind a router with its own Firewall?
> Will this cause problems? Until the last XP service pack, I only
> used the XP firewall when connecting from home or on the road. Now
> all connections are firewalled by default.
Bruce Chambers wrote:
> SP2's Firewall's most important virtues, I think, are its
> improved compatibility with internal LANs and its configurability via
> group policies. Now, there's a simple, cheap tool that system admins
> can use to protect the LAN workstations from that occasional - but
> not rare enough - fool who manages to bypass the perimeter firewall
> and manually install some malware that could then spread throughout
> the LAN via shared drives.
Leythos wrote:
> Got news for you, but if you're in a LAN and using the SP2 firewall
> it's already set up to allow access to shares and will not protect
> your computer while it's in a LAN/Domain.
Bruce Chambers wrote:
> It's not 100% effective, but it's still better than nothing. It
> depends upon the specific type of threat, of course. Things like
> Blaster, Welchia, and Sasser, that are not spread via network shares,
> get stopped.
Leythos wrote:
> I agree, but the poster specifically implied that the SP2 firewall
> would stop the spread of nasties that use file sharing.
Bruce Chambers wrote:
> Good point. I'll need to reword that one, won't I?
Leythos wrote:
> I've actually taken to disabling the firewall service on every
> workstation inside a network that we've set up security for. I've
> found the FW to be nothing but a pain in a secure network.
We enable the firewall using group policies and limit file & printer sharing
access to a few machines in the domain - mainly servers and certain
administrators' machines. This limits accessibility to the individual
workstations' shares to only a few machines and completely prevents one
authenticated user from mapping shares on another user's PC and effectively
stops the spread of most worms UNLESS one of the few machines that are
allowed access to the workstations in the domain gets infected, which is much
less likely than the users themselves getting infected.
--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
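
The scoping described in the last post, shown as local `netsh firewall` commands on an XP SP2 workstation. This is an added example, not part of the original thread and not the poster's actual policy; the 192.0.2.x addresses are constructed placeholders for the servers and administrator machines that are allowed in.

```batch
@echo off
rem Added example: local netsh equivalent of the group-policy setup described above.
rem The 192.0.2.x addresses are constructed placeholders, not values from the thread.

rem Keep the firewall on for the domain profile, with exceptions honoured.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem Broad setting, for contrast: every host on the local subnet can reach this
rem workstation's shares, so the firewall does nothing against share-borne worms.
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN

rem Restricted setting: only the listed machines can reach file and printer sharing.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.0.2.10,192.0.2.11,192.0.2.50 profile=DOMAIN

rem Check the resulting scope for File and Printer Sharing.
netsh firewall show service
```

When the firewall is managed through group policy, as in the post, the policy settings take precedence over these local ones.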