Use XP Firewall with Router & Firewall?

Is it recommended to turn on and use the XP Firewall on workstations even if our network sits behind a router with its own Firewall? Will this cause problems? Until the last XP service pack, I only used the XP firewall when connecting from home or on the road. Now all connections are firewalled by default. Thanks.

John

SP2's Firewall's most important virtues, I think, are its improved compatibility with internal LANs and its configurability via group policies. Now, there's a simple, cheap tool that system admins can use to protect the LAN workstations from that occasional - but not rare enough - fool who manages to bypass the perimeter firewall and manually install some malware that could then spread throughout the LAN via shared drives.

Bruce Chambers

On Tue, 08 Mar 2005 19:47:57 -0700, Bruce Chambers

There may be a shadow over that, given recent concerns about how File and Print Services can be erroneously mapped to the whole Internet.

"Why do I keep open buckets of petrol next to all the ashtrays in the lounge, when I don't even have a car?"

cquirke (MVP Windows shell/use

A possibility, if there's no perimeter defense in place. Why does every silver lining have to come with a dark cloud? ;-}

Bruce Chambers

Leythos wrote:

We enable the firewall using group policies and limit file & printer sharing access to a few machines in the domain - mainly servers and certain administrators' machines. This limits accessibility to the individual workstations' shares to only a few machines and completely prevents one authenticated user from mapping shares on another user's PC and effectively stops the spread of most worms UNLESS one of the few machines that are allowed access to the workstations in the domain gets infected, which is much less likely than the users themselves getting infected.

Shenan Stanley
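
The scope restriction described in the post above, shown as an added example that is not part of the original thread or the poster's own configuration: it uses the local `netsh firewall` context of Windows XP SP2 in place of the group policy the post mentions, with the unrestricted setting left commented out beside the restricted one. The IP addresses are constructed placeholders standing in for the few servers and administrator machines allowed to reach workstation shares.

```batch
@echo off
rem Added example for Windows XP SP2; run from an administrator command prompt.
rem All addresses below are constructed placeholders, not values from the thread.

rem Make sure the firewall is on for the domain profile.
netsh firewall set opmode mode=ENABLE profile=DOMAIN

rem Weak setting, shown for contrast only: file and printer sharing is
rem reachable from every source address, so any workstation can map shares
rem on any other workstation.
rem netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=ALL profile=DOMAIN

rem Restricted setting: only the listed servers and administrator machines
rem may reach this workstation's file and printer sharing ports.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.10.5,192.168.10.6,192.168.10.20 profile=DOMAIN

rem Off the domain network (standard profile): no file and printer sharing.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=STANDARD

rem Check the result: the service list shows mode and scope per profile,
rem the state output shows which profile is active and which ports are open.
netsh firewall show service
netsh firewall show state
```

Because the domain profile only applies while the machine can reach its domain, the standard-profile line is what protects a laptop at home or on the road.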

We also limit file and print sharing to only those workstations where there is no other economically feasible work-around.

Bruce Chambers

"Depth" means not assuming perimeter defences will hold, and thus planning what to do when these are breached. De facto scopes are your friend; hardening against PC to PC spread within LAN is guud.

Hmm... I think blurring LAN and Internet awareness is a very serious matter, especially where F&PS are concerned, and especially when the OS is dumb enough to have hidden writable shares exposing the startup axis and OS, and with known names at that. Win9x wasn't *that* dumb.

We had this problem in Win9x, but in a different way. That OS was dumb enough to bind everything to everything by duhfault, whenever network settings were nudged. It was quite common to do something or other, then find IPX, NetBEUI and TCP/IP bound to both LAN and DUN, with F&PS bound to all of the above.

Seems like the more things change, the more they stay the same?

"Why do I keep open buckets of petrol next to all the ashtrays in the lounge, when I don't even have a car?"

cquirke (MVP Windows shell/use
