2. Service Pack Firewall Modifications
The security changes in Windows XP SP2 represent a radical departure
from earlier versions of Windows. SP2 makes security configuration
changes that interfere with the normal operation of Windows
applications: both Microsoft and third-party programs may have to be
adjusted before they will continue to run after SP2 is applied. This is
a departure from traditional Windows updates, which usually added
features and corrected bugs while seeking to preserve compatibility.
SP2 changes are of interest to those who administer Windows Server 2003
networks because they provide additional centralized management
features, change the default behavior of clients on the network, and are
representative of the changes in SP1 for Windows Server 2003. All
service packs introduce change into a network and should be carefully
reviewed before installation. SP2 for Windows XP, however, makes radical
changes that can interfere with the management of network clients.
Because the Windows XP SP2 firewall is enabled by default, and its
default behavior is to block all unsolicited incoming traffic, network
management and local computer services will be disrupted. Table 9-1
lists specific tools, applications, and services that are affected.
Treat it as an illustration of the type of issue that will occur, not as
a definitive list of problems. Remote use of common Microsoft Management
Console (MMC) based administration tools will be blocked. If the local
computer offers network services (for example, web services), access to
those services may be blocked as well. Administrators should review the
impact this will have in their organization and, where necessary, modify
the Firewall INF file (netfw.inf in the SP2 installation sources) before
installing SP2. In a domain, the firewall can be controlled using Group
Policy.
Table 9-1. Examples of tools and services blocked by default

Item | Specifics
---|---
Management Tools | SNMP, WMI, remote use of netsh or MMC snap-ins, Remote Assistance, Remote Desktop
Network Services | File and print sharing, message queuing, web services
Listening Services | Universal Plug-and-Play (UPnP), Routing Information Protocol (RIP)
Applications | Instant messaging, peer-to-peer network programs

Note: SP1 for Windows Server 2003 does not enable the firewall by default.
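The following fragment is an added example, not text from this chapter, showing the shape of a change you might make to the Firewall INF file (netfw.inf) before deploying SP2. The registry paths are the ones the SP2 firewall reads its profile settings from, and the section names follow the shipped file; the particular values (firewall on with exceptions and a subnet-scoped Remote Desktop opening in the domain profile, firewall on with no exceptions in the standard profile) are assumptions chosen for illustration and should be checked against your own copy of netfw.inf.

```inf
; Added example of a netfw.inf fragment (not the chapter's own text).
; Registry paths are those used by the SP2 firewall; the chosen values are
; assumptions for illustration.

[Version]
Signature = "$Windows NT$"

[DefaultInstall]
AddReg = ICF.AddReg.DomainProfile, ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]
; 0x00010001 = REG_DWORD. On the domain: firewall on, exceptions allowed.
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DoNotAllowExceptions",0x00010001,0
; Suppress the notification balloons on managed clients.
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableNotifications",0x00010001,1
; 0x00000000 = REG_SZ. Port exception format: port:protocol:scope:Enabled|Disabled:name
; Scope "*" means any source; "LocalSubnet" restricts it to the local subnet.
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","3389:TCP",0x00000000,"3389:TCP:LocalSubnet:Enabled:Remote Desktop"

[ICF.AddReg.StandardProfile]
; Off the domain (for example a laptop on a hotel network): firewall on, no exceptions.
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,1
```

The point of editing the INF rather than fixing machines afterwards is that the settings are in place the first time the firewall service starts, so remote management never breaks. In a domain, Group Policy settings under the same FirewallPolicy key (the Policies hive) take precedence over these local values once they apply.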
2.1. Modifications
The Windows XP firewall is turned on by default after the installation
of SP2. The following are a few key changes to the firewall and its
administration:
Security Center
A new service, the Security Center, is added to help end users manage security.
Startup security
This protects the computer during system boot, before the firewall service is operational.
Firewall INF File
This allows you to configure Windows Firewall behavior through the INF file used during SP2 installation.
Control Panel Firewall Applet
This allows you to configure the firewall from a new Control Panel applet.
Windows registry control of alerting and notification
Three registry settings are available to control the alerting and notification feature.
New Group Policy settings
These enable better central management of firewall behavior.
Netsh commands
A new netsh firewall context sets firewall configuration from the command line and from scripts.
A couple of these changes (the Security Center and startup security)
deserve some extra attention.
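Before looking at those two, here is an added example (not from this chapter) of the netsh approach: a batch file that uses the XP SP2 netsh firewall context to keep the post-SP2 default of blocking unsolicited inbound traffic while restoring exactly the remote administration paths from Table 9-1 that an administrator needs. The management subnet, the web service port, and the log path are assumptions for illustration.

```batch
@echo off
REM Added example, not the chapter's own script: restore remote management on a
REM Windows XP SP2 domain client without turning the firewall off.
REM 10.0.5.0/24 (management subnet), TCP 80 and the log path are assumed values.

REM 1. Record the post-SP2 default before changing anything.
netsh firewall show state
netsh firewall show config

REM 2. Keep the firewall on in the domain profile and keep exceptions enabled.
REM    exceptions=DISABLE would silently override every exception below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

REM 3. Remote administration (RPC/DCOM on TCP 135 plus the hosting svchost) is
REM    what remote MMC snap-ins and WMI need. Scope it to the management subnet
REM    instead of ALL so the exception is not reachable from every host.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=10.0.5.0/24 profile=DOMAIN

REM 4. Remote Desktop and File and Print Sharing are separate built-in services.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=10.0.5.0/24 profile=DOMAIN
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN

REM 5. A locally hosted web service needs an explicit port opening.
netsh firewall add portopening protocol=TCP port=80 name="Intranet web" mode=ENABLE scope=SUBNET profile=DOMAIN

REM 6. Allow inbound echo request (ICMP type 8) so monitoring can ping the host.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN

REM 7. Turn off notification balloons on managed machines; a user clicking
REM    "Unblock" is how unmanaged exceptions creep in.
netsh firewall set notifications mode=DISABLE profile=DOMAIN

REM 8. Log dropped packets so a blocked management tool is visible in the log.
netsh firewall set logging filelocation=%windir%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

REM 9. Show the resulting configuration for review.
netsh firewall show config
```

Two caveats a practitioner will want: these commands change the local policy only, and once the firewall Group Policy settings described above are applied to the machine they take precedence, so a netsh script is best used for standalone machines or as a pre-Group-Policy stopgap; and nothing here touches the standard (non-domain) profile, which stays at the SP2 default and so stays closed when the laptop leaves the network.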
2.1.1. Security Center
A new service, the Security Center, is added. The Security Center
monitors security services such as a host firewall, Windows Update, and
local antivirus protection, and provides a central location for changing
security settings. It may also be able to determine whether the antivirus
protection is up to date. When it detects a problem, the Security Center
shows a red icon in the notification area of the user's taskbar and
displays an alert message at logon with links to its interface. This
feature is turned on by default for XP computers in a workgroup, but
turned off by default for computers joined to a domain. Figure 9-13 shows the Security Center on a computer where no virus protection is provided. (Note the alert.)
The Security Center is not turned on for clients joined to a domain. If
you wish to turn it on for them, a Group Policy setting can be used. The
setting is "Turn on SecurityCenter (computers in Windows domains only)"
and is located under Computer Configuration → Administrative Templates →
Windows Components → Security Center. By default it is Not Configured,
as shown in Figure 9-14.
2.1.2. Startup Security
A new boot-time Windows Firewall policy performs stateful packet
filtering from the moment the network stack starts until the firewall
service has started successfully. This means that startup tasks such as
the DHCP and DNS client traffic can complete, because replies to
requests the computer sent are allowed back in, while unsolicited
inbound traffic is dropped. Once the firewall service has loaded, the
boot-time policy is replaced by the configured run-time policy.