April 27, 2004 12:00 AM

Meet Windows Firewall

Get the lowdown on XP SP2's successor to ICF
Windows IT Pro
InstantDoc ID #42293

In the wake of last year's Blaster worms, Microsoft decided to delay Windows XP Service Pack 2 (SP2) until the company could incorporate more security into the service pack. One step the company decided to take in SP2 is to automatically turn on XP's Windows Firewall (formerly Internet Connection Firewall—ICF) for all NICs.

This is a drastic step, and one that can make XP work differently from the way you expect it to, whether in a corporate domain or a home workgroup. By "work differently," I mean cause things that used to work to stop working. Administrators whose hands are already full will greet this news with a rueful sigh and might simply turn off Windows Firewall—certainly that was my first inclination. After thinking about it, though, I decided to leave Windows Firewall on. However, I discovered that I needed to relax its constraints a bit because Windows Firewall's default setting disables all remote control and remote support tools.

Whether you decide to disable Windows Firewall or modify its settings, you'll probably want to implement your decision over dozens, hundreds, or thousands of systems as easily as possible. In this article, I show you how to turn Windows Firewall on and off and configure the firewall's domain and mobile profiles. In a future article, I'll handle the finer settings.

How Windows Firewall Works
First, what exactly does Windows Firewall do? It examines and potentially blocks only incoming traffic—it doesn't affect outgoing traffic. By default, Windows Firewall rejects all incoming traffic unless that traffic is in response to a previous outgoing request.

For example, if I open Microsoft Internet Explorer (IE) from my XP box and type www.cnn.com in the Address bar, IE causes the system to send a request to CNN for its home page. Windows Firewall doesn't block the outgoing traffic, but it does note where that traffic is going. A few moments later, CNN's Web server tries to send IE the data that it requested. Windows Firewall sees the incoming traffic, determines that it's from www.cnn.com—a site to which my system had sent a request—and lets the traffic pass. Basically, Windows Firewall ensures that you can communicate with the rest of the Internet and with your intranet as long as your system initiates the conversation.

In contrast, suppose an outside system—perhaps one that's infected with the Blaster worm—tries to strike up a conversation with my XP system. The external system attempts to send a packet to port 135 on my system, trying to infect my system with Blaster. Because Windows Firewall doesn't interpret this communication as a response to a conversation that my system initiated, the firewall discards the packet. In a sense, Windows Firewall says to the network, "Speak to me only when I speak first."
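The "speak to me only when I speak first" rule above is a stateful inbound filter. The following is an added teaching model of that policy, not Microsoft's code: outbound packets are always allowed but recorded, and an inbound packet passes only if it answers a recorded conversation. All addresses and port numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class StatefulInboundFilter:
    """Constructed model of Windows Firewall's default behaviour as the article describes it."""
    local_ip: str
    # Conversations this host started, keyed as (proto, remote_ip, remote_port, local_port).
    state: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> str:
        """Outgoing traffic is never blocked; note where it went."""
        self.state.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        """Incoming traffic passes only if it replies to a conversation we began."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        return "allow" if key in self.state else "drop"


def demo() -> Dict[str, str]:
    fw = StatefulInboundFilter(local_ip="192.0.2.10")
    results: Dict[str, str] = {}
    # 1. Local browser asks a web server (constructed address) for its home page.
    fw.outbound(Packet("tcp", "192.0.2.10", 49152, "203.0.113.5", 80))
    # 2. The web server's reply returns to the same local port: allowed.
    results["web_reply"] = fw.inbound(Packet("tcp", "203.0.113.5", 80, "192.0.2.10", 49152))
    # 3. Unsolicited packet to port 135, the port the article says Blaster targets: dropped.
    results["unsolicited_135"] = fw.inbound(Packet("tcp", "198.51.100.7", 3120, "192.0.2.10", 135))
    # 4. Same server, but from a port we never talked to: not our conversation, dropped.
    results["wrong_port"] = fw.inbound(Packet("tcp", "203.0.113.5", 8080, "192.0.2.10", 49152))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```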

What would happen if you enabled Windows Firewall on a system inside your intranet—an intranet connected to a domain? You might at first think that rejecting all communications except for those initiated by a client would somehow inhibit a workstation's usual participation in a domain—certainly that was my initial, hasty conclusion. After some thought, however, I realized that all domain communication is initiated by a client: The client asks to log on, the client asks for Group Policy refreshes, the client asks for roaming profiles, and so on. To test this theory, in September 2003, I enabled Windows Firewall on several XP workstations in my Active Directory (AD)-based domain. Since then, I haven't experienced any loss in domain function. However, as I mentioned earlier, my remote administration tools don't work unless I disable or modify Windows Firewall.

Your network might experience problems mine didn't. For example, I know someone who, after enabling the pre-SP2 firewall, lost the ability to browse Network Neighborhood and map to shares. Realize that every network segment needs a browse master—a machine that creates a census of servers on its segment. Any server can act as a browse master, and in most networks every workstation is a server. On a segment that doesn't have an actual server, such as a file server or print server, some workstation takes up the job of browse master. But in a segment that's populated only by workstations that have a personal firewall installed, no system would step forward to assume the role of browse master and Network Neighborhood browsing would fail. You'd also see that behavior on a segment populated only by SP2-equipped XP systems unless you modified the firewall on at least one system on the segment to open the port and allow that system to function as a file and print server.

Let's start looking at the most fundamental aspect of Windows Firewall control: turning it off and on. You can disable and enable Windows Firewall under SP2 in three ways: through the GUI, from the command line, and through Group Policy.

Comments
  • Anonymous User
    7 years ago
    Feb 22, 2005

    Well, I think it is a bloody awful thing.
    I can't even get it to work on a simple Internet machine with one attached PC using Windows networking. Only one machine can access the Internet at a time if I have file sharing turned off; turned on, it all goes potty on its own.

  • IT
    8 years ago
    Oct 27, 2004

    I've really been concerned about having Firewall enabled inside my domain, but we've been doing some testing and it seems ok. This article helps convince me that we're doing the right thing.
