Transcript: Windows XP SP2 Firewall, November 10, 2004

Published: October 27, 2004

Chat Date: November 10, 2004

Please note: Portions of this transcript have been edited for clarity

Introduction

rebecca_ms (Moderator):
Welcome to today’s chat about the Windows Firewall in Windows XP SP2. The Windows Firewall product group can answer questions about anything from configuration to group policy management. We are pleased to welcome our experts for today. I will have them introduce themselves now.

Michael_MS (Expert):
I am Michael Surkan, and am a Program Manager in the Windows Firewall group.

Pat_MS (Expert):
I'm Pat and I am the test lead for the Windows Firewall.

Joe_MS (Expert):
I am a technical writer for networking topics in the Windows Networking and Devices group.

Chris Mitchell (Expert):
I'm Chris, I'm the Group Program Manager for the Windows Firewall team.

Wajih_MSFT (Expert):
I am Wajih and I am a Program Manager for IPSec.

rebecca_ms (Moderator):
…and your pleasant host, Rebecca. We will try to answer as many questions as we can today. Participants should type their questions, click “Submit a question,” and click “Send.” Those posts will go into a private queue, from which our experts will draft answers and repost questions in the upper window with their answers. (To confirm: if you clicked “Submit a question” when you posted, you don’t need to resubmit.) We’ll get to them as soon as we can before the end of the chat (11 a.m. Pacific).

Pat_MS (Expert):
Howdy

rebecca_ms (Moderator):
You can start asking your questions now!

Start of Chat

rebecca_ms (Moderator):
Q: So does this mean no one can help me with my problem?
A: Marley, if your question is about the Windows XP SP2 firewall, we can try to answer it.

Pat_MS (Expert):
Q: We are about to roll out Win XP with SP2 at our organization. Some techs are suggesting that we turn off the firewall for internal users (desktops) but turn on the firewall for laptop users that travel. What are your suggestions on this?
A: We definitely recommend having the firewall on for your laptop users since they will roam on public networks. For your internal network, it depends on what applications you have that require machines to listen on the network.

Pat_MS (Expert):
Q: Are there any benefits in using multiple firewalls?
A: Not really. You will most likely run into more problems than solutions by running multiple firewalls.

Michael_MS (Expert):
Q: I know one reason to run the XP SP2 firewall, even if you have a hardware firewall in your router, is that it will also watch outgoing traffic from your PC. Are there any other compelling reasons to use SP2's firewall in addition to a hardware firewall?
A: Yes, there is value in running the Windows Firewall even if you have a hardware firewall if there are any other computers on your network. A host firewall (like the Windows Firewall) will protect you from possible attacks that could come from other computers in your own network. In other words, there is no such thing as a "safe" network anymore.

Pat_MS (Expert):
Q: I have a 3rd party firewall, can I use the Windows XP firewall with my firewall? Will it cause any problems?
A: No, it shouldn't. We did a lot of testing with our firewall and third party firewalls and didn't find any issues. That being said, it isn't necessary to use 2 firewalls on a machine.

Pat_MS (Expert):
Q: Can the Windows Firewall be the cause of the MS Business Contact Manager error: "There was a problem connecting to the database engine"?
A: Possibly, if the database sits on a remote machine that is firewalled.

Michael_MS (Expert):
Q: I have a 3rd party firewall, can I use the Windows XP firewall with my firewall? Will it cause any problems?
A: The Windows Firewall will co-exist with virtually all 3rd party host firewalls. However, running multiple firewalls doesn't make you more secure. Our recommendation is that you only use one host firewall on your system. If you prefer the features of an add-on firewall, then we suggest you turn off the Windows Firewall. This simplifies the management complexity of having to configure multiple firewalls for open ports, etc.

Michael_MS (Expert):
Q: I currently run Norton’s firewall and SP2. Would it be recommended that I turn off one? And which one should I turn off?
A: The Windows Firewall will co-exist with virtually all 3rd party host firewalls. However, running multiple firewalls doesn't make you more secure. Our recommendation is that you only use one host firewall on your system. If you prefer the features of an add-on firewall, then we suggest you turn off the Windows Firewall. This simplifies the management complexity of having to configure multiple firewalls for open ports, etc.

rebecca_ms (Moderator):
For those just joining us, today’s chat is about the Windows Firewall in Windows XP SP2. The Windows Firewall product group can answer questions about anything from configuration to group policy management. To post a question, please click “Submit a question,” type your question, and click “Send.” That way, we can track which questions we still need to answer.

Wajih_MSFT (Expert):
Q: what is the firewall supposed to do??
A: A firewall is a security mechanism that is used to filter data before it gets to your machine. The goal is to protect your machine (or network) from outside intrusion. The firewall rules can be specified based on different criteria (port type, application exceptions). A firewall can be software or a device. In short, a firewall blocks traffic going into your machine except for what you have allowed.

Pat_MS (Expert):
Q: After upgrading to XP SP2, I strangely can't seem to use my Nero Burning ROM, and also the starting up of my laptop takes ages. Is this compromise worth it when comparing to the security provided by Windows Firewall?
A: What you are seeing isn't firewall related. That being said, our app compat testing hasn't found any issues with Nero that I am aware of. Personally, I use it at home running SP2 with no problems. Have you tried updating Nero?

Michael_MS (Expert):
Q: After upgrading to XP SP2, I strangely can't seem to use my Nero Burning ROM, and also the starting up of my laptop takes ages. Is this compromise worth it when comparing to the security provided by Windows Firewall?
A: From what you are saying in the question, I assume that this application compatibility issue is generic to SP2, and not necessarily

Pat_MS (Expert):
Q: shois: I have been watching my pfirewall.log and wonder if I should block sites when I see dropped TCP messages addressed to my IP (in spite of my router firewall). These messages usually follow TCP connections to web host sites and are from those sites.
A: You could certainly do this; however, if your machine is actually on the Internet, then your log will fill up daily, and very quickly. It sounds like the firewall is doing what it is supposed to do, so I would allow the packets to be dropped and save yourself the headache of daily adding new sites to your 'drop' list.

Pat_MS (Expert):
Q: Unfortunately I am not sure how to update Nero; the copy of Nero I had was bundled with my laptop.
A: Try visiting their site and looking for an SP2 update. Even if you have a bundled version, it should be updatable.

Pat_MS (Expert):
Q: The database is on the local machine, and I have configured the firewall to pass 1433 TCP and 1434 UDP
A: If the DB is local, then the error is stemming from somewhere else, not the firewall.

Michael_MS (Expert):
Q: After upgrading to XP SP2, I strangely can't seem to use my Nero Burning ROM, and also the starting up of my laptop takes ages. Is this compromise worth it when comparing to the security provided by Windows Firewall?
A: There is no simple answer as to how to make the decision between using the Windows Firewall or some application that may not work due to app compat issues. It all depends on how important the particular app that won't work with SP2 is to you. SP2 offers a lot of security improvements, which can help protect your system from future attacks. My suggestion would be to contact the vendor of the software that isn't working with SP2 and ask if they have a fix to solve the problem.

Pat_MS (Expert):
Q: What pfirewall.log entries concern you?
A: That is hard to say since the log is VERY chatty. If you are seeing many Event Logs, that would be more concerning. Also, if your machine is NOT the boundary machine, and the pfirewall.log is full, then I would check to see if you are protected at all.

Chris Mitchell (Expert):
Q: After I installed SP2, one of my computers is not accessible on the local peer-to-peer net in my home. I get the message "not enough server storage is available to process this command".
A: Bill, sorry to hear you're having problems after updating. There may be a lot of reasons why this could happen. I would suggest reviewing the KB articles at: http://support.microsoft.com/search/default.aspx?mode=s&cat=false&query=%22Not+enough+server+storage%22&srch=sup Thanks.

Pat_MS (Expert):
Q: I used GPO to disable Automatic Update since the IT admin will take care of it. How can I restrict a user from clicking Windows Update on the Start Menu to download unauthorized Windows Updates?
A: You can use GP to also limit what is seen in the Start menu, so if you don't want the browser seen in the Start menu, that is controllable via Group Policy as well. I have seen this work very well at customer sites, mainly schools.

Wajih_MSFT (Expert):
Omoba: My guess is that the signatures are outdated. Contact Norton and see if they can tell you how to force the Norton signatures to update.

Michael_MS (Expert):
I would be very interested in hearing about what experiences people have had with the Windows Firewall. Is it generally easy to use? Does it work with your applications?

Pat_MS (Expert):
Q: Hello, I have a computer with the OS XP. I have a screen that says "windows exception error at" and then it has a bunch of letters and numbers. My recovery disk is installed on the computer, and then it says if I would like to send an error report to Microsoft. What do
A: Click the "Send Error Report" button. By doing so, you might be referred to a site where there is a solution to your problem.

Pat_MS (Expert):
Q: My computer is behind a router. Is it normal for Windows Firewall to drop some Internet messages addressed to my LAN IP? Or does it indicate a hole in my router firewall?
A: It depends on how you define "normal". Is your router a NAT as well?

Wajih_MSFT (Expert):
Q: This is Dave seeking expertise on managing multiple users on a single computer using XP Home.
A: One solution would be to use Windows security groups: create Windows security groups and add users to them.

Michael_MS (Expert):
Q: We are looking to deploy SP2 at my location of about 1700 desktops... We have a corporate firewall (CheckPoint), and an enterprise level desktop firewall (Trend). Is there any issue to be aware of if we decide to disable the firewall?
A: There is no such thing as a "safe" network, as long as there is more than one device connected to it. As soon as one machine gets infected, it can start initiating attacks. Microsoft recommends that all PCs should be running host firewalls to help protect them from possible attacks. That said, if you already have a third party firewall that you like, we recommend you turn off the Windows Firewall when SP2 is installed. There are no problems with having a third party firewall running with SP2, and turning off the Windows Firewall.

Pat_MS (Expert):
Q: It's a "stateful" firewall, but I've never understood the difference, if any, between NAT and stateful.
A: A "stateful" firewall will keep track of what ports you have open, and in some cases what applications or processes have handles to those open ports. A NAT (Network Address Translator) does address translation between a private and public interface. Most home routers these days also do NAT functionality, but you have to configure it to do so.

Pat_MS (Expert):
Q: Alright, but can I format it and reinstall the OS and my recovery disk still be built in? My recovery disk is on a partition all by itself.
A: I'm not sure I understand what you are asking in comparison to your previous question. You can certainly re-install your OS, but until the OS is re-installed, you won't have access to the second partition.

Pat_MS (Expert):
Q: Do you see Bill Gates in the Microsoft building anytime, or have you ever seen Bill Gates?
A: We have many buildings at Microsoft, and Mr. Gates is very quick, so it is usually pretty hard to get a glimpse of him.

Michael_MS (Expert):
Q: Popular insurance site generates loss control reports in html. To print the report users have to hit a "Format to Print" button that converts it to PDF and sends it over. The Firewall blocked the PDF without any error or indication. I found it though.
A: How do you know it was the firewall that was blocking the PDF file? The firewall allows responses to outgoing requests, so the scenario you mentioned would not have been impacted by the firewall.

Chris Mitchell (Expert):
Q: Popup Blocker will appear after SP2 installed. How can an IT admin control it or set a company wide standard?
A: Jeremey, I assume you are asking if you can control the popup blocker via Group Policy or some other centralized solution. I would suggest reviewing the following TechNet article: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2brows.mspx. I hope that helps. Thanks.

Michael_MS (Expert):
Q: Windows Firewall will occasionally drop internet communication for apps that I have configured permission for (eg Napster). The app functions but I wonder what it’s missing.
A: Are you sure the firewall is dropping the traffic? Have you checked the log files for dropped packets to verify? If you have created an exception for your application there is no reason the Windows Firewall would be dropping traffic for it.

rebecca_ms (Moderator):
We will need to wrap up this chat in about 5 minutes. Please post any other questions (click “Submit a Question”) that you would like us to answer. Thanks.

Michael_MS (Expert):
Q: As soon as I turned off blocking all reports came through.
A: The only situation I can think of where the firewall could be blocking files you click on in a web site would be if the file was actually being transferred via FTP, and not HTTP. HTTP file transfers should work fine, but FTP might require you create exceptions for an FTP client to make it work properly. I wonder, however, if when you refer to "blocking" you are actually talking about the pop-up blocking in Internet Explorer and not the Windows Firewall itself.

Pat_MS (Expert):
Q: Yes, I checked the pfirewall.log and it is in that log that I noticed it. Napster seems to have multiple IPs for various functions (e.g. cache.Napster). I think this has something to do with it...
A: Yep, that is your problem. There are other pieces of software that do the exact same thing. From what I have seen, media players will do this as they are trying to push advertising to you, which is most likely what Napster is doing. I wouldn't worry too much about this, as it sounds like the firewall is doing exactly what it should be, and what you want it to be.

rebecca_ms (Moderator):
Thank you for joining us today on a Microsoft Community Chat to talk about the Windows Firewall in Windows XP SP2. I would like to thank our experts, and the rest of you for your questions and comments. If you would like further information on this topic please visit the following URLs: http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.setup_deployment&lang=en&cr=US and http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=Windows+Firewall

Pat_MS (Expert):
Q: Thanks!
A: No problem, hopefully this was helpful.

Michael_MS (Expert):
Q: SP2 FW is only controlling incoming traffic. Why can I see outgoing traffic in ICMP Settings?
A: Although the Windows Firewall generally only blocks unsolicited incoming traffic, it does have some limited support for blocking outbound ICMP messages. You can configure what ICMP traffic you wish to allow going out of your system.

rebecca_ms (Moderator):
Thank you for joining us today on a Microsoft Community Chat to talk about the Windows Firewall in Windows XP SP2. I would like to thank our experts, and the rest of you for your questions and comments. If you would like further information on this topic please visit the following URLs: http://www.microsoft.com/windowsxp/expertzone/newsgroups/reader.mspx?dg=microsoft.public.windowsxp.setup_deployment&lang=en&cr=US and http://search.microsoft.com/search/results.aspx?st=b&na=88&View=en-us&qu=Windows+Firewall. Remember there will be another chat on December 8! Our experts are wrapping up their final questions right now.

Chris Mitchell (Expert):
Q: Does Windows Firewall create any issue if you have another firewall installed, like the one that comes with the Cisco VPN client, PC-cillin Internet Security, etc.?
A: Kliph: We have worked with many third party firewall vendors to ensure compatibility; however, in some cases you may need to update the other product. I would suggest contacting your vendor to make sure that the product in question will work with the SP2 Windows Firewall.
