Transcript: Windows XP SP2: Windows Firewall, January 12, 2005

Published: February 2, 2005

Chat Date: January 12, 2005

Please note: Portions of this transcript have been edited for clarity

Introduction

rebecca (Moderator):
Welcome to today’s chat about using and managing the Windows Firewall in Windows XP SP2. The Windows Firewall product group can answer questions about anything from configuration to group policy management. Please keep your questions limited to the subject of the firewall. We are pleased to welcome our experts for today. I will have them introduce themselves now.

Michael [MS] (Expert):
I am a program manager with the Windows Firewall.

rebecca (Moderator):
…and your pleasant host, Rebecca. We will try to answer as many questions as we can today. Participants should type their questions, click “Submit a question,” and click “Send.” Those posts will go into a private queue, from which our experts will draft answers and repost questions in the upper window with their answers. (To confirm: if you clicked “Submit a question” when you posted, you don’t need to resubmit. We’ll get to them as soon as we can before the end of the chat (11 a.m. Pacific).)

rebecca (Moderator):
We will post a transcript of the upper window within a few days at http://msdn.microsoft.com/chats/transcripts/default.aspx. Let’s begin the chat. Feel free to ask your firewall questions now.

Joe_MS (Expert):
I am a technical writer for the Windows Networking and Devices group.

Michael [MS] (Expert):
I am curious to hear if any of the chat participants are using the XP SP2 Windows Firewall. Has anyone disabled it?

rebecca (Moderator):
Remember that to address a question to our experts, you should type your questions, click “Submit a question,” and then click “Send.”

Start of Chat

Michael [MS] (Expert):
Q: We are using group policies to manage the exception for the firewall. The problem is we have about 500 users with laptops that don't get our policy, but they need the SP for the added protection. Any ideas?
A: For machines that aren't using group policy, you could create login scripts to set policy.

Michael [MS] (Expert):
Q: About the Firewall, and the Security Center alerts when it goes down. When spyware is removed, winsock is usually damaged, and the firewall goes down. Is it possible the firewall could issue that info thru security center, to users? 'winsock down'
A: Thank you for the suggestion. We will consider this as a way to improve the product in the future.

Michael [MS] (Expert):
Q: Are there plans for future versions of the Windows Firewall to catch attempts to get OUT to the internet?
A: There are no plans to implement outbound filtering in the Windows firewall at this time. Some of our research has shown that this is very hard to make work for most users, since most people aren't really sure what should, or shouldn’t, be allowed to go out. Throwing up lots of pop-ups gets a lot of people confused.

Joe_MS (Expert):
Q: Is the Windows Firewall a basic solution that gets people started, but would be better with a full-blown firewall? Something similar to the built-in defragmentation software.
A: Windows Firewall is designed for basic firewall functionality to protect computers from unsolicited incoming traffic. If customers need a more fully featured firewall (such as the ability to monitor both incoming and outgoing traffic), then they should purchase one and disable Windows Firewall.

Michael [MS] (Expert):
Q: Trouble with Internet Explorer accessing any web sites with the SP2 firewall activated. Takes 3 or 4 refreshes to finally get the page up. Is there a fix for this, besides having to put all the web pages in the trusted zone? No problem before SP2 firewall.
A: Are you sure this is a Windows Firewall issue? If you turn the Windows Firewall off does this problem go away? There were a lot of changes in IE for SP2 that change the way it behaves with security. From what you describe it sounds like this may be related to IE security behavior.

Michael [MS] (Expert):
Q: regarding your answer re: outbound connections... Why not make it an option (Expert Mode)?
A: This is something we can consider for the future. Thanks for the suggestion.

rebecca (Moderator):
Q: Can XP Home and Pro PCs run local logon policies same as server policies?
A: Can you clarify your question and how it relates to the firewall? Please repost it when you do. This will make it easier for our experts. Thanks!

Michael [MS] (Expert):
Q: Is it normal for IE to load pages much slower after the SP2 update? I have several machines on the LAN now taking longer to web than before. Is there a way to speed up access?
A: No, I don't think IE should necessarily be slower. However, you might want to post your question on an IE related newsgroup. My expertise is related to the Windows Firewall. :)

Michael [MS] (Expert):
Q: By creating logon policies per user if firewall is on or off and settings for firewall per user.
A: The Windows Firewall does not support per-user settings. It doesn't really make sense to allow an exception to expose a given machine to attack when one user is logged in but not another.

rebecca (Moderator):
For those just joining us, today’s chat is about using and managing the Windows Firewall in Windows XP SP2. The Windows Firewall product group can answer questions about anything from configuration to group policy management. To post a question, please click “Submit a question,” type your question, and click “Send.” That way, we can track which questions we still need to answer.

Michael [MS] (Expert):
Q: To make it a little clearer: IE is only slower with the firewall on; if it is off, speed is the same as before the update.
A: IE shouldn't be slowed down just because the Windows Firewall is on. Thanks for telling us about this, we can try and experiment more with this ourselves. Is IE slower ALL the time, or just with certain web sites? Also, from what you are describing, you seem to say it is only slower to get the initial connection, but subsequent use of a given site would have no speed degradation, right?

Joe_MS (Expert):
Q: We presently have a CyberGuard corp firewall and will be considering the Pros/Cons of enabling the personal F/W once we roll out SP2. Have there been many studies by MS or others on a similar architecture? or are there known issues?
A: Many companies use the combination of an Internet edge firewall and host-based firewalls such as Windows Firewall, and in fact it is the recommended configuration. Because the firewalls are running on separate computers, there should be no conflicts or issues.

Michael [MS] (Expert):
Q: What default ports should be considered for corporate environments, such as remote management, WMI queries? Basically, how do I not end up with a firewall that looks like Swiss cheese?
A: Our general guidance is to open as few exceptions as possible. You will have to look at what the needs are in your specific environment (e.g. what management tools you rely on, etc.) to determine which exceptions make the most sense.

Joe_MS (Expert):
Q: What layer does the SP2 F/W filter?
A: The Windows Firewall uses the Firewall Hook API within the IP component of the TCP/IP protocol as described in the Microsoft Developer Network (MSDN). Windows Firewall analyzes incoming packets before further processing by IP and other client protocols.

Michael [MS] (Expert):
Q: Do you have a specific recommendation NOT to run Windows F/W at the same time as another F/W, say Zone Alarm?
A: Yes. Our recommendation is that you only run one firewall on your system. Multiple firewalls do not make you safer, they just add complexity to security configuration (i.e. you have to configure BOTH firewalls).

Michael [MS] (Expert):
Q: With the firewall turned on, I can't open web pages or they are very slow. Turn off the SP2 firewall and they open right away. There is something in the firewall that is stopping this. Can you have this looked into, please?
A: Thanks for telling us about this. We will try this out and investigate.

Michael [MS] (Expert):
Q: Referring to chuck's question, our laptops already have a Sygate F/W, so can I assume the SP2 F/W should not be enabled on these, or is the answer the same as for most questions, i.e. "you will have to test this"? :S
A: We recommend that you turn off the Windows Firewall if you are using a third party product. Having more than one firewall does not make you safer and only makes policy configuration more complicated.

Michael [MS] (Expert):
Q: Will Windows throw out an alert if code/software makes changes (or tries) to Windows XP firewall settings?
A: If you turn on security auditing, the Windows Firewall will log every policy change that occurs. However, there are no pop-up notices when changes take place. Keep in mind that the Windows Firewall is focused on preventing unwanted traffic from getting in. It doesn't do any anti-virus or malware prevention once something gets on your system.

rebecca (Moderator):
Q: Trouble with Internet Explorer accessing any web sites with the SP2 firewall activated. Takes 3 or 4 refreshes to finally get the page up. Is there a fix for this, besides having to put all the web pages in the trusted zone? No problem before SP2 firewall.
A: For those just joining us, today’s chat is about using and managing the Windows Firewall in Windows XP SP2. The Windows Firewall product group can answer questions about anything from configuration to group policy management. To post a question, please click “Submit a question,” type your question, and click “Send.” That way, we can track which questions we still need to answer.

Joe_MS (Expert):
Q: Will Windows throw out an alert if code/software makes changes (or tries) to Windows XP firewall settings?
A: Windows Firewall will notify the user when an unknown application tries to listen on a port. To see changes in Windows Firewall settings, you must enable audit logging and view the entries in the security event log. See http://www.microsoft.com/downloads/details.aspx?FamilyID=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en for details.

Michael [MS] (Expert):
Q: I understand the common sense side of the firewall configuration, keeping ports to a minimum. More specifically: are there ports for Office apps that I need to consider so that it is not prompting the user every time they launch a Word doc or Excel workbook?
A: You can prevent users from being prompted for particular apps by adding the executables as exceptions in group policy, but setting the exceptions to "disabled". You would need to look up information for Office specifically to find out what ports they want to use.

Joe_MS (Expert):
Q: When looking at firewall logs, is there something to look for as an attacker, or are these just connections in general?
A: To see evidence of port scanning, look for log entries that try a consecutive series of ports. Also, look for entries that attempt to connect to well-known network resource ports (such as those for file or printer sharing or RPC endpoint mapper) from unknown IP addresses.

Michael [MS] (Expert):
Q: How can I distinguish F/W issues from IE issues? What security switch(es) do I need to reset to open http? I feel like I've tried every permutation of connection options and f/w exceptions, but no luck.
A: An easy way to tell if an issue is related to Windows Firewall is to turn the firewall off and see if it still occurs.

Michael [MS] (Expert):
Q: Are there any plans to add Advanced features to the SP2 firewall, including real-time analysis of current connections, process tree options (kill, kill-all), built in WHOIS, or graphical Traceroute?
A: No, there are no current plans for these features. Thanks for the suggestions though.

Joe_MS (Expert):
Q: I would think that the very least you could do is warn the user when the Firewall is being disabled (instantly at time of it being disabled) by code (since code could also change the way Security Center Alerts)
A: Currently, the Windows Security Center (the shield icon in the notification area) will inform you when the Windows Firewall is disabled.

Michael [MS] (Expert):
Q: Every day I notice an audit failure in the Security category in the Event Viewer. It says: "The Windows Firewall has detected an application listening for incoming traffic." That application is svhost.exe and port is 68. How do I fix this?
A: Unfortunately, svchost.exe can have many things running under it. You would need to determine which specific svchost service is trying to listen for traffic and determine if you wanted to allow it or not. If it was an app you wanted to allow listening, then you could just open port 68. You could check with IANA to see which service is officially mapped to port 68.

Joe_MS (Expert):
Q: There are known compatibility issues with SMS 2003 when the F/W is enabled. Are these the same issues with SMS 2.0?
A: Unfortunately, I am not an expert in SMS 2.0. Please send this question to smsdocs@microsoft.com and request that they add this information to http://www.microsoft.com/technet/prodtechnol/sms/sms2003/techfaq/tfaq03.mspx#EABAA.

Michael [MS] (Expert):
Q: SP2 firewall is good for people with little to no knowledge, but as XP Pro was advanced over XP Home, what plans are in the future for advanced firewall configuration options?
A: We have no plans at present to add features into the Windows Firewall, but we would welcome your suggestions.

Joe_MS (Expert):
Q: Is the Windows F/W capable of stealth running? If so, how?
A: If by "stealth mode", you mean that ICMP traffic is disabled, then Windows Firewall is capable of stealth mode and is enabled for stealth mode by default (unless the file and printer sharing exception is enabled, in which case ICMP echo traffic is allowed).

rebecca (Moderator):
For those of you asking questions that we can't answer here today, here is a link to Microsoft's support newsgroups: http://www.microsoft.com/communities

rebecca (Moderator):
One of our participants has posted a helpful link for those of you experiencing troubles with sound on your computer: http://support.microsoft.com/default.aspx?scid=kb;en-us;307918&Product=winxp

rebecca (Moderator):
We will need to wrap up this chat in about 5 minutes. Please post any other questions (click “Submit a Question”) that you would like us to answer. Thanks.

Michael [MS] (Expert):
Q: What type of footprint (resource-wise) does SP2 firewall take up?
A: You shouldn't notice much of an impact from running the Windows Firewall. Our tests showed the impact was negligible under normal usage. Performance impacts show up under extremely high traffic volume situations in server-type scenarios.

rebecca (Moderator):
As we wrap up today's chat, here are some links for you to look at for more information: Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en

rebecca (Moderator):
And here's another useful link: Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyID=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en

Michael [MS] (Expert):
Q: Is there a MS app that will permit me to Configure and Manage Domain Policies from my XP Workstation?
A: You can install the admin tool pack on an XP workstation to administer servers. Also, you can manage group policy just by loading the group policy MMC snap-in on any machine. Just point the MMC snap-in to the AD object you wish to manage.

rebecca (Moderator):
Thank you for joining us today on a Microsoft Community Chat to talk about the Windows Firewall in Windows XP SP2. I would like to thank our hosts Michael and Joe and the rest of you for your questions and comments. If you would like further information on this topic please visit the following. We will be chatting again next month on February 9 at 10 a.m. Pacific Time. Hope to see you then!

For further information on this topic please visit the following:

Newsgroups: Windows XP General Discussion
Transcripts: Read the archive of past Windows XP chats.
Website: Visit the home page for Windows XP