In my two most recent Web Exclusive VIP articles, "Countdown to XP SP2: Forced Protection" (April 2004, InstantDoc ID 42496) and "Countdown to XP SP2: Dealing with ICF" (April 2004, InstantDoc ID 42497), I discuss the Windows XP Service Pack 2 (SP2)—specifically, my initial reservations about the service pack's automatic enabling of Windows Firewall (the XP SP2 version of Internet Connection Firewall—ICF) and the tweaks you'll need to work around some of its behavior. Now that Microsoft has pushed back SP2's release date to later this year, I have more time to give you a quick overview of Windows Firewall's features.
XP SP2 will automatically turn on Windows Firewall, and (as I've mentioned) that behavior could give you some trouble. After all, the wisdom of enabling a software firewall on a system that's inside a corporate intranet is questionable. But the idea of turning on such a firewall on a system that's outside the office—one that's, say, connected to a coffee shop's wireless network, a hotel's high-speed Internet, or a home cable modem or DSL—isn't questionable at all. So, how might you tell your XP laptop to turn on its firewall only when you take it out of the office? Windows Firewall makes that task easy. At startup, Windows Firewall checks whether your system is logged on to a domain. If so, Windows Firewall engages its domain profile; if not, Windows Firewall's mobile profile kicks in. You can use these two profiles to give ICF a split personality of sorts.
The Windows Firewall GUI is extremely thorough. Whereas earlier versions of XP's ICF GUI just let you turn on or off ICF and open a few ports, the SP2 Windows Firewall GUI is festooned with options. And SP2 features a completely new set of command-line tools to control Windows Firewall.
SP2 also offers nine new Group Policy settings for Windows Firewall control. (Where these policies reside, however, isn't so obvious—at least not on the beta SP2 version that I've seen. I finally found them in the Domain Profile and Mobile Profile folders under Computer Configuration\Administrative Templates\Network\Network Connections\Internet Connection Firewall.) As I say in "Countdown to XP SP2: Dealing with ICF," leaving Windows Firewall on, even inside the domain, might serve you well, but you'll need to open certain ports if you want to use any remote control tools (e.g., the Microsoft Management Console—MMC—Manage Computer snap-in, Ping, Remote Assistance, Remote Desktop, Virtual Network Computing—VNC). Fortunately, six of the new Group Policy settings—Allow Dynamically Assigned Ports for RPC and DCOM, Allow File and Print Sharing, Allow ICMP Settings, Allow Remote Assistance Support, Allow Universal Plug and Play, and Define Custom Open Ports—let you open ports. Furthermore, you can do more than just enable or disable most of these settings. A new Visibility option lets you open ports only to the local subnet. For example, you might want to open dynamic remote procedure call (RPC) ports because you need them for, say, the Manage Computer snap-in, but you might not want those ports to be accessible to the Internet in general. In that case, you can use the Allow Dynamically Assigned Ports for RPC and DCOM setting's Visibility option to open the necessary ports to the local subnet only.
Insofar as I can see, then, SP2's firewall will be a net good. But before you launch a massive rollout, put a plan in place to configure Windows Firewall. (If you don't use any remote-control tools and never share volumes on XP workstations, the service pack's default settings will be fine ... but I can't imagine anyone being in that situation.) Think about what ports you'll need to open, then ask, "How will I tell my dozens (or hundreds, or thousands) of systems to open those ports?" If you deploy XP in an Active Directory (AD) domain, the best answer is probably "through Group Policy"; update your Group Policy Objects (GPOs) to apply the new settings now. XP will ignore the new settings until you install SP2 (you can find more information about this process in the Microsoft white paper "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2"). Otherwise, start creating and testing logon batch scripts that will configure Windows Firewall. (You could put the necessary commands into your logon scripts now—the commands won't have any effect until you install SP2—but they would generate error messages and make you a bit unpopular with users.) Either way, a bit of planning will make your SP2 rollout a welcome event instead of an unpleasant crisis.
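A logon batch script of the kind the last paragraph describes, as an added example that is not the author's. It assumes the netsh firewall command-line syntax of the released SP2 (where the off-domain profile is named STANDARD rather than Mobile) and the CSDVersion registry value to detect the service pack; the tools it opens (remote administration, file and print sharing, Remote Desktop, VNC on TCP 5900, Ping) are chosen for illustration and scoped to the local subnet in the domain profile only.

```batch
@echo off
rem Added example (not from the article): configure Windows Firewall on
rem XP SP2 workstations from a logon script using the netsh "firewall"
rem context shipped with the released SP2. Port and tool choices are
rem illustrative; adjust them to the remote-control tools you actually use.

rem Pre-SP2 machines have no "netsh firewall" context and would only log
rem errors, so check the service pack level first and exit quietly if absent.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CSDVersion | find "Service Pack 2" >nul 2>&1
if errorlevel 1 goto :done

rem Keep the firewall on in both profiles (DOMAIN and STANDARD).
netsh firewall set opmode mode=ENABLE profile=ALL

rem Domain profile: allow remote administration (the dynamically assigned
rem RPC/DCOM ports the Manage Computer snap-in needs), but only from the
rem local subnet, which is what the Visibility option in Group Policy does.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET profile=DOMAIN

rem Domain profile: file and print sharing and Remote Desktop, again
rem restricted to the local subnet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN

rem Domain profile: a custom port (VNC's default TCP 5900), the command-line
rem equivalent of the Define Custom Open Ports policy, subnet only.
netsh firewall set portopening protocol=TCP port=5900 name="VNC" mode=ENABLE scope=SUBNET profile=DOMAIN

rem Domain profile: answer Ping (inbound ICMP echo request is type 8).
netsh firewall set icmpsetting type=8 mode=ENABLE profile=DOMAIN

rem Off-domain (STANDARD) profile: nothing is opened, so a laptop on a
rem coffee-shop or hotel network keeps every inbound port closed.

rem Dump the resulting configuration so the rollout can be verified from
rem the script's output or a redirected log file.
netsh firewall show config

:done
```

Because the firewall itself picks the DOMAIN or STANDARD profile at startup, the script never has to test for domain membership; it only declares what each profile should allow.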