Thursday, January 27, 2005

Let’s Stop Complaining About Microsoft Doing the Right Thing

I’m on the road this week teaching a one-day class on supporting Windows XP for a private client. The classroom conversation, as usual, drifts frequently to a discussion of the pros and cons of Service Pack 2. This blog entry is not about Service Pack 2, but it is about the Internet Connection Firewall.

As you probably know, the ICF is now turned on by default on Windows XP systems updated with Service Pack 2. Many students complain about this default configuration, but they’re missing the point.

First, we in the IT community have complained for years about the lack of security in Microsoft products. We compared their products to Novell and UNIX products in which only essential modules or daemons were enabled and we had to explicitly enable everything else. Microsoft, on the other hand, shipped their products with a multitude of services enabled by default. That made for great ease-of-use, but lousy security. Now, Microsoft shuts down network access to workstations unless specific ports or programs are explicitly allowed, and people start whining. Gee, isn’t that a step toward what we were asking for? Can we pause for a moment in support of the principle of least privilege?

Here’s the deal: Certain services are permitted by default such as Remote Assistance. You can use Group Policy settings to easily configure the ICF to permit whatever other traffic you wish on multiple workstations or perform simple configurations on an individual workstation to allow the desired traffic through the firewall. One example of desirable traffic that you might wish to allow through the firewall is Remote Desktop. The real question, though, is why on earth would someone in an enterprise want to allow most other types of incoming connections on the average workstation, especially an average user’s workstation? Put it (whatever it is) on a server. That shared printer? Put it on a print server. That shared file or folder that everyone needs to access? That goes on a file server. Certainly, there are times when, as an IT professional, you might need to enable certain services such as TFTP for backing up or restoring configurations on your laptop. That should, however, be the exception and definitely not the rule. The point is simple: Let’s quit complaining about Microsoft doing the right thing and learn how to configure the firewall. Better yet, use workstations as workstations and leave the serving to servers.
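As an added illustration, not from the original post, here is what the individual-workstation configuration described above looks like using the netsh firewall context that SP2 added: the firewall stays on, Remote Desktop is allowed only from the local subnet, the file-and-print exception that belongs on a server is switched off, and the result is checked. Run it from a command prompt as an administrator on the workstation; the Group Policy setting named in the comments is the domain-wide equivalent, and the TFTP address is a placeholder.

```batch
@echo off
rem Added example (not the post's own text): XP SP2 "netsh firewall" context on one workstation.
rem Goal: keep the firewall on, open only what this workstation needs, then verify.

rem 1. Firewall on for both profiles; the exception list stays active so we can add to it below.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Remote Desktop in, but only from the local subnet (scope=SUBNET), not from anywhere.
rem    Domain-wide equivalent: Computer Configuration > Administrative Templates > Network >
rem    Network Connections > Windows Firewall > Domain Profile >
rem    "Windows Firewall: Allow Remote Desktop exception" (the XP SP2 policy name).
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

rem 3. File and print sharing belongs on a file or print server, so close that exception here.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

rem 4. When an exception really is needed (the TFTP-on-a-laptop case), scope it to the one
rem    address that needs it rather than ALL. 192.0.2.10 is a placeholder, not from the post.
rem    Uncomment only for the duration of the job, then re-run with mode=DISABLE.
rem netsh firewall set portopening protocol=UDP port=69 name="TFTP (temporary)" mode=ENABLE scope=CUSTOM addresses=192.0.2.10

rem 5. Show the effective state and configuration so the change can be checked and recorded.
netsh firewall show state
netsh firewall show config
```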
