
Windows XP Service Pack 2: Enter the Internet Connection Firewall

Windows XP Service Pack 2 is currently in beta testing, with release anticipated sometime this spring or summer.  As a general rule Microsoft tries not to change anything or add features in a service pack, but it is breaking that rule in a big way with SP2's Internet Connection Firewall (ICF).

Microsoft has been badly beaten in the press and in the court of public opinion over its lack of security, mainly because of worms like MSBlaster.  The ICF appears to be a stop-gap measure until Microsoft can bring its security efforts up to a higher level.  It is a firewall for Windows, not a security panacea.

The First Thing You Should Know
Once SP2 is installed, the ICF is enabled by default.  This will mean different things to people in firms and organizations of different sizes.  If you are sharing files or printers from your computer, updating to SP2 will block other computers from reaching them until you specifically allow file and printer sharing again in the ICF settings.

Features of the ICF
As updates go, the Windows ICF is quite feature-dense.  To keep everyone from having to learn about TCP/IP and its associated protocols and ports, the administration has been simplified.  There are three ICF operational modes: “On” (filtering, with any exceptions you have allowed), “Shielded” (“On” with no exceptions) and “Off” (disabled).

Another feature of the ICF, one that is supposed to make it easier for non-technical users to administer, is the option to allow an application.  By defining an executable, you permit the ICF to examine which TCP or UDP ports the program listens on when it starts and to open them.  Note that if the application you are allowing is prone to buffer overflows or has other serious security flaws, the ICF will not secure it: traffic to the ports it listens on is admitted, so any flaw reachable through those ports remains exposed.  This applies to third-party programs as well as to Windows applications or components you might allow, such as file and printer sharing.

The ICF Management and Deployment
If yours is a smaller law firm, the Windows ICF will probably have little effect as long as you are aware of it, take some time to understand its operation and plan for it.  If all your work is done on one or two computers, setting up the ICF will be trivial.  In a peer-to-peer network you may need to re-enable file and printer sharing.

In a larger law firm you will want to automate management of the ICF to some degree.  Several options exist, including scripting and Active Directory Group Policy.  During installation of SP2 you can use an unattend.txt file to set the deployed settings to your specifications.

If you do not have Active Directory deployed you will probably have to use scripts to manage the ICF.  Additions have been made to NETSH to modify settings, and these can be used now.  Microsoft indicates that an API will also be available (think WSH) to manage settings, but the interface was not made available to beta testers.
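As an added example (not from the article, and not a Microsoft-supplied script), here is a batch file that applies a baseline firewall policy from a logon or startup script using the NETSH firewall context, covering both the application-allow feature described earlier and the scripted management discussed here.  It assumes the command syntax of the netsh firewall context as shipped in the released SP2, in which the off-domain profile the article calls the mobile profile is named STANDARD, and it assumes the script runs with administrator rights.  The program path, port and subnet are constructed placeholders.

```batch
@echo off
rem Baseline XP SP2 firewall policy for a logon or startup script.
rem Added example, not from the article. Assumes the "netsh firewall"
rem context as shipped in the released SP2 (profiles DOMAIN, STANDARD,
rem ALL). Program path, port and subnet below are placeholders.

rem "shield" argument: emergency lockdown during a worm outbreak.
rem This is the article's shielded mode: On, with no exceptions.
if /i "%~1"=="shield" (
    netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
    goto :eof
)

rem 1. Turn the firewall on in both profiles in ordinary "On" mode
rem    (exceptions honoured). Do this first so nothing below runs
rem    against a disabled firewall.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Re-enable file and printer sharing, limited to the local subnet,
rem    so shares are never reachable from the Internet side.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

rem 3. Allow an application by executable; the firewall opens whatever
rem    ports it listens on. Limit it to the domain profile so a laptop
rem    on a hotel network does not expose it. (Placeholder path.)
netsh firewall add allowedprogram program="C:\Program Files\Example\timekeeper.exe" name="Timekeeper" mode=ENABLE scope=SUBNET profile=DOMAIN

rem 4. A fixed port opening with a custom address scope, for a listener
rem    that must be reachable only from the server subnet (placeholders).
netsh firewall add portopening protocol=TCP port=8000 name="DMS client listener" mode=ENABLE scope=CUSTOM addresses=192.168.10.0/24 profile=DOMAIN

rem 5. Log dropped packets so an incident can be reconstructed later;
rem    successful connections are left unlogged to keep the file small.
netsh firewall set logging filelocation="%SystemRoot%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 6. Review the resulting configuration.
netsh firewall show config
```

Run the file with no arguments for the normal policy, or with the single argument shield to put the machine into shielded mode; running the normal policy again afterwards restores the exceptions.  Each exception is scoped to the subnet or to the domain profile deliberately: an allowed program or port with scope ALL in the standard profile is exactly what a laptop carries home to an untrusted network.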

Tools exist for managing the ICF through Active Directory Group Policy.  This will be the best method if you have Active Directory in place.  Group Policy provides two ICF profiles: a domain profile and a mobile profile.  The domain profile is active when the computer is connected to and authenticated on the domain network, and the mobile profile takes over when the computer is off the domain network (a laptop at home or on a hotel connection, for example).  Enabling the ICF through Group Policy takes control of the ICF away from the user.  A plug-in must be installed to add the management controls to Group Policy.  Active Directory also adds the ability to lock down the entire network during a worm outbreak by placing every computer in shielded mode.

Microsoft has made an interesting compromise: giving firewall-like security while not forcing the end user to become an expert on TCP/IP ports and protocols.

Other Features of the ICF

  • You can configure new protocol types using specific settings for TCP, UDP and ports.
  • On system startup the network is blocked until the ICF service starts.
  • If you have Active Directory, you can lock down every computer on your network during a worm outbreak.
  • Domain and Mobile profiles are included.

What Else Can You Expect?
Chances are Microsoft will make more changes to SP2 before it is officially released, so some of the preceding information could change; and even though it is under scrutiny by those using the beta, you can probably expect glitches caused by the ICF feature.  It makes sense to test SP2 in an experimental environment so that if problems arise you can roll back to the original state.

Remember, the Internet Connection Firewall is not a substitute for antivirus software, better software development or common sense.  However, when properly applied, it could help save your systems from the next worm or exploit.

About our author . . .

Nathan Smith is employed by McKee, Voorhees & Sease, P.L.C., an intellectual property law firm in Des Moines, IA.  He is a 12-year veteran of PC network administration and information technology.  Nathan can be contacted at smith@ipmvs.com.
