Desktop Client Configuration


The most recent releases and service packs of Microsoft Windows and Microsoft Office Outlook include many security and virus-fighting enhancements. For example, beginning with Outlook 2002, attachment blocking and Object Model Guard are included and enabled by default. Windows XP Service Pack 2 (SP2) includes Windows Firewall, formerly Internet Connection Firewall, built into the network properties page. In some cases, functionality can be applied to earlier versions of Microsoft software through updates. However, to help maintain a secure environment, it is recommended that you run the latest versions of Windows and Outlook. This section gives recommendations for client updates that are specific to Windows and Outlook, with links to more in-depth implementation details.

In addition to keeping Windows and Outlook up-to-date, it is critical that your antivirus signatures are up-to-date across your organization. Also, implementing an aggressive update management solution for the software in your organization is extremely important. For more information about update management for Microsoft software, see Understanding Patch and Update Management: Microsoft's Software Update Strategy.

Configure Windows Firewall or Other Personal Firewall Software

Windows XP SP2 includes Windows Firewall (formerly Internet Connection Firewall), which allows users to block traffic on seldom-used ports by selecting a single check box. Running Windows Firewall or other third-party personal firewall software on client computers is critical to help slow or stop many viruses. For example, when the MyDoom worm infects a computer, it listens on TCP ports 3127 through 3198 and answers inbound requests, which gives an attacker the opportunity to connect to the computer and use it as a proxy to reach network resources. A firewall installed and configured on client computers blocks those inbound connections and so neutralizes this aspect of the worm.

Note

Windows has provided three different firewall solutions. Internet Connection Firewall and Basic Firewall are components of the Routing and Remote Access service in Windows Server 2003. Windows XP and Windows XP SP1 include Internet Connection Firewall, which is a Control Panel feature that you can use to set restrictions on the traffic that is allowed to enter your network from the Internet. Windows Firewall refers to the firewall that is included with Windows XP SP2.

By default, Internet Connection Firewall is disabled in Windows XP and Windows XP SP1, whereas in Windows XP SP2 Windows Firewall is enabled for all connections. In addition, Windows Firewall can now be managed through Group Policy objects (GPOs), which allows administrators to apply different levels of protection depending on where a mobile computer is connected. For example, a laptop connected to the enterprise domain can be given looser port restrictions than the same laptop connected to a public wireless Internet access point.

It is important to recognize that there are hundreds of applications that use various ports to communicate. Some examples of applications that define their own ports include instant messaging, peer-to-peer file sharing and communication software, and line-of-business applications. Running Windows Firewall or other personal firewall software may cause these applications to fail. Make sure you review all firewall documentation carefully. Test the configuration before deploying it across your organization.

Recommendations

  • Upgrade all Windows clients to Windows XP SP2, or deploy other third-party personal firewall software.

  • Develop a standardized set of allowed ports. If you are deploying the Windows XP SP2 Windows Firewall, define the allowed ports separately for the "Domain" and "Mobile" cases (the Domain and Standard profiles in Windows Firewall terminology).

  • Deploy firewall configurations to all clients. If you are deploying the Windows XP SP2 Windows Firewall, deploy the client configuration through Group Policy objects.
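The following script is an added example, not part of the original article, showing what a baseline built from these recommendations looks like when typed into the Windows XP SP2 `netsh firewall` context on a single test client before the same settings are pushed through a GPO. The port and service exceptions are constructed placeholders that stand in for an organization's standardized allowed-port list.

```batch
@echo off
rem Added example: baseline Windows Firewall settings for a Windows XP SP2 client.
rem Run from a command prompt as a local administrator on a test machine first.

rem 1. Domain profile: firewall on for every connection, with the exceptions
rem    list enabled so only the approved ports below are reachable.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN

rem 2. Standard ("Mobile") profile, used off the corporate network: firewall on
rem    and no exceptions at all, so a worm backdoor listener such as MyDoom on
rem    TCP 3127-3198 receives no inbound traffic from a public hotspot.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

rem 3. Domain-profile exceptions, scoped to the local subnet rather than to
rem    any address. File and print sharing and Remote Desktop are built-in
rem    service exceptions; the TCP 8080 rule is a placeholder for a
rem    line-of-business application port (constructed value).
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN
netsh firewall add portopening protocol=TCP port=8080 name="LOB application (placeholder)" mode=ENABLE scope=SUBNET profile=DOMAIN

rem 4. Log dropped packets so blocked worm traffic is visible to the help desk.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 5. Verify the result before committing it to Group Policy.
netsh firewall show config
netsh firewall show portopening

rem 6. Review what is still listening; nothing in TCP 3127-3198 should appear.
netstat -an -p TCP | findstr LISTENING
```

The equivalent Group Policy settings live under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall, in the separate Domain Profile and Standard Profile folders, which is where the "Domain" and "Mobile" port lists from the recommendations above are defined for deployment.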

Resources