Before you install XP SP2 on your Enterprise network know this!
I've been digging around and experimenting with the new SP2 firewall. I'm assuming you guys have a positive attitude towards it and aren't taking the "we'll just disable it" attitude, because while it will require a little more work, I believe it adds a whole new layer to network security. Here's what I've learned about the firewall from my experimentation. I have not attempted to find a manual or white paper on the firewall (I probably should). Everything listed below is from trial and error. Please note I have made some assumptions based on my limited Windows admin experience, and I could be wrong; I welcome any questions or issues with what I've written below.
Executive summary:
In order to keep the SP2 firewall enabled in our network we must:
- Enable floating profiles in our domain
- Push new firewall configs with ANY patch/update that relates to a networking app
Nerdy details:
In a nutshell, SP2 has an outbound-detection firewall: it only detects outbound attempts at communication. It works not by port but by a checksum of the file (EXE) trying to do the communicating. MS has already included checksums (aka definitions) for all their applications, so those applications do not need to be authorized. If you have used SP2 at all, you'll see that the first time an application tries to talk out on the network, a user-friendly box pops up explaining that a new type of communication is attempting to start. This popup ONLY appears for a user with administrative privileges. Non-admin users DO NOT get a popup, and their communication attempt simply fails. When a communication is approved, it is specific to that user account, not to the machine. This means floating profiles would be mandatory in order to use the firewall setup, so that firewall settings will follow a user (and, more importantly, a network technician) from one machine to another.
Also, since the firewall is checksum based, any time a patch/update/upgrade is applied to a user's machine we MUST push a firewall checksum update, because most changes to a networking application will generate a new checksum, unless MS plans on putting checksums within the patches, which would push them into the firewall. Hopefully this is their plan, as it relieves a big headache from software updates.
PS: In case anybody was wondering, there are 783 updates in SP2; you can find the list at MS.
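As an added example (not from the original post, and not Microsoft's own script): the "push new firewall configs" step in the summary, done with the built-in netsh firewall command that XP SP2 provides for scripting its firewall. The script adds a program exception for one application, limits it to the domain profile and a corporate address range, then reads the exception list back to confirm it took. The program path, display name and address range are hypothetical placeholders; substitute the real values for the application being patched.

```batch
@echo off
rem Added example (not from the original post): per-program Windows Firewall
rem exception for XP SP2, applied with the built-in "netsh firewall" context.
rem Assumptions (hypothetical): the app lives at C:\Program Files\Contoso\ContosoClient.exe
rem and only needs to be reachable from the 10.0.0.0/8 corporate network.
rem Run in an administrative context (e.g. a computer startup script or the
rem software-distribution job that installs the patch), since the exception is
rem written to the machine-wide firewall policy, not to a user profile.

setlocal
set APP=C:\Program Files\Contoso\ContosoClient.exe
set APPNAME=Contoso Client
set SCOPE_ADDR=10.0.0.0/8

rem Refuse to allow a binary that is not actually installed on this machine.
if not exist "%APP%" (
    echo %APP% not found, no exception added.
    exit /b 1
)

rem Make sure the firewall is on for the domain profile rather than switched off.
netsh firewall set opmode mode=ENABLE profile=DOMAIN
if errorlevel 1 (
    echo Could not enable the domain-profile firewall.
    exit /b 1
)

rem Add (or update) the program exception. The key is the executable's path.
rem   mode=ENABLE           exception is active
rem   scope=CUSTOM addresses=...  only these remote addresses may reach the program
rem   profile=DOMAIN        exception does not apply in the standard (off-network) profile
netsh firewall add allowedprogram program="%APP%" name="%APPNAME%" mode=ENABLE scope=CUSTOM addresses=%SCOPE_ADDR% profile=DOMAIN
if errorlevel 1 (
    echo Failed to add exception for %APPNAME%.
    exit /b 1
)

rem Verify: the verbose listing should now include the program by its display name.
netsh firewall show allowedprogram verbose=ENABLE | findstr /i /c:"%APPNAME%"
if errorlevel 1 (
    echo Exception for %APPNAME% not present after add.
    exit /b 1
)
echo Exception for %APPNAME% applied.
endlocal
exit /b 0
```

Because the exception is stored in the machine's firewall policy, running this from a Group Policy computer startup script (or from the same job that deploys the patch) applies it to every targeted machine regardless of who logs on. The netsh firewall context is specific to XP SP2 and Server 2003 SP1; later Windows versions replaced it with netsh advfirewall, so this script does not carry forward unchanged.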