CITES Suggested Windows XP Firewall Customizations
This page contains information about adjustments to the default Windows XP firewall settings that are recommended by CITES Security.
Overview
Microsoft Windows XP Service Pack 2 and later (available through Windows Update) make several important changes to your computer's network settings. While these changes help protect you from harmful viruses and popups, they were not written specifically for the university's computing needs.
The easiest way to configure the Windows XP Service Pack 2 firewall to CITES specifications is to download and install the two .reg files provided by CITES Security. These files automatically configure your firewall to the specifications described in the next section.
If you are very comfortable making changes to the registry, you may instead edit the Firewall ICMP - Remote Desktop.reg and Firewall Popup Config.reg files by hand. CITES does not recommend manual configuration for non-expert users.
CITES recommendations
ICMP Remote Desktop
CITES recommends enabling Remote Desktop (TCP port 3389) globally. This allows you to connect to your computer from a remote location, either by computer name or by IP address, for remote technical support.
This change also allows incoming ICMP Echo Requests (so the computer answers pings), which is useful in preliminary troubleshooting to determine whether you have point-to-point communication across the network.
Popup Config
This registry entry modifies the default popup blocker settings for Internet Explorer, allowing all popups from the uiuc.edu and uillinois.edu domains to be displayed on your computer.
This change allows Banner, Compass, and other university-hosted websites to function properly.
Other firewall configuration caveats and recommendations
- File Sharing From a Workstation
(Note: This is different from sharing files on a server.)
Enabling workstation file sharing opens the required ports (137, 138, 139, 445) to the local subnet only, which may provide some insulation from malicious network activity, as not all viruses and worms are able to traverse subnets. Because of this local subnet restriction, problems may arise if access to a shared folder is needed from another subnet (e.g., from a classroom computer to an office computer). While it is possible to share the folder globally, opening the folder to the world can make your workstation vulnerable to attack.
- SQL Issues
Because port 445 is blocked by default under some XP service packs, you may have problems with SQL Server software (any version) running on a computer with those service packs installed. XP machines should not have any problems connecting to SQL Server software installed on a fully patched Windows 2000 Server or a fully patched Windows Server 2003.
- Security Center
Do not disable the Security Center! The Security Center will tell you if your firewall is disabled, if antivirus software is out of date, or if new Windows patches are available for installation. If you must disable the firewall, leave the Security Center running but disable the firewall alerts within the Security Center. This leaves the Virus Protection and Automatic Updates alerts active.
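The recommendations above (Remote Desktop open globally, ping replies allowed) and the file-sharing caveat (ports 137, 138, 139 and 445 confined to the local subnet) can be checked offline against an exported firewall registry key. The script below is an added example and is not CITES code; it assumes the standard XP SP2 locations StandardProfile\GloballyOpenPorts\List and StandardProfile\IcmpSettings (which this page does not name) and uses a constructed sample export rather than the real CITES .reg files.

```python
# Constructed sample export, not a CITES file. GloballyOpenPorts\List values
# use "port:proto:scope:Enabled|Disabled:name"; scope "*" means any network,
# "LocalSubNet" means the local subnet only.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings]
"AllowInboundEchoRequest"=dword:00000001
'''

PROFILE = (r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess'
           r'\Parameters\FirewallPolicy\StandardProfile')
FILE_SHARING_PORTS = {137, 138, 139, 445}

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}; decode a real (UTF-16) export first."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, raw = line[1:].split('"=', 1)
            keys[current][name] = raw.strip('"')
    return keys

def audit(reg_text):
    """Return deviations from the CITES settings and the file-sharing caveat."""
    keys = parse_reg(reg_text)
    ports = []
    for raw in keys.get(PROFILE + r'\GloballyOpenPorts\List', {}).values():
        port, proto, scope, state, _name = raw.split(':', 4)
        ports.append((int(port), proto, scope, state == 'Enabled'))
    findings = []
    if (3389, 'TCP', '*', True) not in ports:
        findings.append('Remote Desktop (3389/TCP) is not enabled globally')
    icmp = keys.get(PROFILE + r'\IcmpSettings', {})
    if icmp.get('AllowInboundEchoRequest') != 'dword:00000001':
        findings.append('inbound ICMP Echo Request is not allowed, so pings get no reply')
    for port, proto, scope, enabled in ports:
        if port in FILE_SHARING_PORTS and enabled and scope != 'LocalSubNet':
            findings.append('%d/%s (file sharing) is open beyond the local subnet: scope=%s'
                            % (port, proto, scope))
    return findings
```

Calling audit(SAMPLE_REG) reports only the 445/TCP entry, which the sample opens to the world; to check a real machine, export the StandardProfile key with regedit and pass the decoded text to audit().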