 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
I like it too, but I hope
that they come with a server installation and some GPO options that can be edited. A firewall for the PC isn't necessary for the enterprise, and it isn't feasible for system administrators to do it manually. I hope they are thinking server side as well.
Good job, Microsoft! :) -- I tie a rope around my penis and jump from a tree, don't you wanna grow up to be just like me!!!! |
|
 astamand Premium join:2003-10-11 Temple, NH
said by vic102482: That they come with a server installation and some GPO options that can be edited. A firewall for the PC isn't necessary for the enterprise, and it isn't feasible for system administrators to do it manually. I hope they are thinking server side as well.
Good job, Microsoft! :)
I used to think this way as well, but with the latest run of Internet worms I have changed my mind.
As IT managers, we can patch all the holes and run the firewall on the outside of the building, but it's not enough. All you need is ONE USER to break the whole thing down.
An example: with the last Sasser worm we had what we thought were all the required patches on our hosts. We check with port scanning tools such as Retina to find systems on our network before the worms do. When we find them, we patch them. The systems with firewalls always pass.
Anyway, since you don't need to open a payload to get infected with Sasser, it managed to come into the building via some loser's laptop (we assume). Once in, it had the run of the place because the latest virus definitions were not yet out and the patch was just being released.
We got hold of it, but if everyone had a firewall like ZoneAlarm or the new MS firewall it would have been a non-issue.
Yes, the management of client-side firewalls has been a pain in the past, but the new MS firewall will allow the settings of all clients to be part of a domain policy (see previous post), so it should be a piece of cake. |
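The sweep the post describes, finding hosts that still answer on a worm's port before the worm does, as an added example that is not part of the thread and is not Retina: a bash script that probes a list of hosts on TCP 445 (the LSASS port Sasser spread over) and TCP 135 (the RPC port Blaster spread over) and lists the hosts that complete a handshake. The port list, timeout and host list are assumptions; a host with its firewall on reads "closed" here, which is the result you want to see.

```shell
#!/bin/bash
# Added example (not from the thread, not Retina): probe a host list for the
# TCP ports Sasser (445) and Blaster (135) spread over, and list the hosts that
# still answer. A host with its host firewall on reads "closed" here.
# Assumptions: bash with /dev/tcp, GNU coreutils timeout, hosts one per line.

PORTS="${PORTS:-135 445}"          # ports to probe (assumed defaults)
TIMEOUT_SECS="${TIMEOUT_SECS:-2}"  # per-connection timeout; filtered ports hit this

# probe HOST PORT -> prints "open" if a TCP handshake completes, else "closed"
probe() {
  local host="$1" port="$2"
  if timeout "$TIMEOUT_SECS" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo open
  else
    echo closed
  fi
}

# sweep: reads hosts on stdin (blank lines and # comments skipped) and
# prints one "host port state" line per host/port pair
sweep() {
  local host port
  while read -r host; do
    case "$host" in ''|\#*) continue ;; esac
    for port in $PORTS; do
      printf '%s %s %s\n' "$host" "$port" "$(probe "$host" "$port")"
    done
  done
}

# exposed_hosts: hosts that answered on at least one probed port, one per line;
# these are the ones to patch or firewall first
exposed_hosts() {
  sweep | awk '$3 == "open" { print $1 }' | sort -u
}

# usage: printf 'host1\nhost2\n' | exposed_hosts
```

The script only reports a completed TCP handshake; it does not check patch level, so a host that shows "open" may already be patched and still be worth a firewall, while a host that shows "closed" may be off rather than protected.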
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
said by astamand: Yes, the management of client-side firewalls has been a pain in the past, but the new MS firewall will allow the settings of all clients to be part of a domain policy (see previous post), so it should be a piece of cake.
Yes, now firewalls for corporate are a feasible plan. When there was no domain management before, it was not feasible. You are right about the laptops. I use SUS and .MSI packages on AD to roll out patches, so any machine that is part of my domain (which is every machine on the network, except servers) is patched immediately (after some testing).
It is good that MS allows for domain management of the firewall and popup blockers; it would be useless if they didn't. Just on DSLR I never read of any GPO management or such.
I will research more into this. I need to find out if they have a template that will allow Windows 2000 Server to take control of the XP firewall. |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
reply to astamand: Yup, you are right! :) I found it! »www.microsoft.com/technet/images···_big.gif
Now THAT is kick ass. No more worries about worms; won't even need to patch as fast (as in emergency 2:00 AM upgrades). That firewall can be managed for every computer in the domain. It is sooooo SWEET, now I can't wait for it to come out!!!
Edit: What about Windows 2K, lol. |
|
 astamand Premium join:2003-10-11 Temple, NH
Yeah, ain't that cool! I hear you about the 2:00 AM emergency. I'll sleep better knowing the firewalls are working.
Now if we can just get everyone to log into the domain (mostly a lab issue here) and get rid of those last few 2K boxes, we'll be all set.
On a side note, another thing we have started to do corporate-wide is put all of our conference rooms outside of our firewall. We just get a little Linksys box in the computer room and punch it down to all of the conference rooms, and that gives them a basic firewall and DHCP.
This keeps all of our vendors OUTSIDE. They are the #1 way we're getting viruses in-house. I can't expect them all to check in with IT before plugging in. We have hundreds of vendors and OEMs a month at our site alone.
Our users simply use the wireless in the building (which is off limits to all but full-time employees and runs a rolling encryption code). If they don't have a wireless card they just VPN back in.
Things are looking better... |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
said by astamand: Yeah, ain't that cool! I hear you about the 2:00 AM emergency. I'll sleep better knowing the firewalls are working.
Now if we can just get everyone to log into the domain (mostly a lab issue here) and get rid of those last few 2K boxes, we'll be all set.
On a side note, another thing we have started to do corporate-wide is put all of our conference rooms outside of our firewall. We just get a little Linksys box in the computer room and punch it down to all of the conference rooms, and that gives them a basic firewall and DHCP.
This keeps all of our vendors OUTSIDE. They are the #1 way we're getting viruses in-house. I can't expect them all to check in with IT before plugging in. We have hundreds of vendors and OEMs a month at our site alone.
Our users simply use the wireless in the building (which is off limits to all but full-time employees and runs a rolling encryption code). If they don't have a wireless card they just VPN back in.
Things are looking better...
Good call on the conference room. I understand the feeling on the viruses. Those laptops of theirs are like cheap hookers; they've been through so many networks so many different times, who knows what kind of garbage is on there.
Also, I'm not sure if you saw it before, but I use SUS to update my machines. It's Windows Update for the internal network. It works great, and you can force every machine to manually update from your server via GPO.
It's free, too, from Microsoft. |
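What the domain management discussed in this thread (the XP SP2 firewall managed by GPO, and SUS forced on every machine by GPO) looks like on the client, as an added example that is not from the thread: the registry values that the Windows Firewall and Automatic Updates policy settings write under the Policies key when the corresponding Administrative Template settings are enabled in a GPO. Importing this file on a test box sets the same values by hand, which is a quick way to confirm what a GPO will do before rolling it out; the server name sus01 and the 03:00 daily schedule are assumptions for the example.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the thread: the values an XP SP2 GPO writes for the
; Windows Firewall domain profile and for Automatic Updates pointed at an
; internal SUS server. Server name "sus01" and the schedule are assumptions.

; "Windows Firewall: Protect all network connections" for the domain profile;
; exceptions (file and print sharing, remote administration, ...) stay allowed
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

; "Specify intranet Microsoft update service location": clients fetch updates
; from the SUS server and report status to it instead of going to Windows Update
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01"
"WUStatusServer"="http://sus01"

; "Configure Automatic Updates": option 4 = auto download and schedule the
; install, day 0 = every day, at 03:00, using the server named above
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
"UseWUServer"=dword:00000001
```

Because these live under the Policies key, the user cannot override them from the Control Panel, which is the difference between a firewall the user can switch off and one that is enforced. After the policy applies, `wuauclt /detectnow` makes a client check in with the SUS server right away rather than waiting for the next detection cycle, which is useful when verifying a new client.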
|
 wentlanc You Can't Fix Dumb..
join:2003-07-30 Maineville, OH
reply to astamand: said by astamand: Our users simply use the wireless in the building (which is off limits to all but full-time employees and runs a rolling encryption code). If they don't have a wireless card they just VPN back in.
You can also firewall your wireless and only allow access to your VPN. Anyone who could connect to your wireless would only be allowed to connect to the VPN server. That adds another layer of authentication, and encryption, to the connection.
puritan |
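The layout wentlanc suggests, as an added example that is not part of the thread: iptables forwarding rules for a Linux box placed between the wireless segment and the wired LAN, so that a wireless client can reach nothing on the LAN except the VPN server, and only on the VPN's own ports. The interface names, the wireless address range, the VPN server address and the two VPN types (IPsec and PPTP) are assumptions; the gateway is assumed to hand out DHCP to the wireless clients itself, which is INPUT-chain traffic and not covered here.

```shell
#!/bin/sh
# Added example, not from the thread: FORWARD-chain policy for a gateway
# between the wireless segment and the wired LAN. Wireless clients may reach
# only the VPN server, and only on VPN ports; everything else is dropped.
# Interface names, address ranges and the VPN server address are assumptions.

WLAN_IF="${WLAN_IF:-eth1}"              # interface toward the wireless segment (assumed)
LAN_IF="${LAN_IF:-eth0}"                # interface toward the wired LAN (assumed)
WLAN_NET="${WLAN_NET:-10.99.0.0/24}"    # wireless client addresses (assumed)
VPN_SERVER="${VPN_SERVER:-10.0.0.10}"   # VPN concentrator on the LAN (assumed)
IPT="${IPT:-iptables}"                  # set IPT=echo to print the rules instead of loading them

vpn_only_rules() {
  # default deny for everything the gateway forwards, then start clean
  $IPT -P FORWARD DROP
  $IPT -F FORWARD
  # return traffic for connections the rules below already accepted
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # IPsec (IKE, NAT-T, ESP) from wireless clients to the VPN server only
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -s "$WLAN_NET" -d "$VPN_SERVER" -p udp --dport 500 -j ACCEPT
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -s "$WLAN_NET" -d "$VPN_SERVER" -p udp --dport 4500 -j ACCEPT
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -s "$WLAN_NET" -d "$VPN_SERVER" -p esp -j ACCEPT
  # PPTP (control channel and GRE) to the VPN server only
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -s "$WLAN_NET" -d "$VPN_SERVER" -p tcp --dport 1723 -j ACCEPT
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -s "$WLAN_NET" -d "$VPN_SERVER" -p gre -j ACCEPT
  # anything else leaving the wireless segment is logged (rate limited), then dropped;
  # LAN-to-wireless connections never match an ACCEPT and fall to the DROP policy
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -m limit --limit 5/min -j LOG --log-prefix "WLAN-DROP: "
  $IPT -A FORWARD -i "$WLAN_IF" -o "$LAN_IF" -j DROP
}

# load the rules only when asked to, e.g.: sh wlan-vpn-only.sh apply
if [ "${1:-}" = apply ]; then
  vpn_only_rules
fi
```

With this in place the wireless encryption and the VPN are independent layers: someone who gets onto the wireless still has to authenticate to the VPN server before any LAN host will see a packet from them, and the LOG rule shows who is trying. Run it with IPT=echo first to review the rule set before loading it on the gateway.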
|
 astamand Premium join:2003-10-11 Temple, NH
reply to vic102482: said by vic102482: Good call on the conference room. I understand the feeling on the viruses. Those laptops of theirs are like cheap hookers; they've been through so many networks so many different times, who knows what kind of garbage is on there.
LOL!!!
said by vic102482: Also, I'm not sure if you saw it before, but I use SUS to update my machines. It's Windows Update for the internal network. It works great, and you can force every machine to manually update from your server via GPO.
Yes, I just caught that. Our corporate office uses that and pushes all the critical updates to our office as well. We hope to build a local server soon to speed up the process. |
|
 vic102482 Premium join:2002-04-30 Upper Marlboro, MD
said by astamand: said by vic102482: Good call on the conference room. I understand the feeling on the viruses. Those laptops of theirs are like cheap hookers; they've been through so many networks so many different times, who knows what kind of garbage is on there.
LOL!!!
said by vic102482: Also, I'm not sure if you saw it before, but I use SUS to update my machines. It's Windows Update for the internal network. It works great, and you can force every machine to manually update from your server via GPO.
Yes, I just caught that. Our corporate office uses that and pushes all the critical updates to our office as well. We hope to build a local server soon to speed up the process.
Yup, and you can have that SUS server pull updates from the corporate one; no use in wasting all that precious WAN bandwidth. :) |
|
  Jeremy341 Bye Premium join:2000-01-06 localhost
reply to wentlanc: said by wentlanc: You can also firewall your wireless and only allow access to your VPN. Anyone who could connect to your wireless would only be allowed to connect to the VPN server. That adds another layer of authentication, and encryption, to the connection.
It also adds something else that can break. I believe astamand's wireless security practices are perfectly fine. No need to add another layer that is completely unnecessary. |
|