Microsoft to ship new versions with firewall enabled

Daniel Senie dts at senie.com
Thu Aug 14 16:56:25 UTC 2003


At 12:07 PM 8/14/2003, Eric A. Hall wrote:


>on 8/14/2003 9:29 AM Sean Donelan wrote:
>
> > John Markoff reports in the New York Times that Microsoft plans to change
> > how it ships Windows XP due to the worm.  In the future Microsoft will
> > ship both business and consumer versions of Windows XP with the included
> > firewall enabled by default.
>
>Wouldn't it make more sense to ship with all of the services disabled?
>
>I mean, if the role of the firewall is to block packets to weak services,
>wouldn't it be simpler to just disable the damn services since they aren't
>going to be usable anyway?

Ah, no.

There are many services that ARE useful on the local machine, which may not 
need to listen to the outside world in all configurations. While I think 
the intent of your question was reasonable, the better way to phrase it 
would be:

"Wouldn't it make more sense to ship products with services listening only 
on loopback interfaces, rather than listening on all interfaces?"

The same exact issue applies to every operating system. Indeed, some 
vendors are dealing with this well. RedHat changed the default 
configuration of sendmail in RH9 to listen only on 127.0.0.1. The user can 
change that to listen to the outside IF the machine in question has a need 
to listen (i.e. it really was intended to be a mail server). This approach 
is to be commended, and should be followed for other services that may be 
necessary to run on a local machine, but which need not be reachable from 
outside the machine.
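The point above about loopback-only listeners can be checked on a running host. The Python below is an added example and is not part of the thread: it parses `ss -lnt`-style output (the sample lines are constructed, including the sendmail-on-127.0.0.1 case and two wildcard listeners) and classifies each listener as loopback-only, all-interfaces, or bound to a specific address; it then binds real sockets on an ephemeral port to show that a 127.0.0.1-bound listener is reachable only through loopback. The helper names and the sample process names are assumptions for illustration.

```python
"""Audit listening TCP sockets: loopback-only vs. all-interfaces.

Added example, not from the NANOG thread. The ss-style input below is
constructed; the live part binds real sockets on an ephemeral port.
"""
import ipaddress
import socket

WILDCARD = ("0.0.0.0", "::", "*")  # ss prints '*' for a dual-stack wildcard

# Constructed sample of `ss -lntp` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       10      127.0.0.1:25        0.0.0.0:*          users:(("sendmail",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=600,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=600,fd=4))
LISTEN  0       50      *:445               *:*                users:(("smbd",pid=901,fd=5))
LISTEN  0       128     [::1]:631           [::]:*             users:(("cupsd",pid=455,fd=7))
"""


def split_addr_port(text):
    """'[::]:22' -> ('::', 22); '127.0.0.1:25' -> ('127.0.0.1', 25)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host):
    """Classify a bound address: loopback, all-interfaces, or specific."""
    if host in WILDCARD:
        return "all-interfaces"
    try:
        return "loopback" if ipaddress.ip_address(host).is_loopback else "specific"
    except ValueError:
        return "unknown"


def audit(ss_text):
    """Return one dict per LISTEN row with its address, port, process, exposure."""
    rows = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        host, port = split_addr_port(fields[3])
        proc = None
        if len(fields) >= 6 and fields[5].startswith("users:"):
            proc = fields[5].split('"')[1]  # users:(("sendmail",pid=...)) -> sendmail
        rows.append({"addr": host, "port": port, "process": proc,
                     "exposure": exposure(host)})
    return rows


def exposed_ports(ss_text):
    """Ports that something other than the local machine could reach."""
    return sorted({r["port"] for r in audit(ss_text) if r["exposure"] != "loopback"})


def listen(host):
    """Bind a listening TCP socket to `host` on an ephemeral port."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, 0))
    sock.listen(5)
    return sock


def reachable_via(listener, host, timeout=1.0):
    """True if a TCP connect to (host, listener's port) completes."""
    port = listener.getsockname()[1]
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False  # connection refused or no route: nothing listening there


if __name__ == "__main__":
    for row in audit(SAMPLE_SS):
        print(f"{row['process'] or '?':>9}  {row['addr']}:{row['port']:<5}  {row['exposure']}")
    print("exposed ports:", exposed_ports(SAMPLE_SS))

    loop_only = listen("127.0.0.1")
    print("loopback listener via 127.0.0.1:", reachable_via(loop_only, "127.0.0.1"))
    try:
        # If the host has a non-loopback address, the same listener is refused there.
        outside = socket.gethostbyname(socket.gethostname())
        if not ipaddress.ip_address(outside).is_loopback:
            print(f"loopback listener via {outside}:", reachable_via(loop_only, outside))
    except OSError:
        pass
    loop_only.close()
```

On a live system, feed it `ss -lntp` (or `netstat -lntp`) output; anything the audit reports as all-interfaces that is not meant to serve the network is a candidate for rebinding to 127.0.0.1 rather than for a firewall rule.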