Is the XP SP2 firewall getting a raw deal?
A recent report on a new denial of service vulnerability involving Windows RDP (Remote Desktop Protocol) blaming the Windows XP SP2 (Service Pack 2) firewall has touched off a rash of sensationalism from other media outlets that gets blindly regurgitated in the forums. This has caused some unwarranted confusion and fear in the IT industry. The original story incorrectly blamed the XP SP2 firewall for failing to protect against the RDP flaw. This was a false characterization of the XP SP2 firewall which has a history of being mischaracterized as something that breaks a lot of applications or is somehow unreliable. This has resulted in some harm to the general public because too many windows users are refusing to protect themselves with Windows XP SP2. Larry Seltzer did a wonderfully accurate and educational assessment on XP SP2 but is drowned out by all the doom and gloom sensationalism.
When Microsoft first came out with XP SP2 last year, its new firewall feature was incorrectly blamed for breaking hundreds of applications when in fact any personal firewall installed without the proper holes drilled would have caused the exact same issues. This latest story on the RDP vulnerability seems to be yet another slam on the SP2 firewall with the incorrect accusation that it fails to protect against this new RDP denial of service vulnerability. While it's technically true that a SP2 firewall with port TCP 3389 (used by RDP) opened to anyone will result in a successful denial of service attack to an unpatched windows machine, this is the normal behavior of any stateful packet inspection firewall. The results would have been the same if it had been a $50,000 Cisco or Checkpoint firewall that had TCP 3389 open to the same Windows machine. Anyone who attempts to blame the firewall for this particular attack simply doesn't understand what a stateful packet inspection firewall can and can't do. Rather than sensationalize the story with inaccurate characterizations of the unrelated firewall, it would have been much more beneficial to the public to correctly point out the actual vulnerability and perhaps tell the public how they can protect themselves.
You can protect all the PCs in your office or home by simply implementing a router with a basic firewall or just NAT (Network Address Translation) capability. A router for the home with a built-in switch can be purchased for less than $40. Not only does the router protect you from a vast array of attacks, it also acts as an Internet sharing device. Another easy thing to do is to turn on the Windows XP SP2 firewall make sure that the RDP service is either entirely blocked or only permitted to enter from trusted network sources. You can find more in-depth information here to turn off the RDP service entirely or configure the XP SP2 firewall. One of the nicest features of the XP SP2 firewall besides the fact that it's free with Windows is that it can easily be managed from a central location. This can be done from a legacy Windows NT 4.0 domain environment using a script or better yet from a group policy in a Windows 2000/2003 Active Directory. This allows a Microsoft network administrator to quickly configure every single windows XP computer in the company with a single login script or a single group policy. While there are third part firewalls that can do a more thorough job of protecting your PC and have their own centralized management tools, they aren't free and they can have their own serious vulnerabilities that require patching. The XP SP2 firewall provides a decent and manageable baseline solution for those who don't have anything else.
Next month on the second Tuesday, Microsoft will release their monthly batch of patches that will fix this RDP vulnerability. There are no known instances of this denial of service attack and you would definitely know if it had actually hit you. Now that you're armed with the facts and know how to mitigate the risks, just let the monthly patch process do its job in an orderly manner.