Windows Server Firewalls: Use At Your Own Risk
That’s the subtext I picked up from Mark Burnett’s Security Focus column “Windows Firewalls Lacking” (later picked up by The Register as well). As it happens, I agree with Burnett 100% based on my own recent experiences trying to lock down a Windows 2000 Server.
I decided to give the IPSec functions a shot, and I used this article from Microsoft’s Service Providers site to build a firewall for my server. I followed the directions, only to find my server wouldn’t even accept responses to its own DNS requests. As such, I couldn’t surf the web or pull down Windows Updates, and even worse, the iMail server running on the box couldn’t deliver mail.
While the GUI-driven approach to building the policies was nice, I found the process a little restrictive and unnecessarily convoluted. I’m used to freely creating rulesets on hardware firewalls like the SonicWALL products or writing my own iptables scripts. This was a whole new animal, and I found the contents of the dropdowns too restrictive. I persevered, however, and after some wrestling got DNS working properly.
Then I decided to test the new setup. I ran an Nmap scan from a remote network, and to my dismay a long list of ports, including many that should have been blocked, were open and available for connections. In fact, it looked to me as though the IPSec filter was looking at the last hop for the IP address rather than the true IP source. I’m hoping this isn’t the case, that Microsoft would be smarter than this; based on my ruleset, however, that’s how it looked.
It surprises me that Microsoft hasn’t made a better firewall available from the beginning, especially with iptables — and before that, ipchains — being readily available on Linux, not to mention the plethora of other options available on other open systems like FreeBSD. There are times when open systems just aren’t an option, however, so admins are left to make do with what they have. Even if Win2K3’s upcoming firewall improvements prove to be the cat’s meow, we’re going to have to pay out the licensing fees for the privilege of using it.
Not an exciting prospect for someone with a near-nil budget.
Incidentally, if you deal with IT security and you’re not reading Security Focus regularly, I highly recommend you start. The site’s a regular part of my daily reading thanks to RSS. They have news, columns, and technical articles, and following the Bugtraq list gives admins a good heads-up on vulnerabilities coming to light for software packages on just about any platform. Good stuff.
