I can't argue about the different effectiveness of various firewall options.
I thought SP3 finally had some outbound filtering, as did the shiny new Win7 firewall. Either way, if something can get admin rights, your Windows firewall is boned, since they can simply open any desired port, as you point out.
"The situation is not very different on a Windows server, really. If the most common ports used for attack are open on the firewall, then what is the firewall really doing for you?"
This is where I limit services to given IP ranges, as minimally required. It's not whether a port is open or closed, but from which addresses it is open or closed.
My real understanding of network packet filtering came with building *nix servers after growing up on Windows boxes. You can't even get a TCP three-way handshake without allowing it in the firewall, if it is set up properly and port/source/destination values are an expected given:
iptables -A INPUT -p TCP --dport 22 -s 192.168.0.5 -d 192.168.0.10 -j ACCEPT   # SSH, only from .5, only to this host's .10
iptables -A INPUT -j DROP   # everything else that reaches INPUT is dropped
If it isn't a TCP packet on port 22 from IP .5 going to my NIC with IP .10, then drop it like a hot potato. It'll ignore .4 and less or .6 and greater. I won't even be able to hit the loopback localhost without allowing it through another iptables line.
Granted, a hardware firewall is even better, but no one is going to put a SonicWall in front of every network node. There is a nifty USB dongle which includes a firewall, though I'm not sure how effective it is. Still, if software is all you've got, then it's better than nothing.
Anyhow, my original point was simply that the requirements of the server (SMB available to all internal) do not change the security approach of minimizing surface area, regardless of server location. If your server requires those frequently attacked ports to be open to your entire LAN, then that's your minimum, not justification for opening additional unrequired ports.
(edit) Spelling, but I'm sure I missed some still.
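The following is an added example, not code from the post or its author: a small Python model of how an iptables INPUT chain evaluates packets (first matching rule wins, the chain's policy applies if nothing matches). It parses the two rules quoted above verbatim, plus a second ruleset that adds a loopback rule and opens SMB (445/tcp) only to an assumed LAN of 192.168.0.0/24, which is the "minimum" the post describes. The host address 192.168.0.10, interface names and all sample packets are constructed; the parser deliberately supports only the options those rules use.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example (not from the post): first-match evaluation of an iptables
# INPUT chain. Only -A, -p, -s, -d, -i, --dport and -j are modelled; there is
# no connection tracking, so this is a teaching model, not a firewall.


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp", "icmp"
    src: str             # source IP
    dst: str             # destination IP
    dport: int = 0       # destination port (0 when not applicable)
    iface: str = "eth0"  # interface the packet arrived on (assumed name)


@dataclass(frozen=True)
class Rule:
    target: str
    proto: Optional[str] = None
    src: Optional[str] = None    # single address or CIDR
    dst: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every specified option must match; unspecified options match anything.
        if self.proto and pkt.proto != self.proto.lower():
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.iface and pkt.iface != self.iface:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want and ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        return True


def parse_rule(line: str) -> Rule:
    """Parse one 'iptables -A INPUT ...' line into a Rule (limited option set)."""
    toks = line.split()
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    opts: Dict[str, str] = {}
    i = 0
    while i < len(toks):
        if toks[i] in ("-A", "-p", "-s", "-d", "-i", "-j", "--dport") and i + 1 < len(toks):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported option {toks[i]!r} in this model")
    if opts.get("-A") != "INPUT":
        raise ValueError("this model only handles the INPUT chain")
    return Rule(
        target=opts["-j"],
        proto=opts.get("-p"),
        src=opts.get("-s"),
        dst=opts.get("-d"),
        dport=int(opts["--dport"]) if "--dport" in opts else None,
        iface=opts.get("-i"),
    )


def verdict(chain: List[Rule], pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The two rules from the post, verbatim.
POSTED = [parse_rule(l) for l in (
    "iptables -A INPUT -p TCP --dport 22 -s 192.168.0.5 -d 192.168.0.10 -j ACCEPT",
    "iptables -A INPUT -j DROP",
)]

# Loopback allowed, SSH as before, SMB only from the (assumed) LAN, then drop.
LAN_MIN = [parse_rule(l) for l in (
    "iptables -A INPUT -i lo -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -s 192.168.0.5 -d 192.168.0.10 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 445 -s 192.168.0.0/24 -d 192.168.0.10 -j ACCEPT",
    "iptables -A INPUT -j DROP",
)]

# Constructed sample packets arriving at the host 192.168.0.10.
SAMPLES = {
    "ssh_from_5":   Packet("tcp", "192.168.0.5", "192.168.0.10", 22),
    "ssh_from_4":   Packet("tcp", "192.168.0.4", "192.168.0.10", 22),
    "ssh_from_6":   Packet("tcp", "192.168.0.6", "192.168.0.10", 22),
    "udp22_from_5": Packet("udp", "192.168.0.5", "192.168.0.10", 22),
    "loopback":     Packet("tcp", "127.0.0.1", "127.0.0.1", 22, iface="lo"),
    "smb_from_lan": Packet("tcp", "192.168.0.77", "192.168.0.10", 445),
    "smb_from_wan": Packet("tcp", "203.0.113.9", "192.168.0.10", 445),
}


def run(chain: List[Rule]) -> Dict[str, str]:
    return {name: verdict(chain, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, chain in (("posted", POSTED), ("lan_min", LAN_MIN)):
        print(label)
        for name, v in run(chain).items():
            print(f"  {name:14s} {v}")
```

Under the posted ruleset only the SSH packet from .5 is accepted; .4, .6, UDP to port 22, SMB from anywhere and even loopback fall through to the catch-all DROP, which is exactly the loopback caveat the post mentions. The second ruleset keeps that catch-all but adds the LAN-only SMB rule, so SMB from 192.168.0.77 is accepted while the same packet from 203.0.113.9 is dropped. One thing the model leaves out on purpose: without a `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule, a real ruleset ending in `-A INPUT -j DROP` also drops the replies to connections the server itself opens, so that rule normally sits near the top of INPUT.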