The Cable Guy - January 2004
New Networking Features in Microsoft Windows XP Service Pack 2
Microsoft Windows XP Service Pack 2 (SP2) includes new networking features to provide enhanced security, additional functionality for wireless users, peer-to-peer network application support, updates to Internet Protocol version 6 (IPv6), and a new Netstat tool option.
New Windows Firewall
Windows XP SP2 includes the new Windows Firewall, which replaces the Internet Connection Firewall (ICF) provided with Windows XP with Service Pack 1 (SP1) and Windows XP with no service packs installed. Windows Firewall is a stateful firewall that drops unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.
In Windows XP with SP1 and Windows XP with no service packs installed, ICF is disabled by default for all connections, unless changed by the Network Setup Wizard or Internet Connection Wizard. Manually enabling ICF is done per connection through a single checkbox on the Advanced tab of the properties of a connection, from which you can also configure the set of excepted traffic by specifying Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports.
In Windows XP SP2, there are many changes for Windows Firewall, including the following:
- Enabled by default for all the connections of the computer
- New global configuration options that apply to all connections
- New set of dialog boxes for local configuration
- New operating mode
- Startup security
- Excepted traffic can be specified by scope
- Excepted traffic can be specified by application filename
- Built-in support for IPv6
- New configuration options with Netsh and Group Policy
Enabled by Default for All the Connections of the Computer
Windows Firewall in Windows XP SP2 is globally enabled by default. This means that, by default, all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.
Although this behavior provides more protection for Windows XP-based computers, this default behavior can have consequences for the information technology (IT) department of an organization network with regards to application compatibility and the ability to manage the computers on the network.
For more information about how to deploy Windows Firewall in Windows XP SP2 in an enterprise environment, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.
New Global Configuration Options that Apply to All Connections
Windows Firewall in Windows XP SP2 allows you to configure settings that apply to all the connections of the computer (global configuration). In Windows XP with SP1 and Windows XP with no service packs installed, ICF settings are configured per connection, which means that if you want to enable Windows Firewall on multiple connections and configure excepted traffic, you must configure each connection separately. When you change a global Windows Firewall setting, the change is applied to all the connections on which Windows Firewall is enabled.
Windows Firewall in Windows XP SP2 also allows per-connection configuration. Connection-specific configuration overrides global configuration.
New Set of Dialog Boxes for Local Configuration
The settings for ICF in Windows XP with SP1 and Windows XP with no service packs installed consist of a single checkbox (the Protect my computer and network by limiting or preventing access to this computer from the Internet check box on the Advanced tab of the properties of a connection) and a Settings button from which you can configure excepted traffic, logging settings, and allowed ICMP traffic.
In Windows XP SP2, the check box has been replaced with a Settings button, which launches the new Windows Firewall component in Control Panel. From the new Windows Firewall dialog box, you can configure general settings, permissions for programs and services, connection-specific settings, log settings, and allowed ICMP traffic.
The following figure shows the new Windows Firewall dialog box.
For more information, see Manually Configuring Windows Firewall in Windows XP Service Pack 2, the February 2004 Cable Guy article.
New Operating Mode
With Windows XP with SP1 and Windows XP with no service packs installed, ICF is either enabled (allows solicited and excepted traffic) or disabled (allows all traffic).
With Windows XP SP2, a new operating mode can be selected, which corresponds to the Don't allow exceptions checkbox on the General tab of the Windows Firewall dialog box. When Windows Firewall is running in this new mode, all unsolicited incoming traffic is dropped, including excepted traffic. This mode can be used to temporarily lock down computers during a known network attack or when a malicious program is spreading. Once the network attack is over and appropriate updates are installed to prevent future attacks, then Windows Firewall can be placed in the normal operating mode (corresponding to the On (recommended) option), which allows excepted traffic.
In Windows XP with SP1 and Windows XP with no service packs installed, ICF is active on the connections on which it is enabled when the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service is started successfully. Therefore, when a computer running Windows XP with SP1 and Windows XP with no service packs installed is started, there is a delay between when the computer is active on the network and when the connections are protected with ICF. This delay makes it possible for the computer to be attacked by unsolicited traffic during startup.
In Windows XP SP2, there is a startup policy to perform stateful packet filtering, which allows the computer to perform basic networking startup tasks using Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) and communicate with a domain controller to obtain Group Policy updates. Once the Windows Firewall (WF)/Internet Connection Sharing (ICS) service is started, it uses its configuration and removes the startup policy. The startup policy settings cannot be configured.
Excepted Traffic Can be Specified by Scope
In Windows XP with SP1 and Windows XP with no service packs installed, the excepted traffic can originate from any IPv4 address. In Windows XP SP2, Windows Firewall allows you to specify that excepted traffic can originate from one of three scopes: any IPv4 or IPv6 address, an IPv4 or IPv6 address that is directly reachable (based on entries in the IPv4 and IPv6 routing tables), or from a list of one or more IPv4 addresses or IPv4 address ranges.
For more information about Windows Firewall behavior with different scopes, see Manually Configuring Windows Firewall in Windows XP Service Pack 2, the February 2004 Cable Guy article.
Excepted Traffic Can Be Specified by Application Filename
In Windows XP with SP1 and Windows XP with no service packs installed, you manually configure excepted traffic by specifying the set of TCP and UDP ports that correspond to the traffic of a specific application or service. This can make configuration difficult for users that do not know what the set of TCP and UDP ports for the application or service are or how to find them. Also, this configuration does not work for applications that do not listen on a specific set of UDP or TCP ports.
To make the specification of excepted traffic easier, it is possible in Windows XP with SP2 to configure the filename of the program (the application or service). When the program runs, Windows Firewall monitors the ports on which the program listens and automatically adds them to the list of excepted traffic.
To allow you to quickly enable exceptions for commonly allowed incoming unsolicited traffic, Windows Firewall has pre-defined programs for commonly used Windows components and services, such as File and Printer Sharing and Remote Assistance. Additionally, the notification mechanism in Windows Firewall allows local administrators to automatically add new programs to the excepted programs list after being prompted.
Built-in Support for IPv6
Windows XP SP2 includes the Internet Protocol version 6 (IPv6) that was included in the Advanced Networking Pack for Windows XP. IPv6 support is included with the Windows Firewall and automatically enabled on all IPv6 connections. Both IPv4 and IPv6 share the same settings for excepted traffic. For example, if you except file and print sharing traffic, then both IPv4 and IPv6-based unsolicited incoming file and print sharing traffic is allowed.
New Configuration Options with Netsh and Group Policy
With Windows XP with SP1 and Windows XP with no service packs installed, the only way to enable or disable ICF is through the Network Connections folder, the Network Setup Wizard, and the Internet Connection Wizard. To configure excepted traffic, you must either use the Network Connections folder or your application must be ICF-aware, in which case it automatically enables excepted traffic when it runs.
With Windows XP SP2, you have the following additional configuration options:
Netsh is a command-line tool through which you can configure settings for network components. To configure a component, it must support a set of commands through a Netsh context. Windows XP with SP1 and Windows XP with no service packs installed have no Netsh context for Windows Firewall. With Windows XP SP2, you can now configure Windows Firewall settings through a series of commands in the netsh firewall context. Using Netsh, you can create Netsh scripts to automatically configure a set of Windows Firewall settings for both TCP/IP and IPv6. For more information, see Appendix B of Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.
New configuration APIs
With Windows XP with SP1 and Windows XP with no service packs installed, there are APIs by which applications can automatically configure excepted traffic and configure ICF settings. With Windows XP SP2, there are new APIs through which you can configure Windows Firewall for both global and connection-specific settings for all the items that are available through the Windows Firewall Control Panel applet. You can use these APIs to create customized configuration programs that can be run by users on an organization network. For information about the new Windows Firewall APIs, see Windows Firewall in the Windows Software Development Kit (SDK).
Extensive support to configure settings using Group Policy
To centralize the configuration of large numbers of computers in an organization network that use the Active Directory directory service, Windows Firewall settings for computers running Windows XP with SP2 can be deployed through Computer Configuration Group Policy. A new set of Computer Configuration Group Policy Windows Firewall settings allow a network administrator to configure Windows Firewall operation modes, excepted traffic, and other settings using a Group Policy object.
When using the new Windows Firewall Group Policy settings, you can configure two different profiles:
The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the network that contains the domain controllers of the organization. For example, the domain profile might contain excepted traffic for the applications needed by a managed computer on an enterprise network.
The standard profile is the set of Windows Firewall settings that are needed when the computer is not connected to the network that contains the domain controllers of the organization. A good example is when an organization laptop is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.
The following figure shows the new Windows Firewall Group Policy settings.
If your browser does not support inline frames, click here to view on a separate page.
For more information, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2.
Wireless Provisioning Services
Wireless Provisioning Services (WPS) are enhancements included in Windows XP SP2 and being considered for inclusion in Windows Server 2003 Service Pack 1 (SP1). WPS extends the wireless client software included with Windows XP and the Internet Authentication Service (IAS) included with Windows Server 2003 to allow for a consistent and automated configuration process when connecting to the following:
- Public wireless hotspots that provide access to the Internet.
- Private organization wireless networks that provide guest access to the Internet.
When wireless clients connect to a public wireless hotspot and they are not already a customer of the wireless Internet service provider (WISP), the user of the wireless client is faced with the challenge of performing the following:
- Configuring network settings to connect to the WISP network.
- Providing identification and payment information to the WISP.
- Obtaining connection credentials.
- Reconnecting to the WISP network after valid credentials have been obtained.
WPS is designed to simplify, automate, and standardize initial sign-up and subscription renewal so that the user does not have to perform a different set of steps for each wireless provider to which they want to connect.
For more information about how WPS works for a WISP, see Wireless Provisioning Services Overview, the December 2003 The Cable Guy article.
Windows Peer-to-Peer Networking
Peer-to-peer networking is the utilization of the relatively powerful personal computers (PCs) that exist at the edge of the Internet for more than just client-based computing tasks. The modern PC has a very fast processor, vast memory, and a large hard disk, none of which are being fully utilized when performing common client/server computing tasks such as e-mail and Web browsing. The modern PC can easily act as both a client and server (a peer) for many types of applications.
Peer-to-peer networking has the following advantages over client/server networking:
- Content and resources can be shared from both the center and the edge of the network.
- A network of peers is easily scaled and more reliable than a single server.
- A network of peers can share its processor, consolidating computing resources for distributed computing tasks.
- Shared resources of peer computers can be directly accessed.
- Allows for efficient multipoint communication with having to rely on IP multicast infrastructure.
- Peer-to-peer networking enables or enhances real-time communications (RTC), collaboration, content distribution, and distributed processing.
To address the need for platform-based peer-to-peer networking capabilities, Microsoft now includes Windows Peer-to-Peer Networking in Windows XP SP2 as the Peer-to-Peer networking component, installed from the Networking Services category of Add/Remove Windows Programs.
For computers running Windows XP with SP1, you must install the Advanced Networking Pack for Windows XP.
Windows Peer-to-Peer Networking uses the Microsoft TCP/IP version 6 protocol as its network transport.
You can develop peer-to-peer applications using a set of Win32 functions for grouping, graphing, identity management, and more. For more information, see Windows XP Peer-to-Peer API Documentation. To develop Windows Peer-to-Peer Networking applications, you must install the Microsoft Windows XP Peer-to-Peer Software Development Kit (SDK).
For an example of a Windows Peer-to-Peer Networking application, you can download threedegrees (3'), a free application that uses the Windows Peer-to-Peer Networking platform to listen to a shared play list, send digital photos, and initiate group chats with MSN Messenger.
For more information about the architecture of Windows Peer-to-Peer Networking, see Windows Peer-to-Peer Networking, the November 2003 Cable Guy article.
Updates to IPv6
Windows XP SP2 includes the following updates to IPv6 that are included in the Advanced Networking Pack for Windows XP:
IPv6 ICF in the Advanced Networking Pack for Windows XP is a stateful firewall for IPv6 traffic that drops all unsolicited incoming IPv6 traffic, providing a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.
Windows Firewall includes the functionality of IPv6 ICF, with additional enhancements.
When connecting to the Internet, many computers running Windows XP are behind network address translators (NATs), which translate traffic between private addresses used on private and public addresses used on the Internet. Teredo, also known as IPv6 NAT traversal, is an IPv6/IPv4 transition technology that provides unicast IPv6 connectivity across the IPv4 Internet when the communicating peers are separated by one or more NATs.
When you install the IPv6 protocol on a computer running Windows XP with SP2, the Teredo component is automatically enabled. For the status of the Teredo component, type the netsh interface ipv6 show teredo command.
For more information about Teredo, see IPv6 Features in the Advanced Networking Pack for Windows XP, the April 2003 The Cable Guy article.
Netstat –b Option
The Netstat tool displays a variety of information about active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, and IPv4 and IPv6 statistics. In Windows XP SP2, the Netstat tool supports a new –b option that displays the set of components that are listening on each open TCP and UDP port.
Prior to Windows XP SP2, you can use the –o option to display the set of ports being listened on and the corresponding process ID (PID). You can then lookup the PID in the display of the tasklist /svc command to discover the name of the process that owns the port. However, in some cases, there are multiple services within a single process and it was not possible to determine which service within the process owned the port.
With the –b option, Netstat displays the TCP or UDP port, the file names corresponding to the components of the service that owns the port, and the PID. From the file names and PID, you can determine which of the services in the display of the tasklist /svc command owns the port.
For more information about additional changes to networking functionality in Windows XP SP2, see the following Cable Guy articles:
- The New Wireless Network Setup Wizard in Windows XP Service Pack 2
- Wireless LAN Enhancements in Windows XP Service Pack 2
For More Information
For more information about Windows XP SP2 and Windows Firewall, consult the following resources:
- Windows XP Service Pack 2 Resources for IT Professionals
- Deploying Internet Connection Firewall Settings for Microsoft Windows XP with Service Pack 2
- Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2
For a list of all The Cable Guy articles, click here.