The Cable Guy - February 2004
Manually Configuring Windows Firewall in Windows XP Service Pack 2
Windows XP Service Pack 2 (SP2) includes the new Windows Firewall, which replaces the Internet Connection Firewall (ICF). Windows Firewall is a stateful host-based firewall that drops unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers on a network.
In Windows XP SP2, there are many new features for Windows Firewall, including the following:
- Enabled by default for all the connections of the computer
- New global configuration options that apply to all connections
- New set of dialog boxes for local configuration
- New operating mode
- Startup security
- Excepted traffic can be specified by scope
- Excepted traffic can be specified by application filename
- Built-in support for Internet Protocol version 6 (IPv6) traffic
- New configuration options with Netsh and Group Policy
For more information about these changes, see New Networking Features in Windows XP Service Pack 2, the January 2004 Cable Guy article.
This article describes in detail the set of dialog boxes to manually configure the new Windows Firewall. Unlike ICF in Windows XP with Service Pack 1 (SP1) and Windows XP with no service packs installed, the configuration dialog boxes configure both IPv4 and IPv6 traffic.
The settings for ICF in Windows XP with SP1 and Windows XP with no service packs installed consist of a single checkbox (the Protect my computer and network by limiting or preventing access to this computer from the Internet check box on the Advanced tab of the properties of a connection) and a Settings button from which you can configure excepted traffic, logging settings, and allowed ICMP traffic.
In Windows XP SP2, the check box on the Advanced tab of the properties of a connection has been replaced with a Settings button from which you can configure general settings, permissions for programs and services, connection-specific settings, log settings, and allowed ICMP traffic. The Settings button launches the new Windows Firewall Control Panel applet, which is also available from the Network and Internet Connections and Security Center categories of Control Panel.
The new Windows Firewall dialog box contains the following tabs:
The General tab with its default settings is shown in the following figure.
From the General tab, you can select the following:
Select to enable Windows Firewall for all of the network connections that are selected on the Advanced tab. Windows Firewall is enabled to allow only solicited and excepted incoming traffic. Excepted traffic is configured on the Exceptions tab.
Don't allow exceptions
Click to allow only solicited incoming traffic. Excepted incoming traffic is not allowed. The settings on the Exceptions tab are ignored and all of the network connections are protected, regardless of the settings on the Advanced tab.
Off (not recommended)
Select to disable Windows Firewall. This is not recommended, especially for network connections that are directly accessible from the Internet, unless you are already using a third-party host firewall product.
Notice that the default setting for Windows Firewall is On (recommended) for all the connections of a computer running Windows XP with SP2 and for newly created connections. This can impact the communications of programs or services that rely on unsolicited incoming traffic. In this case, you must identify those programs that are no longer working and add them or their traffic as excepted traffic. Many programs, such as Internet browsers and email clients (such as Outlook Express), do not rely on unsolicited incoming traffic and operate properly with Windows Firewall enabled.
If you are using Group Policy to configure Windows Firewall for computers running Windows XP with SP2, the Group Policy settings you configure might not allow local configuration. In this case, the options on the General tab and the other tabs might be grayed out and unavailable, even when you log on with an account that is a member of the local Administrators group (a local administrator).
Group Policy-based Windows Firewall settings allow you to configure a domain profile (a set of Windows Firewall settings that are applied when you are attached to a network that contains domain controllers) and standard profile (a set of Windows Firewall settings that are applied when you are attached to a network that does not contain domain controllers, such as the Internet). The configuration dialog boxes only display the Windows Firewall settings of the currently applied profile. To view the settings of the profile that are not currently applied, use netsh firewall show commands. To change the settings of the profile that are not currently applied, use netsh firewall set commands.
The Exceptions tab with its default settings is shown in the following figure.
From the Exceptions tab, you can enable or disable an existing program (an application or service) or port or maintain the list of programs and ports that define excepted traffic. The excepted traffic is not allowed when the Don't allow exceptions option is selected on the General tab.
With Windows XP with SP1 and Windows XP with no service packs installed, you could define the excepted traffic only in terms of Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports. With Windows XP with SP2, you can define excepted traffic in terms of TCP and UDP ports or by the file name of a program (an application or service). This configuration flexibility makes it easier to configure excepted traffic when the TCP or UDP ports of the program are not known or are dynamically determined when the program is started.
There are a set of pre-defined programs, which include:
- File and Print Sharing
- Remote Assistance (enabled by default)
- Remote Desktop
- UPnP framework
These predefined exceptions can be disabled, but not deleted.
If allowed by Group Policy, you can create additional exceptions based on specifying a program name by clicking Add Program and exceptions based on specifying a TCP or UDP port by clickingAdd Port.
When you click Add Program, the Add Program dialog box is displayed from which you can select a program or browse for a program's file name. An example is shown in the following figure.
When you click AddPort, the Add a Port dialog box is displayed, from which you can configure a TCP or UDP port. An example is shown in the following figure.
The new Windows Firewall allows you to specify the scope of excepted traffic. The scope defines the portion of the network from which the excepted traffic is allowed to originate. To define the scope for a program or port, click Change Scope. An example is shown in the following figure.
You have three options when defining the scope for a program or a port:
Any computer (including those on the Internet)
Excepted traffic is allowed from any IPv4 or IPv6 address. This setting might make your computer vulnerable to attacks from malicious users or programs on the Internet.
My network (subnet) only
Excepted traffic is allowed only from IPv4 or IPv6 addresses that are directly reachable by your computer. Windows Firewall determines whether the source IPv4 or IPv6 address of the incoming packet is directly reachable by querying the IPv4 and IPv6 routing tables. The set of addresses considered directly reachable depends on the contents of your IPv4 and IPv6 routing tables. For example, you can see all the destinations that are considered directly reachable by typing the route print command at a command prompt. For the IPv4 routing table, all IPv4 addresses that match the routes in which the IPv4 address of the Gateway column equals the IPv4 address of the Interface column are considered directly reachable. For the IPv6 routing table, all IPv6 addresses that match routes in which the Gateway column is set to On-link are considered directly reachable. Therefore, the set of directly reachable addresses is directly dependent upon your networking configuration, as specified by the IPv4 and IPv6 configuration of LAN-based connections (such as Ethernet and 802.11 wireless), dial-up connections, and broadband Internet connections. In some Internet configurations, all destinations are considered directly reachable.
For example, for a computer that is only directly connected to a private home network, the set of directly reachable unicast addresses is confined to those that match the IPv4 network ID of the private subnet. If the network connection is configured with an IPv4 address of 192.168.0.99 with a subnet mask of 255.255.0.0, the configured excepted traffic is only allowed from IPv4 addresses in the range 192.168.0.0 to 192.168.255.255.
As another example, for a computer that is directly connected to both a private home network and the Internet through a cable modem, the set of directly reachable unicast addresses are those that match either the network ID of the private subnet or the cable modem provider subnet. For example, if the private network connection is configured with an IPv4 address of 192.168.0.1 and a subnet mask of 255.255.0.0 and the cable modem connection is configured with an IPv4 address of 126.96.36.199 and a subnet mask of 255.255.255.0, the configured excepted traffic received by either network connection is allowed from IPv4 addresses in the ranges from 192.168.0.0 to 192.168.255.255 and from 188.8.131.52 to 184.108.40.206. Due to the way that the Windows Firewall determines directly reachable traffic, the computer in this configuration is vulnerable to the configured excepted traffic from other computers on the cable modem's subnet. Note that this vulnerability does not extend to other computers on the Internet that are not connected to the same cable modem subnet as the computer in this configuration.
To reduce the vulnerability of this Internet-connected computer from other computers on the cable modem's subnet, do not use the My network (subnet) only scope option. Use the Custom list scope option and specify the IPv4 address range that corresponds to your private subnet's network ID. For this example, you would configure a custom address range of 192.168.0.0/16. However, this computer is still vulnerable to incoming traffic from potentially malicious Internet users that send traffic from the 192.168.0.0/16 address range. This technique of sending traffic from addresses other than those assigned is known as spoofing.
As another example, some dial-up connections to the Internet consider all destinations to be directly reachable. This occurs when the default route in the routing table has the same address in the Gateway and Interface columns. The default route has the Network Destination of 0.0.0.0 and a Netmask of 0.0.0.0 To prevent this configuration from making the computer vulnerable to Internet hosts when using the My network (subnet) only scope option, download and install the Critical Update for Windows XP Service Pack 2 886185 either through Windows Update or from the Description of the Critical Update for Windows XP Service Pack 2 Knowledge Base article. When installed, Windows XP SP2 no longer considers destinations that match the default route as being directly reachable when you use the My network (subnet) only scope option. This update is included in Windows Server 2003 Service Pack 1.
You can specify one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). An example custom list is the following: 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24
You cannot specify a custom list for IPv6 traffic.
Before enabling any exception, carefully consider whether the exception is needed at all. Every enabled exception exposes your computer to attack, regardless of the scope. There is no way to guarantee invulnerability once the exception is enabled.
When you configure and enable an exception, you are instructing the Windows Firewall to allow specific unsolicited incoming traffic sent from the specified scope: from any address, from a directly reachable address, or from a custom list. For any scope, enabling an exception makes the computer vulnerable to attacks based on incoming unsolicited traffic from computers that are assigned the allowed addresses and from malicious computers that spoof traffic. There is no way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses, except to disable the exception. Therefore, you should very carefully consider and properly configure the scope of each Windows Firewall exception to minimize the associated exposure.
Once the program or port is added, it is disabled by default in the Programs and Services list.
All of the programs or services enabled from the Exceptions tab are enabled for all of the connections that are selected on the Advanced tab.
The Advanced tab is shown in the following figure.
The Advanced tab contains the following sections:
- Network Connection Settings
- Security Logging
- Default Settings
Network Connections Settings
In Network Connection Settings, you can:
- Specify the set of interfaces on which Windows Firewall is enabled. To enable, select the check box next to the network connection name. To disable, clear the check box. By default, all of the network connections have Windows Firewall enabled. If a network connection does not appear in this list, then it is not a standard networking connection. Examples include some custom dialers from Internet service providers (ISPs).
- Configure advanced settings of an individual network connection by clicking the network connection name, and then clicking Settings.
If you clear all of the check boxes in the Network Connection Settings, then Windows Firewall is not protecting your computer, regardless of whether you have selected On (recommended) on the General tab. The settings in Network Connection Settings are ignored if you have selected Don't allow exceptions on the General tab, in which case all interfaces are protected.
When you click Settings, the Advanced Settings dialog box is displayed, as shown in the following figure.
From the Advanced Settings dialog box, you can configure specific services from the Services tab (by TCP or UDP port only) or enable specific types of ICMP traffic from the ICMP tab. These two tabs are equivalent to the settings tabs for ICF configuration in Windows XP with SP1 and Windows XP with no service packs installed.
In Security Logging, click Settings to specify the configuration of Windows Firewall logging in the Log Settings dialog box, as shown in the following figure.
From the Log Settings dialog box, you can configure whether to log discarded (dropped) packets or successful connections and specify the name and location of the log file (by default set to Systemroot\pfirewall.log) and its maximum size.
In ICMP, click Settings to specify the types of ICMP traffic that are allowed in the ICMP dialog box, as shown in the following figure.
From the ICMP dialog box, you can enable and disable the types of incoming ICMP messages that Windows Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting error conditions, and configuration. By default, no ICMP messages in the list are allowed.
A common step in troubleshooting connectivity problems is to use the Ping tool to ping the address of the computer to which you are trying to connect. When you ping, you send an ICMP Echo message and get an ICMP Echo Reply message in response. By default, Windows Firewall does not allow incoming ICMP Echo messages and therefore the computer cannot send an ICMP Echo Reply in response. To configure Windows Firewall to allow the incoming ICMP Echo message, you must enable the Allow incoming echo request setting.
Click Restore Defaults to reset Windows Firewall back to its originally installed state. When you click Restore Defaults, you are prompted to verify your decision before Windows Firewall settings are changed.
Windows Firewall Notifications
Applications can use Windows Firewall application programming interface (API) function calls to automatically add exceptions. When an application that does not use the Windows Firewall API runs and attempts to listen on TCP or UDP ports, Windows Firewall prompts a local administrator with a Windows Security Alert dialog box, an example of which is shown in the following figure.
The local administrator can choose one of the following:
- Keep Blocking Adds the application to the exceptions list but in a Disabled state so that the ports are not opened. Unsolicited incoming traffic for the application is blocked unless the local administrator specifically enables the exception on the Exceptions tab. By adding the application to the exceptions list, Windows Firewall does not prompt the user every time the application is run.
- Unblock Adds the application to the exceptions list but in an Enabled state so that the ports are opened.
- Ask Me Later Block unsolicited incoming traffic for the application and do not add it to the exceptions list. The local administrator will be prompted again the next time the application is run.
To determine the path of the application from the Windows Security Alert dialog box, place the mouse pointer over the name or description of the application. The displayed tool tip text indicates the path to the application.
If the user is not a local administrator, the Windows Security Alert dialog box informs the user that the traffic is being blocked, and to contact their network administrator for more information.
Services do not prompt the user with a Windows Security Alert dialog box. Therefore, you should manually configure exceptions for them.
For More Information
For more information about Windows XP SP2, consult the following resources:
- New Networking Features in Windows XP Service Pack 2, the January 2004 Cable Guy article
- Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
- Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2
For a list of all The Cable Guy articles, click here.