Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images


Neil Marlowe
Microsoft Corporation

March 2004

Applies to: Microsoft® Windows® XP Embedded with Service Pack 1

Summary: In Windows XP Embedded with Service Pack 1, Internet Connection Firewall (ICF) is disabled by default. This technical article provides details about how to enable ICF by creating a custom ICF component, adding the custom component to a configuration, and then deploying and testing the run-time image.

This technical article is written for Microsoft partners who develop and deploy Windows XP Embedded images to networked devices, and it assumes a proficiency in using Microsoft Windows Embedded Studio (Component Designer, Component Database Manager, and Target Designer). For in-depth help with Windows Embedded Studio tools and concepts, see the For More Information section at the end of this article.

Contents

Introduction
Download the ICF Tool
Create a Custom Component
Add the Custom Component to Your Configuration
Deploy and Test the Run-Time Image
Other Considerations
For More Information

Introduction

All networked devices, not just devices connected to the Internet, are vulnerable to attacks by hackers, viruses, and worms. If unchecked, these attacks may attempt to:

  • Access personal information.
  • Damage hardware, software, or data.
  • Spread across networks, consuming memory or network bandwidth.

Although Microsoft® Windows® XP Embedded with Service Pack 1 includes Internet Connection Firewall in the component called Internet Connection Sharing/Personal Firewall, the firewall is not automatically enabled when an image containing this component is deployed. There are two ways to enable ICF:

  • Programmatically with First Boot Agent (FBA), the first time a run-time image starts on a device. This method helps reduce the risk of attack during and after FBA.
  • Manually on each device after the run-time image has been installed, through the user interfaces (UIs) in Network Connection Manager. The disadvantages of this method are that the required Network Connection Manager components increase the image's footprint, ICF must be manually enabled on each device, and the run-time image is vulnerable to attack prior to ICF being enabled.

The scope of this article is to programmatically enable ICF during initial startup by FBA, to help reduce the risk of attacks. The steps to enable ICF are as follows:

  1. Download the ICF tool.
  2. Create a custom component.
  3. Add the custom component to your configuration.
  4. Deploy and test the run-time image.

Note   Most services that communicate over the network are not affected by enabling ICF. For example, with a service like Device Update Agent (DUA), you do not need to create and/or enable any ICF service port mappings.

Advanced configuration of Internet Connection Firewall in Windows XP Embedded with Service Pack 1 images is not covered in this technical article.

Download the ICF Tool

With the ICF application programming interfaces (APIs) supported in Windows XP Embedded with Service Pack 1, you can configure your network environment by using C, C++, the Microsoft Visual Basic® development system, Visual Basic Scripting Edition (VBScript), or Microsoft JScript® development software. This article discusses how to programmatically enable ICF by using a Microsoft Win32® console application. Although you can enable ICF by using VBScript or JScript, these scripting options depend on the Windows Script Engine component, which may increase the footprint of your run-time image.

The downloadable ICF tool (ICFUtil.exe), which is used later in this article in the FBA Generic Command, accepts the following command-line arguments. None of the switches is case sensitive.

Argument
    Description

/ENABLE
    Enables the firewall on each network connection.

/STATUS
    Reports the status of ICF on each network connection.

/?
    Displays usage information.

/CLOSESERVICES
    Disables all ICF service port mappings on all network connections, including network connections made through remote access.

/ADDSERVICE
    Adds a new ICF service port mapping to all network connections, and either enables or disables the added mapping depending on the first of the additional command-line arguments. If the ICF service port mapping already exists, the existing mapping is enabled or disabled instead. The switch takes the following additional command-line arguments:

  • Enable/Disable
  • Service Name

    Note   The tool will not accept a zero-length string.
  • External Port

    Note   The tool accepts only numbers in the range 1 through 65535.
  • Internal Port

    Note   The tool accepts only numbers in the range 1 through 65535.
  • Target Name or IP Address

    Note   The tool accepts only Internet Protocol (IP) addresses in the range 1.1.1.1 through 249.249.249.249.
  • Protocol

    Note   The values are either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).

/Q
    Quiet mode: all UI output is suppressed. Quiet mode consists of the /Q switch, optionally combined with the logging switch /L path_name.

    Note   One of the features of ICF is to warn users of possible unauthorized changes to ICF. ICF therefore displays a warning message every time the firewall is enabled, except when the /Q switch is provided.

/L path_name
    Logs all actions to the file that the path name indicates. If the log file does not exist, it is created silently; if it does exist, the actions are appended to the end of the file. If the path name is not provided, the log file is created in a default location. This switch is ignored unless it appears in conjunction with the /Q switch.
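The same enable, status and service-mapping operations as the tool's /ENABLE, /STATUS and /ADDSERVICE switches, written as an added VBScript example; this is not the ICF tool's source and is not part of the original article. It drives the HNetCfg.HNetShare COM object that the Internet Connection Sharing/Personal Firewall component exposes (the ICF API referred to above), so it also needs the Windows Script Engine component whose footprint the article warns about. The constant values, the service name and the 192.0.2.10 placeholder address are assumptions.

```vbscript
Option Explicit
' ICS/ICF type-library constants (values assumed here): IP protocol numbers, target type, enum flag
Const NAT_PROTOCOL_TCP = 6, NAT_PROTOCOL_UDP = 17, ICSTT_IPADDRESS = 1, ICSSC_DEFAULT = 0
Dim mgr: Set mgr = CreateObject("HNetCfg.HNetShare")   ' Internet Connection Sharing/Personal Firewall API

' /ENABLE and /STATUS equivalent: report the ICF state of each connection, enabling ICF where it is off
Sub EnableFirewallEverywhere()
    Dim conn, cfg, connName
    For Each conn In mgr.EnumEveryConnection
        connName = mgr.NetConnectionProps(conn).Name
        Set cfg = mgr.INetSharingConfigurationForINetConnection(conn)
        If cfg.InternetFirewallEnabled Then
            WScript.Echo "Firewall already enabled on connection: """ & connName & """."
        Else
            cfg.EnableInternetFirewall
            WScript.Echo "Firewall enabled on connection: """ & connName & """."
        End If
    Next
End Sub

' /ADDSERVICE equivalent: add a service port mapping on every connection (reusing one that already
' exists under the same name), applying the ICF tool's input checks, then enable or disable it
Sub AddServiceMapping(svcName, protocol, extPort, intPort, targetIp, enable)
    Dim proto, conn, cfg, pm, existing
    If Len(svcName) = 0 Then Err.Raise 5, , "Service name must not be empty"
    If extPort < 1 Or extPort > 65535 Or intPort < 1 Or intPort > 65535 Then Err.Raise 5, , "Ports must be 1 through 65535"
    Select Case UCase(protocol)
        Case "TCP": proto = NAT_PROTOCOL_TCP
        Case "UDP": proto = NAT_PROTOCOL_UDP
        Case Else: Err.Raise 5, , "Protocol must be TCP or UDP"
    End Select
    For Each conn In mgr.EnumEveryConnection
        Set cfg = mgr.INetSharingConfigurationForINetConnection(conn)
        Set pm = Nothing
        On Error Resume Next   ' assumed: AddPortMapping fails when a mapping with this name already exists
        Set pm = cfg.AddPortMapping(svcName, proto, extPort, intPort, 0, targetIp, ICSTT_IPADDRESS)
        On Error GoTo 0
        If pm Is Nothing Then   ' fall back to the existing mapping of the same name
            For Each existing In cfg.EnumPortMappings(ICSSC_DEFAULT)
                If StrComp(existing.Properties.Name, svcName, vbTextCompare) = 0 Then Set pm = existing
            Next
        End If
        If Not pm Is Nothing Then
            If enable Then pm.Enable Else pm.Disable
        End If
    Next
End Sub
EnableFirewallEverywhere
' Constructed usage: allow the NetBIOS session port (TCP 139) from the SMS section; 192.0.2.10 stands in for the device's own address
AddServiceMapping "NetBIOS Session Service", "TCP", 139, 139, "192.0.2.10", True
```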

Create a Custom Component

The new component does not replace the current Internet Connection Sharing/Personal Firewall component. Instead, this component helps define the state of ICF when the device starts for the first time. Because the only way to enable ICF during image deployment is programmatically, you must create an FBA Generic Command that runs the ICF tool. The following diagram illustrates the FBA sequence.

Figure 1. FBA sequence

The following steps outline the process of using Component Designer to create a custom component:

  1. Create and save a new component definition (.sld) file.

    Note   Create a flat file structure for the location of this .sld file and the ICF repository you create in the next step.

  2. Create a new physical repository for the component definition.

    The repository must contain the ICF tool.

    For example, create a new physical repository called "ICF Repository."

    Note   The repository source path should be the same as the path to the .sld file saved in the previous step.

  3. Add a new component to the component definition file. When adding the new component, you may want to consider the following:

    • When defining the component's repository, make sure that you select the physical repository that contains the ICF tool. For example, select the "ICF Repository" created in step 2.
    • To simplify the image development process, you can create a macro component that will create dependencies on all of the components required for ICF. To create a macro component, set the component's Prototype property to Selector Prototype Component in Component Designer. This prototype can be found under Software\Test & Development.

    This component will be used to enable ICF. You can name it "ICF Component."

  4. Add the ICF tool to the component.

    By default, the destination path of the file is the file's current path. To change the destination path, use parameters to define the path value. For example, change the destination path to the \Windows folder by using the path value %10%.

  5. Add a new FBA Generic Command resource to the configuration.

    After this resource is fully configured, it will enable ICF during the FBA phase.

    You can create an FBA Generic Command called "FBA Generic Command – Enable ICF" with the following extended properties:

    • Arguments. This property passes the arguments to the application defined in the FilePath property. Set this property to /enable /Q.

    Note   The quiet mode (/Q) switch is optional.

    • FilePath. Set this property to the parameterized path of the application, namely %10%\ICFUtil.exe (\Windows\ICFUtil.exe).
    • Phase. This numeric property defines when the FBA Generic Command is run in the FBA sequence. To enable ICF as soon as the network has been configured, set the property to 4501.

  6. After defining the component, save it and import it into the component database.

Add the Custom Component to Your Configuration

  1. In Target Designer, create a new configuration or open an existing one.
  2. If your image does not already have the Internet Connection Sharing/Personal Firewall component, add the component to your configuration. The component is located in the Software\System\Networking & Communications folder in the component browser.
  3. Add your custom component called "ICF Component" to your configuration.
  4. After adding the component, check and resolve all component dependencies, and then build the image.

Deploy and Test the Run-Time Image

After resolving dependencies and building the run-time image, the run-time image is ready to be deployed. When the reference device starts for the first time, the First Boot Agent runs. Depending on your configuration, the device may restart one or more times. When FBA runs the FBA Generic Command created previously, expect to see the application run in a Windows command shell. The following is a sample output from the "FBA Generic Command – Enable ICF" command:

C:\Windows\ICFUtil.exe /enable /Q
ICFUtil: Firewall disabled on connection: "Local Area Connection".
ICFUtil: Firewall enabled on connection: "Local Area Connection".

Note   One of the features of ICF is to warn users of possible unauthorized changes to ICF. ICF therefore displays a warning message every time the firewall is enabled, except when the /Q switch is provided.

To confirm that the FBA Generic Command was successfully run, review the FBA log file (Fbalog.txt) located in the \Windows\FBA directory. You should find entries similar to the following:

17:23:33 PM -  [FBASetProgressText] Installing Components... 
17:27:57 PM -  [FBALaunch] C:\WINDOWS\ICFUtil.exe /enable (ExitCode: 0x0) 
17:27:57 PM -  [FBASetProgressText] Replacing System Hives... 

At this point, ICF is enabled and unsolicited messages sent to the device are ignored. For example, you should not be able to connect to the device through Remote Desktop Protocol (RDP) unless an RDP ICF service port mapping has been created and/or enabled.
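One way to automate the Fbalog.txt check above, as an added VBScript example rather than anything from the article: it maps every [FBALaunch] entry to its exit code and reports whether the ICF tool ran and returned 0x0. The log lines embedded in the script are constructed to match the format shown above; a comment shows how to read the real file from the \Windows\FBA directory instead.

```vbscript
Option Explicit

' Constructed sample in the Fbalog.txt format shown in the article
Dim sampleLog
sampleLog = "17:23:33 PM -  [FBASetProgressText] Installing Components... " & vbCrLf & _
            "17:27:57 PM -  [FBALaunch] C:\WINDOWS\ICFUtil.exe /enable (ExitCode: 0x0) " & vbCrLf & _
            "17:27:57 PM -  [FBASetProgressText] Replacing System Hives... "

' Map each [FBALaunch] command line to its numeric exit code
Function ParseFbaLaunches(logText)
    Dim re, m, launches
    Set launches = CreateObject("Scripting.Dictionary")
    Set re = New RegExp
    re.Global = True
    re.Pattern = "\[FBALaunch\]\s+(.+?)\s+\(ExitCode:\s*0x([0-9A-Fa-f]+)\)"
    For Each m In re.Execute(logText)
        launches(m.SubMatches(0)) = CLng("&H" & m.SubMatches(1))
    Next
    Set ParseFbaLaunches = launches
End Function

' True only if the ICF tool was launched at least once and every launch exited with 0x0
Function IcfToolSucceeded(launches)
    Dim cmd, found, failed
    found = 0: failed = 0
    For Each cmd In launches.Keys
        If InStr(1, cmd, "ICFUtil.exe", vbTextCompare) > 0 Then
            found = found + 1
            If launches(cmd) <> 0 Then failed = failed + 1
            WScript.Echo cmd & " -> ExitCode 0x" & Hex(launches(cmd))
        End If
    Next
    IcfToolSucceeded = (found > 0 And failed = 0)
End Function

' On a deployed device, read the real log instead of the sample:
' logText = CreateObject("Scripting.FileSystemObject").OpenTextFile("C:\Windows\FBA\Fbalog.txt", 1).ReadAll
If IcfToolSucceeded(ParseFbaLaunches(sampleLog)) Then
    WScript.Echo "ICF tool ran during FBA and returned 0x0."
Else
    WScript.Echo "ICF tool did not run or returned a non-zero exit code; check Fbalog.txt."
End If
```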

Other Considerations

Servicing or environmental considerations may affect your run-time image after the image is deployed. When designing or building your configuration, consider the following topics.

Group Policy

Group Policy enables policy-based administration. Group Policy uses the Active Directory® directory service and security group membership to provide flexibility and to support extensive configuration information. Unlike profile settings, which are often specified by a user, policy settings are specified by an administrator.

If your device has a group policy applied to it, your device will inherit the ICF settings defined by the policy. If the group policy dictates that ICF should be disabled, the Group Policy settings will supersede the ICF settings discussed in this article. If this is the case, the Group Policy may need to be updated.

Device Update Agent

If you enable ICF on a device that uses Device Update Agent, the servicing of your device should not be affected, because DUA initiates the request. Because the incoming response arrives on the same port, ICF permits the communication to flow through.

Systems Management Server

If you use Microsoft Systems Management Server (SMS) to service remote devices that have ICF enabled, SMS will not be able to service the devices unless ICF service port mappings are configured and/or enabled.

For example, if you use network basic input/output system (NetBIOS) over TCP/IP for SMS remote control, the following ports need to be configured:

  • Name resolution on port 137
  • Messaging on port 138
  • Client sessions on port 139

Additional FBA commands

Aside from the preceding SMS example, there may be cases where you need to create additional components and/or FBA commands, such as when you use RDP to connect to your device, or when your device needs to respond to specific remote procedure calls (RPCs).

For More Information

See these Microsoft websites:

  • Security & Privacy
  • Internet Connection Sharing and Internet Connection Firewall Reference
  • Component Designer Overview
  • Creating an .SLD file
  • Adding a New Repository
  • Creating a Macro Component
  • Creating a Component
  • Adding a File to a Configuration
  • Adding a Resource to a Configuration
  • FBA Generic Command
  • Importing Components into the Database
  • Adding a Component to a Configuration
  • Checking Dependencies
  • Designing a Run-Time Image
  • Target Designer Overview
  • Step 7: Deploying the Windows XP Embedded Run-Time Image
  • Device Update Agent
  • Microsoft Systems Management Server
  • Ports That Systems Management Server 2003 Uses to Communicate Through a Firewall or Through a Proxy Server