Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2

  • Article

Overview

Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic.

Windows Firewall is also included with Windows Server 2003 Service Pack 1 (SP1), now in Beta testing. For more information, see "Appendix H: Windows Firewall in Windows Server 2003 Service Pack 1" in this article.

On this page

New Features of Windows Firewall
Windows XP SP2 and the Impact to Enterprise Networks
Allowing Users to Install Windows XP SP2 from Windows Update
Using Windows XP SP2 Windows Firewall and IPSec

New Features of Windows Firewall

In Windows XP SP2, there are many new features for the Windows Firewall, including the following:

  • Enabled by default for all of the connections of the computer
  • New global configuration options that apply to all connections
  • New Windows Firewall component of Control Panel
  • New New operating mode
  • Startup security
  • Incoming traffic scoping for IPv4
  • Excepted traffic can be specified by program filename
  • Built-in support for IPv6
  • New configuration options
  • Configuration using group policy settings

Enabled by Default for All of the Connections of the Computer

In Windows XP with Service Pack 1 (SP1) and Windows XP with no service packs installed, ICF is disabled by default for all connections, unless enabled for an Internet connection by the Network Setup Wizard or Internet Connection Wizard. You can manually enable ICF through a single checkbox on the Advanced tab of the properties of a connection, from which you can also configure the set of excepted traffic by specifying Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) ports.

Windows Firewall in Windows XP SP2 is globally enabled by default. This means that, by default, all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.

Although this provides more protection for Windows XP-based computers, this default behavior can have consequences for the information technology (IT) department of an organization network with regards to application compatibility and the ability to manage the computers on the network. For more information, see "Windows XP SP2 and the Impact to Enterprise Networks" in this article.

New Global Configuration Options that Apply to All Connections

Windows Firewall in Windows XP SP2 allows you to configure settings that apply to all the connections of the computer (global configuration). In Windows XP with SP1 and Windows XP with no service packs installed, ICF settings are configured per connection, which means that if you want to enable ICF on multiple connections and configure excepted traffic, you must configure each connection separately. When you change a global Windows Firewall setting, the change is applied to all the connections on which Windows Firewall is enabled.

Windows Firewall in Windows XP SP2 also allows per-connection configuration. Connection-specific configuration overrides global configuration.

New Windows Firewall Component of Control Panel

The settings for ICF in Windows XP with SP1 and Windows XP with no service packs installed consist of the Protect my computer and network by limiting or preventing access to this computer from the Internet check box on the Advanced tab of the properties of a connection, and a Settings button from which you can configure excepted traffic, logging settings, and excepted ICMP traffic.

In Windows XP SP2, the check box on the Advanced tab of the properties of a connection has been replaced with a Settings button, which launches the new Windows Firewall component in Control Panel, from which you can configure general settings, exceptions for programs (applications and services), connection-specific settings, log settings, and excepted ICMP traffic. The following figure shows the new Windows Firewall dialog box.

wsfp1201.gif

You can also configure Windows Firewall from the new Security Center.

For a detailed description of the settings and options of the new Windows Firewall component in Control Panel, see Manually Configuring Windows Firewall in Windows XP Service Pack 2.

The only users who can make changes to Windows Firewall settings are those who log on to the computer with a user account that is a member of the local Administrators group, referred to throughout this article as local administrators. When you configure Windows Firewall in an organization network using Group Policy, depending on the Group Policy settings, some of the local Windows Firewall configuration options might be grayed out and unavailable, even for local administrators.

New Operating Mode

With Windows XP with SP1 and Windows XP with no service packs installed, ICF is either enabled (allows solicited and excepted traffic) or disabled (allows all traffic).

With Windows XP SP2, you can select a new operating mode corresponding to the Don't allow exceptions check box on the General tab of the new Windows Firewall dialog box. When Windows Firewall is running in this new mode, all unsolicited incoming traffic is dropped, including excepted traffic. This new mode can be used when connecting to the Internet from a public location, such as a hotel or airport, or inside an organization network to temporarily lock down computers during a network attack or when a malicious program is spreading. Once the network attack is over and appropriate updates are installed to prevent future attacks, then Windows Firewall can be placed in the normal operating mode that allows excepted traffic. All of the original settings for excepted traffic are maintained.New Operating Mode

Startup Security

In Windows XP with SP1 and Windows XP with no service packs installed, ICF is active on the connections on which it is enabled when the Internet Connection Firewall (ICF)/Internet Connection Sharing (ICS) service is started successfully. Therefore, when a computer running Windows XP with SP1 and Windows XP with no service packs installed is started, there is a delay between when the computer is active on the network and when the connections are protected with ICF. This delay makes the computer vulnerable to attacks during startup.

In Windows XP SP2, there is a startup Windows Firewall policy to perform stateful packet filtering, which allows the computer to perform basic networking startup tasks using Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS) protocol to configure the computer and communicate with a domain controller to obtain Group Policy updates. Once the Windows Firewall (WF)/Internet Connection Sharing (ICS) service is started, it uses its configuration and removes the startup policy. The startup policy settings cannot be configured.

Incoming Traffic Scoping

In Windows XP with SP1 and Windows XP with no service packs installed, the excepted traffic can originate from any IPv4 address. In Windows XP SP2, Windows Firewall allows you to specify that excepted traffic can originate from any IPv4 address, from an IPv4 address that is directly reachable (based on IPv4 routing table entries), from one or more specific IPv4 addresses, or from one or more ranges of IPv4 addresses. This is known as configuring the incoming traffic scope.

For incoming IPv6 traffic, Windows Firewall allows you to specify that excepted traffic can originate from any IPv6 address or from an IPv6 address that is directly reachable (based on IPv6 routing table entries).

For more information about the behavior of Windows Firewall for different types of traffic scopes, see Manually Configuring Windows Firewall in Windows XP Service Pack 2.

Excepted Traffic Can Be Specified by Program Filename

In Windows XP with SP1 and Windows XP with no service packs installed, you manually configure excepted traffic by specifying the set of TCP and UDP ports that correspond to the traffic of a specific program, which can be either an application or service. This can make configuration difficult for users that do not know the set of TCP and UDP ports for the application or service or how to find them. Also, this configuration does not work for applications that do not listen on a specific set of UDP or TCP ports.

To make the specification of excepted traffic easier, it is possible in Windows XP SP2 to configure excepted traffic by either specifying the set of TCP or UDP ports or the filename of the program (application or service). When the program runs, Windows Firewall monitors the ports on which the program listens and automatically adds them to the list of excepted traffic.

To allow you to quickly enable exceptions for commonly allowed incoming unsolicited traffic, Windows Firewall has pre-defined exceptions, such as File and Printer Sharing and Remote Assistance. Additionally, the notification mechanism in Windows Firewall allows local administrators to automatically add new programs to the excepted programs list after being prompted with a Windows Security Alert message.

Built-in Support for IPv6

Windows Firewall replaces the Internet Protocol version 6 (IPv6) Internet Connection Firewall functionality that is provided in the Advanced Networking Pack for Windows XP. IPv6 support is included with the Windows Firewall and automatically enabled on all IPv6 connections. Both IPv4 and IPv6 share the same settings for excepted traffic. For example, if you except file and print sharing traffic, then both IPv4 and IPv6-based unsolicited incoming file and print sharing traffic is allowed. For more information, see Appendix B.

Note Windows Firewall does not support the same scope options for IPv6 traffic as IPv4 traffic.

New Configuration Options

With Windows XP with SP1 and Windows XP with no service packs installed, the only way to enable or disable ICF is through the Network Connections folder, the Network Setup Wizard, and the Internet Connection Wizard. To configure excepted traffic, you must either use the Network Connections folder or your application must be ICF-aware, in which case it automatically enables excepted traffic when needed.

With Windows XP SP2, Windows Firewall has the following additional configuration options:

  • Netsh commands
  • Netsh is a command-line tool through which you can configure settings for network components. To configure a component, it must support a set of commands through a Netsh context. Windows XP with SP1 and Windows XP with no service packs installed have no Netsh context for ICF. With Windows XP SP2, you can now configure Windows Firewall settings through a series of commands in the
  • netsh firewall
  • context. Using Netsh, you can create scripts to automatically configure a set of Windows Firewall settings for both IPv4 and IPv6 traffic. You can also use netsh commands to display the configuration and status of the Windows Firewall. For more information, see Appendix B.
  • New configuration application programming interfaces (APIs)
  • With Windows XP with SP1 and Windows XP with no service packs installed, there are ICF APIs by which applications can automatically configure excepted traffic and configure ICF settings for each connection. You can continue to use the ICF APIs for connection-specific settings. With Windows XP SP2, there are new APIs through which you can configure Windows Firewall global settings for all the items that are available through the Windows Firewall component in Control Panel. You can use these APIs to create customized configuration programs that can be run by individual users or by management software on an organization network. For information about the new Windows Firewall APIs, see
  • Windows Firewall
  • in the Windows Software Development Kit (SDK).
  • Extensive support to configure settings using Group Policy
  • For more information, see the following section, "Configuration Using Group Policy Settings".

Configuration Using Group Policy Settings

To centralize the configuration of large numbers of computers in an organization network that use the Active Directory® directory service, Windows Firewall settings for computers running Windows XP with SP2 can be deployed through Computer Configuration Group Policy. A new set of Computer Configuration Group Policy Windows Firewall settings allow a network administrator to configure Windows Firewall operational modes, excepted traffic, and other settings using a Group Policy object.

When you configure Windows Firewall in an organization network using Group Policy, some of the local Windows Firewall configuration options can be grayed out and unavailable, even for local administrators.

When using the new Windows Firewall Group Policy settings, you can configure two different profiles:

  • Domain profile
  • The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the network that contains the domain controllers of the organization. For example, the domain profile might contain excepted traffic for the applications needed by a managed computer in an enterprise network.
  • Standard profile
  • The standard profile is the set of Windows Firewall settings that are needed when the computer is not connected to the network that contains the domain controllers of the organization. A good example is when an organization laptop is taken on the road and connects to the Internet using a public broadband or wireless Internet service provider. Because the organization laptop is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.
  • Note
  • It is strongly recommended that you enable Windows Firewall for both profiles, unless you are already using a third-party host firewall product.

Windows XP SP2 relies on network determination to determine which profile settings to apply. For more information, see Network Determination Behavior for Network-Related Group Policy Settings.

For more information about Windows Firewall Group Policy settings, see "Deploying TCP/IP Windows Firewall Settings With Group Policy" in this article

For information about troubleshooting Windows Firewall, see Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2.

 

Windows XP SP2 and the Impact to Enterprise Networks

For enterprise networks, the default behavior of having Windows Firewall enabled on all network connections might have a significant impact on the types of communication that can occur once Windows XP SP2 is installed. For many enterprise networks using Windows XP with SP1 and Windows XP with no service packs installed, ICF is disabled on all connections connected to the enterprise network because enterprise networks typically are not directly connected to the Internet. The enterprise network firewall, proxy, and other security systems provide a level of protection from the Internet to intranet network computers. However, the absence of host firewalls such as Windows Firewall on intranet connections leaves computers vulnerable to malicious programs brought onto the intranet by computers that are attached directly to the intranet.

For example, an employee connects an organization laptop to a home network that does not have adequate protections. Because the organization laptop does not have a host firewall enabled on its network connection, it gets infected with a malicious program (such as a virus or worm) that uses unsolicited incoming traffic to spread to other computers. The employee then brings his or her laptop back to the office and connects it to the organization intranet, effectively bypassing the security systems that are at the edge of the intranet. Once connected to the intranet, the malicious program begins to infect other computers. If Windows Firewall was enabled by default, the laptop computer might not get infected with the malicious program when connected to their home network. Even if the laptop computer is infected, when it is connected to the intranet, the local intranet computers might not become infected because they also have Windows Firewall enabled.

If the Windows XP with SP2-based computers are running client-based programs, then enabling Windows Firewall does not impair communications. Web access, email, Group Policy, and management agents that request updates from a management server are examples of client-based programs. For client-based programs, the client computer always initiates the communication and all response traffic from a server is allowed by Windows Firewall because it is solicited incoming traffic.

However, the consequences to blocking all unsolicited incoming traffic by default can affect network communications if the computers running Windows XP with SP2 are managed, are servers, are listeners, or are peers. The following lists provide examples of components and capabilities of a computer running Windows XP with SP2 for which communication can be impaired by the default enabling of Windows Firewall:

  • The Windows XP with SP2-based computer is managed  Examples of computer management components and features are the following:

    • Simple Network Management Protocol (SNMP) Agent
    • Windows Management Interface (WMI)
    • Remote management using Netsh or a Microsoft Management Console (MMC) snap-in
    • Remote Assistance and Remote Desktop
    • Desktop management software that relies on information being pushed out from a management station

  • The Windows XP with SP2-based computer is acting as a server Examples of server services included with Windows XP SP2 are the following:

    • Internet Information Services (IIS)
    • File and Printer Sharing
    • Message Queuing
    • Simple TCP/IP Services
    • Print Services for UNIX

  • The Windows XP with SP2 computer is acting as a listener Examples of components included with Windows XP SP2 that listen are the following:

    • UPnP™
    • Routing Information Protocol (RIP) Listener
    • Incoming Connections

  • The Windows XP with SP2-based computer is acting as a peer Examples include the following:

    • Instant messaging programs
    • Third-party peer-to-peer networking applications

If your network is using any of these components included with Windows XP SP2, provided by Microsoft as separate products, or provided by third parties, then by default, communication might be impaired when Windows XP SP2 is installed. To prevent this from happening, Windows XP SP2 must be deployed with the appropriate Windows Firewall exception settings to allow the computer to act as a managed computer, a server, a listener, or a peer for those applications and services being used on your network.

Because the deployment of Windows XP SP2 can impact communications on your network, it is highly recommended that you test Windows XP SP2 with critical administrative and business applications before deploying it on your production network.

The details of deploying Windows Firewall settings for Windows XP SP2 are described in "Deploying TCP/IP Windows Firewall Settings With Group Policy" and "Deploying Windows Firewall Settings Without Group Policy" in this article.

 

Allowing Users to Install Windows XP SP2 from Windows Update

When planning your deployment of Windows XP SP2, one of the issues that you must confront is whether you will allow your network users to download and install Windows XP SP2 from Windows Update. Only local administrators can install Windows XP SP2. If this is the case and you allow them to install Windows XP SP2, then after it is installed on a computer, that computer might not be manageable using your management software because Windows Firewall is enabled by default. The computer might not become manageable until Windows Firewall is configured with the appropriate excepted traffic. This can be done using Group Policy settings, a script, or a configuration program.

If you do not allow your users to install Windows XP SP2, then you can use your management software to deploy Windows XP SP2 along with the appropriate Windows Firewall settings (using the Unattend.txt file or the Netfw.inf file) so that at all times during the deployment, the computers on your network are manageable.

 

Using Windows XP SP2 Windows Firewall and IPSec

Windows Firewall blocks unsolicited incoming traffic. However, you cannot configure Windows Firewall to block outgoing traffic. Internet Protocol security (IPSec), built into Windows XP, can provide this extra level of protection. Using IPSec policies, you can specify the traffic that is blocked (dropped), permitted (allowed), or protected using cryptography for both outgoing and incoming traffic. In any of these three cases (blocked, permitted, protected), IPSec can be configured for a specific range of source and destination addresses.

If you are already using IPSec to block, permit, or protect traffic, then Windows Firewall on computers running Windows XP with SP2 provides additional protection against attacks based on incoming unsolicited traffic.

IPSec in Windows XP with SP2 is Windows Firewall-aware. When there is an active IPSec policy, the IPSec components of Windows XP with SP2 instruct the Windows Firewall to open UDP ports 500 and 4500 to allow Internet Key Exchange (IKE) traffic.

An additional feature of IPSec support is that you can specify through Group Policy that all IPSec-protected traffic bypass Windows Firewall processing. For more information, see Appendix A.

 

In This Article