Disable stealth mode in Windows

This article discusses how to disable stealth mode (a Windows filtering platform feature).

Original product version:   Windows 7 Service Pack 1, Windows Server 2012 R2
Original KB number:   2586744

Introduction

Windows Server or Windows client computers do not send Transmission Control Protocol (TCP) reset (RST) messages or Internet Control Message Protocol (ICMP) unreachable packets across a port that does not have a listening application. Several applications rely on the behavior that is described in RFC 793, "Reset Generation," Page 35f. These applications require the TCP RST packet or ICMP unreachable packet as a response if they knock on a port that has no listener. If they don't receive this response, the applications might not be able to run correctly on Windows Server 2008 R2 or Windows 7. Typically, the effect of this dependency is that stealth mode may cause a 20-second delay for regular TCP applications to reconnect if the remote peer loses the connection state and that notification packet doesn't reach the client. One example of this behavior is Lotus Notes Client. The client can be configured to use different Lotus Notes servers. If the service is not running on the first configured server, the client switches immediately to the second server if it receives a TCP RESET command. If stealth mode is enabled, no TCP RESET is received by the client. The client then waits for the last SYN retransmit to time out before it tries the next server in the list.

Cause

For ports on which no application listens, the stealth mode feature blocks the outgoing ICMP unreachable packet and TCP RST messages. Stealth mode also applies to the endpoints that are in a paused state because of an overrun in the listen backlog parameter.

Resolution

Warning Stealth mode is an important security feature. Disabling it can make the computer vulnerable to attack, even in managed corporate domain networks and behind edge firewalls. Therefore, we strongly recommend that you keep stealth mode active, and disable it only if it is required.

Caution Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

Stealth mode is a core security feature. For any given configuration, stealth mode should stay enabled unless there is a strong, valid argument for disabling it. Stealth mode can be disabled by using any of the following methods:

  • You can set the DisableStealthMode keyword in the Firewall configuration service provider CSP) by using Microsoft Intune or another Mobile Device Management system.
  • An Independent software vendor (ISV) can use the Windows Filtering Platform (WFP) API to replace the stealth filters with proprietary filters.
  • You can disable the firewall for all profiles. (We do NOT recommend this method.)
  • You can add a "disable" value to either of the following sets of registry subkeys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile** **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile Note In the Software hive "Policy" section, the StandardProfile entry is used only if a legacy firewall GPO still exists.

In either set of subkeys, add the following value:Value: DisableStealthMode Type: REG_DWORD Data: 0x00000000 (default - StealthMode enabled) 0x00000001 (StealthMode disabled) Caution Stealth mode cannot be deactivated by disabling the firewall service (MpsSvc). This is an unsupported configuration. For more information, see the "Disable Windows Defender Firewall with Advanced Security" section of "Windows Defender Firewall with Advanced Security Administration with Windows PowerShell."

More information

Stealth Mode in Windows Firewall with Advanced Security Disable Stealth Mode  in the "[MS-GPFAS]: Group Policy: Firewall and Advanced Security Data Structure" specification Appendix B: Product Behavior in "[MS-FASP]: Firewall and Advanced Security Protocol" specification (look for FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE in this appendix) Third-party information disclaimer

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.