7 Appendix B: Product Behavior
The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.
The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.
The following tables show the relationships between Microsoft product versions or supplemental software and the roles they perform.
|
Windows Client Releases |
Server Role |
Client Role |
|---|---|---|
|
Windows Vista operating system |
Yes |
Yes |
|
Windows 7 operating system |
Yes |
Yes |
|
Windows 8 operating system |
Yes |
Yes |
|
Windows 8.1 operating system |
Yes |
Yes |
|
Windows 10 operating system |
Yes |
Yes |
|
Windows 11 operating system |
Yes |
Yes |
|
Windows Server Releases |
Server Role |
Client Role |
|---|---|---|
|
Windows Server 2008 operating system |
Yes |
Yes |
|
Windows Server 2008 R2 operating system |
Yes |
Yes |
|
Windows Server 2012 operating system |
Yes |
Yes |
|
Windows Server 2012 R2 operating system |
Yes |
Yes |
|
Windows Server 2016 operating system |
Yes |
Yes |
|
Windows Server operating system |
Yes |
Yes |
|
Windows Server 2019 operating system |
Yes |
Yes |
|
Windows Server 2022 operating system |
Yes |
Yes |
|
Windows Server 2025 operating system |
Yes |
Yes |
Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.
Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.
<1> Section 2.2.6: For Windows Vista operating system with Service Pack 1 (SP1), Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating system, unspecified addresses are allowed. Unspecified addresses are also allowed on Windows Vista if the Security Update for Windows Vista specified in [MSKB-935807] is applied.
<2> Section 2.2.14: The following port keywords are supported in Windows 10 v1809 operating system and Windows Server v1809 operating system and later, in Windows Server 2019 and later, and in Windows 10 v1903 operating system and Windows Server v1903 operating system and later.
|
Enum Flag Name |
Enum Value |
|---|---|
|
FW_PORT_KEYWORD_MDNS |
0x80 |
|
FW_PORT_KEYWORD_CORTANA_OUT |
0x100 |
|
FW_PORT_KEYWORD_PROXIMAL_TCP_CDP |
0x200 |
|
FW_PORT_KEYWORD_MAX_V2_20 |
0x80 |
|
FW_PORT_KEYWORD_MAX_V2_24 |
0x100 |
|
FW_PORT_KEYWORD_MAX_V2_25 |
0x200 |
<3> Section 2.2.14: The enum value 0x400 for enum flag FW_PORT_KEYWORD_MAX is supported in Windows 10 v1809 and Windows Server v1809 and later, and in Windows Server 2019 and later.
<4> Section 2.2.23: The Dynamic Keyword Addresses feature is supported in Windows 11, version 22H2 operating system and later and in Windows Server 2022 and later.
<5> Section 2.2.32: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary AuthenticationSet objects if these objects are not already present in LocalStore and GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:
-
#define FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR L"Default Phase1 Primary AuthSet" #define FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR L"Default Phase2 Primary AuthSet" #define RTL_NUMBER_OF(A) (sizeof(A)/sizeof((A)[0])) FW_AUTH_SUITE g_DefaultPrimaryAuthSuitePhase1[] = { { FW_AUTH_METHOD_MACHINE_KERB, {0} } }; FW_AUTH_SET g_DefaultPrimaryAuthSetPhase1 = { NULL, 0x0200, FW_IPSEC_PHASE_1, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}", FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR, FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR, NULL, RTL_NUMBER_OF(g_DefaultPrimaryAuthSuitePhase1), g_DefaultPrimaryAuthSuitePhase1, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 }; FW_AUTH_SET g_DefaultPrimaryAuthSetPhase2 = { NULL, 0x0200, FW_IPSEC_PHASE_2, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}", FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR, FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR, NULL, 0, NULL, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 };
During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary CryptoSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:
-
#define FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR L"Default Phase1 Primary CryptoSet" #define FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR L"Default Phase2 Primary CryptoSet" FW_PHASE1_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase1[] = { {FW_CRYPTO_KEY_EXCHANGE_DH2, FW_CRYPTO_ENCRYPTION_AES128, FW_CRYPTO_HASH_SHA1}, {FW_CRYPTO_KEY_EXCHANGE_DH2, FW_CRYPTO_ENCRYPTION_3DES, FW_CRYPTO_HASH_SHA1} }; FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase1 = { NULL, 0x0200, FW_IPSEC_PHASE_1, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}", FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR, FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR, NULL, { 0, // flags 0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1), 0, // g_DefaultPrimaryCryptoSuitesPhase1, 0, //480, 0 }, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 }; FW_PHASE2_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase2[] = { {FW_CRYPTO_PROTOCOL_ESP, FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_NONE, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}, {FW_CRYPTO_PROTOCOL_ESP, FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_AES128, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}, {FW_CRYPTO_PROTOCOL_ESP, FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_3DES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}, {FW_CRYPTO_PROTOCOL_AH, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_HASH_NONE, FW_CRYPTO_ENCRYPTION_NONE, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES} }; FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase2 = { NULL, 0x0200, FW_IPSEC_PHASE_2, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}", FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR, FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR, NULL, { { 0, // FW_PHASE2_CRYPTO_PFS_DISABLE, 0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2), 0, // g_DefaultPrimaryCryptoSuitesPhase2 } }, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 }; void FwDefaultPrimaryCryptoSetsInit() { // Init Phase 1 Crypto. g_DefaultPrimaryCryptoSetPhase1.dwNumPhase1Suites = RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1); g_DefaultPrimaryCryptoSetPhase1.pPhase1Suites = g_DefaultPrimaryCryptoSuitesPhase1; g_DefaultPrimaryCryptoSetPhase1.dwTimeOutMinutes = 480; //Init Phase 2 Crypto g_DefaultPrimaryCryptoSetPhase2.Pfs = FW_PHASE2_CRYPTO_PFS_DISABLE; g_DefaultPrimaryCryptoSetPhase2.dwNumPhase2Suites = RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2); g_DefaultPrimaryCryptoSetPhase2.pPhase2Suites = g_DefaultPrimaryCryptoSuitesPhase2; }
<6> Section 2.2.37: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.37) and FW_CS_RULE (section 2.2.55) rules.
<7> Section 2.2.37: Rules with wSchemaVersion less than 0x000200 but greater than or equal to 0x000100 are not allowed to be written to the local store.
<8> Section 2.2.37: On Windows 7 and Windows Server 2008 R2 the wszRuleId size cannot be greater than or equal to 512 characters. On Windows Vista and Windows Server 2008 it cannot be greater than or equal to 1000 characters.
<9> Section 2.2.38: When Windows is operating in stealth mode, it blocks the following outbound packets:
ICMP Destination Unreachable
ICMP Parameter Problem for IPv6 only
TCP Reset (RST) packets sent because no application is listening on the destination port
<10> Section 2.2.38: In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, the FW_PROFILE_CONFIG_LOG_IGNORED_RULES option is ignored.
<11> Section 2.2.38: When an application is blocked from listening on a port and inbound notifications are not disabled, Windows displays a notification to the user only when there is not an FW_RULE object in the Group Policy RSoP, local, or dynamic policy stores with a wszLocalApplication field that matches the application.
<12> Section 2.2.42: Supported policy versions are mapped to Windows product releases in the table that follows:
Table 1. Windows product releases vs Firewall policy versions
|
Windows Client Release |
Windows Server Release |
Policy Version |
|---|---|---|
|
Windows Vista |
|
0x0200 |
|
Windows Vista SP1 |
Windows Server 2008 |
0x0201 |
|
Windows 7 |
Windows Server 2008 R2 |
0x020A |
|
Windows 8 |
Windows Server 2012 |
0x0214 |
|
Windows 8.1 |
Windows Server 2012 R2 |
0x0216 |
|
Windows 10 |
|
0x0218, 0x0219 |
|
Windows 10 v1607 operating system |
Windows Server 2016 |
0x021A |
|
Windows 10 v1703 operating system |
|
0x021B |
|
Windows 10 v1709 operating system |
Windows Server operating system |
Ox021B |
|
Windows 10 v1803 operating system |
Windows Server v1803 operating system |
0x021C |
|
Windows 10 v1809 |
Windows Server v1809 Windows Server 2019 |
0x021D |
|
Windows 10 v1903 |
Windows Server v1903 |
0x021E |
|
|
Windows Server 2022 |
0x021F |
|
Windows 11 v22H2 |
|
0x0220 |
|
|
Windows Server 2025 |
0x0221? |
<13> Section 2.2.43: Windows selects a default value for the profile configuration options and the global configurations options. These configurations default values are secure, and it is recommended to use these values as default values. Profile configuration options default values:
-
FW_PROFILE_CONFIG_ENABLE_FW .- TRUE. FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE .- FALSE. FW_PROFILE_CONFIG_SHIELDED .- FALSE. FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST .- FALSE. FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS .- FALSE. FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS .- FALSE. FW_PROFILE_CONFIG_LOG_IGNORED_RULES .- TRUE. FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE .- 1024. FW_PROFILE_CONFIG_LOG_FILE_PATH .- L"". FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS .- FALSE. FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE .- TRUE. FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE .- TRUE. FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE .- TRUE. FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE .- TRUE. FW_PROFILE_CONFIG_DISABLED_INTERFACES .- {0}. FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION .- 0 (0 is allow). FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION.- 1 (1 is block).
Global configuration options default values:
-
FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0200 on Windows Vista. FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0201 on Windows Vista SP1 and Windows Server 2008. FW_GLOBAL_CONFIG_CURRENT_PROFILE .- FW_PROFILE_TYPE_PUBLIC. FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP .- FALSE. FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP .- FALSE. FW_GLOBAL_CONFIG_SA_IDLE_TIME .- 300. FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING .- FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8. FW_GLOBAL_CONFIG_IPSEC_EXEMPT .- FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC. FW_GLOBAL_CONFIG_CRL_CHECK .- 0. FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT .- FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_SERVER_BEHIND_NAT. FW_GLOBAL_CONFIG_POLICY_VERSION .- 0x0200. FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED .- 0x201. This value is present only in Windows Vista SP1 and Windows Server 2008.
<14> Section 2.2.55: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.37) and FW_CS_RULE (section 2.2.55) rules.
<15> Section 2.2.55: On Windows 7 and Windows Server 2008 R2 the wszRuleId size is less than 512 characters. On Windows Vista and Windows Server 2008 it is less than 1000 characters.
<16> Section 2.2.55: On Windows 7 and Windows Server 2008 R2 the wszPhase1AuthSet, wszPhase2AuthSet, and wszPhase2CryptoSet sizes are less than 255 characters. On Windows Vista and Windows Server 2008 they are less than 1000 characters.
<17> Section 2.2.64: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.
<18> Section 2.2.64: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.
<19> Section 2.2.65: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.
<20> Section 2.2.65: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.
<21> Section 2.2.83: Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 set TransportFilterId to the filter key of the Windows Filtering Platform filter used to enforce the security association (for more information, see [MSWFPSDK]).
<22> Section 2.2.85: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.37) and FW_CS_RULE (section 2.2.55) rules.
<23> Section 2.2.96: By default, Windows uses the IKEv1 and AuthIP keying modules.
<24> Section 2.2.97: The following table shows the tuple keyword flags added to the ‘enum _tag_FW_TRUST_TUPLE_KEYWORD_NONE’ type definition in Windows 10 v1803 and Windows Server v1803 and later:
|
Enum Tuple Keyword Flag Name |
Enum Value |
|---|---|
|
FW_TRUST_TUPLE_KEYWORD_WFD_CDP |
0x0080 |
|
FW_TRUST_TUPLE_KEYWORD_MAX_V2_27 |
0x0080 |
<25> Section 2.2.97: In schema version 0x0214, the value for the FW_TRUST_TUPLE_KEYWORD_MAX flag is 0x0004.
<26> Section 2.2.97: In Windows 10 v1803 and Windows Server v1803 and later, the enum value for the FW_TRUST_TUPLE_KEYWORD_MAX tuple keyword flag is updated from '0x0080' to '0x0100'.
<27> Section 2.2.103: In Windows, audit events that are generated by rules that specify the FW_RULE_FLAGS2_CALLOUT_AND_AUDIT flag are sent to the audit event log.
<28> Section 3.1.1: The new boolean fields 'IsMDNS', 'IsCortanaOut', and 'IsProximalTCPCDP' are added to the PortInUse ADM element in Windows 10 v1809 and Windows Server v1809 and later, and in Windows Server 2019 and later.
<29> Section 3.1.3: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary AuthenticationSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:
-
#define FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR L"Default Phase1 Primary AuthSet" #define FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR L"Default Phase2 Primary AuthSet" #define RTL_NUMBER_OF(A) (sizeof(A)/sizeof((A)[0])) FW_AUTH_SUITE g_DefaultPrimaryAuthSuitePhase1[] = { { FW_AUTH_METHOD_MACHINE_KERB, {0} } }; FW_AUTH_SET g_DefaultPrimaryAuthSetPhase1 = { NULL, 0x0200, FW_IPSEC_PHASE_1, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}", FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR, FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR, NULL, RTL_NUMBER_OF(g_DefaultPrimaryAuthSuitePhase1), g_DefaultPrimaryAuthSuitePhase1, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 }; FW_AUTH_SET g_DefaultPrimaryAuthSetPhase2 = { NULL, 0x0200, FW_IPSEC_PHASE_2, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}", FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR, FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR, NULL, 0, NULL, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 };
<30> Section 3.1.3: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary CryptoSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:
-
#define FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR L"Default Phase1 Primary CryptoSet" #define FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR L"Default Phase2 Primary CryptoSet" FW_PHASE1_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase1[] = { {FW_CRYPTO_KEY_EXCHANGE_DH2, FW_CRYPTO_ENCRYPTION_AES128, FW_CRYPTO_HASH_SHA1}, {FW_CRYPTO_KEY_EXCHANGE_DH2, FW_CRYPTO_ENCRYPTION_3DES, FW_CRYPTO_HASH_SHA1} }; FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase1 = { NULL, 0x0200, FW_IPSEC_PHASE_1, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}", FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR, FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR, NULL, { 0, //flags 0, //RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1), 0, //g_DefaultPrimaryCryptoSuitesPhase1, 0, // 480, 0 }, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 }; FW_PHASE2_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase2[] = { {FW_CRYPTO_PROTOCOL_ESP, FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_NONE, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}, {FW_CRYPTO_PROTOCOL_ESP, FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_AES128, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}, {FW_CRYPTO_PROTOCOL_ESP, FW_CRYPTO_HASH_NONE, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_ENCRYPTION_3DES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}, {FW_CRYPTO_PROTOCOL_AH, FW_CRYPTO_HASH_SHA1, FW_CRYPTO_HASH_NONE, FW_CRYPTO_ENCRYPTION_NONE, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES} }; FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase2 = { NULL, 0x0200, FW_IPSEC_PHASE_2, L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}", FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR, FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR, NULL, { { 0, // FW_PHASE2_CRYPTO_PFS_DISABLE, 0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2), 0, // g_DefaultPrimaryCryptoSuitesPhase2 } }, FW_RULE_ORIGIN_HARDCODED, NULL, FW_RULE_STATUS_OK, 0 }; void FwDefaultPrimaryCryptoSetsInit() { // Init Phase 1 Crypto. g_DefaultPrimaryCryptoSetPhase1.dwNumPhase1Suites = RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1); g_DefaultPrimaryCryptoSetPhase1.pPhase1Suites = g_DefaultPrimaryCryptoSuitesPhase1; g_DefaultPrimaryCryptoSetPhase1.dwTimeOutMinutes = 480; //Init Phase 2 Crypto g_DefaultPrimaryCryptoSetPhase2.Pfs = FW_PHASE2_CRYPTO_PFS_DISABLE; g_DefaultPrimaryCryptoSetPhase2.dwNumPhase2Suites = RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2); g_DefaultPrimaryCryptoSetPhase2.pPhase2Suites = g_DefaultPrimaryCryptoSuitesPhase2; }
<31> Section 3.1.3: Windows selects a default value for the ProfileConfiguration option and the GlobalConfiguration option. These configuration default values are secure, and it is recommended to use these values as default values. ProfileConfiguration option default values:
-
FW_PROFILE_CONFIG_ENABLE_FW .- TRUE. FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE .- FALSE. FW_PROFILE_CONFIG_SHIELDED .- FALSE. FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST .- FALSE. FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS .- FALSE. FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS .- FALSE. FW_PROFILE_CONFIG_LOG_IGNORED_RULES .- TRUE. FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE .- 1024. FW_PROFILE_CONFIG_LOG_FILE_PATH .- L"". FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS .- FALSE. FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE .- TRUE. FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE .- TRUE. FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE .- TRUE. FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE .- TRUE. FW_PROFILE_CONFIG_DISABLED_INTERFACES .- {0}. FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION .- 0 (0 is allow). FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION.- 1 (1 is block).
GlobalConfiguration options default values:
-
FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0200 on Windows Vista. FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0201 on Windows Vista SP1 and Windows Server 2008. FW_GLOBAL_CONFIG_CURRENT_PROFILE .- FW_PROFILE_TYPE_PUBLIC. FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP .- FALSE. FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP .- FALSE. FW_GLOBAL_CONFIG_SA_IDLE_TIME .- 300. FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING .- FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8. FW_GLOBAL_CONFIG_IPSEC_EXEMPT .- FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC. FW_GLOBAL_CONFIG_CRL_CHECK .- 0. FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT .- FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_SERVER_BEHIND_NAT. FW_GLOBAL_CONFIG_POLICY_VERSION .- 0x0200. FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED .- 0x201. This value is present only in Windows Vista SP1 and Windows Server 2008.
<32> Section 3.1.4: In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, security principals are identified by SIDs (see [MS-DTYP] section 2.4.2). The authorized clients are represented by the S-1-5-32-544 and the S-1-5-32-556 SIDs. If the client's identity token (see [MS-DTYP] section 2.5.2) does not contain at least one of these SIDs, the server fails the call.
<33> Section 3.1.4.6: Path validations were not performed in Windows Vista and Windows Server 2008 at edit time.
<34> Section 3.1.4.47: Path validations were not performed in Windows Vista and Windows Server 2008 at edit time.
<35> Section 3.1.6.5: Windows determines whether it is operating in common criteria mode by calling the BCryptGetFipsAlgorithmMode API. For more information, see [MSDN-BCryptGetFipsAlgorithmMode].
<36> Section 3.1.6.6: Windows enforces the effective firewall policy by converting the settings to Windows Filtering Platform filters. For more information, see [MSWFPSDK].