Configuring Exceptions
Windows Firewall includes several predefined exceptions that permit common tasks such as remote administration or file and print sharing. Web Table 1 lists the default Windows Firewall communication exceptions and the ports or programs they open.
You can also create your own exceptions locally via the Windows Firewall applet or a GPO. Simply specify the excepted traffic's program name or network characteristics (e.g., its TCP or UDP port) and source address, then tell Windows Firewall to allow that exception.
The predefined exceptions are more flexible than the exceptions that you create because the predefined ones can include multiple ports per rule. For example, the File and Printer Sharing exception service includes ports TCP 139, TCP 445, UDP 137, and UDP 138. However, if you create a custom exception, you can specify only one port, which means if you need to open a range of ports you need to create multiple exceptions. However, you can specify a custom scope (i.e., an IP address or range of IP addresses for which you want to allow traffic) for both the predefined and custom exceptions, as Figure 4 shows.
You can also use a GPO to define port exceptions centrally. Each exception is a single string that specifies the port (e.g., 80), the transport (TCP or UDP), the scope, the status (Enabled or Disabled), and a display name for the exception. The construction looks like this: Port:Transport:Scope:Status:Name.
The GPO scope parameter syntax is a bit different from the scope parameter syntax in the Windows Firewall applet (which might be an inconsistency between RC2 and the final version of SP2). As of RC2, the GPO scope is "*" (all addresses), localsubnet (only addresses on the local subnet), or an IP address, given either as a single host (e.g., 10.0.0.1) or in Classless Inter-Domain Routing (CIDR) notation such as 192.168.0.0/24, where 24 is the number of bits in the subnet mask. For example, the entries "1433:TCP:10.0.0.1:Enabled:MSSQL" and "23:TCP:192.168.0.0/24:Enabled:Telnet" allow inbound Microsoft SQL Server connections on TCP port 1433 only from the host 10.0.0.1 and inbound Telnet connections on TCP port 23 only from the 192.168.0.0/24 subnet. Because Windows Firewall filters inbound traffic only, every exception you define this way widens what the computer will accept; keep the scope as narrow as the task allows and avoid "*" on ports such as 23, 139, 445, 1433, and 3389.
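To check a batch of Port:Transport:Scope:Status:Name strings before you push them through a GPO, here is an added example (not code from the article or from Microsoft) that parses each entry, validates every field against the syntax described above, and flags enabled exceptions that expose a sensitive port to every address. The SENSITIVE_PORTS table is an illustrative assumption, not a Microsoft list, and the sample entries are constructed.

```python
"""Parse and audit Windows Firewall GPO port-exception strings.

Format, as described in the article: Port:Transport:Scope:Status:Name
Scope is "*", "localsubnet", a single IPv4 address, or a CIDR block.
Added example; not Microsoft code. SENSITIVE_PORTS is an illustrative
assumption about which services an auditor would not want open to "*".
"""
import ipaddress
from dataclasses import dataclass

# Illustrative assumption: services that should never be reachable from all addresses.
SENSITIVE_PORTS = {
    23: "Telnet", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    445: "SMB", 1433: "MS SQL Server", 3389: "Remote Desktop",
}


@dataclass
class PortException:
    port: int
    transport: str
    scope: str
    enabled: bool
    name: str


def parse_exception(entry: str) -> PortException:
    """Parse one GPO entry; raise ValueError on anything the format does not allow."""
    parts = entry.split(":", 4)  # Name is last and may itself contain colons
    if len(parts) != 5:
        raise ValueError(f"expected Port:Transport:Scope:Status:Name, got {entry!r}")
    port_s, transport, scope, status, name = (p.strip() for p in parts)

    if not port_s.isdigit() or not 0 < int(port_s) <= 65535:
        raise ValueError(f"invalid port {port_s!r} in {entry!r}")

    transport = transport.upper()
    if transport not in ("TCP", "UDP"):
        raise ValueError(f"transport must be TCP or UDP, got {transport!r}")

    if scope.lower() == "localsubnet":
        scope = "localsubnet"
    elif scope != "*":
        # Single host (10.0.0.1) or CIDR block (192.168.0.0/24); strict=False
        # tolerates host bits set inside the prefix, which the GPO UI accepts.
        ipaddress.ip_network(scope, strict=False)

    status = status.lower()
    if status not in ("enabled", "disabled"):
        raise ValueError(f"status must be Enabled or Disabled, got {status!r}")
    if not name:
        raise ValueError(f"missing name in {entry!r}")

    return PortException(int(port_s), transport, scope, status == "enabled", name)


def is_valid(entry: str) -> bool:
    """True if the entry parses under the rules above."""
    try:
        parse_exception(entry)
        return True
    except ValueError:
        return False


def audit(entries):
    """Return one finding per enabled exception that opens a sensitive port to all addresses."""
    findings = []
    for entry in entries:
        exc = parse_exception(entry)
        if exc.enabled and exc.scope == "*" and exc.port in SENSITIVE_PORTS:
            findings.append(
                f"{exc.name}: {SENSITIVE_PORTS[exc.port]} "
                f"({exc.transport} {exc.port}) open to all addresses"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample policy: the article's two entries plus one over-broad RDP rule.
    sample = [
        "1433:TCP:10.0.0.1:Enabled:MSSQL",
        "23:TCP:192.168.0.0/24:Enabled:Telnet",
        "3389:TCP:*:Enabled:RDP",
    ]
    for finding in audit(sample):
        print("WARNING", finding)
```

Run it against the strings you intend to put in the policy; a scope that fails ipaddress.ip_network (a typo such as 10.0.0.999) is rejected before it reaches the GPO, and the audit list tells you which rules need a narrower scope.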
Logging
You can configure Windows Firewall to write its log to a text file on the local computer or on a remote share. Windows Firewall can log dropped packets as well as successful connections. Each record carries the date, time, action (e.g., DROP or OPEN), protocol, source and destination IP addresses, and source and destination ports, which is enough to troubleshoot denied connections or to watch which remote hosts are using the connections you allow. Logging is off by default, so enable it (locally or through the GPO) before you need the evidence, and note that the log captures inbound traffic decisions only.
Web Figure 2 shows a sample log file. The first two lines show examples of dropped file share access attempts, and the last line shows a successful RDP connection on TCP port 3389.
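The log is plain W3C extended format, so it is easy to summarize with a short script. The following added example (not code from the article or from Microsoft) reads the column layout from the "#Fields:" header line, then counts dropped file-share probes per source address and lists the connections the firewall allowed. SAMPLE_LOG is constructed to mirror the shape of Web Figure 2 (two dropped file-share attempts and one allowed RDP session); the header and field names follow the XP SP2 log layout, but the individual field values are illustrative.

```python
"""Summarize a Windows Firewall log (pfirewall.log, W3C extended format).

Added example, not code from the article. SAMPLE_LOG is constructed:
its layout follows the XP SP2 log header, its values are illustrative.
The parser takes its column names from the #Fields header, so it also
handles builds that append extra columns.
"""
from collections import Counter

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-09-01 10:15:02 DROP TCP 192.168.0.50 192.168.0.10 3211 445 48 S 1234567890 0 65535 - - RECEIVE
2004-09-01 10:15:05 DROP TCP 192.168.0.50 192.168.0.10 3212 139 48 S 1234567891 0 65535 - - RECEIVE
2004-09-01 10:16:40 OPEN TCP 10.0.0.5 192.168.0.10 1045 3389 - - - - - - - -
"""

# The ports behind the predefined File and Printer Sharing exception.
FILE_SHARE_PORTS = {("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138)}


def parse_log(text: str):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # other directive lines (#Version, #Software, ...) are ignored
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def summarize(records):
    """Count dropped file-share probes per source and list allowed connections."""
    drops = Counter()
    allowed = []
    for r in records:
        port = r["dst-port"]
        key = (r["protocol"], int(port)) if port.isdigit() else None  # ICMP has "-"
        if r["action"] == "DROP" and key in FILE_SHARE_PORTS:
            drops[r["src-ip"]] += 1
        elif r["action"] == "OPEN":
            allowed.append((r["src-ip"], r["protocol"], port))
    return {"file_share_drops_by_source": dict(drops), "allowed_connections": allowed}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for src, count in summary["file_share_drops_by_source"].items():
        print(f"{src}: {count} dropped file-share probe(s)")
    for src, proto, port in summary["allowed_connections"]:
        print(f"allowed {proto}/{port} from {src}")
```

Point parse_log at the real file (by default %windir%\pfirewall.log) instead of SAMPLE_LOG to run the same summary on a production host; a source address with many file-share drops in a short window is the classic signature of a worm or scanner sweeping the subnet.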
By default, Windows Firewall displays a message when a program tries to listen for unsolicited inbound traffic on a port that no exception covers, and the user can choose to unblock it (which creates an exception for that program) or keep blocking it. If you use Group Policy to centrally manage Windows Firewall, you can turn these notifications off. Bear in mind that with notifications disabled the program is blocked silently, so users see only an application that fails to work; in that case the log is your only record of what was denied.
Disabling Windows Firewall
If you currently run a host-based firewall other than Windows Firewall or Windows' built-in IPSec, then you'll likely want to disable Windows Firewall when you install XP SP2. You have several options for doing so. First, if your target computers are members of a domain, then you can simply create a Windows Firewall GPO that disables the feature. Specifically, you'll need to configure the GPO with the following settings:
Disable:
Domain profile--Windows Firewall: Protect all network connections
Standard profile--Windows Firewall: Protect all network connections
Enable:
Prohibit use of Internet Connection Firewall on your DNS domain network
If you don't want to run the Windows Firewall features on computers within your domain (e.g., employee laptops connected to your corporate network over a LAN) but want to protect remote users when they're not on your network, then configure the GPO as follows:
Disable:
Domain profile--Windows Firewall: Protect all network connections
Enable:
Standard profile--Windows Firewall: Protect all network connections
Prohibit use of Internet Connection Firewall on your DNS domain network
If your XP computers aren't members of a Windows 2003 or Win2K domain that supports Group Policy, you can disable Windows Firewall by modifying a configuration text file named netfw.inf and saving that file centrally along with the other XP SP2 installation files. The file has one AddReg section per profile. To turn the firewall off for the domain profile, add the line HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0 to the domain-profile section; to turn it off for the standard profile, add the same line with StandardProfile in place of DomainProfile to the ICF.AddReg.StandardProfile section. Refer to the Microsoft documentation about deploying Windows Firewall for more detailed information about the netfw.inf file.
You can also deploy registry entries that will disable Windows Firewall on target XP computers before you install SP2. Use a registry editor to add the DWORD values HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\DomainProfile\EnableFirewall=0 and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FirewallPolicy\StandardProfile\EnableFirewall=0. Check this policy key path against the documentation for the SP2 build you deploy: the released SP2 reads its policy settings from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall, so entries written under a prerelease path will be ignored rather than disable the firewall.
To implement custom Windows Firewall settings, you can modify the unattend.txt file. For information about this process, refer to the Microsoft document "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2" (http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-8a67781ac4e8/wf_xpsp2.doc).
Firewall for the Masses
The improved Windows Firewall, enabled by default when you install XP SP2, provides a great step toward securing XP computers--benefiting home and corporate users alike. The preconfigured exceptions help less-experienced administrators quickly configure Windows Firewall, but the firewall also supports granular customization to meet many different deployment scenarios. The management integration with Group Policy means that you can define a central policy and apply it to select groups of computers. And the price is right--free--making Windows Firewall a serious contender for the host-based firewall of choice for many organizations.