Tweaking the Windows Firewall in Windows XP SP2
Nine new Group Policy settings and related commands.
In an article in the previous issue of the magazine I already discussed Windows Firewall, the component of the Windows XP Service Pack 2 (SP2) update that was previously known as Internet Connection Firewall (ICF). In this article I look at the program in more detail and show how to prepare it for use in a particular network. Only a preliminary build of SP2 was available to me; the final version may differ.
So let us look at the nine new Group Policy settings for Windows Firewall and the corresponding commands. The Windows Firewall settings live in Computer Configuration\Administrative Templates\Network\Network Connections\Internet Connection Firewall. That folder has two subfolders, Domain Profile and Mobile Profile. The Domain Profile settings apply to a computer running Windows Firewall while it is connected to its domain; otherwise the Mobile Profile settings apply. Both subfolders contain the same set of nine policy settings.
In the previous article we discussed the first setting, Operational Mode. It offers three modes: Disabled turns the firewall off, Protected turns it on, and Shielded turns it on but isolates the computer from the network more completely than Protected mode, in which specific ports can be opened. To put the computer into Disabled, Protected or Shielded mode, use the command
netsh firewall ipv4 set opmode
followed by disable, enable or shield. The command-line names sometimes differ from the names of the corresponding Group Policy settings. So, to lock down the network adapter as tightly as possible, enter
netsh firewall ipv4 set opmode shield
This command is convenient in a batch file. Create a desktop shortcut to the batch file, call it Shield this System, and you can double-click it at the first sign of trouble on the network. The command
netsh firewall ipv4 show opmode
reports the current firewall mode.
Changing Firewall Settings
The meaning of the next Windows Firewall policy setting, Allow User Preference/Group Policy Settings Merge, is not entirely clear. The Windows Firewall documentation says that with this setting enabled, local administrators can change the firewall mode. But what does "change" mean: turning the firewall on or off, or configuring it by opening and closing ports? It turns out to be the second: with this policy, a local administrator can open or close ports but cannot override the Disabled, Protected or Shielded mode set by domain policy (assuming a domain policy for Windows Firewall exists). If the policy is set to Disabled, the local administrator cannot control the firewall at all.
The confusion begins when a local administrator tries to override the Windows Firewall settings specified by a Group Policy Object (GPO). The command
netsh firewall ipv4 set opmode disable
returns OK, and a subsequent netsh firewall command reports that the firewall is disabled. But the network adapter's properties in the Network Connections folder show the firewall active. Several tests confirmed that the GUI reflects reality: the domain settings prevail. Let us hope these rough edges are smoothed out in the final version.
Still, the dialog boxes cannot always be trusted either. With Allow User Preference/Group Policy Settings Merge set to Disabled, the window is greyed out and the switches for turning Windows Firewall on and off are unavailable. That is reasonable. But set the policy to Enabled and return to the Windows Firewall configuration screen: the on and off buttons are now available. Click one, then OK, and you get no error message, but nothing changes either. The local administrator can, however, open and close ports from the command line or with gpedit.msc. There is no command-line equivalent of the Allow User Preference/Group Policy Settings Merge policy setting.
Open ports for programs
The next policy setting is the first of seven that open (or in some cases close) a particular port. When you open the firewall for a certain kind of traffic (Web traffic, Active Directory authentication or mail retrieval, say), it can be difficult to work out which port that traffic uses. The Define Allowable Programs setting simplifies the task. By default Windows Firewall blocks unsolicited incoming traffic but not outgoing traffic. That is fine while the workstation acts as a client that initiates the exchange (asking a mail server for messages or a Web server for a page). It does not work when the workstation provides services to other computers on the network, for example when a mail server runs on it, because the firewall blocks the clients' attempts to open a conversation with the server program. Nor does it suit peer-to-peer (P2P) connections such as instant messaging (IM), in which two or more machines exchange data while acting as client and server at once. So to run a server or establish P2P connections you need to open some ports.
But which ports? Simply name the program in the Define Allowable Programs setting and Windows Firewall opens the ports that program needs. In the policy setting you give the program's location, its state (enabled or blocked; you could, for example, create a policy that blocks a particular program if it turned out to be a Trojan horse that had got into the network), and whether its ports are opened to the whole Internet or only to the local subnet.
Suppose the server program C:\myprogs\serverprog.exe runs on the computer. You do not know which ports it opens, but you want them opened only to computers on the server's own subnet. Enable the Define Allowable Programs setting, then click Show to display a dialog box for entering the program's details. In that dialog I entered the line
C:\myprogs\serverprog.exe:LocalSubnet:enabled:E-mail server
which defines four colon-separated components. The first is the full path to the program; environment variables such as %ProgramFiles% may be used. The second, LocalSubnet, says that traffic to this server's ports is accepted only from systems on the same subnet. The third, enabled, lets the traffic through. The fourth, E-mail server, is just a label that Windows Firewall can use in its reports. There is no limit on the number of programs.
Opening specific ports
The other settings open various ports. Whether to enable the first of them, Allow Dynamically Assigned Ports for RPC and DCOM, is not a simple question. I generally prefer Windows Management Instrumentation (WMI) tools such as WMI VBScripts and the Microsoft Management Console (MMC) Manage Computer snap-in, but WMI needs Remote Procedure Calls (RPC). The Manage Computer snap-in cannot manage a remote system without WMI, so to manage remote systems with Manage Computer while Windows Firewall is active you must enable this setting. The danger of opening ports for RPC is that several serious RPC vulnerabilities have been found in the past two years, one of which led to the memorable MSBlaster attack. Running a firewall with the RPC ports open is therefore a contradictory arrangement, rather like locking every door in the house but leaving the front door open for the convenience of the owner (and of the burglars). Like the previous setting, this one can open the ports to all IP addresses or only to the local subnet, but the restriction helps less than it might: in many cases MSBlaster spread from an infected computer that someone brought into the enterprise. Think carefully before enabling this setting.
As with RPC, you can enable or disable File and Print Sharing, Remote Assistance Support and Universal Plug and Play, and restrict an enabled setting to the local subnet. All of these settings except Remote Assistance Support can be enabled from the command line with
netsh firewall ipv4 set service
followed by type= and the service name (for example FILEANDPRINT, RPCANDDCOM or UPNP) and scope= with either all (all IP addresses) or subnet (the local subnet). For example, to allow file and printer sharing only on the local subnet, enter
netsh firewall ipv4 set service type=fileandprint scope=subnet
Any of these commands can take the profile= and interface= keys as well, so to open file and print sharing on a wired Ethernet connection only while the system is connected to its domain, enter
netsh firewall ipv4 set service type=fileandprint scope=subnet interface="local area connection" profile=corporate
Group Policy calls the profiles Domain and Mobile; the command-line tool calls them corporate and other.
Two policy settings remain. Allow ICMP Settings governs the Internet Control Message Protocol (ICMP). For the administrator essentially only one ICMP function matters: ping. By default a system running the firewall blocks all ICMP requests and therefore ignores pings. The properties of Allow ICMP Settings list nine ICMP request types the firewall can allow. For testing you need only enable Allow Inbound Echo Request. This setting cannot restrict ICMP traffic to the local subnet.
ICMP is opened from the command line with
netsh firewall ipv4 set icmpsetting
followed by type= and a number (3, 4, 5, 8, 10, 11, 12, 13 or 17) or the word all. The number selects one of the nine ICMP settings; we need 8, inbound echo request. To make the machine answer pings, enter
netsh firewall ipv4 set icmpsetting type=8
This command also accepts the profile= and interface= keys.
How do you open a port for a service not covered in this article? Use the ninth policy setting, Define Custom Open Ports. Give Windows Firewall the port number, the port type (TCP or UDP), the scope (all IP addresses or only the local subnet) and the action (enable or block); you may also give the port a descriptive name. For example, to open TCP port 25 to the whole world for a mail server:
25:TCP:*:enabled:SMTP
Here 25 is the port number, TCP the protocol, the asterisk (*) opens the port to the whole world rather than only the local subnet, enabled opens rather than closes the port, and SMTP is the descriptive label. At the command prompt, enter
netsh firewall ipv4 add portopening
with the keys protocol= (tcp, udp or all), port= (the number), name= (the label), mode= (enable or disable) and scope= (all or subnet). To open the port for the mail server, enter
netsh firewall ipv4 add portopening protocol=tcp port=25 name=SMTP mode=enable scope=all
If mode= is omitted it defaults to enable, and if scope= is omitted the local subnet is assumed.
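Both entry formats above (the Define Allowable Programs line path:scope:status:name and the Define Custom Open Ports line port:protocol:scope:status:name) are easy to get wrong by hand, and a naive split on colons mishandles the drive-letter colon in a program path. The following Python script is an added example, not code from the article or from Microsoft: it parses and validates both kinds of entry and, for port entries, builds the equivalent netsh command in the preliminary-SP2 syntax shown above. The field layouts and scope/status words are taken from the article; everything else (function names, the rule that a program label must not contain a colon) is this example's own assumption.

```python
"""Parse and validate Windows Firewall GPO entry strings (added example, not
from the article).  Program entries: path:scope:status:name.  Port entries:
port:protocol:scope:status:name.  The generated command uses the netsh syntax
the article shows for the preliminary SP2 build."""

from dataclasses import dataclass

# GPO scope/status words and the netsh keys the article maps them to.
SCOPES = {"*": "all", "LocalSubnet": "subnet"}
STATUSES = {"enabled": "enable", "disabled": "disable"}
PROTOCOLS = ("TCP", "UDP")


@dataclass(frozen=True)
class ProgramEntry:
    path: str
    scope: str
    status: str
    name: str


@dataclass(frozen=True)
class PortEntry:
    port: int
    protocol: str
    scope: str
    status: str
    name: str


def _check(scope: str, status: str, entry: str) -> None:
    if scope not in SCOPES:
        raise ValueError(f"scope must be one of {sorted(SCOPES)}: {entry!r}")
    if status not in STATUSES:
        raise ValueError(f"status must be one of {sorted(STATUSES)}: {entry!r}")


def parse_program_entry(entry: str) -> ProgramEntry:
    """path:scope:status:name.  The path holds a colon after the drive letter
    (C:\\...), so split from the right; the label therefore must not contain one
    (assumption of this example)."""
    parts = entry.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected path:scope:status:name: {entry!r}")
    path, scope, status, name = (p.strip() for p in parts)
    if not path:
        raise ValueError(f"empty program path: {entry!r}")
    _check(scope, status, entry)
    return ProgramEntry(path, scope, status, name)


def parse_port_entry(entry: str) -> PortEntry:
    """port:protocol:scope:status:name.  The label is last, so split from the
    left with maxsplit=4; a colon inside the label is then harmless."""
    parts = entry.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected port:protocol:scope:status:name: {entry!r}")
    port_s, proto, scope, status, name = (p.strip() for p in parts)
    if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
        raise ValueError(f"port must be 1-65535: {entry!r}")
    proto = proto.upper()
    if proto not in PROTOCOLS:
        raise ValueError(f"protocol must be TCP or UDP: {entry!r}")
    _check(scope, status, entry)
    return PortEntry(int(port_s), proto, scope, status, name)


def netsh_for_port(e: PortEntry) -> str:
    """The netsh add portopening command equivalent to a Define Custom Open Ports entry."""
    name = f'"{e.name}"' if " " in e.name else e.name
    return (f"netsh firewall ipv4 add portopening protocol={e.protocol.lower()} "
            f"port={e.port} name={name} mode={STATUSES[e.status]} scope={SCOPES[e.scope]}")


if __name__ == "__main__":
    print(parse_program_entry(r"C:\myprogs\serverprog.exe:LocalSubnet:enabled:E-mail server"))
    print(netsh_for_port(parse_port_entry("25:TCP:*:enabled:SMTP")))
```

Feeding the two lines from the article through the script reproduces the netsh command given above; an entry with a port outside 1-65535, an unknown scope word or a misspelled status is rejected before it ever reaches a GPO.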
To close the port, type
netsh firewall ipv4 delete portopening
giving the protocol and port number that identify the port. For example, the mail server's port is closed with
netsh firewall ipv4 delete portopening protocol=tcp port=25
While experimenting you may hit a puzzle: a port you closed somehow stays open. To avoid confusion you need to understand how a firewall controlled through Group Policy behaves differently from one controlled at the command line. Command-line changes usually take effect immediately; Group Policy changes take a while. To apply Group Policy changes for Windows Firewall at once, run gpupdate.
Wait for the command to finish, then open Services in the Manage Computer snap-in and restart the Internet Connection Firewall service (the service name may change in the final version).
Additional command-line options
We have covered the Group Policy settings for Windows Firewall, but the command line can do more. Remember that Windows Firewall has two profiles, Domain and Mobile. Suppose we need to know which profile is in use at the moment. The following command shows the active profile, Domain (corporate) or Mobile (other):
netsh firewall ipv4 show currentprofile
The set logging command lets you learn more about what the firewall is doing. It has four optional parameters: filelocation= tells the firewall where to write its ASCII log file, and maxfilesize= sets the maximum file size in kilobytes (the largest allowed value is 32767); droppedpackets= and connections= take enable or disable and tell the firewall whether to log blocked and successful connections respectively. For example, to record both successful and blocked connections in C:\firelog.txt with a maximum size of 8 MB:
netsh firewall ipv4 set logging filelocation="C:\firelog.txt" maxfilesize=8192 droppedpackets=enable connections=enable
The log can grow large, but if you need to catch an intruder who keeps probing the system it is useful to have a full log of every TCP and UDP connection and failure. You can display the current logging settings with
netsh firewall ipv4 show logging
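A full log is only useful if someone reads it. As an added example (not code from the article), here is a short Python script that reads such a log and picks out the sources whose packets keep being dropped. It assumes the layout the firewall writes: comment lines starting with #, a "#Fields:" header naming the columns, and one space-separated record per line, with "-" for an empty field; column positions are read from the header rather than hard-coded, so a build with a different field set still parses. The sample lines are constructed for illustration, not a real capture, and the thresholds are arbitrary.

```python
"""Summarise dropped packets from a Windows Firewall log (added example, not
from the article).  The sample log is constructed, not a real capture."""

from collections import Counter, defaultdict

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-08-11 09:15:01 DROP TCP 192.168.1.77 192.168.1.10 3321 135 48 S 1177332 0 65535 - - - RECEIVE
2004-08-11 09:15:01 DROP TCP 192.168.1.77 192.168.1.10 3322 139 48 S 1177333 0 65535 - - - RECEIVE
2004-08-11 09:15:02 DROP TCP 192.168.1.77 192.168.1.10 3323 445 48 S 1177334 0 65535 - - - RECEIVE
2004-08-11 09:15:02 DROP TCP 192.168.1.77 192.168.1.10 3324 4444 48 S 1177335 0 65535 - - - RECEIVE
2004-08-11 09:15:09 DROP UDP 192.168.1.77 192.168.1.10 1034 137 78 - - - - - - - RECEIVE
2004-08-11 09:16:30 OPEN TCP 192.168.1.10 192.168.1.20 1055 25 0 - - - - - - - -
2004-08-11 09:17:12 DROP ICMP 10.0.0.5 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2004-08-11 09:18:40 DROP TCP 192.168.1.20 192.168.1.10 2201 25 48 S 99 0 65535 - - - RECEIVE
"""


def parse_log(text):
    """Return one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("record found before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def dropped_by_source(records):
    """Per source IP: number of dropped packets and the set of destination ports probed."""
    drops = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["action"] != "DROP":
            continue
        drops[r["src-ip"]] += 1
        if r["dst-port"] != "-":  # ICMP records carry no port
            ports[r["src-ip"]].add(int(r["dst-port"]))
    return drops, ports


def suspicious_sources(records, min_drops=3, min_ports=3):
    """Sources that keep hitting the host or walk several ports: the intruder who
    regularly attempts to attack.  Thresholds are arbitrary for this example."""
    drops, ports = dropped_by_source(records)
    return sorted(ip for ip in drops
                  if drops[ip] >= min_drops or len(ports[ip]) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    drops, ports = dropped_by_source(recs)
    for ip in suspicious_sources(recs):
        print(f"{ip}: {drops[ip]} drops, ports {sorted(ports[ip])}")
```

Run against the sample, only 192.168.1.77 is reported: five drops across ports 135, 139, 445, 4444 and 137, the classic RPC and file-sharing probe pattern discussed earlier in the article. A single dropped ping from 10.0.0.5 and one blocked SMTP connection stay below the thresholds. To use it on a real system, replace SAMPLE_LOG with the contents of the file named in filelocation=.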
The following command lists every firewall setting:
netsh firewall ipv4 show config
Replace config with state in this command to get a detailed report of the firewall's current operating state. For a more compact report that lists only the open ports, replace config with icmpsetting or portopening.
Working with Windows Firewall means learning a number of new concepts. But if the system has no other personal firewall, Windows Firewall will help protect the machine, and all you need to spend is a little time creating a GPO that opens the required ports. The administrator's reward is knowing that the system behind the firewall is much less vulnerable.