Windows Firewall in Windows Server 2003 Service Pack 1

Author: Webmaster

Applies To: Windows Server 2003 with SP1
What does Windows Firewall do?
Windows Firewall (previously called Internet Connection Firewall or ICF) is a software-based, stateful filtering firewall for Microsoft Windows XP and Microsoft Windows Server 2003. Windows Firewall provides protection for computers that are connected to a network by preventing unsolicited incoming traffic through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6).
Configuration options include:
Configuring and enabling port-based exceptions
Configuring and enabling program-based exceptions
Configuring basic ICMP options
Logging dropped packets and successful connections
Windows Firewall in Windows Server 2003 Service Pack 1 is not enabled by default when the update is applied to your server.
It will only be enabled in the following situations:
If Internet Connection Sharing was previously enabled.
If Internet Connection Firewall was previously enabled.
If the server is a new installation of Windows Server 2003 with Service Pack 1 (also known as a slipstream installation).
The best resources to help you fully understand how Windows Firewall works and how it can be used in your environment are the Windows Firewall Information and Help topics on the Windows Server 2003 Tech Center Web site at http://go.microsoft.com/fwlink/?LinkId=48911 and the Windows Firewall Operations Guide on the Windows Server 2003 TechCenter Web site at http://go.microsoft.com/fwlink/?LinkId=48912.
Note
If you decide to use Windows Firewall with your server, it is strongly recommended that you restart your servers after turning on and configuring the firewall. Windows Firewall in Windows Server 2003 with Service Pack 1 now supports application exceptions and needs to maintain the state of those applications. As a result, any applications or services that you add to the firewall exceptions list that were running prior to the firewall starting will still fail. After the server is restarted, the firewall will be running before any of the applications on the exceptions list and will be able to successfully maintain the state of the applications and handle them correctly.
Who does this feature apply to?
This feature applies to:
All computers that are connected to a network, including the Internet.
All programs (applications and services) that listen on the network.
All programs that do not work with stateful filtering.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Integration of Internet Connection Firewall and IPv6 Internet Connection Firewall into Windows Firewall
Detailed description
The version of Internet Connection Firewall that was introduced with Windows XP filtered only IPv4 traffic. IPv6 Internet Connection Firewall was introduced with the Advanced Networking Pack for Windows XP. With Windows Server 2003 Service Pack 1, Internet Connection Firewall and IPv6 Internet Connection Firewall are integrated into a single component called Windows Firewall.
With this change, any configuration change applies to both IPv4 and IPv6 traffic. For example, when a static port is opened, it is opened for both IPv4 and IPv6 traffic.
Why is this change important?
This allows for easier configuration management and application compatibility.
What works differently?
The Internet Connection Firewall service is removed from the system and replaced with the Windows Firewall service, which filters both IPv4 and IPv6 traffic. All firewall APIs are superseded by new APIs introduced with Windows Server 2003 Service Pack 1.
How do I resolve these issues?
For more information, see “Do I need to change my code to work with Windows Server 2003 Service Pack 1?” later in this document.
On-by-default for new installations of Windows Server 2003 that include a service pack
Detailed description
Windows Firewall is on by default only during new installations of Windows Server 2003 that include a service pack (also known as a slipstream release). Windows Firewall provides network protection while users update their system with the latest patches using the new Post-Setup Security Updates feature. As soon as the updates are finished the firewall is turned off unless it was explicitly enabled.
If a server running Windows Server 2003 is updated or upgraded to Service Pack 1 the firewall is off by default and the Post-Setup Security Updates feature is not used.
Why is this change important? What threats does it help mitigate?
By enabling Windows Firewall by default on new installations, the computer has more protection from many network-based attacks while it is being set up and configured. For example, if Windows Firewall had been enabled by default, the MSBlaster attack would have been greatly reduced in impact, whether or not users had installed the relevant updates on their computers.
What works differently?
After a new installation of a slipstream version of Windows Server 2003 with Service Pack 1, Windows Firewall is enabled by default and incoming traffic is blocked until after Post-Setup Security Updates have been completed. This might create application or service incompatibility if the application or service does not work with stateful filtering by default.
How do I resolve these issues?
Complete Post-Setup Security Updates, which will automatically turn off the firewall, before proceeding with any other server configuration tasks.
It is also possible to configure the firewall to work with applications or services you need to use, if you don’t want to complete Post-Setup Security Updates until a later time.
Configuration by the Security Configuration Wizard
Detailed description
The recommended means of turning on Windows Firewall and performing its initial configuration for Windows Server 2003 with Service Pack 1 is to use the Security Configuration Wizard (SCW). SCW will automatically turn on Windows Firewall and create the appropriate settings based on the needs of your server. For more information about SCW, see “Security Configuration Wizard”, in this document.
Why is this change important?
Some server components and applications should not be used with Windows Firewall or should be used in very specific configurations. SCW has been designed to help you determine the recommended settings for the Windows Firewall based on your environment.
Boot-time security
Detailed description
In earlier versions of Windows, there is a period of time between when the network stack comes up and when Internet Connection Firewall provides protection. This results in the ability for a packet to be received and delivered to a service without Internet Connection Firewall providing filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall user-mode service was loaded and had applied appropriate policy settings. The firewall service has a number of dependencies, which causes the service to wait until those dependencies are cleared before it pushes the policy down to the driver. This time period is based upon the speed of the computer.
In Windows Server 2003 Service Pack 1, the IPv4 and IPv6 firewall drivers have a static rule to perform stateful filtering. This static rule is called a boot-time policy. This allows the computer to perform basic networking functions such as DNS and DHCP and communicate with a domain controller to obtain policy settings. After the Windows Firewall service is running, it loads and applies the runtime policy settings. The boot-time policy cannot be configured.
There is no boot-time security if the Windows Firewall service (which is listed as Windows Firewall/Internet Connection Sharing (ICS) in the Service Control Manager) is set to either Manual or Disabled.
Why is this change important? What threats does it help mitigate?
With this change, the computer is open to fewer attacks during startup and shutdown.
What works differently?
If the Windows Firewall service fails to start, boot-time security remains in effect. This means that all incoming connections are blocked. In this case, an administrator will not be able to remotely troubleshoot the issue because all the ports will be closed, including the port used by Remote Desktop.
If a service attempts to start before the firewall service a “race condition” might result. If a necessary service is blocked by this condition you will need to disable Windows Firewall.
How do I resolve these issues?
To turn off boot-time security, stop the Windows Firewall/Internet Connection Sharing (ICS) service and set its startup type to either Manual or Disabled.
If the computer is in boot-time security mode because the firewall service has not started, an administrator must log on to the computer, resolve the cause of the failure, and then manually start the firewall service.
Running in safe mode (Safe mode firewall)
Detailed description
The firewall state is maintained when the server is started in safe mode.
Why is this change important?
With this change your computer is less vulnerable to attack when starting in safe mode with network connectivity.
What works differently?
In previous versions, Internet Connection Firewall was not available when running in safe mode.
Global configuration
Detailed description
In earlier versions of Windows, Internet Connection Firewall was configured on a per-interface basis. This meant that each network connection had its own set of firewall settings, for example, one set of settings for wireless, another set of settings for Ethernet. This made it difficult to synchronize firewall settings between connections. Additionally, new connections would not have any of the configuration changes that had been applied to the existing connections. Non-standard network connections, such as those created by proprietary dialers (for instance, ISP-configured dial-up networking connections) could not be protected.
With global configuration in Windows Firewall, whenever a configuration change occurs, it automatically applies to all network connections in the Network Connections folder, as well as any non-Microsoft dialers. When new connections are created, the configuration is applied to them as well. Configuration can still be performed on a per-interface basis. Non-standard network connections will have only global configuration. Configuration changes also apply to both IPv4 and IPv6.
Why is this change important?
Having global configuration makes it easier for users to manage their firewall policy across all network connections and enables configuration through Group Policy. It also allows you to enable applications to work on any interface with a single configuration option.
What works differently?
In earlier versions of Windows Server, firewall configuration was on a per-interface basis. In Windows Server 2003 Service Pack 1, the configuration is global and applies to both IPv4 and IPv6.
How do I resolve these issues?
If your application or service requires static openings to work, you should open the ports globally, as described later in this topic, in “Do I need to change my code to work with Windows Server 2003 Service Pack 1?”
Audit logging
Detailed description
Audit logging enables you to track changes that are made to Windows Firewall settings and to see which applications and services asked your computer to listen on a port. After audit logging is enabled, audit events will be logged in the security event log. Audit logging can be enabled on client computers running Windows XP Service Pack 2 and servers running Windows Server 2003 Service Pack 1. You can use the following procedure to enable audit logging on your computer.
To enable audit logging
1. Log on using an account that is a local administrator.
2. Click Start, click Control Panel, and then click Administrative Tools.
3. In Administrative Tools, double-click Local Security Policy to open the Local Security Settings console.
4. In the console tree of the Local Security Settings console, click Local Policies, and then click Audit Policy.
5. In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success and Failure, and then click OK.
6. In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success and Failure, and then click OK.
You can also enable audit logging for multiple computers in an Active Directory directory service domain using Group Policy by modifying the Audit policy change and Audit process tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.
After audit logging is enabled, you can use the Event Viewer snap-in to view audit events in the security event log.
Windows Firewall uses the following event IDs:
848 – Displays the startup configuration of Windows Firewall.
849 – Displays an application exception configuration.
850 – Displays a port exception configuration.
851 – Displays a change made to the application exceptions list.
852 – Displays a change made to the port exceptions list.
853 – Displays a change made to the Windows Firewall operation mode.
854 – Displays a change made to Windows Firewall logging settings.
855 – Displays a change made to ICMP settings.
856 – Displays a change made to the Prohibit unicast response to multicast or broadcast requests setting.
857 – Displays a change made to the Remote Administration setting.
858 – Displays the application of Windows Firewall Group Policy settings.
859 – Displays the removal of Windows Firewall Group Policy settings.
860 – Displays a change made to a different profile.
861 – Displays an application attempting to listen for incoming traffic.
Why is this change important?
Auditing the activity of Windows Firewall is part of a defense in depth strategy because it can be used to alert you to malicious software that is attempting to modify firewall settings. Auditing also generally helps administrators determine the network needs of their applications and design an appropriate policy for deployment to large numbers of users.
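The event IDs listed above are enough to build a first-pass review of the Security log. The following Python script is an added example, not code from this page or from Microsoft. It works on records already exported from Event Viewer (the sample records are constructed for the example; the message wording of event 861, the CONTOSO domain, the account names and the approved-changer list are all assumptions), counts events per category, pulls the program, protocol and port out of each 861 listen attempt, and flags exception-list, operation-mode, Remote Administration and Group Policy removal changes made by an account that is not on the approved list, which is the "malicious software modifying firewall settings" case the text describes.

```python
import re
from collections import Counter

# Event IDs that Windows Firewall writes to the Security log once "Audit policy
# change" and "Audit process tracking" are enabled (IDs and meanings from the text).
FIREWALL_EVENTS = {
    848: "startup configuration",
    849: "application exception configuration",
    850: "port exception configuration",
    851: "application exceptions list changed",
    852: "port exceptions list changed",
    853: "operation mode changed",
    854: "logging settings changed",
    855: "ICMP settings changed",
    856: "unicast response to multicast/broadcast setting changed",
    857: "Remote Administration setting changed",
    858: "Group Policy settings applied",
    859: "Group Policy settings removed",
    860: "profile changed",
    861: "application attempting to listen",
}

# Changes worth an alert when made outside change control: they widen the
# attack surface or alter how the firewall runs. This selection is the
# example's own choice, not something the text prescribes.
REVIEW_EVENTS = {851, 852, 853, 857, 859}

# Hypothetical list of accounts allowed to change firewall settings.
APPROVED_CHANGERS = {"SYSTEM", "CONTOSO\\admin1"}

# Field layout assumed for the event 861 message text; the real event's wording
# may differ, so adjust the pattern to what your exported log contains.
LISTEN_RE = re.compile(
    r"Application:\s*(?P<app>\S+)\s+Port:\s*(?P<port>\d+)\s+Protocol:\s*(?P<proto>TCP|UDP)"
)

# Constructed sample records: (event_id, account, message). They are made up
# for this example and were not captured from a real Security log.
SAMPLE_EVENTS = [
    (848, "SYSTEM", "Windows Firewall startup configuration. Operational mode: Enabled"),
    (861, "NT AUTHORITY\\NETWORK SERVICE",
     "Application: C:\\WINDOWS\\system32\\svchost.exe Port: 135 Protocol: TCP"),
    (852, "CONTOSO\\admin1", "Port exceptions list changed: added TCP 8080, scope: all"),
    (861, "CONTOSO\\svc_app", "Application: D:\\apps\\agent.exe Port: 4444 Protocol: TCP"),
    (853, "CONTOSO\\svc_app", "Operation mode changed: Enabled -> Disabled"),
    (4624, "CONTOSO\\admin1", "An account was successfully logged on"),
]


def triage(events, approved=APPROVED_CHANGERS):
    """Summarise Windows Firewall audit events and flag suspicious changes.

    Returns a dict with per-category counts, the (app, proto, port) tuples
    seen in listen events, and configuration changes made by accounts that
    are not on the approved list.
    """
    counts = Counter()
    listeners = []
    findings = []
    for event_id, account, message in events:
        category = FIREWALL_EVENTS.get(event_id)
        if category is None:
            continue  # not a Windows Firewall audit event; ignore it
        counts[category] += 1
        if event_id == 861:
            m = LISTEN_RE.search(message)
            if m:
                listeners.append((m.group("app"), m.group("proto"), int(m.group("port"))))
        elif event_id in REVIEW_EVENTS and account not in approved:
            findings.append((event_id, account, message))
    return {"counts": dict(counts), "listeners": listeners, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for category, n in sorted(result["counts"].items()):
        print(f"{n:3d}  {category}")
    for app, proto, port in result["listeners"]:
        print(f"listen: {app} {proto}/{port}")
    for event_id, account, message in result["findings"]:
        print(f"ALERT {event_id} by {account}: {message}")
```

On the sample, the operation-mode change made by the service account is reported while the port exception added by the approved administrator is only counted; the listen events give you the list of programs that asked for a port, which is the input for deciding what belongs on the exceptions list.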
Traffic scoping for exceptions
Detailed description
ICF allowed excepted traffic to come from any IPv4 address. With Windows Firewall in Windows Server 2003 with Service Pack 1, you can also configure an exception to allow incoming traffic only from addresses that are directly reachable by selecting the My network (subnet) only scope option (based on entries in the IPv4 and IPv6 routing table), or from specific IPv4 address ranges by selecting the Custom list scope option.
For computers in a workgroup, some exceptions are restricted to locally reachable addresses by default. These exceptions are those needed for file and printer sharing and the UPnP framework. Additionally, when these exceptions are opened for locally reachable addresses on an Internet Connection Sharing (ICS) host, the exceptions will not be opened on the ICS public interface. If you enable these exceptions for all possible addresses they will be opened on the ICS public interface, which is not recommended. When the File and Printer Sharing built-in exception is enabled with the NetShare application programming interface (API), with the Network Setup Wizard, or through the Windows Firewall user interface, incoming file and printer sharing connection requests can come only from directly reachable addresses by default.
If you are enabling Windows Firewall on a server that is already configured for file and printer sharing, the File and Printer Sharing exception might be enabled automatically. It is recommended that you apply the locally reachable addresses restriction to any exception that is used for communicating on the local network. It can be done programmatically at the command line using Windows Firewall Netsh Helper, or by clicking Windows Firewall in Control Panel.
Note
As a best practice, identify custom scopes with specific addresses or subnets for the exceptions that you specify for Windows Firewall.
When you configure and enable an exception, you are instructing Windows Firewall to allow specific unsolicited incoming traffic sent from the specified scope (from any address, from an address that can be reached directly, or from a custom list). For any scope, enabling an exception makes the computer accessible to attacks based on incoming unsolicited traffic from computers that are assigned the allowed addresses and from malicious computers that spoof traffic. There is no way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses except by disabling the exception. Therefore, you should try to configure scope options so that the number of computers that are allowed to send unsolicited traffic through an exception is kept to a minimum. This will reduce, but not eliminate, the likelihood of a spoof attack.
If your organizational security policy requires you to ensure that no one outside your network can access a resource, then you should consider using an approach such as IPsec that supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
Why is this change important? What threats does it help mitigate?
Some applications need to communicate only with other computers on the local network and not computers on the Internet. Configuring Windows Firewall to allow only traffic from locally reachable addresses or from specific address ranges corresponding to locally attached subnets restricts the set of addresses from which unsolicited incoming traffic can be accepted. This mitigates, but does not eliminate, attacks that can occur for enabled exceptions.
What works differently?
When the File and Printer Sharing or the UPnP framework built-in exception is enabled using the Control Panel on a computer that is a member of a workgroup, the locally reachable addresses scope is applied to the ports opened. If an application or service also uses these ports, it will be able to communicate only with other nodes that are assigned locally reachable addresses. However, if the computer is a member of a domain, the global scope is applied.
If these exceptions are enabled using an API call or using Netsh.exe instead of from Control Panel, the default scope setting is locally reachable addresses, regardless of whether the computer is a member of a workgroup or a domain.
How do I resolve these issues?
If your application or service does not work with this type of restriction, you should open the port for any computer, as described in “Do I need to change my code to work with Windows Server 2003 Service Pack 1?” later in this document.
Command-line support
Detailed description
The Windows Firewall Netsh Helper was added to Windows XP in the Advanced Networking Pack. This helper applied only to IPv6 Windows Firewall. With Windows Server 2003 Service Pack 1, the structure and syntax of the helper changed and expanded to include support for configuring IPv4 as well. With the Netsh Helper, you can fully configure Windows Firewall, including:
Configure the default state of Windows Firewall (Off, On, On with no exceptions).
Configure the ports that must be open.
Configure the ports to enable global access or to restrict access to the local subnet.
Set ports to be open on all interfaces or only on a specific interface.
Configure the logging options.
Configure the Internet Control Message Protocol (ICMP) handling options.
Configure and enable program-based exceptions.
Windows Firewall configuration and status information can be retrieved at the command line by using the Netsh.exe context: firewall.
To use this context, type netsh firewall at a command prompt, and then use additional Netsh commands as needed.
The following commands are useful for gathering firewall status and configuration information and can be useful for troubleshooting the operation of your firewall:
netsh firewall show state
netsh firewall show config
The following commands can be used to modify the configuration of Windows Firewall.
Command – Description
add allowedprogram – Used to add excepted traffic by specifying the program’s file name.
set allowedprogram – Used to modify the settings of an existing allowed program exception.
delete allowedprogram – Used to delete an existing allowed program exception.
set icmpsetting – Used to specify allowed ICMP traffic.
set logging – Used to specify logging options.
set notifications – Used to specify whether notifications to the user when programs try to open ports are enabled.
set opmode – Used to specify the operating mode of Windows Firewall either globally or for a specific connection (interface).
add portopening – Used to add excepted traffic by specifying a TCP or UDP port.
set portopening – Used to modify the settings of an existing open TCP or UDP port exception.
delete portopening – Used to delete an existing open TCP or UDP port exception.
set service – Used to enable or drop RPC and DCOM traffic, Remote Desktop, file and printer sharing, and UPnP traffic.
reset – Resets firewall configuration to Default. This provides the same functionality as the Restore Defaults button in Control Panel/Windows Firewall.
The following table details the show commands supported for Windows Firewall.
Command – Description
show allowedprogram – Displays the allowed programs.
show config – Displays the detailed local configuration information.
show currentprofile – Displays the current profile.
show icmpsetting – Displays the ICMP settings.
show logging – Displays the logging settings.
show notifications – Displays the current settings for notifications.
show opmode – Displays the operational mode for profiles and interfaces.
show portopening – Displays the excepted ports.
show service – Displays the services exception settings.
show state – Displays the current state information.
You can compare the output from these commands with the output from the netstat -ano command to identify the programs that may have listening ports open and that do not have corresponding exceptions in the firewall configuration.
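The netstat comparison suggested above is easy to automate. The following Python script is an added example, not part of the page or of the netsh tool: it parses constructed samples of `netsh firewall show portopening` and `netstat -ano` output from a hypothetical host and lists listening sockets that no enabled port exception covers. The column layout of the netsh sample is an assumption made for the example; adjust the regular expression to match what your server actually prints.

```python
import re

# Constructed sample of "netsh firewall show portopening" output. It is not
# captured from a real server; the column layout is an assumption for this example.
NETSH_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
3389   TCP       Enable   Remote Desktop
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
8080   TCP       Disable  Legacy web console
"""

# Constructed sample of "netstat -ano" output from the same hypothetical host.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       844
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1220
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2504
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       1380
  TCP    192.168.1.10:3389      203.0.113.7:51022      ESTABLISHED     1220
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:1900           *:*                                    1108
"""

PORT_LINE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+)$")


def parse_portopening(text):
    """Map (proto, port) -> (enabled, name) from netsh portopening output."""
    exceptions = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, mode, name = m.groups()
            exceptions[(proto, int(port))] = (mode == "Enable", name.strip())
    return exceptions


def parse_listeners(text):
    """Map (proto, port) -> pid for sockets that can receive unsolicited traffic.

    TCP sockets count only in LISTENING state; every bound UDP socket counts.
    Loopback-only listeners are skipped because they are unreachable from the network.
    """
    listeners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "[::1]"):
            continue
        if proto == "TCP":
            if parts[3] != "LISTENING":
                continue
            pid = int(parts[4])
        else:
            pid = int(parts[3])
        listeners[(proto, int(port))] = pid
    return listeners


def find_uncovered(listeners, exceptions):
    """Listeners no enabled port exception covers, as (proto, port, pid, reason)."""
    report = []
    for (proto, port), pid in sorted(listeners.items()):
        exc = exceptions.get((proto, port))
        if exc is None:
            report.append((proto, port, pid, "no port exception"))
        elif not exc[0]:
            report.append((proto, port, pid, "exception '%s' is disabled" % exc[1]))
    return report


if __name__ == "__main__":
    hits = find_uncovered(parse_listeners(NETSTAT_ANO), parse_portopening(NETSH_PORTOPENING))
    for proto, port, pid, reason in hits:
        print(f"{proto}/{port} (PID {pid}): {reason}")
```

Treat the hits as review candidates rather than findings: a listener can also be covered by a program exception or a service exception (see `show allowedprogram` and `show service`), neither of which appears in `show portopening` output, and the RPC endpoint mapper on TCP 135 is handled by the dynamic RPC exceptions described later in this document. Use the PID to identify the owning process before deciding whether the port needs an exception or the service should be stopped.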
Why is this change important?
Providing a command-line interface provides administrators with a method to configure Windows Firewall without going through the graphical user interface. The command-line interface can be used in logon scripts and remote management.
What works differently?
Any script that was created with the Netsh Helper that was made available with the Advanced Networking Pack for Windows XP no longer works and must be updated.
How do I resolve these issues?
Update any scripts you might have so that they include the new firewall context and syntax.
“On with no exceptions” operational mode
Detailed description
Windows Firewall can be configured for exceptions to allow specific unsolicited incoming traffic during normal use. Typically, this is because key scenarios, like file and printer sharing, must be enabled. If a security issue is discovered in one or more of the listening services or applications that are running on the computer, it may be necessary for the computer to switch into a client-only mode, which is called “On with no exceptions.” Switching into this client-only mode configures Windows Firewall to prevent all unsolicited incoming traffic without having to reconfigure the firewall.
When in this mode, all exceptions are temporarily disabled and any existing connections are dropped. Any application interface that calls into Windows Firewall to create an exception is allowed and the requested firewall configuration is stored, but it is not enabled until the operational mode switches back to normal operation. All listen requests by applications are also ignored and notification dialogs are not displayed, effectively blocking the application from listening on a port while the computer is in this operational mode.
Why is this change important?
When a network system is under attack by viruses, worms, and other attackers, the attacker looks for services to exploit. The “On with no exceptions” operational mode provides a way for you to quickly lock down your system in the event of an attack so that valid exceptions cannot be used to circumvent the protection provided to your computer by Windows Firewall.
What works differently?
When in this operational mode, the computer cannot listen for requests that originate from the network. Any existing incoming connections are terminated. Outgoing connections are the only connections that succeed.
How do I resolve these issues?
When in this operational mode, it is expected that some functionality will fail because of the strict network security in place. You can restore functionality by returning the operational mode to On. This action should be performed by the user only after the threat has been identified and mitigated, because the security of the computer is reduced by performing this action.
Program-based exceptions
Detailed description
Some programs (applications or services) act as both network clients and servers. When they act as servers, they must allow unsolicited incoming traffic, because they do not know in advance who the peer will be.
In earlier versions of Windows, a program needed to call the firewall APIs to enable the necessary listening ports to be open. This proved difficult in peer-to-peer situations when the port was not known in advance. It was up to the program to close the port again after communication was completed. If the program terminated unexpectedly this could result in unnecessary open ports in the firewall.
An additional issue with the previous method of opening firewall ports was that ports could be opened only if programs were running in the security context of a local administrator. This violated the basic information security principle of least privilege by requiring programs to run in an administrative context, rather than only with the minimum necessary privileges.
In Windows Server 2003 with Service Pack 1, a program that needs to listen to the network can be added to the Windows Firewall exceptions list. If a program is enabled on the Windows Firewall exceptions list, Windows Firewall opens and closes the necessary listening ports automatically, regardless of the program’s security context. For more information about adding programs to the Windows Firewall exceptions list, see “How do I resolve these issues?” later in this document.
Programs that work with stateful filtering do not need to be placed on the Windows Firewall exceptions list. Only administrators can add a program to the Windows Firewall exceptions list.
Why is this change important? What threats does it help mitigate?
When a program is on the Windows Firewall exceptions list, only the necessary ports are opened, and they are opened only for the duration that the program is listening on those ports.
What works differently?
If a program needs to listen on the network, it must be enabled on the Windows Firewall exceptions list. If it is not, then the necessary port in Windows Firewall is not opened and the program will not be able to receive unsolicited inbound traffic.
How do I resolve these issues?
A program can be placed on the Windows Firewall exceptions list in five ways:
1. Programmatically. It is recommended that independent software vendors (ISVs) place their programs on the Windows Firewall exceptions list during installation. For more information about how to programmatically add a program to the exceptions list, see “Do I need to change my code to work with Windows Server 2003 Service Pack 1?” later in this section.
2. Command-line interface. This method can be used by IT administrators who manage Windows XP and Windows Server 2003 systems using scripts or other command-line tools.
3. Group Policy settings. This method can be used by IT administrators to add the program to the exceptions list through Group Policy.
4. Windows Firewall notification message. A user with Administrator rights can interact with the Windows Firewall notification message and add the application to the exceptions list.
When an application performs a TCP listen or UDP bind to a non-wildcard port, the network stack passes the application name and port to Windows Firewall. Windows Firewall looks up the application name on the exceptions list. If the application is on the exceptions list and enabled, then the corresponding port is opened in the firewall. If the application is on the exceptions list and disabled, then the corresponding port is not opened. If the application is not on the exceptions list, then users are asked to make a choice. If the users have administrative rights, they can:
Unblock the application to allow it to listen on the network. It is added to the exceptions list as Enabled and the port is opened.
Block the application from listening on the network. It is added to the exceptions list as Disabled and the port is not opened.
Choose to be asked again later. The application is not added to the exceptions list and the port is not opened.
If the user does not have administrative rights, the user is notified that the application is not allowed to listen on the network and that an Administrator must enable the program exception. If the user selects the Do not ask me again check box, the application is listed in the exceptions list as Disabled.
Note
Notification messages can only be used with applications. They cannot be used with services.
5. Manual configuration. Administrators can decide to enable a program manually in the Windows Firewall control panel by selecting it from a list that is populated from the list of programs in the Start menu or by browsing for the program.
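The rules spread across the traffic scoping section, the “On with no exceptions” section and the program-based exceptions section above combine into one decision per inbound packet. The following Python model is an added example, not code from the page or from Microsoft, and it is a simplification of the real filter: it evaluates a policy made of an operational mode, a set of directly attached subnets (standing in for the routing-table entries the My network (subnet) only scope is derived from), port exceptions with a scope, and program exceptions that open a port only while the listed program is the one listening. The sample policy, program paths and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Operational modes named in the text: On, On with no exceptions, Off.
ON, ON_NO_EXCEPTIONS, OFF = "on", "on with no exceptions", "off"


@dataclass
class ExceptionEntry:
    """One exceptions-list entry. scope is 'all', 'subnet' or 'custom';
    custom holds the address ranges used when scope == 'custom'."""
    enabled: bool = True
    scope: str = "all"
    custom: tuple = ()


@dataclass
class FirewallPolicy:
    opmode: str
    # Directly attached networks; stands in for the IPv4/IPv6 routing-table
    # entries that the "My network (subnet) only" scope is derived from.
    local_subnets: tuple
    port_exceptions: dict = field(default_factory=dict)     # (proto, port) -> ExceptionEntry
    program_exceptions: dict = field(default_factory=dict)  # lower-case path -> ExceptionEntry

    def _in_scope(self, src, exc):
        if exc.scope == "all":
            return True
        if exc.scope == "subnet":
            return any(src in ip_network(n) for n in self.local_subnets)
        if exc.scope == "custom":
            return any(src in ip_network(n) for n in exc.custom)
        raise ValueError("unknown scope %r" % exc.scope)

    def allows(self, proto, port, src_ip, listener=None):
        """Decide whether an unsolicited inbound packet to proto/port from src_ip
        is delivered. listener is the path of the program bound to that port, if any."""
        if self.opmode == OFF:
            return True                 # no filtering at all
        if self.opmode == ON_NO_EXCEPTIONS:
            return False                # every exception is suspended in this mode
        src = ip_address(src_ip)
        exc = self.port_exceptions.get((proto, port))
        if exc is not None and exc.enabled and self._in_scope(src, exc):
            return True
        # A program exception opens the port only while that program is listening.
        if listener is not None:
            prog = self.program_exceptions.get(listener.lower())
            if prog is not None and prog.enabled and self._in_scope(src, prog):
                return True
        return False


def sample_policy(opmode=ON):
    """Constructed sample policy; paths and addresses are hypothetical."""
    return FirewallPolicy(
        opmode=opmode,
        local_subnets=("192.168.1.0/24",),
        port_exceptions={
            ("TCP", 445): ExceptionEntry(scope="subnet"),                          # file sharing, LAN only
            ("TCP", 3389): ExceptionEntry(scope="custom", custom=("10.0.0.0/8",)),  # RDP from admin range
            ("TCP", 8080): ExceptionEntry(enabled=False),                           # listed but disabled
        },
        program_exceptions={
            "d:\\apps\\agent.exe": ExceptionEntry(scope="all"),
        },
    )


if __name__ == "__main__":
    p = sample_policy()
    print("445 from LAN:", p.allows("TCP", 445, "192.168.1.50"))
    print("445 from Internet:", p.allows("TCP", 445, "203.0.113.9"))
    print("4444 while agent.exe listens:", p.allows("TCP", 4444, "203.0.113.9", "D:\\apps\\agent.exe"))
    print("445 from LAN, no exceptions mode:", sample_policy(ON_NO_EXCEPTIONS).allows("TCP", 445, "192.168.1.50"))
```

The model makes the trade-offs in the text visible: narrowing a scope to the subnet or a custom list shrinks the set of sources that can reach an open port (though, as the text notes, it cannot stop a spoofed source inside that range), a disabled entry behaves as if absent, and switching to “On with no exceptions” blocks everything regardless of what the lists contain.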
Multiple profiles
Detailed description
Multiple profile support in Windows Firewall allows you to create two sets of firewall policy settings: one for when the computer is connected to a managed network and one for when the computer is not. You can specify settings that are less strict when the computer is connected to the corporate network to enable line-of-business applications to work. You can also have more aggressive security policy settings that will be enforced when the computer leaves the corporate network, which helps to protect mobile users.
Note
Multiple profiles for Windows Firewall apply only to computers that are joined to an Active Directory domain. Computers that are in a workgroup use only one profile.
Why is this change important? What threats does it help mitigate?
For a mobile computer, it is desirable to have more than one firewall configuration. Often, a configuration that is safe on a corporate network is likely to be susceptible to attack on the Internet. Therefore, being able to have ports opened on the corporate network and not on other networks is critical to ensuring that only the necessary ports are exposed at any given time.
What works differently?
If an application needs to be listed in the Windows Firewall exceptions list in order to work correctly, it might not work on both networks, as the two profiles might not have the same set of policy settings. For an application to work on all networks, it must be listed in both profiles. For more information about the Windows Firewall exceptions list, see the earlier section.
How do I resolve these issues?
If the computer is joined to a domain, you must ensure that the application is listed in both firewall configurations. Consider creating exceptions through the command-line interface or Group Policy, as you will only have access to the currently running profile through Windows Firewall in Control Panel.
RPC support for System Services
Detailed description
In earlier versions of Windows, Internet Connection Firewall blocked remote procedure call (RPC) communication. While Internet Connection Firewall could be configured to allow network traffic to the RPC Endpoint Mapper, the port that an RPC server used was unknown and the application would still fail.
Many enterprise applications and components fail if RPC is not allowed to communicate over the network. Some examples include, but are not limited to, the following:
Remote administration, such as the Computer Management feature and the Select Users, Computers, and Groups dialog box, which is used by many applications
Remote Windows Management Instrumentation (WMI) configuration
Scripts that manage remote clients and servers
RPC opens several ports and then exposes many different servers on those ports. It then requests that Windows Firewall create associated exceptions for these ports. If Windows Firewall is configured to allow such requests, the required ports will be opened for as long as RPC needs the exception (similar to a program exception).
Why is this change important? What threats does it help mitigate?
In order to enable remote administration scenarios, many enterprise-wide deployments require that the system services that use RPC work with Windows Firewall by default.
What works differently?
By default, RPC does not function through Windows Firewall. All system services that use RPC are affected. However, Windows Firewall can be configured to allow RPC to work for these services using the remote administration setting. This setting also enables exceptions for the RPC Endpoint Mapper (TCP 135), SMB over TCP (TCP 445), and ICMP echo requests.
How do I resolve these issues?
See "Do I need to change my code to work with Windows Server 2003 Service Pack 1?" later in this document.
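The two points above (exceptions must exist in both profiles, and RPC for system services is unlocked by the remote administration setting) can be handled from the command line, which unlike Control Panel can write to both profiles at once. The PowerShell wrapper below around the netsh firewall context that shipped with Server 2003 SP1 is an added example, not from the page or from Microsoft; the program path, display names and TCP port 8530 are constructed values.

```powershell
# Added example: Windows Firewall exceptions for BOTH profiles via "netsh firewall".
# Constructed values: the program path, display names and TCP port 8530.
# Run in an Administrator session on Windows Server 2003 SP1.

function Add-ExceptionToAllProfiles {
    param(
        [string]$ProgramPath,   # fully qualified path of the listening program
        [string]$ProgramName,   # friendly name shown in the Windows Firewall UI
        [int]$TcpPort,          # fixed port a service listens on
        [string]$PortName       # friendly name for the port opening
    )
    # profile=ALL writes the entry into the domain AND the standard profile, so the
    # application keeps working after the computer leaves the corporate network.
    # scope=SUBNET keeps the exposure to the local subnet rather than any address.
    netsh firewall add allowedprogram program="$ProgramPath" name="$ProgramName" mode=ENABLE scope=SUBNET profile=ALL
    netsh firewall add portopening protocol=TCP port=$TcpPort name="$PortName" mode=ENABLE scope=SUBNET profile=ALL
}

function Enable-RemoteAdminSubnetOnly {
    # The remote administration setting lets RPC-based system services have their
    # ports opened on demand and also enables TCP 135, TCP 445 and ICMP echo, so
    # restrict it to the local subnet and enable it only where it is needed.
    netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET profile=ALL
}

function Show-FirewallExceptions {
    # Control Panel shows only the running profile; these listings cover both
    # the domain and the standard profile, which is what you want to verify.
    netsh firewall show currentprofile
    netsh firewall show allowedprogram verbose=ENABLE
    netsh firewall show portopening
    netsh firewall show service
}

# Constructed usage
Add-ExceptionToAllProfiles -ProgramPath '%ProgramFiles%\Contoso\LobClient.exe' `
    -ProgramName 'Contoso LOB client' -TcpPort 8530 -PortName 'Contoso LOB service'
Enable-RemoteAdminSubnetOnly
Show-FirewallExceptions
```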
Restore defaults
Detailed description
Previously, there was no way for a user to reset the configuration of Internet Connection Firewall (ICF). Over time, the firewall might be configured to allow unsolicited incoming traffic to ports no longer used by other applications. This might make it difficult for the user to easily and quickly go back to a default configuration.
This option enables the user to restore Windows Firewall settings to their original defaults. In addition, the Windows Firewall defaults can be modified by original equipment manufacturers (OEMs) and businesses to provide custom default configuration options.
Why is this change important?
This option allows end users to restore their Windows Firewall settings to the out-of-the-box defaults.
What works differently?
No functional changes in Windows Firewall result from this addition. However, use of this feature disables Internet Connection Sharing and Network Bridge.
Unattended setup support
Detailed description
In earlier versions of Windows, it was not possible to configure Internet Connection Firewall during installation. This made it difficult for OEMs and businesses to preconfigure Internet Connection Firewall before distributing a computer to their end users. In Windows Server 2003 with Service Pack 1, you can configure the following options of Windows Firewall through unattended setup:
Operational mode
Applications on the Windows Firewall exception list
Static ports on the exception list
ICMP options
Logging options
Why is this change important?
A method to preconfigure Windows Firewall allows Windows resellers and large enterprises more flexibility and customization options for Windows Firewall.
What works differently?
This feature adds configuration flexibility to Windows Firewall. No functional changes in Windows Firewall result from this addition.
The syntax used to enable or disable ICF in an unattend script has been replaced with the new syntax for Windows Firewall. The sections of the Unattend.txt file for Windows Firewall configuration consist of the following:
[WindowsFirewall]
A required section that defines which profiles to use and Windows Firewall log file settings.
[WindowsFirewall.profile_name]
The domain profile section, [WindowsFirewall.Domain], contains settings for when a computer is connected to a network that contains domain controllers for the domain of which the computer is a member. The standard profile, [WindowsFirewall.Standard], contains settings for when a computer is not connected to a network that contains domain controllers for the domain of which the computer is a member. If you do not want Windows Firewall to be used, you can specify Profiles = WindowsFirewall.TurnOffFirewall.
The [WindowsFirewall.profile_name] section is a user-defined section that is referenced by the [WindowsFirewall] section to make changes to Windows Firewall's default configuration, including programs, services, ports, and ICMP settings.
[WindowsFirewall.program_name]
A user-defined section that adds a program to the Windows Firewall exceptions list.
[WindowsFirewall.service_name]
A user-defined section that adds a predefined service to the Windows Firewall exceptions list (such as file and printer sharing, UPnP framework, Remote Desktop service, and Remote Administration).
[WindowsFirewall.portopening_name]
A user-defined section that adds a port to the Windows Firewall exceptions list.
[WindowsFirewall.icmpsetting_name]
A user-defined section that adds ICMP message types to the Windows Firewall exceptions list.
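An added Unattend.txt fragment (not from the page and not one of Microsoft's own samples) showing how the sections above fit together: a domain profile that admits one line-of-business program, one fixed port and Remote Desktop on the local subnet, beside a stricter standard profile with no exceptions at all. The program path, names and port are constructed, and the key names and numeric codes for Type, Mode, Scope and Protocol are my recollection of the deployment guide the page links below; confirm them against that guide before building an image.

```ini
; Constructed example: Windows Firewall sections of an Unattend.txt file

[WindowsFirewall]
Profiles = WindowsFirewall.Domain, WindowsFirewall.Standard
LogFile = %WINDIR%\pfirewall.log
LogSize = 4096
LogDroppedPackets = 1
LogConnections = 0

; Used when a domain controller for the computer's domain is reachable.
; Type 1 = domain profile, Mode 1 = firewall on, Exceptions 1 = allow the list below.
[WindowsFirewall.Domain]
Type = 1
Mode = 1
Exceptions = 1
Notifications = 1
MulticastBroadcastResponse = 1
AllowedPrograms = WindowsFirewall.LobApp
Services = WindowsFirewall.RemoteDesktop
PortOpenings = WindowsFirewall.AppPort
IcmpSettings = WindowsFirewall.EchoRequest

; Used on every other network: firewall on, no exceptions, no user notifications.
; Type 2 = standard profile.
[WindowsFirewall.Standard]
Type = 2
Mode = 1
Exceptions = 0
Notifications = 0
MulticastBroadcastResponse = 0

; Program exception (assumed path); Scope 1 = local subnet only.
[WindowsFirewall.LobApp]
Program = %ProgramFiles%\Contoso\LobClient.exe
Name = Contoso LOB client
Mode = 1
Scope = 1

; Predefined service exception; Type 2 = Remote Desktop.
[WindowsFirewall.RemoteDesktop]
Type = 2
Mode = 1
Scope = 1

; Static port exception; Protocol 6 = TCP, assumed port 8530.
[WindowsFirewall.AppPort]
Protocol = 6
Port = 8530
Name = Contoso LOB service
Mode = 1
Scope = 1

; ICMP exception; Type 8 = inbound echo request.
[WindowsFirewall.EchoRequest]
Type = 8
Mode = 1
```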
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Enhanced multicast and broadcast support
Detailed description
Multicast and broadcast network traffic differs from unicast traffic because the response comes from an unknown host. As such, stateful filtering prevents the response from being accepted. This stops a number of scenarios from working, ranging from streaming media to discovery.
To enable these scenarios, Windows Firewall will allow a unicast response for three seconds from any directly reachable source address on the same port from which the multicast or broadcast traffic originated.
Why is this change important? What threats does it help mitigate?
This allows applications and services that use multicast and broadcast for communicating to work without either the user or the application/service needing to alter the firewall policy. This is important for things like NetBIOS over TCP/IP, so that sensitive ports such as port 135 are not exposed.
What works differently? Are there any dependencies?
In Windows Server 2003, Internet Connection Firewall statefully filtered multicast and broadcast traffic, which required the user to manually open the port to receive the response. In Windows Server 2003 Service Pack 1, Windows Firewall accepts the response to the multicast or broadcast traffic without additional configuration.
Updated user interface
Detailed description
The firewall user interface is updated in Windows Server 2003 Service Pack 1 to accommodate the new configuration options and the integration of IPv6 Internet Connection Firewall. The new Windows Firewall interface provides the user with the ability to change the operational states, the global configuration, logging options, and ICMP options.
The primary entry to the user interface has been moved from the Properties dialog box of the connection to a Control Panel icon. A link from the old location is still provided. Additionally, Windows Server 2003 Service Pack 1 creates a link from the Network Connections folder.
Why is this change important?
The functionality that is added in Windows Server 2003 Service Pack 1 required updates to the user interface.
What works differently?
The user interface is moved from the Advanced tab of the network connection's Properties dialog box to a specific Windows Firewall icon in Control Panel.
New Group Policy support
Detailed description
In earlier versions of Windows, Internet Connection Firewall had a single Group Policy object (GPO): Prohibit Use of Internet Connection Firewall on your DNS domain network. With Windows Server 2003 Service Pack 1, every global configuration option can be set through Group Policy. Examples of the new configuration options available include:
Define program exceptions
Allow local program exceptions
Allow ICMP exceptions
Prohibit notifications
Allow file and printer sharing exception
Allow logging
Each of these objects can be set for both the corporate and standard profile. For more information about Group Policy options, see "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2" in the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=23277. This document also covers developments in Windows Server 2003 Service Pack 1.
Why is this change important?
It is important for administrators to centrally manage Windows Firewall policy settings to enable applications and scenarios to work in the corporate environment.
What works differently?
The IT administrator can now decide the default Windows Firewall policy set. This can either enable or disable applications and scenarios. This allows more control, but the policies do not change the underlying functionality of Windows Firewall.
What settings are added or changed in Windows Server 2003 Service Pack 1?
Every setting in the table below is a Group Policy object. For all of them, the Location is Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall, the Previous default value is Not applicable, and the Default value is Not configured. Only the Possible values differ per setting.

Setting name                                                   Possible values
Protect all network connections                                Enabled; Disabled
Do not allow exceptions                                        Enabled; Disabled
Define program exceptions                                      Enabled [Program path] [Scope]; Disabled
Allow local program exceptions                                 Enabled; Disabled
Allow remote administration exception                          Enabled; Disabled
Allow file and printer sharing exception                       Enabled; Disabled
Allow ICMP exceptions                                          Enabled (once enabled, select which message types to allow, see below); Disabled
Allow remote desktop exception                                 Enabled; Disabled
Allow UPnP framework exception                                 Enabled; Disabled
Prohibit notifications                                         Enabled; Disabled
Allow logging                                                  Enabled; Disabled
Prohibit unicast response to multicast or broadcast requests   Enabled; Disabled
Define port exceptions                                         Enabled; Disabled
Allow local port exceptions                                    Enabled; Disabled

ICMP message types selectable once Allow ICMP exceptions is Enabled: [Allow outbound destination unreachable], [Allow outbound source quench], [Allow redirect], [Allow inbound echo request], [Allow outbound time exceeded], [Allow outbound parameter problem], [Allow inbound timestamp request], [Allow inbound mask request], [Allow outbound packets too big].
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
We recommend that you use the Security Configuration Wizard to configure Windows Firewall for use with Windows Server 2003 Service Pack 1. SCW is designed to accommodate the requirements of different server roles and workloads and configure the firewall settings correctly. If you are going to manually configure your firewall settings, review the following information for how your applications might be affected.
Outbound connections
Description
For typical consumer and office computers, the computer is a client on the network. Software on the computer connects out to a server (an outbound connection) and gets responses back from the server. Windows Firewall allows all outbound connections, but applies rules to the types of communication that are allowed back into the computer.
Some examples of tasks involving Microsoft applications that might work this way include:
Surfing the Web using Microsoft Internet Explorer.
Checking e-mail in Outlook Express.
Chatting in MSN Messenger or Windows Messenger.
Action Required
None. Windows Firewall will automatically allow all outbound connections, regardless of the program and the user context.
Note
When a computer initiates a TCP session request to a target computer, it will accept a response only from that target computer.
When the computer sends UDP packets, Windows Firewall allows UDP responses to the port from which the UDP packets were sent from any IP address for approximately 90 seconds.
Unicast responses to multicast and broadcast traffic are allowed through Windows Firewall for three seconds if the responses are to the port from which the traffic was sent and are from IP addresses on the same subnet as the computer. A setting in the firewall controls this behavior, which is enabled by default.
Unsolicited inbound connections for applications
Description
This scenario covers an application that completes a listen operation on a TCP socket or successfully binds to a specific UDP socket through Winsock. For this scenario, Windows Firewall can automatically open and close ports as needed by the application.
Some examples of tasks involving Microsoft applications that might work this way include:
Using audio and video in MSN Messenger or Windows Messenger.
Transferring files in MSN Messenger or Windows Messenger.
Hosting a multiplayer game.
Action required
If you are developing an application that needs to listen on a port (or ports), Microsoft requests that you update your code to ask the users to indicate whether they want to allow the application to open ports in the firewall:
If the user consents to this, then the application can use the INetFwAuthorizedApplication API to add itself to the AuthorizedApplications collection as Enabled.
If the user does not consent, then the application can use the INetFwAuthorizedApplication API to add itself to the AuthorizedApplications collection as Disabled.
When using the INetFwAuthorizedApplication API to add an application to the AuthorizedApplications collection, the following values are required:
Image File Name. This is the file that calls Winsock to listen for network traffic. This must be a fully qualified path, but it might contain environment variables.
Friendly Name. This is the description for the application that will be shown to users in the Windows Firewall user interface.
For more information about the INetFwAuthorizedApplication API, see "INetFwAuthorizedApplication" in the Microsoft Platform Software Development Kit (SDK) on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=32000.
Windows Firewall monitors Winsock to see when applications start and stop listening on ports. As a result, ports are automatically opened and closed for applications after their entries have been enabled in the Windows Firewall exceptions list. This means that no action is required by Winsock applications to actually open and close ports in the firewall.
Note
An application must be running in the context of a user with Administrator rights to add itself to the Windows Firewall exceptions list.
Ports are automatically opened and closed in the firewall for allowed Winsock applications, regardless of the user context in which the applications are running.
Applications should get user consent before adding themselves to the INetFwAuthorizedApplications collection.
Svchost.exe cannot be added to the INetFwAuthorizedApplications collection.
Inbound connections for services using fixed ports
Description
While developers are advised to use the INetFwAuthorizedApplication APIs for all other scenarios, the use of global port APIs in Windows Firewall is recommended for services that listen on fixed ports. Because these ports are always open, there is minimal benefit to dynamically opening the ports. Instead, users gain the ability to customize the firewall settings for these fixed ports when the global port APIs are used.
Some examples of services that require inbound connections are:
File and printer sharing.
UPnP architecture.
Remote Desktop.
Action Required
When a service needs to listen on a fixed port, it should ask the user whether it should allow the service to open ports in the firewall. Ideally this should be done when the service is being installed.
If the user consents to this, then the service should use the INetFwOpenPort API to add rules to Windows Firewall for the fixed port (or ports) needed by the service. These rules should be enabled.
If the user does not consent, then the service should still use the INetFwOpenPort API to add rules to Windows Firewall for the fixed port or ports needed by the service. These rules, however, should not be enabled.
When using the INetFwOpenPort API to add a port opening to Windows Firewall, the following values are required:
Protocol. Specifies the network protocol that is used by the service, either TCP or UDP.
Port. This is the number of the port to be opened.
Friendly Name. This is the description for the port opening that will be shown to users in the Windows Firewall user interface.
For more information about the INetFwOpenPort API, see "INetFwOpenPort" in the Platform Software Development Kit on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=35316.
When a service is disabled, it should use the INetFwOpenPort API to close the static ports that it opened, whenever possible. This can be easily done if it is the only service that uses the ports. If the service potentially shares the ports with other services, however, it should not close the ports unless it can verify that none of the other services are using the ports.
An application must be running in the context of a user with Administrator rights to statically open ports in Windows Firewall.
Note
When statically opening ports through the INetFw API, a service should limit itself to traffic from the local subnet whenever possible.
Services should get user consent before statically opening ports in Windows Firewall. A service should never just automatically open ports without first warning the user.
Inbound connections on RPC and DCOM ports for system services
Description
Some system services require the use of RPC ports, either through DCOM or RPC directly, for inbound connections. Because of the significant security implications when opening RPC ports, these ports are handled as a special case, and developers should try to enable RPC for system services through Windows Firewall only when absolutely necessary.
Action required
Windows Firewall can be configured to enable the automatic opening and closing of RPC and DCOM ports for system services. By default, however, RPC will be blocked by Windows Firewall. This means that applications that use the RPC ports to transfer data to system services will need to configure Windows Firewall appropriately. When an application needs to enable this feature, it should ask the user whether it should allow the services to open ports in the firewall. Ideally, this should be done at installation time.
If the user consents to allowing the RPC ports to be opened, then the service should use the INetFwRemoteAdminSettings API to open the ports that are needed by the service.
If the user does not consent to allowing the RPC ports to be opened, then the application or service should not configure Windows Firewall to allow the RPC ports.
For more information about the INetFwRemoteAdminSettings API, see "INetFwAuthorizedApplication" on the MSDN Web site at http://go.microsoft.com/fwlink/?linkid=32000 and, in the table of contents, click "RemoteAddresses Property of INetFwAuthorizedApplication."
Note
To enable or disable the automatic opening of RPC ports in Windows Firewall, an application or service must be running in the context of a user with Administrator rights.
An application or service should try to allow the RPC ports through Windows Firewall only when absolutely necessary.
If the RPC ports are already allowed, then the application or service does not need to do anything in order to function correctly. You can determine which ports are already opened using the IsPortAllowed API.
The RPC ports setting works only for RPC servers that run in the context of local system, network service, or local service. Ports opened by RPC servers running in other user contexts will not be enabled through this setting. Instead, those RPC servers should use the Windows Firewall exceptions list.
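The consent-driven flow the three "Action required" passages describe (application exception added as Enabled or Disabled according to the user's answer, fixed port opened with a local-subnet scope, RPC enabled only when necessary and only if it is not already allowed), as an added PowerShell example against the HNetCfg COM objects that expose the INetFw* interfaces. It is not code from the page or from Microsoft; the program path, port 8530 and the $consented value that stands in for the install-time prompt are assumptions.

```powershell
# Added example: the INetFw* guidance above, driven from PowerShell through the
# HNetCfg COM objects. Assumptions: the sample path and port, and that $consented
# holds the user's answer to the consent prompt. Must run as an Administrator.

$NET_FW_SCOPE_LOCAL_SUBNET = 1   # NET_FW_SCOPE: limit traffic to the local subnet
$NET_FW_IP_VERSION_ANY     = 2   # NET_FW_IP_VERSION: IPv4 and IPv6
$NET_FW_IP_PROTOCOL_TCP    = 6   # NET_FW_IP_PROTOCOL: TCP (UDP would be 17)

$fwMgr = New-Object -ComObject HNetCfg.FwMgr
# The COM API only reaches the profile that is currently active; the other
# profile has to be configured through netsh or Group Policy.
$fwProfile = $fwMgr.LocalPolicy.CurrentProfile

function Add-ApplicationException {
    param([string]$ImagePath, [string]$FriendlyName, [bool]$Consented)
    $app = New-Object -ComObject HNetCfg.FwAuthorizedApplication
    $app.ProcessImageFileName = $ImagePath      # fully qualified; env vars allowed
    $app.Name      = $FriendlyName              # shown in the Windows Firewall UI
    $app.IpVersion = $NET_FW_IP_VERSION_ANY
    $app.Scope     = $NET_FW_SCOPE_LOCAL_SUBNET
    $app.Enabled   = $Consented                 # declined -> listed but Disabled
    $fwProfile.AuthorizedApplications.Add($app)
    # From here on Windows Firewall watches Winsock and opens/closes the port itself.
}

function Add-FixedPortException {
    param([int]$Port, [string]$FriendlyName, [bool]$Consented)
    $opening = New-Object -ComObject HNetCfg.FwOpenPort
    $opening.Port     = $Port
    $opening.Protocol = $NET_FW_IP_PROTOCOL_TCP
    $opening.Name     = $FriendlyName
    $opening.Scope    = $NET_FW_SCOPE_LOCAL_SUBNET   # local subnet only, per the Note
    $opening.Enabled  = $Consented                   # declined -> rule present, not enabled
    $fwProfile.GloballyOpenPorts.Add($opening)
}

function Remove-FixedPortException {
    param([int]$Port)
    # Call when the service is disabled, and only if no other service shares the port.
    $fwProfile.GloballyOpenPorts.Remove($Port, $NET_FW_IP_PROTOCOL_TCP)
}

function Enable-RpcForSystemServices {
    param([bool]$Consented)
    # The remote administration setting (INetFwRemoteAdminSettings). Do nothing
    # without consent, and nothing if the RPC ports are already allowed.
    if (-not $Consented) { return }
    if ($fwProfile.RemoteAdminSettings.Enabled) { return }
    $fwProfile.RemoteAdminSettings.Scope   = $NET_FW_SCOPE_LOCAL_SUBNET
    $fwProfile.RemoteAdminSettings.Enabled = $true
}

# Constructed usage: $consented would come from the install-time prompt.
$consented = $true
Add-ApplicationException -ImagePath '%ProgramFiles%\Contoso\LobClient.exe' `
    -FriendlyName 'Contoso LOB client' -Consented $consented
Add-FixedPortException -Port 8530 -FriendlyName 'Contoso LOB service' -Consented $consented
```

Svchost.exe-hosted services cannot use Add-ApplicationException, as the page notes; they fall under the fixed-port or RPC paths instead.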

You must be logged in to reply to this topic.