Windows Firewall in Windows Server 2003 Service Pack 1
Tagged: Windows Firewall
September 8, 2017 at 4:05 pm, posted by Webmaster (Keymaster)
Applies To: Windows Server 2003 with SP1
What does Windows Firewall do?
Windows Firewall (previously called Internet Connection Firewall or ICF) is a software-based, stateful filtering firewall for Microsoft Windows XP and Microsoft Windows Server 2003. Windows Firewall provides protection for computers that are connected to a network by preventing unsolicited incoming traffic through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6).
Configuration options include:
Configuring and enabling port-based exceptions
Configuring and enabling program-based exceptions
Configuring basic ICMP options
Logging dropped packets and successful connections
Windows Firewall in Windows Server 2003 Service Pack 1 is not enabled by default when the update is applied to your server.
It will only be enabled in the following situations:
If Internet Connection Sharing was previously enabled.
If Internet Connection Firewall was previously enabled.
If the server is a new installation of Windows Server 2003 with Service Pack 1 (also known as a slipstream installation).
The best resources to help you fully understand how Windows Firewall works and how it can be used in your environment are the Windows Firewall Information and Help topics on the Windows Server 2003 Tech Center Web site at http://go.microsoft.com/fwlink/?LinkId=48911 and the Windows Firewall Operations Guide on the Windows Server 2003 TechCenter Web site at http://go.microsoft.com/fwlink/?LinkId=48912.
Note
If you decide to use Windows Firewall with your server, it is strongly recommended that you restart your servers after turning on and configuring the firewall. Windows Firewall in Windows Server 2003 with Service Pack 1 now supports application exceptions and needs to maintain the state of those applications. As a result, any applications or services that you add to the firewall exceptions list that were running prior to the firewall starting will still fail. After the server is restarted, the firewall will be running before any of the applications on the exceptions list and will be able to successfully maintain the state of the applications and handle them correctly.
Who does this feature apply to?
This feature applies to:
All computers that are connected to a network, including the Internet.
All programs (applications and services) that listen on the network.
All programs that do not work with stateful filtering.
What new functionality is added to this feature in Windows Server 2003 Service Pack 1?
Integration of Internet Connection Firewall and IPv6 Internet Connection Firewall into Windows Firewall
Detailed description
The version of Internet Connection Firewall that was introduced with Windows XP filtered only IPv4 traffic. IPv6 Internet Connection Firewall was introduced with the Advanced Networking Pack for Windows XP. With Windows Server 2003 Service Pack 1, Internet Connection Firewall and IPv6 Internet Connection Firewall are integrated into a single component called Windows Firewall.
With this change, any configuration change applies to both IPv4 and IPv6 traffic. For example, when a static port is opened, it is opened for both IPv4 and IPv6 traffic.
Why is this change important?
This allows for easier configuration management and application compatibility.
What works differently?
The Internet Connection Firewall service is removed from the system and replaced with the Windows Firewall service, which filters both IPv4 and IPv6 traffic. All firewall APIs are superseded by new APIs introduced with Windows Server 2003 Service Pack 1.
How do I resolve these issues?
For more information, see "Do I need to change my code to work with Windows Server 2003 Service Pack 1?" later in this document.
On-by-default for new installations of Windows Server 2003 that include a service pack
Detailed description
Windows Firewall is on by default only during new installations of Windows Server 2003 that include a service pack (also known as a slipstream release). Windows Firewall provides network protection while users update their system with the latest patches using the new Post-Setup Security Updates feature. As soon as the updates are finished the firewall is turned off unless it was explicitly enabled.
If a server running Windows Server 2003 is updated or upgraded to Service Pack 1 the firewall is off by default and the Post-Setup Security Updates feature is not used.
Why is this change important? What threats does it help mitigate?
By enabling Windows Firewall by default on new installations, the computer has more protection from many network-based attacks while it is being set up and configured. For example, if Windows Firewall had been enabled by default, the MSBlaster attack would have been greatly reduced in impact, whether or not users had installed the relevant updates on their computers.
What works differently?
After a new installation of a slipstream version of Windows Server 2003 with Service Pack 1, Windows Firewall is enabled by default and incoming traffic is blocked until after Post-Setup Security Updates have been completed. This might create application or service incompatibility if the application or service does not work with stateful filtering by default.
How do I resolve these issues?
Complete Post-Setup Security Updates, which will automatically turn off the firewall, before proceeding with any other server configuration tasks.
It is also possible to configure the firewall to work with applications or services you need to use, if you don't want to complete Post-Setup Security Updates until a later time.
Configuration by the Security Configuration Wizard
Detailed description
The recommended means of turning on Windows Firewall and performing its initial configuration for Windows Server 2003 with Service Pack 1 is to use the Security Configuration Wizard (SCW). SCW will automatically turn on Windows Firewall and create the appropriate settings based on the needs of your server. For more information about SCW, see "Security Configuration Wizard" in this document.
Why is this change important?
Some server components and applications should not be used with Windows Firewall or should be used in very specific configurations. SCW has been designed to help you determine the recommended settings for the Windows Firewall based on your environment.
Boot-time security
Detailed description
In earlier versions of Windows, there is a period of time between when the network stack comes up and when Internet Connection Firewall provides protection. This results in the ability for a packet to be received and delivered to a service without Internet Connection Firewall providing filtering and potentially exposes the computer to vulnerabilities. This was due to the firewall driver not starting to filter until the firewall user-mode service was loaded and had applied appropriate policy settings. The firewall service has a number of dependencies, which causes the service to wait until those dependencies are cleared before it pushes the policy down to the driver. This time period is based upon the speed of the computer.
In Windows Server 2003 Service Pack 1, the IPv4 and IPv6 firewall drivers have a static rule to perform stateful filtering. This static rule is called a boot-time policy. This allows the computer to perform basic networking functions such as DNS and DHCP and communicate with a domain controller to obtain policy settings. After the Windows Firewall service is running, it loads and applies the runtime policy settings. The boot-time policy cannot be configured.
There is no boot-time security if the Windows Firewall service (which is listed as Windows Firewall/Internet Connection Sharing (ICS) in the Service Control Manager) is set to either Manual or Disabled.
Why is this change important? What threats does it help mitigate?
With this change, the computer is open to fewer attacks during startup and shutdown.
What works differently?
If the Windows Firewall service fails to start, boot-time security remains in effect. This means that all incoming connections are blocked. In this case, an administrator will not be able to remotely troubleshoot the issue because all the ports will be closed, including the port used by Remote Desktop.
If a service attempts to start before the firewall service, a "race condition" might result. If a necessary service is blocked by this condition you will need to disable Windows Firewall.
How do I resolve these issues?
To turn off boot-time security, stop the Windows Firewall/Internet Connection Sharing (ICS) service and set its startup type to either Manual or Disabled.
If the computer is in boot-time security mode because the firewall service has not started, an administrator must log on to the computer, resolve the cause of the failure, and then manually start the firewall service.
Running in safe mode (Safe mode firewall)
Detailed description
The firewall state is maintained when the server is started in safe mode.
Why is this change important?
With this change your computer is less vulnerable to attack when starting in safe mode with network connectivity.
What works differently?
In previous versions, Internet Connection Firewall was not available when running in safe mode.
Global configuration
Detailed description
In earlier versions of Windows, Internet Connection Firewall was configured on a per-interface basis. This meant that each network connection had its own set of firewall settings, for example, one set of settings for wireless, another set of settings for Ethernet. This made it difficult to synchronize firewall settings between connections. Additionally, new connections would not have any of the configuration changes that had been applied to the existing connections. Non-standard network connections, such as those created by proprietary dialers (for instance, ISP-configured dial-up networking connections) could not be protected.
With global configuration in Windows Firewall, whenever a configuration change occurs, it automatically applies to all network connections in the Network Connections folder, as well as any non-Microsoft dialers. When new connections are created, the configuration is applied to them as well. Configuration can still be performed on a per-interface basis. Non-standard network connections will have only global configuration. Configuration changes also apply to both IPv4 and IPv6.
Why is this change important?
Having global configuration makes it easier for users to manage their firewall policy across all network connections and enables configuration through Group Policy. It also allows you to enable applications to work on any interface with a single configuration option.
What works differently?
In earlier versions of Windows Server, firewall configuration was on a per-interface basis. In Windows Server 2003 Service Pack 1, the configuration is global and applies to both IPv4 and IPv6.
How do I resolve these issues?
If your application or service requires static openings to work, you should open the ports globally, as described later in this topic, in "Do I need to change my code to work with Windows Server 2003 Service Pack 1?"
Audit logging
Detailed description
Audit logging enables you to track changes that are made to Windows Firewall settings and to see which applications and services asked your computer to listen on a port. After audit logging is enabled, audit events will be logged in the security event log. Audit logging can be enabled on client computers running Windows XP Service Pack 2 and servers running Windows Server 2003 Service Pack 1. You can use the following procedure to enable audit logging on your computer.
To enable audit logging
1. Log on using an account that is a local administrator.
2. Click Start, click Control Panel, and then click Administrative Tools.
3. In Administrative Tools, double-click Local Security Policy to open the Local Security Settings console.
4. In the console tree of the Local Security Settings console, click Local Policies, and then click Audit Policy.
5. In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success and Failure, and then click OK.
6. In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success and Failure, and then click OK.
You can also enable audit logging for multiple computers in an Active Directory directory service domain using Group Policy by modifying the Audit policy change and Audit process tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the appropriate domain system containers.
After audit logging is enabled, you can use the Event Viewer snap-in to view audit events in the security event log.
Windows Firewall uses the following event IDs:
848 – Displays the startup configuration of Windows Firewall.
849 – Displays an application exception configuration.
850 – Displays a port exception configuration.
851 – Displays a change made to the application exceptions list.
852 – Displays a change made to the port exceptions list.
853 – Displays a change made to the Windows Firewall operation mode.
854 – Displays a change made to Windows Firewall logging settings.
855 – Displays a change made to ICMP settings.
856 – Displays a change made to the Prohibit unicast response to multicast or broadcast requests setting.
857 – Displays a change made to the Remote Administration setting.
858 – Displays the application of Windows Firewall Group Policy settings.
859 – Displays the removal of Windows Firewall Group Policy settings.
860 – Displays a change made to a different profile.
861 – Displays an application attempting to listen for incoming traffic.
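The six-step procedure and the event ID table above can be scripted. The following PowerShell is an added example, not code from the original article or from Microsoft: it turns on the same two audit categories with secedit (the template keys AuditPolicyChange and AuditProcessTracking correspond to "Audit policy change" and "Audit process tracking"; 3 means Success and Failure) and then pulls the Windows Firewall events 848 to 861 out of the Security log. The template and database paths are arbitrary; a domain Group Policy audit setting would override the local one. PowerShell 2.0 or later, run as a local administrator.

```powershell
# Added example (not part of the original article): the six-step procedure above,
# done with secedit instead of the Local Security Settings console, followed by a
# query for the Windows Firewall audit events (IDs 848-861). Assumptions: the
# template and database paths are arbitrary; [Event Audit] key names are those of
# a standard security template; a domain GPO audit policy would override this.
# PowerShell 2.0+, run as a local administrator.

$template = Join-Path $env:TEMP 'fw-audit.inf'
$db       = Join-Path $env:TEMP 'fw-audit.sdb'

# 3 = Success and Failure, the same choice as steps 5 and 6 above.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditPolicyChange = 3
AuditProcessTracking = 3
'@ | Out-File -FilePath $template -Encoding Unicode

secedit /configure /db $db /cfg $template /areas SECURITYPOLICY /quiet

# Event IDs and meanings as listed above.
$fwEvents = @{
    848 = 'Startup configuration'
    849 = 'Application exception configuration'
    850 = 'Port exception configuration'
    851 = 'Application exceptions list changed'
    852 = 'Port exceptions list changed'
    853 = 'Operation mode changed'
    854 = 'Logging settings changed'
    855 = 'ICMP settings changed'
    856 = 'Unicast response to multicast/broadcast setting changed'
    857 = 'Remote Administration setting changed'
    858 = 'Group Policy settings applied'
    859 = 'Group Policy settings removed'
    860 = 'Profile changed'
    861 = 'Application attempted to listen'
}

# 851, 852 and 861 are the ones to alert on: a process adding itself to the
# exceptions list, or an unexpected binary asking to listen, shows up there.
$alertIds = 851, 852, 861

Get-EventLog -LogName Security -Newest 5000 |
    Where-Object { $fwEvents.ContainsKey([int]$_.EventID) } |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'Meaning'; Expression = { $fwEvents[[int]$_.EventID] } },
        @{ Name = 'Alert';   Expression = { $alertIds -contains [int]$_.EventID } },
        @{ Name = 'Detail';  Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

The same query, minus the secedit step, is what you would schedule to feed a central log collector: an 861 for a binary that is not on your allow list, or an 851/852 outside a change window, is the "malicious software modifying firewall settings" case the next paragraph describes.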
Why is this change important?
Auditing the activity of Windows Firewall is part of a defense in depth strategy because it can be used to alert you to malicious software that is attempting to modify firewall settings. Auditing also generally helps administrators determine the network needs of their applications and design an appropriate policy for deployment to large numbers of users.
Traffic scoping for exceptions
Detailed description
ICF allowed excepted traffic to come from any IPv4 address. With Windows Firewall in Windows Server 2003 with Service Pack 1, you can also configure an exception to allow incoming traffic only from addresses that are directly reachable by selecting the My network (subnet) only scope option (based on entries in the IPv4 and IPv6 routing table), or from specific IPv4 address ranges by selecting the Custom list scope option.
For computers in a workgroup, some exceptions are restricted to locally reachable addresses by default. These exceptions are those needed for file and printer sharing and the UPnP framework. Additionally, when these exceptions are opened for locally reachable addresses on an Internet Connection Sharing (ICS) host, the exceptions will not be opened on the ICS public interface. If you enable these exceptions for all possible addresses they will be opened on the ICS public interface, which is not recommended. When the File and Printer Sharing built-in exception is enabled with the NetShare application programming interface (API), with the Network Setup Wizard, or through the Windows Firewall user interface, incoming file and printer sharing connection requests can come only from directly reachable addresses by default.
If you are enabling Windows Firewall on a server that is already configured for file and printer sharing, the File and Printer Sharing exception might be enabled automatically. It is recommended that you apply the locally reachable addresses restriction to any exception that is used for communicating on the local network. It can be done programmatically, at the command line using the Windows Firewall Netsh Helper, or by clicking Windows Firewall in Control Panel.
Note
As a best practice, identify custom scopes with specific addresses or subnets for the exceptions that you specify for Windows Firewall.
When you configure and enable an exception, you are instructing Windows Firewall to allow specific unsolicited incoming traffic sent from the specified scope (from any address, from an address that can be reached directly, or from a custom list). For any scope, enabling an exception makes the computer accessible to attacks based on incoming unsolicited traffic from computers that are assigned the allowed addresses and from malicious computers that spoof traffic. There is no way to prevent spoofed attacks from the Internet on connections assigned public IPv4 addresses except by disabling the exception. Therefore, you should try to configure scope options so that the number of computers that are allowed to send unsolicited traffic through an exception is kept to a minimum. This will reduce, but not eliminate, the likelihood of a spoof attack.
If your organizational security policy requires you to ensure that no one outside your network can access a resource, then you should consider using an approach such as IPsec that supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
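Applying the locally reachable addresses restriction from the command line, as recommended above, looks like the following. This PowerShell is an added example, not code from the original article or from Microsoft: it scopes the built-in File and Printer Sharing exception to the subnet with the netsh firewall helper, adds a custom-scoped port exception, and then reads the effective scopes back through the Windows Firewall COM API (HNetCfg.FwMgr) rather than parsing netsh text. TCP 8530, the name "Patch server" and the subnets 10.20.0.0/24 and 10.21.0.0/24 are illustrative values. PowerShell 2.0 or later, elevated, on Server 2003 SP1 or XP SP2.

```powershell
# Added example (not part of the original article): apply the locally reachable
# addresses restriction with the netsh firewall helper, then read the resulting
# scopes back through the Windows Firewall COM API rather than by parsing text.
# Assumptions: TCP 8530 and the name "Patch server" are illustrative; 10.20.0.0/24
# and 10.21.0.0/24 are constructed management subnets. PowerShell 2.0+, run
# elevated on Server 2003 SP1 / XP SP2.

# Built-in File and Printer Sharing exception (TCP 139/445, UDP 137/138) limited
# to the local subnet: scope=SUBNET is "My network (subnet) only" in the UI.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=ALL

# A port exception open only to a custom list. Addresses are comma separated;
# LocalSubnet is a keyword, ranges may be given as a prefix or a dotted mask.
netsh firewall add portopening protocol=TCP port=8530 name="Patch server" mode=ENABLE scope=CUSTOM addresses=LocalSubnet,10.20.0.0/24,10.21.0.0/24 profile=ALL

# Verify. NET_FW_SCOPE_ALL = 0 means reachable from any address (and from
# anyone spoofing one); 1 = local subnet; 2 = custom list.
$scopeName = @{ 0 = 'ALL'; 1 = 'SUBNET'; 2 = 'CUSTOM' }
$protoName = @{ 6 = 'TCP'; 17 = 'UDP' }      # NET_FW_IP_PROTOCOL_TCP / _UDP
$fwMgr = New-Object -ComObject HNetCfg.FwMgr
$prof  = $fwMgr.LocalPolicy.CurrentProfile

'--- built-in service exceptions ---'
foreach ($s in $prof.Services) {
    '{0,-28} enabled={1,-5} scope={2,-6} addresses={3}' -f $s.Name, $s.Enabled, $scopeName[[int]$s.Scope], $s.RemoteAddresses
}
'--- port exceptions ---'
foreach ($p in $prof.GloballyOpenPorts) {
    '{0,-28} {1,5}/{2,-3} enabled={3,-5} scope={4,-6} addresses={5}' -f $p.Name, $p.Port, $protoName[[int]$p.Protocol], $p.Enabled, $scopeName[[int]$p.Scope], $p.RemoteAddresses
}

# Anything still enabled at scope ALL on a server with a public address is the
# spoofing exposure described above; flag it for review.
$prof.GloballyOpenPorts |
    Where-Object { $_.Enabled -and [int]$_.Scope -eq 0 } |
    ForEach-Object { Write-Warning ('Open to all addresses: {0} ({1}/{2})' -f $_.Name, $_.Port, $protoName[[int]$_.Protocol]) }
```

The COM read-back reports the profile that is currently active; on a domain-joined machine repeat it against LocalPolicy.GetProfileByType(0) and (1) to cover the Domain and Standard profiles, since profile=ALL wrote both.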
Why is this change important? What threats does it help mitigate?
Some applications need to communicate only with other computers on the local network and not computers on the Internet. Configuring Windows Firewall to allow only traffic from locally reachable addresses or from specific address ranges corresponding to locally attached subnets restricts the set of addresses from which unsolicited incoming traffic can be accepted. This mitigates, but does not eliminate, attacks that can occur for enabled exceptions.
What works differently?
When the File and Printer Sharing or the UPnP framework built-in exception is enabled using the Control Panel on a computer that is a member of a workgroup, the locally reachable addresses scope is applied to the ports opened. If an application or service also uses these ports, it will be able to communicate only with other nodes that are assigned locally reachable addresses. However, if the computer is a member of a domain, the global scope is applied.
If these exceptions are enabled using an API call or using Netsh.exe instead of from Control Panel, the default scope setting is locally reachable addresses, regardless of whether the computer is a member of a workgroup or a domain.
How do I resolve these issues?
If your application or service does not work with this type of restriction, you should open the port for any computer, as described in "Do I need to change my code to work with Windows Server 2003 Service Pack 1?" later in this document.
Command-line support
Detailed description
The Windows Firewall Netsh Helper was added to Windows XP in the Advanced Networking Pack. This helper applied only to IPv6 Windows Firewall. With Windows Server 2003 Service Pack 1, the structure and syntax of the helper changed and expanded to include support for configuring IPv4 as well. With the Netsh Helper, you can fully configure Windows Firewall, including:
Configure the default state of Windows Firewall (Off, On, On with no exceptions).
Configure the ports that must be open.
Configure the ports to enable global access or to restrict access to the local subnet.
Set ports to be open on all interfaces or only on a specific interface.
Configure the logging options.
Configure the Internet Control Message Protocol (ICMP) handling options.
Configure and enable program-based exceptions.
Windows Firewall configuration and status information can be retrieved at the command line by using the Netsh.exe context: firewall.
To use this context, type netsh firewall at a command prompt, and then use additional Netsh commands as needed.
The following commands are useful for gathering firewall status and configuration information and can be useful for troubleshooting the operation of your firewall:
netsh firewall show state
netsh firewall show config
The following commands can be used to modify the configuration of Windows Firewall:
add allowedprogram – Used to add excepted traffic by specifying the program's file name.
set allowedprogram – Used to modify the settings of an existing allowed program exception.
delete allowedprogram – Used to delete an existing allowed program exception.
set icmpsetting – Used to specify allowed ICMP traffic.
set logging – Used to specify logging options.
set notifications – Used to specify whether notifications to the user when programs try to open ports are enabled.
set opmode – Used to specify the operating mode of Windows Firewall either globally or for a specific connection (interface).
add portopening – Used to add excepted traffic by specifying a TCP or UDP port.
set portopening – Used to modify the settings of an existing open TCP or UDP port exception.
delete portopening – Used to delete an existing open TCP or UDP port exception.
set service – Used to enable or drop RPC and DCOM traffic, Remote Desktop, file and printer sharing, and UPnP traffic.
reset – Resets firewall configuration to Default. This provides the same functionality as the Restore Defaults button in Control Panel/Windows Firewall.
The following show commands are supported for Windows Firewall:
show allowedprogram – Displays the allowed programs.
show config – Displays the detailed local configuration information.
show currentprofile – Displays the current profile.
show icmpsetting – Displays the ICMP settings.
show logging – Displays the logging settings.
show notifications – Displays the current settings for notifications.
show opmode – Displays the operational mode for profiles and interfaces.
show portopening – Displays the excepted ports.
show service – Displays the services exception settings.
show state – Displays the current state information.
You can compare the output from these commands with the output from the netstat -ano command to identify the programs that may have listening ports open and that do not have corresponding exceptions in the firewall configuration.
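The netstat comparison suggested above is tedious by hand; the following PowerShell automates it. It is an added example, not code from the original article or from Microsoft. The three parsers assume the column layouts shown in the constructed sample output embedded below (XP SP2 / Server 2003 SP1 style output of netstat -ano, netsh firewall show portopening and netsh firewall show allowedprogram); every address, port, PID and path in the sample is made up. It reports listening sockets that are covered by neither an enabled port exception nor an enabled program exception for the owning image. PowerShell 2.0 or later.

```powershell
# Added example (not part of the original article): cross-check netstat -ano
# against the netsh firewall exception lists and report listeners that have no
# matching port or program exception. The parsers assume the column layouts shown
# in the constructed sample output below (XP SP2 / Server 2003 SP1 style); the
# PID-to-image map and all addresses, ports and paths are constructed. PowerShell 2.0+.

function ConvertFrom-NetstatOutput([string[]]$Lines) {
    # Keep TCP sockets in LISTENING state and every UDP socket (UDP has no State column).
    foreach ($l in $Lines) {
        if ($l -match '^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(LISTENING\s+)?(\d+)\s*$') {
            if ($Matches[1] -eq 'UDP' -or $Matches[3]) {
                New-Object PSObject -Property @{ Proto = $Matches[1]; Port = [int]$Matches[2]; PID = [int]$Matches[4] }
            }
        }
    }
}

function ConvertFrom-PortOpeningOutput([string[]]$Lines) {
    # "netsh firewall show portopening" rows: Port  Protocol  Mode  Name
    foreach ($l in $Lines) {
        if ($l -match '^\s*(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.+?)\s*$') {
            New-Object PSObject -Property @{ Port = [int]$Matches[1]; Proto = $Matches[2]; Enabled = ($Matches[3] -eq 'Enable'); Name = $Matches[4] }
        }
    }
}

function ConvertFrom-AllowedProgramOutput([string[]]$Lines) {
    # "netsh firewall show allowedprogram" rows: Mode  Name / Program
    foreach ($l in $Lines) {
        if ($l -match '^\s*(Enable|Disable)\s+(.+?)\s+/\s+(.+?)\s*$') {
            New-Object PSObject -Property @{ Enabled = ($Matches[1] -eq 'Enable'); Name = $Matches[2]; Path = $Matches[3] }
        }
    }
}

function Find-UnexceptedListener($Sockets, $Ports, $Programs, $PidToImage) {
    $openPorts = @{}
    foreach ($p in $Ports)    { if ($p.Enabled) { $openPorts["$($p.Proto)/$($p.Port)"] = $p.Name } }
    $allowed = @{}
    foreach ($a in $Programs) { if ($a.Enabled) { $allowed[$a.Path.ToLower()] = $a.Name } }
    foreach ($s in $Sockets) {
        $image  = $PidToImage[$s.PID]
        $byPort = $openPorts.ContainsKey("$($s.Proto)/$($s.Port)")
        $byProg = ($image -ne $null) -and $allowed.ContainsKey($image.ToLower())
        if (-not ($byPort -or $byProg)) {
            New-Object PSObject -Property @{ Proto = $s.Proto; Port = $s.Port; PID = $s.PID; Image = $image }
        }
    }
}

# ---- constructed sample data (stand-ins for the live command output) ----
$netstatSample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8530           0.0.0.0:0              LISTENING       1520
  TCP    10.20.0.5:3389         10.20.0.9:49211        ESTABLISHED     1104
  UDP    0.0.0.0:161            *:*                                    1332
'@ -split "`r?`n"

$portOpeningSample = @'
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
445    TCP       Enable   SMB over TCP
8530   TCP       Disable  Patch server
'@ -split "`r?`n"

$allowedProgramSample = @'
Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   SNMP agent / C:\WINDOWS\system32\snmp.exe
'@ -split "`r?`n"

# PID 4 (System) deliberately has no image path, as Win32_Process reports it.
$pidToImage = @{ 868 = 'C:\WINDOWS\system32\svchost.exe'; 1104 = 'C:\WINDOWS\system32\svchost.exe'
                 1332 = 'C:\WINDOWS\system32\snmp.exe';    1520 = 'C:\Apps\patchsrv.exe' }

Find-UnexceptedListener (ConvertFrom-NetstatOutput $netstatSample) (ConvertFrom-PortOpeningOutput $portOpeningSample) (ConvertFrom-AllowedProgramOutput $allowedProgramSample) $pidToImage |
    Format-Table Proto, Port, PID, Image -AutoSize

# Live use (elevated):
#   $map = @{}; Get-WmiObject Win32_Process | ForEach-Object { $map[[int]$_.ProcessId] = $_.ExecutablePath }
#   Find-UnexceptedListener (ConvertFrom-NetstatOutput (netstat -ano)) `
#       (ConvertFrom-PortOpeningOutput (netsh firewall show portopening)) `
#       (ConvertFrom-AllowedProgramOutput (netsh firewall show allowedprogram)) $map
```

On the sample it reports TCP 135 (svchost, no exception at all) and TCP 8530 (a port exception exists but is Disabled and patchsrv.exe is not an allowed program); TCP 445 is covered by its port exception and UDP 161 by the snmp.exe program exception. Treat the output as a shortlist, not a verdict: the built-in service exceptions from show service (file and printer sharing, Remote Desktop, remote administration, UPnP) and the dynamic RPC ports are not in either list this script parses, and an exception that exists only in the other profile will not be seen.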
Why is this change important?
Providing a command-line interface provides administrators with a method to configure Windows Firewall without going through the graphical user interface. The command-line interface can be used in logon scripts and remote management.
What works differently?
Any script that was created with the Netsh Helper that was made available with the Advanced Networking Pack for Windows XP no longer works and must be updated.
How do I resolve these issues?
Update any scripts you might have so that they include the new firewall context and syntax.
“On with no exceptions” operational mode
Detailed description
Windows Firewall can be configured for exceptions to allow specific unsolicited incoming traffic during normal use. Typically, this is because key scenarios, like file and printer sharing, must be enabled. If a security issue is discovered in one or more of the listening services or applications that are running on the computer, it may be necessary for the computer to switch into a client-only mode, which is called "On with no exceptions." Switching into this client-only mode configures Windows Firewall to prevent all unsolicited incoming traffic without having to reconfigure the firewall.
When in this mode, all exceptions are temporarily disabled and any existing connections are dropped. Any application interface that calls into Windows Firewall to create an exception is allowed and the requested firewall configuration is stored, but it is not enabled until the operational mode switches back to normal operation. All listen requests by applications are also ignored and notification dialogs are not displayed, effectively blocking the application from listening on a port while the computer is in this operational mode.
Why is this change important?
When a network system is under attack by viruses, worms, and other attackers, the attacker looks for services to exploit. The "On with no exceptions" operational mode provides a way for you to quickly lock down your system in the event of an attack so that valid exceptions cannot be used to circumvent the protection provided to your computer by Windows Firewall.
What works differently?
When in this operational mode, the computer cannot listen for requests that originate from the network. Any existing incoming connections are terminated. Outgoing connections are the only connections that succeed.
How do I resolve these issues?
When in this operational mode, it is expected that some functionality will fail because of the strict network security in place. You can restore functionality by returning the operational mode to On. This action should be performed by the user only after the threat has been identified and mitigated, because the security of the computer is reduced by performing this action.
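Switching into and out of "On with no exceptions" from the command line, with a check that the mode actually took, looks like the following. This PowerShell is an added example, not code from the original article or from Microsoft. It assumes that netsh firewall show opmode prints an "Exception mode" line under the profile marked "(current)", as it does on XP SP2 / Server 2003 SP1, and that it is run elevated from the console: the switch drops existing inbound connections, so running it over Remote Desktop ends your own session.

```powershell
# Added example (not part of the original article): enter and leave the
# "On with no exceptions" mode with the netsh firewall helper, verifying the
# result each time. Assumption: "netsh firewall show opmode" prints an
# "Exception mode = ..." line for the profile marked "(current)". Run elevated,
# from the console (the switch terminates existing inbound connections, RDP included).

function Get-FwExceptionMode {
    # Returns 'Enable' or 'Disable' for the current profile, $null if not found.
    $inCurrent = $false
    foreach ($l in (netsh firewall show opmode)) {
        if ($l -match '\(current\)') { $inCurrent = $true; continue }
        if ($inCurrent -and $l -match '^Exception mode\s*=\s*(\w+)') { return $Matches[1] }
    }
    return $null
}

function Enter-FwLockdown {
    # Firewall on, every exception ignored, listen requests dropped, no prompts.
    netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
    if ((Get-FwExceptionMode) -ne 'Disable') { throw 'Lockdown did not take effect' }
    Write-Host 'Windows Firewall is in "On with no exceptions" mode; only outbound connections will work.'
}

function Exit-FwLockdown {
    # Back to normal operation: the stored exceptions list becomes active again,
    # including anything an installer added while the lockdown was in force.
    netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
    if ((Get-FwExceptionMode) -ne 'Enable') { throw 'Restoring normal mode failed' }
    Write-Host 'Windows Firewall exceptions are active again; review them before trusting the host.'
}

# Typical incident sequence (run one step at a time):
# Enter-FwLockdown                      # contain, then patch the vulnerable service on the console
# netsh firewall show allowedprogram    # anything added during the lockdown shows up here...
# netsh firewall show portopening       # ...or here, still stored but not yet enabled
# Exit-FwLockdown                       # only after the threat is identified and mitigated
```

The two show commands before leaving lockdown matter because, as described above, exception requests made while in this mode are stored and will become live the moment normal operation resumes.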
Program-based exceptions
Detailed description
Some programs (applications or services) act as both network clients and servers. When they act as servers, they must allow unsolicited incoming traffic, because they do not know in advance who the peer will be.
In earlier versions of Windows, a program needed to call the firewall APIs to enable the necessary listening ports to be open. This proved difficult in peer-to-peer situations when the port was not known in advance. It was up to the program to close the port again after communication was completed. If the program terminated unexpectedly this could result in unnecessary open ports in the firewall.
An additional issue with the previous method of opening firewall ports was that ports could be opened only if programs were running in the security context of a local administrator. This violated the basic information security principle of least privilege by requiring programs to run in an administrative context, rather than only with the minimum necessary privileges.
In Windows Server 2003 with Service Pack 1, a program that needs to listen to the network can be added to the Windows Firewall exceptions list. If a program is enabled on the Windows Firewall exceptions list, Windows Firewall opens and closes the necessary listening ports automatically, regardless of the program's security context. For more information about adding programs to the Windows Firewall exceptions list, see "How do I resolve these issues?" later in this document.
Programs that work with stateful filtering do not need to be placed on the Windows Firewall exceptions list. Only administrators can add a program to the Windows Firewall exceptions list.
Why is this change important? What threats does it help mitigate?
When a program is on the Windows Firewall exceptions list, only the necessary ports are opened, and they are opened only for the duration that the program is listening on those ports.
What works differently?
If a program needs to listen on the network, it must be enabled on the Windows Firewall exceptions list. If it is not, then the necessary port in Windows Firewall is not opened and the program will not be able to receive unsolicited inbound traffic.
How do I resolve these issues?
A program can be placed on the Windows Firewall exceptions list in five ways:
1. Programmatically. It is recommended that independent software vendors (ISVs) place their programs on the Windows Firewall exceptions list during installation. For more information about how to programmatically add a program to the exceptions list, see "Do I need to change my code to work with Windows Server 2003 Service Pack 1?" later in this section.
2. Command-line interface. This method can be used by IT administrators who manage Windows XP and Windows Server 2003 systems using scripts or other command-line tools.
3. Group Policy settings. This method can be used by IT administrators to add the program to the exceptions list through Group Policy.
4. Windows Firewall notification message. A user with Administrator rights can interact with the Windows Firewall notification message and add the application to the exceptions list.
When an application performs a TCP listen or UDP bind to a non-wildcard port, the network stack passes the application name and port to Windows Firewall. Windows Firewall looks up the application name on the exceptions list. If the application is on the exceptions list and enabled, then the corresponding port is opened in the firewall. If the application is on the exceptions list and disabled, then the corresponding port is not opened. If the application is not on the exceptions list, then users are asked to make a choice. If the users have administrative rights, they can:
Unblock the application to allow it to listen on the network. It is added to the exceptions list as Enabled and the port is opened.
Block the application from listening on the network. It is added to the exceptions list as Disabled and the port is not opened.
Choose to be asked again later. The application is not added to the exceptions list and the port is not opened.
If the user does not have administrative rights, the user is notified that the application is not allowed to listen on the network and that an Administrator must enable the program exception. If the user selects the Do not ask me again check box, the application is listed in the exceptions list as Disabled.
Note
Notification messages can only be used with applications. They cannot be used with services.
5. Manual configuration. Administrators can decide to enable a program manually in the Windows Firewall control panel by selecting it from a list that is populated from the list of programs in the Start menu or by browsing for the program.
Multiple profiles
Detailed description
Multiple profile support in Windows Firewall allows you to create two sets of firewall policy settings: one for when the computer is connected to a managed network and one for when the computer is not. You can specify settings that are less strict when the computer is connected to the corporate network to enable line-of-business applications to work. You can also have more aggressive security policy settings that will be enforced when the computer leaves the corporate network, which helps to protect mobile users.
Note
Multiple profiles for Windows Firewall apply only to computers that are joined to an Active Directory domain. Computers that are in a workgroup use only one profile.
Why is this change important? What threats does it help mitigate?
For a mobile computer, it is desirable to have more than one firewall configuration. Often, a configuration that is safe on a corporate network is likely to be susceptible to attack on the Internet. Therefore, being able to have ports opened on the corporate network and not on other networks is critical to ensuring that only the necessary ports are exposed at any given time.
What works differently?
If an application needs to be listed in the Windows Firewall exceptions list in order to work correctly, it might not work on both networks as the two profiles might not have the same set of policy settings. For an application to work on all networks, it must be listed in both profiles. For more information about the Windows Firewall exceptions list, see the earlier section.
How do I resolve these issues?
If the computer is joined to a domain, you must ensure that the application is listed in both firewall configurations. Consider creating exceptions through the command-line interface or Group Policy, as you will only have access to the currently running profile through Windows Firewall in Control Panel.
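The programmatic and command-line methods (ways 1 and 2 in the program-based exceptions section above) are also the way to satisfy the both-profiles requirement just described. The following PowerShell is an added example, not code from the original article or from Microsoft: it adds a program exception to both the Domain and the Standard profile through the Windows Firewall COM API (HNetCfg.FwMgr), updating an existing entry in place if the program was earlier blocked through the notification dialog, and verifies both profiles afterwards; the equivalent one-line netsh command is shown in a comment. C:\Apps\patchsrv.exe, the name "Patch server" and the subnet 10.20.0.0/24 are illustrative. PowerShell 2.0 or later, run as an administrator.

```powershell
# Added example (not part of the original article): put a program on the
# exceptions list in BOTH the Domain and the Standard profile through the
# Windows Firewall COM API (HNetCfg.FwMgr), the route an installer takes;
# the equivalent netsh command is shown in a comment. Assumptions:
# C:\Apps\patchsrv.exe and "Patch server" are illustrative; 10.20.0.0/24 is a
# constructed management subnet. PowerShell 2.0+, run as an administrator.

$exe       = 'C:\Apps\patchsrv.exe'
$name      = 'Patch server'
$addresses = 'LocalSubnet,10.20.0.0/24'

# Command-line equivalent (profile=ALL writes both profiles; the Control Panel
# only ever edits the profile that is currently running):
#   netsh firewall add allowedprogram program="C:\Apps\patchsrv.exe" name="Patch server" mode=ENABLE scope=CUSTOM addresses=LocalSubnet,10.20.0.0/24 profile=ALL

$NET_FW_PROFILE_DOMAIN   = 0
$NET_FW_PROFILE_STANDARD = 1
$NET_FW_SCOPE_CUSTOM     = 2
$fwMgr = New-Object -ComObject HNetCfg.FwMgr

foreach ($type in $NET_FW_PROFILE_DOMAIN, $NET_FW_PROFILE_STANDARD) {
    $prof     = $fwMgr.LocalPolicy.GetProfileByType($type)
    $apps     = $prof.AuthorizedApplications
    $existing = $apps | Where-Object { $_.ProcessImageFileName -eq $exe }
    if ($existing) {
        # Already listed (perhaps as Disabled after a user chose "Keep blocking"):
        # fix the entry in place rather than adding a duplicate.
        $existing.Enabled         = $true
        $existing.Scope           = $NET_FW_SCOPE_CUSTOM
        $existing.RemoteAddresses = $addresses
    } else {
        $app = New-Object -ComObject HNetCfg.FwAuthorizedApplication
        $app.Name                 = $name
        $app.ProcessImageFileName = $exe
        $app.Scope                = $NET_FW_SCOPE_CUSTOM
        $app.RemoteAddresses      = $addresses
        $app.Enabled              = $true
        $apps.Add($app)
    }
}

# Verify both profiles: an entry missing from one of them is exactly the
# "works on the corporate network, fails elsewhere" case described above.
foreach ($type in $NET_FW_PROFILE_DOMAIN, $NET_FW_PROFILE_STANDARD) {
    $prof  = $fwMgr.LocalPolicy.GetProfileByType($type)
    $entry = $prof.AuthorizedApplications | Where-Object { $_.ProcessImageFileName -eq $exe }
    if (-not $entry) {
        Write-Warning ('Profile {0}: no exception for {1}' -f $type, $exe)
    } else {
        'Profile {0}: {1} enabled={2} scope={3} addresses={4}' -f $type, $entry.Name, $entry.Enabled, $entry.Scope, $entry.RemoteAddresses
    }
}
```

Because the exception is keyed on the image path, the firewall opens and closes ports only while that exact binary is listening; moving or renaming the executable silently leaves it without an exception, which the verification loop will show as a warning.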
RPC support for System Services
Detailed description
In earlier versions of Windows, Internet Connection Firewall blocked remote procedure call (RPC) communication. While Internet Connection Firewall could be configured to allow network traffic to the RPC Endpoint Mapper, the port that an RPC server used was unknown and the application would still fail.
Many enterprise applications and components fail if RPC is not allowed to communicate over the network. Some examples include, but are not limited to, the following:
Remote administration, such as the Computer Management feature and the Select User, Computers, and Groups dialog box, which is used by many applications
Remote Windows Management Instrumentation (WMI) configuration
Scripts that manage remote clients and servers
RPC opens several ports and then exposes many different servers on those ports. It then requests that Windows Firewall create associated exceptions for these ports. If Windows Firewall is configured to allow such requests, the required ports will be opened for as long as RPC needs the exception (similar to a program exception).
Why is this change important? What threats does it help mitigate?
In order to enable remote administration scenarios, many enterprise-wide deployments require that the system services that use RPC work with Windows Firewall by default.
What works differently?
By default, RPC does not function through Windows Firewall. All system services that use RPC are affected. However, Windows Firewall can be configured to allow RPC to work for these services using the remote administration setting. This setting also enables exceptions for the RPC Endpoint Mapper (TCP 135), SMB over TCP (TCP 445), and ICMP echo requests.
How do I resolve these issues?
See "Do I need to change my code to work with Windows Server 2003 Service Pack 1?" later in this document.
Restore defaults
Detailed description
Previously, there was no way for a user to reset the configuration of Internet Connection Firewall (ICF). Over time, the firewall might be configured to allow unsolicited incoming traffic to ports no longer used by other applications. This might make it difficult for the user to easily and quickly go back to a default configuration.
This option enables the user to restore Windows Firewall settings to their original defaults. In addition, the Windows Firewall
defaults can be modified by original equipment manufacturers (OEMs) and businesses to provide custom default configuration
options.
Why is this change important?
This option allows end-users to restore their Windows Firewall settings to the out-of-the-box defaults.
What works differently?
No functional changes in Windows Firewall result from this addition. However, use of this feature disables Internet Connection
Sharing and Network Bridge.
Unattended setup support
Detailed description
In earlier versions of Windows, it was not possible to configure Internet Connection Firewall during installation. This made it difficult for OEMs and businesses to preconfigure Internet Connection Firewall before distributing a computer to their end users. In Windows Server 2003 with Service Pack 1, you can configure the following options of Windows Firewall through unattended setup:
Operational mode
Applications on the Windows Firewall exception list
Static ports on the exception list
ICMP options
Logging options
Why is this change important?
A method to preconfigure Windows Firewall allows Windows resellers and large enterprises more flexibility and customization options for Windows Firewall.
What works differently?
This feature adds configuration flexibility to Windows Firewall. No functional changes in Windows Firewall result from this addition.
The syntax used to enable or disable ICF in an unattend script has been replaced with the new syntax for Windows Firewall. The sections of the Unattend.txt file for Windows Firewall configuration consist of the following:
[WindowsFirewall]
A required section that defines which profiles to use and Windows Firewall log file settings.
[WindowsFirewall.profile_name]
The domain profile section, [WindowsFirewall.Domain], contains settings for when a computer is connected to a network that contains domain controllers for the domain of which the computer is a member. The standard profile, [WindowsFirewall.Standard], contains settings for when a computer is not connected to a network that contains domain controllers for the domain of which the computer is a member. If you do not want Windows Firewall to be used, you can specify Profiles = WindowsFirewall.TurnOffFirewall.
The [WindowsFirewall.profile_name] section is a user-defined section that is referenced by the [WindowsFirewall] section to make changes to Windows Firewall's default configuration, including programs, services, ports, and ICMP settings.
[WindowsFirewall.program_name]
A user-defined section that adds a program to the Windows Firewall exceptions list.
[WindowsFirewall.service_name]
A user-defined section that adds a predefined service to the Windows Firewall exceptions list (such as file and printer sharing, UPnP framework, Remote Desktop service, and Remote Administration).
[WindowsFirewall.portopening_name]
A user-defined section that adds a port to the Windows Firewall exceptions list.
[WindowsFirewall.icmpsetting_name]
A user-defined section that adds ICMP message types to the Windows Firewall exceptions list.
What existing functionality is changing in Windows Server 2003 Service Pack 1?
Enhanced multicast and broadcast support
Detailed description
Multicast and broadcast network traffic differs from unicast traffic because the response comes from an unknown host. As such, stateful filtering prevents the response from being accepted. This stops a number of scenarios from working, ranging from streaming media to discovery.
To enable these scenarios, Windows Firewall will allow a unicast response for three seconds from any directly reachable source address on the same port from which the multicast or broadcast traffic originated.
Why is this change important? What threats does it help mitigate?
This allows applications and services that use multicast and broadcast for communicating to work without either the user or application/service needing to alter the firewall policy. This is important for things like NETBIOS over TCP/IP, so that sensitive ports such as port 135 are not exposed.
What works differently? Are there any dependencies?
In Windows Server 2003, Internet Connection Firewall statefully filtered multicast and broadcast traffic, which required the user to manually open the port to receive the response. In Windows Server 2003 Service Pack 1, Windows Firewall accepts the response to the multicast or broadcast traffic without additional configuration.
Updated user interface
Detailed description
The firewall user interface is updated in Windows Server 2003 Service Pack 1 to accommodate the new configuration options and the integration of IPv6 Internet Connection Firewall. The new Windows Firewall interface provides the user with the ability to change the operational states, the global configuration, logging options, and ICMP options.
The primary entry to the user interface has been moved from the Properties dialog box of the connection to a Control Panel icon. A link from the old location is still provided. Additionally, Windows Server 2003 Service Pack 1 creates a link from the Network Connections folder.
Why is this change important?
The functionality that is added in Windows Server 2003 Service Pack 1 required updates to the user interface.
What works differently?
The user interface is moved from the Advanced tab of the network connection's Properties dialog box to a specific Windows Firewall icon in Control Panel.
New Group Policy support
Detailed description
In earlier versions of Windows, Internet Connection Firewall had a single Group Policy object (GPO): Prohibit Use of Internet Connection Firewall on your DNS domain network. With Windows Server 2003 Service Pack 1, every global configuration option can be set through Group Policy. Examples of the new configuration options available include:
Define program exceptions
Allow local program exceptions
Allow ICMP exceptions
Prohibit notifications
Allow file and printer sharing exception
Allow logging
Each of these objects can be set for both the corporate and standard profile. For more information about Group Policy options, see "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2" in the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=23277. This document also covers developments in Windows Server 2003 Service Pack 1.
Why is this change important?
It is important for administrators to centrally manage Windows Firewall policy settings to enable applications and scenarios to work in the corporate environment.
What works differently?
The IT administrator can now decide the default Windows Firewall policy set. This can either enable or disable applications and scenarios. This allows more control, but the policies do not change the underlying functionality of Windows Firewall.
What settings are added or changed in Windows Server 2003 Service Pack 1?
All of the settings below are Group Policy objects located under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. For every setting the previous default value is Not applicable and the default value is Not configured; the possible values are listed per setting.

Setting name | Possible values
Protect all network connections | Enabled; Disabled
Do not allow exceptions | Enabled; Disabled
Define program exceptions | Enabled ([Program path], [Scope]); Disabled
Allow local program exceptions | Enabled; Disabled
Allow remote administration exception | Enabled; Disabled
Allow file and printer sharing exception | Enabled; Disabled
Allow ICMP exceptions | Enabled (once enabled, select which of the following message types to allow: [Allow outbound destination unreachable], [Allow outbound source quench], [Allow redirect], [Allow inbound echo request], [Allow outbound time exceeded], [Allow outbound parameter problem], [Allow inbound timestamp request], [Allow inbound mask request], [Allow outbound packets too big]); Disabled
Allow remote desktop exception | Enabled; Disabled
Allow UPnP framework exception | Enabled; Disabled
Prohibit notifications | Enabled; Disabled
Allow logging | Enabled; Disabled
Prohibit unicast response to multicast or broadcast requests | Enabled; Disabled
Define port exceptions | Enabled; Disabled
Allow local port exceptions | Enabled; Disabled
Do I need to change my code to work with Windows Server 2003 Service Pack 1?
We recommend that you use the Security Configuration Wizard (SCW) to configure Windows Firewall for use with Windows Server 2003 Service Pack 1. SCW is designed to accommodate the requirements of different server roles and workloads and configure the firewall settings correctly. If you are going to manually configure your firewall settings, review the following information for how your applications might be affected.
Outbound connections
Description
For typical consumer and office computers, the computer is a client on the network. Software on the computer connects out to a server (an outbound connection) and gets responses back from the server. Windows Firewall allows all outbound connections, but applies rules to the types of communication that are allowed back into the computer.
Some examples of tasks involving Microsoft applications that might work this way include:
Surfing the Web using Microsoft Internet Explorer.
Checking e-mail in Outlook Express.
Chatting in MSN Messenger or Windows Messenger.
Action Required
None. Windows Firewall will automatically allow all outbound connections, regardless of the program and the user context.
Note
When a computer initiates a TCP session request to a target computer, it will accept a response only from that target computer.
When the computer sends UDP packets, Windows Firewall allows UDP responses to the port from which the UDP packets were sent from any IP address for approximately 90 seconds.
Unicast responses to multicast and broadcast traffic are allowed through Windows Firewall for three seconds if the responses are to the port from which the traffic was sent and are from IP addresses on the same subnet as the computer. A setting in the firewall controls this behavior, which is enabled by default.
Unsolicited inbound connections for applications
Description
This scenario covers an application that completes a listen operation on a TCP socket or successfully binds to a specific UDP socket through Winsock. For this scenario, Windows Firewall can automatically open and close ports as needed by the application.
Some examples of tasks involving Microsoft applications that might work this way include:
Using audio and video in MSN Messenger or Windows Messenger.
Transferring files in MSN Messenger or Windows Messenger.
Hosting a multiplayer game.
Action required
If you are developing an application that needs to listen on a port (or ports), Microsoft requests that you update your code to ask the users to indicate whether they want to allow the application to open ports in the firewall:
If the user consents to this, then the application can use the INetFwAuthorizedApplication API to add itself to the AuthorizedApplications collection as Enabled.
If the user does not consent, then the application can use the INetFwAuthorizedApplication API to add itself to the AuthorizedApplications collection as Disabled.
When using the INetFwAuthorizedApplication API to add an application to the AuthorizedApplications collection, the following values are required:
ImageFile Name. This is the file that calls Winsock to listen for network traffic. This must be a fully-qualified path, but it might contain environment variables.
Friendly Name. This is the description for the application that will be shown to users in the Windows Firewall user interface.
For more information about the INetFwAuthorizedApplication API, see "INetFwAuthorizedApplication" in the Microsoft Platform Software Development Kit (SDK) on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=32000.
Windows Firewall monitors Winsock to see when applications start and stop listening on ports. As a result, ports are automatically opened and closed for applications after their entries have been enabled in the Windows Firewall exceptions list. This means that no action is required by Winsock applications to actually open and close ports in the firewall.
Note
An application must be running in the context of a user with Administrator rights to add itself to the Windows Firewall exceptions list.
Ports are automatically opened and closed in the firewall for allowed Winsock applications, regardless of the user context in which the applications are running.
Applications should get user consent before adding themselves to the INetFwAuthorizedApplications collection.
Svchost.exe cannot be added to the INetFwAuthorizedApplications collection.
Inbound connections for services using fixed ports
Description
While developers are advised to use the INetFwAuthorizedApplication APIs for all other scenarios, the use of global port APIs in Windows Firewall is recommended for services that listen on fixed ports. Because these ports are always open, there is minimal benefit to dynamically opening the ports. Instead, users gain the ability to customize the firewall settings for these fixed ports when the global port APIs are used.
Some examples of services that require inbound connections are:
File and printer sharing.
UPnP architecture.
Remote Desktop.
Action Required
When a service needs to listen on a fixed port, it should ask the user whether it should allow the service to open ports in the firewall. Ideally this should be done when the service is being installed.
If the user consents to this, then the service should use the INetFwOpenPort API to add rules to Windows Firewall for the fixed port (or ports) needed by the service. These rules should be enabled.
If the user does not consent, then the service should still use the INetFwOpenPort API to add rules to Windows Firewall for the fixed port or ports needed by the service. These rules, however, should not be enabled.
When using the INetFwOpenPort API to add a port opening to Windows Firewall, the following values are required:
Protocol. Specifies the network protocol that is used by the service, either TCP or UDP.
Port. This is the number of the port to be opened.
Friendly Name. This is the description for the port opening that will be shown to users in the Windows Firewall user interface.
For more information about the INetFwOpenPort API, see "INetFwOpenPort" in the Platform Software Development Kit on the MSDN Web site at http://go.microsoft.com/fwlink/?LinkId=35316.
When a service is disabled, it should use the INetFwOpenPort API to close the static ports that it opened, whenever possible. This can be easily done if it is the only service that uses the ports. If the service potentially shares the ports with other services, however, it should not close the ports unless it can verify that none of the other services are using the ports.
An application must be running in the context of a user with Administrator rights to statically open ports in Windows Firewall.
Note
When statically opening ports through the INetFw API, a service should limit itself to traffic from the local subnet whenever possible.
Services should get user consent before statically opening ports in Windows Firewall. A service should never just automatically open ports without first warning the user.
Inbound connections on RPC and DCOM ports for system services
Description
Some system services require the use of RPC ports, either through DCOM or RPC directly, for inbound connections. Because of the significant security implications when opening RPC ports, these ports are handled as a special case, and developers should try to enable RPC for system services through Windows Firewall only when absolutely necessary.
Action required
Windows Firewall can be configured to enable the automatic opening and closing of RPC and DCOM ports for system services. By default, however, RPC will be blocked by Windows Firewall. This means that applications that use the RPC ports to transfer data to system services will need to configure Windows Firewall appropriately. When an application needs to enable this feature, it should ask the user whether it should allow the services to open ports in the firewall. Ideally, this should be done at installation time.
If the user consents to allowing the RPC ports to be opened, then the service should use the INetFwRemoteAdminSettings API to open the ports that are needed by the service.
If the user does not consent to allowing the RPC ports to be opened, then the application or service should not configure Windows Firewall to allow the RPC ports.
For more information about the INetFwRemoteAdminSettings API, see "INetFwAuthorizedApplication" on the MSDN Web site at http://go.microsoft.com/fwlink/?linkid=32000 and, in the table of contents, click "RemoteAddresses Property of INetFwAuthorizedApplication."
Note
To enable or disable the automatic opening of RPC ports in Windows Firewall, an application or service must be running in the context of a user with Administrator rights.
An application or service should try to allow the RPC ports through Windows Firewall only when absolutely necessary.
If the RPC ports are already allowed, then the application or service does not need to do anything in order to function correctly. You can determine which ports are already opened using the IsPortAllowed API.
The RPC ports setting works only for RPC servers that run in the context of local system, network service, or local service. Ports opened by RPC servers running in other user contexts will not be enabled through this setting. Instead, those RPC servers should use the Windows Firewall exceptions list.
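The following PowerShell script is an added example, not code from the original post or from Microsoft, that applies the guidance in "Multiple profiles", "Unsolicited inbound connections for applications" and "Inbound connections for services using fixed ports" above: it registers a program exception and a fixed-port exception in both the domain and the standard profile through the HNetCfg COM objects that expose INetFwAuthorizedApplication and INetFwOpenPort, limits them to the local subnet, and leaves them present but disabled unless the user consented. The program path, port, names and the $consent value are placeholders, and it assumes an Administrator session on a Windows Server 2003 SP1 host where these COM objects are registered.

```powershell
# Added example (not from the original post): put an exception in BOTH profiles,
# scoped to the local subnet, enabled only on user consent. Assumes an elevated
# session on Windows Server 2003 SP1 with the HNetCfg.* COM objects registered.

# Constant values from the Windows Firewall API (NET_FW_* enumerations)
$NET_FW_PROFILE_DOMAIN     = 0
$NET_FW_PROFILE_STANDARD   = 1
$NET_FW_IP_PROTOCOL_TCP    = 6
$NET_FW_IP_PROTOCOL_UDP    = 17
$NET_FW_SCOPE_LOCAL_SUBNET = 1

function Get-BothFirewallProfiles {
    # Control Panel only exposes the currently running profile; the API reaches both.
    # (On a workgroup computer only the standard profile is ever active.)
    $policy = (New-Object -ComObject HNetCfg.FwMgr).LocalPolicy
    foreach ($type in $NET_FW_PROFILE_DOMAIN, $NET_FW_PROFILE_STANDARD) {
        $policy.GetProfileByType($type)
    }
}

function Add-ProgramException {
    # Program (Winsock listener) exception: ports open/close with the listen state.
    param([string]$ImagePath, [string]$FriendlyName, [bool]$UserConsented)
    foreach ($fwProfile in Get-BothFirewallProfiles) {
        $app = New-Object -ComObject HNetCfg.FwAuthorizedApplication
        $app.ProcessImageFileName = $ImagePath     # fully qualified; env vars allowed
        $app.Name    = $FriendlyName               # shown in the Windows Firewall UI
        $app.Scope   = $NET_FW_SCOPE_LOCAL_SUBNET  # never expose the listener Internet-wide
        $app.Enabled = $UserConsented              # entry exists either way; active only on consent
        $fwProfile.AuthorizedApplications.Add($app)
    }
}

function Add-FixedPortException {
    # Static port opening for a service that always listens on a known port.
    param([int]$Port, [int]$Protocol, [string]$FriendlyName, [bool]$UserConsented)
    foreach ($fwProfile in Get-BothFirewallProfiles) {
        $opening = New-Object -ComObject HNetCfg.FwOpenPort
        $opening.Port     = $Port
        $opening.Protocol = $Protocol
        $opening.Name     = $FriendlyName
        $opening.Scope    = $NET_FW_SCOPE_LOCAL_SUBNET
        $opening.Enabled  = $UserConsented
        $fwProfile.GloballyOpenPorts.Add($opening)
    }
}

function Remove-FixedPortException {
    # For service removal; call only after verifying no other service shares the port.
    param([int]$Port, [int]$Protocol)
    foreach ($fwProfile in Get-BothFirewallProfiles) {
        $fwProfile.GloballyOpenPorts.Remove($Port, $Protocol)
    }
}

# Placeholder values constructed for this example; $consent would come from the
# installer's consent prompt.
$consent = $false
Add-ProgramException -ImagePath '%ProgramFiles%\Contoso\ContosoAgent.exe' -FriendlyName 'Contoso Agent' -UserConsented $consent
Add-FixedPortException -Port 8443 -Protocol $NET_FW_IP_PROTOCOL_TCP -FriendlyName 'Contoso Agent (TCP 8443)' -UserConsented $consent
```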
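As a second added example (again not from the original post or from Microsoft), this PowerShell audit reads both profiles through the same HNetCfg COM objects and reports the settings discussed in the "RPC support for System Services", "Enhanced multicast and broadcast support" and "Inbound connections on RPC and DCOM ports" sections, flagging any remote administration setting, port opening or program exception that is enabled without the local-subnet restriction the text recommends. It assumes an Administrator session on a Windows Server 2003 SP1 host; the list of sensitive ports is taken from the text above (TCP 135 and TCP 445).

```powershell
# Added example (not from the original post): audit both firewall profiles and flag
# exceptions that are enabled and reachable from any remote address. Assumes an
# elevated session on Windows Server 2003 SP1 with HNetCfg.FwMgr registered.

$NET_FW_SCOPE_ALL = 0                                # no remote address restriction
$profileNames     = @{ 0 = 'Domain'; 1 = 'Standard' } # NET_FW_PROFILE_TYPE values
# Ports the text singles out: RPC Endpoint Mapper (TCP 135) and SMB over TCP (TCP 445)
$sensitivePorts   = @(135, 445)

function Get-FirewallProfileReport {
    $policy = (New-Object -ComObject HNetCfg.FwMgr).LocalPolicy
    foreach ($type in 0, 1) {
        $fwProfile = $policy.GetProfileByType($type)
        $findings  = @()

        # The remote administration setting implicitly opens TCP 135, TCP 445 and ICMP echo
        $ra = $fwProfile.RemoteAdminSettings
        if ($ra.Enabled -and $ra.Scope -eq $NET_FW_SCOPE_ALL) {
            $findings += 'Remote administration exception is enabled for any address'
        }

        # Static port openings that are enabled and not limited to the local subnet
        foreach ($opening in $fwProfile.GloballyOpenPorts) {
            if ($opening.Enabled -and $opening.Scope -eq $NET_FW_SCOPE_ALL) {
                $note = 'Port {0}/{1} "{2}" open to any address' -f $opening.Port, $opening.Protocol, $opening.Name
                if ($sensitivePorts -contains $opening.Port) { $note += ' (sensitive)' }
                $findings += $note
            }
        }

        # Program exceptions that are enabled and not limited to the local subnet
        foreach ($app in $fwProfile.AuthorizedApplications) {
            if ($app.Enabled -and $app.Scope -eq $NET_FW_SCOPE_ALL) {
                $findings += ('Program "{0}" ({1}) may accept traffic from any address' -f $app.Name, $app.ProcessImageFileName)
            }
        }

        # One report object per profile
        New-Object PSObject -Property @{
            Profile                             = $profileNames[$type]
            FirewallEnabled                     = $fwProfile.FirewallEnabled
            ExceptionsNotAllowed                = $fwProfile.ExceptionsNotAllowed
            RemoteAdminEnabled                  = $ra.Enabled
            UnicastToMulticastBroadcastDisabled = $fwProfile.UnicastResponsesToMulticastBroadcastDisabled
            Findings                            = $findings
        }
    }
}

# Both profiles are reported even though Control Panel shows only the active one.
Get-FirewallProfileReport | Format-List
```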