Windows Firewall and Windows XP
The ICF, now dubbed Windows Firewall, is a simple stateful firewall that is part of the
Windows XP operating system. In essence, Windows firewall provides the same core
functionality that other personal firewall products on the market provide, such as stateful
connection management and configurability for specific traffic that is desired.
Windows Firewall does come bundled with every new version of Microsoft's operating
systems. The firewall capabilities can also be utilized in Windows Server 2003 Standard
and Enterprise editions.
Essentially, Windows Firewall is the next version of Microsoft Windows ICF. It provides
basic filtering capabilities on all Windows XP and 2003 Server platforms so that an
administrator or end user can limit the traffic reaching the system (it does not filter traffic
coming from the system). It's limited in that it is not a stateful firewall but rather a simple
access list type of filter. Also, it only looks at the network and transport layers of the ISO
protocol stack (Layers 3 and 4). This firewall is mostly useful for end users who do not
require complex firewall capabilities to protect their systems and are looking for a simple
p
acket filter to block typical Windows services such as NetBIOS, Remote Procedure Call
(RPC), and others.
How Windows Firewall Works
By default, Windows Firewall comes with an assigned security profile. This profile
provides what are termed as "exceptions" for Print and File Sharing as well as Remote
Assistance and Universal Plug-and-Play (UPnP) with the local subnet. The local subnet is
defined as the local network that the system is connected to. If the system is connected to
multiple networks (for example, if the system has multiple interfaces), these network
ranges are considered part of the local subnet. These services allow the ports listed in
Table 4-1
to connect to the system.
Table 4-1. Default Windows Firewall Profile Exceptions

Service TCP Ports UDP Ports Program
File and Printer Sharing 139,445 137,138
Remote Assistance C:\Windows\system32\sessmgr.exe
Remote Desktop 3389
UPnP Framework 2869 1900

N
ote that by default only the Remote Assistance exception is enabled. Although the other
exceptions are created in the profile, they are not enabled. Figure 4-1
shows the default
configuration for the Windows Firewall.
Figure 4-1. Windows Firewall Default Configuration


After Microsoft released XP SP2, Windows Firewall was turned on by default. Third-
party firewall vendors enable users to turn off Windows Firewall during the installation
of their software.
Configuring Windows Firewall
Configuring Windows Firewall is fairly straightforward. To open Windows Firewall, go
to Start and choose Control Panel. This will open the Control Panel window as shown in
Figure 4-2
.
Figure 4-2. Windows XP Control Panel
[View full size image]



Choose Security Center at the lower-right corner of the window to open the Windows
Security Center window. Choose Windows Firewall at the lower-left corner, as shown in
Figure 4-3

.
Figure 4-3. Windows Security Center
[View full size image]



This opens the Windows Firewall window. The settings on the General tab determine
whether the firewall is on or off. As mentioned earlier, Windows Firewall is on by default
since the release of Windows XP SP2. You have three options with the Windows
Firewall: on, on without exceptions, and off (as shown in Figure 4-4
).
Figure 4-4. General Tab of the Windows Firewall


When the firewall is turned on, the user is offered the possibility of running the firewall
with exceptions as specified in the Exceptions tab or with no exceptions at all. Microsoft
recommends that when accessing a network such as a public wireless network (say at
Starbucks or a T-Mobile hotspot in an airport) that the firewall should be set to on
without exceptions. This setting blocks other users on the public wireless network from
accessing system shares or other resources on the firewall-protected system.
When the system is on a safer network (such as a home office or a local office LAN), you
can set the firewall to on with exceptions to allow for file sharing and remote assistance.
These default exceptions are activated in the Windows Firewall policy on the Exceptions
tab, as shown in Figure 4-5
. The need to provide these exceptions is to allow the end
system to participate in a Windows network environment and for folder and file shares to
be made available to other systems on the local network. Remember that exceptions
should be turned on only in known, secure networks. Such a network may be a home
network or a corporate LAN and cannot be precisely defined in all cases. When in doubt,
consult the network administrator regarding the security of the local network or simply

do not allow exceptions.
Figure 4-5. Default Exceptions for Windows Firewall


Adding an exception to the default Microsoft policy is relatively simple. Exceptions can
be added either as specific network ports or as programs that are to be provided access to
the network. To add a program to the exception list, click the Add Program button in the
lower left of the Exceptions tab. Doing so opens a new window with a list of programs
that are to be added to the exceptions list, as shown in Figure 4-6
. Choose the specific
program to be added.
Figure 4-6. Program Exception List


There is a difference between specifying a program in the exceptions list and statically
opening a TCP or UDP port. The difference comes from the fact that specifying a specific
application in the exceptions list means that the port that the application listens on will be
allowed through the firewall only if the defined application opens the port. The
disadvantage to specifying the application in the exceptions is that if the port is used by
another application, the firewall will not permit traffic through to the application because
it is not the program defined in the exception list.
To specify which computers can have access to the ports that the program listens on,
change the scope of the permitted access. To do so, click the Change Scope button at the
lower-left corner of the window. Doing so opens the Change Scope window shown in
Figure 4-7
. Here you can add a custom list of IP addresses to allow exceptions for the
program in the firewall. Alternatively, the entire local subnet, or even foreign networks,
can be provided access.
Figure 4-7. Changing Scope



To add a port to the exceptions list, click the Add Port button on the Exceptions tab.
Doing so opens the Add a Port window. As shown in Figure 4-8
, here the user can enter
the name of the service as well as a comma-separated list of ports that the service requires
to be open in the firewall in order to be accessible to other systems. The UDP or TCP
button on the window must be selected to define the specific transport protocol, too.
Figure 4-8. Add a Port Window


For home use, the typical ports that may need to be accessible by the local network
include TCP/135, UDP/137, TCP/139 (traditional NetBIOS ports), and TCP/445
(NetBIOS over TCP/IP). It may be desirable to open TCP/3389 (for Microsoft Remote
Desktop).
Finally, the Advanced tab allows the user to determine on which interfaces the Windows
Firewall will be enabled as well as define a log file to store the firewall logs. In addition,
specific Internet Control Message Protocol (ICMP) messages can be specified to be
allowed to traverse the firewall in order to ease debugging of connection problems. A
last-resort capability is also available, allowing the user to restore the Windows Firewall
service to its default settings. Figure 4-9
shows the Advanced tab.
Figure 4-9. Windows Firewall Advanced Tab



Windows Firewall Features
The Windows Firewall software builds on top of the ICF/Internet Connection Sharing
software that is now deprecated in Windows XP SP2. Essentially, Windows Firewall
provides the following features over the ICF:
• The ability to specify options on a global level so that they apply to all

connections.
• An operating mode that does not allow exceptions.
• Startup security (covered below).
• IPv4 traffic scoping. The end user can specify that the firewall accept traffic from
specific IP addresses.
• The ability to specify exceptions by service or by program.
• IPv6 support.
Of particular interest is the new startup security. Whereas ICF was active after the system
had booted up and the ICF service was successfully started by the Windows kernel,
Windows Firewall is active from the very start. During system boot, the Windows
Firewall applies a default stateful filter to the system to allow basic networking
functionality such as Dynamic Host Configuration Protocol (DHCP), Domain Name
System (DNS), and communication with domain controllers, but blocks all other traffic
until the system boot process has completed. Only then are the settings configured by the
user applied to the firewall.
Windows Firewall Checklist
When configuring Windows Firewall, you must configure several features depending on
the system role in the network. The answers to the following questions will depend on
whether the system will connect using a public network (such as a wireless network in a
coffee shop or a library) or a private network (such as a corporate LAN or home network)
or both. Additionally, Windows Firewall settings on servers that may be configured as a
web server, an authentication server, or a database server will differ from the settings on
a simple desktop or laptop system. You can use this checklist to help ensure that the
Windows Firewall settings are appropriate for a given system.
• Does Windows Firewall need to be enabled?
This is determined by the consideration of whether the system will be exposed to a
less-secure network than anticipated. This really needs to be considered more for
laptops rather than desktop systems.
• What exceptions (if any) should be configured in the Windows Firewall policy?
Remote Desktop?

To allow an external user to access the system using Microsoft Remote
Desktop Client.
File and Printer Sharing?
This is necessary to share files with other users and systems as well as print
documents.
Other services?
Should other services such as Remote Assistance, Virtual Network
Computer (VNC), or Internet Information Server (IIS) be accessible
through the firewall?
• Should the exceptions be configured as programs or as services?
If you configure exceptions as programs, the firewall only allows the traffic
through if the specified program is active. Otherwise, the traffic is blocked.
However, if the program is a set of services, such as Windows File and Printer
Sharing, it may be easier to configure the exceptions as a range of network service
ports rather than programs.
• For which interfaces should Windows Firewall be configured?
The end user or administrator needs to decide whether all network interfaces will
have the firewall active or just those that may be exposed to "insecure" networks.
This typically applies to desktops with multiple interfaces but can also apply to
laptops with both a wired and a wireless interface. In some cases (such as a laptop
with a built-in wireless interface), it is best to apply the firewall to all interfaces to
ensure that attackers cannot slip by through an active wireless connection.
• Which ICMP types should be allowed through the firewall?
At the very least, ICMP echo reply packets, ICMP destination unreachable
packets, and ICMP Time-To-Live (TTL) Exceeded packets should be allowed
through the firewall for debugging potential network connectivity problems.
• Should logging be configured?
Logging can cause a degradation in system performance. Turn logging on only
when it is needed to debug a problem with the firewall.
After you have answered all of these questions, you can appropriately configure the

firewall for the system. One item to consider is that if logging is configured, who will be
reading the logs and how often? It is of little value to configure logging if no one actually
looks at the logs.