Stealth Mode in Windows Firewall with Advanced Security

Applies To: Windows Server 2008

Stealth mode is a mechanism in Windows Firewall that helps prevent malicious users from discovering information about network computers and the services that they run.

It is common for an attacker to use an automated scanning process to send query packets to a range of IP addresses. For each IP address, the scanning process sends packets to a range of port numbers, and the response packets are used to identify the services that are installed on the computer. For example, if a computer responds to a UDP query with an ICMP unreachable packet, or to a TCP query with a reset message, then an attacker is able to determine the existence of a computer at that IP address and an open port in Windows Firewall that can be used to reach the computer. The attacker can then use this information to attempt to exploit vulnerabilities.

Stealth mode in Windows Firewall with Advanced Security is designed to help protect against this kind of attack. Stealth mode blocks outgoing ICMP unreachable and TCP reset messages for a port when no application is listening on that port.

Stealth mode is enabled by default on computers that are running Windows Vista®, Windows Server® 2008, Windows® 7, and Windows Server® 2008 R2.

Important

Network packets dropped by the stealth mode feature are not logged.