Windows Firewall

Windows Firewall is a stateful host firewall designed to drop unsolicited incoming traffic that does not correspond to a dynamic or configured exception. A stateful firewall tracks the state of network connections. The firewall monitors traffic sent by the host and dynamically adds exceptions so that the responses to the sent traffic are allowed. Some of the state parameters that the Windows Firewall tracks include source and destination addresses and TCP and UDP port numbers.

This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic.

Windows Firewall, a replacement for the Internet Connection Firewall (ICF) in Windows XP with Service Pack 1 and Windows XP with no service packs installed, is enabled by default in SP2. This means that all the connections of a computer running Windows XP with SP2 have Windows Firewall enabled, including LAN (wired and wireless), dial-up, and virtual private network (VPN) connections. New connections also have Windows Firewall enabled by default.

Without configured exceptions, Windows Firewall will drop traffic for server, peer, or listener applications and services. Therefore, it is likely you will want to configure Windows Firewall for exceptions to ensure that the Windows Firewall works appropriately for your environment. Windows Firewall settings are available for Computer Configuration only. They are located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

Identical sets of policy settings, as shown in Table 2, are available for two profiles:

  • Domain profile. Used when computers are connected to a network that contains your organization’s Active Directory domain.

  • Standard profile. Used when computers are not connected to a network that contains your organization’s Active Directory domain, such as a home network or the Internet.

    Table 2   Windows Firewall Group Policy Settings

  • Windows Firewall: Protect all network connections. Turns on Windows Firewall. The default is Not Configured.

  • Windows Firewall: Do not allow exceptions. Specifies that Windows Firewall blocks all unsolicited incoming messages, including configured exceptions. This policy setting overrides all configured exceptions. The default is Not Configured.

  • Windows Firewall: Define program exceptions. Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured.

  • Windows Firewall: Allow local program exceptions. Allows local administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. The default is Not Configured.

  • Windows Firewall: Allow remote administration exception. Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using RPC and DCOM. The default is Not Configured.

  • Windows Firewall: Allow file and printer sharing exception. Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445. The default is Not Configured.

  • Windows Firewall: Allow ICMP exceptions. Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Tools and services use ICMP messages to determine the status of other computers. The default is Not Configured.

  • Windows Firewall: Allow Remote Desktop exception. Allows this computer to receive Remote Desktop requests. To do this, Windows Firewall opens TCP port 3389. The default is Not Configured.

  • Windows Firewall: Allow UPnP framework exception. Allows this computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869 and UDP port 1900. The default is Not Configured.

  • Windows Firewall: Prohibit notifications. Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list. The default is Not Configured.

  • Windows Firewall: Allow logging. Allows Windows Firewall to record information about successful connections and the unsolicited incoming messages that it receives. The default is Not Configured.

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests. Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. The default is Not Configured.

  • Windows Firewall: Define port exceptions. Allows you to view and change the port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. The default is Not Configured.

  • Windows Firewall: Allow local port exceptions. Allows local administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall uses two port exception lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. The default is Not Configured.

In addition, the following policy setting is available separately from the domain and standard profiles:

  • Windows Firewall: Allow authenticated IPSec bypass. Allows IPSec-protected traffic to bypass the Windows Firewall. If you enable this policy setting, you must type a security descriptor containing a list of computers or groups of computers. The default is Not Configured.

For complete descriptions of each Windows Firewall policy setting including registry paths, see the Group Policy Settings Reference on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=22031. The easiest way to find the individual settings in the spreadsheet is to open the worksheet labeled All and search for Windows Firewall.

For complete details about configuring Windows Firewall settings on computers running Windows XP with SP2, see “Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2” on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?LinkId=23277.

Windows Firewall Policy Settings Deployment Roadmap

This section is designed to help guide you in determining which policy settings to use based on your environment. Among the first decisions you will need to make as a Group Policy administrator is whether to turn the firewall off through Group Policy (not recommended unless you’re already using a third-party host firewall). If you use Windows Firewall, you need to assess policy settings for both the domain and standard profiles. It is recommended to enable the firewall for both profiles. Typically, the domain profile might be less restrictive to allow exceptions for specific types of organization traffic. Conversely, the standard profile might be more restrictive to protect computers such as laptops that are vulnerable to threats from the Internet. In addition, you will need to assess any program or port exceptions to ensure your applications or tools work correctly. These decisions are shown in the following diagram.

[Diagram: mangxp04.gif]

Disabling Windows Firewall: Protect all network connections turns off the firewall and prevents any local administrators from turning it on using Control Panel. Both Windows Firewall and third-party firewalls can typically coexist, but you would need to configure exceptions for both firewalls. Maintaining two firewalls incurs additional management overhead and does not increase your security.

Although Windows Firewall is enabled by default in SP2, turning it on via Group Policy (enabling Windows Firewall: Protect all network connections) prevents local administrators from turning it off using the Windows Firewall component in Control Panel. In addition, enabling this policy setting also overrides an earlier related policy setting that was available in Windows XP with SP1 and Windows XP with no service packs installed: Prohibit use of Internet Connection Firewall on your DNS domain network located in Computer Configuration\Administrative Templates\Network\Network Connections.

Whether you enable the firewall explicitly through this policy setting or leave it on by default (by not configuring Windows Firewall: Protect all network connections), you will need to assess any program or port exceptions. These decisions are shown in the following diagram.

[Diagram: mangxp05_big.gif]

When assessing exceptions, the first policy setting decision to make is whether to allow any. Most organizations will likely need to make some exceptions in order for all of their applications or tools to run. However, after testing your applications and tools for compatibility with Windows Firewall, you might choose not to allow any exceptions and simply enable Windows Firewall: Do not allow exceptions. 

If after testing, it is clear that you will need to allow exceptions, it is recommended that you first enable exceptions for programs by configuring Windows Firewall: Define program exceptions. In this way, the policy setting will only permit the opening of ports while the application is in use instead of leaving ports open all the time regardless of whether the application is in use. If required, you can configure Windows Firewall: Define port exceptions where you will need to define the required ports. 

Next, you’ll need to decide how much freedom to grant your users who run as local administrators on their computers. For Windows Firewall, local administrators can be permitted to configure Windows Firewall using the Windows Firewall component in Control Panel. This is shown in the following diagram.

[Diagram: mangxp06.gif]

Note that if you do not configure these policy settings, the ability of local administrators to define these exceptions depends on how you set other policy settings:

  • Windows Firewall: Define program exceptions. If this policy setting is not configured, administrators can define a local program exceptions list. If it is enabled or disabled, administrators cannot define a local program exceptions list.

  • Windows Firewall: Define port exceptions. If this policy setting is not configured, administrators can define a local port exceptions list. If it is enabled or disabled, administrators cannot define a local port exceptions list.

Now, you’re ready to assess any additional specific exceptions you want to permit through the Windows Firewall. This matrix is shown in the following diagram.

[Diagram: mangxp07_big.gif]

Note that if you permit any of these exceptions, the computers in your organization might become more susceptible to network attacks. Therefore, you must carefully consider your requirements against your security needs.

Also note that to use remote RSoP capabilities in GPMC or the RSoP snap-in, you need to enable Windows Firewall: Allow remote administration exception, as explained earlier in this document. Be sure to account for the additional security risk if you enable this policy setting.

Furthermore, for each of these scenarios, you’ll need to assess whether you want your local administrators to be able to set any of these policy settings on their own computers, as shown in the following diagram. Disabling any of the exceptions by using policy settings prevents local administrators from changing them.

[Diagram: mangxp08.gif]

Additional Windows Firewall Policy Settings

Finally, there are additional policy settings that you may want to configure:

  • Windows Firewall: Prohibit notifications. This policy setting prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list. It is recommended that you disable this policy setting, which allows notifications to be displayed. If you want to let local administrators choose how to use this option, leave this policy setting as not configured. If you have enabled Windows Firewall: Do not allow exceptions, notifications will not be displayed.

  • Windows Firewall: Allow logging. This policy setting allows Windows Firewall to record information about the unsolicited incoming messages that it receives. It is recommended to enable this policy setting and set a limit on the log file size so that it can be easily e-mailed to Help desk support if necessary.

  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests. This policy setting prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. It is recommended to disable this policy setting. If you want to let local administrators choose how to use this option, leave this policy setting as not configured.
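As an added example (not from this document or from Microsoft), the following Python script reads a firewall log of the kind the Windows Firewall: Allow logging setting produces and sorts the dropped unsolicited inbound traffic into ports that one of the Table 2 exception settings would open and ports that would need a Windows Firewall: Define port exceptions entry. The "#Fields:" layout and the log lines are constructed assumptions about the pfirewall.log format, not taken from this page.

```python
from collections import Counter
# Constructed sample of the log Windows Firewall writes when "Windows Firewall:
# Allow logging" is enabled. The "#Fields:" header and field order are my
# assumption about the pfirewall.log layout, not something this page gives.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-01 08:00:01 DROP TCP 192.0.2.10 192.0.2.50 49152 445 48 S 123456 0 65535 - - - RECEIVE
2004-09-01 08:00:02 DROP TCP 192.0.2.10 192.0.2.50 49153 135 48 S 123457 0 65535 - - - RECEIVE
2004-09-01 08:00:03 DROP TCP 198.51.100.7 192.0.2.50 40000 3389 48 S 555 0 8192 - - - RECEIVE
2004-09-01 08:00:04 DROP UDP 192.0.2.11 192.0.2.255 137 137 78 - - - - - - - RECEIVE
2004-09-01 08:00:05 DROP TCP 198.51.100.7 192.0.2.50 40001 8080 48 S 556 0 8192 - - - RECEIVE
2004-09-01 08:00:06 OPEN TCP 192.0.2.50 192.0.2.20 1026 80 0 - 0 0 0 - - - -
"""

# Ports that Table 2 says a named exception policy setting opens; anything
# else would need an entry under "Windows Firewall: Define port exceptions".
NAMED_EXCEPTIONS = {
    ("TCP", 135): "Allow remote administration exception",
    ("TCP", 445): "Allow remote administration / file and printer sharing exception",
    ("UDP", 137): "Allow file and printer sharing exception",
    ("UDP", 138): "Allow file and printer sharing exception",
    ("TCP", 139): "Allow file and printer sharing exception",
    ("TCP", 3389): "Allow Remote Desktop exception",
    ("TCP", 2869): "Allow UPnP framework exception",
    ("UDP", 1900): "Allow UPnP framework exception",
}

def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the #Fields: header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):  # skip malformed lines
                records.append(dict(zip(fields, values)))
    return records

def dropped_inbound_by_port(records):
    """Count unsolicited inbound messages the firewall dropped, per protocol/port."""
    return Counter((r["protocol"], int(r["dst-port"])) for r in records
                   if r["action"] == "DROP" and r["path"] == "RECEIVE")

def classify_drops(counts):
    """Split drops into ports a Table 2 exception covers and ports needing a custom port exception."""
    named = {k: (n, NAMED_EXCEPTIONS[k]) for k, n in counts.items() if k in NAMED_EXCEPTIONS}
    custom = {k: n for k, n in counts.items() if k not in NAMED_EXCEPTIONS}
    return named, custom
```

Reviewing the custom bucket after a compatibility test run keeps the Define port exceptions list to the ports the applications actually need, and the named bucket shows which single policy setting covers the rest.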

For additional information about network security and risk assessment, see “Security Policy, Assessment, and Vulnerability Analysis” on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=33542.

More Information

For more information about deploying Windows Firewall, see “Deploying Windows Firewall Settings for Microsoft Windows XP Service Pack 2” on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?LinkId=23277.

For complete descriptions of each Windows Firewall policy setting including registry paths, see the Group Policy Settings Reference on the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?linkid=22031. The easiest way to find the individual settings in the spreadsheet is to open the worksheet in the All or System.adm tabs and search for Windows Firewall.