Hack 77. Protect Your Computer with the New Windows Firewall

XP SP2 turns on the Windows Firewall by default, so you're automatically protected from incoming attacks. Here's how to configure the Windows Firewall for maximum protection and flexibility and use it to log potential attacks and send information about the intruders to your ISP.

The moment you connect to the Internet, you're in some danger of intrusion, especially if you have a broadband connection. PCs with broadband connections are tempting targets because their high-speed connections are ideal springboards for attacking other networks or web sites.

Whenever you're connected, your system is among many constantly being scanned for weaknesses by crackers (malicious hackers) and wannabes (often called script kiddies) sending automated probes looking for vulnerable PCs. In fact, these kinds of probes are so common and incessant, you can think of them as the background radiation of the Internet.

One of the best ways to protect yourself against these probes and more targeted attacks is to use a firewall. Firewall software sits between you and the Internet and acts as a gatekeeper of sorts, only allowing nonmalicious traffic through.

If you have a home network, your router might offer firewall protection. For details on how to optimize that protection and get the most out of other router features, see [Hack #50] and [Hack #68].

In this hack, we'll look at how to get the most out of the Windows Firewall, the firewall built into XP SP2, which is turned on by default when you install SP2.

Before SP2, the firewall was called the Internet Connection Firewall (ICF). It was much the same as the Windows Firewall although with some differences, notably in how you access the firewall and its features.

The Windows Firewall offers basic Internet security by stopping all unsolicited inbound traffic and connections to your PC and network, unless your PC or another PC on the network initially makes the request for the connection. However, it will not block outgoing requests and connections, so you can continue to use the Internet as you normally would for browsing the Web, getting email, using FTP, or similar services.

If you use the Windows Firewall or another type of firewall, you can run into problems if you run a web server or an FTP server, or if you want to allow Telnet access to your PC. Because firewalls block unsolicited inbound communications, visitors won't be able to get to your sites or get Telnet access to your PC. However, you can allow access to these resources, while still retaining firewall protection [Hack #80].

If you're sharing an Internet connection through a PC, only the PC that directly accesses the Internet should run the Windows Firewall. All the other PCs will be protected. Don't run the Windows Firewall on any of those other PCs because you'll cause connection problems. And don't use the Windows Firewall with a Virtual Private Network (VPN) [Hack #82].

The Windows Firewall has one serious drawback: it won't protect you against Trojans, such as the Back Orifice Trojan. Trojans let other users take complete control of your PC and its resources. For example, someone could use your PC as a launch pad for attacking web sites and it would appear you were the culprit, or he could copy all your files and find out personal information about you, such as your credit card numbers if you store them on your PC.

The Windows Firewall won't stop Trojans because it blocks only incoming traffic, and Trojans work by making outbound connections from your PC. To stop Trojans, get a third-party firewall. The best is ZoneAlarm [Hack #78].

When you install XP SP2, you're automatically protected because it turns on the Windows Firewall. There's a chance, though, that the firewall has been turned off. To make sure it's turned on, click Security Center from the Control Panel. When the Security Center appears, there should be a green light next to the Firewall button, and it should say ON, as shown in Figure 8-7.

Figure 8-7. Making sure the Windows Firewall is turned on

If it's not on, click the Windows Firewall icon at the bottom of the screen, click ON, and then click OK.

8.4.1. Allow Programs to Bypass the Firewall

The Windows Firewall offers protection from inbound threats, but it can also cause problems. A variety of software needs to accept inbound connections, and because the firewall blocks those connections, the software stops working. Instant messaging programs and FTP programs, for example, both need to accept these kinds of connections, and the Windows Firewall blocks them.

Usually, but not always, the first time you run one of these programs, you'll get the warning from the Windows Firewall shown in Figure 8-8. The warning will show you the name of the program and the publisher and will ask if you want to keep blocking the program. If you'd like to allow the Windows Firewall to let the program function, click Unblock. To keep blocking the program, click Keep Blocking. As for the Ask Me Later choice, it doesn't really ask you later. It lets the program accept incoming connections for just this one time when you run it. After you exit, the next time you run the program, you'll get the same warning.

Figure 8-8. A warning from the Windows Firewall

That's well and good, but the Windows Firewall won't always pop up this alert. So, you might find that some programs don't work with the firewall on, but you won't get a warning about them. In that case, you can manually tell the Windows Firewall to let it through by adding programs to its exceptions list.

To do so, choose Control Panel → Security Center → Windows Firewall. Then, click the Exceptions tab, shown in Figure 8-9. This tab lists all the programs for which the firewall will accept inbound connections. If a program is listed here but doesn't have a check next to it, it means the firewall blocks it. To tell the firewall to stop blocking inbound connections for the program, check the box next to it and click OK.

Figure 8-9. The Windows Firewall Exceptions tab

When you get a warning from the Windows Firewall and click Ask Me Later, the program will be listed on the Exceptions tab, with no check next to it.

To add a program to the exceptions list, click Add Program to bring up the window shown in Figure 8-10. Choose a program from the list and click OK, and then click OK again to add it to your list. If the program you want to add isn't listed in the Add a Program dialog box, click the Browse button to find it and then add it.

Figure 8-10. Choosing a program to add to your exceptions list

There might be some programs for which you want to grant access to only certain people and not others. Maybe, for example, you want to allow an instant messenger program to work only with people on your own network. There's a way to do that.

First, add the program to the exceptions list. Then, highlight the program and click Edit → Change Scope. The Change Scope dialog box appears, as shown in Figure 8-11. Choose "My Network (subnet) only," click OK and then OK again, and the firewall will let in only inbound connections from your network. To allow inbound connections for the program from only specific IP addresses, choose "Custom list," type in the IP addresses you want to allow, and then click OK and OK again.

Figure 8-11. Granting access to your network to specific people only

If you want to allow inbound connections to any servers on your system, such as web servers, or if you want to open up specific ports in the firewall, see [Hack #80].

8.4.2. Track Firewall Activity with a Windows Firewall Log

The Windows Firewall can do more than just protect you from intruders; it can also keep track of all intrusion attempts so that you can know whether your PC has been targeted, and what kinds of attacks the Windows Firewall has turned back. Then you can send that information to your ISP so that it can track down the intruders.

If you have a home network, you can get add-on software that will automatically log all intrusion attempts and help you track down intruders as well [Hack #68].

First, create a Windows Firewall log. From the Security Center, choose Windows Firewall → Advanced, and click the Settings button in the Security Logging section. The dialog box shown in Figure 8-12 appears.

Figure 8-12. Creating a Windows Firewall log

Choose whether to log dropped packets, successful connections, or both. A dropped packet is a packet that the Windows Firewall has blocked. A successful connection doesn't mean an intruder has successfully connected to your PC; it refers to any connection you have made over the Internet, such as to web sites. Because of this, there's usually no reason for you to log successful connections. If you do log them, your log will become large quickly, and it will be more difficult to track only potentially dangerous activity. So, your best bet is to log only dropped packets.

After you've made your choices, choose a location for the log, set its maximum size, and click OK. I don't let my log get larger than 1MB, but depending on how much you care about disk space and how much you plan to use the log, you might want yours larger or smaller.

The log will be created in a W3C Extended Log format (.log) that you can examine with Notepad or another text editor or by using a log analysis program such as the free AWStats (http://awstats.sourceforge.net). Figure 8-13 shows a log generated by the Windows Firewall, examined in Notepad.

Figure 8-13. A log generated by the Windows Firewall

Each log entry has up to 16 pieces of information associated with the event, but the most important columns for each entry are the first eight.

In a text editor, the names of the columns don't align over the data, but they will align in a log analyzer.

Table 8-3 describes the most important columns.

Table 8-3. The columns in the Windows Firewall log

Date (date)

Date of occurrence, in year-month-day format

Time (time)

Time of occurrence, in hour:minute:second format

Action (action)

The operation that was logged by the firewall, such as DROP for dropping a connection, OPEN for opening a connection, and CLOSE for closing a connection

Protocol (protocol)

The protocol used, such as TCP, UDP, or ICMP

Source IP (src-ip)

The IP address of the computer that started the connection

Destination IP (dst-ip)

The IP address of the computer to which the connection was attempted

Source Port (src-port)

The port number on the sending computer from which the connection was attempted

Destination Port (dst-port)

The port to which the sending computer was trying to make a connection

Size (size)

The packet size

TCP Flags (tcpflags)

Information about TCP control flags in TCP headers

TCP Sequence Number (tcpsyn)

The TCP sequence number of the packet

TCP Acknowledgment Number (tcpack)

The TCP acknowledgment number in the packet

TCP Window Size (tcpwin)

The TCP window size of the packet

ICMP Type (icmptype)

The type of the ICMP message

ICMP Code (icmpcode)

The code of the ICMP message

Information (info)

Information about an entry in the log

The source IP address is the source of the attack. You might notice the same source IP address continually cropping up; if so, you might have been targeted by an intruder. It's also possible that the intruder is sending out automated probes to thousands of PCs across the Internet and your PC is not under direct attack. In either case, you can send the log information to your ISP and ask them to follow up by tracking down the source of the attempts. Either forward the entire log or cut and paste the relevant sections to a new file.
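As an added example that is not from the book, the following script parses a log in the W3C extended format described above and counts dropped packets per source address, which is exactly the "same source IP keeps cropping up" pattern the paragraph tells you to look for. It assumes the standard "#Fields:" header line that the Windows Firewall writes and uses a constructed sample log rather than a real capture.

```python
"""Summarise DROP entries in a Windows Firewall log (added example, not from the
book). Assumes the W3C extended format with the '#Fields:' header described above."""
from collections import Counter, defaultdict

# Constructed sample log, not a real capture; the #Fields line is the header
# Windows Firewall writes, so the same code runs on a real pfirewall.log.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2005-03-01 10:00:01 DROP TCP 203.0.113.7 192.168.1.5 4321 135 48 S 1234567 0 65535 - - RECEIVE
2005-03-01 10:00:02 DROP TCP 203.0.113.7 192.168.1.5 4322 445 48 S 1234568 0 65535 - - RECEIVE
2005-03-01 10:00:03 DROP UDP 198.51.100.9 192.168.1.5 1026 1026 78 - - - - - - RECEIVE
2005-03-01 10:00:04 OPEN TCP 192.168.1.5 192.0.2.80 1040 80 0 - 0 0 0 - - -
2005-03-01 10:00:05 DROP TCP 203.0.113.7 192.168.1.5 4323 139 48 S 1234569 0 65535 - - RECEIVE
2005-03-01 10:00:06 DROP ICMP 198.51.100.9 192.168.1.5 - - 60 - - - - 8 0 RECEIVE
"""

def parse_log(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names, e.g. 'src-ip'
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def dropped_by_source(text):
    """Count DROP events per source IP and record which ports each source probed."""
    counts = Counter()
    targets = defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] != "DROP":            # OPEN/CLOSE are our own connections
            continue
        counts[rec["src-ip"]] += 1
        # ICMP has no port, so use the ICMP type as the 'target' instead
        port = rec["dst-port"] if rec["dst-port"] != "-" else "icmp-type-" + rec["icmptype"]
        targets[rec["src-ip"]].add(f"{rec['protocol']}/{port}")
    return counts, targets

def repeat_offenders(text, threshold=3):
    """Source IPs with at least `threshold` dropped packets, most active first."""
    counts, _ = dropped_by_source(text)
    return [ip for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    counts, targets = dropped_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} dropped packet(s), targets {sorted(targets[ip])}")
```

To run it against your own log, replace SAMPLE_LOG with the contents of the file you chose in the Security Logging settings; the output for a repeat offender is what you would forward to your ISP.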

8.4.3. Watch Out for Problems with Email and the Windows Firewall

Depending on the email program you use and how it gets notification of new email, the Windows Firewall could interfere with the way you retrieve your email. It won't stop you from getting your email, but it could disable your email program's notification feature.

The Windows Firewall won't interfere with the normal notification feature of Outlook Express because the initial request asking for notification of new email comes from Outlook Express, which is inside the firewall. When the server responds to the request, the firewall recognizes that the server is responding to the request from Outlook Express, so it lets the communication pass through.

However, if you use Outlook and connect to a Microsoft Exchange server using a remote procedure call (RPC) to send email notifications (which is usually the case with Exchange), you'll run into problems. That's because the RPC initially comes from the server, not from Outlook, so the firewall doesn't allow the notification to pass to you. In this case, you can still retrieve your email, but you'll have to check for new email manually; you won't be able to get automatic notification from the server. So, if you don't get new mail notifications after you install the Windows Firewall, it's not that co-workers, friends, and spammers are suddenly ignoring you; you'll just have to check for new mail manually.

8.4.4. Hacking the Hack

The Windows Firewall Exceptions tab is especially useful for anyone who uses file sharing on a home or corporate network but wants to turn file sharing off when they're on a public network connection, such as a WiFi hotspot. When you get to a hotspot, before connecting, go to the tab, uncheck the box next to File and Printer Sharing, and click OK. File sharing will be turned off. Then, when you get back to your home or business network, turn it back on again.

8.4.5. See Also

  • For more information about the Windows Firewall, see Microsoft Knowledge Base Article 875357 (http://support.microsoft.com/kb/875357).

  • [Hack #78]

  • [Hack #50]

  • [Hack #68]

  • [Hack #80]

    Windows XP Hacks
    Windows XP Hacks, Second Edition
    ISBN: 0596009186
    Year: 2003
    Pages: 191
