Configuring Windows Firewall


The purpose of Windows Firewall is to examine all incoming network data for attempts to connect to your computer. The firewall maintains a list of networking services for which incoming connections should be permitted, each limited to a given range of network addresses. For example, by default, Windows Firewall permits file sharing connections only from computers on the same "subnet" (local area network) as your computer. Attempts by users outside your immediate network to contact your computer are rebuffed. This prevents Internet users from examining your shared files. (Outgoing requests, that is, attempts by your computer to connect to others, are not restricted.)

The Firewall also monitors application programs and system services that announce their willingness to receive connections through the network. These are compared against a list of authorized programs. If a program that is not on the list sets itself up to receive incoming network connections, Windows displays a pop-up message like the one shown in Figure 21.6, giving you the opportunity either to prevent the program from receiving any network traffic ("Keep Blocking") or to add the program to the authorized list ("Unblock"). This gives you a chance to stop spyware and Trojan horses before they can accept connections from outside. If you don't recognize the program, choose Keep Blocking; you can always add an exception later from the Exceptions tab. Firewall-aware programs like Windows Messenger automatically instruct the Firewall to unblock their data connections.

Figure 21.6. Windows Firewall displays a pop-up message if an unauthorized program asks to receive network connections.


To view Windows Firewall's setup dialogs, open the Network Connections window and select Change Windows Firewall Settings, or open the Windows Security Center and select Manage Security Settings for Windows Firewall.

NOTE

On a corporate network, your network manager may enforce or prevent its use (typically through Group Policy) and may restrict your ability to change Firewall settings while your computer is connected to the network.


The remainder of this section discusses the various setup options for Windows Firewall.

Enabling and Disabling the Firewall

The Firewall's General tab (refer to Figure 21.3) lets you enable or disable the firewall function. When it is on, you can additionally check Don't Allow Exceptions to refuse all incoming connections from other computers; your exception entries are kept but ignored until you clear the box again. This provides an extra level of safety when you are using an unsecured public network such as a wireless hotspot in a hotel, airport, or café.

If Windows Messenger file transfer fails after enabling Windows Firewall, see "Windows Messenger Can't Send Files" in the "Troubleshooting" section at the end of this chapter.



Enabling Exceptions

In most cases you do want other computers to be able to make connections to yours; for instance, this is how other people get to folders and printers you are sharing. Windows Firewall lets you determine what network services it will let in, and for each, which other users (as specified by their computers' network address) will be allowed to make contact. These are called exceptions.

Exceptions can be defined in terms of network protocols and port numbers, which correspond to particular network services, or in terms of specific application program filenames. When a protocol and port are listed, any program that wants to receive connections for that network service is permitted to. When a program filename is listed, that program is permitted to receive connections on any protocol or port it wishes. A program exception is therefore the broader of the two; if a program provides just one service, a port exception for that service's port is the tighter choice.

The range of network addresses that are allowed to contact your computer is called a scope, and can be specified as any of the following:

  • Any computer (including those on the Internet)

  • My Network (subnet only)

  • Custom list (a list of network addresses or subnet specifications separated by commas).

CAUTION

The "My Network" selection permits access by any computer in the same subnet (local network group) of any of your computer's network connections, which may include more than just your own LAN. When your computer has a direct broadband or dialup Internet connection, in most cases your ISP places it in a subnet shared with up to 252 other computers you know nothing about, and they'll have access to any service you open with a Subnet scope.

The workaround is to not enable Subnet-scoped exceptions for sensitive services on a computer that connects directly to the Internet, including one that shares its own Internet connection with Internet Connection Sharing. This is not a problem when your computer sits behind a shared connection or a sharing router, because then its only subnet is your own LAN.


On the Firewall's Exceptions tab, shown in Figure 21.7, there is a predefined list of programs and network services for which the firewall will allow incoming connections. These are listed in Table 21.7.

Figure 21.7. Exceptions permit incoming connections to particular network services or specified application programs.


Table 21.7. Predefined Windows Firewall Exceptions

Entry                      Selected by Program or Port?   Scope    Protocols/Ports
File and Printer Sharing   Port                           Subnet   TCP 139
                                                          Subnet   TCP 445
                                                          Subnet   UDP 137
                                                          Subnet   UDP 138
Remote Assistance          Program                        Any      (any port the program uses)
Remote Desktop             Port                           Any      TCP 3389
UPnP Framework             Port                           Any      TCP 2869
                                                          Any      UDP 1900
Windows Messenger [*]      Program                        Any      (any port the program uses)

[*] Windows Messenger appears automatically the first time Windows Messenger is used.

If you run a service such as a Web server, or an application program that will need to receive network connections, you can get an exception placed into this list by letting Windows display a pop-up warning of the type shown in Figure 21.6, or you can manually add an exception for this program.

To manually add an application exception, which lets the program receive any network connections it wishes, view the Exceptions tab and click Add Program. Click Browse to locate the program's executable (.EXE) file (the exception is tied to that file's full path, so a program that moves or is reinstalled elsewhere needs a new entry), and click Change Scope to set the range of network addresses that should be able to access the program's services.

To manually add a port (service) exception, which lets any program receive network connections on the specified network ports, view the Exceptions tab and click Add Port. Enter a name to describe the network service, enter the port number, and select TCP or UDP. Click Change Scope to set the range of network addresses that should be able to access this service.

For example, to permit access to a Web server running on your computer, you add the information shown in Figure 21.8: a descriptive name, TCP, and port 80 (or whatever port the server is configured to use). The Scope could be set to Any to permit access by the entire Internet, or Subnet to restrict access to your LAN only; choose the narrowest scope that still reaches the users who need the server.

Figure 21.8. Adding an exception for a Web server.
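The same exceptions can be created without the GUI from an Administrator's Command Prompt using the netsh firewall commands that XP SP2 provides. The Python script below is an added example, not code from the book: it builds those command lines for the operations described above (the Web server port exception, a program exception with a custom scope, and the General tab's Don't Allow Exceptions setting), validates scope and address entries before anything is sent to netsh, and executes them only when dry_run is False. The function names and the program path C:\Apps\app.exe are the example's own assumptions; the netsh firewall syntax is the real one.

```python
"""Build the 'netsh firewall' command lines behind the Exceptions and General
tab operations on Windows XP SP2.  Added example, not code from the book."""
import ipaddress
import subprocess

# Scope keywords understood by 'netsh firewall':
#   ALL    = "Any computer (including those on the Internet)"
#   SUBNET = "My network (subnet) only"
#   CUSTOM = "Custom list" (an addresses=... argument follows)
SCOPES = ("ALL", "SUBNET", "CUSTOM")


def _scope_args(scope, addresses=()):
    """Return the scope=/addresses= arguments for a netsh firewall command."""
    scope = scope.upper()
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s" % ", ".join(SCOPES))
    if scope != "CUSTOM":
        return ["scope=%s" % scope]
    if not addresses:
        raise ValueError("CUSTOM scope needs at least one address or subnet")
    for entry in addresses:
        # Reject typos up front: a malformed entry must not silently widen
        # (or quietly fail to narrow) the scope. LocalSubnet is a netsh keyword.
        if entry != "LocalSubnet":
            ipaddress.ip_network(entry, strict=False)
    return ["scope=CUSTOM", "addresses=%s" % ",".join(addresses)]


def port_exception(name, protocol, port, scope="SUBNET", addresses=()):
    """Exceptions tab > Add Port (+ Change Scope), as an argument list."""
    protocol = protocol.upper()
    if protocol not in ("TCP", "UDP"):
        raise ValueError("protocol must be TCP or UDP")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port must be between 1 and 65535")
    return (["netsh", "firewall", "add", "portopening",
             "protocol=%s" % protocol, "port=%d" % port,
             "name=%s" % name, "mode=ENABLE"]
            + _scope_args(scope, addresses))


def program_exception(name, path, scope="SUBNET", addresses=()):
    """Exceptions tab > Add Program: opens every port the program listens on,
    so the scope is the only thing limiting it."""
    return (["netsh", "firewall", "add", "allowedprogram",
             "program=%s" % path, "name=%s" % name, "mode=ENABLE"]
            + _scope_args(scope, addresses))


def opmode(no_exceptions):
    """General tab: firewall On, with Don't Allow Exceptions set or cleared."""
    return ["netsh", "firewall", "set", "opmode", "mode=ENABLE",
            "exceptions=%s" % ("DISABLE" if no_exceptions else "ENABLE")]


def render(command):
    """Format an argument list the way you would type it at a Command Prompt,
    quoting tag=value pairs whose value contains spaces."""
    words = []
    for arg in command:
        tag, eq, value = arg.partition("=")
        words.append('%s="%s"' % (tag, value) if eq and " " in value else arg)
    return " ".join(words)


def run_all(commands, dry_run=True):
    """Return each command as text; execute it (as Administrator) only if
    dry_run is False."""
    lines = []
    for cmd in commands:
        lines.append(render(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)
    return lines


if __name__ == "__main__":
    plan = [
        port_exception("Web Server", "TCP", 80, scope="SUBNET"),
        # Hypothetical program path, for illustration only.
        program_exception("Example App", r"C:\Apps\app.exe", scope="CUSTOM",
                          addresses=["192.168.1.0/24", "LocalSubnet"]),
        opmode(no_exceptions=False),
    ]
    for line in run_all(plan):  # dry run: prints, does not touch the firewall
        print(line)
```

Run it as-is to see the exact commands, then call run_all(plan, dry_run=False) from an elevated prompt to apply them; netsh firewall show config afterwards confirms what the Exceptions tab will display.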


You can later highlight any entry and select Delete or Edit to remove or modify these settings. You can also uncheck an entry to temporarily block the program or service.

TIP

Curious to know what programs and services on your computer are listening for incoming network connections? Log on as a Computer Administrator, open a Command Prompt window, and type the command netstat -ab | more. (This may take quite a long time, because -b has to look up the executable behind every socket; netstat -ano is much faster and shows the process ID instead, which you can match to a program name with tasklist.) If you don't recognize a program's name, use Google to see if it's discussed on any Web pages; this may help you determine whether it's a legitimate Windows program or some sort of malware. Bear in mind that a listening program is reachable from the network only if a firewall exception covers it, but an unexpected listener is worth investigating either way.
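To turn that one-off check into something repeatable, here is an added Python example (not from the book) that reads saved netstat -ano and tasklist /fo csv /nh output, keeps only sockets listening on a non-loopback address, and reports those that none of the predefined exceptions in Table 21.7 accounts for. The two listings embedded in the script are constructed for the example, including the process name unknownapp.exe; on a real machine you would capture both from an Administrator Command Prompt.

```python
"""Audit listening sockets against the predefined firewall exceptions.
Added example, not code from the book."""
import csv
import io

# Constructed sample of 'netstat -ano' output in the Windows XP layout.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1268
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2716
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3045      192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:1900           *:*                                    1240
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed sample of 'tasklist /fo csv /nh' output (image name, PID,
# session name, session number, memory).  unknownapp.exe is a made-up name.
TASKLIST_SAMPLE = """\
"System","4","Console","0","228 K"
"svchost.exe","1032","Console","0","4,876 K"
"svchost.exe","1240","Console","0","5,112 K"
"svchost.exe","1268","Console","0","6,004 K"
"alg.exe","1604","Console","0","3,348 K"
"unknownapp.exe","2716","Console","0","2,140 K"
"""

# (protocol, port) pairs opened by the predefined exceptions in Table 21.7.
PREDEFINED_EXCEPTIONS = {
    ("TCP", 139), ("TCP", 445), ("UDP", 137), ("UDP", 138),  # File and Printer Sharing
    ("TCP", 3389),                                           # Remote Desktop
    ("TCP", 2869), ("UDP", 1900),                            # UPnP Framework
}


def parse_netstat(text):
    """Return listening sockets as (proto, address, port, pid) tuples."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # TCP rows carry a State column; UDP rows have none, and any bound
        # UDP socket can receive datagrams, so all of them count.
        if proto == "TCP" and (len(parts) < 5 or parts[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        sockets.append((proto, addr, int(port), int(parts[-1])))
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def exposed_listeners(netstat_text, tasklist_text):
    """Listeners bound to a non-loopback address, tagged with their process."""
    names = parse_tasklist(tasklist_text)
    found = []
    for proto, addr, port, pid in parse_netstat(netstat_text):
        if addr.startswith("127."):
            continue  # loopback only: nothing on the network can reach it
        found.append((proto, addr, port, pid, names.get(pid, "?")))
    return found


def unexplained(listeners, known=PREDEFINED_EXCEPTIONS):
    """Exposed listeners whose (proto, port) no predefined exception covers.
    The firewall blocks these unless you added an exception yourself, but a
    listener you cannot account for deserves a look regardless."""
    return [item for item in listeners if (item[0], item[2]) not in known]


if __name__ == "__main__":
    for proto, addr, port, pid, image in unexplained(
            exposed_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE)):
        print("%s %s:%d pid %d (%s)" % (proto, addr, port, pid, image))
```

On the sample data the script reports TCP 135 (the RPC endpoint mapper in svchost.exe, which XP always has open and the default configuration leaves blocked) and TCP 6667 from the made-up unknownapp.exe; the second is the kind of entry the tip above tells you to look up. Add your own exceptions to PREDEFINED_EXCEPTIONS so that only genuinely unexpected listeners are reported.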


Advanced Firewall Settings

The Firewall's Advanced tab lets you remove the firewall from particular network connections, enable logging of rejected data, control how Internet control packets are treated, and restore the Firewall to the default, factory-fresh settings.

Network Connection Settings

You can remove some network connections from the firewall's scrutiny by unchecking these connections in the Network Connection Settings list. This leaves the other connections still protected by the firewall. You may wish to do this when, for instance, your LAN is professionally protected by a hardware firewall, and you use network services on your LAN that the firewall has trouble with.

In general, though, it's best to leave all of your network connections protected by the firewall, to help prevent the spread of viruses and Trojans around your network should one computer be compromised.

The Settings button lets you change forwarding and ICMP packet filtering for the highlighted connection. This is not useful unless you are using Internet Connection Sharing, and the selected connection is the one being shared. (To be honest, it's hard to understand what Microsoft was thinking here. It would have been very useful if this button let you configure exceptions on an interface by interface basis, but that's not what it does.)

Security Logging

You can have Windows Firewall keep a record of the packets it drops, and optionally of successful connections as well. By default the log is written to pfirewall.log in the Windows folder; the Settings button lets you change its location and maximum size. This may be useful in determining why network connections to your computer are failing, and also to identify when your computer is under attack. This feature was discussed earlier in the chapter under "Monitor Suspicious Activity."
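The log is a plain text file with a #Fields header line, so it is easy to post-process. The following added Python example (not from the book) parses that format, keeps the inbound DROP records, and lists source addresses that were refused on several different ports, the pattern left by a port scan or worm probe rather than a stray packet. The log excerpt embedded in the script is constructed for the example using documentation address ranges; the field names follow the header Windows Firewall writes.

```python
"""Summarize a Windows Firewall log (pfirewall.log).
Added example, not code from the book."""
from collections import defaultdict

# Constructed pfirewall.log excerpt in the W3C-style format Windows Firewall
# writes.  Outside addresses are from the documentation ranges.
LOG_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-03-12 21:14:01 DROP TCP 203.0.113.7 192.168.1.10 4012 135 48 S 2137051291 0 65535 - - - RECEIVE
2005-03-12 21:14:01 DROP TCP 203.0.113.7 192.168.1.10 4013 139 48 S 2137051292 0 65535 - - - RECEIVE
2005-03-12 21:14:02 DROP TCP 203.0.113.7 192.168.1.10 4014 445 48 S 2137051293 0 65535 - - - RECEIVE
2005-03-12 21:14:02 DROP TCP 203.0.113.7 192.168.1.10 4015 1025 48 S 2137051294 0 65535 - - - RECEIVE
2005-03-12 21:14:03 DROP TCP 203.0.113.7 192.168.1.10 4016 3389 48 S 2137051295 0 65535 - - - RECEIVE
2005-03-12 21:14:09 DROP UDP 192.168.1.22 192.168.1.255 137 137 78 - - - - - - - RECEIVE
2005-03-12 21:15:30 DROP ICMP 198.51.100.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-03-12 21:16:02 OPEN TCP 192.168.1.10 198.51.100.50 3046 80 0 - 0 0 0 - - - -
2005-03-12 21:16:40 CLOSE TCP 192.168.1.10 198.51.100.50 3046 80 0 - 0 0 0 - - - -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated line, e.g. one still being written
        yield dict(zip(fields, values))


def inbound_drops(records):
    """DROP records for traffic that arrived from the network."""
    return [r for r in records if r["action"] == "DROP" and r["path"] == "RECEIVE"]


def ports_per_source(drops):
    """Map src-ip -> set of distinct destination ports it was refused on.
    ICMP records carry no port and are left out."""
    seen = defaultdict(set)
    for r in drops:
        if r["dst-port"] != "-":
            seen[r["src-ip"]].add(int(r["dst-port"]))
    return seen


def scan_candidates(text, min_ports=4):
    """Sources refused on at least min_ports distinct ports."""
    drops = inbound_drops(parse_log(text))
    return sorted(ip for ip, ports in ports_per_source(drops).items()
                  if len(ports) >= min_ports)


def action_counts(text):
    """How many DROP / OPEN / CLOSE records the log holds."""
    counts = defaultdict(int)
    for r in parse_log(text):
        counts[r["action"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(action_counts(LOG_SAMPLE))
    for ip in scan_candidates(LOG_SAMPLE):
        print("probable scan from", ip)
```

Point parse_log at the contents of your own pfirewall.log to run it for real. The threshold of four distinct ports is a starting point, not a rule: a single host touching 135, 139, 445, 1025 and 3389 within seconds, as in the sample, is the classic Windows-service sweep, while the lone NetBIOS broadcast from 192.168.1.22 is ordinary LAN chatter the firewall drops every day.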

ICMP

In addition to TCP, UDP, and other data transmission protocols, the Internet makes extensive use of the Internet Control Message Protocol (ICMP), which takes care of housekeeping details such as informing computers of routing problems and data transmission errors. It's also used by the ping program, a very important networking diagnostic tool.

By default, Windows Firewall does not accept any unsolicited incoming ICMP messages. This prevents outside computers from sending you bogus ICMP data that could disrupt your use of the network. You can click ICMP Settings to instruct the firewall to pass any particular ICMP messages that your computer definitely needs to process.

In most cases, ICMP Echo Request (ping) is the only ICMP message that you definitely want to process, so that you can check from another computer whether this one is reachable. And, happily, you don't have to manually check this, as Windows Firewall automatically passes these packets whenever the exception for File and Printer Sharing is enabled. The converse also holds: uncheck File and Printer Sharing, and the computer stops answering pings unless you enable Allow Incoming Echo Request explicitly.

Default Settings

You can restore the firewall to the default settings provided by Microsoft by clicking Default Settings.

However, you should be aware that this will remove entries for programs that may have added their own firewall settings. Furthermore, it will uncheck most of the default entries listed in Table 21.7 including File and Printer Sharing. You will need to recheck the entries for any services you want to make available.



Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
Year: 2003
Pages: 450