Windows Firewall and Windows XP


The Internet Connection Firewall (ICF), renamed Windows Firewall in Windows XP Service Pack 2 (SP2), is a simple stateful host firewall that is part of the Windows XP operating system. In essence, Windows Firewall provides the same core functionality that other personal firewall products on the market provide: stateful connection tracking, and configurable exceptions for the specific inbound traffic that is wanted.

Windows Firewall is bundled with every current version of Microsoft's operating systems. The same firewall is also available in Windows Server 2003 Standard and Enterprise editions (from Service Pack 1 onward).

Essentially, Windows Firewall is the next version of Microsoft's ICF. It provides basic filtering on Windows XP and Windows Server 2003 so that an administrator or end user can limit the traffic reaching the system; it filters inbound traffic only and does not filter traffic leaving the system. Its stateful behavior is limited to letting in the replies to connections the system itself initiated. Everything else is governed by a simple access-list style set of exceptions, and the firewall looks only at the network and transport layers (Layers 3 and 4 of the OSI model); it performs no application-layer inspection. This makes it most useful for end users who do not require complex firewall capabilities and are looking for a simple packet filter to block typical Windows services such as NetBIOS, Remote Procedure Call (RPC), and others from being reached over the network.

How Windows Firewall Works

By default, Windows Firewall comes with an assigned security profile. This profile defines what are termed "exceptions" for File and Printer Sharing, Remote Assistance, Remote Desktop, and Universal Plug and Play (UPnP), scoped to the local subnet. The local subnet is the network that the system is directly connected to. If the system is connected to multiple networks (for example, if it has multiple interfaces), each of those network ranges is considered part of the local subnet. The exceptions open the ports listed in Table 4-1.

Table 4-1. Default Windows Firewall Profile Exceptions

Service                     TCP Ports   UDP Ports   Program
File and Printer Sharing    139, 445    137, 138    -
Remote Assistance           -           -           C:\Windows\system32\sessmgr.exe
Remote Desktop              3389        -           -
UPnP Framework              2869        1900        -

Note that by default only the Remote Assistance exception is enabled. Although the other exceptions are created in the profile, they are not enabled. Figure 4-1 shows the default configuration for the Windows Firewall.

Figure 4-1. Windows Firewall Default Configuration


Starting with Windows XP SP2, Windows Firewall is turned on by default. Third-party firewall vendors typically let users turn off Windows Firewall during installation of their product so that two host firewalls do not run side by side.

Configuring Windows Firewall

Configuring Windows Firewall is fairly straightforward. To open Windows Firewall, go to Start and choose Control Panel. This will open the Control Panel window as shown in Figure 4-2.

Figure 4-2. Windows XP Control Panel


Choose Security Center at the lower-right corner of the window to open the Windows Security Center window. Choose Windows Firewall at the lower-left corner, as shown in Figure 4-3.

Figure 4-3. Windows Security Center


This opens the Windows Firewall window. The settings on the General tab determine whether the firewall is on or off. As mentioned earlier, Windows Firewall is on by default since the release of Windows XP SP2. You have three options with the Windows Firewall: on, on without exceptions, and off (as shown in Figure 4-4).

Figure 4-4. General Tab of the Windows Firewall


When the firewall is turned on, the user can run it either with the exceptions specified on the Exceptions tab or with no exceptions at all. Microsoft recommends that when accessing a network such as a public wireless network (say at Starbucks or a T-Mobile hotspot in an airport) the firewall be set to on without exceptions. This setting blocks other users on the public wireless network from reaching shares or any other listening service on the firewall-protected system.

When the system is on a safer network (such as a home office or a local office LAN), you can set the firewall to on with exceptions to allow file sharing and Remote Assistance. These default exceptions are activated on the Exceptions tab of the Windows Firewall policy, as shown in Figure 4-5. The exceptions exist so that the system can participate in a Windows network environment and make its folder and file shares available to other systems on the local network. Remember that exceptions should be turned on only in known, secure networks. Such a network may be a home network or a corporate LAN, and it cannot be precisely defined in all cases. Note also that Windows XP cannot tell a home network from a public hotspot: it has only a domain profile (used when a domain controller is reachable) and a standard profile (used everywhere else), so a laptop that moves between a home LAN and public networks has to be switched to no exceptions by hand before it leaves. When in doubt, consult the network administrator regarding the security of the local network, or simply do not allow exceptions.

Figure 4-5. Default Exceptions for Windows Firewall


Adding an exception to the default Microsoft policy is relatively simple. Exceptions can be added either as specific network ports or as programs that are to be reachable from the network. To add a program to the exceptions list, click the Add Program button in the lower left of the Exceptions tab. Doing so opens a new window listing the installed programs that can be added to the exceptions list, as shown in Figure 4-6. Choose the specific program to be added (or browse to its executable).

Figure 4-6. Program Exception List


There is a difference between adding a program to the exceptions list and statically opening a TCP or UDP port. A program exception permits inbound traffic to whatever ports that executable is listening on, and only while it is listening; when the program exits, the ports close again. A static port exception is open whenever the firewall is running, regardless of which process, if any, is listening on the port. The consequence of a program exception is that if another application binds the same port, the firewall will not pass traffic to it, because it is not the program named in the exception. For a service that should be reachable only while it runs, the program exception is therefore the safer choice.

To specify which computers can reach the ports that the program listens on, change the scope of the exception. To do so, click the Change Scope button at the lower-left corner of the window. Doing so opens the Change Scope window shown in Figure 4-7. Here you can enter a custom list of IP addresses or subnets that are allowed to use the exception. Alternatively, the entire local subnet, or any computer (including those on the Internet), can be given access; the last option should be avoided for anything other than a service deliberately exposed to the Internet.

Figure 4-7. Changing Scope


To add a port to the exceptions list, click the Add Port button on the Exceptions tab. Doing so opens the Add a Port window. As shown in Figure 4-8, here the user can enter the name of the service as well as a comma-separated list of ports that the service requires to be open in the firewall in order to be accessible to other systems. The UDP or TCP button on the window must be selected to define the specific transport protocol, too.

Figure 4-8. Add a Port Window


For home use, the ports that typically need to be reachable from the local network are UDP/137, UDP/138, and TCP/139 (NetBIOS over TCP/IP) together with TCP/445 (SMB directly over TCP); all four are covered by the File and Printer Sharing exception. TCP/135 is the RPC endpoint mapper rather than a NetBIOS port; it is needed only by remote-management tools that use RPC and should be opened only when such a tool is actually in use. It may also be desirable to open TCP/3389 (for Microsoft Remote Desktop). In each case, restrict the scope of the exception to the local subnet rather than any computer.

Finally, the Advanced tab allows the user to choose the interfaces on which Windows Firewall is enabled and to configure logging: whether dropped packets and successful connections are recorded, the log file location (by default %windir%\pfirewall.log), and its maximum size. In addition, specific Internet Control Message Protocol (ICMP) messages can be allowed through the firewall to ease debugging of connectivity problems. A last-resort Restore Defaults button is also available, which returns the Windows Firewall configuration to its out-of-the-box settings. Figure 4-9 shows the Advanced tab.

Figure 4-9. Windows Firewall Advanced Tab
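The same configuration driven from the command line, as an added example that is not from the book: the netsh firewall context in Windows XP SP2 and Windows Server 2003 SP1 exposes every setting described in the GUI steps above, from the General tab through the Advanced tab. The program path C:\Tools\vncserver.exe, the exception names, and the address ranges are placeholders for this example; run the script from an administrator account.

```powershell
# Added example (not from the book): the GUI steps above, driven through the
# "netsh firewall" context of Windows XP SP2 / Windows Server 2003 SP1.
# Program path, rule names and address ranges are placeholders.

# --- General tab ------------------------------------------------------------
# XP has only two profiles: DOMAIN (a domain controller is reachable) and
# STANDARD (everything else: home LAN and coffee-shop hotspot alike).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=STANDARD
# Before taking a laptop onto a public network, switch to "Don't allow exceptions":
#   netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

# --- Exceptions tab: the built-in services from Table 4-1 -------------------
# File and Printer Sharing from the local subnet only, never "any computer".
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET profile=STANDARD
# Remote Desktop (TCP/3389) restricted to an explicit list of management hosts.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=192.168.1.10,192.168.1.11 profile=STANDARD
# Disable UPnP unless a device on the LAN genuinely needs it.
netsh firewall set service type=UPNP mode=DISABLE profile=ALL

# --- Exceptions tab: "Add Program" versus "Add Port" ------------------------
# Program exception: the VNC port is reachable only while this executable listens.
netsh firewall add allowedprogram program=C:\Tools\vncserver.exe name="VNC Server" mode=ENABLE scope=SUBNET profile=STANDARD
# Static port exception: open whenever the firewall runs, whatever process listens.
netsh firewall add portopening protocol=TCP port=5900 name="VNC static" mode=ENABLE scope=CUSTOM addresses=192.168.1.0/24 profile=STANDARD

# --- Advanced tab -----------------------------------------------------------
# ICMP: type 8 is inbound echo request (lets others ping this host); 3 and 11
# are outbound Destination Unreachable and Time Exceeded, which traceroute and
# failed connection attempts depend on.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL
netsh firewall set icmpsetting type=3 mode=ENABLE profile=ALL
netsh firewall set icmpsetting type=11 mode=ENABLE profile=ALL
# Log dropped packets (cheap, and the only record of what was blocked); log
# successful connections only while debugging.
netsh firewall set logging filelocation="$env:windir\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE
# Do not accept unicast replies to this host's own broadcast/multicast queries.
netsh firewall set multicastbroadcastresponse mode=DISABLE profile=ALL
# Per-interface switch (not recommended on laptops; shown for completeness):
#   netsh firewall set opmode mode=DISABLE interface="Local Area Connection"

# --- Verify what is actually in force before leaving the machine --------------
netsh firewall show state
netsh firewall show config
# Equivalent of the Restore Defaults button:
#   netsh firewall reset
```

The script deliberately configures the standard profile, because that is the profile a home system or a roaming laptop runs under; on a domain-joined desktop the same lines would use profile=DOMAIN. The two VNC lines exist side by side only to show the difference between a program exception and a static port opening; in practice you would keep one of them.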


Windows Firewall Features

Windows Firewall replaces the ICF in Windows XP SP2 (Internet Connection Sharing itself remains available). Essentially, Windows Firewall provides the following features over the ICF:

  • The ability to specify options on a global level so that they apply to all connections.

  • An operating mode that does not allow exceptions.

  • Startup security (covered below).

  • IPv4 traffic scoping. The end user can specify that the firewall accept traffic from specific IP addresses.

  • The ability to specify exceptions by service or by program.

  • IPv6 support.

Of particular interest is the new startup security. Whereas ICF became active only after the system had booted and the Service Control Manager had started the ICF service, Windows Firewall is active from the very start. During system boot, Windows Firewall applies a built-in boot-time policy that permits only the traffic needed for basic networking, such as Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and communication with domain controllers, and blocks all other inbound traffic until the boot process has completed. Only then is the policy configured by the user applied to the firewall, so there is no window during startup in which services are listening unprotected.

Windows Firewall Checklist

When configuring Windows Firewall, you must configure several features depending on the system role in the network. The answers to the following questions will depend on whether the system will connect using a public network (such as a wireless network in a coffee shop or a library) or a private network (such as a corporate LAN or home network) or both. Additionally, Windows Firewall settings on servers that may be configured as a web server, an authentication server, or a database server will differ from the settings on a simple desktop or laptop system. You can use this checklist to help ensure that the Windows Firewall settings are appropriate for a given system.

  • Does Windows Firewall need to be enabled?

Since Windows XP SP2 the firewall is on by default, so the real question is whether there is a reason to turn it off, such as a third-party host firewall that replaces it. The answer hinges on whether the system may ever be attached to a network less secure than the one it was set up for, which is a far more pressing concern for laptops than for desktop systems that never leave the office.

  • What exceptions (if any) should be configured in the Windows Firewall policy?

    Remote Desktop?

    To allow an external user to access the system using Microsoft Remote Desktop Client.

    File and Printer Sharing?

    This is necessary to share files with other users and systems as well as print documents.

    Other services?

    Should other services such as Remote Assistance, Virtual Network Computing (VNC), or Internet Information Services (IIS) be accessible through the firewall?

  • Should the exceptions be configured as programs or as ports?

    If you configure an exception as a program, the firewall only allows the traffic through while the specified program is running and listening. Otherwise, the traffic is blocked. However, if the exception covers a set of services, such as Windows File and Printer Sharing, it may be easier to configure it as a list of network ports rather than as programs, or to use the built-in service exception, which already covers the right ports.

  • For which interfaces should Windows Firewall be configured?

    The end user or administrator needs to decide whether all network interfaces will have the firewall active or just those that may be exposed to "insecure" networks. This typically applies to desktops with multiple interfaces but can also apply to laptops with both a wired and a wireless interface. In some cases (such as a laptop with a built-in wireless interface), it is best to apply the firewall to all interfaces to ensure that attackers cannot slip by through an active wireless connection.

  • Which ICMP types should be allowed through the firewall?

    At the very least, allow incoming ICMP echo requests (so that the host answers ping from the addresses you administer from) and outgoing ICMP Destination Unreachable and Time-To-Live (TTL) Exceeded messages (so that failed connections and traceroute report properly); these are the settings that matter when debugging network connectivity problems. Echo replies to pings the host itself sends are already admitted by the firewall's state tracking.

  • Should logging be configured?

    Logging dropped packets costs little and is the only record of what the firewall blocked, so it is worth leaving on with a sensible size limit. Logging successful connections generates far more entries and can slow a busy system; turn it on only while debugging a problem with the firewall.

After you have answered all of these questions, you can appropriately configure the firewall for the system. One item to consider is that if logging is configured, who will be reading the logs and how often? It is of little value to configure logging if no one actually looks at the logs.
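An added example, not from the book, of what "actually looking at the logs" can mean in practice: a PowerShell 2.0 script that parses the W3C-format pfirewall.log written by Windows Firewall, counts dropped inbound packets per destination port, and flags any source that probed several distinct ports, which is what a scan from a neighbour on the local subnet looks like. The log entries are constructed for the example; the #Fields header is the layout Windows Firewall writes. On a real system replace the embedded text with Get-Content on the log file, as the comment shows.

```powershell
# Added example (not from the book): summarise dropped inbound traffic in
# pfirewall.log. Requires PowerShell 2.0 or later. The entries are constructed
# for this example; on a real system use:
#   $lines = Get-Content "$env:windir\pfirewall.log"
$lines = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2006-03-14 08:02:11 DROP TCP 192.168.1.77 192.168.1.10 1043 135 48 S 2211873 0 65535 - - - RECEIVE
2006-03-14 08:02:11 DROP UDP 192.168.1.77 192.168.1.10 1044 137 78 - - - - - - - RECEIVE
2006-03-14 08:02:12 DROP TCP 192.168.1.77 192.168.1.10 1045 139 48 S 2211874 0 65535 - - - RECEIVE
2006-03-14 08:02:12 DROP TCP 192.168.1.77 192.168.1.10 1046 445 48 S 2211875 0 65535 - - - RECEIVE
2006-03-14 08:02:12 DROP TCP 192.168.1.77 192.168.1.10 1047 3389 48 S 2211876 0 65535 - - - RECEIVE
2006-03-14 08:05:40 OPEN TCP 192.168.1.10 10.1.1.5 1048 80 0 - 0 0 0 - - - -
2006-03-14 08:09:03 DROP TCP 10.1.1.200 192.168.1.10 52011 3389 48 S 9003111 0 65535 - - - RECEIVE
2006-03-14 08:09:04 DROP TCP 10.1.1.200 192.168.1.10 52012 3389 48 S 9003112 0 65535 - - - RECEIVE
2006-03-14 08:10:30 DROP ICMP 10.1.1.200 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
'@ -split "`r?`n"

# Turn each data line into an object whose property names come from the
# "#Fields:" header, so the script keeps working if Microsoft reorders columns.
$fields = @()
$records = foreach ($line in $lines) {
    if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
    if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }
    $values = $line -split '\s+'
    $rec = @{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
    New-Object PSObject -Property $rec
}

# Only inbound drops say who is knocking; OPEN/CLOSE entries are this host's
# own connections and are logged only when connection logging is enabled.
$drops = @($records | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' })

'Dropped inbound packets by protocol and destination port:'
$drops | Group-Object -Property protocol, 'dst-port' | Sort-Object -Property Count -Descending | ForEach-Object {
    '{0,-5} {1,6} {2,5}' -f $_.Group[0].protocol, $_.Group[0].'dst-port', $_.Count
}

''
'Sources that hit three or more distinct ports (the shape of a subnet sweep):'
$drops | Group-Object -Property 'src-ip' | ForEach-Object {
    $ports = @($_.Group | ForEach-Object { $_.'dst-port' } | Sort-Object -Unique)
    if ($ports.Count -ge 3) {
        '{0,-15} {1} drops, ports {2}' -f $_.Name, $_.Count, ($ports -join ', ')
    }
}
```

With the constructed entries, the second report singles out 192.168.1.77, which walked the NetBIOS, SMB, RPC, and Remote Desktop ports within a second, while 10.1.1.200 (two Remote Desktop attempts and a ping) stays below the threshold. Run the script from a scheduled task or by hand on a regular cadence; a log that nobody reads, as the text notes, adds nothing.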




Firewall Fundamentals
ISBN: 1587052210
Year: 2006
Pages: 147
