In "Meet Windows Firewall" (May 2004, InstantDoc ID 42293), I introduced Windows Firewall, a Windows XP Service Pack 2 (SP2) feature that was called Internet Connection Firewall (ICF) in its previous incarnation. In this column, I want to look more closely at the feature and show you how to fine-tune it for your network's needs. (This article is based on a prerelease version of SP2, and Microsoft might make modifications in the final release.)

Let's look at the nine new Group Policy settings for Windows Firewall and at their corresponding commands. You can find Windows Firewall settings in the Computer Configuration\Administrative Templates\Network\Network Connections\Internet Connection Firewall folder. In that folder, you'll see two subfolders: Domain Profile and Mobile Profile. A computer that has Windows Firewall installed chooses the policy settings for Domain Profile when that computer is logged on to a domain; otherwise, it chooses the settings for Mobile Profile. Both subfolders contain the same nine policy settings.

I showed you the first setting, Operational Mode, last month. The Operational Mode setting gives you three options: Disabled turns off the firewall, Protected turns the firewall on, and Shielded turns the firewall on but isolates the computer from the network more than the Protected setting, which lets you open particular ports. To set the firewall to Disabled, Protected, or Shielded, you use the

netsh firewall ipv4 set opmode

command, followed by either disabled, enabled, or shield. (The command-line commands often describe options with slightly different words than the Group Policy settings.) Thus, to raise the drawbridge and shield your NIC, you'd type

netsh firewall ipv4 set opmode shield

This command strikes me as a good one to put into a batch file. You could then create a shortcut on your desktop to that batch file, call the shortcut Shield this System, then double-click it any time your network falls under attack. To find out how the firewall is set, you can use the command

netsh firewall ipv4 show opmode

Modify Firewall Settings
The next Windows Firewall policy setting is Allow User Preference/Group Policy Settings Merge—a setting that can be confusing. The Windows Firewall documentation states that if this setting is enabled, local administrators can modify the firewall's settings. But does "modify" mean "turn the firewall on or off" or "tweak it by opening or closing ports"? In this case, "modify" means the latter: If enabled, this policy lets a local administrator open or close a port on a system—but not override the Disabled, Protected, or Shielded setting set by a domain policy, assuming that a Windows Firewall-relevant domain policy exists. If you set the policy to Disabled, local administrators have no power over the firewall's behavior.

Confusion sets in when a local administrator tries to override the Windows Firewall settings that a domain Group Policy Object (GPO) creates. A local administrator who types

netsh firewall ipv4 set opmode disable

will get an OK result, and a subsequent Netsh Firewall command will report that the firewall is disabled. However, a look at the properties of the NIC in the Network Connections folder will reveal that the firewall is enabled. A few tests show that the GUI is telling the truth: The domain settings win. Let's hope that this behavior doesn't make it into the final release version.

But the GUI can't always be trusted either. If you set Allow User Preference/Group Policy Settings Merge to Disabled, the GUI is grayed out, and the radio buttons for turning Windows Firewall on or off become unusable. That makes sense. But try enabling the setting, then returning to the Windows Firewall configuration screen. The radio buttons to enable or disable the firewall are now enabled. You can click them and choose OK, and you won't get an error message—but you won't see a change, either. However, as a local administrator, you can use either the command line or gpedit.msc to open and close ports. No command-line equivalent of the Allow User Preference/Group Policy Settings Merge policy setting exists.

Whatever the Program Needs
The next policy setting is the first of seven settings that let you open or—in some cases—close a particular port. The difficult aspect of configuring firewalls to pass a particular kind of traffic (e.g., Web traffic, Active Directory—AD—authentications, email downloads) is knowing which port that traffic needs. The Define Allowable Programs policy setting simplifies that aspect. Recall that, by default, Windows Firewall doesn't block outbound traffic but does block unsolicited inbound traffic. That functionality works fine when your workstation acts as a client that initiates a conversation, such as when you ask your mail server for your mail or a Web server for information. But it doesn't work when your workstation provides a service for others on the network—for example, if you run an email server on your workstation—because the firewall would rebuff clients trying to initiate a conversation with that server program. It also doesn't work in peer-to-peer (P2P) situations such as Instant Messaging (IM), in which two or more systems communicate but act both as clients and servers. Thus, running a server or performing P2P scenarios require opening some ports.

But which ports do you open? By naming a particular program in the Define Allowable Programs setting, you answer the question by simply having Windows Firewall open whatever ports that program needs. To do so, you point the policy setting to the location of the program, determine whether to enable it or disable it (e.g., you might want to create a policy to disable ports for a particular program if that program were a Trojan horse loose on your network), and determine whether to open those ports for the whole world or just for the local subnet.

Suppose I've got an email server program running on my computer at C:\myprogs\serverprog.exe. I don't know which ports it opens, but I want those ports open only to systems on the same subnet as the server. I'd enable the Define Allowable Programs setting, then click Show to get a dialog box that lets me punch in the information for my email server. In that dialog box, I'd type

C:\myprogs\serverprog.exe:LocalSubnet:
  enabled:E-mail server

This line specifies four items, each separated from the rest by colons. The first item is the complete path to the program. You can use environment variables such as %ProgramFiles%, if you want. The next item, LocalSubnet, says to accept incoming traffic on that server's ports from only systems on the same subnet. The third item, enabled, says to permit the traffic. And the fourth item, E-mail server, is merely a label that Windows Firewall can use when reporting on its activity. You can add as many programs as you want.

   Prev. page   [1] 2 3     next page



You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Liked all the command line examples.

DonJuan64- August 03, 2004

Article Rating 4 out of 5

XP Firewall and Stupid Domain Policy

I work for a company that hasn't yet made the leap to XPSP2. I installed it myself to fix a video driver bug. Now I'm setting up a VPN between home and my work computer. I want to use the XPSP2 firewall to block access to Remote Desktop, VNC and telnet normally, but allow it through from the VPN subnet.

I set stuff up through the GUI but discovered I could still telnet and VNC in to my wireless and wired IPs. After playing with netsh, I noticed that the first line of `firewall show config` says "Domain Profile Config Operational mode = Disable"

I'm guessing that my firewall policies are being overridden by a company Domain policy, which they haven't set since they don't yet use XPSP2.

1) Am I right about why my fw doesn't work? 2) Is there any way round it (other than buying a proprietary firewall or, worse yet, trying to convince company tech support to change group policy)?

Anonymous User- November 26, 2004