Windows Firewall

Windows Firewall (previously called Internet Connection Firewall, or ICF) is a software-based, stateful filtering firewall for Windows XP and Windows Server 2003. Windows Firewall provides protection for computers that are connected to a network by preventing unsolicited incoming traffic through TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6). Configuration options include:

  • Configuring and enabling port-based exceptions

  • Configuring and enabling program-based exceptions

  • Configuring basic ICMP options

  • Logging dropped packets and successful connections

Changes to Windows Firewall

In earlier versions of Windows, Windows Firewall was configured on a per-interface basis, so each network connection had its own set of firewall settings. For example, a network might have one set of settings for wireless and another set of settings for Ethernet. This configuration makes it difficult to synchronize firewall settings between connections. Also, new connections do not inherit any of the configuration changes that were applied to the existing connections. Nonstandard network connections, such as those created by proprietary dialers (for instance, ISP-configured dial-up networking connections), cannot be protected.

Global policy makes it easier for users to manage their firewall policy across all network connections and enables configuration through Group Policy. It also allows you to enable applications to work on any interface with a single configuration option.

With global configuration, whenever a configuration change occurs, it applies to all network connections in the Network Connections folder, including any non-Microsoft dialers. When new connections are created, the configuration is applied to them as well. Configuration can still be performed on a per-interface basis. Nonstandard network connections have only global configuration. Configuration changes also apply to both IPv4 and IPv6.

Changes for Audit Logging

To shorten your reaction time to attacks on your system, make auditing the activity of Windows Firewall part of your defense strategy. Use audit logging to track changes that are made to Windows Firewall settings and to identify which applications and services have asked your computer to listen on a port. When audit logging is enabled, audit events are logged in the security event log. Audit logging can be enabled on client computers running Windows XP SP2 and servers running Windows Server 2003 SP1.

To enable audit logging on your computer, complete the following steps:

  1. Log on using an account that is a local administrator.

  2. Click Start, Control Panel, and then click Administrative Tools.

  3. In Administrative Tools, double-click Local Security Policy to open the Local Security Settings console.

  4. In the console tree of the Local Security Settings console, click Local Policies, and then click Audit Policy.

  5. In the details pane of the Local Security Settings console, double-click Audit policy change. Select Success And Failure, and then click OK.

  6. In the details pane of the Local Security Settings console, double-click Audit process tracking. Select Success And Failure, and then click OK.

Tip

You can also use Group Policy to enable audit logging for multiple computers in an Active Directory® directory service domain. Modify the Audit policy change and Audit process tracking settings at Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy for the Group Policy objects in the domain system containers.
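The same two audit settings can be turned on without the console, which is useful when you want the change scripted and verifiable on many servers. The following batch file is an added example and is not from the book: it writes a security template that sets Audit policy change and Audit process tracking to success and failure, applies it with secedit.exe (present on Windows XP and Windows Server 2003), and then exports the effective policy to confirm the values. The file names under %TEMP% are constructed for the example, and the script assumes it is run from a local administrator account.

```batch
@echo off
REM Added example, not from the original text: enable the two audit categories
REM that the GUI procedure above turns on, using a security template and
REM secedit.exe instead of the Local Security Settings console.
REM Assumptions: secedit.exe is available, the script runs as a local
REM administrator, and the file names below are constructed sample values.
setlocal

set TEMPLATE=%TEMP%\wf-audit.inf
set DB=%TEMP%\wf-audit.sdb
set LOGFILE=%TEMP%\wf-audit.log
set EXPORTED=%TEMP%\wf-audit-current.inf

REM Write the security template. In the [Event Audit] section the values mean
REM 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
> "%TEMPLATE%" echo [Version]
>> "%TEMPLATE%" echo signature="$CHICAGO$"
>> "%TEMPLATE%" echo Revision=1
>> "%TEMPLATE%" echo [Event Audit]
>> "%TEMPLATE%" echo AuditPolicyChange = 3
>> "%TEMPLATE%" echo AuditProcessTracking = 3

REM Apply only the SECURITYPOLICY area (account, audit, event log and security
REM options) so that other template areas are left untouched.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /areas SECURITYPOLICY /log "%LOGFILE%" /quiet
if errorlevel 1 (
    echo secedit failed; see "%LOGFILE%"
    exit /b 1
)

REM Verify: export the effective local policy and read the two values back.
REM Both lines should end in "= 3"; anything else means the change did not take.
secedit /export /cfg "%EXPORTED%" /areas SECURITYPOLICY
findstr /i /c:"AuditPolicyChange" /c:"AuditProcessTracking" "%EXPORTED%"

endlocal
```

Once the values read 3, Windows Firewall setting changes and the applications that ask to listen on a port show up in the Security event log, as described above; the export step is the check to keep in a scheduled job, because a later Group Policy refresh can silently override a local setting.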

Changes for Netsh Helper

The Advanced Networking Pack for Windows XP introduced the firewall context of Netsh Helper. It applied only to IPv6 Windows Firewall. With the integration of Windows Firewall and IPv6 Windows Firewall, the firewall context of Netsh Helper no longer has an IPv6 context. This change accommodates the changes to Windows Firewall and the integration of IPv4 filtering configuration options into the existing firewall context of Netsh Helper.

Note

Any existing scripts that use the firewall context that appeared with the addition of the Advanced Networking Pack will no longer work.
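A script written against the integrated firewall context looks like the following. It is an added example, not from the book or from Microsoft, and it walks through the configuration options listed at the start of this section (port-based and program-based exceptions, basic ICMP options, logging) for both the domain and the standard profile, so every setting applies to IPv4 and IPv6 at once. It assumes Windows XP SP2 or Windows Server 2003 SP1 and a local administrator account; the program path, port number and exception names are constructed sample values.

```batch
@echo off
REM Added example, not from the original text: configure Windows Firewall
REM through the integrated "netsh firewall" context that replaced the
REM IPv6-only context of the Advanced Networking Pack. Assumptions: Windows XP
REM SP2 or Windows Server 2003 SP1, run as a local administrator. The program
REM path, port and names below are constructed sample values.
setlocal

REM 1. Firewall on for both profiles, exceptions still honoured.
REM    (exceptions=DISABLE is the "Do not allow exceptions" lockdown mode.)
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2. Log dropped packets and successful connections; size is in KB.
netsh firewall set logging filelocation="%windir%\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE

REM 3. Port-based exception for a constructed intranet service, limited to the
REM    local subnet so the port is not exposed to the Internet.
netsh firewall add portopening protocol=TCP port=8080 name="Intranet service (subnet only)" mode=ENABLE scope=SUBNET profile=ALL

REM 4. Program-based exception: the program may listen on any port, but only
REM    while it runs, only from the local subnet, and only in the standard
REM    profile (the domain profile keeps the port closed).
netsh firewall add allowedprogram program="C:\Program Files\Example\ExampleService.exe" name="Example service" mode=ENABLE scope=SUBNET profile=STANDARD

REM 5. Built-in service exception: Remote Desktop from the local subnet, but
REM    only while the computer is connected to the corporate domain.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=DOMAIN

REM 6. Basic ICMP: allow inbound echo request (type 8) so hosts can be pinged
REM    for troubleshooting; every other ICMP type keeps its default.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL

REM 7. Do not send unicast responses to multicast or broadcast requests, and
REM    keep notifications on so blocked listeners are visible to the user.
netsh firewall set multicastbroadcastresponse mode=DISABLE profile=ALL
netsh firewall set notifications mode=ENABLE profile=ALL

REM 8. Review what was configured and which ports are actually open right now.
netsh firewall show config
netsh firewall show state verbose=ENABLE

endlocal
```

The final two commands are the ones to keep for troubleshooting: show config lists the stored settings per profile, while show state verbose=ENABLE lists the ports that are open at this moment, including ports opened by running programs with an allowedprogram exception, which is the view that tells you whether an exception is broader than intended.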

Windows Firewall New Group Policy Support

The administrator’s ability to manage Windows Firewall policy settings enables applications and scenarios to work in the corporate environment. In earlier versions of Windows, Internet Connection Firewall had a single GPO: Prohibit Use Of Internet Connection Firewall On Your DNS Domain Network. With Windows Server 2003 SP1, you can set every configuration option through Group Policy. The following are some of the new configuration options:

  • Define program exceptions

  • Allow local program exceptions

  • Allow ICMP exceptions

  • Prohibit notifications

  • Allow file and printer sharing exception

  • Allow logging

Each of these objects can be set for both the corporate and the standard profile.

Note

For a complete list of Group Policy options, see "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2" at the Microsoft Download Center at http://go.microsoft.com/fwlink/?linkid=23277. An updated document that covers developments in Windows Server 2003 SP1 will be available before the final release of the service pack.

The IT administrator can now choose the default Windows Firewall policy set—that is, to enable or disable applications and scenarios. This gives the administrator more control, but the policies do not change the underlying functionality of Windows Firewall. Table B-2 lists the changes to Windows Firewall.

Table B-2. Windows Firewall GPO Changes

Location of every setting in this table (Group Policy object): Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall

| Setting | Previous Default Value | Default Value | Possible Values |
|---|---|---|---|
| Protect all network connections | Not applicable | Enabled | Enabled; Disabled |
| Do not allow exceptions | Not applicable | Not configured | Enabled; Disabled |
| Define program exceptions | Not applicable | Not configured | Enabled; Disabled; Program path; Scope |
| Allow local program exceptions | Not applicable | Not configured | Enabled; Disabled |
| Allow remote administration exception | Not applicable | Not configured | Enabled; Disabled |
| Allow file and printer sharing exception | Not applicable | Not configured | Enabled; Disabled |
| Allow ICMP exceptions | Not applicable | Not configured | Echo Request, Source Quench, Redirect, Destination Unreachable, Router Request, Time Exceeded, Parameter Problem, Mask Request, Timestamp Request (each On or Off) |
| Allow remote desktop exception | Not applicable | Not configured | Enabled; Disabled |
| Allow UPnP framework exception | Not applicable | Not configured | Enabled; Disabled |
| Prohibit notifications | Not applicable | Not configured | Enabled; Disabled |
| Allow logging | Not applicable | Not configured | Enabled; Disabled |
| Prohibit unicast response to multicast or broadcast requests | Not applicable | Not configured | Enabled; Disabled |
