Overview
Windows XP Service Pack 2 (SP2) includes the new Windows
Firewall. Windows Firewall is a stateful host-based firewall
that drops unsolicited incoming traffic, that is, traffic that is
neither a response to a request made by the computer (solicited
traffic) nor unsolicited traffic that has been explicitly allowed
(excepted traffic). Windows Firewall therefore provides a level
of protection against malicious users and programs that rely on
unsolicited incoming traffic to attack computers on a network.
This document discusses some of the common tasks that need
to be performed in order to customize the Windows Firewall.
How To Create an Exception
In this section we discuss how to create a port or program
exception in the Windows Firewall. To begin working with the
Windows Firewall we need to open the Windows Firewall dialog
box. This can be done through the [Control Panel] by clicking
[Windows Firewall]. A dialog box like the following should
appear.

Observe that in the dialog box above the Windows Firewall is enabled,
because the [On] button is selected. You can disable the Windows
Firewall by selecting the [Off] button. This is how to disable the
Windows Firewall if you need to do so in order to troubleshoot, or
because you choose to use a different firewall.
In order to create a port or program exception, we need to
click the [Exceptions] tab. Once the [Exceptions] tab is clicked,
you will see the options below. The first column, with check
boxes, indicates whether a given policy is enabled (checked)
or disabled (not checked). The second column lists the name
of the service. The third column lists exceptions that apply
because the host is a member of Active Directory. The items set
by Active Directory have [Yes] in the Group Policy column. These
settings are a general set of exceptions needed by many lab
systems to allow the IT division backup software to work and the
IT division help desk to connect to your computer.

If you want to enable additional exceptions, notice that
some common services, such as "File and Printer Sharing",
already have an exception entry created for you. If you want
an exception for [File and Printer Sharing] all you need to
do is click the predefined [File and Printer Sharing] check
box. If you want an exception for a program or service not
listed, use the [Add Program] or [Add Port] buttons. These
buttons allow you to create an exception for a single port
or program. For details about the difference between port
and program exceptions please see the Reference
section.
Below we demonstrate how to create a port exception for a
commonly used port, 22/tcp. Simply click the [Add Port] button
and the following dialog box will appear.

In the dialog box enter the name of the service and the port
number to be given an exception. You will also need to specify
whether the exception is for TCP or UDP. One other important
set of options to consider are the options under [Change scope].
Clicking [Change scope] brings up the following dialog box.

The scope settings specify the hosts that are allowed to
take advantage of the exception you have created in the Windows
Firewall. The first option [Any computer] means that anyone
on the Internet, inside or outside the Lab, has an exception
in your Windows Firewall. The second option [My network only]
means that only computers on your subnet (typically in your
building) can take advantage of the exception. The third option
[Custom list] allows you to specify exactly which computers
or subnets can take advantage of the exception. In the example
above we specify the LBL address range, which means any computer
plugged into the wire at Berkeley Lab has an exception.
Please keep in mind that CPP
minimum security requirements state that "service
offerings must be limited to systems and networks requiring
access to the service".
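The same steps can be carried out from the command line with the netsh firewall context that ships with XP SP2. The block below is an added example written for this document, not part of the original how-to; it assumes an Administrator command prompt, and LBL_RANGE is a placeholder because the page refers to the LBL address range without stating it.

```batch
@echo off
REM Added example (not part of the original LBL how-to): netsh firewall
REM equivalents of the dialog-box steps above, for Windows XP SP2.
REM Run from an Administrator command prompt.

REM Confirm the firewall is on (the [On] button) before creating exceptions.
netsh firewall show state

REM Turn the firewall off only for troubleshooting, and turn it back on afterwards.
REM netsh firewall set opmode mode=DISABLE
netsh firewall set opmode mode=ENABLE

REM Predefined exception: File and Printer Sharing, limited to the local subnet
REM (the [My network only] choice in the scope dialog).
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET

REM Port exception for 22/tcp with a [Custom list] scope. LBL_RANGE is a
REM placeholder: the page mentions the LBL address range but does not give it.
set LBL_RANGE=REPLACE_WITH_LBL_ADDRESS_RANGE
netsh firewall add portopening protocol=TCP port=22 name="SSH" mode=ENABLE scope=CUSTOM addresses=%LBL_RANGE%

REM scope=ALL would be the [Any computer] choice, which opens the port to the
REM whole Internet; it does not meet the CPP requirement quoted above for a
REM service that only lab systems need.

REM Review the result; this output mirrors the [Exceptions] tab.
netsh firewall show portopening
netsh firewall show service
```

The addresses= value accepts a comma-separated list of addresses and subnets, so a custom scope can name several lab subnets rather than one; keep the list as small as the service's actual users allow.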
Handling Windows Firewall Popups
In addition to exceptions your host acquires from Active
Directory and exceptions you create in the Windows Firewall,
Windows also attempts to prompt you when it detects a program
running that may require an exception in the Windows Firewall.
In the following dialog box notice the option that says [Display
a notification when Windows Firewall blocks a program].

If this option is selected, Windows Firewall will prompt
you when it detects a program running that may require a Windows
Firewall exception. An example of the prompt is below.

In the above example I ran an X server, which in an insecure
mode requires port 6000/tcp open. The Windows Firewall is
alerting me that Windows detected that an exception may be
needed. At this point I have three options.
My first option is to [Keep Blocking]. Windows will create
an entry for the port or program in the Windows Firewall,
so I will not be prompted in the future, but the entry will
not be enabled, i.e. it will not be checked; see Xwin in the
previous graphic. The second option is to [Unblock]. Windows will
create an entry for the port or program in the Windows Firewall,
so I will not be prompted in the future, and enable the entry,
i.e. it will be checked. The third option [Ask Me Later] does
nothing; it pretends this event never occurred. No entry is
created in the Windows Firewall, so you will be prompted again
if this event occurs. In this example, I choose to [Keep Blocking]
since my X server is tunneled over SSH and this exception
is not required.
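The notification setting and the effect of the [Keep Blocking] and [Unblock] buttons can be reproduced with netsh as well. This block is an added example for this document, not the author's own commands; the program path is an assumed placeholder, and treating a disabled program entry as the equivalent of [Keep Blocking] follows the description above.

```batch
@echo off
REM Added example (not part of the original how-to): netsh firewall
REM equivalents of the popup behaviour described above, for XP SP2.
REM Run from an Administrator command prompt.

REM The [Display a notification when Windows Firewall blocks a program] box.
netsh firewall set notifications mode=ENABLE
netsh firewall show notifications

REM Assumed placeholder path; the page names the program only as Xwin.
set PROG=C:\REPLACE_WITH_PATH\Xwin.exe

REM [Keep Blocking]: an entry exists so there is no further prompt, but it is
REM unchecked (mode=DISABLE), so 6000/tcp stays closed. This is the right
REM choice when the X traffic is tunneled over SSH.
netsh firewall add allowedprogram program="%PROG%" name="Xwin" mode=DISABLE

REM [Unblock] would create the entry checked instead. If it is ever needed,
REM limit it to the subnet rather than leaving the default [Any computer] scope.
REM netsh firewall add allowedprogram program="%PROG%" name="Xwin" mode=ENABLE scope=SUBNET

REM [Ask Me Later] creates no entry, so there is nothing to run for it.

REM Confirm the entry is present but disabled, as on the [Exceptions] tab.
netsh firewall show allowedprogram
```

Checking show allowedprogram after a prompt is a quick way to audit what has been unblocked on a machine over time, since every [Unblock] click leaves an enabled entry behind.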
References
For detailed information about configuring the Windows Firewall
please see the following Microsoft article, which discusses each
of the Windows Firewall settings in detail.
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx