Windows Firewall debuted with the release of Windows XP, and
Windows XP Service Pack 2 enabled this feature by default. This host-based
stateful firewall replaced Windows’ Internet Connection Firewall.
This feature’s default configuration rejects incoming IP
traffic unless you’ve specifically allowed it. To configure or adjust the Windows
Firewall settings, go to Start | Control Panel, and double-click the Windows
Firewall applet. Let’s take a closer look at the various settings.
Know your options
On the General tab, you can use the On and Off radio buttons
to enable or disable Windows Firewall. You can also choose to disallow
exceptions.
The Exceptions tab includes a list of programs and services
that you can select or deselect to allow or remove access to the network. You
can also add or delete ports (both TCP and UDP).
When adding programs or ports, you also have the following
options to limit the scope of access: Any Computer (Including Those On The
Internet), My Network (Subnet) Only, or Custom List, which allows you to choose
a mix of IP addresses and subnets.
On the Advanced tab, you can choose which connections the
firewall will apply to, and you can specify logging features. You can also
control, with some granularity, how the firewall handles Internet Control
Message Protocol (ICMP) packets.
Finally, if you get completely lost and make changes that prevent
the computer from connecting to the Internet, you can click the Restore
Defaults button. This removes all of your changes, returning Windows Firewall to
the Microsoft default state.
Know how to adjust the settings
You can use the method described above to manually change the
Windows Firewall settings. However, you can also use a variety of methods more
suited for enterprise deployments. Here are some of your options:
- Unattend.txt: You can use this
text file used during unattended setup when deploying multiple systems
that have similar configurations. - Netfw.ini: You can modify and
deploy this file via login scripts or a control system such as Systems
Management Server (SMS). You can find this file in the %windir%\Inf
folder. - Netsh: You can execute this
command at the command prompt or through a scripted batch file deployed at
login. - Group Policy: In an Active Directory
environment you can use Group Policy to deploy Windows Firewall configurations.
Update existing Group Policy Objects with the Windows Firewall policy
settings from the updated System.adm template included with Windows XP
SP2. You can find these new settings under Computer Configuration |
Administrative Templates | Network | Network Connections.
Of course, all of these available configuration and
deployment options beg the question: Does this firewall adequately protect your
computer?
Weigh the pros and cons
The Windows Firewall does a good job of proxying inbound
responses to outbound connection requests, and it does a good job of blocking
inbound connection requests for TCP or UDP conversations that you haven’t
initiated. It will block any connection attempts that you haven’t specifically
allowed in the settings. However, that’s only half of what a firewall needs to
do.
A firewall should also monitor, inspect, and proxy outbound
communication—and this is where Windows Firewall fails. Any program on your
computer can initiate any type of connection to any IP address on the Internet,
and the Windows Firewall will sit by passively and let it happen!
Don’t let any prompts fool you: Even though it tells you a
program has initiated a connection to the Internet and asks if you want to
allow this connection, the connection has already occurred. What it’sreally asking is whether you want to
allow the Internet to connect to this program.
Final thoughts
As far as I’m concerned, a firewall mechanism that only
works one way is a security feature—not a firewall. Thanks to viruses, worms, Trojans,
and a host of other malware and spyware that arrive on your computer daily, you
need to be able to control communications from both directions.
Every computer connected to any network (e.g., dial-up,
Ethernet, or wireless) needs a firewall, and Windows Firewall just isn’t up to
the task. Find yourself a free firewall or pay for one from a reputable vendor,
but don’t let Windows Firewall fool you into thinking it completely protects
your computer. Half a firewall is no better than no firewall at all.
Miss a column?
Check out the Security Solutions Archive,
and catch up on the most recent editions of Mike Mullins’ column.
Worried about security issues? Who isn’t? Automatically
sign up for our free Security Solutions newsletter, delivered each Friday,
and get hands-on advice for locking down your systems.
Mike Mullins has served as an assistant
network administrator and a network security administrator for the U.S. Secret
Service and the Defense Information Systems Agency. He is currently the
director of operations for the Southern Theater Network Operations and Security
Center.