XP's built-in Firewall review


Paul Wilders
August 23rd, 2002, 06:49 AM
Windows ICF (Internet Connection Firewall) is the built-in firewall in Windows XP, both the Home and Professional editions. ICF is an excellent personal firewall and will prevent most attacks from the Internet. However, the lack of granular control makes ICF much too restrictive for power users. So, as they say, you can’t live with it, you can’t live without it. For this article, we put ICF into the lab and set our hackers (well, security penetration testers) loose at it to see how good it is. In this article, we will give an overview of ICF, see how ICF performs under a simulated attack, and discuss the pros and cons of ICF.

full article (http://online.securityfocus.com/infocus/1620)

MyNethingyman
August 23rd, 2002, 06:59 AM
How to Manually Open Ports in Internet Connection Firewall in Windows XP (Q308127)
SUMMARY
This article contains the steps to manually open ports in Internet Connection Firewall (ICF) in Windows XP.

MORE INFORMATION
Programs may potentially require ports to be manually opened so that they function properly when ICF is in use either on the local computer or on the gateway computer. You may have to use this procedure if there is a service that is running on a computer that has ICF enabled that you want to make available to users on the Internet.

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q308127





Programs Require Manual Port Configurations with Internet Connection Firewall (Q307554)
This article lists some programs that require you to manually open ports so that the programs can work correctly. To work correctly, some programs need to have specific ports open so that traffic can pass through the Internet Connection Firewall.


http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307554


WinXP Internet Connection Firewall

Windows XP's new Internet Connection Firewall feature lets you protect your machine from malicious users on the Internet.
This Week's Win2K Guest Columnist
Will Schmied
MCP

http://itresources.brainbuzz.com/TechLibrary/GetHtml.asp?ID=1001&CatID=340

Checkout
August 23rd, 2002, 07:09 AM
The average home user will likely say, "Huh?" and turn the damn thing off.

MyNethingyman
August 23rd, 2002, 07:16 AM
Most of them have it on by default and do not even know it ;) ;)

That said...many are now going back and taking a look at it and those links will show them how to do many things with it that others did not think possible.

We even have some who have found out they can still run the ICF and other firewalls at the same time for an extra layer of protection.

In my opinion this stateful package is not a complete write off..in fact there are systems that would be better off with it if they also had IDS and some other tools in place to manage the system..


Enjoy.

JacK
August 23rd, 2002, 07:31 AM
[quote author=MyNethingyman]
Most of them have it on by default and do not even know it ;) ;)

That said...many are now going back and taking a look at it and those links will show them how to do many things with it that others did not think possible.

We even have some who have found out they can still run the ICF and other firewalls at the same time for an extra layer of protection.

In my opinion this stateful package is not a complete write off..in fact there are systems that would be better off with it if they also had IDS and some other tools in place to manage the system..


Enjoy.
[/quote]

Hello,

You do not have any extra layer of protection when running ICF with another decent FW:)

ICF only filters IN, no OUT filtering: it will not prevent any Trojan, spyware, web bugs in HTML mails or other malware already installed from doing their nasty job, nor prevent Windows or installed progies from phoning home....

It's impossible to set a range of allowed/disallowed ports for specific applications, like an FTP server, for instance: if you are using PASV you have to enter each port one by one, just a pain in the a**.

Rgds,
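
Added example (not part of JacK's post and not ICF's actual code): a small Python model of the inbound-only stateful filtering described above, run over constructed packets. The class and function names, the port numbers and the documentation-range addresses are assumptions made for illustration; since such a filter never blocks egress, the only check left to a defender is reviewing the log for outbound flows nobody expected.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    direction: str      # "out" leaves the protected host, "in" arrives at it
    proto: str          # "tcp" or "udp"
    local_port: int
    remote_ip: str
    remote_port: int

@dataclass
class InboundOnlyFilter:
    """Hypothetical model: stateful, filters inbound only, opens single ports."""
    open_ports: set = field(default_factory=set)   # (proto, port), no ranges
    flows: set = field(default_factory=set)        # state created by outbound traffic
    log: list = field(default_factory=list)        # (verdict, packet) per decision

    def open_port(self, proto, port):
        self.open_ports.add((proto, port))

    def handle(self, pkt):
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if pkt.direction == "out":
            # No egress rules exist: every outbound packet passes and creates state.
            self.flows.add(flow)
            verdict = "ALLOW"
        elif flow in self.flows or (pkt.proto, pkt.local_port) in self.open_ports:
            # Reply to something the host started, or a manually opened port.
            verdict = "ALLOW"
        else:
            verdict = "DROP"                       # unsolicited inbound
        self.log.append((verdict, pkt))
        return verdict

def unexpected_egress(log, expected_remote_ports):
    """Defender's review: outbound flows to ports outside the expected set."""
    return [p for _, p in log
            if p.direction == "out" and p.remote_port not in expected_remote_ports]

def run_sample():
    fw = InboundOnlyFilter()
    # Constructed PASV data range: each port needs its own entry.
    for port in range(50000, 50010):
        fw.open_port("tcp", port)
    traffic = [                                    # constructed sample traffic
        Packet("in", "tcp", 135, "203.0.113.9", 40000),    # unsolicited probe
        Packet("out", "tcp", 1045, "198.51.100.7", 6667),  # installed program phoning home
        Packet("in", "tcp", 1045, "198.51.100.7", 6667),   # its reply
        Packet("out", "tcp", 1046, "192.0.2.80", 80),      # ordinary web request
        Packet("in", "tcp", 50003, "203.0.113.20", 41000), # inside opened PASV range
        Packet("in", "tcp", 50010, "203.0.113.20", 41001), # one past the range
    ]
    verdicts = [fw.handle(p) for p in traffic]
    return fw, verdicts

if __name__ == "__main__":
    fw, verdicts = run_sample()
    for (verdict, pkt) in fw.log:
        print(verdict, pkt)
    print("review these:", unexpected_egress(fw.log, {80, 443}))
```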

controler
August 23rd, 2002, 07:44 AM
Nope most puters ship by default with the firewall off. I been using it for a long time now. Hey it don't block outgoing but it does have a log file LOL
I haven't had any conflicts with Outpost and a number of different AV's
I am betting the next version of XP will have a much better firewall attached... crossing fingies

MyNethingyman
August 23rd, 2002, 09:42 AM
Never said shipped out of the box..just by default..although have seen some Dells and others shipped with it installed.

Others here have stated what it will not do..and suggested does not have any extra layer protection when running ICF with another decent FW:)

Most likely you mean another software firewall solution. I don't. First of all ICF is not a true firewall...I am sure we will agree on that...second...most of the software firewalls that sit in your OS are junk..I will point no fingers..and the solution all should be looking at if they can afford it and they have broadband, would be a hardware solution in a router and hopefully with a built in firewall..

All that said..I am not a guy to sell the M$ ICF to anyone..but it will give an extra layer of protection..if you know how to use it and why...


I also think M$ intends to improve on it in the future..and you might be pleasantly surprised what they will come up with now that they are..shall we say ;D ;D ;D Security Conscious.


But for now it is just an easy Target..but will tell you many professionals have it installed and running in many Companies..but they also have other solutions running at the same time at the Corporate level...the home user does not have many options. ::) ::).

But they sure have lots of Marketing Hype to weed through in the process... in the Battle of the Firewalls. I still feel sorry for all those old Black Ice guys getting beat up. :'( :'( :'( :'(

Smiles to ya guys,

John

Checkout
August 23rd, 2002, 09:49 AM
[quote author=MyNethingyman]
most of the software firewalls that sit in your OS are junk
[/quote]

John, you really need to substantiate this rather extreme statement.

MyNethingyman
August 23rd, 2002, 10:15 AM
What do you want substantiated..which ones can be tunneled..which ones can be disabled with a blink of the eye and are now a favorite target of every badboy out there...which ones half the people that use them..must turn them off in order to chat or download peer to peer or play games over the internet..????


I will not get into a firewall war with anyone..systems most of my friends who professionally build systems for others, have that ICF running from the get go..so the people who buy them can last 20 min..on broadband...without getting whacked and they do not end up with extra work themselves.

Sorry Checkout..I am not into naming of products..I think they are all great..I will leave that for those who keep on changing from one to the other..you have one you like..stick with it..but by all means, for anyone, learn how to set it up no matter if it is rules based or just push button.

controler
August 23rd, 2002, 06:19 PM
In my udder posts I have mentioned I use a Linksys Router ;)

Today I am trying out Nod32 and Kerio Firewall, on my experimental
computer running Intel's Internal DSL Modem (Quest)

MyNethingyman
August 23rd, 2002, 06:26 PM
Are you trying out that new NOD32 beta ????...looking good I hear and Kerio is a nice firewall..let me know how it all works out.

controler
August 23rd, 2002, 09:54 PM
So far so good..

Ya know, I was just asking about the NOD-32 Beta yesterday.
Even though I have posted that I have tested for Symantec, Intuit,
Executive software, I am still not good enough to test some of the software advertised here. Guessing the detest for MS, Norton etc.
Anyway, Every once in a while Pepimk allows me to do stuff LOL

Mr.Blaze
August 24th, 2002, 12:33 AM
real old news i happen to know the truth about xp even 4 or 5 months before it came out when it had another name.

if i recall correctly microsoft knew about all the problems but they said if someone wants to hack you they're going to, basically saying they don't care.

picture a spaghetti strainer with quarter size holes and that's windows xp.

it was meant mainly for eye candy and easability, so easy that it was even easy for hackers.

it is a system hog and a security nightmare it is the aol of windows applications lol.

it's sad when a nobody like me knew about xp vulnerabilities and yet people insist on upgrading to it lol.

xp is glorified eye candy that's it

controler
August 24th, 2002, 01:07 AM
Personally, I would rather use XP than any other Windows Operating System. I have my reasons. One being I do some multimedia stuff and wouldn't even think of ever using Windows 98 again.
That's my story and I am sticking to it.
Believe me, if Gates wanted an awesome firewall built in, He could do it.
Maybe he will in the future world.

MyNethingyman
August 24th, 2002, 08:25 AM
I support both of you (Controller and Blaze) in your thoughts and your feelings.

Did I hear someone say WinME? ;) ;) ;)

To put it a little different way....and some thought on the history..Win 98 was built for the sole purpose of launching that IE browser to be a speed demon out of the OS..it was and still is a neat product and I know why Blaze would like it..I do too for many uses. :) :) :) :)


XP starting out as Whistler, by name..is a better product for many other reasons. Decisions to buy it or change over to it have been many..and then of course, which versions do I buy....Home or Pro.

IMHO...

Many have Pro and do not know what they are sitting on in that product..and some should have really purchased the Home versions. The web would be safer that way (ok beat me up again) only for the fact that many just do not have time to learn that OS with their busy schedule like some of you do. So do not get me wrong here. I am not directing any of this to members..just a general comment and I hope that this might help others in the future........

What's the difference between Windows XP Home and Professional editions?



The Home and Professional editions of Windows XP are nearly identical; the only differences are additional features found in the Professional edition that most likely won't appeal to home users. The primary differences, aside from the price and the color of the packaging, are as follows:
Windows XP Home Edition

Contains basic support for multiple users, but all users are "Administrators," so there's no way to set up user accounts with limited privileges. Furthermore, there's no way to secure folders or files from other users on the same machine.
Built-in support for peer-to-peer networking.


Windows XP Professional Edition

Includes extended support for multiple users and profiles, as well as security between users. A user can be an "Administrator" (who has full power to make any changes to the system), or a less-privileged user with a customizable level of privileges. For example, one user's folder can be protected from other users on the same system. Also, you can set up a "guest" account, allowing strangers to use a computer while limiting access to configuration tools and private files.
Built-in support for peer-to-peer networking, plus support for joining a "Windows NT domain."
The Professional edition includes the following components not found in the Home edition:
Administrative Tools (in the Start Menu and Control Panel)
Automated System Recovery (ASR)
Backup
Boot Configuration Manager
DriverQuery
Group Policy Refresh Utility
Multi-lingual User Interface (MUI) add-on
NTFS Encryption Utility
Offline Files and Folders
OpenFiles
Performance Log Manager
Remote Desktop
Scheduled Tasks Console
Security Template Utility
Taskkill
Tasklist
Telnet Administrator
Provides support for multi-processor systems (2 or 4 CPUs), Dynamic Disks, Fax.






Which Edition Is Right for You?


When upgrading to the Microsoft Windows XP operating system, you have a choice between Windows XP Professional and Windows XP Home Edition. Windows XP Professional contains all the features of Windows XP Home Edition, plus extra features for business and advanced home computing. Is Windows XP Professional the best choice?

Ask yourself these five questions to find out which one is right for you:

Do you want to remotely access your computer so you can work with all your data and applications while away from your desk?
Remote Desktop, a feature found only in Windows XP Professional, lets you set up your computer for connection from any other Windows-based computer. Leave a file at home? Don't want to lug a laptop around? Remote Desktop gives you access to your computer from virtually anywhere. More about Remote Desktop.

Do you connect to a large network?
Windows XP Professional is best for people who connect to large networks, such as a school or office network, since it allows you to join and be managed by a Windows domain. More about joining networks.

Do you need to protect sensitive data in files and folders that are stored on your computer?
The Encrypting File System (EFS), found only in Windows XP Professional, allows you to encrypt your files and folders for added security of sensitive data against theft or hackers. Restricted File Access, also found only in Professional, allows you to restrict access to selected files, applications, and other resources. More about EFS.

Do you need the ability to completely restore your system in the event of a catastrophic failure?
Windows XP Professional provides more robust options for backing up and restoring data than Home Edition. More about System Restore and other restore options.

Would you consider yourself a "power user"?
Windows XP Professional contains a number of incremental features too numerous to list here. Suffice it to say, users who demand the most from their computers will want to "go Pro." Some additional features found only in Windows XP Professional are:

Support for multiple-processor systems
Support for multiple languages
Advanced networking for multiple PC environments

More about Windows XP Professional features.

http://www.microsoft.com/windowsxp/whichxp.asp

controler
August 24th, 2002, 11:20 AM
Here is Security Focus's thoughts on XP built in firewall.
They did a great job on it.. ;)
worth reading ;D

Starts here : http://www.net-security.org/news.php?id=862

Then links to below..

http://online.securityfocus.com/infocus/1620

the Tester
August 25th, 2002, 12:06 AM
I have a question about the xp firewall. Is it true that it will conflict with other software firewalls on xp? (I disabled the xp firewall this time around). The reason I'm asking is because I know someone that runs the Norton firewall and hasn't disabled the xp firewall. He hasn't had a problem yet. Any recommendations?

Mr.Blaze
August 25th, 2002, 12:14 AM
i think you're right my friend brenda has norton firewall and it works ok but some of the bigger names like zone alarm and black ice etc have had some stories

Bfarber
October 1st, 2002, 03:16 AM
First of all....

I run XP Home and I love it. A few utilities (namely winipcfg) could have been kept, but the OS itself runs great on my machine.

You DO have the ability to set up user AND administrator accounts with home edition, and you CAN determine whether the user accounts can access various folders, files, applications, etc. I have set up a user account on my machine so my mother in law can check her email at my house while babysitting for me, and she cannot get into any of my folders and she can not install or uninstall programs, she cannot modify or create any user accounts except for her own (and she doesn't have all of the options an admin has). Basically, if you think you need pro ask yourself the following:

Do you need all of the added (little) utilities included in pro?
For example, I can not manage my user accounts from my admin tools>services directory under control panel, whereas in pro you can.

Do you need remote desktop (and don't want to pay for pcanywhere or other shareware remote desktop software)?

Do you need massive encryption (and can you not download freeware programs that can do this better)?

Do you want to spend the extra $100 or so for the minor security and usability features that pro offers?

I have found in my experience that I do not know anyone who is running xp that actually has a need for any of these services included in pro (aside from built in remote desktop).

As for the firewall...I do not think that any built in firewall will actually protect my computer from serious hackers should they find a desire to hack my machine. I have not studied the xp built in firewall much, but I am sure it is not as secure as some of the freeware firewalls available, and certainly not as secure as a $50-$100 router you can buy from e-bay or best buy.

If you are concerned enough to look through all of the responses in this thread to determine if you should use the built in firewall, just go ahead and spend 5 minutes downloading spf or zone alarm or any other firewall that tickles your fancy, but don't leave it up to microsoft to protect your privacy. They are notorious for "spying" on you.

controler
October 1st, 2002, 07:41 AM
I use Home Edition and if you look, you will see Task, Processes and
Services with the option to kill any.
Next, Home Edition DOES have the remote Admin capabilities.
You turn them on and you turn them off. I like to leave mine off LOL
Oh yes and I like to use Tweak UI XP
and of course as you all know a million other products.

CrazyM
October 1st, 2002, 02:45 PM
[quote author=the Tester]
I have a question about the xp firewall. Is it true that it will conflict with other software firewalls on xp? (I disabled the xp firewall this time around). The reason I'm asking is because I know someone that runs the Norton firewall and hasn't disabled the xp firewall. He hasn't had a problem yet. Any recommendations?
[/quote]

In the case of NIS, Symantec does not recommend or support running both. The following is from the release notes of NIS2002 Pro,

Interaction with the Windows XP firewall
Windows XP has a basic built-in firewall which is
superseded by Norton Internet Security Professional.
Although it is possible to run both firewalls
simultaneously, there will be problems with some
protocols (including FTP). Symantec does not support
running both firewalls simultaneously and recommends
disabling the Windows XP firewall before installing
Norton Internet Security Professional.

CrazyM

Pieter_Arntz
October 1st, 2002, 03:02 PM
Can someone please tell me what the word egress means in this sentence ??? :

"the lack of egress filtering is a huge flaw in the design of ICF."

The translations I found don't seem to make sense.

Regards,

Pieter

jvmorris
October 1st, 2002, 05:21 PM
Substitute 'outbound' for 'egress'

Of course, we could get obscure and talk about comesinnas and goesouttas. :D

FanJ
October 1st, 2002, 05:43 PM
[quote author=Joseph V. Morris]
comesinnas and goesouttas. :D
[/quote]

LOL, never heard of this, ;D

jvmorris
October 1st, 2002, 06:03 PM
Courtesy of my grandmother when I was about five or six and running in and out of the house all day during the summer.

"First, you comesinna da house and den you goesoutta da house!"

Also, a favorite expression of many electrical engineers in my experience (but they probably learned it from my grandmother). :P

controler
October 1st, 2002, 08:06 PM
That is like inni and outi LOL

I did post some Windows XP firewall shots on another thread
for KAV's new firewall. Even though Windows XP's firewall does not block outgoing traffic, you do have some options to block incoming and outgoing echo requests etc..
I have run Windows XP's firewall along with Outpost without any trouble.

Pieter_Arntz
October 2nd, 2002, 06:01 AM
[quote author=Joseph V. Morris]
Substitute 'outbound' for 'egress'

Of course, we could get obscure and talk about comesinnas and goesouttas. :D
[/quote]

Thnx,

I think your grandma should write a book about firewalls ;)
Howto keepeminna and ignorewazzoutta

Regards,

Pieter

jvmorris
October 2nd, 2002, 07:02 AM
[quote author=controler]
... I have run Windows XP's firewall along with Outpost without any trouble.
[/quote]

Now, that is interesting to know! I had always thought that Outpost was the one firewall that had been quite up front about one should not run it with another firewall?

But then, I'm still not sure that ICF is really much more than a glorified software NAT router. (Yes, I know ICS and ICF are said to be separate things, but I can't help wondering.) At any rate, I rather suspect that the physical implementation of ICF is more akin to that of a software router than that of a software firewall.

Incidentally, which shows up first in processing inbound? ICF or Outpost? And which shows up first in processing outbound?

root
October 2nd, 2002, 09:54 AM
Hi Joseph. It has been known for awhile that Outpost will work with XPs firewall enabled for some but not all people.
Just so people understand, ZA or Sygate will create massive problems for you if you install Outpost with them. As for other firewalls, Agnitum will not guarantee functioning properly if any other firewall is installed on the same machine. Not much can be done about XP, since Billy boy was so sure everyone just had to have his choice of firewalls. >:(
As for how soon processed, I don't have that information, but I have seen Outpost popup a window when I was offline and installing an updated version of a program that accesses the internet. That seems to be getting it at a pretty low level.

jvmorris
October 2nd, 2002, 10:03 AM
[quote author=root]
. . . .
As for how soon processed, I don't have that information, but I have seen Outpost popup a window when I was offline and installing an updated version of a program that accesses the internet. That seems to be getting it at a pretty low level.
[/quote]

Indeed, almost sounds like hooks into the BDOS, doesn't it?