Windows Firewall Overview & Tips

Discussion in 'other firewalls' started by CrazyM, Oct 11, 2004.


    A few tips for those that will be using the Windows Firewall in XP SP2.

    "Windows XP Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the feature previously known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful host firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that use unsolicited incoming traffic to attack computers. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall does not drop outgoing traffic." Microsoft

    So to clarify, while this stateful firewall monitors both outbound and inbound network traffic, there is no outbound application control. If this is something you want, you will need to run a third party software firewall that offers this and disable the Windows Firewall.

    With SP2 the Windows Firewall is enabled by default and only users within the Administrator group can make changes to Windows Firewall. The firewall can be accessed via the Security Center or Control Panel.

    As noted above, by default the firewall will permit all outbound and deny all inbound.


    In order to effectively troubleshoot connection problems and/or firewall settings, enable logging (it is disabled by default). Logging options are found on the Advanced tab; select "Log dropped packets". You also have the option to log connections and to change the default log location and size.


    To help make the raw log file a little easier to read, third party utilities are available. One example is Personal Firewall Log Reader.
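As an added example (not from the original post, and not the utility mentioned above), this PowerShell function reads the log written when "Log dropped packets" is enabled, uses the log's own "#Fields:" header to name the columns, and counts unsolicited inbound drops per source and local port. The sample log lines are constructed, not a real capture.

```powershell
# Added example: summarise unsolicited inbound drops from a Windows Firewall log.
# The log is W3C-style text with a "#Fields:" header naming the columns; the
# header is parsed so the column order does not have to be hard-coded.
# The sample log below is constructed for this example, not a real capture.

function Get-FirewallDropSummary {
    param([string[]]$Lines)
    $fields = $null
    $drops  = @{}
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # skip the other header lines, blank lines, and anything before the header
        if ($line -like '#*' -or $line.Trim() -eq '' -or $null -eq $fields) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        # keep only dropped packets that arrived from the network (path RECEIVE)
        if ($rec['action'] -ne 'DROP' -or $rec['path'] -ne 'RECEIVE') { continue }
        $key = '{0} from {1} to local port {2}' -f $rec['protocol'], $rec['src-ip'], $rec['dst-port']
        $drops[$key] = 1 + [int]$drops[$key]
    }
    $drops.GetEnumerator() | Sort-Object Value -Descending |
        ForEach-Object { [pscustomobject]@{ Drops = $_.Value; Flow = $_.Key } }
}

# Constructed sample in the XP SP2 log format (version 1.5, 17 fields)
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-10-11 20:15:01 DROP TCP 192.168.1.77 192.168.1.10 3345 445 48 S 2881123 0 65535 - - - RECEIVE
2004-10-11 20:15:02 DROP TCP 192.168.1.77 192.168.1.10 3346 139 48 S 2881124 0 65535 - - - RECEIVE
2004-10-11 20:15:05 DROP UDP 192.168.1.77 192.168.1.10 1026 1026 412 - - - - - - - RECEIVE
2004-10-11 20:15:09 DROP TCP 192.168.1.77 192.168.1.10 3347 445 48 S 2881125 0 65535 - - - RECEIVE
2004-10-11 20:15:10 OPEN TCP 192.168.1.10 192.168.1.1 1045 80 - - - - - - - - -
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sampleLog | Format-Table -AutoSize
# On a real system: Get-FirewallDropSummary -Lines (Get-Content "$env:windir\pfirewall.log")
```

Repeated drops to the same local port from one source are the pattern worth checking against your Exceptions list and the scope you gave each entry.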


    The Exceptions tab is where users define what traffic to allow inbound through the firewall, by port or by application, and further restrict the scope of that traffic. Allowing inbound traffic is not generally recommended, but some applications require inbound connections to function properly (some messaging programs, file transfers, games).

    "Don't allow exceptions" is something that can be toggled off and on, is located on the General tab, and will override listed exceptions. An example where this could be used would be in the case of laptops. You may have exceptions that are safe while connected to a trusted work/home LAN, but would want to disable them when travelling and connecting to foreign networks.

    Defining exceptions is where application control does make an appearance in the new Windows Firewall. When an application establishes a listening network connection (acts as a server), the firewall will block it and prompt the user for an action: Keep Blocking, Unblock, Ask Me Later.


    In this example SolarWinds TFTP server established a listening connection and generated the Windows Security Alert. As with any firewall, if the application is unknown to you, untrusted, or one you do not want to allow server rights, Keep Blocking. In the case of trusted applications you want to allow as servers, i.e., the TFTP server, you can Unblock. Either way, the application will show up on the Exceptions list.


    If you Unblocked the application, it will show with a checkmark on the list. Applications where Keep Blocking was chosen will show on the list, but no checkmark. Ask me later results in no entry on the list until a choice is made.

    You do not want to stop here when Unblocking (allowing server rights) for an application. From the Exceptions list highlight the application and select Edit.


    The Edit a Program window will display the file path of the application and more importantly the Change scope button.


    Here you can define what remote networks/systems will be allowed to use this exception (inbound connection): Any computer (including those on the Internet), My network (subnet) only, or Custom list. Use Any only if absolutely necessary. If you can restrict this access to specific systems/networks, then do so. In this example the Custom list was used to restrict access to a router on the LAN.

    Applications can also be added manually by using the Add Program button in the Exceptions tab.


    From here you can browse for the application, select it and Change scope.
    When you create and restrict your Exceptions by application, the Windows Firewall will monitor the application and manage ports that need to be added to excepted traffic.

    You can also manually Add a Port (service) from the Exceptions tab.


    The Add a Port window lets you name the service, define the port, define the protocol and Change scope.

    The default Exceptions list has some services already entered to simplify things. Of note to users who have a home network (LAN) is File and Printer Sharing. Simply check this entry to Unblock, and be sure to check that the scope is limited to My network (subnet) only. This is done by highlighting the service and then clicking the Edit button.


    The ports associated with file and printer sharing will be listed in the Edit Service window along with the current scope (subnet is the default). The scope for each port listed can be modified if desired. If you use the custom option to restrict these exceptions further, keep in mind that UDP 137 and 138 use broadcasts and are probably best left at My network (subnet) only. "When you enable the pre-defined File and Printer Sharing exception, Windows Firewall also allows incoming ICMP Echo messages."

    When working in the Exceptions tab anything defined here is applied globally to all interfaces and any new interfaces. Should you need connection (interface) specific settings they can be defined when in the Advanced tab.


    Select the interface and then settings. Any settings defined here will override global settings.

    Under the Advanced tab you will also find the settings for ICMP. Here you can define excepted ICMP traffic, but the selection is somewhat limited.


    Most users will not need to add/change anything here. The most likely exception is Allow incoming echo request (ping), which may be required by some applications/games. Some exceptions may also be required here when troubleshooting network connection issues with your ISP.

    This is a quick overview of settings within Windows Firewall for home users. Additional links are provided below for further information. Please start a new post for any discussions and/or questions on the Windows Firewall.

    One additional note:
    "The Windows Firewall API makes it possible to programmatically manage the features of Windows Firewall (formerly known as Internet Connection Firewall) by allowing applications to create, enable, and disable firewall exceptions." MSDN
    What this means in relation to system security is that applications (when run under an Administrator account) can now add themselves to, and change, the exceptions in the Windows Firewall without a user prompt. So be sure to follow best practices: do not run or install unknown/untrusted applications, routinely check your exceptions list, and remove anything that does not need to be there.
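As an added example (not from the original post or from Microsoft), this PowerShell script reads the current profile's exceptions through the same Windows Firewall API (the HNetCfg.FwMgr COM object) that applications can use to add themselves, and flags every enabled entry whose scope is "Any computer"; the API stores that scope as RemoteAddresses "*" and "My network (subnet) only" as "LocalSubnet". It assumes it is run from an Administrator account on XP SP2 or later.

```powershell
# Added example: audit Windows Firewall exceptions via the HNetCfg.FwMgr COM object.
# Flags enabled exceptions whose scope is "Any computer" (RemoteAddresses "*"),
# which is exactly what a quietly self-registered program is likely to ask for.
# Assumption: run from an Administrator account on XP SP2 or later.

function New-ExceptionEntry {
    param($Type, $Name, $Detail, $RemoteAddresses, $Enabled)
    $flag = if ($Enabled -and $RemoteAddresses -eq '*') { 'REVIEW: open to any computer' } else { '' }
    [pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail
                       Scope = $RemoteAddresses; Enabled = $Enabled; Flag = $flag }
}

function Get-FirewallExceptionReport {
    $mgr     = New-Object -ComObject HNetCfg.FwMgr
    $profile = $mgr.LocalPolicy.CurrentProfile
    # General tab state: firewall on/off and the "Don't allow exceptions" override
    Write-Host ("Firewall enabled: {0}  Don't allow exceptions: {1}" -f `
        $profile.FirewallEnabled, $profile.ExceptionsNotAllowed)
    $report = @()
    # Program exceptions (created by Unblock or Add Program)
    foreach ($app in $profile.AuthorizedApplications) {
        $report += New-ExceptionEntry 'Program' $app.Name $app.ProcessImageFileName `
            $app.RemoteAddresses $app.Enabled
    }
    # Port exceptions (Add Port); Protocol 6 = TCP, 17 = UDP
    foreach ($port in $profile.GloballyOpenPorts) {
        $proto = if ($port.Protocol -eq 6) { 'TCP' } else { 'UDP' }
        $report += New-ExceptionEntry 'Port' $port.Name ('{0} {1}' -f $proto, $port.Port) `
            $port.RemoteAddresses $port.Enabled
    }
    # Pre-defined services such as File and Printer Sharing
    foreach ($svc in $profile.Services) {
        $report += New-ExceptionEntry 'Service' $svc.Name `
            ('{0} port(s)' -f $svc.GloballyOpenPorts.Count) $svc.RemoteAddresses $svc.Enabled
    }
    $report
}

# Flagged entries sort to the top; compare them with what you knowingly allowed
Get-FirewallExceptionReport | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Anything flagged that you did not add yourself is a candidate for removal or for narrowing with Change scope.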

    Windows Firewall
    understanding Windows Firewall
    Troubleshooting Windows Firewall settings in Windows XP Service Pack 2

    Security Center
    Manage Your Computer's Security Settings in One Place
    How to Disable Firewall Alerts
    How to Disable Antivirus Alerts
    How to use the Security Alert dialog box in Windows XP Service Pack 2

    MS General Security
    Security at Home, Protect Your PC

    MS XP Service Pack 2
    Changes to Functionality in Microsoft Windows XP Service Pack 2

    Firewall Log Reader
    Personal Firewall Log Reader
    Last edited: Oct 12, 2004