How to harden your XP (Pro) firewall

This is a way to harden your Windows XP (Pro) firewall against termination. I mention the Pro version specifically because it's done via a Group Policy (not available on the Home version) tweak.

One thing I've noticed from fixing other people's computers is that the XP firewall has the tendency to be terminated by malware semi-easily. It won't be so susceptible after this tweak.

First of all I recommend deleting everything from the "exceptions" list in your Windows Firewall that you can. For me this leaves 4 things left. And uncheck those 4. Nothing should need unsolicited inbound connections to function properly... period. Also check the "Don't Allow Exceptions" box in the main tab. And otherwise make sure you have all the settings the way you want them before we do this tweak, because afterward they'll be greyed out.

If you don't know how to get into your Group Policy: Go into your Control Panel > Administrative Tools. Right click somewhere in the open (white) space and go to New > Shortcut. In the box asking for the location of the item type "gpedit.msc" (without the quotes). Then it'll ask you to name it. I think Group Policy is quite fitting.

Now go in there, and go to: Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall. Under that heading will be 2 sections: Domain Profile & Standard Profile. Set the same rules for both profiles:

The main thing is the first 4 things on the list: Protect all network connections (Enabled), Do not allow exceptions (Enabled), Define program exceptions (Disabled), Allow local program exceptions (Disabled).

There are 14 things on the list in all, starting with "Protect all network connections", and ending with "Allow local port exceptions". I personally set rules for them all, thusly:

Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Disabled
Disabled

Again, I set these same rules for both the Domain & Standard profiles. You may prefer yours a bit different (allowing logging, etc...). But set them all as you see fit.

You may have to reboot your computer for it to take effect (I forget). But anyhow, when you go into your Windows Firewall again you'll see that all the options are greyed out, you can't change them. The good thing is... neither can malware.

To test this without infecting yourself, try installing Comodo Firewall once, both before & after making these tweaks. If you do it before-hand, Comodo will disable your Windows Firewall after installing itself. Many 3'rd party firewalls will, since it's (generally) not safe to run more than one FW at a time. But I can assure you that the XP FW & Comodo run seamlessly together, and the former adds an extra layer of inbound protection. I don't doubt that most (if not all) 3'rd party FW's integrate seamlessly with it as well.

After the tweaks, you'll see that installing Comodo does not disable it... because it cannot.

This eliminates the one glaring weakness of the XP firewall and makes it a sufficient (and much stronger) inbound (only) FW.

... pass it on to your computer illiterate family/friends that can't grasp an outbound firewall. Or for people that simply care not for outbound filtering, and want to maintain a nice light setup without fear of their much maligned (largely unfairly) XP FW failing them.

 

lucid, thank you. I have an old machine and prefer the XP Pro Firewall so things can run lighter. After the tweak I wonder if I can still go into services and disable/enable the firewall manually. Also, I'm using the Windows 7 Firewall Control for XP. We'll see how this goes for awhile.

 

I'm honestly not sure. Never tried it. To harden it even more run as a LUA. Then you can't even modify the GP setting to change it back if you wanted to.

Or with the right GP edits you can run a very safe admin. Hardened but still very usable. If you find running LUA overkill. Almost a psuedo-LUA even.

And thanks for the love. At first I see nobody respond and I'm like: "and nobody cares..." lol. Most in here probably already know even. But I see so many posts about complicated outbound FW/HIPS configurations and just wanted to post a simple way to harden the much maligned (largely unfairly, IMO) XP FW. For people that care not for outbound control and just want to keep it light... a hardened XP FW + router is perfectly sufficient.

 

Wow! I'm going to look into this a bit more. One thing I'd like to check out and that is the ability to make changes if necessary and that's the only thing. Its really a shame that Microsoft wants to retire my XP Pro and i think others will agree..

Thanks..
Hogndog

 

The whole point of this really though is to not be able to make a change, even if you wanted to. If you can't even disable the thing yourself, malware will have a pretty tough go at it as well.

I believe in hardening the OS and cutting out as many attack vectors as possible, and leaving less work for your security software.

I'm in no hurry to change OS's either, but at the same time I have no reservations about 7. It's a nice OS too. I hope that support continues for it for a very long time as was the case with XP. My current box will live on as a retro gaming console mainly (lots of emulators/roms and other retro games on here). And for my music. And sensitive stuff I'd rather have off-line. So XP (and this box) will continue to be a part of my life, maybe forever.

 

I was just going to say the same by this comment you made..

"you can't change them. The good thing is... neither can malware."

 

Hi luciddream,

Any tips for Win XP (Home) Firewall?

Thanks.

 

I wonder the same thing for my XP Home netbook.

 

For Windows XP Home Edition you can use Kerio Firewall 2.1.5. This is the last version that was free and it is very good. Better than Windows Firewall from Windows XP, it has outbound control and consumes very few system resources. Google it.

 

Or I could use any other third party fw. I know that. This thread is about hardening XP Pro fw. I wanted to get tips for XP Home fw too. I don't see your point in suggesting to replace XP fw with another fw. XP Pro fw could also be replaced by any other fw.

 

Actually, the Group Policy options are saved in Windows Registry. If a malware application executes on your computer, it can modify by itself the same settings that you have modified by Group Policy and think that they are bulletproof. Unfortunatelly, there isn't a real solution to make Windows Firewall from Windows XP better than it is. There are no hidden tips&tricks that will make your computer safer by using Windows XP firewall. This is just an illusion and this is the reason why I recommended a different solution.

 

Okay I understand now.

 

I don't recall using the term "bullet proof". Nothing is. But this certainly hardens it against termination, quite a bit in fact. I've yet to see anyone's box I've applied this tweak to have their FW disabled afterward.

And any 3'rd party FW you'd use instead would create registry keys of their own... keys that could fall victim to the same type of corruption. So I guess all this security is really an "illusion" in the end. Anything that creates registry values is.

Bullet/full proof isn't an option. That won't stop me from trying to make things as difficult as possible for malware. And running as a limited user, with these tweaks... I'd like to see something get into my registry and modify those values once to disable my XP FW without my administrator password.

 

Thanks a lot luciddream. Didn't notice about your post since I rarely drop by the Firewall forums... I'm still on XP mostly because of insufficient funds to upgrade my hardware, let alone getting a new box. This procedure really is what I was looking for, and as said by you and others, doesn't matter if it's not 100% effective, it adds security to a light & simple setup.
I really thank you for sharing this.

Cheers!

 

Thanks as well for the XP firewall tip. Have been using your config for the past week along with sandboxie in a LUA account and so far no problems.

 

Also using folder permissions, or what I like to call "Unsimple file sharing" can help. For those unfamiliar go into your Folder Options, "View" tab. Untick what should be the last/bottom box: "Use simple file sharing (Recommended)"

Now go in My Computer and right click on any partition, go to Properties. You'll notice a "Security" tab that wasn't there before. In here you can fine tune permissions for your limited account. Especially useful if you have a dedicated OS partition, isolated from everything else. You can make it so that your limited account can't modify anything in the OS. You aint disabling your FW with the right tweaks in there... and if you can't, then malware will certainly have a tough go at it.

I grant my LUA's 1 partition to download data to, to be able to use (but not modify) my programs (with a few exceptions), and pretty much isolate it from everything else. And run like this all the time. Using my admin acct. once a month for "update day".

You can even harden your admin account(s) a bit to, once again, create kind of a psuedo-LUA. Maybe to prevent that aforementioned "registry based termination" from occurring, but while still maintaining most functionality with less constraints than a LUA.

Do your research on how to utilize folder permissions before just jumping in there and winging it, mind you... you can really fudge things up.

 

I haven't run XP for quite a long time but still, without even trying, somehow this looks like a good guide

 

I already had that option unticked as well. I also installed comodo firewall D+ to go along with the xp firewall config as suggested above. Along with MBAM pro and Sandboxie pd., everthing seems to be running quite smoothly.

 

Hey, sorry for not responding but I really couldn't think of anything off-hand for Home.

SuRun is a great tool for XP Home users. Your XP FW can certainly be better off as a result if utilized properly, and then some. You can create a very functional/user friendly LUA with it. Here's a good rundown of it:

http://www.dedoimedo.com/computers/surun.html

 

That's a darn fine (& light) setup you've got there bro! I think MBAM Pro is not even necessary. If you're using Firefox maybe the addons NoScript & WOT can be your real-time anti-malware solution/alternative. And the "Malware Domains" subscription for Adblock Plus. Lighter, and along with safe browsing habits will render any AV moot (not to mention Sandboxie & Macrium do already : )