SlideShare ist ein Scribd-Unternehmen logo

Wfinf guide

Als DOC, PDF herunterladen
B
BABIS2
TechnologieNews & Politik
1 von 15
Windows XP OEM Preinstallation Kit Design Notes Microsoft® Windows® Family of Operating Systems Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 MICROSOFT CONFIDENTIAL - PROVIDED UNDER NDA DO NOT REDISTRIBUTE July 14, 2004 Abstract: Microsoft Windows XP Service Pack 2 (SP2) includes significant enhancements to the Windows Firewall component (formerly known as the Internet Connection Firewall). Windows Firewall is a stateful host firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP SP2 enables Windows Firewall on all network connections by default. Network administrators can use the Windows Firewall .inf file (Netfw.inf) to modify default settings either before installation or after installation. This article describes the usage of the Windows Firewall .inf file.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. © 2004 Microsoft Corporation. All rights reserved. Microsoft, Win32, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States or other countries or regions. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents Overview...................................................................................................................................4 Scenarios for Modifying Default Windows Firewall Configuration.............................................4 Location of Windows Firewall .Inf File.......................................................................................5 Methods for Replacing the Default Windows Firewall Configuration........................................5 Default Windows Firewall .Inf File.............................................................................................6 Configuration Options Provided in the Windows Firewall .Inf File.............................................7 Changing Windows Firewall’s Default Operational Mode....................................................7 Disabling Windows Firewall’s Notifications..........................................................................8 Blocking Unicast Responses to Multicast and Broadcast Packets.......................................9 Enabling Remote Administration..........................................................................................9 Allowing ICMP Messages through Windows Firewall........................................................10 Adding Static Ports to Windows Firewall’s Default Exceptions List....................................11 Adding Programs to Windows Firewall’s Default Exceptions List......................................12 Defining the Scope for an Entry in the Windows Firewall .Inf File...........................................14 Summary.................................................................................................................................15 Related Links..........................................................................................................................15
Overview Windows XP Service Pack 2 (SP2) includes significant enhancements to Windows Firewall, formerly known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful, host-based firewall that drops all unsolicited, incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited, incoming traffic to attack computers. A new feature in Windows XP SP2 is the enabling of Windows Firewall by default during an installation of Windows XP or during an update to Windows XP SP2. Because Windows Firewall is enabled by default, network administrators need the flexibility to modify the default configuration of Windows Firewall during the installation of Windows XP SP2 and after its installation. Typical configuration modifications include adding programs to Windows Firewall’s exception list or disabling Windows Firewall, for example, if a third-party, host-based firewall is already installed and enabled. Windows Firewall can be preconfigured by modifying the Windows Firewall .inf file, named Netfw.inf, in which Windows Firewall’s default configuration is stored. During an installation of or an update to Windows XP SP2, Windows Firewall imports its configuration from this .inf file. This means that any modifications made to the Windows Firewall .inf file before an installation of Windows will automatically be incorporated into the default configuration of Windows Firewall. Scenarios for Modifying Default Windows Firewall Configuration The following are common scenarios for modifying the default configuration of Windows Firewall. Third-Party Firewall-Enabled An original equipment manufacturer (OEM) may choose to provide its customers with a third-party, host-based firewall. If this firewall is enabled by default, then it is recommended that Windows Firewall be disabled. This can be done by modifying the Windows Firewall .inf file to disable Windows Firewall by default. Preinstalled Programs An OEM or enterprise may choose to install a suite of programs by default. Some of these programs may need to receive unsolicited, incoming traffic in order to function correctly. Windows Firewall can be configured to enable specific, unsolicited, incoming traffic by default by adding the programs to the Windows Firewall’s exceptions list. This can be done by adding entries for the programs to the Windows Firewall .inf file. Only programs that require unsolicited, incoming traffic should be added to the exceptions list; programs that do not require unsolicited, incoming traffic should not be added to the exceptions list.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 5 Pre-Opened Ports An enterprise may choose to use various network services and want to ensure that the network traffic for those services is enabled by default through Windows Firewall. For example, an enterprise may use some of the remote management functionality included in Windows XP. You can configure Windows Firewall to open the necessary ports by default by adding them to the Windows Firewall’s exceptions list. Specifically, you can add entries for the TCP or UDP ports to the Windows Firewall .inf file. Statically opening ports does potentially increase a computer’s exposure to attack, so the number of ports opened in Windows Firewall by default should be at a minimum. Location of Windows Firewall .Inf File On a Windows XP CD image, the location of the Windows Firewall .inf file is: Cd_drive:I386Netfw.in_ Note: On a Windows XP CD image, the file’s name is Netfw.in_ (not Netfw.inf). This is for signing purposes. If an OEM modifies this file, the file must also be re-signed. After the installation of Windows XP SP2, the location of the Windows Firewall .inf file is: %WINDIR%InfNetfw.inf Methods for Replacing the Default Windows Firewall Configuration Method 1: Pre-Installation 1. Copy the default Windows Firewall .inf file (Netfw.in_) from a Windows XP SP2 CD image. 2. Make the desired modifications to the .inf file. Directions for modifying the .inf file are provided in the "Configuration Options Provided in the Windows Firewall .Inf File" section of this article. 3. Save the modified .inf file as Netfw.in_. 4. Sign the modified Netfw.in_. 5. Replace the default Netfw.in_ with the modified Netfw.in_ in the Windows XP SP2 CD image. 6. Install Windows XP SP2 from the modified Windows XP SP2 CD image. © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 6 Method 2: Post-Installation 1. Copy the default Windows Firewall .inf file (Netfw.inf) from an installation of Windows XP SP2. 2. Make the desired modifications to the .inf file. Directions for modifying the .inf file are provided in the "Configuration Options Provided in the Windows Firewall .Inf File" section of this article. 3. Save the modified .inf file as Netfw.inf. 4. Replace the default Netfw.inf with the modified Netfw.inf in the installation of Windows XP SP2. 5. Run the netsh firewall reset command on the computer running Windows XP SP2. You can do this manually by typing the command at a command prompt or by including the command in a run-once script. Default Windows Firewall .Inf File The default contents of the Netfw.inf file are the following: [Version] Signature = "$Windows NT$" DriverVer =07/01/2001,5.1.2600.2132 [DefaultInstall] AddReg = ICF.AddReg.DomainProfile AddReg = ICF.AddReg.StandardProfile [ICF.AddReg.DomainProfile] HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll.-22019" [ICF.AddReg.StandardProfile] HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll.-22019" The first two sections of Netfw.inf contain versioning and configuration information, and do not need to be modified. The sections that are significant for modifying the default configuration for Windows Firewall are the following: • [ICF.AddReg.DomainProfile] – Windows Firewall maintains two sets of configuration known as profiles. One profile is used when a computer is connected to the domain to which it is joined, while the other profile is used when the computer is not connected to its domain. This section is for defining changes to Windows Firewall’s default configuration when a computer is connected to a network that contains its domain. • [ICF.AddReg.StandardProfile] – This section is for defining changes to Windows Firewall’s default configuration when a computer is not connected to a network that contains its domain. If a computer is not a member of a domain, then Windows Firewall will always enforce the configuration stored in the Standard Profile. © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 7 Configuration Options Provided in the Windows Firewall .Inf File The majority of the default configurations for Windows Firewall can be defined in the Windows Firewall .inf file. This includes the following settings: • Operational mode • Disable notifications • Block unicast responses to multicast and broadcast packets • Enable Remote Administration • Enable ICMP messages • Open ports • Enable programs These settings are described in the next sections. Notes: All of the settings made in the Windows Firewall .inf file will be applied to all of a computer’s network interfaces. You cannot open ports nor enable ICMP messages for individual interfaces through the Windows Firewall .inf file. Logging settings cannot be defined through the Windows Firewall .inf file. Changing Windows Firewall’s Default Operational Mode • Windows Firewall can be placed in one of three operational modes: • On – This is the default operational mode for Windows Firewall. In this mode, Windows Firewall drops all unsolicited, incoming traffic, except those matching enabled entries in Windows Firewall’s exceptions lists. Because this is the default operational mode, no entries need to be included in the Windows Firewall .inf file. • The assumed entries for the Domain Profile in the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file are: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","EnableFirewall",0x00010001,1 • The assumed entries for the Standard Profile in the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file are: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","EnableFirewall",0x00010001,0x00000001 © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 8 • On with No Exceptions – In this mode, Windows Firewall blocks all unsolicited, incoming traffic, even those matching enabled entries in Windows Firewall’s exceptions lists. • To make this the default operational mode for the Domain Profile, add the following entries to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DoNotAllowExceptions",0x00010001,1 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","EnableFirewall",0x00010001,1 • To make this the default operational mode for the Standard Profile, add the following entries to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DoNotAllowExceptions",0x00010001,1 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","EnableFirewall",0x00010001,1 • Off – In this mode, Windows Firewall is disabled and does not do any filtering of unsolicited, incoming traffic. All unsolicited, incoming traffic is enabled, and Windows Firewall does not help to protect the computer from network attacks. • To make this the default operational mode for the Domain Profile, add the following entries to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","EnableFirewall",0x00010001,0 • To make this the default operational mode for the Standard Profile, add the following entries to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","EnableFirewall",0x00010001,0 Disabling Windows Firewall’s Notifications By default, Windows Firewall displays a notification to users when a program not already included in the Windows Firewall exceptions list uses the new Windows Firewall APIs to add itself or its traffic to an exceptions list. By adding the appropriate entries to the Windows Firewall .inf file, these notifications can be disabled in either or both of Windows Firewall’s profiles. • To disable notifications by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 9 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DisableNotifications",0x00010001,1 • To disable notifications by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DisableNotifications",0x00010001,1 Blocking Unicast Responses to Multicast and Broadcast Packets By default, Windows Firewall enables incoming, unicast-response packets to a port for three seconds after a multicast or broadcast packet is sent from the port. By adding the appropriate entries to the Windows Firewall .inf file, this behavior can be disabled in either or both of Windows Firewall’s profiles. • To block unicast responses to multicast and broadcast packets by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DisableUnicastResponsesToMulticastBroadcast",0x00010001,1 • To block unicast responses to multicast and broadcast packets by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DisableUnicastResponsesToMulticastBroadcast",0x00010001,1 Enabling Remote Administration Windows Firewall includes a Remote Administration option that alters its configuration to enable Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) communication. Enabling this option statically opens TCP 135 and TCP 445 to unsolicited, incoming traffic. Additionally, communication over named pipes is permitted, and ports are dynamically opened as needed by Windows services using RPC. By adding the appropriate entries to the Windows Firewall .inf file, you can enable the Remote Administration option in either or both of Windows Firewall’s profiles. • To enable Remote Administration by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileRemoteAdminSettings","Enabled",0x00010001,1 • To enable Remote Administration by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileRemoteAdminSettings","Enabled",0x00010001,1 When enabling Remote Administration, the set of IP addresses from which unsolicited, incoming traffic is accepted can also be specified through an additional entry in the appropriate section of the Windows Firewall .inf file. © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 10 To define the default scope for Remote Administration in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileRemoteAdminSettings","RemoteAddresses",0x00000000,scope To define the default scope for Remote Administration in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileRemoteAdminSettings","RemoteAddresses",0x00000000,scope Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall .Inf File" section of this article. Allowing ICMP Messages through Windows Firewall While the default configuration for Windows Firewall blocks all ICMP message types, you can modify this behavior by adding entries to the Windows Firewall .inf file that enable certain ICMP message types by default. To enable an ICMP message type by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileIcmpSettings","ICMP Message Type",0x00010001,1 To enable an ICMP message type by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileIcmpSettings","ICMP Message Type",0x00010001,1 Both of these entries require an ICMP Message Type to be specified. The permitted values for ICMP Message Type are listed in Table 1. Table 1. ICMP Message Types ICMP Message Type Number Description AllowOutboundPacketTooBig 2 When an Internet Protocol version 6 (IPv6) packet is too large to be forwarded, data is dropped and a computer replies to the sender with a Packet Too Big message. AllowOutboundDestinationUnreachabl 3 Sent data that fails to reach this e computer due to an error is discarded and reported with a Destination Unreachable message explaining the failure. AllowOutboundSourceQuench 4 When a computer’s ability to process incoming data cannot keep up with the rate of a transmission, data is dropped and the sender is © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 11 asked to transmit more slowly. AllowRedirect 5 Data sent from a computer is rerouted. AllowInboundEchoRequest 8 Messages sent to a computer are repeated back to the sender. This is commonly used for troubleshooting (for example, to ping a computer). AllowInboundRouterRequest 10 A computer responds to router discovery messages. AllowOutboundTimeExceeded 11 When a computer discards a packet because its hop count was exceeded or it ran out of time to assemble fragments of a packet, it replies to the sender with a Time Exceeded message. AllowOutboundParameterProblem 12 When a computer discards data that it has received because of a problematic header, it replies to the sender with a Parameter Problem error message. AllowInboundTimestampRequest 13 A confirmation message is sent, indicating the time that the data was received at a computer. AllowInboundMaskRequest 17 A computer listens for and responds to requests for a network subnet mask. Adding Static Ports to Windows Firewall’s Default Exceptions List In Windows XP SP2, Windows Firewall maintains an exceptions list for each of its two profiles. When in normal operation, Windows Firewall statically opens ports that are included in its current profile’s exceptions list. It is generally recommended that programs be added to the exceptions list, instead of statically opening ports. This enables Windows Firewall to open and close ports dynamically and to minimize the number of ports open at any one time. It is recognized, however, that there are scenarios in which ports need to be statically opened. For example, a static port may need to be opened in order for a Windows service to receive unsolicited, incoming traffic. To support such scenarios, OEMs have the ability to add static ports to either or both of Windows Firewall’s default exceptions lists through the Windows Firewall .inf file. To add a static port to the Domain Profile’s exceptions list, an entry in the following format should be added to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 12 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileGloballyOpenPortsList","port number:protocol",0x00000000, "port number:protocol:scope:mode:port’s friendly name" To add a static port to the Standard Profile’s exceptions list, an entry in the following format should be added to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileGloballyOpenPortsList","port number:protocol",0x00000000, "port number:protocol:scope:mode:port’s friendly name" In the two entries above, the following elements must be defined, based upon the port added to Windows Firewall’s default exceptions lists and the desired behavior: • port number – A port is specified by the combination of a protocol and a port number. The port number must be between 1 and 65535 inclusive. • protocol – A port is specified by the combination of a protocol and a port number. The protocol must be either TCP or UDP. • scope – Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall .Inf File” section of this article. • mode – An entry can be added to Windows Firewall’s default exceptions lists as either enabled or disabled. The two permitted values for this element are Enabled and Disabled. If a port’s entry is enabled, the port will be statically opened in Windows Firewall. If a port’s entry is disabled, the port will not be statically opened in Windows Firewall. • port’s friendly name – This is the description that will be used to represent the entry for Windows Firewall in Control Panel. It should provide an indication of why the port is statically opened, such as "Web Server (TCP 80)" or "Telnet Server (TCP 23)". As an example for opening a port, two entries are required to enable the static port used by the Internet Key Exchange (IKE) protocol, which uses UDP 500, for a scope of all IP addresses in the default exceptions lists for both of Windows Firewall’s profiles. This entry is added to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileGloballyOpenPortsList","500:UDP",0x00000000,"500:UDP:*:enabl ed:IKE (UDP 500)" This entry is added to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileGloballyOpenPortsList","500:UDP",0x00000000, "500:UDP:*:enabled:IKE (UDP 500)" Adding Programs to Windows Firewall’s Default Exceptions List In Windows XP SP2, Windows Firewall maintains an exceptions list for each of its two profiles. When in normal operation, Windows Firewall dynamically opens the ports used by programs in its current profile’s exceptions list. The Windows Firewall .inf file can be used to add programs to either or both of Windows Firewall’s default exceptions lists. © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 13 Only programs that actually require unsolicited, incoming traffic should be added to the exceptions lists; there is no benefit to adding programs that use only outgoing connections to the exceptions lists. To add a program to the Domain Profile’s exceptions list, an entry in the following format should be added to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","program’s image path",0x00000000,"program’s image path:scope:mode:program’s friendly name" To add a program to the Standard Profile’s Exceptions List, an entry in the following format should be added to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","program’s image path",0x00000000,"program’s image path:scope:mode:program’s friendly name" In the two entries above, the following elements must be defined, based upon the program added to Windows Firewall’s default exceptions lists and the desired behavior: • program’s image path – This is the fully qualified path for the file to be added to Windows Firewall’s default exceptions lists. It may include environmental variables, such as %ProgramFiles%. • scope – Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall .Inf File” section of this article. • mode – An entry can be added to Windows Firewall’s default exceptions lists as either enabled or disabled. The two permitted values for this element are Enabled and Disabled. If a program’s entry is enabled, ports are dynamically opened in Windows Firewall for the program when it opens ports. If a program’s entry is disabled, ports will not be dynamically opened in Windows Firewall for the program. • program’s friendly name – This is the name that is used to represent the entry in the Windows Firewall user interface. It should include the product name and publisher, such as MSN Messenger v6.1 or AOL Instant Messenger v5.5. As an example of enabling programs, two entries are included in the Windows Firewall .inf file to enable Remote Assistance with a scope of all IP addresses in the default exceptions lists for both Windows Firewall profiles. This entry is included in the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" This entry is included in the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 14 Defining the Scope for an Entry in the Windows Firewall .Inf File When enabling Remote Assistance, opening a port, or enabling a program, the set of IP addresses from which the unsolicited, incoming traffic is enabled can be defined. This set of IP addresses from which unsolicited, incoming traffic is enabled is the scope of the exception. There are three options for defining the scope for a Windows Firewall exception. • All IP addresses – This is the default scope for a Windows Firewall exception, and it enables unsolicited, incoming traffic that matches the exception from any computer. In the Windows Firewall .inf file, making an entry’s scope element an asterisk ("*") results in a scope of all IP addresses for the entry. • Local subnet only – This scope enables unsolicited, incoming traffic that matches the exception from any computer on the same subnet as the network connection on which the traffic was received through Windows Firewall, while dropping unsolicited, incoming traffic from all other computers. When a computer’s subnet changes, the set of enabled IP addresses dynamically changes to match the new subnet. In the Windows Firewall .inf file, making an entry’s scope element LocalSubnet results in a local subnet-only scope for the entry. • Custom – The final option is to define a custom scope, which is a list of IPv4 addresses and address ranges that typically correspond to subnets. Unsolicited, incoming traffic that matches the exception and originates from a computer with an IPv4 address in the defined list is enabled through Windows Firewall. Unsolicited, incoming traffic from computers with IPv4 addresses that are not in the list is dropped. A custom scope can include the local subnet (using the "LocalSubnet" string), IPv4 addresses, and IPv4 address ranges, but cannot include IPv6 addresses and IPv6 address ranges. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask notation or a prefix length (w.x.y.z/n). When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). Some examples of custom scope elements include the following: • 192.168.0.5 • 192.168.0.0/255.255.255.0 • 192.168.0.5,LocalSubnet • 157.54.0.1,172.16.0.0/12,10.0.0.0/255.0.0.0,LocalSubnet • 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/ 24,172.16.111.0/24 Note: You cannot have any spaces between the entries in the list of sources, or the entire list is ignored and Windows Firewall uses the default scope of any source IPv4 address. This can create an unintended vulnerability. Please double-check your scope syntax before saving changes to the Windows Firewall .inf file. © 2004 Microsoft Corporation. All rights reserved.
Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 15 Summary To install Windows XP SP2 with customized default settings for the new Windows Firewall or to change settings after installation, use the Windows Firewall .inf file (Netfw.inf). The Windows Firewall .inf file contains two main sections: [ICF.AddReg.DomainProfile] for modifying Windows Firewall settings for the domain profile, [ICF.AddReg.StandardProfile] for modifying settings for the standard profile, and [Strings] for defining strings for some settings. Typical uses of the Windows Firewall .inf file include disabling the Windows Firewall (if a third-party .inf file is already installed and enabled) and adding either programs or ports to the Windows Firewall exceptions lists (one list for each profile). Related Links See the following resources for more information: • Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 at http:// www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a- bdcd-499f73a637d1&displaylang=en • Manually Configuring Windows Firewall in Windows XP Service Pack 2 at http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx • Windows XP Service Pack 2: Resources for IT Professionals at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx For the latest information about Windows XP, see the Windows XP Web site at http://www.microsoft.com/windowsxp. © 2004 Microsoft Corporation. All rights reserved.

Empfohlen

Ch1 2
Ch1 2Ch1 2
Ch1 2Sumit Tambe
 
Administering windows xp
Administering windows xpAdministering windows xp
Administering windows xpSamaja
 
Windows 7 Security
Windows 7 SecurityWindows 7 Security
Windows 7 SecurityJorge Orchilles
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
Windows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetWindows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetPassreset
 
Windows 7 Security Enhancements
Windows 7 Security EnhancementsWindows 7 Security Enhancements
Windows 7 Security EnhancementsPresentologics
 
Windows Vista Security
Windows Vista SecurityWindows Vista Security
Windows Vista Securitysimplysuperb007
 
Fcm rapid-install-11122-1634210
Fcm rapid-install-11122-1634210Fcm rapid-install-11122-1634210
Fcm rapid-install-11122-1634210raman pattanaik
 

Empfohlen

Ch1 2
Ch1 2Ch1 2
Ch1 2Sumit Tambe
 
Administering windows xp
Administering windows xpAdministering windows xp
Administering windows xpSamaja
 
Windows 7 Security
Windows 7 SecurityWindows 7 Security
Windows 7 SecurityJorge Orchilles
 
Windows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterpriseWindows 7 professional Vs Windows 7 enterprise
Windows 7 professional Vs Windows 7 enterprise247infotech
 
Windows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetWindows 7 Security--Windows 7 password reset
Windows 7 Security--Windows 7 password resetPassreset
 
Windows 7 Security Enhancements
Windows 7 Security EnhancementsWindows 7 Security Enhancements
Windows 7 Security EnhancementsPresentologics
 
Windows Vista Security
Windows Vista SecurityWindows Vista Security
Windows Vista Securitysimplysuperb007
 
Fcm rapid-install-11122-1634210
Fcm rapid-install-11122-1634210Fcm rapid-install-11122-1634210
Fcm rapid-install-11122-1634210raman pattanaik
 
Disabling windows file protection
Disabling windows file protectionDisabling windows file protection
Disabling windows file protectionJhonathansmrt Smart
 
Ch11
Ch11Ch11
Ch11jeffcflynn
 
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...North Star. Inc.
 
To pass ite chapter 5 exam
To pass ite chapter 5 examTo pass ite chapter 5 exam
To pass ite chapter 5 examAhmed Abdullah
 
2009 reborn card plus version
2009 reborn card plus version 2009 reborn card plus version
2009 reborn card plus version cordobaboxeador
 
70-680 Windows 7 configuring
70-680 Windows 7 configuring70-680 Windows 7 configuring
70-680 Windows 7 configuringbiwan
 
Windows XP security
Windows XP securityWindows XP security
Windows XP securityESET Middle East
 
9adcab7c 1 crash
9adcab7c 1 crash9adcab7c 1 crash
9adcab7c 1 crashPrezMan3141
 
Ht w25
Ht w25Ht w25
Ht w25SelectedPresentations
 
SysInfoTools NSF Local Security Remover
SysInfoTools NSF Local Security RemoverSysInfoTools NSF Local Security Remover
SysInfoTools NSF Local Security RemoverSysInfoTools Software
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesLumension
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
License
LicenseLicense
LicenseQueenofhearts Griffin
 
Guide to Windows 7 - Managing Disks
Guide to Windows 7 - Managing DisksGuide to Windows 7 - Managing Disks
Guide to Windows 7 - Managing DisksGene Carboni
 
Guide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGuide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGene Carboni
 
0x80042308
0x800423080x80042308
0x80042308ssuser1eca7d
 
Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3ranjeetsg
 
Project Pt1
Project Pt1Project Pt1
Project Pt1Emmanuel McCain
 
Readme
ReadmeReadme
ReadmeLe Trung Dung
 
Artigo hpv dra gloria
Artigo hpv dra gloriaArtigo hpv dra gloria
Artigo hpv dra gloriaGloria Grazziotin
 
Die Hotel Lindenhof Wellnessfiebel 2014
Die Hotel Lindenhof Wellnessfiebel 2014 Die Hotel Lindenhof Wellnessfiebel 2014
Die Hotel Lindenhof Wellnessfiebel 2014 Hotel Lindenhof
 
Pre Employment Medical Article
Pre Employment Medical ArticlePre Employment Medical Article
Pre Employment Medical ArticleMarkCassidy
 

Weitere ähnliche Inhalte

Was ist angesagt?

Disabling windows file protection
Disabling windows file protectionDisabling windows file protection
Disabling windows file protectionJhonathansmrt Smart
 
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...North Star. Inc.
 
To pass ite chapter 5 exam
To pass ite chapter 5 examTo pass ite chapter 5 exam
To pass ite chapter 5 examAhmed Abdullah
 
2009 reborn card plus version
2009 reborn card plus version 2009 reborn card plus version
2009 reborn card plus version cordobaboxeador
 
70-680 Windows 7 configuring
70-680 Windows 7 configuring70-680 Windows 7 configuring
70-680 Windows 7 configuringbiwan
 
9adcab7c 1 crash
9adcab7c 1 crash9adcab7c 1 crash
9adcab7c 1 crashPrezMan3141
 
SysInfoTools NSF Local Security Remover
SysInfoTools NSF Local Security RemoverSysInfoTools NSF Local Security Remover
SysInfoTools NSF Local Security RemoverSysInfoTools Software
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesLumension
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetBrent Muir
 
Guide to Windows 7 - Managing Disks
Guide to Windows 7 - Managing DisksGuide to Windows 7 - Managing Disks
Guide to Windows 7 - Managing DisksGene Carboni
 
Guide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGuide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGene Carboni
 
Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3ranjeetsg
 

Was ist angesagt? (19)

Disabling windows file protection
Disabling windows file protectionDisabling windows file protection
Disabling windows file protection
 
Ch11
Ch11Ch11
Ch11
 
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
Discover the 5 New Windows 8 Security Features You Should Know - by Denver IT...
 
To pass ite chapter 5 exam
To pass ite chapter 5 examTo pass ite chapter 5 exam
To pass ite chapter 5 exam
 
2009 reborn card plus version
2009 reborn card plus version 2009 reborn card plus version
2009 reborn card plus version
 
70-680 Windows 7 configuring
70-680 Windows 7 configuring70-680 Windows 7 configuring
70-680 Windows 7 configuring
 
Windows XP security
Windows XP securityWindows XP security
Windows XP security
 
9adcab7c 1 crash
9adcab7c 1 crash9adcab7c 1 crash
9adcab7c 1 crash
 
Ht w25
Ht w25Ht w25
Ht w25
 
SysInfoTools NSF Local Security Remover
SysInfoTools NSF Local Security RemoverSysInfoTools NSF Local Security Remover
SysInfoTools NSF Local Security Remover
 
Bit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it ComparesBit locker Drive Encryption: How it Works and How it Compares
Bit locker Drive Encryption: How it Works and How it Compares
 
Mobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring BudgetMobile Forensics on a Shoestring Budget
Mobile Forensics on a Shoestring Budget
 
License
LicenseLicense
License
 
Guide to Windows 7 - Managing Disks
Guide to Windows 7 - Managing DisksGuide to Windows 7 - Managing Disks
Guide to Windows 7 - Managing Disks
 
Guide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File SystemsGuide to Windows 7 - Managing File Systems
Guide to Windows 7 - Managing File Systems
 
0x80042308
0x800423080x80042308
0x80042308
 
Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3Overview Of Windows Xp Service Pack 3
Overview Of Windows Xp Service Pack 3
 
Project Pt1
Project Pt1Project Pt1
Project Pt1
 
Readme
ReadmeReadme
Readme
 

Andere mochten auch

Die Hotel Lindenhof Wellnessfiebel 2014
Die Hotel Lindenhof Wellnessfiebel 2014 Die Hotel Lindenhof Wellnessfiebel 2014
Die Hotel Lindenhof Wellnessfiebel 2014 Hotel Lindenhof
 
Pre Employment Medical Article
Pre Employment Medical ArticlePre Employment Medical Article
Pre Employment Medical ArticleMarkCassidy
 
Genetic modification
Genetic modificationGenetic modification
Genetic modificationsomsscience7
 
System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...
System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...
System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...mikezisiss
 
Three steps for entrepreneurs to establish and leverage their personal brand
Three steps for entrepreneurs to establish and leverage their personal brandThree steps for entrepreneurs to establish and leverage their personal brand
Three steps for entrepreneurs to establish and leverage their personal brandBright Star PR
 
ELECTREX INDUSTRIAL PPT
ELECTREX INDUSTRIAL PPTELECTREX INDUSTRIAL PPT
ELECTREX INDUSTRIAL PPTwinstonmosby
 
Global Urban DataFest Madrid
Global Urban DataFest MadridGlobal Urban DataFest Madrid
Global Urban DataFest MadridManu Arenas
 
Susur gua-vertikal-dan-horisontal
Susur gua-vertikal-dan-horisontalSusur gua-vertikal-dan-horisontal
Susur gua-vertikal-dan-horisontalArdhat Muhuruna
 
Sociale tools en Zorg: Zorgnetwerk Nederland
Sociale tools en Zorg: Zorgnetwerk NederlandSociale tools en Zorg: Zorgnetwerk Nederland
Sociale tools en Zorg: Zorgnetwerk NederlandBaukelien van Minnen
 
BuildingInspecs.com - Sample Report
BuildingInspecs.com - Sample ReportBuildingInspecs.com - Sample Report
BuildingInspecs.com - Sample ReportJustin Macduff
 
Pccc july2010-newsletter
Pccc july2010-newsletterPccc july2010-newsletter
Pccc july2010-newsletterJustin Macduff
 
Building Specs Sample Report
Building Specs Sample ReportBuilding Specs Sample Report
Building Specs Sample ReportJustin Macduff
 
τίτλος σεναρίου
τίτλος σεναρίουτίτλος σεναρίου
τίτλος σεναρίουBABIS2
 

Andere mochten auch (20)

Artigo hpv dra gloria
Artigo hpv dra gloriaArtigo hpv dra gloria
Artigo hpv dra gloria
 
Die Hotel Lindenhof Wellnessfiebel 2014
Die Hotel Lindenhof Wellnessfiebel 2014 Die Hotel Lindenhof Wellnessfiebel 2014
Die Hotel Lindenhof Wellnessfiebel 2014
 
Pre Employment Medical Article
Pre Employment Medical ArticlePre Employment Medical Article
Pre Employment Medical Article
 
Genetic modification
Genetic modificationGenetic modification
Genetic modification
 
System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...
System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...
System Accuracy Evaluation Of 43 Blood Glucose Monitoring For Self Monitoring...
 
Marketing
MarketingMarketing
Marketing
 
Portfolio
PortfolioPortfolio
Portfolio
 
Three steps for entrepreneurs to establish and leverage their personal brand
Three steps for entrepreneurs to establish and leverage their personal brandThree steps for entrepreneurs to establish and leverage their personal brand
Three steps for entrepreneurs to establish and leverage their personal brand
 
ELECTREX INDUSTRIAL PPT
ELECTREX INDUSTRIAL PPTELECTREX INDUSTRIAL PPT
ELECTREX INDUSTRIAL PPT
 
Global Urban DataFest Madrid
Global Urban DataFest MadridGlobal Urban DataFest Madrid
Global Urban DataFest Madrid
 
Susur gua-vertikal-dan-horisontal
Susur gua-vertikal-dan-horisontalSusur gua-vertikal-dan-horisontal
Susur gua-vertikal-dan-horisontal
 
project
projectproject
project
 
paper
paperpaper
paper
 
Sociale tools en Zorg: Zorgnetwerk Nederland
Sociale tools en Zorg: Zorgnetwerk NederlandSociale tools en Zorg: Zorgnetwerk Nederland
Sociale tools en Zorg: Zorgnetwerk Nederland
 
BuildingInspecs.com - Sample Report
BuildingInspecs.com - Sample ReportBuildingInspecs.com - Sample Report
BuildingInspecs.com - Sample Report
 
PCCC June Newsletter
PCCC June NewsletterPCCC June Newsletter
PCCC June Newsletter
 
PCCC Archive 8/9/2007
PCCC Archive 8/9/2007PCCC Archive 8/9/2007
PCCC Archive 8/9/2007
 
Pccc july2010-newsletter
Pccc july2010-newsletterPccc july2010-newsletter
Pccc july2010-newsletter
 
Building Specs Sample Report
Building Specs Sample ReportBuilding Specs Sample Report
Building Specs Sample Report
 
τίτλος σεναρίου
τίτλος σεναρίουτίτλος σεναρίου
τίτλος σεναρίου
 

Ähnlich wie Wfinf guide

chapter2windowsxpinsideandoutofwinxp.ppt
chapter2windowsxpinsideandoutofwinxp.pptchapter2windowsxpinsideandoutofwinxp.ppt
chapter2windowsxpinsideandoutofwinxp.pptsandhyashankar20
 
Client install
Client installClient install
Client installmrt Londeh
 
P6 professional standalone_install_and_config_guide
P6 professional standalone_install_and_config_guideP6 professional standalone_install_and_config_guide
P6 professional standalone_install_and_config_guideSuresh G Sankarankutty
 
IBM i and related software Data migrations.pdf
IBM i and related software Data migrations.pdfIBM i and related software Data migrations.pdf
IBM i and related software Data migrations.pdfken761ken1
 
Windows Firewall & Its Configuration
Windows Firewall & Its ConfigurationWindows Firewall & Its Configuration
Windows Firewall & Its ConfigurationSoban Ahmad
 
Operating system windows XP
Operating system windows XPOperating system windows XP
Operating system windows XPRohan Bhatkar
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docxeugeniadean34240
 
Installing R H E L 5
Installing R H E L 5Installing R H E L 5
Installing R H E L 5monywa
 
Test Lab Guide: Windows Server 2012 R2 Base Configuration
Test Lab Guide: Windows Server 2012 R2 Base ConfigurationTest Lab Guide: Windows Server 2012 R2 Base Configuration
Test Lab Guide: Windows Server 2012 R2 Base ConfigurationTiago Henrique Ribeiro Ferreira
 
Frststps
FrststpsFrststps
Frststpserney03
 
Vista Presentation
Vista PresentationVista Presentation
Vista Presentationsdrayin
 
Wfc878r eop hwsg_npd6407-00_en
Wfc878r eop hwsg_npd6407-00_enWfc878r eop hwsg_npd6407-00_en
Wfc878r eop hwsg_npd6407-00_enHerrySyafitri
 

Ähnlich wie Wfinf guide (20)

chapter2windowsxpinsideandoutofwinxp.ppt
chapter2windowsxpinsideandoutofwinxp.pptchapter2windowsxpinsideandoutofwinxp.ppt
chapter2windowsxpinsideandoutofwinxp.ppt
 
Lecture10.pptx
Lecture10.pptxLecture10.pptx
Lecture10.pptx
 
spnt_5.58_gsg
spnt_5.58_gsgspnt_5.58_gsg
spnt_5.58_gsg
 
Client install
Client installClient install
Client install
 
P6 professional standalone_install_and_config_guide
P6 professional standalone_install_and_config_guideP6 professional standalone_install_and_config_guide
P6 professional standalone_install_and_config_guide
 
Network install guide
Network install guideNetwork install guide
Network install guide
 
Manual Sophos
Manual SophosManual Sophos
Manual Sophos
 
56-FP_Wireless1
56-FP_Wireless156-FP_Wireless1
56-FP_Wireless1
 
IBM i and related software Data migrations.pdf
IBM i and related software Data migrations.pdfIBM i and related software Data migrations.pdf
IBM i and related software Data migrations.pdf
 
Windows Firewall & Its Configuration
Windows Firewall & Its ConfigurationWindows Firewall & Its Configuration
Windows Firewall & Its Configuration
 
Operating system windows XP
Operating system windows XPOperating system windows XP
Operating system windows XP
 
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
1RUNNING HEAD MANAGING HOST BASED SECURITY IN WINDOWS 8.1La.docx
 
Installing R H E L 5
Installing R H E L 5Installing R H E L 5
Installing R H E L 5
 
Ite pc v40_chapter9
Ite pc v40_chapter9Ite pc v40_chapter9
Ite pc v40_chapter9
 
Test Lab Guide: Windows Server 2012 R2 Base Configuration
Test Lab Guide: Windows Server 2012 R2 Base ConfigurationTest Lab Guide: Windows Server 2012 R2 Base Configuration
Test Lab Guide: Windows Server 2012 R2 Base Configuration
 
Windows 8.1 a closer look
Windows 8.1 a closer lookWindows 8.1 a closer look
Windows 8.1 a closer look
 
Frststps
FrststpsFrststps
Frststps
 
Firewall intro
Firewall introFirewall intro
Firewall intro
 
Vista Presentation
Vista PresentationVista Presentation
Vista Presentation
 
Wfc878r eop hwsg_npd6407-00_en
Wfc878r eop hwsg_npd6407-00_enWfc878r eop hwsg_npd6407-00_en
Wfc878r eop hwsg_npd6407-00_en
 

Kürzlich hochgeladen

Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Kürzlich hochgeladen (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Wfinf guide

  • 1. Windows XP OEM Preinstallation Kit Design Notes Microsoft® Windows® Family of Operating Systems Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 MICROSOFT CONFIDENTIAL - PROVIDED UNDER NDA DO NOT REDISTRIBUTE July 14, 2004 Abstract: Microsoft Windows XP Service Pack 2 (SP2) includes significant enhancements to the Windows Firewall component (formerly known as the Internet Connection Firewall). Windows Firewall is a stateful host firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP SP2 enables Windows Firewall on all network connections by default. Network administrators can use the Windows Firewall .inf file (Netfw.inf) to modify default settings either before installation or after installation. This article describes the usage of the Windows Firewall .inf file.
  • 2. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. © 2004 Microsoft Corporation. All rights reserved. Microsoft, Win32, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States or other countries or regions. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
  • 3. Contents Overview...................................................................................................................................4 Scenarios for Modifying Default Windows Firewall Configuration.............................................4 Location of Windows Firewall .Inf File.......................................................................................5 Methods for Replacing the Default Windows Firewall Configuration........................................5 Default Windows Firewall .Inf File.............................................................................................6 Configuration Options Provided in the Windows Firewall .Inf File.............................................7 Changing Windows Firewall’s Default Operational Mode....................................................7 Disabling Windows Firewall’s Notifications..........................................................................8 Blocking Unicast Responses to Multicast and Broadcast Packets.......................................9 Enabling Remote Administration..........................................................................................9 Allowing ICMP Messages through Windows Firewall........................................................10 Adding Static Ports to Windows Firewall’s Default Exceptions List....................................11 Adding Programs to Windows Firewall’s Default Exceptions List......................................12 Defining the Scope for an Entry in the Windows Firewall .Inf File...........................................14 Summary.................................................................................................................................15 Related Links..........................................................................................................................15
  • 4. Overview Windows XP Service Pack 2 (SP2) includes significant enhancements to Windows Firewall, formerly known as the Internet Connection Firewall (ICF). Windows Firewall is a stateful, host-based firewall that drops all unsolicited, incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited, incoming traffic to attack computers. A new feature in Windows XP SP2 is the enabling of Windows Firewall by default during an installation of Windows XP or during an update to Windows XP SP2. Because Windows Firewall is enabled by default, network administrators need the flexibility to modify the default configuration of Windows Firewall during the installation of Windows XP SP2 and after its installation. Typical configuration modifications include adding programs to Windows Firewall’s exception list or disabling Windows Firewall, for example, if a third-party, host-based firewall is already installed and enabled. Windows Firewall can be preconfigured by modifying the Windows Firewall .inf file, named Netfw.inf, in which Windows Firewall’s default configuration is stored. During an installation of or an update to Windows XP SP2, Windows Firewall imports its configuration from this .inf file. This means that any modifications made to the Windows Firewall .inf file before an installation of Windows will automatically be incorporated into the default configuration of Windows Firewall. Scenarios for Modifying Default Windows Firewall Configuration The following are common scenarios for modifying the default configuration of Windows Firewall. Third-Party Firewall-Enabled An original equipment manufacturer (OEM) may choose to provide its customers with a third-party, host-based firewall. If this firewall is enabled by default, then it is recommended that Windows Firewall be disabled. This can be done by modifying the Windows Firewall .inf file to disable Windows Firewall by default. Preinstalled Programs An OEM or enterprise may choose to install a suite of programs by default. Some of these programs may need to receive unsolicited, incoming traffic in order to function correctly. Windows Firewall can be configured to enable specific, unsolicited, incoming traffic by default by adding the programs to the Windows Firewall’s exceptions list. This can be done by adding entries for the programs to the Windows Firewall .inf file. Only programs that require unsolicited, incoming traffic should be added to the exceptions list; programs that do not require unsolicited, incoming traffic should not be added to the exceptions list.
  • 5. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 5 Pre-Opened Ports An enterprise may choose to use various network services and want to ensure that the network traffic for those services is enabled by default through Windows Firewall. For example, an enterprise may use some of the remote management functionality included in Windows XP. You can configure Windows Firewall to open the necessary ports by default by adding them to the Windows Firewall’s exceptions list. Specifically, you can add entries for the TCP or UDP ports to the Windows Firewall .inf file. Statically opening ports does potentially increase a computer’s exposure to attack, so the number of ports opened in Windows Firewall by default should be at a minimum. Location of Windows Firewall .Inf File On a Windows XP CD image, the location of the Windows Firewall .inf file is: Cd_drive:I386Netfw.in_ Note: On a Windows XP CD image, the file’s name is Netfw.in_ (not Netfw.inf). This is for signing purposes. If an OEM modifies this file, the file must also be re-signed. After the installation of Windows XP SP2, the location of the Windows Firewall .inf file is: %WINDIR%InfNetfw.inf Methods for Replacing the Default Windows Firewall Configuration Method 1: Pre-Installation 1. Copy the default Windows Firewall .inf file (Netfw.in_) from a Windows XP SP2 CD image. 2. Make the desired modifications to the .inf file. Directions for modifying the .inf file are provided in the "Configuration Options Provided in the Windows Firewall .Inf File" section of this article. 3. Save the modified .inf file as Netfw.in_. 4. Sign the modified Netfw.in_. 5. Replace the default Netfw.in_ with the modified Netfw.in_ in the Windows XP SP2 CD image. 6. Install Windows XP SP2 from the modified Windows XP SP2 CD image. © 2004 Microsoft Corporation. All rights reserved.
  • 6. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 6 Method 2: Post-Installation 1. Copy the default Windows Firewall .inf file (Netfw.inf) from an installation of Windows XP SP2. 2. Make the desired modifications to the .inf file. Directions for modifying the .inf file are provided in the "Configuration Options Provided in the Windows Firewall .Inf File" section of this article. 3. Save the modified .inf file as Netfw.inf. 4. Replace the default Netfw.inf with the modified Netfw.inf in the installation of Windows XP SP2. 5. Run the netsh firewall reset command on the computer running Windows XP SP2. You can do this manually by typing the command at a command prompt or by including the command in a run-once script. Default Windows Firewall .Inf File The default contents of the Netfw.inf file are the following: [Version] Signature = "$Windows NT$" DriverVer =07/01/2001,5.1.2600.2132 [DefaultInstall] AddReg = ICF.AddReg.DomainProfile AddReg = ICF.AddReg.StandardProfile [ICF.AddReg.DomainProfile] HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll.-22019" [ICF.AddReg.StandardProfile] HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll.-22019" The first two sections of Netfw.inf contain versioning and configuration information, and do not need to be modified. The sections that are significant for modifying the default configuration for Windows Firewall are the following: • [ICF.AddReg.DomainProfile] – Windows Firewall maintains two sets of configuration known as profiles. One profile is used when a computer is connected to the domain to which it is joined, while the other profile is used when the computer is not connected to its domain. This section is for defining changes to Windows Firewall’s default configuration when a computer is connected to a network that contains its domain. • [ICF.AddReg.StandardProfile] – This section is for defining changes to Windows Firewall’s default configuration when a computer is not connected to a network that contains its domain. If a computer is not a member of a domain, then Windows Firewall will always enforce the configuration stored in the Standard Profile. © 2004 Microsoft Corporation. All rights reserved.
  • 7. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 7 Configuration Options Provided in the Windows Firewall .Inf File The majority of the default configurations for Windows Firewall can be defined in the Windows Firewall .inf file. This includes the following settings: • Operational mode • Disable notifications • Block unicast responses to multicast and broadcast packets • Enable Remote Administration • Enable ICMP messages • Open ports • Enable programs These settings are described in the next sections. Notes: All of the settings made in the Windows Firewall .inf file will be applied to all of a computer’s network interfaces. You cannot open ports nor enable ICMP messages for individual interfaces through the Windows Firewall .inf file. Logging settings cannot be defined through the Windows Firewall .inf file. Changing Windows Firewall’s Default Operational Mode • Windows Firewall can be placed in one of three operational modes: • On – This is the default operational mode for Windows Firewall. In this mode, Windows Firewall drops all unsolicited, incoming traffic, except those matching enabled entries in Windows Firewall’s exceptions lists. Because this is the default operational mode, no entries need to be included in the Windows Firewall .inf file. • The assumed entries for the Domain Profile in the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file are: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","EnableFirewall",0x00010001,1 • The assumed entries for the Standard Profile in the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file are: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","EnableFirewall",0x00010001,0x00000001 © 2004 Microsoft Corporation. All rights reserved.
  • 8. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 8 • On with No Exceptions – In this mode, Windows Firewall blocks all unsolicited, incoming traffic, even those matching enabled entries in Windows Firewall’s exceptions lists. • To make this the default operational mode for the Domain Profile, add the following entries to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DoNotAllowExceptions",0x00010001,1 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","EnableFirewall",0x00010001,1 • To make this the default operational mode for the Standard Profile, add the following entries to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DoNotAllowExceptions",0x00010001,1 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","EnableFirewall",0x00010001,1 • Off – In this mode, Windows Firewall is disabled and does not do any filtering of unsolicited, incoming traffic. All unsolicited, incoming traffic is enabled, and Windows Firewall does not help to protect the computer from network attacks. • To make this the default operational mode for the Domain Profile, add the following entries to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","EnableFirewall",0x00010001,0 • To make this the default operational mode for the Standard Profile, add the following entries to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DoNotAllowExceptions",0x00010001,0 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","EnableFirewall",0x00010001,0 Disabling Windows Firewall’s Notifications By default, Windows Firewall displays a notification to users when a program not already included in the Windows Firewall exceptions list uses the new Windows Firewall APIs to add itself or its traffic to an exceptions list. By adding the appropriate entries to the Windows Firewall .inf file, these notifications can be disabled in either or both of Windows Firewall’s profiles. • To disable notifications by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: © 2004 Microsoft Corporation. All rights reserved.
  • 9. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 9 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DisableNotifications",0x00010001,1 • To disable notifications by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DisableNotifications",0x00010001,1 Blocking Unicast Responses to Multicast and Broadcast Packets By default, Windows Firewall enables incoming, unicast-response packets to a port for three seconds after a multicast or broadcast packet is sent from the port. By adding the appropriate entries to the Windows Firewall .inf file, this behavior can be disabled in either or both of Windows Firewall’s profiles. • To block unicast responses to multicast and broadcast packets by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfile","DisableUnicastResponsesToMulticastBroadcast",0x00010001,1 • To block unicast responses to multicast and broadcast packets by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfile","DisableUnicastResponsesToMulticastBroadcast",0x00010001,1 Enabling Remote Administration Windows Firewall includes a Remote Administration option that alters its configuration to enable Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) communication. Enabling this option statically opens TCP 135 and TCP 445 to unsolicited, incoming traffic. Additionally, communication over named pipes is permitted, and ports are dynamically opened as needed by Windows services using RPC. By adding the appropriate entries to the Windows Firewall .inf file, you can enable the Remote Administration option in either or both of Windows Firewall’s profiles. • To enable Remote Administration by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileRemoteAdminSettings","Enabled",0x00010001,1 • To enable Remote Administration by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileRemoteAdminSettings","Enabled",0x00010001,1 When enabling Remote Administration, the set of IP addresses from which unsolicited, incoming traffic is accepted can also be specified through an additional entry in the appropriate section of the Windows Firewall .inf file. © 2004 Microsoft Corporation. All rights reserved.
  • 10. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 10 To define the default scope for Remote Administration in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileRemoteAdminSettings","RemoteAddresses",0x00000000,scope To define the default scope for Remote Administration in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileRemoteAdminSettings","RemoteAddresses",0x00000000,scope Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall .Inf File" section of this article. Allowing ICMP Messages through Windows Firewall While the default configuration for Windows Firewall blocks all ICMP message types, you can modify this behavior by adding entries to the Windows Firewall .inf file that enable certain ICMP message types by default. To enable an ICMP message type by default in the Domain Profile, add the following entry to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileIcmpSettings","ICMP Message Type",0x00010001,1 To enable an ICMP message type by default in the Standard Profile, add the following entry to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileIcmpSettings","ICMP Message Type",0x00010001,1 Both of these entries require an ICMP Message Type to be specified. The permitted values for ICMP Message Type are listed in Table 1. Table 1. ICMP Message Types ICMP Message Type Number Description AllowOutboundPacketTooBig 2 When an Internet Protocol version 6 (IPv6) packet is too large to be forwarded, data is dropped and a computer replies to the sender with a Packet Too Big message. AllowOutboundDestinationUnreachabl 3 Sent data that fails to reach this e computer due to an error is discarded and reported with a Destination Unreachable message explaining the failure. AllowOutboundSourceQuench 4 When a computer’s ability to process incoming data cannot keep up with the rate of a transmission, data is dropped and the sender is © 2004 Microsoft Corporation. All rights reserved.
  • 11. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 11 asked to transmit more slowly. AllowRedirect 5 Data sent from a computer is rerouted. AllowInboundEchoRequest 8 Messages sent to a computer are repeated back to the sender. This is commonly used for troubleshooting (for example, to ping a computer). AllowInboundRouterRequest 10 A computer responds to router discovery messages. AllowOutboundTimeExceeded 11 When a computer discards a packet because its hop count was exceeded or it ran out of time to assemble fragments of a packet, it replies to the sender with a Time Exceeded message. AllowOutboundParameterProblem 12 When a computer discards data that it has received because of a problematic header, it replies to the sender with a Parameter Problem error message. AllowInboundTimestampRequest 13 A confirmation message is sent, indicating the time that the data was received at a computer. AllowInboundMaskRequest 17 A computer listens for and responds to requests for a network subnet mask. Adding Static Ports to Windows Firewall’s Default Exceptions List In Windows XP SP2, Windows Firewall maintains an exceptions list for each of its two profiles. When in normal operation, Windows Firewall statically opens ports that are included in its current profile’s exceptions list. It is generally recommended that programs be added to the exceptions list, instead of statically opening ports. This enables Windows Firewall to open and close ports dynamically and to minimize the number of ports open at any one time. It is recognized, however, that there are scenarios in which ports need to be statically opened. For example, a static port may need to be opened in order for a Windows service to receive unsolicited, incoming traffic. To support such scenarios, OEMs have the ability to add static ports to either or both of Windows Firewall’s default exceptions lists through the Windows Firewall .inf file. To add a static port to the Domain Profile’s exceptions list, an entry in the following format should be added to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: © 2004 Microsoft Corporation. All rights reserved.
  • 12. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 12 HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileGloballyOpenPortsList","port number:protocol",0x00000000, "port number:protocol:scope:mode:port’s friendly name" To add a static port to the Standard Profile’s exceptions list, an entry in the following format should be added to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileGloballyOpenPortsList","port number:protocol",0x00000000, "port number:protocol:scope:mode:port’s friendly name" In the two entries above, the following elements must be defined, based upon the port added to Windows Firewall’s default exceptions lists and the desired behavior: • port number – A port is specified by the combination of a protocol and a port number. The port number must be between 1 and 65535 inclusive. • protocol – A port is specified by the combination of a protocol and a port number. The protocol must be either TCP or UDP. • scope – Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall .Inf File” section of this article. • mode – An entry can be added to Windows Firewall’s default exceptions lists as either enabled or disabled. The two permitted values for this element are Enabled and Disabled. If a port’s entry is enabled, the port will be statically opened in Windows Firewall. If a port’s entry is disabled, the port will not be statically opened in Windows Firewall. • port’s friendly name – This is the description that will be used to represent the entry for Windows Firewall in Control Panel. It should provide an indication of why the port is statically opened, such as "Web Server (TCP 80)" or "Telnet Server (TCP 23)". As an example for opening a port, two entries are required to enable the static port used by the Internet Key Exchange (IKE) protocol, which uses UDP 500, for a scope of all IP addresses in the default exceptions lists for both of Windows Firewall’s profiles. This entry is added to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileGloballyOpenPortsList","500:UDP",0x00000000,"500:UDP:*:enabl ed:IKE (UDP 500)" This entry is added to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileGloballyOpenPortsList","500:UDP",0x00000000, "500:UDP:*:enabled:IKE (UDP 500)" Adding Programs to Windows Firewall’s Default Exceptions List In Windows XP SP2, Windows Firewall maintains an exceptions list for each of its two profiles. When in normal operation, Windows Firewall dynamically opens the ports used by programs in its current profile’s exceptions list. The Windows Firewall .inf file can be used to add programs to either or both of Windows Firewall’s default exceptions lists. © 2004 Microsoft Corporation. All rights reserved.
  • 13. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 13 Only programs that actually require unsolicited, incoming traffic should be added to the exceptions lists; there is no benefit to adding programs that use only outgoing connections to the exceptions lists. To add a program to the Domain Profile’s exceptions list, an entry in the following format should be added to the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","program’s image path",0x00000000,"program’s image path:scope:mode:program’s friendly name" To add a program to the Standard Profile’s Exceptions List, an entry in the following format should be added to the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","program’s image path",0x00000000,"program’s image path:scope:mode:program’s friendly name" In the two entries above, the following elements must be defined, based upon the program added to Windows Firewall’s default exceptions lists and the desired behavior: • program’s image path – This is the fully qualified path for the file to be added to Windows Firewall’s default exceptions lists. It may include environmental variables, such as %ProgramFiles%. • scope – Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall .Inf File” section of this article. • mode – An entry can be added to Windows Firewall’s default exceptions lists as either enabled or disabled. The two permitted values for this element are Enabled and Disabled. If a program’s entry is enabled, ports are dynamically opened in Windows Firewall for the program when it opens ports. If a program’s entry is disabled, ports will not be dynamically opened in Windows Firewall for the program. • program’s friendly name – This is the name that is used to represent the entry in the Windows Firewall user interface. It should include the product name and publisher, such as MSN Messenger v6.1 or AOL Instant Messenger v5.5. As an example of enabling programs, two entries are included in the Windows Firewall .inf file to enable Remote Assistance with a scope of all IP addresses in the default exceptions lists for both Windows Firewall profiles. This entry is included in the [ICF.AddReg.DomainProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yDomainProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" This entry is included in the [ICF.AddReg.StandardProfile] section of the Windows Firewall .inf file: HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolic yStandardProfileAuthorizedApplicationsList","%WINDIR %system32sessmgr.exe",0x00000000,"%WINDIR %system32sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" © 2004 Microsoft Corporation. All rights reserved.
  • 14. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 14 Defining the Scope for an Entry in the Windows Firewall .Inf File When enabling Remote Assistance, opening a port, or enabling a program, the set of IP addresses from which the unsolicited, incoming traffic is enabled can be defined. This set of IP addresses from which unsolicited, incoming traffic is enabled is the scope of the exception. There are three options for defining the scope for a Windows Firewall exception. • All IP addresses – This is the default scope for a Windows Firewall exception, and it enables unsolicited, incoming traffic that matches the exception from any computer. In the Windows Firewall .inf file, making an entry’s scope element an asterisk ("*") results in a scope of all IP addresses for the entry. • Local subnet only – This scope enables unsolicited, incoming traffic that matches the exception from any computer on the same subnet as the network connection on which the traffic was received through Windows Firewall, while dropping unsolicited, incoming traffic from all other computers. When a computer’s subnet changes, the set of enabled IP addresses dynamically changes to match the new subnet. In the Windows Firewall .inf file, making an entry’s scope element LocalSubnet results in a local subnet-only scope for the entry. • Custom – The final option is to define a custom scope, which is a list of IPv4 addresses and address ranges that typically correspond to subnets. Unsolicited, incoming traffic that matches the exception and originates from a computer with an IPv4 address in the defined list is enabled through Windows Firewall. Unsolicited, incoming traffic from computers with IPv4 addresses that are not in the list is dropped. A custom scope can include the local subnet (using the "LocalSubnet" string), IPv4 addresses, and IPv4 address ranges, but cannot include IPv6 addresses and IPv6 address ranges. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask notation or a prefix length (w.x.y.z/n). When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). Some examples of custom scope elements include the following: • 192.168.0.5 • 192.168.0.0/255.255.255.0 • 192.168.0.5,LocalSubnet • 157.54.0.1,172.16.0.0/12,10.0.0.0/255.0.0.0,LocalSubnet • 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/ 24,172.16.111.0/24 Note: You cannot have any spaces between the entries in the list of sources, or the entire list is ignored and Windows Firewall uses the default scope of any source IPv4 address. This can create an unintended vulnerability. Please double-check your scope syntax before saving changes to the Windows Firewall .inf file. © 2004 Microsoft Corporation. All rights reserved.
  • 15. Using the Windows Firewall .Inf File in Microsoft® Windows® XP Service Pack 2 15 Summary To install Windows XP SP2 with customized default settings for the new Windows Firewall or to change settings after installation, use the Windows Firewall .inf file (Netfw.inf). The Windows Firewall .inf file contains two main sections: [ICF.AddReg.DomainProfile] for modifying Windows Firewall settings for the domain profile, [ICF.AddReg.StandardProfile] for modifying settings for the standard profile, and [Strings] for defining strings for some settings. Typical uses of the Windows Firewall .inf file include disabling the Windows Firewall (if a third-party .inf file is already installed and enabled) and adding either programs or ports to the Windows Firewall exceptions lists (one list for each profile). Related Links See the following resources for more information: • Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 at http:// www.microsoft.com/downloads/details.aspx?familyid=4454e0e1-61fa-447a- bdcd-499f73a637d1&displaylang=en • Manually Configuring Windows Firewall in Windows XP Service Pack 2 at http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx • Windows XP Service Pack 2: Resources for IT Professionals at http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx For the latest information about Windows XP, see the Windows XP Web site at http://www.microsoft.com/windowsxp. © 2004 Microsoft Corporation. All rights reserved.