wfinf_guide

By Lynn Jackson, 2014-06-06 19:31

    Operating System

    Using the Windows Firewall INF File in Microsoft Windows XP with Service Pack 2 (SP2)

Microsoft Corporation

    Published: March 2004

    Updated: August 2004

Abstract

    Microsoft Windows XP with Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the Internet Connection Firewall component in Windows XP and Windows XP with Service Pack 1 (SP1). Windows Firewall is a stateful host firewall that discards unsolicited incoming traffic, providing a level of protection for computers against malicious users or programs. To provide better protection for computers connected to any kind of network (such as the Internet, a home network, or an organization network), Windows XP with SP2 enables Windows Firewall on all network connections by default. Network administrators can use the Windows Firewall INF file (Netfw.inf) to modify default settings either before or after installation. This article describes the usage of the Windows Firewall INF file.

    Microsoft Windows XP Technical Article

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Microsoft does not make any representation or warranty regarding specifications in this document or any product or item developed based on these specifications. Microsoft disclaims all express and implied warranties, including but not limited to the implied warranties of merchantability, fitness for a particular purpose and freedom from infringement. Without limiting the generality of the foregoing, Microsoft does not make any warranty of any kind that any item developed based on these specifications, or any portion of a specification, will not infringe any copyright, patent, trade secret or other intellectual property right of any person or entity in any country. It is your responsibility to seek licenses for such intellectual property rights where appropriate. Microsoft shall not be liable for any damages arising out of or in connection with the use of these specifications, including liability for lost profit, business interruption, or any other damages whatsoever. Some states do not allow the exclusion or limitation of liability or consequential or incidental damages; the above limitation may not apply to you. © 2004 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


    Contents

    Overview ... 1
    Scenarios for Modifying Default Windows Firewall Configuration ... 1
        Third Party Firewall Enabled ... 1
        Preinstalled Programs ... 1
        Pre-Opened Ports ... 2
    Location of Windows Firewall INF File ... 2
    Replacing the Default Windows Firewall Configuration ... 2
    Default Windows Firewall INF File ... 2
    Configuration Options Provided in the Windows Firewall INF File ... 3
        Changing Windows Firewall’s Default Operational Mode ... 5
        Disabling Windows Firewall’s Notifications ... 5
        Blocking Unicast Responses to Multicast and Broadcast Packets ... 5
        Enabling Remote Administration ... 6
        Allowing ICMP Messages through Windows Firewall ... 7
        Adding Static Ports to Windows Firewall’s Default Exceptions List ... 8
        Adding Programs to Windows Firewall’s Default Exceptions List ... 9
    Defining the Scope for an Entry in the Windows Firewall INF File ... 11
    Summary ... 12
    Related Links ... 12

Overview

    Windows XP with Service Pack 2 (SP2) includes the Windows Firewall, a replacement for the Internet Connection Firewall (ICF) component in Windows XP with Service Pack 1 (SP1) and Windows XP with no service packs installed. Windows Firewall is a stateful host-based firewall that drops all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This behavior of Windows Firewall provides a level of protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers.

    One of the enhancements in Windows XP with SP2 is the enabling of Windows Firewall by default during the installation of Windows XP or the update to Windows XP with SP2. Since Windows Firewall is enabled by default, network administrators need the flexibility to modify the default configuration of Windows Firewall both during the installation of Windows XP with SP2 and after its installation. Typical configuration modifications that may need to be performed include adding programs to Windows Firewall’s exceptions list or disabling Windows Firewall, for example if a third-party host-based firewall is already installed and enabled. Such modifications can be made to Windows Firewall’s default configuration by editing the Windows Firewall INF file, named Netfw.inf. This article describes how to edit the Windows Firewall INF file in order to create custom default configurations for Windows Firewall.

    Note This document can be used to configure the Windows Firewall on computers running Microsoft Windows Server 2003 with Service Pack 1 (SP1). The Windows Firewall is disabled by default in Windows Server 2003 with SP1.

    Scenarios for Modifying Default Windows Firewall Configuration

    The following are common scenarios for modifying the default configuration of Windows Firewall.

    Third Party Firewall Enabled

    An original equipment manufacturer (OEM) may choose to provide its customers with a third-party host-based firewall. If this firewall is enabled by default, then it is recommended that Windows Firewall be disabled. This can be done by modifying the Windows Firewall INF file to disable Windows Firewall by default.

    Preinstalled Programs

    An OEM or enterprise may choose to install a suite of programs by default. Some of these programs may need to receive unsolicited incoming traffic in order to function correctly. Windows Firewall can be configured to allow specific unsolicited incoming traffic by default by adding the programs to the Windows Firewall’s exceptions list. This can be done by adding entries for the programs to the Windows Firewall INF file. Only programs that require unsolicited incoming traffic should be added to the exceptions list; programs that do not require unsolicited incoming traffic should not be added to the exceptions list.

Using the Windows Firewall INF File in Microsoft Windows XP with Service Pack 2 2

    Pre-Opened Ports

    An enterprise may choose to use various network services and want to ensure that the network traffic for those services is allowed by default through Windows Firewall. For example, an enterprise may use some of the remote management functionality included in Windows XP. Windows Firewall can be configured to open the necessary ports by default by adding them to the Windows Firewall’s exceptions list. This can be done by adding entries for the TCP or UDP ports to the Windows Firewall INF file. Statically opening ports does potentially increase a computer’s exposure to attack, so the number of ports opened in Windows Firewall by default should be kept to a minimum.

    Location of Windows Firewall INF File

    On a Windows XP CD image, the location of the Windows Firewall INF file is:

        Cd_drive:\I386\Netfw.in_

    Note On a Windows XP CD image, the file’s name is Netfw.in_ (not Netfw.inf).

    After the installation of Windows XP with SP2, the location of the Windows Firewall INF file is:

        %WINDIR%\Inf\Netfw.inf

    Replacing the Default Windows Firewall Configuration

    1. Copy the default Windows Firewall INF file (Netfw.inf) from an installation of Windows XP with SP2.

    2. Make the desired modifications to the INF file. Directions for modifying the INF file are provided in the "Configuration Options Provided in the Windows Firewall INF File" section of this article.

    3. Save the modified INF file as Netfw.inf.

    4. Replace the default Netfw.inf with the modified Netfw.inf in the installation of Windows XP with SP2.

    5. Run the command netsh firewall reset on the computer running Windows XP with SP2. This can be done manually by entering the command at a command prompt or by including the command in a run-once script.

    Default Windows Firewall INF File

    The default contents of the Netfw.inf file are the following:

        [Version]
        Signature = "$Windows NT$"
        DriverVer =07/01/2001,5.1.2600.2132

        [DefaultInstall]
        AddReg=ICF.AddReg.DomainProfile
        AddReg=ICF.AddReg.StandardProfile

        [ICF.AddReg.DomainProfile]
        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

        [ICF.AddReg.StandardProfile]
        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    The first two sections of Netfw.inf contain versioning and configuration information and do not need to be modified. The sections that are significant for modifying the default configuration for Windows Firewall are the following:

    • ICF.AddReg.DomainProfile Windows Firewall maintains two sets of configuration known as profiles. One profile is used when a computer is connected to the domain to which it is joined, while the other profile is used when the computer is not connected to its domain. This section is for defining changes to Windows Firewall’s default configuration when a computer is connected to a network that contains its domain.

    • ICF.AddReg.StandardProfile This section is for defining changes to Windows Firewall’s default configuration when a computer is not connected to a network that contains its domain. If a computer is not a member of a domain, then Windows Firewall will always enforce the configuration stored in the Standard Profile.

    Configuration Options Provided in the Windows Firewall INF File

    The majority of the default configuration for Windows Firewall can be defined in the Windows Firewall INF file. This includes the following settings:

    • Operational mode
    • Disable notifications
    • Block unicast responses to multicast and broadcast packets
    • Enable Remote Administration
    • Allow ICMP messages
    • Open ports
    • Allow programs

    These settings are described in the following sections.

    Notes All of the settings made in the Windows Firewall INF file will be applied to all of a computer’s network interfaces. The opening of ports and allowing of ICMP messages for individual interfaces cannot be done through the Windows Firewall INF file. Logging settings cannot be defined through the Windows Firewall INF file.

    Changing Windows Firewall’s Default Operational Mode

    Windows Firewall can be placed in one of three operational modes:

    • On This is the default operational mode for Windows Firewall. In this mode, Windows Firewall drops all unsolicited incoming traffic, except those matching enabled entries in Windows Firewall’s exceptions lists. Since this is the default operational mode, no entries need to be included in the Windows Firewall INF file.

      - The assumed entries for the Domain Profile in the ICF.AddReg.DomainProfile section of the Windows Firewall INF file are:

        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DoNotAllowExceptions",0x00010001,0
        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,1

      - The assumed entries for the Standard Profile in the ICF.AddReg.StandardProfile section of the Windows Firewall INF file are:

        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0
        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,0x00000001

    • On with No Exceptions In this mode, Windows Firewall blocks all unsolicited incoming traffic, even those matching enabled entries in Windows Firewall’s exceptions lists.

      - To make this the default operational mode for the Domain Profile, add the following entries to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DoNotAllowExceptions",0x00010001,1
        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,1

      - To make this the default operational mode for the Standard Profile, add the following entries to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,1
        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1

    • Off In this mode, Windows Firewall is disabled and does not do any filtering of unsolicited incoming traffic. All unsolicited incoming traffic is allowed, and Windows Firewall is not helping to protect the computer from network attacks.

      - To make this the default operational mode for the Domain Profile, add the following entries to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DoNotAllowExceptions",0x00010001,0
        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0

      - To make this the default operational mode for the Standard Profile, add the following entries to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0
        o HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,0

    Disabling Windows Firewall’s Notifications

    By default, Windows Firewall displays a notification to users when a program not already included in the Windows Firewall exceptions list uses the new Windows Firewall APIs to add itself or its traffic to an exceptions list. By adding the appropriate entries to the Windows Firewall INF file, these notifications can be disabled in either or both of Windows Firewall’s profiles.

    To disable notifications by default in the Domain Profile, add the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableNotifications",0x00010001,1

    To disable notifications by default in the Standard Profile, add the following entry to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,1

    Blocking Unicast Responses to Multicast and Broadcast Packets

    By default, Windows Firewall allows incoming unicast response packets to a port for 3 seconds after a multicast or broadcast packet is sent from the port. By adding the appropriate entries to the Windows Firewall INF file, this behavior can be disabled in either or both of Windows Firewall’s profiles.

    To block unicast responses to multicast and broadcast packets by default in the Domain Profile, add the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableUnicastResponsesToMulticastBroadcast",0x00010001,1

    To block unicast responses to multicast and broadcast packets by default in the Standard Profile, add the following entry to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableUnicastResponsesToMulticastBroadcast",0x00010001,1

    Enabling Remote Administration

    Windows Firewall includes a Remote Administration option that alters its configuration to

    allow Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM)

    communication. Enabling this option statically opens TCP 135 and TCP 445 to

    unsolicited incoming traffic. Additionally, communication over named pipes is permitted,

    and ports will be dynamically opened as needed by Windows services using RPC. By

    adding the appropriate entries to the Windows Firewall INF file, the Remote

    Administration option can be enabled in either or both of Windows Firewall’s profiles.

    To enable Remote Administration by default in the Domain Profile, add the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings","Enabled",0x00010001,1

    To enable Remote Administration by default in the Standard Profile, add the following entry to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\RemoteAdminSettings","Enabled",0x00010001,1

    When enabling Remote Administration, the set of IP addresses from which unsolicited incoming traffic will be accepted can also be specified through an additional entry in the appropriate section of the Windows Firewall INF file.

    To define the default scope for Remote Administration in the Domain Profile, add the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\RemoteAdminSettings","RemoteAddresses",0x00000000,scope

    To define the default scope for Remote Administration in the Standard Profile, add the following entry to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\RemoteAdminSettings","RemoteAddresses",0x00000000,scope

    Permitted values for scope are defined in the "Defining the Scope for an Entry in the Windows Firewall INF File" section of this article.

    Allowing ICMP Messages through Windows Firewall

    While the default configuration for Windows Firewall blocks all ICMP message types, this behavior can be modified by adding entries to the Windows Firewall INF file to allow certain ICMP message types by default.

    To allow an ICMP message type by default in the Domain Profile, add the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\IcmpSettings","ICMP Message Type",0x00010001,1

    To allow an ICMP message type by default in the Standard Profile, add the following entry to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

        HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings","ICMP Message Type",0x00010001,1

    Both of these entries require an ICMP Message Type to be specified. The permitted values for ICMP Message Type are listed in Table 1.

    Table 1 ICMP Message Types

    ICMP Message Type                     Number  Description
    AllowOutboundPacketTooBig             2       When an Internet Protocol version 6 (IPv6) packet is too large to be forwarded, data will be dropped and a computer will reply to the sender with a Packet Too Big message.
    AllowOutboundDestinationUnreachable   3       Data sent that fails to reach this computer due to an error will be discarded and reported with a Destination Unreachable message that explains the failure.
    AllowOutboundSourceQuench             4       When a computer’s ability to process incoming data cannot keep up with the rate of a transmission, data will be dropped and the sender will be asked to transmit more slowly.
    AllowRedirect                         5       Data sent from a computer will be rerouted.
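    The following script is an added example and is not part of Microsoft's article or of Windows; it illustrates, in one place, the "Replacing the Default Windows Firewall Configuration" procedure (step 2, appending entries to a profile section), the operational-mode entries, the Remote Administration and notification entries, and the IcmpSettings entries from Table 1. It reads a Netfw.inf text, maps each profile's AddReg lines onto the defaults the article states apply when no entry is present, and reports the settings a reviewer should check before the file is deployed (firewall Off, Remote Administration enabled and its scope, notifications off, ICMP types allowed). The function names (parse_addreg, add_entries, mode_entries, effective_settings, operational_mode, audit) are this example's own; DEFAULT_INF reproduces the default file as printed above; the flag value 0x00010001 is read as REG_DWORD per INF AddReg conventions; and the scope value "LocalSubnet" in the constructed modification is an assumption, since the scope section is not part of this excerpt.

```python
"""Audit and edit a Windows Firewall INF file (Netfw.inf). Added example, not
Microsoft's code: it parses the AddReg lines the article describes, appends new
entries to a profile section, and reports each profile's effective settings."""
import re

POLICY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# The default Netfw.inf as printed in the article (the two long HKLM lines kept whole).
DEFAULT_INF = r"""[Version]
Signature = "$Windows NT$"
DriverVer =07/01/2001,5.1.2600.2132
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile
[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"""

# AddReg line: HKLM,"subkey","value name",flags,data   (flags 0x00010001 = REG_DWORD)
ADDREG_RE = re.compile(r'^HKLM,"(?P<key>[^"]+)","(?P<name>[^"]*)",(?P<flags>0x[0-9A-Fa-f]+),(?P<data>.*)$')
# Registry values behind the three operational modes the article describes.
MODE_VALUES = {"On": {"EnableFirewall": 1, "DoNotAllowExceptions": 0},
               "On with No Exceptions": {"EnableFirewall": 1, "DoNotAllowExceptions": 1},
               "Off": {"EnableFirewall": 0, "DoNotAllowExceptions": 0}}

def parse_addreg(inf_text):
    """Map each INF section name to its AddReg tuples (key, value name, flags, data)."""
    sections, current = {}, None
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None and (m := ADDREG_RE.match(line)):
            data = m.group("data").strip()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]                  # REG_SZ written as "text"
            elif m.group("flags").lower() == "0x00010001":
                data = int(data, 0)                # REG_DWORD written as 1 or 0x00000001
            sections.setdefault(current, []).append((m.group("key"), m.group("name"), m.group("flags"), data))
    return sections

def add_entries(inf_text, section, new_lines):
    """Append AddReg lines to [section] (step 2 of the replacement procedure)."""
    lines = inf_text.splitlines()
    start = end = lines.index(f"[{section}]") + 1      # ValueError if the section is missing
    while end < len(lines) and not lines[end].startswith("["):
        end += 1
    while end > start and not lines[end - 1].strip():  # stay above a blank line before the next section
        end -= 1
    return "\n".join(lines[:end] + list(new_lines) + lines[end:]) + "\n"

def mode_entries(profile, mode):
    """The two AddReg lines that make `mode` the default for DomainProfile or StandardProfile."""
    return [f'HKLM,"{POLICY}\\{profile}","{name}",0x00010001,{value}'
            for name, value in MODE_VALUES[mode].items()]

def effective_settings(sections, profile):
    """Collapse a profile's entries onto the defaults that apply when no entry is present."""
    base = f"{POLICY}\\{profile}"
    s = {"EnableFirewall": 1, "DoNotAllowExceptions": 0, "DisableNotifications": 0,
         "DisableUnicastResponsesToMulticastBroadcast": 0, "RemoteAdmin": {}, "IcmpAllowed": []}
    for key, name, _flags, data in (e for entries in sections.values() for e in entries):
        if key == base:
            s[name] = data
        elif key == f"{base}\\RemoteAdminSettings":
            s["RemoteAdmin"][name] = data          # "Enabled" and "RemoteAddresses"
        elif key == f"{base}\\IcmpSettings" and data == 1:
            s["IcmpAllowed"].append(name)
    return s

def operational_mode(s):
    if s["EnableFirewall"] == 0:
        return "Off"
    return "On with No Exceptions" if s["DoNotAllowExceptions"] == 1 else "On"

def audit(inf_text):
    """(profile, finding) pairs a reviewer should see before the INF is deployed."""
    sections, findings = parse_addreg(inf_text), []
    for profile in ("DomainProfile", "StandardProfile"):
        s = effective_settings(sections, profile)
        if operational_mode(s) == "Off":
            findings.append((profile, "firewall disabled: unsolicited inbound traffic is not filtered"))
        if s["RemoteAdmin"].get("Enabled") == 1:
            scope = s["RemoteAdmin"].get("RemoteAddresses", "(no RemoteAddresses entry)")
            findings.append((profile, f"remote administration enabled (TCP 135/445 open), scope {scope}"))
        if s["DisableNotifications"] == 1:
            findings.append((profile, "exception notifications disabled"))
        findings += [(profile, f"ICMP allowed: {t}") for t in s["IcmpAllowed"]]
    return findings

# Constructed modification: Standard Profile switched Off; Domain Profile given Remote Administration scoped
# to "LocalSubnet" (an assumed scope value; the scope syntax is outside this excerpt) plus one ICMP type.
MODIFIED_INF = add_entries(DEFAULT_INF, "ICF.AddReg.StandardProfile", mode_entries("StandardProfile", "Off"))
MODIFIED_INF = add_entries(MODIFIED_INF, "ICF.AddReg.DomainProfile", [
    f'HKLM,"{POLICY}\\DomainProfile\\RemoteAdminSettings","Enabled",0x00010001,1',
    f'HKLM,"{POLICY}\\DomainProfile\\RemoteAdminSettings","RemoteAddresses",0x00000000,"LocalSubnet"',
    f'HKLM,"{POLICY}\\DomainProfile\\IcmpSettings","AllowOutboundDestinationUnreachable",0x00010001,1'])
REPORT = audit(MODIFIED_INF)   # three findings: Domain remote admin scope, Domain ICMP type, Standard Off
```

    Running the script as-is leaves REPORT with three findings; audit(DEFAULT_INF) is empty, which is the expected result for the unmodified file (both profiles On, nothing else set). Because the Standard Profile is what a non-domain computer always enforces, a finding against that profile is the one to weigh most carefully before the INF is replaced and netsh firewall reset is run.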
