How to Configure Windows Firewall in Windows XP Embedded with Service Pack 2
Summary
This white paper describes offline and online methods for configuring Microsoft Windows Firewall in Microsoft Windows XP Embedded with Service Pack 2 (SP2).
Introduction
Microsoft Windows XP Embedded with Service Pack 2 (SP2) delivers the same security features that Service Pack 2 provides to the Microsoft Windows XP Professional operating system. One of the most critical of these security features is Windows Firewall.
The most important change to Windows Firewall for Service Pack 2 is that it is now enabled by default. This new "On-by-Default" setting makes it important to configure Windows Firewall so that it provides the appropriate level of security for your run-time image. For example, you might want to open specific ports only to certain applications, or you might want to set and deny exceptions to firewall policy.
There are several ways to configure Windows Firewall for use in your run-time image:
- You can configure Windows Firewall in offline mode, before running First Boot Agent and deploying your run-time image.
- You can configure Windows Firewall in online mode, after running FBA and deploying your run-time image.
- You can configure Windows Firewall with or without rebuilding your run-time image.
This white paper describes the different methods that you can use to configure Windows Firewall in a Windows XP Embedded-based run-time image.
Configuring Windows Firewall Before the First Boot Agent Process
There are two ways to configure Windows Firewall in offline mode, before you run First Boot Agent (FBA) on your run-time image:
- To configure Windows Firewall before building your run-time image, you can use Target Designer to modify the settings of the Windows Firewall/Internet Connection Sharing (ICS) component. For more information about how to configure Windows Firewall settings in Target Designer, see Windows Firewall in the Windows XP Embedded documentation.
- To configure Windows Firewall without rebuilding your run-time image, you can either use the firewall configuration information (INF) file, or you can directly configure the registry settings for Windows Firewall. This section explains how to indirectly and directly change the settings.
Using the Firewall Configuration Information File to Configure Windows Firewall
Microsoft provides the information (INF) file, netfw.inf, which you can use to indirectly configure Windows Firewall. This firewall configuration file is located in your image folder under the "windows\inf" directory.
The netfw.inf file includes a firewall profile section that consists of two INF file sections. Each INF file section contains registry subkeys and values that are added to the system registry as Windows Firewall is installed. The following table describes these sections and the type of settings that they include.
| INF file section | Included settings |
| [ICF.AddReg.DomainProfile] | Domain profile settings used by default in domain environments (networks where domain controls exist). |
| [ICF.AddReg.StandardProfile] | Standard profile settings used by default in workgroup environments (where computers are not connected to a domain). |
These INF file sections use the same settings, but you can set different policies in each INF file section. Depending on your network environment, only one of these INF file sections is implemented when you deploy your run-time image. For example, this makes it possible for laptops, which can be dynamically joined to and removed from a network, to be subject to two different policies depending on their status. A firewall could be enabled when the laptop is joined to the domain, but not when the laptop is removed from the domain. To determine which set of policies is in force at any time after deployment, see the General tab in the Firewall Control Panel (firewall.cpl).
This section describes the entries that are contained in the firewall profile section of the netfw.inf file.
Entries Contained in the Firewall Profile Section of the INF File
This section describes how to configure the firewall registry entries that are contained in the firewall profile section of the netfw.inf file. These configurable settings are summarized in the following table.
| Section | Descriptions |
| EnableFirewall | Enables or disables Windows Firewall. |
| DoNotAllowExceptions | Allows or denies exceptions to Windows Firewall policies. |
| DisableNotifications | Enables or disables notifications of blocked applications and services. |
| IcmpSettings | Denies or allows Internet Control Message Protocol (ICMP) requests. |
| AuthorizedApplications\List | Authorizes or blocks specified applications and services. |
| GloballyOpenPorts\List | Enables or disables specified port openings. |
Basic Firewall Settings
Two basic firewall settings are located under the StandardProfile subkey for the local machine. By default, these settings enable Windows Firewall and deny exceptions to firewall policy. These settings appear in the [ICF.AddReg.StandardProfile] section of the netfw.inf file as follows:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0"
The following table describes the configurable settings for these INF file entries.
| Setting | Default value | Description |
| EnableFirewall |
1 | Set to 0 to disable Windows Firewall. The default value of 1 enables the "On-by-Default" feature of Windows Firewall. |
| DoNotAllowExceptions |
0 | Set to 1 to deny any exceptions. The default value of 0 allows exceptions. |
The following table describes how to combine the EnableFirewall and DoNotAllowExceptions settings for specific results.
| To… | Setting |
| Turn on Windows Firewall without any exceptions | EnableFirewall = 1 DoNotAllowExceptions = 1 |
| Turn on Windows Firewall with exceptions | EnableFirewall = 1 DoNotAllowExceptions = 0 |
| Turn off Windows Firewall | EnableFirewall = 0 The value that you set for DoNotAllowExceptions has no effect unless Windows Firewall is enabled in the run-time image. |
The DisableNotifications setting determines whether the user is notified when a program is blocked. By default, this value is set to 0 to enable notifications and appears in the INF file as follows:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,0
The following table describes the configurable settings for the DisableNotifications INF file entry.
| Setting | Default value | Description |
| DisableNotifications |
0 | Set to 1 to disable notifications when a program is blocked. By default this setting is set to 0 to enable notifications. |
All of the ICMP settings can be found under the IcmpSettings subkey. The IcmpSettings subkey includes the AllowInboundTimeStampRequest setting, which determines whether ICMP requests are denied or allowed. By default, this value is set to 0 to deny ICMP requests and appears in the INF file as follows:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\IcmpSettings",
"AllowInboundTimeStampRequest",0x00010001,0
The following table describes all of the configurable settings for the IcmpSettings INF file entry.
| Setting | Default value | Description |
| AllowInBoundEchoRequest |
0 | Set to 1 to repeat messages that are sent to this computer back to the sender. By default, echo request are denied. |
| AllowInboundTimeStampRequest |
0 | Set to 1 to cause this computer to acknowledge data transmissions with a confirmation message indicating the time of receipt. By default, no confirmation messages are sent. |
| AllowInboundMaskRequest |
0 | Set to 1 to cause this computer to listen for and respond to requests for information about the public network that includes it. By default, such requests for information are ignored. |
| AllowInboundRouterRequest |
0 | Set to 1 to cause this machine to respond to requests for routing information. By default, requests for routing information are ignored. |
| AllowOutboundDestinationUnreachable |
0 | Set to 1 to cause a "destination unreachable" message and explanation to be sent when data that is sent over the Internet fails to reach this machine. In such an event, the data is discarded. By default, no message is sent. |
| AllowOutboundSourceQuench |
0 | Set to 1 to cause a request to be made to the sender to slow the rate of transmission when this computer cannot keep up with the transmission rate. By default, no request is made. |
| AllowOutboundParameterProblem |
0 | Set to 1 to cause this computer to issue a "bad header" error message when it must discard data that it has received because of faulty header information. By default, no error message is sent. |
| AllowOutboundTimeExceed |
0 | Set to 1 to cause this machine to transmit a "time expired" message to the sender when an incomplete data transmission is discarded because the entire transmission required more time than was allowed. By default, no error message is sent. |
| AllowRedirect |
0 | Set to 1 to cause data that is sent from this computer to be rerouted if the default path changes. By default, no rerouting occurs if the default path changes. |
List of Authorized Applications
The netfw.inf file includes an entry that lists authorized applications. By default, Remote Assistance is the only application that is authorized for the local machine. This entry is shown in the INF file as follows:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List",
"%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"
This entry is configured by using the following syntax:
Absolute Path to program executable: Scope (LocalSubnet/*): Status (Enabled/Disabled): Program Name
In the preceding example, "%windir%\system32\sessmgr.exe:" is the path to the program executable. The "*:" label denotes a scope of any source. You can insert "LocalSubnet" in place of the asterisk to limit the scope. Finally, "Enabled:Remote Assistance" enables the Remote Assistance program. You can use this syntax to enable or disable any specified program.
The following registry setting adds the myapp.exe application, named My Application, to the authorized application list and enables it for the local subnet:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List",
"C:\Program Files\Applications\myapp.exe",0x00000000,
"C:\Program Files\Applications\myapp.exe: LocalSubnet: Enabled: My Application"
List of Port Openings
The netfw.inf file includes an entry that lists the ports that are specified to be open. The default entry and setting for the NetBIOS Name Service port is shown in the INF file as follows:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\List",
"137:UDP",0x00000000,"137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"
In this entry, 137 is the port number. "UDP" is the protocol, in this case User Datagram Protocol. The scope is specified as LocalSubnet for the local subnet. The NetBIOS Name Service port (UDP 137) is disabled. The following syntax can be used to configure this INF file entry:
Port Number (1-65535): Protocol (UDP/TCP) : Scope (LocalSubnet/*) : Status (Enabled/Disabled) : Port Name
INF file entries that specify port openings can be added as enabled or disabled port openings. By default, the seven INF file entries that specify port openings are set to disable the ports. If a port opening entry is disabled, that port is effectively blocked by Windows Firewall until it is enabled in the run-time image.
You can edit port entries in the INF file to enable some port openings, or you can add new entries. The following example shows how to enable the NetBIOS Name Service port entry for any source:
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\List",
"137:UDP",0x00000000,"137:UDP:*:Enabled:NetBIOS Name Service"
Editing the Registry to Configure Windows Firewall
This section describes how to configure Windows Firewall in offline mode by using the regedit utility to directly change settings in the system registry.
To configure Windows Firewall settings in the system registry
- Open regedit and load the system hive from the image folder at %windir%\system32\config\system.sav.
- Locate the appropriate hive and subtree:
CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
-or-
CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile - Modify the appropriate registry key value by using the firewall settings that were explained earlier in this white paper.
- For adding authorized applications and opened ports, create AuthorizedApplications\List and GloballyOpenPorts\List subkeys respectively, if they do not already exist under the subtree. Add or modify the appropriate registry key values under these subkeys.
Configuring Windows Firewall After the First Boot Agent Process
There are several ways to configure Windows Firewall in online mode, after First Boot Agent (FBA) has been run. You can configure settings in online mode by using any of the following tools:
- Windows Firewall Control Panel
- Netsh utility, to indirectly edit the system registry from the command line
- Regedit, to directly edit the system registry
This section describes these configuration methods.
Using Control Panel to Configure Windows Firewall
If you added the Windows Firewall Control Panel component to the configuration, you can use the firewall.cpl Control Panel application to configure Windows Firewall.
Using the Netsh Utility to Configure Windows Firewall
If you do not have control panel access, but if your run-time image has access to netsh shell, you can use netsh to change Windows Firewall settings, for example:
netsh>Firewall
To check the current status of the firewall:
netsh firewall>show state
In the following command, the first parameter sets the state of the firewall. To enable the firewall, use the enable argument; to disable the firewall, use the disable argument. The second parameter specifies whether to allow or deny exceptions. To allow exceptions, specify enable; to disable exceptions, specify disable. You can also specify either or both of the interface and profile.
netsh firewall>set opmode [enable/disable] [enable/disable]
The following command is used to enable or disable notification when a program is blocked. To enable notification when a program is blocked, use the enable switch. To disable notification when a program is blocked, use the disable switch.
netsh firewall>set notifications [enable/disable]
You can also change Internet Control Message Protocol (ICMP) settings and create lists of port openings and authorized applications and services by using the following netsh commands. For example, to change ICMP settings:
netsh firewall>set icmpsetting
To create authorized applications:
netsh firewall>set service
To create port openings:
netsh firewall>set portopening
For more information about the command syntax for netsh, see the netsh shell documentation.
Using Regedit to Configure Windows Firewall
If you have access to regedit in your run-time image, you can edit the system registry keys directly to configure Windows Firewall. In this case, it is not necessary to load the registry hive. All that is required is to locate the registry subtree and change the registry key values. For more information, see the section of this white paper entitled, "Editing the Registry to Configure Windows Firewall."
No comments:
Post a Comment