Opening Particular Ports
The remaining settings open particular ports. The first, Allow Dynamically Assigned Ports for RPC and DCOM, is a bit of a conundrum: to enable or not to enable? I'm a big fan of Windows Management Instrumentation (WMI)-based tools such as WMI VBScripts and the Microsoft Management Console (MMC) Manage Computer snap-in, and WMI needs Remote Procedure Calls (RPCs). You can't use the Manage Computer snap-in to control a system remotely without using WMI, so if you want to leave Windows Firewall in place but still use Manage Computer to control remote systems, you'll have to enable this setting. The problem with opening ports for RPC is that Microsoft has discovered some scary bugs in RPC in the past 2 years, perhaps the most memorable of which led to MSBlaster. So enabling a firewall but also opening ports for RPC might be a self-defeating exercise, like installing locks on all your doors but leaving the front door unlocked for convenience: Burglars will find it convenient, too. Like the previous setting, this setting lets you open ports to all IP addresses or just to the local subnet, but that option doesn't seem very helpful either. In many cases in which MSBlaster attacked a business, the attack launched from an infected laptop that someone carried into the company. So think long and hard before you enable this setting.
The File and Print Sharing, Remote Assistance Support, and Universal Plug and Play settings work the same way as the RPC setting: You can turn them on or off, and if you turn them on you can restrict them to the local subnet. You can enable all but Remote Assistance support from the command line by using the
netsh firewall ipv4 set service
command, followed by type= and the name of the service (i.e., FILEANDPRINT, RPCANDDCOM, or UPNP), as well as scope= and either all (the entire Internet) or subnet (the local subnet). For example, to enable file and print sharing for only the local subnet, you'd type
netsh firewall ipv4 set service
type=fileandprint scope=subnet
You can append profile= and interface= to any command, so if you wanted to open file and print services on your wired Ethernet connection only when your system was connected to the domain, you'd use the command
netsh firewall ipv4 set service
type=fileandprint scope=subnet
interface="local area connection"
profile=corporate
Whereas Group Policy refers to Domain and Mobile profiles, command-line tools refer to corporate and other profiles.
Two policy settings remain. Allow ICMP Settings affects the Internet Control Message Protocol (ICMP) subsystem. In general, you don't need to worry much about ICMP, but you probably will care about one aspect of it: Ping. By default, firewalled systems block all ICMP requests and therefore ignore pings. A look at the Allow ICMP Settings Properties shows nine types of ICMP requests that Windows Firewall permits. For ping purposes, you need to enable only Allow Inbound Echo Request. This setting has no option for restricting ICMP traffic to the local subnet.
From the command line, you'd open up ICMP with the command
netsh firewall ipv4 set icmpsetting
followed by type= and a number (3, 4, 5, 8, 10, 11, 12, 13, or 17) or the word all. Each number refers to one of the nine ICMP settings, and the one you want, incoming echo request, is number 8. To make your system respond to pings, then, you'd type
netsh firewall ipv4 set icmpsetting type=8
Again, you can add profile= or interface= to make the command more specific.
What if you want to open a port for a service that I haven't discussed? Just use the ninth policy setting, Define Custom Open Ports. Enable it, then click Show as I explained for Define Allowable Programs. Next, specify the number of the port you want Windows Firewall to open, whether the port is TCP or UDP, whether to open it up to the world or just the local subnet, and whether to enable or disable it. Optionally, you can give the port a descriptive name. For example, your mail server might want TCP port 25 open to the whole world, so you might specify
25:TCP:*:enabled:SMTP
where 25 is the port number, TCP is the protocol, the asterisk (*) opens the port to the whole world (the alternative is subnet), enabled opens the port instead of closing it, and SMTP is a descriptive phrase. From the command line, use the command
netsh firewall ipv4 add portopening
followed by protocol= (with tcp, udp, or all), port= (with the number), name= (with a name), mode= (with enable or disable), and scope= (with all or subnet). To enable your mail server, you'd type
Playing around with these settings, you might get confused (Hey, I closed that port, why is it still open?) unless you understand an important difference between how the firewall behaves when controlled by a Group Policy setting and how it behaves when controlled from the command line. Command-line commands typically take effect immediately. Group Policy changes can take a while to appear. You can make local Group Policy changes in Windows Firewall take effect immediately by using the command
gpupdate
Wait for the command to finish, then go to Services in the Manage Computer snap-in and restart the Internet Connection Firewall service. (Microsoft might rename this service by the time SP2 debuts.)
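The Define Custom Open Ports entry format and its netsh add portopening equivalent, as an added Python example that is not part of the original article: it parses entries of the form port:protocol:scope:mode:name described above, renders the matching netsh command (with the optional profile= and interface= parameters), and lists the enabled entries that are open to all addresses, the case the RPC discussion warns about. The sample entries and the internet_exposed check are my own constructions; the netsh syntax is the one the article gives.

```python
import re

# Define Custom Open Ports entries take the form port:protocol:scope:mode:name,
# e.g. 25:TCP:*:enabled:SMTP; * means all addresses, subnet the local subnet.
ENTRY_RE = re.compile(
    r"^(?P<port>\d{1,5}):(?P<proto>TCP|UDP):(?P<scope>\*|subnet)"
    r":(?P<mode>enabled|disabled)(?::(?P<name>.+))?$", re.IGNORECASE)

def parse_port_entry(entry):
    # Map one policy entry onto the field names netsh add portopening uses.
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"malformed port entry: {entry!r}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return {
        "port": port,
        "protocol": m.group("proto").lower(),
        "scope": "all" if m.group("scope") == "*" else "subnet",
        "mode": "enable" if m.group("mode").lower() == "enabled" else "disable",
        "name": m.group("name") or f"port{port}",
    }

def to_netsh(fields, profile=None, interface=None):
    # Render the equivalent command; profile= and interface= are optional.
    name = fields["name"]
    if " " in name:
        name = f'"{name}"'  # netsh needs quotes around a name with spaces
    cmd = (f"netsh firewall ipv4 add portopening protocol={fields['protocol']} "
           f"port={fields['port']} name={name} mode={fields['mode']} "
           f"scope={fields['scope']}")
    if interface:
        cmd += f' interface="{interface}"'
    if profile:
        cmd += f" profile={profile}"
    return cmd

def internet_exposed(entries):
    # Names of entries that are enabled and open to all addresses (scope=all).
    return [f["name"] for f in map(parse_port_entry, entries)
            if f["mode"] == "enable" and f["scope"] == "all"]

# Constructed sample policy entries (not taken from any real system).
SAMPLE_ENTRIES = [
    "25:TCP:*:enabled:SMTP",
    "3389:TCP:subnet:enabled:Remote Desktop",
    "135:TCP:*:disabled:RPC endpoint mapper",
]
```

Run internet_exposed over the entries from a Show dialog before you enable the policy: anything it lists is reachable from every address, not just the local subnet.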
I work for a company that hasn't yet made the leap to XPSP2. I installed it myself to fix a video driver bug. Now I'm setting up a VPN between home and my work computer. I want to use the XPSP2 firewall to block access to Remote Desktop, VNC and telnet normally, but allow it through from the VPN subnet.
I set stuff up through the GUI but discovered I could still telnet and VNC in to my wireless and wired IPs. After playing with netsh, I noticed that the first line of `firewall show config` says "Domain Profile Config Operational mode = Disable"
I'm guessing that my firewall policies are being overridden by a company Domain policy, which they haven't set since they don't yet use XPSP2.
1) Am I right about why my fw doesn't work? 2) Is there any way round it (other than buying a proprietary firewall or, worse yet, trying to convince company tech support to change group policy)?
DonJuan64, August 03, 2004