June 2004

Fine-Tuning Windows Firewall

A look at 9 new Group Policy settings and their corresponding commands

Command-Line Extras
That's the extent of the Group Policy settings for Windows Firewall, but the command line can do a few other things. Recall that Windows Firewall has two profiles: Domain and Mobile. Suppose you want to know which profile your system is using. The following command determines whether you're running the Domain Profile (corporate) or the Mobile Profile (other):

netsh firewall ipv4 show currentprofile

If you want to know more about what the firewall is doing, you can use the Set Logging command, which takes four optional parameters. filelocation= tells Windows Firewall where to put the ASCII log file, and maxfilesize= lets you specify how large the file can grow. You specify the file size in kilobytes, and the largest value it can take is 32767. The droppedpackets= and connections= parameters each take the value enable or disable; the first tells Windows Firewall whether to log blocked (dropped) packets, the second whether to log successful connections. For example, if you want to log both successful and blocked connections to a file called C:\firelog.txt and give it a maximum size of 8MB (8192KB), you'd use the command

netsh firewall ipv4 set logging filelocation="C:\firelog.txt" maxfilesize=8192 droppedpackets=enable connections=enable

The log can grow large, but if you're trying to track down a regular attacker, you'll be glad you have a complete log of every TCP and UDP connection and refusal. You can use the following command to determine the current logging settings:

netsh firewall ipv4 show logging
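Once logging is enabled, the file at filelocation= is where you go to track down that "regular attacker". The following Python script is an added example, not code from the article or from Microsoft: it reads the firewall's ASCII log, maps each data line onto the column names from the #Fields: header line the firewall writes at the top of the file (so the parser does not depend on fixed column positions), and then counts dropped packets per source address together with the destination ports each source touched. The log lines embedded in SAMPLE_LOG are constructed for the example, not captured from a real machine; the helper names (parse_firewall_log, summarize_drops, count_actions, summarize_file) are this example's own.

```python
"""Summarize the Windows Firewall log written by
'netsh firewall ipv4 set logging ... droppedpackets=enable connections=enable'.

The file is W3C extended log format: comment lines start with '#', and the
'#Fields:' line names the columns of every data line that follows.
"""
from collections import Counter, defaultdict

# Constructed sample of what C:\firelog.txt can look like. The header lines
# follow the format the firewall writes; the data lines are made up here.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-01 09:15:01 DROP TCP 10.0.0.77 192.168.1.10 3412 445 48 S 2214513 0 65535 - - - RECEIVE
2004-06-01 09:15:02 DROP TCP 10.0.0.77 192.168.1.10 3413 139 48 S 2214514 0 65535 - - - RECEIVE
2004-06-01 09:15:03 DROP TCP 10.0.0.77 192.168.1.10 3414 135 48 S 2214515 0 65535 - - - RECEIVE
2004-06-01 09:16:10 OPEN TCP 192.168.1.10 192.168.1.1 1045 80 - - - - - - - - -
2004-06-01 09:16:11 CLOSE TCP 192.168.1.10 192.168.1.1 1045 80 - - - - - - - - -
2004-06-01 09:17:45 DROP UDP 10.0.0.23 192.168.1.10 1900 1900 131 - - - - - - - RECEIVE
2004-06-01 09:18:00 DROP ICMP 10.0.0.77 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text):
    """Return one dict per data line, keyed by the names in the '#Fields:' header.

    Lines whose column count does not match the header are skipped rather than
    guessed at: the firewall appends to the file while it is live, so the last
    line may be partially written, and a short line must not shift the columns.
    """
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # data before any header: no column names to map onto
        cols = line.split()
        if len(cols) != len(fields):
            continue
        records.append(dict(zip(fields, cols)))
    return records


def count_actions(records):
    """Overall action breakdown. OPEN/CLOSE only appear with connections=enable."""
    return Counter(r["action"] for r in records)


def summarize_drops(records, min_hits=1):
    """Count DROP entries per source IP and collect the (protocol, dst-port) pairs
    each source was dropped on. One source hitting several ports in quick
    succession is the pattern worth a closer look; min_hits filters the noise."""
    hits = Counter()
    ports = defaultdict(set)
    for r in records:
        if r["action"] != "DROP":
            continue
        hits[r["src-ip"]] += 1
        ports[r["src-ip"]].add((r["protocol"], r["dst-port"]))
    return {ip: (n, sorted(ports[ip])) for ip, n in hits.items() if n >= min_hits}


def summarize_file(path, min_hits=1):
    """Convenience wrapper for a real log file, e.g. summarize_file(r"C:\\firelog.txt")."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return summarize_drops(parse_firewall_log(fh.read()), min_hits)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print(dict(count_actions(recs)))
    for ip, (n, touched) in sorted(summarize_drops(recs).items(),
                                   key=lambda kv: -kv[1][0]):
        print(f"{ip}: {n} dropped, on {touched}")
```

Run it as-is to see the constructed sample summarized, or call summarize_file() on the path you gave to filelocation=. Because the parser takes its column names from the #Fields: header, the same code keeps working if a later firewall version adds or reorders columns.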

For a comprehensive overview of your firewall settings, use the command

netsh firewall ipv4 show config

To see the firewall's current runtime state rather than its configuration, replace config with state in that command. To get a smaller report that shows only the ICMP settings or only the open ports, replace config with icmpsetting or portopening, respectively.

Too Much Work?
Windows Firewall comes with a lot of new things to understand. However, if your system lacks a personal firewall, Windows Firewall can make your system more secure at no greater cost than a little time to create a GPO to open whatever ports you need. In return, you get the benefit of knowing that a firewalled system is much less vulnerable to the latest worm.

Reader Comments
Liked all the command line examples.

DonJuan64 August 03, 2004


XP Firewall and Stupid Domain Policy

I work for a company that hasn't yet made the leap to XPSP2. I installed it myself to fix a video driver bug. Now I'm setting up a VPN between home and my work computer. I want to use the XPSP2 firewall to block access to Remote Desktop, VNC and telnet normally, but allow it through from the VPN subnet.

I set stuff up through the GUI but discovered I could still telnet and VNC in to my wireless and wired IPs. After playing with netsh, I noticed that the first line of `firewall show config` says
"Domain Profile Config
Operational mode = Disable"

I'm guessing that my firewall policies are being overridden by a company Domain policy, which they haven't set since they don't yet use XPSP2.

1) Am I right about why my fw doesn't work?
2) Is there any way round it (other than buying a proprietary firewall or, worse yet, trying to convince company tech support to change group policy)?


Anonymous User November 26, 2004


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.