Windows Firewall comes with several predefined Programs and Services that you can configure as exceptions, and you can add more. Each exception is based on a specific TCP or UDP port or on an executable name. The classic method of defining firewall rules is by using port numbers, but backdoor and Trojan horse programs have proven that port numbers aren't always a dependable way of judging incoming packets. A backdoor program that successfully installs itself on a computer opens a port and waits for an attacker to connect. Some of these backdoor programs open ports that legitimate programs use; other backdoor programs insert themselves between a legitimate program and its port, inspecting incoming traffic and intercepting incoming requests to the backdoor (these requests masquerade as requests to the legitimate program). To defeat both types of backdoor programs, Windows Firewall also lets you authorize specific programs to open ports. Let's examine two of Windows Firewall's prebuilt exceptions, which demonstrate the port- and program-based approaches.
Ports. To view a port-based exception configuration, select the Remote Assistance and Remote Desktop check box under Programs and Services on the applet's Exceptions tab to open the Exceptions dialog box. As Figure 2 shows, this built-in exception is based on TCP port 3389, which is used by the Remote Desktop Protocol (RDP), through which Remote Assistance and Remote Desktop communicate.
At the bottom of the Exceptions dialog box, you'll find two Scope options: You can open the specified port to All IP addresses (i.e., systems on the local LAN segment and from across the Internet), or you can open the port to Local Subnet Only. The Local Subnet Only option's value is limited to small and midsized businesses that have only one subnet or to organizations that can be sure that the people or programs that need to access the workstation from over the network will be on the same subnet as the workstation. For companies with more than one subnet, the Scope setting is fairly useless. If you use a systems-management program such as Microsoft Systems Management Server (SMS) or if your administrators need network access to workstations on multiple subnets, you have no choice but to set the Scope to All IP addresses. An alternative to using the Scope option is to use XP's built-in IP Security (IPSec) support. You can use IPSec policies to link Allow or Deny rules to multiple IP subnets so that computers outside your overall intranet subnet ranges can't connect to ports that you must open up within Windows Firewall. You can use the same Group Policy Object (GPO) that you use to control Windows Firewall to easily distribute these IPSec policies. (For more information about using such policies within your intranet, see "Resources.")
Programs. Now let's look at a program-based exception. Click Cancel on the Exceptions dialog box to close the box, then select the Windows Messenger check box on the Exceptions tab to open a new Exceptions dialog box. As Figure 3 shows, this exception is tied to a specific program file (%ProgramFiles%\Messenger\msmsgs.exe) instead of a port number. (Some programs, such as Windows Messenger, don't use predefined port numbers.)
Windows Firewall comes with several prebuilt exception definitions, but only three are enabled by default: Files and Settings Transfer Wizard (%windir%\system32\usmt\migwiz.exe), NetMeeting (%ProgramFiles%\NetMeeting\conf.exe), and Windows Messenger (%ProgramFiles%\Messenger\msmsgs.exe). To enable another prebuilt exception, select its check box on the Exceptions tab. To define an exception for another program or port, click Add, then provide the appropriate program or port information.
Keep the Connection
If a computer uses multiple network connections (including dialup and VPN connections), you might need to enable, disable, or tailor Windows Firewall differently for each connection. You can accomplish this task on the Windows Firewall applet's Network Connections tab, which Figure 4 shows. To enable or disable Windows Firewall for a connection, select or clear the check box for that connection on the Network Connections tab. To configure advanced settings for a connection, select the connection's check box and click Settings to open the Advanced Settings dialog box. The Services tab, which Figure 5 shows, lets you open certain services to Internet traffic, as long as you're using Internet Connection Sharing (ICS). Similarly, the Advanced Settings dialog box's ICMP tab, which Figure 6 shows, lets you configure how Windows Firewall will respond to Internet Control Message Protocol (ICMP) messages (e.g., pings) that are received on the specified network connection. (The applet's ICMP tab, which Figure 7 shows, lets you configure global settings that determine how Windows Firewall will respond when the system receives an ICMP message such as a ping. You can enable or disable each type of ICMP request as you see fit.)
You might wonder how network connection-specific port exceptions relate to the global port exceptions that you put into effect when you create a port-based exception. The easiest way to explain is with an example. Suppose you have two NICs: NIC1 and NIC2. You want to open port 3389 on both NICs, but you also want to open port 80 on NIC1 but not on NIC2. You can create an exception that opens port 3389, then use the Network Connections Advanced Settings to add a service that opens port 80 on NIC1.
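The port-based, program-based, Scope, and ICMP settings walked through above can be audited from a script instead of the applet. The following is an added example, not code from the article or from Microsoft; it assumes the HNetCfg.FwMgr COM interface that XP SP2's Windows Firewall exposes and reads the active profile's global exceptions (not the per-connection Services settings), flagging enabled port exceptions whose Scope is All IP addresses.

```powershell
# Added example (not from the article): audit XP SP2 Windows Firewall exceptions
# through its COM API (HNetCfg.FwMgr). Run in an administrative PowerShell session
# on the workstation being checked.
$fwMgr   = New-Object -ComObject HNetCfg.FwMgr
$profile = $fwMgr.LocalPolicy.CurrentProfile   # settings of the active profile

# Numeric values of the NET_FW_SCOPE and NET_FW_IP_PROTOCOL enumerations
$scopeNames = @{ 0 = 'All IP addresses'; 1 = 'Local Subnet Only'; 2 = 'Custom list' }
$protoNames = @{ 6 = 'TCP'; 17 = 'UDP' }

"Firewall enabled            : $($profile.FirewallEnabled)"
"Exceptions allowed          : $(-not $profile.ExceptionsNotAllowed)"
"Inbound Echo Request (ping) : $($profile.IcmpSettings.AllowInboundEchoRequest)"

# Port-based exceptions: the article's RDP example shows up here as TCP 3389.
"`nPort exceptions"
$openToAll = 0
foreach ($p in $profile.GloballyOpenPorts) {
    $flag = ''
    # An enabled port exception reachable from any address is the first thing to
    # review: a port-based rule cannot tell a backdoor from the legitimate listener.
    if ($p.Enabled -and [int]$p.Scope -eq 0) {
        $flag = '  <-- enabled and open to any address'
        $openToAll++
    }
    "{0,-40} {1}/{2,-5} enabled={3} scope={4}{5}" -f $p.Name,
        $protoNames[[int]$p.Protocol], $p.Port, $p.Enabled,
        $scopeNames[[int]$p.Scope], $flag
}

# Program-based exceptions: the article's Windows Messenger entry (msmsgs.exe) shows up here.
"`nProgram exceptions"
foreach ($a in $profile.AuthorizedApplications) {
    "{0,-40} enabled={1} scope={2}`n    {3}" -f $a.Name, $a.Enabled,
        $scopeNames[[int]$a.Scope], $a.ProcessImageFileName
}

"`n$openToAll enabled port exception(s) with Scope = All IP addresses"
```

Entries added per network connection (the Network Connections tab's Services list) are not part of this profile-wide view, so a port that appears closed here may still be opened on one interface.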