Learn the pros and cons of Windows Firewall

Windows Firewall debuted with the release of Windows XP, and Windows XP Service Pack 2 enabled this feature by default. This host-based stateful firewall replaced Windows’ Internet Connection Firewall.

This feature’s default configuration rejects incoming IP traffic unless you’ve specifically allowed it. To configure or adjust the Windows Firewall settings, go to Start | Control Panel, and double-click the Windows Firewall applet. Let’s take a closer look at the various settings.

Know your options

On the General tab, you can use the On and Off radio buttons to enable or disable Windows Firewall. You can also choose to disallow exceptions.

The Exceptions tab includes a list of programs and services that you can select or deselect to allow or remove access to the network. You can also add or delete ports (both TCP and UDP).

When adding programs or ports, you also have the following options to limit the scope of access: Any Computer (Including Those On The Internet), My Network (Subnet) Only, or Custom List, which allows you to choose a mix of IP addresses and subnets.

On the Advanced tab, you can choose which connections the firewall will apply to, and you can specify logging features. You can also control, with some granularity, how the firewall handles Internet Control Message Protocol (ICMP) packets.

Finally, if you get completely lost and make changes that prevent the computer from connecting to the Internet, you can click the Restore Defaults button. This removes all of your changes, returning Windows Firewall to the Microsoft default state.

Know how to adjust the settings

You can use the method described above to manually change the Windows Firewall settings. However, you can also use a variety of methods more suited for enterprise deployments. Here are some of your options:

  • Unattend.txt: You can use this text file used during unattended setup when deploying multiple systems that have similar configurations.
  • Netfw.ini: You can modify and deploy this file via login scripts or a control system such as Systems Management Server (SMS). You can find this file in the %windir%\Inf folder.
  • Netsh: You can execute this command at the command prompt or through a scripted batch file deployed at login.
  • Group Policy: In an Active Directory environment you can use Group Policy to deploy Windows Firewall configurations. Update existing Group Policy Objects with the Windows Firewall policy settings from the updated System.adm template included with Windows XP SP2. You can find these new settings under Computer Configuration | Administrative Templates | Network | Network Connections.

Of course, all of these available configuration and deployment options beg the question: Does this firewall adequately protect your computer?

Weigh the pros and cons

The Windows Firewall does a good job of proxying inbound responses to outbound connection requests, and it does a good job of blocking inbound connection requests for TCP or UDP conversations that you haven’t initiated. It will block any connection attempts that you haven’t specifically allowed in the settings. However, that’s only half of what a firewall needs to do.

A firewall should also monitor, inspect, and proxy outbound communication—and this is where Windows Firewall fails. Any program on your computer can initiate any type of connection to any IP address on the Internet, and the Windows Firewall will sit by passively and let it happen!

Don’t let any prompts fool you: Even though it tells you a program has initiated a connection to the Internet and asks if you want to allow this connection, the connection has already occurred. What it’sreally asking is whether you want to allow the Internet to connect to this program.

This entry was posted in Technical Archive. Bookmark the permalink.