

Firewall dedicada com win XP - Dica SANS Institute


A proposal to consider... a dedicated firewall built on XP SP2... and why not??

In any case, it's a great guide for learning about security on XP...

The original is on the SANS Institute site... a reference in information security


I'm sure almost everyone knows about the host based firewall that was added to Windows XP with the Service Pack 2. Although Windows XP had a possibility of filtering network traffic before SP2 was released, it was rarely used as it required use of IPsec policies.

UPDATE: Small correction - Windows XP (before SP2) as well as Windows 2000 had very basic TCP/IP filtering options that did not directly depend on IPsec policies (although you were able to layer rules by using TCP/IP filtering with IPsec filters). However, Windows 2000 and XP (before SP2) lacked quite a bit in features - the biggest one is scoping of incoming traffic. This means that accepted traffic to allowed port(s) was able to originate from *any* IPv4 address. ICF (Internet Connection Firewall) in Windows XP pre SP2 also wasn't automatically enabled. This diary therefore explains how to use the Windows XP SP2 firewall only.

With the release of SP2, Microsoft also made a pretty brave step (let's stay on the firewall in this diary) – the firewall was turned on by default and this inevitably caused some applications to break.

The idea of today's tip of the day is to encourage you to use the host based firewall in your corporations. I'm explicitly mentioning corporations as I noticed that in a lot of cases administrators in corporations simply turn off the host based firewall provided with SP2 because it prevents them from managing the machine remotely.

The host based firewall that comes with Windows XP SP2 is in no way perfect, but it can offer an additional layer of protection (and we all know that defense in depth is the only way to get more secure) that can help you a lot sometimes.

For example, take a look at last month's patch bundle Microsoft released. The most critical and remotely exploitable vulnerability was in the Server service (MS06-040).

Windows XP SP2 machines which were just running the host based firewall in the default configuration were automatically protected from this. Of course, these machines should still be patched (as soon as possible), but this at least gives some breathing space.

One thing that you have to be aware of is that the host based firewall that comes with Windows XP SP2 filters only inbound traffic. While this isn't as good as some commercial firewalls, it still offers decent protection. I won't go into why Microsoft didn't filter outbound traffic as well, but the bottom line is that if a machine gets infected with malware, it can easily turn the firewall off (or add itself to the list of allowed programs, as much malware does today), so if you look at it this way, outbound traffic filtering isn't that important. The firewall in Windows Vista is much more powerful and does allow outbound traffic filtering.

Letting the good guys in

The biggest problem with the host based firewall not being used in corporations today is that, besides bad traffic, it also drops legitimate inbound traffic.

Typically administrators need access to IPC in order to remotely manage your machine, or they use remote desktop services to perform actions on client machines. The host based firewall effectively stops this and administrators have to rely on group policies in order to change configuration on client machines. As group policies are read only when the machine is booted (with Windows XP, this is different with Vista) and remote users typically put their machines in standby, you can see why administrators don't like this.

UPDATE: Thanks to reader Chris for sending us some information about this. Group policies on Windows 2000, XP and 2003 machines will update every 90 (+30) minutes in a background group policy refresh interval. So, in this case, an administrator will still have to wait some time for new group policies to apply, but it's not as bad as I thought it is.

So, in order to still have some security, I typically recommend that administrators just put holes on their client machines which will allow connection from their designated management machine or network. This way the host based firewall will still protect the machine from everything (and everyone) else and the administrator can freely manage the machine remotely.

Adding such a rule is pretty easy. On a client machine you can add this through the Windows firewall control applet for a service or port you want to allow access to and select the appropriate scope. For example, you can allow access to port 445 just to the IP address that is your management server.

Using profiles

Fellow handler Swa (who else?) noted that the bad guys might know this (for example, a disgruntled employee in your company) and then wait at the local Starbucks where your employees hang out, get the internal IP address for himself and attack the target machine.

Windows actually comes with a pretty nice feature for different firewall profiles. In GPOs, an administrator can define different rules for the "Domain Profile" and different rules for the "Standard Profile".

Windows has a NLA (Network Location Awareness) service which determines where the machine is, and applies the appropriate policy for the host based firewall:


Now, NLA will use the connection-specific DNS suffix to determine where your machine is. If it matches your domain, the Domain Profile will be used. Otherwise, the Standard Profile is used (you can check the connection-specific DNS suffix with the ipconfig command). So all you have to do now is set up the rules you need for administration in the Domain profile, while completely closing the machine in the Standard profile.

A bad guy could still spoof an access point on a wireless network, for example, and have his own DHCP server to issue fake information to you, but this indeed raises the bar a bit.

Command line kung-fu

Seeing that command line kung-fu is very popular with our readers, I'd just like to end this tip of the day with some nice command line options you can use to configure the host based firewall on Windows XP SP2.

You have full firewall configuration options through the netsh command interface. This is very useful when you want to create a batch file which will open or close some ports on your machine.

I've used this to open the host based firewall to only one IP, so the anti-virus product we had was able to communicate with the client machines (poll their status, tell them to update definitions, etc).

So, let's say that you want to open port 10000 to the IP address of your AV server. This can be easily done with the following command line:

netsh firewall add portopening TCP 10000 Anti-Virus ENABLE CUSTOM

You can script this easily to do whatever you want. Just be aware of the limitation – you can't have port ranges so you'll have to open every port separately, in case you need to open more ports.

If you have some neat tricks with the Windows XP SP2 host based firewall let us know, and I'll update the diary with the best tips we receive.


horus herakty

haill hathor
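The netsh approach from the diary's "Command line kung-fu" and "Using profiles" sections, written out as one batch file: management-only exceptions in the Domain profile, no exceptions at all in the Standard profile, a loop to work around the missing port-range support, and logging of dropped packets so a scan against the closed machine leaves a trace. This is an added example and not the diary's own script; the management/AV address 192.0.2.10 and the port range 10001-10004 are constructed placeholders.

```batch
@echo off
rem Added example, not from the SANS diary. MGMT is a constructed placeholder
rem for the management / AV server; replace it with your own address.
set MGMT=192.0.2.10

rem Firewall on in both profiles. In the Standard profile (machine is off the
rem domain, e.g. on public Wi-Fi) allow no exceptions whatsoever.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD

rem Domain profile: the built-in service groups admins need (file and print
rem sharing covers TCP 445, remote desktop covers TCP 3389), scoped to the
rem management host only instead of to the whole subnet.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%MGMT% profile=DOMAIN
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%MGMT% profile=DOMAIN

rem The AV agent port from the diary, again reachable only from the AV server.
netsh firewall add portopening protocol=TCP port=10000 name="Anti-Virus" mode=ENABLE scope=CUSTOM addresses=%MGMT% profile=DOMAIN

rem netsh firewall has no port ranges: each port in a range needs its own rule.
for /L %%p in (10001,1,10004) do netsh firewall add portopening protocol=TCP port=%%p name="Anti-Virus %%p" mode=ENABLE scope=CUSTOM addresses=%MGMT% profile=DOMAIN

rem Log dropped packets (4 MB, rotated by Windows) so probes against the
rem closed ports can be reviewed later.
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem Verify: only the scoped exceptions above should be listed.
netsh firewall show state
netsh firewall show config
```

Run it from an elevated command prompt on the client; pushing the same commands through a GPO startup script keeps the rules consistent across machines.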

