Introduction
Before You Begin
Deciding Which Computers to Protect
Identifying Ports That Must Remain Open
Enabling ICF
Opening Ports
Enabling Security Logging
Related Information
Malicious users or attackers on the Internet create worms and viruses that can reveal or destroy valuable data, and they run tools that attempt to break into your computer. To do this, the tools, viruses, and worms send messages to your client computer, addressed to the ports that various programs use to receive legitimate messages. If the malicious code is able to make contact at a particular port, it may be able to gain entrance to your computer. To limit this security threat, you can enable firewall software, which blocks all ports except the ones you intentionally open. Internet Connection Firewall (ICF) is firewall software that is supplied with Microsoft Windows XP.
The steps in this document explain how to:
1. Decide which computers to protect
2. Identify ports that must remain open
3. Enable ICF
4. Open additional ports as necessary
5. Enable security logging as necessary
By following the steps in this document, you change your system by enabling ICF and configuring it. Thereafter, ICF runs and helps prevent the computer from responding to the unsolicited messages that malicious code uses to spread and to damage systems and data.
IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.
This section explains what you should do before enabling ICF:
• Verify the operating system and service pack
• Understand how applications use ports
• Test ICF on clients before you deploy it
• Troubleshooting
The recommendations in this document are mainly for systems that are running Windows XP Professional with Service Pack 1 (SP1) or SP1a. If SP1 or SP1a is not installed on a particular computer, or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at http://windowsupdate.microsoft.com and have Windows Update scan your computer for available updates. If Service Pack 1 appears as an available update, install it before proceeding with the procedures in this document.
This guide does not address the wide variety of needs and configurations that a large corporation might require. Additionally, it might not fully address the specific security needs of some organizations.
Most of the tasks in this guide also apply to a computer that is running Microsoft Windows Server 2003, but enabling ICF on a server typically requires significantly more research and troubleshooting, and these are beyond the scope of this guide.
Versions of Windows prior to Windows XP do not include ICF. To protect these systems, you can use hardware or software firewalls. To learn more about software firewalls made by other companies, hardware firewalls, and network routers, and for more information about selecting a firewall for your computer, see "Install a firewall to help protect your computer" on the Microsoft Web site at http://www.microsoft.com/athome/security/viruses/fwbenefits.mspx.
A port is a connection point that a program uses to communicate with other programs, especially programs running on other computers. Each port is identified by the combination of a transport and a number. The transport can be either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Specific ports are associated with each type of application or service. For example, the standard port for a Web server is TCP port 80, the standard port for a File Transfer Protocol (FTP) server is TCP port 21, and the Windows Server service that provides file and print sharing receives messages at four ports: UDP ports 137 and 138, and TCP ports 139 and 445.
When you enable ICF, by default it blocks all ports from receiving unsolicited inbound messages. This protects your computer because it blocks the messages that malicious code typically uses to gain access to your computer. ICF does not interfere with most legitimate business software because, as a general rule, that software does not send unsolicited messages to clients. However, there are exceptions to this rule, and if ICF prevents legitimate communication, you can configure ICF to open the ports that the legitimate software uses.
Most services use one or more specific ports, but some services and many applications also pick one or more ports at random from a range that varies depending on the application. If such an application is designed to notify ICF about the ports it picks, then the application will work with ICF. Otherwise, you usually must choose to run the application or ICF but not both. Although it is possible to open every port in the application's range, it is often impractical to open a range that contains more than a small number of ports. Even if it were easy, it would rarely be a wise decision, because increasing the range of open ports generally decreases the security of the computer.
It is important to test ICF with the typical applications in your network environment before you enable it on all your client computers. You enable ICF separately on each client computer, and if it must be configured, you configure it on each client computer separately. If you do not test ICF before enabling it on 50 client computers, and a problem occurs that affects all of the clients, the only solution is to reconfigure each computer individually.
ICF typically runs on client computers without interfering with business software, but when conflicts occur the troubleshooting can be complicated because the problem and solution often depend on the combination of software that is running on the client. Accordingly, troubleshooting is beyond the scope of this document. For more information about troubleshooting ICF, see "Troubleshooting Internet Connection Firewall on Microsoft Windows XP" on the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?familyid=b3d01193-ad93-492f-b74b-97c2fc44e08b&displaylang=en.
It is recommended that you enable ICF on all client computers, including desktop computers that connect only to the organization network. Most organization networks include hardware or software firewalls that screen each connection between the network and the Internet, and in this case it might seem redundant to enable firewalls on the network clients. However, malicious code can bypass the network firewall by infecting an unprotected mobile computer that connects directly to the Internet, and that later connects to the organization network. By enabling ICF on client computers, you help limit the ability of malicious code to spread through your network and damage your systems.
The clients that are most at risk from attack are those that connect directly to the Internet, particularly mobile devices such as laptops. If you choose to protect only a subset of the client computers, it is recommended that you protect the mobile devices.
Consider enabling ICF on server computers, but be aware of these complications:
• Firewalls are much more likely to interfere with server software than with client software, because the purpose of server software is to receive unsolicited inbound messages.
• If the firewall interferes with server software, the resulting problems can be harder to troubleshoot.
• Each conflict that occurs between the firewall and the server software can affect large numbers of clients.
An example of a conflict between the firewall and server software is an application that requires a port that is blocked by the firewall, as described later in this document.
To minimize the possibility that ICF will interfere with legitimate software, identify the ports that must remain open before you enable ICF. The programs that most commonly require access to ports are listed in the user interface of ICF, and you can select them by name without needing to research the ports that each one uses:
• FTP Server
• E-mail servers that use IMAP3, IMAP4, SMTP, or POP3
• Remote desktop
• Standard and secure web servers
• Telnet server
The next most common programs that require open ports are:
• Internet file sharing or music sharing software.
• Multiplayer games.
• Business software that relies on the server to notify the client when something happens. E-mail servers usually notify clients when new e-mail arrives, and some e-mail servers do this by sending messages to the clients. Database servers can notify clients when a particular database field changes.
• Peer-to-peer features and applications that allow a client computer to act like a server. A Windows XP computer can share files and printers with other clients, and this requires the computer to receive inbound messages. Instant messaging clients can send files to each other, and this requires sending an unsolicited message.
Many of these programs, and the ports they use, are listed in the following resources:
• "Reference: Network Ports Used by Key Microsoft Server Products" in the Security Guidance Kit.
• 832017: Services that run on Windows Server 2003 on the Microsoft Web site at http://support.microsoft.com/kb/832017.
• "Application Media-Types" on the Internet Assigned Numbers Authority Web site at http://www.iana.org/assignments/port-numbers.
If the information in the articles does not indicate which ports you need to open, contact the manufacturer.
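As an added check that is not part of this guide, the following Python script takes the output of `netstat -ano` on the client (the sample below is constructed, and the column layout it assumes is the one Windows XP prints) and lists the transport/port pairs that currently accept unsolicited inbound traffic, which are the candidates for ICF exceptions; the four file and printer sharing ports named earlier are labelled.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output from a Windows XP client (not taken from the guide).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       832
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.5:3389       0.0.0.0:0              LISTENING       1124
  TCP    192.168.0.5:1051       10.0.0.20:80           ESTABLISHED     1440
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.0.5:137        *:*                                    4
  UDP    192.168.0.5:138        *:*                                    4
"""

# The four ports the guide names for Windows file and printer sharing (the Server service).
FILE_SHARING_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# Proto, local addr:port, foreign addr:port, optional state (absent on UDP rows), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")

def listening_ports(netstat_text):
    """Return {(transport, port): set of PIDs} for sockets that can receive unsolicited inbound traffic.

    Only LISTENING TCP sockets count; every bound UDP socket counts, because UDP has
    no connection state and any bound port can receive a datagram. Established TCP
    connections are skipped: ICF already allows replies to traffic the client started.
    """
    inbound = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        inbound[(proto, int(port))].add(int(pid))
    return dict(inbound)

def exception_candidates(netstat_text):
    """Return sorted (transport, port, pids, note) rows; the guide's file-sharing ports are labelled."""
    rows = []
    for (proto, port), pids in sorted(listening_ports(netstat_text).items()):
        note = "file and printer sharing" if (proto, port) in FILE_SHARING_PORTS else "identify the owning process"
        rows.append((proto, port, sorted(pids), note))
    return rows

if __name__ == "__main__":
    for proto, port, pids, note in exception_candidates(SAMPLE_NETSTAT):
        print(f"{proto} {port:<5} PID {pids}  {note}")
```

Any row whose note is "identify the owning process" needs a decision: look up the PID in Task Manager and open the port only if that program must receive inbound messages.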
Perform the following procedure to enable ICF on client computers that are running Windows XP SP1.
Note: Screenshots in this document reflect a test environment and the information might differ from the information displayed on your computer.
• Credentials: You must log on as a member of the local Administrators group.
• Tools: Control Panel.
• To enable ICF
After you enable ICF, you can perform the following procedure to open ports that legitimate software uses. You must know the transport (either UDP or TCP) and the port number of the port you wish to open. To obtain this information, perform the task titled "Identifying Ports That Must Remain Open" earlier in this document.
• Credentials: You must log on as a member of the local Administrators group.
• Tools: Control Panel.
• To open a port
After you enable ICF, you can enable security logging to record information about the inbound messages that ICF manages. This information might help an ICF specialist troubleshoot ICF problems or analyze attacks against the computer.
• Credentials: You must log on as a member of the local Administrators group.
• Tools: Control Panel.
• To enable security logging
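Added example, not from the original guide: a Python parser for the ICF security log (pfirewall.log, which ICF writes in W3C extended log format). The column names are read from the log's own #Fields header rather than hard-coded, and the sample records below are constructed. It summarizes dropped inbound messages by destination port and by source address, which is the first thing to look at when analyzing probes against the computer.

```python
from collections import Counter

# Constructed ICF log excerpt (pfirewall.log, W3C extended log format); not from the original guide.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-17 10:07:48 DROP TCP 10.0.0.9 192.168.0.5 2549 445 48 S 1236567898 0 65535 - - -
2004-05-17 10:07:49 DROP TCP 10.0.0.9 192.168.0.5 2550 139 48 S 1236567899 0 65535 - - -
2004-05-17 10:07:50 DROP UDP 10.0.0.9 192.168.0.5 137 137 78 - - - - - - -
2004-05-17 10:08:01 DROP TCP 10.0.0.23 192.168.0.5 1034 445 48 S 87654321 0 16384 - - -
2004-05-17 10:08:05 OPEN TCP 192.168.0.5 10.0.0.20 1051 80 - - - - - - - -
2004-05-17 10:08:09 DROP TCP 10.0.0.9 192.168.0.5 2551 3389 48 S 1236567900 0 65535 - - -
"""

def parse_icf_log(text):
    """Yield one dict per record; column names come from the #Fields header, not from this code."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed records
                yield dict(zip(fields, values))

def dropped_inbound_summary(text, threshold=3):
    """Count DROP records per (protocol, destination port) and per source address.

    Returns (by_port, by_src, noisy): 'noisy' lists sources that were dropped at
    least `threshold` times, a simple way to spot one host probing several ports.
    """
    by_port, by_src = Counter(), Counter()
    for rec in parse_icf_log(text):
        if rec["action"] != "DROP":
            continue  # OPEN/CLOSE records describe traffic the client itself started
        by_port[(rec["protocol"], int(rec["dst-port"]))] += 1
        by_src[rec["src-ip"]] += 1
    noisy = sorted(ip for ip, n in by_src.items() if n >= threshold)
    return by_port, by_src, noisy

if __name__ == "__main__":
    by_port, by_src, noisy = dropped_inbound_summary(SAMPLE_LOG)
    for (proto, port), n in by_port.most_common():
        print(f"{proto} {port}: {n} dropped")
    print("sources at or above threshold:", noisy)
```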
For more information about opening ports, see the following:
• "Reference: Network Ports Used by Key Microsoft Server Products" in the Security Guidance Kit.
• "How to Open Ports in the Windows XP Internet Connection Firewall" on the Microsoft Web site.
For more general information about firewalls, see the following:
• "Install a firewall to help protect your computer" on the Microsoft Web site.
• "Internet Connection Firewall Feature Overview" on the Microsoft Web site.