Transcript: Windows XP SP2: Windows Firewall, December 8, 2004
Published: December 16, 2004
Chat Date: December 8, 2004
Please note: Portions of this transcript have been edited for clarity
Introduction
rebecca_ms (Moderator):
Thank you for joining today’s chat about using and managing the Windows Firewall in Windows XP SP2.
Joe_MSFT (Expert):
See also the "Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2" white paper at http://www.microsoft.com/downloads/details.aspx?FamilyID=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en.
rebecca_ms (Moderator):
Welcome to today’s chat about using and managing the Windows Firewall in Windows XP SP2. The Windows Firewall product group can answer questions about anything from configuration to group policy management. We are pleased to welcome our experts for today. I will have them introduce themselves now.
Joe_MSFT (Expert):
I am Joe Davies, a technical writer for the Windows Networking and Devices team.
Michael_MS (Expert):
Hi, I am a program manager with the Windows Firewall.
rebecca_ms (Moderator):
…and your pleasant host, Rebecca. We will try to answer as many questions as we can today. Participants should type their questions, click “Submit a question,” and click “Send.” Those posts will go into a private queue, from which our experts will draft answers and repost questions in the upper window with their answers. (To confirm: if you clicked “Submit a question” when you posted, you don’t need to resubmit. We’ll get to them as soon as we can before the end of the chat (11 a.m. Pacific).)
rebecca_ms (Moderator):
Hi all, just a reminder to keep your questions on the topic of the Windows XP Firewall. We can't answer other questions at this time.
rebecca_ms (Moderator):
If you need help with general issues, try the Microsoft newsgroups at: http://www.microsoft.com/communities/newsgroups/default.mspx
Start of Chat
Michael_MS (Expert):
Q: I am looking for a WMI event to tell me if the Windows firewall is turned on or off. I've found the WMI event to tell me if a 3rd party firewall is turned off or on. I want to be able to turn the firewall on if something turns it off. Thanks!
A: No, there are some special hooks that 3rd party firewalls use to indicate their presence for the security center, but these aren't really useful for end-users, or other developers. If you want to know if the Windows Firewall is present, you should use the Windows Firewall APIs, published in the SP1 SDK (available on MSDN).
Joe_MSFT (Expert):
Q: I was wondering why XP firewall created many problems on computers when installed. I am a student learning computers at college just wanting to know.
A: The firewall drops all unsolicited incoming traffic to help protect computers from malicious software such as worms and viruses. Client/server types of programs should still work fine. Server, peer-to-peer, and listening programs might have problems. You will need to configure Windows Firewall exceptions for these types of programs. See http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx and http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en for details.
Michael_MS (Expert):
Q: Many of the IP addresses in my firewall log resolve to web hosts outside the domain of the page I chose (ex. whois resolves to blighty.com). Is there any way to confirm these identities? Does Microsoft or Yahoo publish lists of their web host affiliates?
A: I really don't know how Internet Explorer determines which addresses to go to. I suggest you ask this question in an IE related chat.
Michael_MS (Expert):
Q: why isn't the firewall as efficient as it could be?
A: Could you be more specific? What do you find is "inefficient"?
Michael_MS (Expert):
Q: However, when I attempt to configure DCOM through dcomcnfg, I am unable to access the "edit Limits" buttons because they are grayed out. Why?
A: Sorry, I don't know much about this specific DCOM configuration tool. What I can say is that the Windows Firewall isn't involved with keeping some items grayed out. There is a "Remote Administration" option for the Windows Firewall in Group Policy that stops blocking DCOM. But this wouldn't affect whether options were grayed out in dcomcnfg.
Joe_MSFT (Expert):
Q: I assume there are GPOs for Windows Firewall in a Windows 2003 environment. Are there any in a Windows 2000 environment?
A: See http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en for instructions on how to get Windows Firewall GP settings into a Windows 2000 Active Directory. Also, download and install http://support.microsoft.com/default.aspx?scid=kb;en-us;842933.
Michael_MS (Expert):
Q: rt¶iu: why still the need for third party firewalls/anti-virus/malware systems?
A: The Windows Firewall provides excellent protection by preventing unsolicited incoming traffic from entering your system. However, there are other features that go beyond simple firewalling that many other 3rd party products have. If these other features (e.g. anti-virus support, malware prevention, etc.) are important to you, then these third party products are good alternatives to consider. Determining which features go into the OS all depends on what can be done within certain release dates, and what will offer the greatest amount of security benefit. We could have added lots more features into Windows Firewall if we waited another year to ship it. :)
Michael_MS (Expert):
Q: Michael.. Thank you for the response, but I really need to find out why my "edit Limits" button is grayed out in the COM Security Tab of DCOM configuration. Do you have a contact for me to ask the question?
A: Sorry, I don't have a contact on that team.
Joe_MSFT (Expert):
Q: How can we use Internet Connection Firewall (ICF) utility in XP?
A: The Internet Connection Firewall is a host-based firewall that discards unsolicited incoming traffic. You can enable it from the Advanced tab from the properties of a connection in the Network and Connection folder.
Michael_MS (Expert):
Q: How can we prevent port scanning?
A: You can prevent port scanning by ensuring the Windows Firewall is on, and having as few exceptions created as possible. Using the "don't allow exceptions" option will lock your network access down even more if you are really concerned.
Joe_MSFT (Expert):
Q: Is there any way to control the SP2 firewall, by device (i.e. LAN, WIFI, etc)? I know the ICF is done like this for pre SP2 connections.
A: Yes, you can configure settings on a per-connection basis, but you only have the ability to configure the same types of settings as you could with Internet Connection Firewall (port-based exceptions and ICMP) with the Windows Firewall component of Control Panel or through netsh commands.
Joe_MSFT (Expert):
Q: Will there be a much better firewall next time? With a new SP?
A: What would you like to see in a future version of Windows Firewall?
Joe_MSFT (Expert):
Q: What is the maximum number of exceptions u can allow in sp2 firewall, is there any limit??
A: There is no built-in limit to the number of exceptions. However, with many exceptions, the display of the exceptions in the Windows Firewall component of Control Panel will be slower on slower computers.
Michael_MS (Expert):
Q: It is maybe a strange question? Will there be a new version like Lockdown?
A: What are you referring to by "lockdown"?
Joe_MSFT (Expert):
Q: Why is XP Firewall unable to prevent outbound traffic?
A: Windows Firewall was designed to prevent the spread of malicious software that relies on unsolicited incoming traffic. The filtering of outgoing traffic has much less security value than the filtering of incoming traffic.
Joe_MSFT (Expert):
Q: If I have a 3rd party Firewall should I disable the Windows firewall or leave them both running?
A: The recommendation is that you disable Windows Firewall if a third-party firewall product is installed.
Michael_MS (Expert):
Q: under which key are the exceptions stored in the registry??
A: Take a look at the Windows Firewall deployment guide. There is some information about the registry keys in one of the Appendixes.
Joe_MSFT (Expert):
Q: I will ask it short, will Microsoft build a new firewall which has a graphical interface?
A: The Windows Firewall component of Control Panel provides a graphical interface for configuring firewall settings.
Joe_MSFT (Expert):
Q: where do u get the Windows Firewall deployment guide
A: http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
Joe_MSFT (Expert):
Q: This may be a Group Policy question, but how do I disable the firewall using a GP?
A: See http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en for details.
Michael_MS (Expert):
Q: Are there any compatibility issues with 3rd party firewalls and sp2 firewalls?
A: No, most third party firewalls co-exist just fine with the Windows Firewall. That said, we recommend that people only run one firewall on their system. Multiple firewalls do not make you more secure, and only make policy management more difficult. Actually, most third party firewalls now programmatically shut off the Windows Firewall anyway.
rebecca_ms (Moderator):
Does anyone have more firewall-related questions for our experts?
Michael_MS (Expert):
Q: Have you seen an issue with E-trust Anti-Virus not being able to download virus signatures if the Windows firewall is turned on?
A: This is a known issue we are working with e-trust on.
Michael_MS (Expert):
Q: ok, is the only workaround turning off the Windows firewall?
A: No, turning the firewall off doesn't necessarily fix the problem with e-trust. This issue might not even be firewall related at all. We are working with e-trust to better diagnose the root cause.
Michael_MS (Expert):
We would like to know how many people are using the XP SP2 Windows Firewall. Has anyone turned it off?
Joe_MSFT (Expert):
Q: My firewall log is often full of drops from doubleclick.com. Some are flagged AP some not. I expect some advertising while browsing but the number of these drops surprises me. Can you give me an example of the type of ad that windows firewall drops?
A: The Windows Firewall is dropping incoming unsolicited traffic from doubleclick.com, which for the "AP" flag corresponds to incoming Transmission Control Protocol segments with the Acknowledge and Push flags set. So Windows Firewall is not dropping ads, but specific types of segments for the ad traffic.
Joe_MSFT (Expert):
Q: Why can't XP firewall protect from Trojan applications?
A: Windows Firewall is a packet-level filter and cannot determine if solicited incoming traffic contains trojan horse apps. Please use anti-virus software to protect yourself from these types of applications.
rebecca_ms (Moderator):
We will need to wrap up this chat in about 8 minutes. Please post any other questions (click “Submit a Question”) that you would like us to answer. Thanks.
Michael_MS (Expert):
Q: If I open ports per device in the ICF, are there going to be any issues with the SP2 firewall blocking incoming traffic to those ports?
A: Yes, if you open ports in Windows Firewall, then they won't be blocked unless you enable the "don't allow exceptions" option. If you had previously configured the Internet Connection Firewall to have open ports before installing SP2, then the new Windows Firewall (ICF no longer exists in SP2) will honour those opened ports.
rebecca_ms (Moderator):
We will need to wrap up this chat in about 3 minutes. Please post any other questions (click “Submit a Question”) that you would like us to answer. Thanks.
Michael_MS (Expert):
Q: What is a Circuit Level gateway, and how is it different from an application Level gateway?
A: We don't know off the top of our heads. This would be a great question to post to the microsoft.public.windows.networking.firewall newsgroup.
Joe_MSFT (Expert):
Q: shois: followup to Joe: a specific example of graphically what this traffic segment looks like to me were I to receive it. Thanks.
A: See http://www.faqs.org/rfcs/rfc793.html (section 3.1) for information about the Transmission Control Protocol (TCP) header and the use of the Acknowledge (A) and Push (P) flags.
Michael_MS (Expert):
Do any of the chat participants use group policy to manage Windows Firewall?
rebecca_ms (Moderator):
Before we wrap up here, here are some URLs you might find helpful. For the firewall deployment guide: http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
rebecca_ms (Moderator):
Here is an article on how to manually configure your firewall: http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
rebecca_ms (Moderator):
Also, here is the link to the firewall newsgroup: microsoft.public.windows.networking.firewall
rebecca_ms (Moderator):
Q: I am experiencing a problem with MS Shared Fax Driver. When I manually enter a contact it adds the number prefixes specified in the Dialing Rules. When I select a contact from the address book it ignores the Dialing Rules. Is there a fix for this?
A: Thank you for joining us today on a Microsoft Community Chat to talk about the Windows Firewall in Windows XP SP2. I would like to thank our hosts and the rest of you for your questions and comments.