Transcript: Windows XP SP2: Windows Firewall, February 9, 2005
Published: February 17, 2005
Please note: Portions of this transcript have been edited for clarity
Introduction
Rebecca_MS (Moderator):
Welcome to today’s chat about using and managing the Windows Firewall in Windows XP
SP2. The Windows Firewall product group can answer questions about anything from
configuration to group policy management. We are pleased to welcome our experts for
today. I will have them introduce themselves now.
Grant_MS (Expert):
Hello. I'm Grant Bugher, a program manager on the Longhorn team working on Windows
Firewall.
Joe_MS (Expert):
I am Joe Davies, a technical writer for the Windows Networking and Devices
group.
Steve (Expert):
Hello, I'm Steve (Cartwright). I am a software testing engineer. I worked on the
Windows Firewall during the development and testing of XPSP2.
Michael [MS] (Expert):
I am a program manager with the Windows Firewall.
Rebecca_MS (Moderator):
…and your pleasant host, Rebecca. We will try to answer as many questions as we can
today. Participants should type their questions, click “Submit a question,” and click
“Send.” Those posts will go into a private queue, from which our experts will draft
answers and repost questions in the upper window with their answers. (To confirm: if
you clicked “Submit a question” when you posted, you don’t need to resubmit.) We’ll get
to them as soon as we can before the end of the chat (11 a.m. Pacific). You can begin
asking your questions now.
Start of Chat
Grant_MS (Expert):
Q: Will we see a greater level of firewall config
in Longhorn, possibly making it a separate product like the Antispyware?
A: In Longhorn, Windows Firewall will continue to
be part of the operating system, rather than a separate product. However, we will be
working to improve the user experience for firewall configuration, particularly for
enterprise and GP administrators, as well as adding new firewall features.
Michael [MS] (Expert):
Q: When Windows Firewall is enabled on a remote
computer that I connect to via PPTP VPN, I can connect to the VPN fine, but cannot
connect to any resources on the VPN server. If I disable Windows Firewall, I have no
problems connecting to that machine.
A: This is an interesting problem that would need
to be investigated in more depth to come up with an answer. I suggest you post this on
the "microsoft.public.windows.networking.firewall" newsgroup. You could include some
data from the firewall log file to show what is actually being dropped.
Grant_MS (Expert):
Q: Will there be an update of the Windows
Firewall, e.g. graphs to display statistics of the firewall's activities, so users could
analyse if something is constantly attacking the PC and so something might be able to
be done about it, such as closing a port?
A: Though the Windows Firewall does not have a
graphical statistics display, it does write a W3C-compliant packet log file that can
be parsed and analyzed with third-party analysis tools or Microsoft Log Parser. In
Longhorn, we're investigating options for a realtime status and troubleshooting UI to
improve this experience.
Steve (Expert):
Q: When Windows Firewall is turned ON, my users
experience difficulties with Outlook/Exchange; (they have to click Send/Receive button
to get new mails). Why is this? I end up having to turn the Windows Firewall OFF in
order to improve their experience.
A: There is a KB article that describes and
addresses this issue. I will try to find it for you. This is not the precise article,
but hopefully it may help. I have not been able to find the precise KB for this. http://support.microsoft.com/default.aspx?scid=kb;en-us;843191
Michael [MS] (Expert):
Q: I've heard various complaints about the Windows
Firewall, complaints about downloading items when ZoneAlarm is active as well. Could
you please explain?
A: Could you be more specific in the areas you
are concerned about? Yes, we hear requests for additional features in the Windows
Firewall, but there are also millions of people who are happy using it. It is
important to remember that the Windows Firewall is NOT intended to be a replacement
for third party products. There are many features people might want from add-on
firewalls that the Windows Firewall doesn't have. If those are important to you, then
it would be a great idea to consider using the other firewall.
Michael [MS] (Expert):
Q: Michael...I have tried various message boards
and the best response that I have received to this issue is..."XP was not designed for
that application." That's not really an acceptable answer! I would really like a
direct contact that I can work with.
A: What applications are you having problems
with? I would be happy to try and answer any specific problems you might have.
Joe_MS (Expert):
Q: I have been experiencing many issues with one
of my networks not staying or getting connected to their network. The last I was told
is that it may be related to the firewall. Any known issues?
A: The Windows Firewall should not be affecting
your ability to connect or stay connected to the network. It only drops unsolicited
incoming traffic that has not been excepted. Server, listener, and peer applications
might be affected until you configure the appropriate exceptions.
Grant_MS (Expert):
Q: Any plans for an MS firewall for Windows 2000
Pro users or Windows 2000 Server?
A: Microsoft does not currently have plans to
create a firewall for Windows 2000.
Rebecca_MS (Moderator):
Thanks for joining us for today's chat about the firewall in Windows XP SP2. Remember
that if you want to ask a question of our experts, you should type your question,
click “Submit a question,” and click “Send.”
Michael [MS] (Expert):
Q: Recently, the MSanti-spy beta has been guilty
of turning off the windows firewall, exposing some users to MSBlaster, and other
risks. Is any update being considered for preventing this, (and other) firewall
attacks by unruly software?
A: We have noticed some situations where the
removal of some spyware (by anti-spyware products) can leave the network stack in a
corrupted state which can cause many applications (including the Windows Firewall) to
break. I think that the anti-spyware group is going to be releasing an update to their
beta that tries to address this issue.
Steve (Expert):
Q: When Windows Firewall is turned ON, my users
experience difficulties with Outlook/Exchange; (they have to click Send/Receive button
to get new mails). Why is this? I end up having to turn the Windows Firewall OFF in
order to improve their experience.
A: Update on the KB: http://support.microsoft.com/default.aspx?scid=kb;en-us;839226. This
looks like what you need.
Joe_MS (Expert):
Q: Not that I want to at present.... but is there
any way to remove the firewall rather than just turning it off?
A: Windows Firewall is built into the networking
components of Windows XP SP2 and cannot be uninstalled through Control Panel-Network.
You can disable it and you can stop the Windows Firewall/Internet Connection Sharing
service.
Grant_MS (Expert):
Q: Are there any plans to integrate the firewall
with the Network Setup Wizard new in SP2? This would be especially useful when saving
not just the network settings to a USB pen.
A: We have investigated this, but many users have
different applications on different computers in their homes, and thus do not want to
migrate the same firewall settings to all machines in the way that the Networking
Setup Wizard would do. We'll continue to look into the usability of this and
determine if migrating firewall settings would increase or decrease the difficulty of
setting up a network before making a decision for the future.
Joe_MS (Expert):
Q: I don't mean to go against conduct and ask
again, but I have been experiencing many issues with one of my networks not staying or
getting connected to their network. The last I was told is that it may be related to
the firewall. Any known issues?
A: There are no known issues with Windows
Firewall causing intermittent network connectivity. Can you be more specific about
your problem? Is it just specific computers on a specific network?
Michael [MS] (Expert):
Q: Michael...The problem is with every
application. Once connected to the VPN Server, I can connect to other PCs on the
network, but everything, even Pings are not responded to by the PC that also hosts the
VPN Server.
A: I don't know why this problem would be
occurring. I assume that you are saying that this problem only occurs when the Windows
Firewall is turned on for the client (i.e. there is NO firewall running on the VPN
host). This problem will need more detailed diagnosis. I suggest you post your
question on the firewall support newsgroup.
Steve (Expert):
Q: I don't mean to go against conduct and ask
again, but I have been experiencing many issues with one of my networks not staying or
getting connected to their network. The last I was told is that it may be related to
the firewall. Any known issues?
A: Do you mean networks or clients and/or their
applications are stopping? There are too many reasons outside of the Firewall why this
could happen. One possible cause is connections timing out due to periods of idleness,
so the Firewall will reset those connections. One workaround is to have those
applications send heartbeats periodically to keep the connection active.
Grant_MS (Expert):
Q: Are there conflicts with Norton Internet
Security firewall & Microsoft's firewall?
A: There are no conflicts between them, but
running more than one firewall at a time is not recommended. It does not make you
more secure, and makes policy configuration and management more complicated. Most
third-party firewalls disable Windows Firewall when they're turned on for this
reason.
Rebecca_MS (Moderator):
Q: Not really about firewall, but I would like to
know when SQL Server 2005 and Visual Studio Whidbey are coming out? (2nd quarter, 3rd
quarter) (maybe even a price indication? :P)
A: We can't really answer those questions in this
particular chat! :-)
Michael [MS] (Expert):
Q: Are there any plans to build a more in-depth
interface for the firewall for advanced users, e.g. advanced rules and session-by-
session allowing and denying of applications on various ports?
A: There are no current plans to add more
features to the Windows Firewall UI, but we would love to hear your suggestions for
future product releases.
Joe_MS (Expert):
Q: Are there any known issues with the firewall
and with networking? I am fighting a network that will sometimes connect, and the last
thing told to me was that it was an issue with the firewall and that I needed to
change some settings.
A: If by "network" you are talking about a group
of computers bounded by a router, Windows Firewall has nothing to do with the entire
network's intermittent connectivity. Windows Firewall only runs on specific hosts and
only runs after an individual computer has successful network connectivity.
Steve (Expert):
Q: Will microsoft make the firewall into a suite
with antivirus/firewall etc. all in 1 program like zonealarm? I find zonealarm suite
makes life easy only having to run one program and actually works. Will microsoft try
to compete cuz the firewall is weak.
A: There are no plans at the moment to do this.
Nevertheless, we are always looking at improvements, particularly in the areas of
security so this is something that may be addressed in the future but not necessarily
as a Firewall product.
Michael [MS] (Expert):
Q: Michael...the problem occurs when Windows
firewall is enabled on the VPN Server. The client has nothing to do with this
problem.
A: Interesting. I wonder what kind of VPN server
you are using. The Windows Firewall won't be available for Server 2003 until SP1 is
released. Nevertheless, this now makes perfect sense. If you are running a host
firewall on your VPN server you will need to create exceptions for whatever ports or
applications you want remote systems to be able to access. It may seem that some
things work without creating exceptions because the Windows Firewall allows responses
to OUTGOING requests.
Joe_MS (Expert):
Q: I understand the original XP firewall only
filtered incoming traffic, and that SP2 upgraded this to incoming and outgoing
traffic. 1. Is this true? and 2. To exactly what degree? (i.e. earlier comment about
not a substitute for third-party firewalls)
A: With the exception of specific types of
Internet Control Message Protocol (ICMP) traffic, Windows Firewall does not filter
outgoing traffic.
Michael [MS] (Expert):
Q: Will we ever see a patch to combat this
problem http://secunia.com/advisories/12793/ apart from removing "remote assistance" from the exceptions tab? It was
apparently known in the security community for about 2 years and still remains
unpatched.
A: I have no idea what updates might, or might
not, be coming from the remote assistance group. However, this issue doesn't have
anything to do with the Windows Firewall. Regardless of which firewall you use, you
will have to allow the appropriate ports to be open to allow remote assistance to
function.
Rebecca_MS (Moderator):
For those just joining us, today’s chat is about using and managing the Windows
Firewall in Windows XP SP2. To post a question, please click “Submit a question,”
type your question, and click “Send.” That way, we can track which questions we still
need to answer.
Joe_MS (Expert):
Q: Windows Firewall feature suggestion: Timed
blocking/allowing. So that at certain times of the day/night, certain ports/programs
are blocked for an X period of time.
A: Thanks. We will take this feature in
consideration when we are planning updates to Windows Firewall for Windows XP or for
the next version of Windows.
Benjamin (Expert):
Q: I cannot install one of the new Windows updates, .NET Framework 1.1 SP1. It FAILS to
install; how can I fix this?
A: Hi Denb45,
Benjamin (Expert):
This does not sound related to the Windows Firewall. If you can post an error message,
I may be able to give you a more succinct answer.
Joe_MS (Expert):
Q: Features to allow traffic for various
applications, i.e. a tick box for "Outlook Express"; better network support, i.e. allow by
default network and server traffic; maybe a throughput measurement for each application
of what it has sent and received...
A: Thanks. We will take these features into
consideration when planning updates to Windows Firewall for Windows XP or for the next
version of Windows.
Steve (Expert):
Q: Steve - I also have file sharing turned on in
the exceptions, so the firewall must have something to do with networking.
A: Yes, it does. You would need to enable file and
print sharing to allow files to be shared. It also has options to address your network
scope and ports that can be altered.
Grant_MS (Expert):
Q: Is it possible for the firewall to cause
around a 10 sec wait when right-clicking a file or folder which is located on another XP
computer? It takes 10 sec for the right-click menu to appear, then it works normally for
a while and then again with delay.
A: That doesn't sound like a firewall issue. If
the firewall on the remote machine were blocking you, you wouldn't be delayed 10
seconds, you'd be blocked altogether. And the firewall on your local machine isn't
likely the issue, since it only blocks incoming traffic, not outgoing. There are a
large number of issues that can cause performance problems (indeed, they're among the
most difficult issues to diagnose), but the firewall is not likely to be part of this
problem.
Michael [MS] (Expert):
Q: Michael...I am using the Microsoft VPN Server.
It is a built-in component in Windows. I would love to work with someone who can
ensure that the Firewall and VPN will work together properly. This affects me and my
many clients...I use VPN to support them
A: I gather you are using XP as your "VPN
Server"? XP only has limited VPN support (called "incoming connections"), Microsoft's
VPN server is only available with Server 2003 or Server 2000, and the Windows Firewall
is not available for those OSes. Nevertheless, it should be very simple to configure
the Windows Firewall to work on an XP system running as a VPN host. Simply create the
exceptions in the firewall for the ports or apps you want remote users to access. If
you want remote users to be able ping the box, then open ICMP. If you want remote
systems to be able to access file and print sharing, then enable the file and print
sharing exception.
Benjamin (Expert):
Q: Is it possible for the firewall to cause
around a 10 sec wait when right-clicking a file or folder which is located on another XP
computer? It takes 10 sec for the right-click menu to appear, then it works normally for
a while and then again with delay.
A: This does not sound like it is related to the
firewall. If the firewall was dropping file and print packets then you would not be
able to connect at all. Are you having any resolution issues? This sounds like a much
more likely reason. Also does this happen on the first attempt only or on every
attempt? If it is the first only, this may be related to a resolution issue. Have you
performed any additional steps to troubleshoot this?
Rebecca_MS (Moderator):
Just a reminder that if you repeatedly ask questions that are off-topic, we might have
to ban you from the chat! We appreciate you keeping your questions on the topic of the
firewall in Windows XP SP2. :)
Joe_MS (Expert):
Q: Is there any way I can restrict certain IPs or
hosts using the Microsoft Windows Firewall? I have yet to find out how to do so. The
way I understand it as of now is that you can only block or allow an application. Am I
correct or incorrect?
A: You can configure a custom scope on either a
port or program-based exception to restrict the IP address or addresses from which the
incoming traffic is allowed. When configuring the exception, click the "Change scope"
button. For details, see http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx.
Grant_MS (Expert):
Q: Hi, a friend of mine said that the feature I
suggested and many more will not be included because he stated that Microsoft cannot
include a full firewall in their operating system due to competition laws... could you
please tell me if this is true? Thanks.
A: We are sometimes constrained in our product
design by antitrust settlements. However, rest assured that we are planning many
innovations and new features for the Windows Firewall in Longhorn, and it is not
accurate to say we're unable to include a "full firewall" in the operating
system.
Grant_MS (Expert):
Q: Follow-up: with little effective outgoing
filtering in the SP2 firewall, is Microsoft planning to do any serious upgrading to
the firewall in the future, in view of their willingness to acquire multiple
anti-spyware companies recently?
A: Microsoft is planning a major upgrade to the
firewall in Longhorn. We are carefully looking at options for outbound filtering,
particularly in managed (enterprise/GP) scenarios.
Michael [MS] (Expert):
Q: Michael.... The problem is caused due to the
firewall by default accepting incoming connections to ports listened on by the
"sessmgr.exe" process. Will there be a patch to stop this automatic acceptance of
connections from these?
A: If you don't want sessmgr to accept incoming
connections, just turn off the remote administration exception. Keep in mind that
sessmgr won't be listening at all unless something is running that wants to use
it.
Benjamin (Expert):
Q: Is there a DOS command to access the
XP firewall directly?
A: Command line support is available through the
Net Shell Firewall context (netsh fi).
Joe_MS (Expert):
Q: Is there a DOS command to access the
XP firewall directly?
A: From the Windows XP command prompt, you can
manage the firewall using "netsh firewall" commands. See http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/wfsp2apb.mspx
for details.
Michael [MS] (Expert):
Q: How is http.sys handled in the firewall? Say
one has allowed app x to use http.sys for servicing to internet, does this mean only
app x or does the firewall only have 1 "entry" for all http.sys hosted "sites", giving
all apps full listening access later.
A: Application exceptions for apps that use
http.sys don't work, you will need to open the specific ports they need in these
cases.
Michael [MS] (Expert):
Q: Michael...Those are all turned on!...the
problem is with the scope, as the scope is different with each connection. My guess is
that this is a complex problem, but these 2 features of XP should work together. Is
there any way that we can get a KB article?
A: Have you tried having no scope at all?
Benjamin (Expert):
Q: :'( HOW CAN I DISABLE FIREWALL ON WXP SP2
COMPLETELY? I HAVE NIS THAT IS PROTECTING MY PC ALL THE TIME. PLEASE ADVISE. I'M
GOING CRAZY WITH SP2. IF IT WAS NOT READY, WHY DID MS PUT IT OUT?
A: You can disable the firewall through Control
Panel (Start + Control Panel + Windows Firewall and then select disable).
Steve (Expert):
Q: Oops, this is to Steve (Experts). Steve - OK,
the file and print sharing is on, so we have established it does have something to do with
networks. What do my other settings need to be to ensure a connection to their network?
A: Not knowing your configuration, you can enable
file and print sharing and the defaults for the ports, which will be a scope of Any and
the 4 ports all checked. To limit the exposure you can uncheck ports, for example
check the boxes for UDP ports but not the ones for TCP ports. This avoids
unnecessarily opening TCP 139/445, mitigating a lot of potential attacks.
Grant_MS (Expert):
Q: Do you have any knowledge if in LH there will
be additional measures to avoid a user running downloaded apps in a full-trust, non-sandbox
setting if he/she accidentally/out of ignorance happens to click yes after a web dl? A cert
could have looked authentic, for example.
A: One security improvement we're looking at in
Longhorn is reducing the standard level of privilege that users (even members of the
Administrators group) run with, so as to minimize the damage malicious software can do
even if it is executed. You can look at a high-level overview of this work in the
document "Focus on Least Privilege", at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnlong/html/leastprivlh.asp
Benjamin (Expert):
Q: Benjamin> Thanks, but I didn't mean that. I
meant how can I access the firewall directly by a command (Start > Run)?
A: You can launch the Control Panel applet (Start
+ Run + firewall.cpl) or give a netsh command. If you give a netsh command you may not
see the results of it, as it will close afterwards. Can you give me more details on
what you want to accomplish?
Rebecca_MS (Moderator):
We will need to wrap up this chat in about 5 minutes. Please post any other questions
(click “Submit a Question”) that you would like us to answer. Thanks.
Steve (Expert):
Q: The firewall blocks internet/network traffic.
This doesn't seem to have anything to do with your firewall. You may have
misconfigured some registry settings or permissions.
A: This reads like an answer. What was the
question?
Steve (Expert):
Q: Oh sorry, please ignore that. The "Submit a
Question" was selected.
A: No problems.
Grant_MS (Expert):
Q: Is Microsoft intending to remove the cap on
the number of sockets a program can open? It only lets an EXE open 20 sockets, I
believe.
A: I think that you're referring to the
per-process cap on the number of half-open sockets, to prevent your computer from being
used in denial of service and other attacks. The number of fully-connected sockets is
not subject to this limitation, so an application can get around it simply by not
opening sockets faster than they can connect. The limit on half-open sockets is an
intended security feature and there is no intention to remove it.
Joe_MS (Expert):
Q: I have turned off the Windows Firewall as I'm
behind a hardware firewall. Are there any upsides to enabling the firewall in a
situation such as this? I know some say a software and hardware firewall is desirable.
A: The recommendation is that you enable Windows
Firewall even though you are behind a hardware firewall. A hardware firewall might
help protect you from attacks originating from the Internet, but cannot prevent attacks
originating from an infected computer on your private network. Windows Firewall enabled
on all private network hosts helps prevent the spread of malicious software that
relies on unsolicited incoming traffic.
Rebecca_MS (Moderator):
If we don't get to answer your question today, please join us next month, on March 9,
at 10 a.m. Pacific Time for another chat on the same topic.
Michael [MS] (Expert):
Q: Does the SP2 firewall have 'stealth'
capabilities? If not, any suggestions (other than third-party) for 'safe/stealth'
configuration for the average user? Also, any differences between SP2 firewall
running on Home vs Pro editions?
A: The concept of "stealth" has a lot of
definitions. The Windows Firewall certainly reduces the visibility of systems, and
resources, by a HUGE amount. However, there are still a handful of network openings
the Windows Firewall leaves by default. I don't have any specific add-on products to
recommend, but if you feel that the "stealth" abilities of the Windows Firewall are
inadequate for your needs, you may want to look at third party host firewall
offerings.
david[ms] (Expert):
Q: Can future/today's malware (future malware
likely written in .NET) use just a couple of lines to do whatever they want with the
firewall if the user has been foolish enough to run such in full trust? Does Windows pop up a
note when an app tries to fool around with the firewall?
A: It'll probably take more than a couple of lines,
but not much more :) No pop-up will be displayed; however, if you have policy change
auditing enabled, a security event will be posted (visible by tools like Event Viewer)
saying what change was made.
Rebecca_MS (Moderator):
We will post a transcript of the upper window within a few days at http://msdn.microsoft.com/chats/transcripts/default.aspx
Benjamin (Expert):
Q: Here's the error I get when I try to install
this update: SLA.tmp- Common Language Runtime Debugging Service....App has generated
an Exception that could not be handled......Process id= 0xe 88 (3720) Thread id= 0x590
(14240) click OK to terminate, or debug
A: I am not familiar with this exact error. I
would suggest having a look on technet.microsoft.com and on the Microsoft newsgroups,
as this question is unfortunately out of the scope of this Expert Zone chat.
Michael [MS] (Expert):
Q: Michael...Yes, I have tried that...can you
connect me with someone that can reproduce it and produce a KB article? If it's not
solvable, then they can work to get this fixed in future releases.
A: It would be great for you to take this to the
firewall newsgroup for more in-depth investigation.
Rebecca_MS (Moderator):
Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en
Manually Configuring Windows Firewall in Windows XP Service Pack 2
http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx
Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/details.aspx?FamilyID=a7628646-131d-4617-bf68-f0532d8db131&displaylang=en
Rebecca_MS (Moderator):
Oops, sent that before I'd finished it: those were helpful firewall-related
links.
Rebecca_MS (Moderator):
Thank you for joining us today on a Microsoft Community Chat to talk about the Windows
Firewall in Windows XP SP2. I would like to thank our hosts Steve, Michael, David,
Benjamin, Joe, and Grant, and the rest of you for your questions and comments. See you
next month!