National Institute of Standards and Technology 5.3 2008-10-30T13:24:55.000-04:00 Microsoft Windows XP This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow ICMP exceptions setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you set this policy setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you set this policy to Disabled, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from the computer. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. For that reason, this appendix recommends that you configure this setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure the setting with the appropriate message types. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased. Sudhir Gandhe DRAFT Microsoft Windows XP Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings. Sudhir Gandhe DRAFT Microsoft Windows XP Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings. Sudhir Gandhe DRAFT Microsoft Windows XP Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings. Sudhir Gandhe DRAFT Microsoft Windows XP Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings. Sudhir Gandhe DRAFT Microsoft Windows XP Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Sudhir Gandhe DRAFT Microsoft Windows XP Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings. The Windows Firewall: Define port exceptions policy setting allows you to centrally manage these settings. If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view and modify the port exceptions list, configure the policy setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means you can accidentally create multiple entries for the same port with conflicting Scope or Status values. If you disable this policy setting, the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting. Environments with nonstandard applications that require specific ports to be open should consider deploying program exceptions. This appendix recommends enabling this setting and specifying a list of port exceptions only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Microsoft Windows XP Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these settings are shown to the users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Protect all network connections setting turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP SP2. This appendix recommends configuring this setting to Enabled to protect all network connections for computers in all environments. If this setting is configured as Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored. Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting. Sudhir Gandhe DRAFT Microsoft Windows XP This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow ICMP exceptions setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you set this policy setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you set this policy to Disabled, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from the computer. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. For that reason, this appendix recommends that you configure this setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure the setting with the appropriate message types. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased. Sudhir Gandhe DRAFT Microsoft Windows XP Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034 but potentially anywhere from 1024 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions. Sudhir Gandhe DRAFT Microsoft Windows XP Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Do not allow exceptions setting specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting in the Windows Firewall component of Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. In those cases, you may need to consider configuring this policy to Disabled to allow those applications and services to run properly. However, before making any change to this policy, you should test the environment to determine exactly what to allow and what to disallow. Note: This setting provides a strong defense against external attackers and should be set to Enabled in situations where you require complete protection from external attacks such as the outbreak of a new network worm. Setting this policy to Disabled allows Windows Firewall to apply other policy settings that allow unsolicited incoming messages. Sudhir Gandhe DRAFT Microsoft Windows XP Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these settings are shown to the users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts. Sudhir Gandhe DRAFT Microsoft Windows XP The Windows Firewall: Protect all network connections setting turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP SP2. This appendix recommends configuring this setting to Enabled to protect all network connections for computers in all environments. If this setting is configured as Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored. Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting. Sudhir Gandhe DRAFT Microsoft Windows XP A version of Microsoft Windows XP (x86) Service Pack 2 is installed. Andrew Buttner DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows XP A version of Microsoft Windows XP (x86) Service Pack 3 is installed. Sudhir Gandhe DRAFT DRAFT