accepted
FDCC: Guidance for Securing Microsoft Windows XP Firewall for IT Professional
NIST Special Publication 800-68 has been created to assist IT professionals, in particular Windows XP system administrators and information security personnel, in effectively securing Windows XP Professional SP2 and SP3 systems with Windows Firewall.
Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. NIST would appreciate acknowledgement if the document and template are used.
todo - add text
Trademark InformationMicrosoft, Windows, Windows XP, Windows Vista, Internet Explorer, and Windows Firewall are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries.All other names are registered trademarks or trademarks of their respective companies.
National Institute of Standards and Technology
SP 800-68
v1.2.1.0
800-53 Low
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 Moderate
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which at least one security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of moderate and no security objective is assigned a FIPS 199 potential impact value of high. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 High
This profile selects specific controls that are recommended by Special Publication 800-53 for information systems in which at least one security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of high. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
800-53 All
This profile selects all the security controls that are recommended by Special Publication 800-53 for information systems. Each control has an effect on other groups within this document as individual rule require certain controls to be selected.
Federal Desktop Core Configuration version 1.2.1.0
This profile represents guidance outlined in Federal Core Configuration settings for Windows XP Firewall on desktop systems.
NIST SP 800-53 Controls
Applicable 800-53 Access Control Checks
Access Control Policy and Procedures
ISO/IEC 17799: 11.1.1, 11.4.1, 15.1.1
NIST 800-26: 15, 16
DOD 8500.2: ECAN-1, ECPA-1, PRAS-1, DCAR-1
DCID 6/3: 2.B.4.e(5), 4.B.1.a(1)(b)
Account Management
ISO/IEC 17799: 6.2.2, 6.2.3, 8.3.3, 11.2.1, 11.2.2, 11.2.4, 11.7.2
NIST 800-26: 6.1.8, 15.1.1, 15.1.4, 15.1.15, 15.1.8, 15.2.2, 16.1.3, 16.1.5, 16.2.12
GAO FISCAM: AC-2.1 AC-2.2, AC-3.2, SP-4.1
DOD 8500.2: IAAC-1
DCID 6/3: 4.B.2.a(3)
Access Enforcement
ISO/IEC 17799: 11.2.4, 11.4.5
NIST 800-26: 10.1.2, 15.1.1, 16.1.1, 16.1.2, 16.1.3, 16.1.7, 16.1.9, 16.2.1, 16.2.7, 16.2.10, 16.2.11, 16.2.15
GAO FISCAM: AC-2, AC-3.2
DOD 8500.2: DCFA-1, ECAN-1, EBRU-1, PRNK-1, ECCD-1, ECSD-2
DCID 6/3: Discretionary Access Control (DAC): 4.B.2.a(2), Mandatory Access Control (MAC): 4.B.4.a(3)
Information Flow Enforcement
ISO/IEC 17799: 10.6.2, 11.4.5, 11.4.6, 11.4.7
DOD 8500.2: EBBD-1, EBBD-2
DCID 6/3: 4.B.3.a(3), 7.B.3.g
Separation of Duties
ISO/IEC 17799: 10.1.3, 10.6.1, 10.10.1
NIST 800-26: 6.1.1, 6.1.2, 6.1.3, 15.2.1, 16.1.2, 17.1.5
GAO FISCAM: AC-3.2, SD-1.2
DOD 8500.2: ECLP-1
DCID 6/3: 2.A.1, 4.B.3.a(18)
Least Privilege
ISO/IEC 17799: 11.2.2
NIST 800-26: 16.1.2, 16.1.3, 17.1.5
GAO FISCAM: AC-3.2
DOD 8500.2: ECLP-1
DCID 6/3: 4.B.2.a(10)
Unsuccessful Login Attempts
ISO/IEC 17799: 11.5.1
NIST 800-26: 15.1.14
GAO FISCAM: AC-3.2
DOD 8500.2: ECLO-1
DCID 6/3: 4.B.2.a(17)(c)-(d)
System Use Notification
ISO/IEC 17799: 11.5.1, 15.1.5
NIST 800-26: 16.2.13, 16.3.1, 17.1.9
GAO FISCAM: AC-3.2
DOD 8500.2: ECWM-1
DCID 6/3: 4.B.1.a(6)
Previous Logon Notification
ISO/IEC 17799: 11.5.1
GAO FISCAM: AC-3.2
DOD 8500.2: ECLO-2
Concurrent Session Control
DOD 8500.2: ECLO-1
DCID 6/3: 4.B.2.a(17)(a)
Session Lock
ISO/IEC 17799: 11.3.2
NIST 800-26: 16.1.4
GAO FISCAM: AC-3.2
DOD 8500.2: PESL-1
DCID 6/3: 4.B.1.a(5)
Session Termination
ISO/IEC 17799: 11.3.2, 11.5.5
NIST 800-26: 16.1.4, 16.2.6
GAO FISCAM: AC-3.2
DCID 6/3: 4.B.2.a(17)(b)
Supervision and Review—Access Control
ISO/IEC 17799: 10.10.2, 11.2.4
NIST 800-26: 7.1.10, 11.2.2, 16.1.10, 16.2.5, 17.1.6, 17.1.7
GAO FISCAM: AC-4, AC-4.3, SS-2.2
DOD 8500.2: ECAT-1, ECAT-2, E3.3.9
DCID 6/3: 2.B.7.c, 4.B.3.a(8)(b)
Permitted Actions without Identification or Authentication
NIST 800-26: 16.2.12
DCID 6/3: 7.D.3.a
Automated Marking
ISO/IEC 17799: 7.2.2
NIST 800-26: 8.2.4, 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECML-1
DCID 6/3: 4.B.2.a(11)
Automated Labeling
ISO/IEC 17799: 7.2.2
NIST 800-26: 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECML-1
DCID 6/3: 4.B.1.a(3), 4.B.4.a(15), 4.B.4.a(16)
Remote Access
ISO/IEC 17799: 11.4.2, 11.4.3, 11.4.4
NIST 800-26: 16.2.4, 16.2.8
GAO FISCAM: AC-3.2
DOD 8500.2: EBRP-1, EBRU-1
DCID 6/3: 4.B.1.a(1)(b), 4.B.3.a(11), 7.D.2.e
Wireless Access Restrictions
ISO/IEC 17799: 11.4.2, 11.7.1, 11.7.2
DOD 8500.2: ECCT-1, ECWN-1
DCID 6/3: 4.B.1.a(8), 5.B.3.a(11)
Access Control for Portable and Mobile Systems
ISO/IEC 17799: 11.7.1
NIST 800-26: 7.3.1, 7.3.2
DOD 8500.2: ECWN-1
DCID 6/3: 8.B.6.c, 9.G.4
Use of External Information Systems
ISO/IEC 17799: 6.1.4, 9.2.5, 11.7.1
NIST 800-26: 10.2.13
DCID 6/3: 8.B.6.c
Applicable 800-53 Awareness and Training
Security Awareness and Training Policy and Procedures
ISO/IEC 17799: 5.1.1, 8.2.2, 15.1.1
NIST 800-26: 13
DOD 8500.2: PRTN-1, DCAR-1
DCID 6/3: DCID: B.3.c, Manual: 2.B.2.b(8); 2.B.4.e(6)
Security Awareness
ISO/IEC 17799: 6.2.3, 8.2.2, 10.4.1, 11.7.1, 13.1.1, 14.1.4, 15.1.4
NIST 800-26: 13.1.4, 13.1.5
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Security Training
ISO/IEC 17799: 8.2.2, 10.3.2, 11.7.1, 13.1.1, 14.1.4
NIST 800-26: 13.1, 13.1.3, 13.1.5
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Security Training Records
NIST 800-26: 13.1.2
DCID 6/3: 8.B.1
Contacts with Security Groups and Associations
ISO/IEC 17799: 6.1.7
Applicable 800-53 Audit and Accountability
Audit and Accountability Policy and Procedures
ISO/IEC 17799: 10.1, 15.1.1
NIST 800-26: 17
DOD 8500.2: ECAT-1, ECTB-1, DCAR-1
DCID 6/3: DCID: B.2.d, Manual: 2.B.4.e(5); 4.B.2.a(4)
Auditable Events
ISO/IEC 17799: 10.10.1
NIST 800-26: 17.1.1, 17.1.2, 17.1.4
DOD 8500.2: ECAR-3
DCID 6/3: 4.B.2.a(4)(d)
Content of Audit Records
ISO/IEC 17799: 10.10.1, 10.10.4
NIST 800-26: 17.1.1
DOD 8500.2: ECAR-1, ECAR-2, ECAR-3, ECLC-1
DCID 6/3: 4.B.2.a(4)(a), 4.B.2.a(5)(a)
Audit Storage Capacity
ISO/IEC 17799: 10.10.3
DCID 6/3: 5.B.2.a(5)(a)(1)
Response to Audit Processing Failures
ISO/IEC 17799: 10.10.3
DCID 6/3: 4.B.4.a(9)(d)
Audit Monitoring, Analysis, and Reporting
ISO/IEC 17799: 10.10.2, 10.10.4, 13.2.1
NIST 800-26: 16.2.5, 17.1.7, 17.1.8
GAO FISCAM: AC-4.3
DOD 8500.2: ECAT-1, E3.3.9
DCID 6/3: 4.B.4.a(10)
Audit Reduction and Report Generation
ISO/IEC 17799: 10.10.3
NIST 800-26: 17.1.2, 17.1.7
DOD 8500.2: ECRG-1
DCID 6/3: 4.B.3.a(6)
Time Stamps
ISO/IEC 17799: 10.10.6
DOD 8500.2: ECAR-1
DCID 6/3: 4.B.2.a(4)(a)
Protection of Audit Information
ISO/IEC 17799: 10.10.3, 15.1.3, 15.3.2
NIST 800-26: 17.1.3, 17.1.4
DOD 8500.2: ECTP-1
DCID 6/3: 4.B.2.a(4)(b)
Non-repudiation
ISO/IEC 17799: 10.8.2, 10.9.1, 12.3.1
NIST 800-26: 15.1.2, 17.1.1
DOD 8500.2: DCNR-1
DCID 6/3: 5.B.3.a(8)
Audit Record Retention
ISO/IEC 17799: 10.10.1, 15.1.3
NIST 800-26: 17.1.4
DOD 8500.2: ECRR-1
DCID 6/3: 4.B.2.a(4)(c)
Applicable 800-53 Certification, Accreditation, and Security Assessment
Certification, Accreditation, and Security Assessment Policies and Procedures
ISO/IEC 17799: 6.1.4, 10.3.2, 15.1.1
NIST 800-26: 2, 4
DOD 8500.2: DCAR-1, DCII-1
DCID 6/3: DCID: B.3, Manual: 2.B.2.b(1)
Security Assessments
ISO/IEC 17799: 6.1.8, 15.2.1, 15.2.2
NIST 800-26: 2.1.1, 2.1.3, 2.1.4
GAO FISCAM: SP-5.1
DOD 8500.2: DCII-1, ECMT-1, PEPS-1, E3.3.10
DCID 6/3: DCID: B.2.b; B.3.a, Manual: 4.B.2.b(6); 5.B.1.b(1); 9.B.1; 9.B.4
Information System Connections
ISO/IEC 17799: 10.6.2, 10.9.1, 11.4.5, 11.4.6, 11.4.7
NIST 800-26: 1.1.1, 3.2.9, 4.1.8, 12.2.3
GAO FISCAM: CC-2.1
DOD 8500.2: DCID-1, EBCR-1 EBRU-1, EBPW-1, ECIC-1
DCID 6/3: 9.B.3, 9.D.3.c
Security Certification
ISO/IEC 17799: 10.3.2
NIST 800-26: 2.1.2, 3.2.3, 3.2.5, 3.2.6, 4.1.1, 4.1.6, 11.2.8. 12.2.5
GAO FISCAM: CC-2.1
DOD 8500.2: DCAR-1, 5.7.5
DCID 6/3: DCID: B.3, Manual: 4.B.3.b(8); 9.E.2.a(2); 9.E.2.a(3)
Plan of Action and Milestones
ISO/IEC 17799: 15.2.1
NIST 800-26: 1.1.5, 1.2.3, 2.2.1, 4.2.1
GAO FISCAM: SP-5.1 SP-5.2
DOD 8500.2: 5.7.5
DCID 6/3: 9.E.2.a(3)(a)
Security Accreditation
ISO/IEC 17799: 10.3.2
NIST 800-26: 3.2.7, 12.2.5
DOD 8500.2: 5.7.5
DCID 6/3: DCID: B.3, Manual: 9.D.3; 9.D.4
Continuous Monitoring
ISO/IEC 17799: 15.2.1, 15.2.2
NIST 800-26: 10.2.1
DOD 8500.2: DCCB-1, DCPR-1, E3.3.9
DCID 6/3: DCID: B.2.d; Manual: 2.B.4.e(7); 2.B.5.c(10); 5.B.2.b(2); 9.B.1; 9.D.7
Applicable 800-53 Configuration Management
Configuration Management Policy and Procedures
ISO/IEC 17799: 12.4.1, 12.5.1, 15.1.1
DOD 8500.2: DCCB-1, DCPR-1, DCAR-1, E3.3.8
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5); 5.B.2.a(5)
Baseline Configuration and System Component Inventory
ISO/IEC 17799: 7.1.1, 15.1.2
NIST 800-26: 1.1.1, 3.1.9, 10.2.7, 10.2.9, 12.1.4
GAO FISCAM: CC-2.3, CC-3.1, SS-1.2
DOD 8500.2: DCHW-1, DCSW-1
DCID 6/3: 2.B.7.c(7), 4.B.1.c(3), 4.B.2.b(6)
Configuration Change Control
ISO/IEC 17799: 10.1.2, 10.2.3, 12.4.1, 12.5.1, 12.5.2, 12.5.3
NIST 800-26: 3.1.4, 10.2.2, 10.2.3, 10.2.8, 10.2.10, 10.2.11
GAO FISCAM: SS-3.2, CC-2.2
DOD 8500.2: DCPR-1
DCID 6/3: 2.B.7.c(7) 4.B.1.c(3), 4.B.2.b(6), 5.B.2.a(5)
Monitoring Configuration Changes
ISO/IEC 17799: 10.1.2
NIST 800-26: 10.2.1, 10.2.4
GAO FISCAM: SS-3.1, SS-3.2, CC-2.1
DOD 8500.2: DCPR-1, E3.3.8
DCID 6/3: 2.B.7.c(7), 4.B.1.c(3), 5.B.2.b(2), 8.B.8.c(7)
Access Restrictions for Change
ISO/IEC 17799: 11.6.1
NIST 800-26: 6.1.3, 6.1.4, 10.1.1, 10.1.4, 10.1.5
GAO FISCAM: SD-1.1, SS-1.2, SS-2.1
DOD 8500.2: DCPR-1, ECSD-2
DCID 6/3: 5.B.3.a(2)(b)
Configuration Settings
NIST 800-26: 10.2.6, 10.3.1, 16.2.2, 16.2.3, 16.2.11
DOD 8500.2: DCSS-1, ECSC-1, E3.3.8
DCID 6/3: 4.B.2.a(10)
Least Functionality
NIST 800-26: 10.3.1
DOD 8500.2: DCPP-1, ECIM-1, ECVI-1, E3.3.8
DCID 6/3: 4.B.2.a(10), 7.D.2.b
Applicable 800-53 Contingency Planning
Contingency Planning Policy and Procedures
ISO/IEC 17799: 5.1.1, 10.4.1, 14.1.1, 14.1.3, 15.1.1
NIST 800-26: 9
DOD 8500.2: COBR-1, DCAR-1
DCID 6/3: 2.B.4.e(5), 6.B.1.a(1)
Contingency Plan
ISO/IEC 17799: 10.3.2, 10.4.1, 10.8.5, 14.1.3, 14.1.4
NIST 800-26: 4.1.4, 9.1.1, 9.2, 9.2.1, 9.2.2, 9.2.3, 9.2.10, 12.1.8, 12.2.2
GAO FISCAM: SC-3.1, SC-1.1
DOD 8500.2: CODP-1, COEF-1
DCID 6/3: 6.B.2.b(1)
Contingency Training
ISO/IEC 17799: 14.1.3, 14.1.4
NIST 800-26: 9.3.2
GAO FISCAM: SC-2.3
DOD 8500.2: PRTN-1
DCID 6/3: 8.B.1
Contingency Plan Testing
ISO/IEC 17799: 10.5.1, 14.1.5
NIST 800-26: 4.1.4, 9.3.3
GAO FISCAM: SC-3.1
DOD 8500.2: COED-1
DCID 6/3: 6.B.3.b(2)(b)
Contingency Plan Update
ISO/IEC 17799: 14.1.3, 14.1.5
NIST 800-26: 9.3.1, 9.3.3, 10.2.12
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: DCAR-1
DCID 6/3: 6.B.3.b(2)
Alternate Storage Sites
ISO/IEC 17799: 10.5.1
NIST 800-26: 9.2.4, 9.2.5, 9.2.7, 9.2.9
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: CODB-2
DCID 6/3: 6.B.2.a(2), 6.B.3.a(2)(d)
Alternate Processing Sites
ISO/IEC 17799: 14.1.4
NIST 800-26: 9.1.3, 9.2.4, 9.2.5, 9.2.7, 9.2.9
GAO FISCAM: SC-2.1, SC-3.1
DOD 8500.2: COAS-1, COEB-1, COSP-1, COSP-2
DCID 6/3: 6.B.3.a(2)(d)
Telecommunications Services
ISO/IEC 17799: 14.1.4
DCID 6/3: 6.B.2.a(4)
Information System Backup
ISO/IEC 17799: 10.5.1, 11.7.1
NIST 800-26: 9.1.1, 9.2.6, 9.2.9, 9.3.1, 12.1.9
GAO FISCAM: SC-2.1
DOD 8500.2: CODB-1, CODB-2, COSW-1
DCID 6/3: 6.B.1.a(2)
Information System Recovery and Reconstitution
ISO/IEC 17799: 14.1.4
NIST 800-26: 9.2.8
GAO FISCAM: SC-2.1
DOD 8500.2: COTR-1, ECND-1
DCID 6/3: 4.B.1.a(4), 6.B.1.a(1), 6.B.2.a(3)(d)
Applicable 800-53 Identification and Authentication
Identification and Authentication Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 11.2.3
DOD 8500.2: IAIA-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5)
User Identification and Authentication
ISO/IEC 17799: 11.2.3, 11.4.2, 11.5.2
NIST 800-26: 15.1
DOD 8500.2: IAIA-1
DCID 6/3: 4.B.2.a(7)
Device Identification and Authentication
ISO/IEC 17799: 11.4.2, 11.4.3, 11.7.1
NIST 800-26: 16.2.7
DCID 6/3: 4.B.5.a(14)
Identifier Management
ISO/IEC 17799: 11.2.3, 11.5.2
NIST 800-26: 15.1.1, 15.2.2, 15.1.8
GAO FISCAM: AC-2.1, AC-3.2, SP-4.1
DOD 8500.2: IAGA-1, IAIA-1
DCID 6/3: 4.B.1.a(2)
Authenticator Management
ISO/IEC 17799: 11.5.2, 11.5.3
NIST 800-26: 15.1.6, 15.1.7, 15.1.9, 15.1.10, 15.1.11, 15.1.12, 15.1.13, 16.1.3, 16.2.3
GAO FISCAM: AC-3.2
DOD 8500.2: IAKM-1, IATS-1
DCID 6/3: 4.B.2.a(7), 4.B.3.a(11)
Authenticator Feedback
ISO/IEC 17799: 11.5.1
DCID 6/3: 4.B.2.a(7)(g)
Cryptographic Module Authentication
NIST 800-26: 16.1.7
DCID 6/3: 1.G
Applicable 800-53 Incident Response
Incident Response Policy and Procedures
ISO/IEC 17799: 10.4.1, 13.1, 13.2.1, 15.1.1
NIST 800-26: 14
DOD 8500.2: VIIR-1, DCAR-1
DCID 6/3: DCID: B.2.c; C.4 Manual: 2.B.4.e(5); 2.B.2.b(6); 2.B.6.c(10); 8.B.7
Incident Response Training
ISO/IEC 17799: 13.1.1
NIST 800-26: 14.1.4
GAO FISCAM: SP-3.4
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.1.b(1)(f), 8.B.1.c(1)(e), 8.B.1.c(2)©
Incident Response Testing
ISO/IEC 17799: 14.1.5
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.7
Incident Handling
ISO/IEC 17799: 6.1.6, 13.2.1, 13.2.2
NIST 800-26: 2.1.5, 14.1.1, 14.1.2, 14.1.6
GAO FISCAM: SP-3.4
DOD 8500.2: VIIR-1, E3.3.9
DCID 6/3: 8.B.7, 9.B.2.e
Incident Monitoring
NIST 800-26: 14.1.3
DOD 8500.2: VIIR-1
DCID 6/3: 8.B.7.a
Incident Reporting
ISO/IEC 17799: 6.1.6, 6.2.2, 6.2.3, 13.1.1, 13.1.2
NIST 800-26: 14.1.2, 14.1.3, 14.2.1, 14.2.2, 14.2.3
DOD 8500.2: VIIR-1, E3.3.9
DCID 6/3: 8.B.7
Incident Response Assistance
ISO/IEC 17799: 14.1.3
NIST 800-26: 8.1.1, 14.1.1
GAO FISCAM: SP-3.4
DCID 6/3: 8.B.7.c
Applicable 800-53 Maintenance
System Maintenance Policy and Procedures
ISO/IEC 17799: 10.1.1, 15.1.1
NIST 800-26: 10
DOD 8500.2: PRMP-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.4.e(5); 6.B.2.a(5)
Periodic Maintenance
ISO/IEC 17799: 9.2.4
NIST 800-26: 10.1.1, 10.1.3, 10.2.1
GAO FISCAM: SS-3.1
DCID 6/3: 6.B.2.a(5), 8.B.8.c
Maintenance Tools
NIST 800-26: 10.1.3, 11.2.4
DCID 6/3: 6.B.3.a(5), 8.B.8.c(4), 8.B.8.c(5)
Remote Maintenance
ISO/IEC 17799: 11.4.4
NIST 800-26: 10.1.1, 17.1.1
GAO FISCAM: SS-3.1
DOD 8500.2: EBRP-1
DCID 6/3: 8.B.8.d
Maintenance Personnel
ISO/IEC 17799: 6.2.3, 9.2.4
NIST 800-26: 10.1.1, 10.1.3
GAO FISCAM: SS-3.1
DOD 8500.2: PRMP-1
DCID 6/3: 8.B.8.a
Timely Maintenance
NIST 800-26: 9.1.2
GAO FISCAM: SC-1.2
DOD 8500.2: COMS-1, COSP-1
DCID 6/3: 6.B.2.a(5)
Applicable 800-53 Media Protection
Media Protection Policy and Procedures
ISO/IEC 17799: 10.1.1, 10.7, 15.1.1, 15.1.3
NIST 800-26: 8.2
DOD 8500.2: PESP-1, DCAR-1
DCID 6/3: DCID: B.2.a Manual: 2.B.6.c(7); 8.B.2
Media Access
ISO/IEC 17799: 10.7.3
NIST 800-26: 8.2.1, 8.2.2, 8.2.3, 8.2.6, 8.2.7
DOD 8500.2: PEDI-1, PEPF-1
DCID 6/3: 2.B.9.b(4), 4.B.1.a(1), 4.B.1.a(7)
Media Labeling
ISO/IEC 17799: 7.2.2, 10.7.3, 10.8.2, 15.1.3
NIST 800-26: 8.2.5, 8.2.6, 10.2.9
DOD 8500.2: ECML-1
DCID 6/3: 2.B.9.b(4), 8.B.2.a, 8.B.2.c
Media Storage
ISO/IEC 17799: 10.7.1, 10.7.2, 10.7.3, 10.7.4, 15.1.3
NIST 800-26: 7.1.4, 8.2.1, 8.2.2, 8.2.9, 10.1.2
GAO FISCAM: AC-3.1
DOD 8500.2: PESS-1
DCID 6/3: 2.B.9.b(4), 4.B.1.a(7)
Media Transport
ISO/IEC 17799: 10.8.3
NIST 800-26: 8.2.2, 8.2.4
DCID 6/3: 2.B.9.b(4)
Media Sanitization
ISO/IEC 17799: 9.2.6, 10.7.1, 10.7.2
NIST 800-26: 3.2.11, 3.2.12, 3.2.13, 8.2.8, 8.2.9, 8.2.10
GAO FISCAM: AC-3.4
DOD 8500.2: PECS-1, PEDD-1
DCID 6/3: 8.B.5, 2.B.9.b(4), 8.B.5.a(4), 8.B.5.d, 8.B.5.e
Media Destruction and Disposal
ISO/IEC 17799:
NIST 800-26:
GAO FISCAM:
DOD 8500.2:
DCID 6/3:
Applicable 800-53 Physical and Environmental Protection
Physical and Environmental Protection Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 7
DOD 8500.2: PETN-1, DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5); 8.D
Physical Access Authorizations
ISO/IEC 17799: 9.1.2, 9.1.6
NIST 800-26: 7.1.1, 7.1.2
GAO FISCAM: AC-3.1
DOD 8500.2: PECF-1
DCID 6/3: 4.B.1.a(1), 8.E
Physical Access Control
ISO/IEC 17799: 9.1.1, 9.1.2, 9.1.5, 9.1.6, 10.5.1
NIST 800-26: 7.1.1, 7.1.2, 7.1.5, 7.1.6, 7.1.8
GAO FISCAM: AC-3.1
DOD 8500.2: PEPF-1
DCID 6/3: 4.B.1.a(1), 8.D.2, 8.E
Access Control for Transmission Medium
ISO/IEC 17799: 9.2.3
NIST 800-26: 7.2.2, 16.2.9
DCID 6/3: 8.D.2, 4.B.1.a(8)
Access Control for Display Medium
ISO/IEC 17799: 9.1.2, 11.3.3
NIST 800-26: 7.2.1
DOD 8500.2: PEDI-1, PEPF-1
DCID 6/3: 8.C.2.a, 8.D.2
Monitoring Physical Access
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.9
GAO FISCAM: AC-4
DOD 8500.2: PEPF-2
DCID 6/3: 4.B.1.a(1), 8.C.2.a, 8.D.2
Visitor Control
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.7, 7.1.11
GAO FISCAM: AC-3.1
DOD 8500.2: PEVC-1
DCID 6/3: 8.C.2.a, 8.D.2, 8.E
Access Records
ISO/IEC 17799: 9.1.2
NIST 800-26: 7.1.9
GAO FISCAM: AC-4
DOD 8500.2: PEPF-2, PEVC-1
DCID 6/3: 8.C.2.a, 8.D.2, 8.E
Power Equipment and Power Cabling
ISO/IEC 17799: 9.2.2, 9.2.3
NIST 800-26: 7.1.16
GAO FISCAM: SC-2.2
DCID 6/3: 8.D.2
Emergency Shutoff
ISO/IEC 17799: 9.2.2
DOD 8500.2: PEMS-1
DCID 6/3: 8.D.2
Emergency Power
ISO/IEC 17799: 9.2.2
NIST 800-26: 7.1.18
GAO FISCAM: SC-2.2
DOD 8500.2: COPS-1, COPS-2, COPS-3
DCID 6/3: 6.B.2.a(6), 6.B.2.a(7)
Emergency Lighting
ISO/IEC 17799: 9.2.2
DOD 8500.2: PEEL-1
DCID 6/3: 8.D.2
Fire Protection
ISO/IEC 17799: 9.1.4, 9.2.1
NIST 800-26: 7.1.12
GAO FISCAM: SC-2.2
DOD 8500.2: PEFD-1, PEFS-1
DCID 6/3: 8.C.2.a, 8.D.2
Temperature and Humidity Controls
ISO/IEC 17799: 9.2.1, 10.5.1, 10.7.1
NIST 800-26: 7.1.14, 7.1.15
GAO FISCAM: SC-2.2
DOD 8500.2: PEHC-1, PETC-1
DCID 6/3: 8.D.2
Water Damage Protection
ISO/IEC 17799: 9.1.4, 9.2.1
NIST 800-26: 7.1.17
GAO FISCAM: SC-2.2
DCID 6/3: 8.C.2.a, 8.D.2
Delivery and Removal
ISO/IEC 17799: 9.1.6, 9.2.7, 10.7.1
NIST 800-26: 7.1.3
GAO FISCAM: AC-3.1
DCID 6/3: 8.B.5.e
Alternate Work Site
ISO/IEC 17799: 11.7.2
DOD 8500.2: EBRU-1
Location of Information System Components
ISO/IEC 17799: 9.2.1
Information Leakage
Applicable 800-53 Planning
Security Planning Policy and Procedures
ISO/IEC 17799: 6.1, 15.1.1
NIST 800-26: 5
DOD 8500.2: DCAR-1, E3.4.6
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
System Security Plan
ISO/IEC 17799: 6.1
NIST 800-26: 4.1.5, 5.1.1, 5.1.2, 12.2.1
GAO FISCAM: SP-2.1
DOD 8500.2: DCSD-1
DCID 6/3: 1.F.6, 2.B.6.c(3), 2.B.7.c(5), 9.E.2.a(1)(d), 9.F.2.a, Appendix C
System Security Plan Update
ISO/IEC 17799: 6.1
NIST 800-26: 3.2.10, 5.2.1
GAO FISCAM: SP-2.1
DOD 8500.2: 5.7.5
DCID 6/3: 2.B.7.c(5)
Rules of Behavior
ISO/IEC 17799: 7.1.3, 8.1.3, 15.1.5
NIST 800-26: 4.1.3, 13.1.1
DOD 8500.2: PRRB-1
DCID 6/3: 2.B.9.b
Privacy Impact Assessment
ISO/IEC 17799: 15.1.4
DCID 6/3: DCID: B.3.a; Manual: 8.B.9
Security-Related Activity Planning
ISO/IEC 17799: 15.3.1
Applicable 800-53 Personnel Security
Personnel Security Policy and Procedures
ISO/IEC 17799: 8.1.1, 15.1.1
NIST 800-26: 6
DOD 8500.2: PRRB-1, DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5); 8.E
Position Categorization
ISO/IEC 17799: 8.1.2
NIST 800-26: 6.1.1, 6.1.2
GAO FISCAM: SD-1.2
DCID 6/3: 8.E
Personnel Screening
ISO/IEC 17799: 8.1.2
NIST 800-26: 6.2.1, 6.2.3
GAO FISCAM: SP-4.1
DOD 8500.2: PRAS-1
DCID 6/3: 2.B.7.c(2), 2.B.8.b(5), 8.E
Personnel Termination
ISO/IEC 17799: 8.1.3, 8.3, 11.2.1
NIST 800-26: 6.1.7
GAO FISCAM: SP-4.1
DOD 8500.2: 5.12.7
DCID 6/3: 2.B.9.b(6), 4.B.2.a(3)(e), 8.E
Personnel Transfer
ISO/IEC 17799: 8.3.1, 8.3.3, 11.2.1
NIST 800-26: 6.1.7
GAO FISCAM: SP-4.1
DOD 8500.2: 5.12.7
DCID 6/3: 2.B.9.b(6)
Access Agreements
ISO/IEC 17799: 6.1.5, 8.1.3
NIST 800-26: 6.1.5, 6.2.2
GAO FISCAM: SP-4.1
DOD 8500.2: PRRB-1
DCID 6/3: 1.E.2, 8.E
Third-Party Personnel Security
ISO/IEC 17799: 6.2.1, 6.2.3, 8.1.1, 8.1.2, 8.1.3, 8.2.1, 8.2.2, 11.2.1
GAO FISCAM: SP-4.1
DOD 8500.2: 5.7.10
DCID 6/3: 1.A.1, 8.D, 8.E
Personnel Sanctions
ISO/IEC 17799: 8.2.3, 11.2.1
NIST 800-26: 6.1.5
DOD 8500.2: PRRB-1
DCID 6/3: 4.B.2.a(3)(e), 8.E
Applicable 800-53 Risk Assessment
Risk Assessment Policy and Procedures
ISO/IEC 17799: 4.1, 15.1.1
NIST 800-26: 1
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.3.a, Manual: 2.B.4.e(5)
Security Categorization
ISO/IEC 17799: 7.2.1
NIST 800-26: 1.1.3, 3.1.1
GAO FISCAM: SP-1, AC-1.1, AC-1.2
DOD 8500.2: E3.4.2
DCID 6/3: 3.C, 3.D, 9.E.2.a(1)(a), 9.E.2.a(1)(d)
Risk Assessment
ISO/IEC 17799: 4, 4.1, 4.2, 6.2.1, 10.10.2, 10.10.5, 12.5.1, 12.6.1, 14.1.1, 14.1.2
NIST 800-26: 1.1.2, 1.1.4, 1.1.5, 1.1.6, 1.2.1, 1.2.2, 1.2.3, 3.1.7, 3.1.8, 4.1.7, 7.1.13, 7.1.19, 12.2.4
GAO FISCAM: SP-1
DOD 8500.2: DCDS-1, DCII-1, E3.3.10
DCID 6/3: 9.B
Risk Assessment Update
ISO/IEC 17799: 4.1
NIST 800-26: 1.1.2, 4.1.2
GAO FISCAM: SP-1
DOD 8500.2: DCAR-1, DCII-1
DCID 6/3: 9.B.4.f, 9.D.1.d
Vulnerability Scanning
ISO/IEC 17799: 12.6.1
NIST 800-26: 10.3.2, 14.2.1
DOD 8500.2: ECMT-1, VIVM-1
DCID 6/3: 4.B.3.a(8)(b), 4.B.3.b(6)(b), 9.B.4.e
Applicable 800-53 System and Services Acquisition
System and Services Acquisition Policy and Procedures
ISO/IEC 17799: 12.1, 15.1.1
NIST 800-26: 3
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
Allocation of Resources
ISO/IEC 17799: 10.3.1
NIST 800-26: 3.1.2, 3.1.3, 3.1.5, 5.1.3
DOD 8500.2: DCPB-1, E3.3.4
DCID 6/3: DCID: C.2.a, Manual: 2.B.4.e(8)
Life Cycle Support
NIST 800-26: 3.1
DOD 8500.2: 5.8.1
DCID 6/3: DCID: B.2.a, Manual: 9.E.2
Acquisitions
ISO/IEC 17799: 12.1.1
NIST 800-26: 3.1.6, 3.1.7, 3.1.10, 3.1.11, 3.1.12
DOD 8500.2: DCAS-1, DCDS-1, DCIT-1, DCMC-1
DCID 6/3: DCID: B.2.a; C.2.a, Manual: 9.B.4
Information System Documentation
ISO/IEC 17799: 10.7.4
NIST 800-26: 3.2.3, 3.2.4, 3.2.8, 12.1.1, 12.1.2, 12.1.3, 12.1.6, 12.1.7
GAO FISCAM: CC-2.1
DOD 8500.2: DCCS-1, DCHW-1, DCID-1, DCSD-1, DCSW-1, ECND-1, DCFA-1
DCID 6/3: 4.B.2.b(2), 4.B.2.b(3), 4.B.4.b(4), 9.C.3
Software Usage Restrictions
ISO/IEC 17799: 15.1.2
NIST 800-26: 10.2.10, 10.2.13
GAO FISCAM: SS-3.2, SP-2.1
DOD 8500.2: DCPD-1
DCID 6/3: 2.B.9.b(11)
User Installed Software
ISO/IEC 17799: 15.1.2
NIST 800-26: 10.2.10
GAO FISCAM: SS-3.2
DCID 6/3: 2.B.9.b(11)
Security Engineering Principles
ISO/IEC 17799: 12.1
NIST 800-26: 3.2.1
DOD 8500.2: DCBP-1, DCCS-1, E3.4.4
DCID 6/3: 1.H.1
Outsourced Information System Services
ISO/IEC 17799: 6.2.1, 6.2.3, 10.2.1, 10.2.2, 10.6.2
NIST 800-26: 12.2.3
DOD 8500.2: DCDS-1, DCID-1 DCIT-1, DCPP-1
DCID 6/3: 1.B.1, 8.C.2, 8.E
Developer Configuration Management
ISO/IEC 17799: 12.5.1, 12.5.2
GAO FISCAM: SS-3.1, CC-3
DCID 6/3: 4.B.4.b(4), 8.C.2.a
Developer Security Testing
ISO/IEC 17799: 12.5.1, 12.5.2
NIST 800-26: 3.2.1, 3.2.2, 10.2.5, 12.1.5
GAO FISCAM: SS-3.1, CC-2.1
DOD 8500.2: E3.4.4
DCID 6/3: 4.B.4.b(4)
Applicable 800-53 System and Communication Protection
System and Communications Protection Policy and Procedures
ISO/IEC 17799: 10.8.1, 15.1.1
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5)
Application Partitioning
ISO/IEC 17799: 11.4.5
DOD 8500.2: DCPA-1
DCID 6/3: 4.B.3.b(6)(a), 4.B.4.b(8), 5.B.3.b(2)
Security Function Isolation
ISO/IEC 17799: 11.4.5
DOD 8500.2: DCSP-1
DCID 6/3: 4.B.3.b(6)(a), 4.B.4.b(8), 5.B.3.b(1), 5.B.3.b(2)
Information Remnants
ISO/IEC 17799: 10.8.1
GAO FISCAM: AC-3.4
DOD 8500.2: ECRC-1
DCID 6/3: 4.B.2.a(14)
Denial of Service Protection
ISO/IEC 17799: 10.8.4, 13.2.1
DCID 6/3: 6.B.3.a(6)
Resource Priority
DCID 6/3: 6.B.3.a(11)
Boundary Protection
ISO/IEC 17799: 11.4.6
NIST 800-26: 16.2.2, 16.2.7, 16.2.9, 16.2.10, 16.2.11, 16.2.14
GAO FISCAM: AC-3.2
DOD 8500.2: COEB-1, EBBD-1, ECIM-1, ECVI-1
DCID 6/3: 4.B.4.a(27), 5.B.3.a(11)(b), 7.A.3, 7.B, 7.C, 7.D
Transmission Integrity
ISO/IEC 17799: 10.6.1, 10.8.1, 10.9.1
NIST 800-26: 11.2.1, 11.2.4, 11.2.9, 16.2.14
GAO FISCAM: AC-3.2
DOD 8500.2: ECTM-1
DCID 6/3: 5.B.3.a(11)
Transmission Confidentiality
ISO/IEC 17799: 10.6.1, 10.8.1, 10.9.1
DOD 8500.2: ECCT-1
DCID 6/3: 4.B.1.a(8)(a)
Network Disconnect
ISO/IEC 17799: 11.5.6
NIST 800-26: 16.2.6
GAO FISCAM: AC-3.2
DCID 6/3: 4.B.2.a(17)
Trusted Path
ISO/IEC 17799: 10.9.2
NIST 800-26: 16.2.7
DCID 6/3: 4.B.4.a(14)
Cryptographic Key Establishment and Mgmt.
ISO/IEC 17799: 12.3.1, 12.3.2
NIST 800-26: 16.1.7, 16.1.8
DOD 8500.2: IAKM-1
DCID 6/3: 1.G
Use of Validated Cryptography
NIST 800-26: 16.1.7, 16.1.8
DOD 8500.2: IAKM-1, IATS-1
DCID 6/3: 1.G.1
Public Access Protections
ISO/IEC 17799: 10.7.4, 10.9.3
DOD 8500.2: EBPW-1
Collaborative Computing
DOD 8500.2: ECVI-1
DCID 6/3: 7.G
Transmission of Security Parameters
ISO/IEC 17799: 7.2.2, 10.8.2, 10.9.2
NIST 800-26: 16.1.6
GAO FISCAM: AC-3.2
DOD 8500.2: ECTM-2
DCID 6/3: 4.B.1.a(3)
Public Key Infrastructure Certificates
ISO/IEC 17799: 12.3.2
DOD 8500.2: IAKM-1
DCID 6/3: 2.B.4.e(5), 4.B.3.a(11)
Mobile Code
ISO/IEC 17799: 10.4.1, 10.4.2
DOD 8500.2: DCMC-1
DCID 6/3: 2.B.4.e(5), 7.E
Voice Over Internet Protocol
DOD 8500.2: ECVI-1
DCID 6/3: DCID 6/3 2.B.4.d, 9.D.1.a
Secure Name Address Resolution Service (Authoritative Source)
Secure Name Address Resolution Service (Resolution)
Architecture and Provisioning for Name/Address Resolution Service
Session Authenticity
Applicable 800-53 System and Information Integrity
System and Information Integrity Policy and Procedures
ISO/IEC 17799: 15.1.1
NIST 800-26: 11
DOD 8500.2: DCAR-1
DCID 6/3: DCID: B.2.a, Manual: 2.B.4.e(5), 5.B.1.b(1), 5.B.2.a(5)(a)(1)
Flaw Remediation
ISO/IEC 17799: 10.10.5, 12.4.1, 12.5.1, 12.5.2, 12.6.1
NIST 800-26: 10.3.2, 11.1.1, 11.1.2, 11.2.2, 11.2.7
GAO FISCAM: SS-2.2
DOD 8500.2: DCSQ-1, DCCT-1, VIVM-1
DCID 6/3: 5.B.2.a(5)(a)(3), 6.B.2.a(5)
Malicious Code Protection
ISO/IEC 17799: 10.4.1
NIST 800-26: 11.1.1, 11.1.2
DOD 8500.2: ECVP-1, VIVM-1
DCID 6/3: 5.B.1.a(4), 7.B.4.b(1)
Information System Monitoring Tools and Techniques
ISO/IEC 17799: 10.6.2, 10.10.1, 10.10.2, 10.10.4
NIST 800-26: 11.2.5, 11.2.6
DOD 8500.2: EBBD-1, EBVC-1, ECID-1
DCID 6/3: 4.B.2.a(5)(b), 4.B.3.a(8)(b), 6.B.3.a(8)
Security Alerts and Advisories
ISO/IEC 17799: 6.1.7, 10.4.1
NIST 800-26: 14.1.1, 14.1.2, 14.1.5
GAO FISCAM: SP-3.4
DOD 8500.2: VIVM-1
DCID 6/3: 8.B.7
Security Functionality Verification
NIST 800-26: 11.2.1, 11.2.2
GAO FISCAM: SS-2.2
DOD 8500.2: DCSS-1
DCID 6/3: 4.B.1.c(2), 5.B.2.b(2)
Software and Information Integrity
ISO/IEC 17799: 12.2.1, 12.2.2, 12.2.4
NIST 800-26: 11.2.1, 11.2.4
DOD 8500.2: ECSD-2
DCID 6/3: 4.B.1.c(2), 5.B.1.a(3), 5.B.2.a(6)
Spam Protection
DCID 6/3: 5.B.1.a(4)
Information Input Restrictions
ISO/IEC 17799: 12.2.1, 12.2.2
GAO FISCAM: SD-1
DCID 6/3: 2.B.9.b(11)
Information Accuracy, Completeness, Validity, and Authenticity
ISO/IEC 17799: 10.7.3, 12.2.1, 12.2.2
DCID 6/3: 7.B.2.h, 2.B.4.d
Error Handling
ISO/IEC 17799: 12.2.1, 12.2.2, 12.2.3, 12.2.4
DCID 6/3: 2.B.4.d
Information Output Handling and Retention
ISO/IEC 17799: 10.7.3, 12.2.4
DOD 8500.2: PESP-1
DCID 6/3: 2.B.4.d, 8.B.9, 8.G
Introduction
This guide has been created to assist federal agencies in effectively securing systems with Microsoft Windows XP Firewall based on OMB Federal Desktop Core Configuration recommendations.Under the direction of OMB and in collaboration with DHS, DISA, NSA, USAF, and Microsoft, NIST has provided the following baseline to help agencies test, implement, and deploy the Microsoft Windows XP Firewall Federal Desktop Core Configuration (FDCC) baseline. The Federal Desktop Core Configuration (FDCC) is an OMB-mandated security configuration.Please refer to the FDCC home page for additional information. http://fdcc.nist.gov
FDCC Other Settings
FDCC has identified the following additional controls that must be checked in order to verify compliance.
Windows Firewall - Domain Profile
The Domain Profile applies when a computer is connected to a network and authenticates to a domain controller in the domain to which the computer belongs.
Allow file and print sharing exception
This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
1
1
0
Allow local port exceptions
The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled.
0
1
0
Allow local program exceptions
The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased.
0
1
0
Allow Logging: Log Dropped Packets
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
1
1
0
Allow Logging: Log Successful Connections
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
1
1
0
Allow Logging: Log Size
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
1
4096
16384
Allow Logging: Log Path
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
%systemroot%\DomainFW.log
%systemroot%\DomainFW.log
Allow remote administration exceptions
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1044 to 1044 but potentially anywhere from 1044 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
0
1
0
Allow Remote Desktop exception
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.
0
1
0
Allow UPnP framework exception
The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.
0
1
0
Prohibit notification
Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these settings are shown to the users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications.
1
1
0
Prohibit unicast response to multicast or broadcast requests
The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
1
1
0
Protect all Network Connections
The Windows Firewall: Protect all network connections setting turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP SP2. This appendix recommends configuring this setting to Enabled to protect all network connections for computers in all environments. If this setting is configured as Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored. Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting.
1
1
0
Allow file and print sharing exception
This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3247-4
CCE-555
Allow ICMP exceptions (Allow inbound echo request and block everything else)
The Windows Firewall: Allow ICMP exceptions setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you set this policy setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you set this policy to Disabled, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from the computer. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. For that reason, this appendix recommends that you configure this setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure the setting with the appropriate message types. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3141-9
CCE-277
Allow local port exceptions
The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3258-1
CCE-370
Allow local program exceptions
The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2828-2
CCE-502
Allow Logging: Log Dropped Packets
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2965-2
CCE-251
Allow Logging: Log Successful Connections
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3090-8
CCE-617
Allow Logging: Log Size
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2958-7
CCE-57
Allow Logging: Log Path
Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you disable this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact. In the Windows Firewall component of Control Panel, the "Security Logging" settings are cleared and administrators cannot select them. If you do not configure this policy setting, Windows Firewall behaves as if the policy setting were disabled, except that administrators can choose whether to select the "Security Logging" settings.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2923-1
CCE-793
Allow remote administration exceptions
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1044 to 1044 but potentially anywhere from 1044 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2476-0
CCE-771
Allow Remote Desktop exception
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3304-3
CCE-832
Allow UPnP framework exception
The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3176-5
CCE-590
Define port exceptions
The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings. The Windows Firewall: Define port exceptions policy setting allows you to centrally manage these settings. If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view and modify the port exceptions list, configure the policy setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means you can accidentally create multiple entries for the same port with conflicting Scope or Status values. If you disable this policy setting, the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting. Environments with nonstandard applications that require specific ports to be open should consider deploying program exceptions. This appendix recommends enabling this setting and specifying a list of port exceptions only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2866-2
CCE-114
Prohibit notification
Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these settings are shown to the users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3198-9
CCE-762
Prohibit unicast response to multicast or broadcast requests
The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-2972-8
CCE-696
Protect all Network Connections
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile
CCE-3154-2
CCE-806
Windows Firewall - Standard Profile
The Standard Profile is the default network location type when the computer is not connected to a domain. Standard profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as within an IT environment.
Allow file and print sharing exception
This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
1
1
0
Allow local port exceptions
The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled.
0
1
0
Allow local program exceptions
The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased.
0
1
0
Allow remote administration exceptions
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1044 to 1044 but potentially anywhere from 1044 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
0
1
0
Allow Remote Desktop exception
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.
0
1
0
Allow UPnP framework exception
The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.
0
1
0
Do not allow exceptions
The Windows Firewall: Do not allow exceptions setting specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting in the Windows Firewall component of Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. In those cases, you may need to consider configuring this policy to Disabled to allow those applications and services to run properly. However, before making any change to this policy, you should test the environment to determine exactly what to allow and what to disallow. Note: This setting provides a strong defense against external attackers and should be set to Enabled in situations where you require complete protection from external attacks such as the outbreak of a new network worm. Setting this policy to Disabled allows Windows Firewall to apply other policy settings that allow unsolicited incoming messages.
1
1
0
Prohibit notification
Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these settings are shown to the users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications.
1
1
0
Prohibit unicast response to multicast or broadcast requests
The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
1
1
0
Protect all Network Connections
The Windows Firewall: Protect all network connections setting turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP SP2. This appendix recommends configuring this setting to Enabled to protect all network connections for computers in all environments. If this setting is configured as Disabled, Windows Firewall is turned off and all other settings for Windows Firewall are ignored. Note: If you enable this policy setting, Windows Firewall runs and ignores the Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network policy setting.
1
1
0
Allow file and print sharing exception
This setting allows file and printer sharing by configuring Windows Firewall to open UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from sharing files and printers. Because the computers in your environment running Windows XP will not normally be sharing files and printers, this appendix recommends you configure this setting as Disabled in all environments. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3262-3
CCE-626
Allow ICMP exceptions (Block everything)
The Windows Firewall: Allow ICMP exceptions setting defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request message. If you set this policy setting to Enabled, you must specify which ICMP message types Windows Firewall allows the computer to send or receive. When you set this policy to Disabled, Windows Firewall blocks all unsolicited incoming ICMP message types and the listed outgoing ICMP message types. As a result, utilities that use the blocked ICMP messages will not be able to send those messages to or from the computer. Many attacker tools take advantage of computers that accept ICMP message types and use these messages to mount a variety of attacks. However, some applications require some ICMP messages in order to function properly. For that reason, this appendix recommends that you configure this setting to Disabled whenever possible. If your environment requires some ICMP messages to get through Windows Firewall, configure the setting with the appropriate message types. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3081-7
CCE-797
Allow local port exceptions
The Windows Firewall: Allow local port exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall can use two port exceptions lists; the other is defined by the Windows Firewall: Define port exceptions policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define such a list. Typically, local administrators are not authorized to override organizational policy and establish their own port exceptions list in enterprise or high security environments. For that reason, this appendix recommends configuring this option as Disabled.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-2989-2
CCE-77
Allow local program exceptions
The Windows Firewall: Allow local program exceptions setting allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Disabling this policy setting does not allow administrators to define a local program exceptions list, and ensures that program exceptions only come from Group Policy. Setting this policy to Enabled allows local administrators to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify having the client define local program exceptions. These conditions may include applications that were not analyzed when creating the organization's firewall policy or new applications that require nonstandard port configuration. In those cases, you may choose to enable this setting, recognizing that the attack surface of the affected computers is increased.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3183-1
CCE-352
Allow remote administration exceptions Disabled
Many organizations take advantage of remote computer administration in their daily operations. However, some attacks have exploited the ports typically used by remote administration programs; Windows Firewall can block these ports. To provide flexibility for remote administration, the Windows Firewall: Allow remote administration exception setting is available. Configuring this setting to Enabled allows the computer to receive the unsolicited incoming messages associated with remote administration on TCP ports 135 and 445. This policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1044 to 1044 but potentially anywhere from 1044 to 65535. Enabling this setting also requires you to specify the IP addresses or subnets from which these incoming messages are allowed. If you configure this policy setting as Disabled, Windows Firewall makes none of the described exceptions. This appendix recommends you enable this setting for enterprise computers if necessary, and to always disable the setting for high security computers. Computers in your environment should accept remote administration requests from as few computers as possible. To maximize the protection provided by the Windows Firewall, make sure to specify only the necessary IP addresses and subnets of computers used for remote administration. Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-2954-6
CCE-467
Allow Remote Desktop exception
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3213-6
CCE-354
Allow UPnP framework exception
The Windows Firewall: Allow UPnP framework exception setting allows a computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To receive these messages, Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting, Windows Firewall opens these ports so that the computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks these ports and prevents the computer from receiving Plug and Play messages.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3235-9
CCE-266
Do not allow exceptions
The Windows Firewall: Do not allow exceptions setting specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting in the Windows Firewall component of Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. In those cases, you may need to consider configuring this policy to Disabled to allow those applications and services to run properly. However, before making any change to this policy, you should test the environment to determine exactly what to allow and what to disallow. Note: This setting provides a strong defense against external attackers and should be set to Enabled in situations where you require complete protection from external attacks such as the outbreak of a new network worm. Setting this policy to Disabled allows Windows Firewall to apply other policy settings that allow unsolicited incoming messages.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3179-9
CCE-440
Prohibit notification
Windows Firewall can display notifications to users when a program requests that Windows Firewall add the program to the program exceptions list. This situation occurs when programs attempt to open a port and are not allowed to do so based on current Windows Firewall rules. The Windows Firewall: Prohibit notifications setting configures whether these settings are shown to the users. If you set this policy to Enabled, Windows Firewall prevents the display of these notifications. If you set it to Disabled, Windows Firewall allows the display of these notifications.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3134-4
CCE-901
Prohibit unicast response to multicast or broadcast requests
The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting prevents a computer from receiving unicast responses to its outgoing multicast or broadcast messages. When this policy setting is enabled and the computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers. When the setting is disabled and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits up to three seconds for unicast responses from the other computers and then blocks all later responses. Typically, you would not want to receive unicast responses to multicast or broadcast messages. Such responses can indicate a denial of service (DoS) attack or an attacker attempting to probe a known live computer. This appendix recommends you configure this policy setting to Enabled to help prevent this type of attack. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by the computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3103-9
CCE-632
Protect all Network Connections
Many organizations use Remote Desktop connections in their normal troubleshooting procedures or operations. However, some attacks have occurred that exploited the ports typically used by Remote Desktop. To provide flexibility for remote administration, the Windows Firewall: Allow Remote Desktop exception setting is available. Enabling this setting configures Windows Firewall to open TCP port 3389 for inbound connections. You must also specify the IP addresses or subnets from which these incoming messages are allowed. If you disable this policy setting, Windows Firewall blocks this port and prevents the computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list, Windows Firewall does not open the port. Some attacks can exploit an open port 3389. To maintain the enhanced management capabilities provided by Remote Desktop, you should configure this setting to Enabled and specify the IP addresses and subnets of the computers used for remote administration. Computers in your environment should accept Remote Desktop requests from as few computers as possible.
GPO
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile
CCE-3284-7
CCE-273