June 2004

Fine-Tuning Windows Firewall

A look at 9 new Group Policy settings and their corresponding commands

Opening Particular Ports
The remaining settings open particular ports. The first, Allow Dynamically Assigned Ports for RPC and DCOM, is a bit of a conundrum—to enable or not to enable? I'm a big fan of Windows Management Instrumentation (WMI)-based tools such as WMI VBScripts and the Microsoft Management Console (MMC) Manage Computer snap-in, and WMI needs Remote Procedure Calls (RPCs). You can't use the Manage Computer snap-in to control a system remotely without using WMI, so if you want to leave Windows Firewall in place but still use Manage Computer to control remote systems, you'll have to enable this setting. The problem with opening ports for RPC is that Microsoft has discovered some scary bugs in RPC in the past 2 years, perhaps the most memorable of which led to MSBlaster. So enabling a firewall but also opening ports for RPC might be a self-defeating exercise, like installing locks on all your doors but leaving the front door unlocked for convenience: Burglars will find it convenient, too. Like the previous setting, this setting lets you open ports to all IP addresses or just to the local subnet, but that option doesn't seem very helpful either. In many cases in which MSBlaster attacked a business, the attack launched from an infected laptop that someone carried into the company. So think long and hard before you enable this setting.

The File and Print Sharing, Remote Assistance Support, and Universal Plug and Play settings work the same way as the RPC setting: You can turn them on or off, and if you turn them on you can restrict them to the local subnet. You can enable all but Remote Assistance support from the command line by using the

netsh firewall ipv4 set service

command, followed by type= and the name of the service (i.e., FILEANDPRINT, RPCANDDCOM, or UPNP), as well as scope= and either all (the entire Internet) or subnet (the local subnet). For example, to enable file and print sharing for only the local subnet, you'd type

netsh firewall ipv4 set service
  type=fileandprint scope=subnet

You can append profile= and interface= to any command, so if you wanted to open file and print services on your wired Ethernet connection only when your system was connected to the domain, you'd use the command

netsh firewall ipv4 set service
  type=fileandprint scope=subnet
  interface="local area connection"
  profile=corporate

Whereas Group Policy refers to Domain and Mobile profiles, command-line tools refer to corporate and other profiles.

Two policy settings remain. Allow ICMP Settings affects the Internet Control Message Protocol (ICMP) subsystem. In general, you don't need to worry much about ICMP, but you probably will care about one aspect of it: Ping. By default, firewalled systems block all ICMP requests and therefore ignore pings. A look at the Allow ICMP Settings Properties shows nine types of ICMP requests that Windows Firewall permits. For ping purposes, you need to enable only Allow Inbound Echo Request. This setting has no option for restricting ICMP traffic to the local subnet.

From the command line, you'd open up ICMP with the command

netsh firewall ipv4 set icmpsetting

followed by type= and a number (3, 4, 5, 8, 10, 11, 12, 13, or 17) or the word all. Each number refers to one of the nine ICMP settings, and the one you want—incoming echo request—is number 8. To make your system respond to pings, then, you'd type

netsh firewall ipv4 set icmpsetting type=8

Again, you can add profile= or interface= to make the command more specific.

What if you want to open a port for a service that I haven't discussed? Just use the ninth policy setting, Define Custom Open Ports. Enable it, then click Show as I explained for Define Allowable Programs. Next, specify the number of the port you want Windows Firewall to open, whether the port is TCP or UDP, whether to open it up to the world or just the local subnet, and whether to enable or disable it. Optionally, you can give the port a descriptive name. For example, your mail server might want TCP port 25 open to the whole world, so you might specify

25:TCP:*:enabled:SMTP

where 25 is the port number, TCP is the protocol, the asterisk (*) opens the port to the whole world (the alternative is subnet), enabled opens the port instead of closing it, and SMTP is a descriptive phrase. From the command line, use the command

netsh firewall ipv4 add portopening

followed by protocol= (with tcp, udp, or all), port= (with the number), name= (with a name), mode= (with enable or disable), and scope= (with all or subnet). To enable your mail server, you'd type

netsh firewall ipv4 add portopening
  protocol=tcp port=25 name=SMTP
  mode=enable scope=all

If you don't specify a mode, enable is assumed, and if you don't specify a scope, subnet is assumed.
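As an added illustration (not code from the article or from Microsoft), the following Python helper converts between the Group Policy port-definition string and the fully explicit netsh command, applying the defaults just described (mode=enable and scope=subnet when omitted); the function and constant names are my own.

```python
"""Convert between a "Define Custom Open Ports" policy entry
(port:protocol:scope:mode:name, e.g. 25:TCP:*:enabled:SMTP) and the
equivalent netsh firewall ipv4 add portopening command.
Added illustration, not code from the article or from Microsoft."""
import shlex

PROTOCOLS = {"TCP", "UDP"}
SCOPE_TO_NETSH = {"*": "all", "subnet": "subnet"}        # policy token -> scope=
MODE_TO_NETSH = {"enabled": "enable", "disabled": "disable"}
NETSH_PREFIX = ["netsh", "firewall", "ipv4", "add", "portopening"]


def parse_policy_entry(entry: str) -> dict:
    """Validate one policy entry and return its fields in netsh vocabulary."""
    parts = entry.split(":", 4)            # the trailing name may contain colons
    if len(parts) != 5:
        raise ValueError(f"expected port:protocol:scope:mode:name, got {entry!r}")
    port, proto, scope, mode, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port {port!r}")
    if proto.upper() not in PROTOCOLS:
        raise ValueError(f"protocol must be TCP or UDP, got {proto!r}")
    if scope not in SCOPE_TO_NETSH or mode not in MODE_TO_NETSH:
        raise ValueError(f"bad scope/mode in {entry!r}")
    return {"port": int(port), "protocol": proto.lower(),
            "scope": SCOPE_TO_NETSH[scope], "mode": MODE_TO_NETSH[mode], "name": name}


def to_netsh(entry: str) -> str:
    """Policy entry -> explicit netsh command (no reliance on the defaults)."""
    f = parse_policy_entry(entry)
    name = f'"{f["name"]}"' if " " in f["name"] else f["name"]
    return (" ".join(NETSH_PREFIX) + f" protocol={f['protocol']} port={f['port']}"
            f" name={name} mode={f['mode']} scope={f['scope']}")


def from_netsh(command: str) -> str:
    """netsh command -> policy entry, filling in the defaults the article
    states: mode=enable and scope=subnet when they are omitted."""
    tokens = shlex.split(command)
    if tokens[:5] != NETSH_PREFIX:
        raise ValueError("not an add portopening command")
    kv = dict(t.split("=", 1) for t in tokens[5:])
    protocol = kv.get("protocol", "").upper()
    if protocol not in PROTOCOLS:          # protocol=all would need two entries
        raise ValueError(f"protocol must be tcp or udp, got {protocol!r}")
    scope = {"all": "*", "subnet": "subnet"}[kv.get("scope", "subnet")]
    mode = {"enable": "enabled", "disable": "disabled"}[kv.get("mode", "enable")]
    return f"{int(kv['port'])}:{protocol}:{scope}:{mode}:{kv['name']}"
```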

If you change your mind and want to close a port, use the command

netsh firewall ipv4 delete portopening

along with the protocol and the port number to identify which port you want to close. For example, to close your email server's port, you'd type

netsh firewall ipv4 delete portopening
  protocol=tcp port=25

Playing around with these settings, you might get confused—Hey, I closed that port, why is it still open?—unless you understand an important difference between how the firewall behaves when controlled by a Group Policy setting and how it behaves when controlled from the command line. Commands issued from the command line typically take effect immediately, whereas Group Policy changes can take a while to appear. You can make local Group Policy changes in Windows Firewall take effect immediately by using the command

gpupdate

Wait for the command to finish, then go to Services in the Manage Computer snap-in and restart the Internet Connection Firewall service. (Microsoft might rename this service by the time SP2 debuts.)

Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.