Windows Server 2003 : Windows Firewall (part 3) - Service Pack Firewall Modifications - Modifying firewall behavior using the Windows Firewall INF file and unattend.txt

4/23/2013 4:18:12 PM
2.2. Modifying firewall behavior using the Windows Firewall INF file and unattend.txt

If the service pack is installed without modification, the firewall is installed enabled and all unsolicited traffic is blocked. Administrators should configure the service pack installation so that the firewall is installed with settings appropriate for their networks. Use the Windows Firewall INF file (netfw.inf) when performing an interactive installation, and use the unattend.txt file to configure settings for unattended installations of the service pack.

Figure 6. Security Center

Figure 7. The Security Center can be turned on for domain member computers by using Group Policy

The Windows Firewall INF file (netfw.inf) is a configuration file that can be used by administrators to modify the behavior of the Windows Firewall. Use Notepad or another text editor to modify netfw.inf and use the new version during installation of the service pack to configure the firewall during installation. Modify the local netfw.inf after installation to modify firewall behavior. The netfw.inf file is located on a Windows XP CD-ROM in the I386 directory. There are several reasons why changes to the default behavior are necessary, including the following:

  • A third-party vendor firewall is your default.

  • Installed programs require filters configured for the Windows Firewall to enable traffic.

  • Network services such as remote management are used in your network and, therefore, specific ports must be open.

To modify behavior, modify the ICF.AddReg.DomainProfile and/or ICF.AddReg.StandardProfile sections of the file. These profiles determine how the firewall is configured when the computer is connected to a domain or not, respectively. If the Windows computer is not a member of a domain, the ICF.AddReg.StandardProfile will always be enforced.

To reconfigure the netfw.inf file on an existing Windows XP SP 2 system, use Notepad or another text editor to open the %windir%\Inf\netfw.inf file, as shown in Figure 8.

Figure 8. Use the netfw.inf file to modify firewall behavior

Make changes and save the file. Run the command netsh firewall reset from a command prompt. Firewall behavior is determined by registry settings included in the file. To make changes, add or adjust values located at the paths:


Table 2 lists and describes the values that may be changed in the netfw.inf file.

Table 2. Firewall INF settings

| Setting | Value | Description |
|---|---|---|
| EnableFirewall | 0x00010001,1 | The firewall is enabled. |
| DoNotAllowExceptions | 0x00010001,1 | If the firewall is enabled and this setting is configured, the firewall blocks all unsolicited traffic, including that identified in an exception list. |
| DisableNotifications | 0x00010001,1 | Turns off notification when a program not already included in the exceptions list attempts to add itself or its traffic to an exceptions list. |
| DisableUnicastResponsesToMulticastBroadcast | 0x00010001,1 | Prevents incoming unicast response packets. By default, the firewall allows these packets in response to outgoing multicast or broadcast packets. |
| RemoteAdminSettings: Enabled | 0x00010001,1 | Enables remote administration by statically opening ports TCP 135 and TCP 445 to unsolicited incoming traffic. Communication via named pipes is also permitted. These ports are required for Remote Procedure Call (RPC) and Distributed Component Object Model (DCOM) communications. They are blocked by default. When this setting is enabled, additional ports required by RPC are dynamically opened. |
| RemoteAdminSettings: RemoteAddresses | 0x00000000,"scope" | When RemoteAdminSettings is enabled, you may specify a scope of addresses from which this traffic is allowed. |
| IcmpSettings | "ICMP MessageType",0x00010001,1 | Allows ICMP message types as specified. |
| GloballyOpenPorts\List | "Port number:protocol", 0x00000000, "port number:protocol:scope:mode:port's friendly name" | Statically opens this list of ports. (See the following discussion.) |

When opening TCP 135 and TCP 445 for remote administration, you should carefully limit the scope of addresses from which traffic may be accepted. By default all IP addresses are accepted, and this increases risk unacceptably. A large number of attacks are based on using these Windows ports. Narrow the scope of acceptable addresses to those used by administrators. While you can use the term LocalSubnet in the Firewall INF file to restrict incoming traffic to the local subnet, a better option is to create a custom scope by including a dotted decimal subnet mask or a prefix length. A list of IP addresses delimited by commas is also acceptable. Examples of scopes are and,,

When configuring scope by creating a list of IP addresses, do not leave spaces between the IP addresses in the list, or else the list will be ignored and traffic from all IP addresses will be accepted.

Scope may also be limited when defining statically opened ports. When defining the entry for GloballyOpenPorts\List, you should consider the scope option as well as add information to help identify the port in the Windows Firewall GUI. It is also possible to list ports that should not be statically opened. The parameters for the option are, in order:

Port number

This is the number assigned to the port.

Protocol

This is either TCP or UDP.

Scope

This is an IP address range.

Mode

This is either "enabled" or "disabled." Use disabled to explicitly require that the port not be statically opened.

Port's friendly name

This is a description you provide to help identify the statically opened port in the GUI (for example, "web server TCP 80").
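As an added example (not code from this page or from Microsoft), the following Python parses a few constructed GloballyOpenPorts\List entries in the value format just described and reports every enabled port whose scope is effectively all addresses, including the whitespace-in-list mistake the text warns about. It assumes "*" is the firewall's token for an unrestricted scope and leaves out the registry path, which the page does not show.

```python
"""Audit GloballyOpenPorts\\List entries in the netfw.inf value format
"port:protocol", 0x00000000, "port:protocol:scope:mode:name" and report
every enabled port whose scope is effectively "all addresses".

Added example, not code from the page or from Microsoft.  The INF lines
are constructed samples; "*" is assumed to be the firewall's token for an
unrestricted scope, and the registry path is left out because the page
does not show it.
"""
import csv
import ipaddress

# Ports the text singles out for remote administration (RPC/DCOM and SMB).
REMOTE_ADMIN_PORTS = {("135", "TCP"), ("445", "TCP")}

# Constructed sample entries (only the value part of each AddReg line).
SAMPLE_INF_LINES = [
    '"80:TCP",0x00000000,"80:TCP:*:Enabled:Web Server (TCP 80)"',
    '"3389:TCP",0x00000000,"3389:TCP:10.0.0.0/24:Enabled:Remote Desktop"',
    '"445:TCP",0x00000000,"445:TCP:LocalSubnet:Enabled:SMB from local subnet"',
    # Spaces after the commas: the text says such a list is ignored and
    # traffic from every address is accepted.
    '"135:TCP",0x00000000,"135:TCP:10.0.0.5, 10.0.0.6:Enabled:RPC endpoint mapper"',
    '"1900:UDP",0x00000000,"1900:UDP:*:Disabled:UPnP (explicitly not opened)"',
]


def parse_inf_entry(line):
    """Split one AddReg value line into its port, protocol, scope, mode and name."""
    fields = next(csv.reader([line], skipinitialspace=True))
    if len(fields) != 3:
        raise ValueError("expected key, flags and data: %r" % line)
    key, _flags, data = fields
    # The friendly name may itself contain ':', so split at most four times.
    port, protocol, scope, mode, name = data.split(":", 4)
    if key != "%s:%s" % (port, protocol):
        raise ValueError("key %r does not match data %r" % (key, data))
    return {"port": port, "protocol": protocol.upper(), "scope": scope,
            "mode": mode, "name": name}


def effective_scope(scope):
    """Classify a scope string as ("all" | "subnet" | "custom" | "invalid", reason).

    Rules taken from the text: LocalSubnet restricts to the local subnet; a
    custom scope is a comma-separated list of addresses, addresses with a
    prefix length or dotted subnet mask, and LocalSubnet; any whitespace in
    that list makes the firewall ignore it and accept every address.
    """
    if scope in ("", "*"):
        return "all", "scope is not restricted"
    if scope == "LocalSubnet":
        return "subnet", "LocalSubnet keyword"
    if any(ch.isspace() for ch in scope):
        return "all", "address list contains whitespace, so it is ignored"
    for entry in scope.split(","):
        if entry == "LocalSubnet":
            continue
        try:
            ipaddress.ip_network(entry, strict=False)  # addr, addr/len or addr/mask
        except ValueError:
            return "invalid", "unparseable address %r" % entry
    return "custom", "explicit address list"


def audit(lines):
    """Return findings for enabled entries that are not limited to known hosts."""
    findings = []
    for line in lines:
        entry = parse_inf_entry(line)
        if entry["mode"].lower() != "enabled":
            continue  # mode Disabled explicitly keeps the port closed
        kind, reason = effective_scope(entry["scope"])
        if kind in ("subnet", "custom"):
            continue
        port_proto = (entry["port"], entry["protocol"])
        findings.append({
            "port": entry["port"], "protocol": entry["protocol"],
            "name": entry["name"], "scope": kind, "reason": reason,
            "severity": "high" if port_proto in REMOTE_ADMIN_PORTS else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_INF_LINES):
        print("%-6s %s/%s %-24s %s" % (f["severity"], f["protocol"], f["port"],
                                      f["name"], f["reason"]))
```

On the sample, TCP 80 (scope "*") and TCP 135 (list with spaces) are reported; the disabled UPnP entry and the two properly scoped entries are not.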

An unattended installation of the service pack can reduce the need to provide feedback during service pack installation. Options for creating different types of service pack installations (including an unattended one) are fully discussed in the documentation accompanying SP2. To read and use the documentation prior to installation, unzip the deploy.cab file located on the service pack CD-ROM. This file is located in the Support\Tools folder. Extract the deploy.chm file and double-click on it to open. Specific information on unattend.txt can be found by extracting and consulting the ref.chm help file.

If you are installing from a command line or simple script, develop an unattend.txt file and use it during installation by entering xpsp2.exe unattend:unattend.txt. While there are many options that can be configured, those important to Windows Firewall installation are listed here. Modifications to the unattend.txt file that affect Windows Firewall operation are made in the following sections:

[WindowsFirewall]

This references the other sections.

[WindowsFirewall.Domain]

These are settings that affect the computer when it is connected to the domain.

[WindowsFirewall.Standard]

These are settings that affect the computer when it is not connected to the domain.

[WindowsFirewall.program_name]

This adds a program by the name of program_name to the exceptions list.

[WindowsFirewall.service_name]

This adds a predefined service such as File and Print to the exceptions list.

[WindowsFirewall.portopening_name]

This adds a port to the exceptions list.

[WindowsFirewall.icmpsetting_name]

This adds ICMP message types to the exception list.

Example 1 is a sample firewall section from the unattend.txt file as described in ref.chm. In the file, the number 1 is used to indicate that the feature is enabled.

Example 1. Sample firewall section from unattend.txt

    [WindowsFirewall]
    Profiles = WindowsFirewall.Domain, WindowsFirewall.Standard
    LogFile = %WINDIR%\Pfirewall.log
    LogSize = 4096
    LogDroppedPackets = 1
    LogConnections = 1

    [WindowsFirewall.Domain]
    Type = 3
    Mode = 1
    Exceptions = 1
    Notifications = 1
    MulticastBroadcastResponse = 1
    AllowedPrograms = WindowsFirewall.RemoteAssistance
    Services = WindowsFirewall.RemoteDesktop
    PortOpenings = WindowsFirewall.WebService
    IcmpSettings = WindowsFirewall.EchoRequest

    [WindowsFirewall.Standard]
    Type = 3
    Mode = 0

    [WindowsFirewall.RemoteAssistance]
    Program = "%WINDIR%\System32\Sessmgr.exe"
    Name = "Remote Assistance"
    Mode = 1
    Scope = 2
    Addresses = ",LocalSubnet"

    [WindowsFirewall.RemoteDesktop]
    Type = 2
    Mode = 1
    Scope = 2
    Addresses = ",LocalSubnet"

    [WindowsFirewall.WebService]
    Protocol = 6
    Port = 80
    Name = "Web Server (TCP 80)"
    Mode = 1
    Scope = 2
    Addresses = ",LocalSubnet"

    [WindowsFirewall.EchoRequest]
    Type = 8
    Mode = 1


2.2.1. Modifying firewall settings using the Control Panel

After service pack installation, the "Protect my computer and network by limiting or preventing access to this computer from the Internet" checkbox is removed from the Advanced tab of a network connection's Properties page. The Settings button remains, but it now launches the new Windows Firewall applet in the Control Panel. Members of the local Administrators group can configure general settings and exceptions by using this applet. Figure 9 shows the page launched from the Advanced tab, while Table 3 lists and describes the settings available on this page.

Figure 9. The Windows Firewall is turned on by default

Table 3. General firewall settings

| Setting | Description |
|---|---|
| On | The default. Enables the firewall. |
| Don't allow exceptions | When selected, all traffic (even that configured via exceptions) is not allowed. Use this checkbox to temporarily disable exceptions when using the computer in a more risky situation (for example, in a hotel room or at a public setting such as a conference or wireless hotspot). |
| Off (not recommended) | Disables the firewall. |

Click the Exceptions tab, as shown in Figure 10, to select or add programs that external clients are allowed to access. Selecting the program in the interface (or by using the Add Program button) asks the Windows Firewall to determine which ports should be opened.

By default, both File and Printer Sharing and Remote Assistance programs are enabled. Both of these programs may be necessary to allow remote administration. However, if they are not used for remote administration, disable them here by unchecking the box.

Selecting the Add Program button allows browsing to any executable on the local hard drive, as shown in Figure 11. The "Change scope..." button is used to restrict the computers that can access these local programs, as shown in Figure 12. You can also simply add a port filter using the "Add port" button, as shown in Figure 13.

Figure 10. The Windows Firewall can open the ports required by a program—you do not have to know which ports are required

Figure 11. Add programs by browsing the local drive

Settings configured by using the Windows Firewall applet are set for all network connections by default. Use the Advanced tab shown in Figure 10 to configure settings for individual network connections, to configure logging, ICMP, or to restore the default settings.

Figure 12. Restrict computers using the Change scope... button

Figure 13. If desired, a port exception can be added

Selecting an interface, clicking the Settings button, and choosing the Advanced tab provides you with options for configuring different services and ICMP settings for unique network interfaces, as shown in Figure 15.

2.2.2. Modifying alerting and notification using the registry

Three registry values can be used to control the alerting and notification feature. Each one represents one of the security tools. Add the DWORD values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center and set the value to 1 in order to suppress the alert and notification. The values are as follows:

  • AntiVirusDisableNotify

  • FirewallDisableNotify

  • UpdatesDisableNotify

2.2.3. Modifying firewall behavior using Group Policy

In an Active Directory domain, new Group Policy options can be used to manage the behavior of the Windows Firewall. Windows Server 2003 or Windows 2000 domain controllers can be configured to support the deployment of these options for Group Policy Objects (GPOs) linked to organizational units (OUs) that include computer accounts for updated Windows Server 2003 SP1 and/or Windows XP SP2 computers.

Figure 14. Use the Advanced page to complete firewall configuration

Figure 15. Use the Settings button to configure settings on a per network interface basis

To use the settings, install the service pack on a client computer joined to a test network domain. The service pack includes an updated system.adm file. After the post-service pack installation reboot, log on as an administrator on the updated system and either add the Group Policy Object Editor snap-in to an MMC console or open the Group Policy Management Console. Select a GPO on a DC in the test network domain of which the client computer is a member. Expand the console tree and browse to Computer Configuration → Administrative Templates → Network → Network Connections → Windows Firewall. The updated system.adm file on the client can be used to configure the Group Policy. However, to use the new settings, you must replace the system.adm file on all domain controllers with the updated one. You should test the use of these new settings in a test network before deploying on your production network. When satisfied, update all production GPOs that support updated clients.

Configure the policy. The first setting, shown in Figure 16, determines if authenticated IPSec traffic is excluded from the firewall's rule sets.

Figure 16. Determine if the policy for IPSec traffic should be implemented

Additional policy settings can be configured separately for standard or domain profiles. Figure 17 shows a list of policy settings.

Figure 17. Establish a policy for domain and standard profiles

Configure the setting for "Allow authenticated IPSec bypass" and then configure settings for both profiles. If "Allow authenticated IPSec bypass" is enabled, then the computer will not process IPSec-secured traffic from specified computers. IPSec-secured traffic is allowed by default. To enable this setting you must also add a Security Descriptor Definition Language (SDDL) string for the group accounts for the computers the policy should apply to. The string is added to the policy definition in the Group Policy properties. An SDDL string is of the form O:DAG:DAD(A;;RCGW;;;sid) where sid represents the Security Identifier (SID) of a group account. To obtain the SID, use the Windows Resource Kit tool Getsid.exe. Because Getsid is usually used to compare SIDs, you must enter the DC and group name twice. A sample command line that can be used to specify the DC DC1 and the group REDTeam is as follows:

    Getsid \\DC1 REDTeam \\DC1 REDTeam

Remember to establish settings for the appropriate profile (domain or standard). Profile settings are located underneath the Standard Profile and Domain Profile paths. The domain profile is used when the computer is connected to the domain, and the standard profile is used when it is not. If neither of the profiles is configured, their defaults are used. The pre-service pack setting "Prohibit use of Internet Connection Firewall on your DNS domain network" is still available for use in networks where some computers exist that have not been updated. Each profile includes the settings described in Table 4.

Table 4. Windows Firewall Group Policy settings

| Setting | Description | Ports opened | Microsoft recommendation |
|---|---|---|---|
| Protect all network connections | All connections will have the firewall enabled. | None | Enabled |
| Do not allow exceptions | All unsolicited traffic is dropped, even if exceptions are configured. If the setting "Protect all network connections" is not set, a local administrator can bypass the firewall entirely by disabling it. | None | Not configured |
| Define program exceptions | Defines allowed unsolicited traffic. The full path for the program must be identified. Variables such as %Program Files% can be used in the path statement. Windows Firewall only opens ports for these programs when they are running and listening for traffic. | Those defined | Configured for those applications allowed by policy |
| Allow local program exceptions | Enables local configuration of exceptions. | Those defined | Enabled |
| Allow remote administration exception | Enables remote administration using tools such as MMC consoles and Windows Management Instrumentation (WMI). If this setting is disabled, SVCHOST.EXE and LSASS.EXE are added to the programs exception list with a status of disabled. | TCP 135 and 445, as well as dynamically required RPC ports and incoming ICMP Echo Request messages | Disabled |
| Allow file and print sharing exception | Enables file and print traffic. | UDP 137, UDP 138, TCP 139, TCP 445, and incoming ICMP Echo messages | Enabled only if computers are file and print servers |
| Allow ICMP exceptions | Specifies ICMP traffic types that are allowed. | ICMP | Enabled for diagnostic or management purposes |
| Allow Remote Desktop exception | Opens ports for a Remote Desktop connection. | TCP 3389 | Enabled if remote desktop management is used |
| Allow UPnP framework exception | Enables unsolicited UPnP message traffic. | UDP 1900, TCP 2869 | Enabled if UPnP devices are used on the network |
| Prohibit notifications | Disables notification. When an application starts to listen on a port, the Windows Firewall adds the program to the exceptions list with a status of disabled and then notifies the user with a request to allow or disallow traffic to this port. | Those required by the program if this setting is not configured or disabled | Disabled |
| Allow logging | Configures the log file and enables logging of dropped traffic and successful connections. If enabled, the path to the log file must be selected or added and a maximum size must be specified. | N/A | Not configured |
| Prohibit unicast response to multicast or broadcast requests | If enabled, discard unicast packets received in response to multicast or broadcast request messages. By default (if disabled or not configured), these packets are allowed for three seconds following a multicast or broadcast message. Unicast messages that are a response to a DHCP broadcast message are not dropped if this setting is enabled. It can interfere with NetBIOS name conflict detection. NetBIOS name conflict detection can prevent the use of duplicate computer names on the network. | None | Disabled |
| Define port exceptions | Specifies exceptions using ports. The port number, type (TCP or UDP), and status (Enabled or Disabled) must be entered. Scope is optional. | Those defined | Enabled as required |
| Allow local port exceptions | Local configuration of port exceptions is allowed. | Those defined | Enabled if required |

If ports are explicitly opened to allow unsolicited traffic, setting an exception to explicitly disable them via program name will not prevent the program from running or block them from receiving traffic.

When configuring exceptions, take advantage of the scope setting. The scope setting allows you to specify computers from which this type of traffic is allowed. Always keep in mind that the firewall protects the computer from attacks that use specific ports. These same ports may be used by legitimate traffic. If you open these ports for legitimate traffic, you also open it for malicious traffic. You can limit the risk of compromise by specifying the computers from which traffic is accepted. This is not a foolproof solution, but it does limit your risk.

If you specify programs more than once and use conflicting scopes or status, then any system specified by any entry can send messages.

2.2.4. Modifying firewall behavior using Netsh

Netsh is a network configuration utility that can be used at the command line or in scripts. Syntax is defined in the whitepaper Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2. Netsh commands are available to configure the Windows Firewall and include the following:

Add allowedprogram

This adds program exceptions.

Set allowedprogram

This modifies the settings of an existing program exception.

Delete allowedprogram

This deletes a configured program exception.

Set icmpsetting

This specifies ICMP-accepted traffic.

Set multicastbroadcastresponse

This specifies whether a unicast response to a multicast or broadcast request is allowed.

Set notifications

This enables or disables notifications.

Set logging

This configures logging options.

Set opmode

This sets the mode to Enable, Disable, or "Do not allow exceptions."

Add portopening

This creates a port-based exception.

Set portopening

This modifies the settings of an existing port-based exception.

Delete portopening

This deletes a configured port-based exception.

Set service

This enables or disables the predefined file and printer sharing, remote administration, remote desktop, and UPnP exceptions.

Reset

This resets the configuration to the default.

Show

This is used to display the current configuration.

2.2.5. More modifications

Following are a few other changes to the firewall and its administration:

Don't allow exceptions operating mode

In addition to Enabled or Disabled, there is a new operating mode that prevents the addition of exceptions. If this mode is established, all incoming traffic is dropped, even if exceptions are configured.

Incoming traffic scoping

Ports may be statically opened for use from specific IP addresses only.

Using an Administration Tool with the Firewall Implemented

If the firewall is enabled, by default you will not be able to use the Resultant Set of Policy (RSoP) snap-in to determine the Group Policy status on a remote Windows XP client. If you wish to retain the ability to use RSoP remotely while keeping the Windows Firewall enabled, make the following changes to Group Policy:

On the local computer, enable the "Windows Firewall: Allow remote administration exception" Group Policy setting. This setting is located at Computer Configuration → Administrative Templates → Network → Network Connections → Windows Firewall → Domain Profile or Standard Profile.

To use the Group Policy Management Console (GPMC) on the administrative computers with the firewall enabled, upgrade to GPMC SP1. GPMC uses a callback on the administrative computer. The firewall blocks the callback mechanism of GPMC. To keep the firewall enabled on the administrative computer, upgrade to GPMC SP1 on a computer that does not use the callback mechanism.

To use RSoP, make these changes on the administrative computer:

  • Enable the "Windows Firewall: Define program exceptions" setting and enter the full path to unsecapp.exe. (By default, unsecapp.exe is located in the C:\Windows\System32\Wbem folder.)

  • Enable the "Windows Firewall: Define port exceptions" setting to open port 135, or enable the "Windows Firewall: Allow remote administration exception" Group Policy setting on the administrative computer.

Excepted traffic specified by program name

This allows traffic from programs determined by program name, such as File and Print Sharing or Remote Assistance. (Program exceptions can also be specified by port numbers.)

Support for IPv6

This offers built-in support for IPv6 traffic.

Global configuration settings

Firewall settings apply to all network connections. You do not have to reconfigure settings when multiple network connections are available on the same computer. (Settings can still be configured for individual connections, using scope settings.)

New application programming interfaces (APIs)

New APIs provide for more granular programmatic control. For information on these APIs and how to use them, study the Windows Firewall section of the Windows Software Development Kit.

IPSec Policy Aware

If IPSec policies are configured, the Windows Firewall opens UDP ports 500 and 4500 to allow Internet Key Exchange (IKE) traffic. 

2.3. Windows Server 2003 SP1

The Windows Server 2003 firewall will be updated by SP1 and will work in a similar fashion to the Windows Firewall post-Windows XP SP2, with the exception that the Windows Firewall is disabled by default on Windows Server 2003. Since the firewall is not enabled by default, if you wish to use the firewall, you must enable it and configure exceptions. If you do so, the server should be restarted to enable the operating system to automatically add entries to the exceptions list for ports opened by programs that are already installed.

Host-based firewalls can provide excellent protection for servers and workstations. They will do so only if they are enabled and configured. Major changes to the Windows Firewall for XP were made in Service Pack 2, and similar changes are expected for Windows Server Service Pack 1. These changes include increased configuration control, including new Group Policy and registry settings, scope configuration for settings, and, for Windows XP, the firewall is enabled by default. In addition to host-based firewalls, perimeter firewalls should be in place between trusted and untrusted networks. The RRAS firewall can provide rudimentary firewall services for this purpose. The RRAS firewall may not be appropriate in all situations. You should always consider your firewall requirements before selecting a firewall.
