Windows XP and 2003 Firewall steps

This group of steps allows you to define the firewall settings for Windows XP SP2 (32-bit), Windows XP SP1 (64-bit), Windows 2003 SP1 (32- or 64-bit) and Windows 2003 R2 (32-bit).

Add or Edit a Firewall Rule

This step allows you to add new rules (exceptions) to the Windows Firewall or to modify existing ones. Editing a program exception allows you to change the path or file name associated with the program and to configure the scope settings of the exception.

Parameter

Description

Application Name

Specifies the friendly name for the exception, which is displayed in the graphical user interface. This may be any string of fewer than 256 characters.

Address Range

Specifies one or more IPv4 addresses or IPv4 address ranges separated by commas (with no spaces). When you use a dotted-decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example of a custom list: 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

Application Path

Specifies the absolute path to the executable (.exe) file used by the program or system service. You may use system variables to specify the location of the program on the target device.

Profile

Defines whether the Windows Firewall settings are to be configured in the standard profile or the domain profile:

  • Domain Profile: Used when the computer is connected to a network in which its domain account resides.
  • Standard Profile: Used when the computer is connected to a network in which its domain account does not reside, such as a public network or the Internet.
  • All: Applies the setting to both profiles.

Scope

Select whether this application may communicate with any source (*), which could include any device on the Internet, or with your local network only (Local Subnet), which limits communication to devices on your local subnet.

Status

Select the status value to apply to the application exception.

Add or Edit an Open Port

You can configure the Windows Firewall to block all outside sources from connecting to the device, or you can open selected ports and mappings to allow specific services that you trust. This step allows you to add (open) a port or to modify an already open port of the Windows Firewall.

Windows Firewall allows you to open ports either to traffic from addresses on your local subnet only, or globally to traffic from any network location, local or on the Internet. The local setting is useful for allowing file and printer sharing and other local networking services. When you configure ports, you specify the port number and protocol, and can then selectively turn that port setting on or off.

When you add a port to the exceptions list, you must specify the protocol (TCP or UDP) and the port number. You cannot specify protocols other than TCP or UDP, and you cannot add a port number without specifying either TCP or UDP. (For example, you cannot exclude traffic based on protocol alone.) When you add a TCP or UDP port to the exceptions list, the port is open (unblocked) whenever Windows Firewall is running, regardless of whether a program or system service is listening for incoming traffic on that port. For this reason, if you need to allow unsolicited incoming traffic through Windows Firewall, you should create a program exception instead of a port exception. When you add a program to the exceptions list, Windows Firewall dynamically opens and closes the ports the program requires: while the program is running and listening for incoming traffic, Windows Firewall opens the required ports; when the program is not running or is not listening, Windows Firewall closes them.

Parameter

Description

Name

Enter the name of the service or program that is to be allowed to communicate through the port. This is the user-friendly name that appears in the exceptions list in the graphical user interface; it may be any string of fewer than 256 characters.

Address Range

Specifies one or more IPv4 addresses or IPv4 address ranges separated by commas (with no spaces). When you use a dotted-decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example of a custom list: 10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24. If you define values for this parameter, the Scope parameter is ignored.

Port Number

Enter the port number of the program or service. To find the port number, consult the documentation of the program or service you want to use. Adding this port means the port is always open: unsolicited incoming traffic is always allowed through it unless you uncheck the Allow Exceptions option when changing the firewall settings with the Change Firewall Status step.

Profile

Defines whether the Windows Firewall settings are to be configured in the standard profile or the domain profile:

  • Domain Profile: Used when the computer is connected to a network in which its domain account resides.
  • Standard Profile: Used when the computer is connected to a network in which its domain account does not reside, such as a public network or the Internet.
  • All: Applies the setting to both profiles.

Protocol

Select from the drop-down list the protocol, TCP or UDP, that is to be allowed through the port.

Scope

Select whether to open this port for any source, which could include any computer on the Internet, or for the local network only, which limits the open port to computers on your local network. There are two scope options:

  • *: Any computer, including those on the Internet.
  • Local Subnet: Allows traffic only from IPv4 or IPv6 addresses that can be reached directly by your computer.

Status

Select the status value to apply to the port exception.
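The following Python model is an added illustration, not the product's or Microsoft's code. It encodes the behaviour this section describes: the Address Range syntax and its precedence over Scope, the Allow Exceptions switch, and the difference between a port exception (open whether or not anything listens) and a program exception (open only while the program listens). The sample rules, program path and the 10.47.81.0/24 local subnet are constructed values.

```python
import ipaddress
from dataclasses import dataclass

def parse_address_range(spec):
    """Parse the Address Range syntax: comma-separated items, no spaces, each an
    IPv4 host, an address with a dotted-decimal mask, or an address with a prefix length."""
    if " " in spec:
        raise ValueError("address list must not contain spaces")
    # strict=False lets a host inside the range stand for its network (10.47.81.231/24);
    # IPv4Network accepts both the 10.7.14.9/255.255.255.0 and the 172.16.31.11/24 forms
    return [ipaddress.IPv4Network(item, strict=False) for item in spec.split(",")]

@dataclass
class Rule:
    kind: str                 # "port" or "program" exception
    protocol: str = "TCP"     # TCP or UDP only, as the page states
    port: int = 0             # port exception: the opened port
    program: str = ""         # program exception: absolute path of the .exe
    enabled: bool = True      # the Status parameter
    scope: str = "*"          # "*" (any source) or "Local Subnet"
    addresses: str = ""       # Address Range; when set, Scope is ignored
    profile: str = "All"      # "Domain", "Standard" or "All"

# Constructed sample policy: RDP open to the local subnet only, plus a domain-only program exception
SAMPLE_RULES = [Rule("port", port=3389, scope="Local Subnet"),
                Rule("program", program=r"C:\Program Files\App\app.exe", profile="Domain")]

def source_allowed(rule, src, local_subnet):
    """Apply the rule's Address Range if given, otherwise its Scope, to a source address."""
    ip = ipaddress.IPv4Address(src)
    if rule.addresses:
        return any(ip in net for net in parse_address_range(rule.addresses))
    if rule.scope == "Local Subnet":
        return ip in ipaddress.IPv4Network(local_subnet)
    return True

def accepts(fw_on, allow_exceptions, rules, profile, proto, port, src, listeners, local_subnet):
    """Decide whether unsolicited inbound traffic passes; `listeners` maps (protocol, port)
    to the path of the program currently listening on that port."""
    if not fw_on:
        return True               # firewall disabled: nothing is filtered
    if not allow_exceptions:
        return False              # every unsolicited inbound packet dropped, listed or not
    for r in rules:
        if not r.enabled or r.profile not in ("All", profile):
            continue              # disabled rule, or rule bound to the other profile
        if not source_allowed(r, src, local_subnet):
            continue
        if r.kind == "port" and (r.protocol, r.port) == (proto, port):
            return True           # port exception: open whether or not anything listens
        if r.kind == "program" and listeners.get((proto, port)) == r.program:
            return True           # program exception: open only while the program listens
    return False
```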

Change Firewall Status

This step allows you to change the status of the Windows Firewall, i.e., to enable or disable it.

Parameter

Description

Allow Exceptions

Check this box so that the entries in the exceptions list take effect: Windows Firewall is turned on and unsolicited incoming traffic permitted by an exception is accepted. Leave the box unchecked to drop all unsolicited incoming traffic, including traffic matching entries in the exceptions list; this is useful when you are connected to a public network, such as the Internet, or to a non-secure private network. When you perform this procedure with the box checked, all of the exceptions in the exceptions list are enabled.

Allow Notifications

When allowing notifications, Windows Firewall displays a Windows Security Alert dialog box (referred to as a notification) when a program attempts to listen for unsolicited incoming traffic. If you are a member of the Administrators group on the computer, the notification gives you the ability to add the program to the exceptions list. If you are not a member of the Administrators group on the computer, the notification informs you that a program attempted to listen for incoming traffic but was blocked.

Profile

Defines whether the Windows Firewall settings are to be configured in the standard profile or the domain profile:

  • Domain Profile: Used when the computer is connected to a network in which its domain account resides.
  • Standard Profile: Used when the computer is connected to a network in which its domain account does not reside, such as a public network or the Internet.
  • All: Applies the setting to both profiles.

Status

Select whether the Windows Firewall is to be enabled or disabled.

Configure ICMP Settings

This step configures the ICMP settings of Windows Firewall. In Windows Firewall, the ICMP settings are off by default. This means that no incoming or outgoing ICMP communications are allowed.

This protects the device against attacks such as cascading ping floods. ICMP is also used for network discovery and mapping, and allows computers on a network to share error and status information. You should also enable these settings if your organization uses the ping or tracert commands for troubleshooting. Usually, you configure these settings only once or on an as-needed basis.

Parameter

Description

Allow Incoming Echo Request

Check this box if messages sent to this computer are to be echoed back to the sender. This is commonly used for troubleshooting, for example, to ping a machine. If disabled, commands that use the ICMP Echo message, such as ping or tracert, do not work.

Allow Incoming Mask Request

Check this option if the device is to listen for and respond to requests for more information about the public network to which it is attached.

Allow Incoming Router Request

Check this option if the device is to respond to requests for information about the routes it recognizes.

Allow Incoming Timestamp Request

Check this option if data sent to this device can be acknowledged with a confirmation message indicating the time that the data was received.

Allow Outgoing Destination Unreachable

Data sent over the Internet that fails to reach this computer due to an error is discarded and acknowledged with a "destination unreachable" message explaining the failure. If you are running network management software that uses ICMP Destination Unreachable messages, you need to enable this option.

Allow Outgoing Packet Too Big

Corresponds to ICMPv6 Type 2 (Packet Too Big) messages.

Allow Outgoing Parameter Problem

Check this option if a device is to reply to the sender with a "bad header" error message when it discards data it has received due to a problematic header.

Allow Outgoing Source Quench

Check this option if the device is to drop data and to ask the sender to slow down when its ability to process incoming data cannot keep up with the rate of a transmission.

Allow Outgoing Time Exceeded

Check this option if the device is to reply to the sender with a "time expired" message when it discards an incomplete data transmission because the entire transmission required more time than allowed.

Allow Redirect

Check this option if data sent from the device is to be rerouted when the default path changes.

Profile

Defines whether the Windows Firewall settings are to be configured in the standard profile or the domain profile:

  • Domain Profile: Used when the computer is connected to a network in which its domain account resides.
  • Standard Profile: Used when the computer is connected to a network in which its domain account does not reside, such as a public network or the Internet.
  • All: Applies the setting to both profiles.

Delete Firewall Rules

Deleting a program exception (rule) removes the exception from the exceptions list and prevents the program from receiving unsolicited incoming traffic (unless a port exception or some other exception allows unsolicited incoming traffic to reach the program).

Parameter

Description

Application Path

Specifies the absolute path to the executable (.exe) file used by the program or system service. You may use system variables to specify the location of the program on the target device.

Profile

Specifies whether the rule is currently applied to a specific profile, the domain or the standard profile, or to all profiles.

Delete Open Port

Deleting a port exception closes (blocks) the port and prevents the port from receiving unsolicited traffic (unless another port exception or some other exception allows unsolicited incoming traffic to reach the program).

Parameter

Description

Port Number

Enter the port number to be removed from the list of exceptions.

Profile

Defines whether the Windows Firewall settings are to be configured in the standard profile or the domain profile:

  • Domain Profile: Used when the computer is connected to a network in which its domain account resides.
  • Standard Profile: Used when the computer is connected to a network in which its domain account does not reside, such as a public network or the Internet.
  • All: Applies the setting to both profiles.

Protocol

Select the protocol, either TCP or UDP, for which the port was defined.

Firewall Settings Inventory

This step gets the Windows Firewall settings and stores them in the custom inventory.

Parameter

Description

Authorized Applications

Defines whether the list of application exceptions is included in the inventory.

Firewall Status

Uncheck this box if the status of Windows Firewall is not to be included in the custom inventory.

ICMP Settings

Clear this option if you are not using ICMP settings or do not want to include them in the custom inventory.

Open Ports

Clear this option if the open ports on the list of exceptions are not to be included in the inventory.

Profile

Defines whether the values are to be included for all profiles or only for a specific profile, that is, the domain or the standard profile.

Restore Backup Settings

This step restores the Windows Firewall settings to the backup settings created by the Setting Backup step.

Parameter

Description

Backup Path

Enter the path to the directory in which the backup to be restored is located.

Restore Default Settings

This step restores all default settings of the Windows firewall.

No parameters need to be defined for this step.

Setting Backup

This step creates a backup of the current settings of the Windows Firewall in a specified directory.

Parameter

Description

Backup Path

The relative or absolute path, including the file name, in which the backup is to be created.
