Learn Windows XP in 15 Minutes a Week, Internet Connection Firewall

by Jason Zandri

The latest installment in our 'Learn Windows XP Professional in 15 Minutes a Week' series gives an overview of the Internet Connection Firewall and explains the basic configuration process.

Welcome to the 26th installment of "Learn Windows XP Professional in 15 Minutes a Week." This article will examine the Internet Connection Firewall in Windows XP Professional.

[NOTES FROM THE FIELD] -- The 70-270 exam requires that the test taker have an in-depth understanding of the Internet Connection Firewall.

The Windows XP Professional operating system (as well as Windows XP Home and Windows Server 2003, Standard Edition, and the 32-bit version of Windows Server 2003, Enterprise Edition) includes Internet Connection Firewall (sometimes referred to as ICF) as a feature of the base operating system. Internet Connection Firewall is a stateful firewall: rather than judging each packet in isolation, it keeps a record of the connections the protected system itself opens and uses that record, together with the source and destination IP addresses and port numbers of each packet it receives, to decide whether an inbound packet is the expected reply to something the system sent.

All inbound traffic from the Internet and other connected networks is compared against entries in the Internet Connection Firewall state table. Inbound traffic is allowed to reach the system only when a matching entry shows that the exchange originated from the protected system itself, or when the traffic is of a type that has been explicitly permitted to originate externally and reach the system. An example of the latter is an FTP client on the Internet connecting to an IIS FTP server on the firewalled system, which works only after the FTP service has been added to the firewall's list of allowed services.

An administrator can use Internet Connection Firewall to restrict the information communicated between the Internet and other connected networks. It is configured on a per-adapter basis. If a Windows XP Professional system is connected to the Internet via dial-up, the Internet Connection Firewall can be enabled only on the dial-up connection and left at its most restrictive setting, in which the only inbound traffic allowed through the dial-up adapter is the return traffic for connections the system itself originated. No traffic originating from the Internet can then pass through the dial-up adapter to the local system, or onward to other systems on any LAN the host is attached to. Leaving the Internet Connection Firewall DISABLED on the Ethernet network interface card (NIC) lets the system connect freely to other systems on the LAN via the NIC without any special additional configuration. If stateful inspection of packets arriving through the NIC is needed, as is the case when no dial-up adapter is used and the Internet is reached over a DSL or cable modem broadband connection attached to the NIC, you would enable and configure the appropriate Internet Connection Firewall settings on the NIC instead.
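The following is an added example, not Microsoft's code and not from the original article: a small Python model of a per-adapter stateful inbound filter that behaves the way the paragraphs above describe. It tracks the flows the protected host opens, admits inbound packets only when they answer a tracked flow or target a service explicitly opened on the Services tab, drops inbound ICMP echo requests by default (the ICMP tab behaviour covered later in the article), and passes everything on an adapter where the firewall is disabled. The addresses, port numbers and the `AdapterFirewall`/`Packet` names are constructed for the example; flow ageing, fragments and FTP data channels are deliberately left out.

```python
"""Toy model of a per-adapter stateful inbound filter in the spirit of ICF.

Added example, not Microsoft's implementation. Keeps a table of flows the
protected host opened and admits inbound packets only when they answer one
of those flows, hit a service explicitly opened on the Services tab, or
arrive on an adapter where the firewall is disabled. All addresses are
constructed for the example.
"""
from dataclasses import dataclass, field

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" (host -> network) or "in" (network -> host)
    proto: str            # "tcp", "udp" or "icmp"
    local_ip: str
    remote_ip: str
    local_port: int = 0   # TCP/UDP port on the host; ICMP echo identifier
    remote_port: int = 0  # TCP/UDP port on the peer; unused for ICMP
    tcp_syn_only: bool = False  # SYN set and ACK clear: a new TCP connection
    icmp_type: int = -1


@dataclass
class AdapterFirewall:
    name: str
    enabled: bool = True
    open_services: set = field(default_factory=set)  # {(proto, local_port)}
    allow_incoming_echo: bool = False                  # ICMP tab default: off
    _flows: set = field(default_factory=set, init=False, repr=False)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.local_ip, pkt.local_port, pkt.remote_ip, pkt.remote_port)

    def handle(self, pkt):
        """Return "ALLOW" or "DROP" for one packet, updating the flow table."""
        if not self.enabled:          # unfirewalled NIC: everything passes
            return "ALLOW"
        key = self._key(pkt)
        if pkt.direction == "out":
            # Remember what the host initiated so the answer can come back.
            if pkt.proto != "icmp" or pkt.icmp_type == ECHO_REQUEST:
                self._flows.add(key)
            return "ALLOW"
        if pkt.proto == "icmp":
            if pkt.icmp_type == ECHO_REPLY and key in self._flows:
                return "ALLOW"
            if pkt.icmp_type == ECHO_REQUEST and self.allow_incoming_echo:
                return "ALLOW"
            return "DROP"
        if key in self._flows:        # reply to a flow the host started
            return "ALLOW"
        if (pkt.proto, pkt.local_port) in self.open_services:
            if pkt.proto == "udp" or pkt.tcp_syn_only:
                self._flows.add(key)  # accept the rest of this connection too
                return "ALLOW"
        return "DROP"                 # unsolicited, or mid-stream TCP with no state


def demo():
    """Run the scenarios from the text and return each verdict by label."""
    host, web, attacker, lan_peer = "192.0.2.10", "198.51.100.80", "203.0.113.66", "192.168.1.5"
    dialup = AdapterFirewall("Prodigy dial-up", open_services={("tcp", 21)})
    nic = AdapterFirewall("Local Area Connection", enabled=False)
    v = {}
    # Host browses a web site; the SYN/ACK comes back on the tracked flow.
    v["web_out"] = dialup.handle(Packet("out", "tcp", host, web, 3201, 80, tcp_syn_only=True))
    v["web_reply"] = dialup.handle(Packet("in", "tcp", host, web, 3201, 80))
    # Unsolicited SYN to the NetBIOS session port is dropped ...
    v["smb_probe"] = dialup.handle(Packet("in", "tcp", host, attacker, 139, 4444, tcp_syn_only=True))
    # ... and so is a forged "reply" that matches no tracked flow.
    v["forged_ack"] = dialup.handle(Packet("in", "tcp", host, attacker, 3201, 80))
    # The FTP control port was added on the Services tab, so it is reachable.
    v["ftp_in"] = dialup.handle(Packet("in", "tcp", host, attacker, 21, 40000, tcp_syn_only=True))
    # Ping from the Internet: dropped by the ICMP tab defaults.
    v["ping_in"] = dialup.handle(Packet("in", "icmp", host, attacker, icmp_type=ECHO_REQUEST))
    # Ping out: the matching echo reply is allowed back in.
    dialup.handle(Packet("out", "icmp", host, web, local_port=77, icmp_type=ECHO_REQUEST))
    v["ping_reply"] = dialup.handle(Packet("in", "icmp", host, web, local_port=77, icmp_type=ECHO_REPLY))
    # The same probe on the unfirewalled NIC passes: the LAN trade-off in the text.
    v["lan_probe"] = nic.handle(Packet("in", "tcp", host, lan_peer, 139, 4444, tcp_syn_only=True))
    return v


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12s} {verdict}")
```

The forged-ACK case is the point of "stateful": a packet that looks like a reply is still dropped when no tracked outbound flow matches its full address tuple. The `lan_probe` case shows the trade-off the text describes for a disabled NIC: the same NetBIOS probe that the dial-up adapter drops sails through.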

[NOTES FROM THE FIELD] -- The next section outlines how to enable the Internet Connection Firewall by starting from the Control Panel. The example will use the Classic view of the Control Panel. For those uncomfortable using this view, we recommend following the steps outlined on the Microsoft Web article Use the Internet Connection Firewall, which uses the Category view.

To select the specific network connection on which to enable the Internet Connection Firewall, go to the Control Panel and open Network Connections. A list of the available network connections will appear, depending on which adapters are installed on the system.

[NOTES FROM THE FIELD] -- You might notice some of the enabled LAN or high-speed Internet connections are already firewalled; these are shown with the little lock in the upper-right-hand corner of the icon. Those without the lock are not firewalled via the Internet Connection Firewall. (The system itself may be firewalled via a hardware device, such as a Linksys router, but not by the Internet Connection Firewall software itself.)

Essentially, this means an externally originated connection to the system could be established while the user is dialed into the Internet via, for example, the Prodigy dial-up connection, because that connection is not firewalled and nothing on the host prevents such a connection attempt.

However, if the user is connected to the Internet via Local Area Connection 3, in which a NIC connection is made via a DSL modem, an inbound externally originating connection cannot be made to the system.

To secure the system in a similar manner for dial-up users connecting to the Internet, you must enable the Internet Connection Firewall as shown in the upcoming steps.

The walkthrough that follows explains how to enable the Internet Connection Firewall on a dial-up connection. To begin, select the connection, right-click it, choose Properties, and go to the Advanced tab as shown below.

Select the "Protect my computer and network by limiting or preventing access to this computer from the Internet" check-box in the Internet Connection Firewall section.

To use the default settings (which are usually secure and require limited tuning in a home environment), simply hit OK to allow them to take effect.

[NOTES FROM THE FIELD] -- The captioning in the Internet Connection Firewall section is somewhat misleading. Enabling the "Protect my computer and network by limiting or preventing access to this computer from the Internet" check-box protects the system from incoming traffic on that network device, whether or not that traffic comes from the Internet. If the check-box is enabled on the Local Area Connection for your NIC and you are connected to a LAN only, you are "protecting" your system by limiting or preventing access to it from the LAN itself.

To enable additional settings, select the Settings button in the bottom right-hand corner of the Advanced tab.

This will bring up the Advanced settings property pages as shown below.

To enable standard services on the firewalled XP system, check the box next to each service that must be reachable from outside. Each checked entry opens the corresponding inbound port through the Internet Connection Firewall filter, so check only the services the system actually hosts.

To edit these services, choose the Edit button. If the local system hosts a service that is not in the list and must accept inbound connections, select the Add button to display the service settings window shown below.

This window lets you enter a description for the custom service hosted on the system, the name (or IP address) of the local system, and the TCP or UDP port number that must be allowed through for the service to work. Open only the port the service actually listens on, and remove the entry once the service is no longer hosted.

On the Security Logging tab of the Advanced Settings property page you can set your logging options to log dropped packets (connection attempts that were refused) and to log successful connections made to the system. You can log neither, either, or both.

[NOTES FROM THE FIELD] -- The default location for the log file is the Windows installation directory, C:\Windows on a default installation. The file is named pfirewall.log; both the default path and file name can be changed, and doing so is a sensible practice. The log is a plain-text file in W3C extended log format whose #Fields header line names the columns. The default maximum size of the log is 4 MB, which should be increased if it is to record all of the successful and failed connection attempts, since a log that has filled up cannot hold the history you will need when investigating an incident.

Another point to bear in mind is that all of the detailed logging in the world is of no use if the log is not reviewed on a regular basis.
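As an added example of what that regular review can look like (this is not part of the original article and not a Microsoft tool), the Python script below reads a pfirewall.log, takes the column names from the #Fields header rather than hard-coding them, summarises dropped packets by source address and target port, flags sources that probed several distinct ports, and lists inbound connections the firewall accepted. The log lines embedded in `SAMPLE_LOG` are constructed for the example: they follow the W3C extended layout the real file announces in its header, with the action keywords DROP, OPEN and CLOSE as used in Windows firewall logs, and all addresses are documentation ranges. The `review`, `parse_log`, `summarize_drops` and `accepted_inbound` names are the example's own.

```python
"""Review a pfirewall.log: summarise drops, flag port-scanning sources, and
list inbound connections the firewall accepted.

Added example, not part of the original article. The log text below is
constructed; a real review would read the file named on the Security
Logging tab (pass its path on the command line).
"""
from collections import Counter, defaultdict

# Constructed sample in the W3C extended layout the real log announces.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-01-08 09:12:01 DROP TCP 203.0.113.66 192.0.2.10 4444 135 48 S 1234567 0 65535 - - -
2004-01-08 09:12:01 DROP TCP 203.0.113.66 192.0.2.10 4445 139 48 S 1234568 0 65535 - - -
2004-01-08 09:12:02 DROP TCP 203.0.113.66 192.0.2.10 4446 445 48 S 1234569 0 65535 - - -
2004-01-08 09:12:02 DROP TCP 203.0.113.66 192.0.2.10 4447 1433 48 S 1234570 0 65535 - - -
2004-01-08 09:12:05 DROP UDP 198.51.100.9 192.0.2.10 1026 137 78 - - - - - - -
2004-01-08 09:12:09 DROP ICMP 198.51.100.9 192.0.2.10 - - 60 - - - - 8 0 -
2004-01-08 09:13:40 OPEN TCP 192.0.2.10 198.51.100.80 3201 80 - - - - - - - -
2004-01-08 09:13:41 CLOSE TCP 192.0.2.10 198.51.100.80 3201 80 - - - - - - - -
2004-01-08 09:15:12 OPEN TCP 198.51.100.23 192.0.2.10 40000 21 - - - - - - - -
"""


def parse_log(text):
    """Turn log text into a list of dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]     # column names come from the file itself
            continue
        if line.startswith("#"):          # other header lines
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):     # truncated or mangled line: skip, don't crash
            continue
        records.append(dict(zip(fields, parts)))
    return records


def summarize_drops(records, scan_threshold=3):
    """Count drops by source and target port; a source that hit scan_threshold
    or more distinct (protocol, port) pairs is reported as a probable scanner."""
    drops = [r for r in records if r["action"] == "DROP"]
    by_src = Counter(r["src-ip"] for r in drops)
    by_port = Counter((r["protocol"], r["dst-port"]) for r in drops)
    targets = defaultdict(set)
    for r in drops:
        targets[r["src-ip"]].add((r["protocol"], r["dst-port"]))
    scanners = sorted(ip for ip, ports in targets.items() if len(ports) >= scan_threshold)
    return {"drops": len(drops), "by_src": by_src, "by_port": by_port, "scanners": scanners}


def accepted_inbound(records, local_ip):
    """Connections the firewall let in (OPEN with our address as destination).
    Anything here that is not an intentionally published service is a finding."""
    return [(r["src-ip"], r["protocol"], r["dst-port"])
            for r in records if r["action"] == "OPEN" and r["dst-ip"] == local_ip]


def review(text, local_ip):
    """Full report for one log file and the address of the firewalled host."""
    records = parse_log(text)
    report = summarize_drops(records)
    report["accepted_inbound"] = accepted_inbound(records, local_ip)
    return report


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    r = review(text, "192.0.2.10")
    print(f"{r['drops']} dropped packets; probable scanners: {r['scanners']}")
    for ip, n in r["by_src"].most_common(5):
        print(f"  {ip:15s} {n} drops")
    for src, proto, port in r["accepted_inbound"]:
        print(f"  accepted inbound {proto}/{port} from {src}")
```

On the sample, the four TCP SYNs from one address to 135, 139, 445 and 1433 within two seconds are reported as a scan, while the single NetBIOS name-service datagram and ping from another address are not. The accepted inbound connection to port 21 is only acceptable if FTP was deliberately added on the Services tab; if it was not, that line is exactly the kind of entry a regular review is meant to catch.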

On the ICMP tab of the Advanced Settings property page you can set how your system will and will not respond to Internet Control Message Protocol packets. The default settings, shown below, leave every option cleared, so the system responds to nothing sent to it via ICMP, including echo (ping) requests.

Once you have completed all of the configurations and selected OK on the last property page, the connection will be firewalled and will show up with the lock symbol, as is apparent on the Prodigy dial-up connection below.

That wraps up this installment of "Learn Windows XP Professional in 15 Minutes a Week." As always, if you have any questions, comments, or even constructive criticism, feel free to drop me a note. I want to write solid technical articles that appeal to a wide range of readers and skill levels, and it is only through your feedback that I can be sure I am doing that.

Until next time, best of luck in your studies and remember:

"Any computer system connected to any network is subject to potential compromise."

This article was originally published on Thursday Jan 8th 2004