How to configure Firewall in XPE SP2?

Hi All:

Windows XP Embedded SP2 is coming, and one of the major features that has changed is Windows Firewall. The firewall is enabled by default in SP2, so you will need to open the ports used by your applications. Here is how you can configure Windows Firewall in XPE SP2:

To configure the firewall pre-FBA (offline) you can do one of the following:

1. In your Target Designer (TD) configuration, go to the "Windows Firewall/Internet Connection Sharing (ICS)" component and modify its settings.

2. If you have already built the image and want to change firewall options without rebuilding it, you can do one of the following:

                A) You can edit the firewall configuration information file (netfw.inf). This file is located in your image folder under the "windows\inf" directory.

This file has two sections, one per firewall profile. Which profile is in effect is decided by the network the device is connected to, not by which account is logged on:

[ICF.AddReg.DomainProfile] - settings under this section apply when the device is connected to a network on which its domain controller can be reached (domain firewall policy)

[ICF.AddReg.StandardProfile] - settings under this section apply on any other network (a stand-alone or workgroup device, or a domain member away from its domain)

The following settings are available under each of the above sections (the value shown for each setting is the default value; the DomainProfile section uses the same value names under the ...\FirewallPolicy\DomainProfile key):

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1

- EnableFirewall = Enable Firewall? Values: 0 = Firewall Off, 1= Firewall On (default)

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0

- DoNotAllowExceptions = Don't allow any exceptions? Values: 0 = allow exceptions (default), 1 = no exceptions (all unsolicited inbound traffic is blocked, regardless of the application and port lists below)

NOTE:

- If you want to turn on the firewall w/o any exceptions, set EnableFirewall = 1 and DoNotAllowExceptions = 1

- If you want to turn on the firewall with exceptions, set EnableFirewall = 1 and DoNotAllowExceptions = 0

- If you want to turn off the firewall, set EnableFirewall = 0. (The value you set for DoNotAllowExceptions does not matter until the firewall is turned on at runtime; at that point the starting value for exceptions will be the one you set with DoNotAllowExceptions.)

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,0

- DisableNotifications = Disable Firewall Notifications when a program is blocked? Values: 0 = Notify when a program is blocked (default), 1=DON’T notify when a program is blocked.

All ICMP settings are found under the IcmpSettings subkey (the default is to NOT allow any ICMP requests).

For example:

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings","AllowInboundTimeStampRequest",0x00010001,0

- AllowInboundTimeStampRequest = Allow incoming timestamp requests? Values: 0 = No (default), 1 = Yes

List of Authorized Applications:

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000, "%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"

The last part of the entry is formatted as:

"%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"

(Path to program executable):(Scope - LocalSubnet, or * for any source):(Enabled/Disabled):(Program Name)

There is only one application that is authorized by default: Remote Assistance (sessmgr.exe). You can, however, add more entries here. Here is an example of how you would add your application, myapp.exe, to the authorized application list and enable it for the local subnet only. The value is a single colon-separated string, so do not put spaces around the colons.

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","C:\Program Files\Applications\myapp.exe",0x00000000,"C:\Program Files\Applications\myapp.exe:LocalSubnet:Enabled:My Application"

List of Port Openings:

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List", "137:UDP" ,0x00000000, "137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"

The last part of this entry is formatted as:

"137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"

(Port Number (1-65535)):(Protocol (UDP/TCP)):(Scope (LocalSubnet/*)):(Enabled/Disabled):(Port Name)

Port openings can be added either as enabled or disabled. If a port opening entry is disabled, that port stays blocked by the firewall until the entry is enabled at runtime. There are 7 port opening entries by default and all of them are disabled. You can edit those entries to enable some port opening(s), or you can add new entries. For example, you can edit the above entry to open the port to any source:

HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List", "137:UDP" ,0x00000000, "137:UDP:*:Enabled:NetBIOS Name Service"

                B) Alternatively, you can open regedit and load the system hive from the image folder (windows\system32\config\system.sav). Go to one of the following subtrees under the loaded hive:

CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Or

CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

Add, edit or delete the registry values according to the settings explained above in (A). All ICMP related settings are under the "IcmpSettings" subkey, all authorized application entries under the "AuthorizedApplications\List" subkey, and all port opening entries under the "GloballyOpenPorts\List" subkey. Unload the hive when you are done so the changes are written back to the image.

To configure the firewall post-FBA you can do one of the following:

  1. If you added the "Windows Firewall Control Panel" component to the configuration, you can run firewall.cpl to change all firewall related settings.
  2. If you don't have Control Panel access but your runtime has the netsh shell, you can use it to change firewall settings.

Using netsh:

        netsh>firewall

        netsh firewall>show state (to check the current status of the firewall; show config lists all current settings)

        netsh firewall>set opmode mode=ENABLE|DISABLE exceptions=ENABLE|DISABLE

Where mode is the state of the firewall (ENABLE = on, DISABLE = off) and exceptions is whether you want to allow exceptions (ENABLE = allow exceptions, DISABLE = don't allow exceptions). You can also specify a profile (profile=DOMAIN|STANDARD|ALL; without it the current profile is changed) and/or an interface. Use the netsh help (for example "set opmode ?") for details.

        netsh firewall>set notifications mode=ENABLE|DISABLE

ENABLE = notify when a program is blocked, DISABLE = do not notify when a program is blocked

You can also change ICMP settings, authorize applications, enable the predefined service exceptions and create port openings using the following netsh commands. Each takes the same optional profile= parameter as set opmode.

        netsh firewall>set icmpsetting type=<ICMP type> mode=ENABLE|DISABLE (to change ICMP settings; for example type=8 for inbound echo request)

        netsh firewall>set allowedprogram program=<path to exe> name=<display name> mode=ENABLE|DISABLE scope=ALL|SUBNET (to add an authorized application)

        netsh firewall>set service type=FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL mode=ENABLE|DISABLE (to enable one of the predefined service exceptions, not arbitrary applications)

        netsh firewall>set portopening protocol=TCP|UDP port=<1-65535> name=<display name> mode=ENABLE|DISABLE scope=ALL|SUBNET (to create a port opening)

  3. If you have access to regedit in the runtime, edit the related registry keys directly as explained above.
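The pre-FBA netfw.inf entries and the post-FBA netsh commands above describe the same policy in two notations. The following is an added example, not code from the original post or from the XPE product, that models one StandardProfile policy (firewall on, exceptions allowed, ping blocked, one application limited to the local subnet, one port open to any source) and emits it both as [ICF.AddReg.StandardProfile] AddReg lines and as the equivalent netsh firewall commands. It also parses the colon-separated entry strings and rejects the common hand-editing mistakes (spaces around the colons, a port outside 1-65535, an unknown scope or state). The application path, port number and display names are made up for illustration; the scope check is limited to the two values the post documents, LocalSubnet and *.

```python
"""Emit one XP SP2 Windows Firewall StandardProfile policy as netfw.inf
AddReg lines (pre-FBA) and as netsh firewall commands (post-FBA)."""
from dataclasses import dataclass, field

FW_KEY = r"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SCOPES = {"*": "ALL", "LocalSubnet": "SUBNET"}       # registry scope -> netsh scope
STATES = {"Enabled": "ENABLE", "Disabled": "DISABLE"}  # registry state -> netsh mode
PROTOCOLS = ("TCP", "UDP")


@dataclass
class AppEntry:
    path: str
    scope: str
    state: str
    name: str

    def registry_string(self) -> str:
        return f"{self.path}:{self.scope}:{self.state}:{self.name}"


@dataclass
class PortEntry:
    port: int
    protocol: str
    scope: str
    state: str
    name: str

    def registry_string(self) -> str:
        return f"{self.port}:{self.protocol}:{self.scope}:{self.state}:{self.name}"


def _check(scope: str, state: str) -> None:
    # Fields are compared literally: " LocalSubnet" with a leading space is not a scope.
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}: expected one of {list(SCOPES)}")
    if state not in STATES:
        raise ValueError(f"bad state {state!r}: expected Enabled or Disabled")


def parse_app_entry(value: str) -> AppEntry:
    """Parse 'path:scope:state:name'. The path holds a drive-letter colon, so the
    string is split from the right; the display name must not contain a colon."""
    try:
        path, scope, state, name = value.rsplit(":", 3)
    except ValueError:
        raise ValueError(f"expected 4 colon-separated fields: {value!r}") from None
    _check(scope, state)
    return AppEntry(path, scope, state, name)


def parse_port_entry(value: str) -> PortEntry:
    """Parse 'port:protocol:scope:state:name' and range-check the port."""
    try:
        port, protocol, scope, state, name = value.split(":", 4)
    except ValueError:
        raise ValueError(f"expected 5 colon-separated fields: {value!r}") from None
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range 1-65535: {port!r}")
    if protocol.upper() not in PROTOCOLS:
        raise ValueError(f"protocol must be TCP or UDP: {protocol!r}")
    _check(scope, state)
    return PortEntry(int(port), protocol.upper(), scope, state, name)


@dataclass
class Policy:
    enable_firewall: bool = True
    allow_exceptions: bool = True
    notify_on_block: bool = True
    allow_inbound_echo: bool = False  # ICMP type 8 (ping); other ICMP types left at default
    apps: list = field(default_factory=list)
    ports: list = field(default_factory=list)


def to_inf(p: Policy) -> list:
    """AddReg lines for the [ICF.AddReg.StandardProfile] section of netfw.inf."""
    prof = f"{FW_KEY}\\StandardProfile"

    def dword(key, name, value):
        return f'HKLM,"{key}","{name}",0x00010001,{int(value)}'

    lines = [
        dword(prof, "EnableFirewall", p.enable_firewall),
        dword(prof, "DoNotAllowExceptions", not p.allow_exceptions),
        dword(prof, "DisableNotifications", not p.notify_on_block),
        dword(prof + "\\IcmpSettings", "AllowInboundEchoRequest", p.allow_inbound_echo),
    ]
    for a in p.apps:
        lines.append(f'HKLM,"{prof}\\AuthorizedApplications\\List","{a.path}",0x00000000,"{a.registry_string()}"')
    for o in p.ports:
        lines.append(f'HKLM,"{prof}\\GloballyOpenPorts\\List","{o.port}:{o.protocol}",0x00000000,"{o.registry_string()}"')
    return lines


def to_netsh(p: Policy) -> list:
    """The same policy as post-FBA netsh commands, pinned to the standard profile."""
    def on(flag):
        return "ENABLE" if flag else "DISABLE"

    cmds = [
        f"netsh firewall set opmode mode={on(p.enable_firewall)} exceptions={on(p.allow_exceptions)} profile=STANDARD",
        f"netsh firewall set notifications mode={on(p.notify_on_block)} profile=STANDARD",
        f"netsh firewall set icmpsetting type=8 mode={on(p.allow_inbound_echo)} profile=STANDARD",
    ]
    for a in p.apps:
        cmds.append(f'netsh firewall set allowedprogram program="{a.path}" name="{a.name}" '
                    f"mode={STATES[a.state]} scope={SCOPES[a.scope]} profile=STANDARD")
    for o in p.ports:
        cmds.append(f'netsh firewall set portopening protocol={o.protocol} port={o.port} name="{o.name}" '
                    f"mode={STATES[o.state]} scope={SCOPES[o.scope]} profile=STANDARD")
    return cmds


def example_policy() -> Policy:
    # Constructed sample: myapp.exe reachable from the local subnet only, TCP 8080 open to any source.
    return Policy(
        apps=[parse_app_entry(r"C:\Program Files\Applications\myapp.exe:LocalSubnet:Enabled:My Application")],
        ports=[parse_port_entry("8080:TCP:*:Enabled:My Application HTTP")],
    )


if __name__ == "__main__":
    pol = example_policy()
    print("[ICF.AddReg.StandardProfile]")
    print("\n".join(to_inf(pol)))
    print()
    print("\n".join(to_netsh(pol)))
```

Run it and paste the first block into netfw.inf (or apply the matching lines under the loaded system.sav hive) before FBA, or run the second block on the device after FBA; both leave the device in the same state. Note that the ICMP echo setting is emitted explicitly even when it is the default, so that a previously edited image is returned to a known value rather than inheriting whatever was there.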