RE: NETFW.INF, Preconfigured Firewall settings and dialogs



Hi Jim,

Thanks for your post.

I understand that you are performing your standard, scripted build of
Server 2003 SP1. You want to pre-configure lots of the firewall settings
to achieve the following goal: some ports are open by default and others
are listed in the firewall dialog box. Therefore, you want to know if MS
has a NETFW.INF that includes all the normal Server 2003 services. If I
have misunderstood your question, please feel free to let me know.

For this issue, the function can be fulfilled by using a script. If you want
to use a script, I suggest you address it in the Developer newsgroups. I have
provided the link below:

http://msdn.microsoft.com/newsgroups/default.asp

Or you may ask for developer support:
http://support.microsoft.com/directory/directory/phonepro.asp?sd=msdn

Meanwhile, I would like to provide some information related to the issue.

First, I want to know if it is the win2k3 firewall. If so, I'm afraid that you
need to create these protocols to open the ports manually, because this is
based on each specific customer's needs in different scenarios. Please refer to:

Configuring Exceptions for Specific Connections
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d30543b9-8d2c-4b8d-9bed-5f116a5dc698.mspx

Second, I found some helpful articles that describe the INF file in Windows XP
Service Pack 2 and the Port Requirements for the Microsoft Windows Server
System, for your reference:

Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/ThankYou.aspx?familyId=cb307a1d-2f97-4e63-a581-bf25685b4c43&displayLang=en

832017 Port Requirements for the Microsoft Windows Server System
http://support.microsoft.com/?id=832017

HTH and thanks for your understanding.

Thanks & Regards

Amanda Wang [MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

====================================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================================

--------------------
>From: "Jim Watts" <j.watts@xxxxxxxxxxxxxx>
>Subject: NETFW.INF, Preconfigured Firewall settings and dialogs
>Date: Thu, 2 Jun 2005 11:19:30 +0100
>Newsgroups: microsoft.public.windows.server.networking
>
>Hi,
>
>I'm in the process of finishing our standard, scripted build of Server 2003
>SP1. I would like to pre-configure lots of the firewall settings, so that
>some ports are open by default and others are listed in the firewall dialog
>box to allow our admin staff just to tick the boxes rather than manually add
>ports/apps. I know that this can all be done via the NETFW.INF file, and
>have successfully got some of it working already.
>
>However, for 'services' such as DFS, IIS, SNMP etc should I be adding the
>individual ports, or should I be adding the service executable? This
>question applies to almost ALL of the services that 2003 can provide, as I'd
>like a big range of entries that the support staff can simply tick:
>
> e.g. for DFS, dfssvc.exe:*:Enabled:Distributed File System Service OR
>ports 138,139,389,445 etc
>
>I don't suppose that MS have a NETFW.INF that includes all the normal Server
>2003 services do they? If not, this might be a useful thing to make
>available.
>
>All ideas/opinions gratefully received
>Jim
>--
>Jim Watts,
>Technology Consultant
>Information Systems Services
>University of Southampton
>
>
>
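
An added example, not part of either post and not Microsoft's code: a Python script that parses the two NETFW.INF exception forms raised in the thread (program entries and port entries) and reports which enabled entries accept traffic from any source. The sample lines, the `agent.exe` path, the custom scope value and the function names are constructed for illustration.

```python
import csv
import re

# Constructed sample AddReg lines (not taken from the thread's actual NETFW.INF).
# Value formats: program = path:scope:mode:name, port = port:protocol:scope:mode:name.
# Mode Disabled means the entry is listed in the dialog but not active.
FW = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SAMPLE_INF = "\n".join([
    "[ICF.AddReg.DomainProfile]",
    rf'HKLM,"{FW}\DomainProfile\AuthorizedApplications\List","%windir%\system32\dfssvc.exe",0x00000000,"%windir%\system32\dfssvc.exe:*:Enabled:Distributed File System Service"',
    rf'HKLM,"{FW}\DomainProfile\GloballyOpenPorts\List","445:TCP",0x00000000,"445:TCP:LocalSubnet:Enabled:SMB over TCP"',
    rf'HKLM,"{FW}\DomainProfile\GloballyOpenPorts\List","139:TCP",0x00000000,"139:TCP:LocalSubnet:Disabled:NetBIOS Session Service"',
    rf'HKLM,"{FW}\DomainProfile\AuthorizedApplications\List","C:\Tools\agent.exe",0x00000000,"C:\Tools\agent.exe:10.0.0.0/255.0.0.0:Disabled:Monitoring agent"',
])

# The lazy path match keeps a drive-letter colon (C:\...) inside the path field.
APP_RE = re.compile(r"^(?P<target>.+?):(?P<scope>[^:]*):(?P<mode>enabled|disabled):(?P<name>.*)$", re.I)
PORT_RE = re.compile(r"^(?P<target>\d+:(?:TCP|UDP)):(?P<scope>[^:]*):(?P<mode>enabled|disabled):(?P<name>.*)$", re.I)

def parse_exceptions(inf_text):
    """Return one dict per firewall exception found in HKLM AddReg lines."""
    found = []
    for line in inf_text.splitlines():
        if not line.strip().upper().startswith("HKLM,"):
            continue  # section headers, comments, blank lines
        fields = next(csv.reader([line.strip()], skipinitialspace=True))
        if len(fields) != 5:
            continue
        key, value = fields[1], fields[4]
        if key.endswith(r"GloballyOpenPorts\List"):
            kind, m = "port", PORT_RE.match(value)
        elif key.endswith(r"AuthorizedApplications\List"):
            kind, m = "program", APP_RE.match(value)
        else:
            continue
        if m is None:
            found.append({"kind": kind, "error": value})  # malformed value string
            continue
        found.append({"kind": kind, "profile": key.split("\\")[-3],
                      "target": m["target"], "scope": m["scope"],
                      "mode": m["mode"].lower(), "name": m["name"]})
    return found

def open_to_any_source(exceptions):
    """Enabled exceptions whose scope is '*' (any source address)."""
    return [e for e in exceptions if e.get("mode") == "enabled" and e.get("scope") == "*"]
```

Running `open_to_any_source(parse_exceptions(SAMPLE_INF))` on the constructed sample returns only the `dfssvc.exe` program entry, since the port entries are scoped to `LocalSubnet` and the remaining entries are `Disabled`.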
