Re: NETFW.INF, Preconfigured Firewall settings and dialogs

Thanks for the response.

Yes, it is the Windows Server 2003 SP1 firewall that I'm using. The link that
you provided will be useful, but doesn't really answer the question of whether
I should pre-configure specific ports in the exclusions list, or specific
applications/exes/services.

Personally, I think that services would be the best answer, using the
following procedure:

1) Decide what services/features are required
2) Using the document '832017 Port Requirements for the Microsoft Windows
Server System' that you reference, look up the specific servicename (the
'System service name' value in the document)
3) Using this service name, look in the registry to see what .exe this
service runs with
4) Add this .exe to the firewall exclusions list

How does this sound? Is this a sensible, and more importantly a SECURE, way
of doing things with regard to the standard services available on Windows
Server 2003?

Many thanks
Jim Watts

--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton
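As an added example (not from the thread, and not Microsoft's own tooling): a PowerShell script that carries out steps 2 to 4 of the procedure above for a list of service names, reading each service's ImagePath from the registry and emitting one line in the path:scope:mode:name layout the original post shows for dfssvc.exe. It assumes a current Windows host with PowerShell (a 2003-era build script would have used VBScript or netsh instead); services hosted in svchost.exe are flagged rather than emitted, because a program exception for svchost.exe covers every service that shares that host process, not just the one you meant.

```powershell
# Added example (not from the thread): resolve Windows service names to the
# executable each runs under and print a Windows Firewall INF-style
# AuthorizedApplications entry, flagging svchost-hosted services.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$ServiceName   # 'System service name' values from KB 832017
)

function Get-ServiceImage {
    param([string]$Name)
    # Assumes the usual HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath layout
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { return $null }
    $raw = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $raw) { return $null }
    # Expand %SystemRoot% etc., then strip surrounding quotes and any command-line arguments
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

foreach ($svc in $ServiceName) {
    $exe = Get-ServiceImage -Name $svc
    if (-not $exe) {
        Write-Warning "${svc}: service key or ImagePath not found"
        continue
    }
    $display = (Get-Service -Name $svc -ErrorAction SilentlyContinue).DisplayName
    if (-not $display) { $display = $svc }
    if ((Split-Path -Path $exe -Leaf) -ieq 'svchost.exe') {
        # A program exception for svchost.exe admits traffic for every service
        # hosted in that process, so a port exception from KB 832017 is the
        # narrower choice for this service.
        Write-Warning "${svc} runs inside svchost.exe; add its ports from KB 832017 rather than the exe"
        continue
    }
    # Same field layout as the dfssvc.exe example in the thread: path:scope:mode:name
    '{0}:*:Enabled:{1}' -f $exe, $display
}
```

Run it as `.\Get-FirewallAppEntry.ps1 -ServiceName Dfs,SNMP` (script name is a placeholder) and paste the emitted lines into the AuthorizedApplications section of your netfw.inf.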

"Amanda Wang [MSFT]" <v-amanwa@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:TMpHiIDaFHA.2476@xxxxxxxxxxxxxxxxxxxxxxxx
> Hi Jim,
>
> Thanks for your post.
>
> I understand that you are performing your standard, scripted build of
> Server 2003 SP1. You want to pre-configure lots of the firewall settings
> to achieve the following goal: some ports are open by default and others
> are listed in the firewall dialog box. Therefore, you want to know if MS
> has a NETFW.INF that includes all the normal Server 2003 services. If I
> have misunderstood your question, please feel free to let me know.
>
> For this issue, the function can be fulfilled by using a script. If you want
> to use a script, I suggest you ask in the Developer newsgroups. I have
> provided the link below:
>
> http://msdn.microsoft.com/newsgroups/default.asp
>
> Or you may ask for developer support:
> http://support.microsoft.com/directory/directory/phonepro.asp?sd=msdn
>
> Meanwhile, I would like to provide some information related to the issue.
>
> First, I want to know if it is the win2k3 firewall. If so, I'm afraid that you
> need to create these protocols to open the ports manually, because this is
> based on the specific customer's needs in different scenarios. Please refer
> to:
>
> Configuring Exceptions for Specific Connections
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d30543b9-8d2c-4b8d-9bed-5f116a5dc698.mspx
>
> Second, I found some helpful articles describing the INF file in Windows XP
> Service Pack 2 and the Port Requirements for the Microsoft Windows Server
> System for your reference:
>
> Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2
> http://www.microsoft.com/downloads/ThankYou.aspx?familyId=cb307a1d-2f97-4e63-a581-bf25685b4c43&displayLang=en
>
> 832017 Port Requirements for the Microsoft Windows Server System
> http://support.microsoft.com/?id=832017
>
> HTH and thanks for your understanding.
>
> Thanks & Regards
>
> Amanda Wang [MSFT]
>
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> ====================================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================================
>
> --------------------
>>From: "Jim Watts" <j.watts@xxxxxxxxxxxxxx>
>>Subject: NETFW.INF, Preconfigured Firewall settings and dialogs
>>Date: Thu, 2 Jun 2005 11:19:30 +0100
>>Message-ID: <evLtoi4ZFHA.2788@xxxxxxxxxxxxxxxxxxxx>
>>Newsgroups: microsoft.public.windows.server.networking
>>
>>Hi,
>>
>>I'm in the process of finishing our standard, scripted build of Server 2003
>>SP1. I would like to pre-configure lots of the firewall settings, so that
>>some ports are open by default and others are listed in the firewall dialog
>>box to allow our admin staff just to tick the boxes rather than manually add
>>ports/apps. I know that this can all be done via the NETFW.INF file, and
>>have successfully got some of it working already.
>>
>>However, for 'services' such as DFS, IIS, SNMP etc. should I be adding the
>>individual ports, or should I be adding the service executable? This
>>question applies to almost ALL of the services that 2003 can provide, as I'd
>>like a big range of entries that the support staff can simply tick:
>>
>> e.g. for DFS, dfssvc.exe:*:Enabled:Distributed File System Service OR
>>ports 138,139,389,445 etc.
>>
>>I don't suppose that MS have a NETFW.INF that includes all the normal Server
>>2003 services, do they? If not, this might be a useful thing to make
>>available.
>>
>>All ideas/opinions gratefully received
>>Jim
>>--
>>Jim Watts,
>>Technology Consultant
>>Information Systems Services
>>University of Southampton
>>