Re: NETFW.INF, Preconfigured Firewall settings and dialogs
- From: v-amanwa@xxxxxxxxxxxxxxxxxxxx (Amanda Wang [MSFT])
- Date: Tue, 07 Jun 2005 10:22:01 GMT
Hi Jim,
Glad to hear from you.
Based on my research, you needn't find the services' .exe files to add to
the firewall exclusion list. You can only Add Ports in firewall exclusion
list.
You can use the document '832017 Port Requirements for the Microsoft
Windows' to find the corresponding port and protocol for the specific
service, and then click the Add Port button in the firewall's Exceptions tab
and add the port and choose the protocol which the service uses.
HTH!
Thanks & Regards
Amanda Wang [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================================
--------------------
>From: "Jim Watts" <j.watts@xxxxxxxxxxxxxx>
>Subject: Re: NETFW.INF, Preconfigured Firewall settings and dialogs
>Date: Mon, 6 Jun 2005 14:48:14 +0100
>
>Thanks for the response.
>
>Yes, it is Windows Server 2003 SP1 firewall that I'm using. The link that
>you provided will be useful, but doesn't really answer the question of
>whether I should pre-configure specific ports in the exclusions list, or
>specific applications/exes/services.
>
>Personally, I think that services would be the best answer, using the
>following procedure:
>
>1) Decide what services/features are required
>2) Using the document '832017 Port Requirements for the Microsoft Windows
>Server System' that you reference, look up the specific service name (the
>'System service name' value in the document)
>3) Using this service name, look in the registry to see what .exe this
>service runs with
>4) Add this .exe to the firewall exclusions list
>
>How does this sound? Is this a sensible, and more importantly a SECURE way
>of doing things with regard to the standard services available on Windows
>Server 2003?
>
>Many thanks
>Jim Watts
>
>
>
>--
>--
>Jim Watts,
>Technology Consultant
>Information Systems Services
>University of Southampton
>
>"Amanda Wang [MSFT]" <v-amanwa@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:TMpHiIDaFHA.2476@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hi Jim,
>>
>> Thanks for your post.
>>
>> I understand that you are performing your standard, scripted build of
>> Server 2003 SP1. You want to pre-configure lots of the firewall settings
>> to achieve the following goal: some ports are open by default and others
>> are listed in the firewall dialog box. Therefore, you want to know if MS
>> has a NETFW.INF that includes all the normal Server 2003 services. If I
>> have misunderstood your question, please feel free to let me know.
>>
>> For this issue, the function can be fulfilled by using a script. If you
>> want to use a script, I suggest you address it in the Developer newsgroups.
>> I have provided the link below:
>>
>> http://msdn.microsoft.com/newsgroups/default.asp
>>
>> Or you may ask for developer support:
>> http://support.microsoft.com/directory/directory/phonepro.asp?sd=msdn
>>
>> Meanwhile, I would like to provide some information related to the issue.
>>
>> First, I want to know if it is the win2k3 firewall. If so, I'm afraid that
>> you need to create these protocols to open the ports manually, because this
>> is based on specific customers' needs in different scenarios. Please refer
>> to:
>>
>> Configuring Exceptions for Specific Connections
>>
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/d30543b9-8d2c-4b8d-9bed-5f116a5dc698.mspx
>>
>> Second, I found some helpful articles that describe the INF file in
>> Windows XP Service Pack 2 and Port Requirements for the Microsoft Windows
>> Server System for your reference:
>>
>> Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2
>>
>> http://www.microsoft.com/downloads/ThankYou.aspx?familyId=cb307a1d-2f97-4e63-a581-bf25685b4c43&displayLang=en
>>
>> 832017 Port Requirements for the Microsoft Windows Server System
>> http://support.microsoft.com/?id=832017
>>
>> HTH and thanks for your understanding.
>>
>> Thanks & Regards
>>
>> Amanda Wang [MSFT]
>>
>> Microsoft Online Partner Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> --------------------
>>>From: "Jim Watts" <j.watts@xxxxxxxxxxxxxx>
>>>Subject: NETFW.INF, Preconfigured Firewall settings and dialogs
>>>Date: Thu, 2 Jun 2005 11:19:30 +0100
>>>
>>>Hi,
>>>
>>>I'm in the process of finishing our standard, scripted build of Server
>>>2003 SP1. I would like to pre-configure lots of the firewall settings, so
>>>that some ports are open by default and others are listed in the firewall
>>>dialog box to allow our admin staff just to tick the boxes rather than
>>>manually add ports/apps. I know that this can all be done via the
>>>NETFW.INF file, and have successfully got some of it working already.
>>>
>>>However, for 'services' such as DFS, IIS, SNMP etc should I be adding the
>>>individual ports, or should I be adding the service executable? This
>>>question applies to almost ALL of the services that 2003 can provide, as
>>>I'd like a big range of entries that the support staff can simply tick:
>>>
>>> e.g. for DFS, dfssvc.exe:*:Enabled:Distributed File System Service
>>> OR ports 138,139,389,445 etc
>>>
>>>I don't suppose that MS have a NETFW.INF that includes all the normal
>>>Server 2003 services do they? If not, this might be a useful thing to make
>>>available.
>>>
>>>All ideas/opinions gratefully received
>>>Jim
>>>--
>>>Jim Watts,
>>>Technology Consultant
>>>Information Systems Services
>>>University of Southampton
>>>
>>>
>>>
>>
>
>
>
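An added example, not part of the thread and not code from any poster or from Microsoft: a small checker for the exception strings discussed above, separating entries that are switched on for any source address from entries that are only listed for staff to tick. It assumes the `target:scope:mode:name` layout quoted in the original question, assumes port entries follow the matching `port:protocol:scope:mode:name` layout, and uses constructed sample values.

```python
import re

# Constructed sample values in the "target:scope:mode:name" form quoted in the
# thread; the paths, scopes and display names are assumptions, not a Microsoft file.
SAMPLE_VALUES = [
    r"%windir%\system32\dfssvc.exe:*:Enabled:Distributed File System Service",
    r"C:\tools\agent.exe:LocalSubnet:Enabled:Monitoring agent",
    "445:TCP:LocalSubnet:Disabled:SMB over TCP",
    "139:TCP:*:Enabled:NetBIOS Session Service",
    "161:UDP:10.0.0.0/255.0.0.0:Disabled:SNMP",
]

PORT_PREFIX = re.compile(r"^\d{1,5}:(TCP|UDP):", re.IGNORECASE)


def parse_exception(value):
    """Parse one exception string into a dict; raise ValueError if malformed."""
    if PORT_PREFIX.match(value):
        # Port form (assumed layout): port:protocol:scope:mode:name
        port, proto, scope, mode, name = value.split(":", 4)
        if not 1 <= int(port) <= 65535:
            raise ValueError("port out of range: " + value)
        kind, target = "port", port + "/" + proto.upper()
    else:
        # Program form: path:scope:mode:name. The path may hold a drive-letter
        # colon, so split from the right (assumes the name has no colon).
        target, scope, mode, name = value.rsplit(":", 3)
        kind = "program"
    if mode.lower() not in ("enabled", "disabled"):
        raise ValueError("unknown mode: " + value)
    return {"kind": kind, "target": target, "scope": scope,
            "enabled": mode.lower() == "enabled", "name": name}


def audit(values):
    """Return (open_to_any, tick_list).

    open_to_any: exceptions that are switched on for every source address.
    tick_list:   exceptions that are only listed, left for an admin to enable.
    """
    open_to_any, tick_list = [], []
    for value in values:
        entry = parse_exception(value)
        if not entry["enabled"]:
            tick_list.append(entry["name"])
        elif entry["scope"] == "*":
            open_to_any.append((entry["kind"], entry["target"]))
    return open_to_any, tick_list
```

Entries reported in `open_to_any` are the ones worth reviewing before they go into a standard build, since they accept traffic from every address as soon as the server is installed.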