Page 171 - DCAP516_COMPUTER_SECURITY

Unit 13: Firewalls




          1.   Create your custom Netfw.inf file.
          2.   Copy your new file over the default Netfw.inf file on each workstation.
          3.   Open a command prompt and type netsh firewall reset.
          This last step restores an XP SP2 machine to its default firewall configuration, which means the
          configuration specified in the machine’s Netfw.inf file.
          To customize Netfw.inf prior to installing XP SP2, do the following:
          1.   Extract the Netfw.in_ file from an XP SP2 Integrated CD image or distribution point.
          2.   Customize the Netfw.in_ file as desired and sign it.
          3.   Replace Netfw.in_ on your XP SP2 Integrated CD image or distribution point with your
               customized version.
          4.   Deploy XP SP2 in the desired way (e.g. unattended, Sysprep, etc.).
          Here is what Netfw.inf (and Netfw.in_) contain by default:
          [version]
          Signature = "$Windows NT$"
          DriverVer = 07/01/2001,5.1.2600.2132

          [DefaultInstall]
          AddReg=ICF.AddReg.DomainProfile
          AddReg=ICF.AddReg.StandardProfile

          [ICF.AddReg.DomainProfile]
          HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

          [ICF.AddReg.StandardProfile]
          HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

          The third and fourth sections describe the domain and standard firewall profiles as described in
          Using Unattend.txt above. Let’s now look at how to customize Netfw.inf for our two scenarios.

          Scenario 1

          To disable Windows Firewall on XP SP2 machines in a domain environment, add the following
          entries to the [ICF.AddReg.DomainProfile] section of Netfw.inf:
          HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DoNotAllowExceptions",0x00010001,0
          HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","EnableFirewall",0x00010001,0
          These entries add the registry values needed to disable Windows Firewall on your XP SP2
          machines when the machines belong to a domain.
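
The following Python code is an added example, not part of the original text: it parses a Netfw.inf, follows the AddReg entries in [DefaultInstall], and reports which firewall profiles the file would disable, so a customized file can be reviewed before it is copied to workstations. The function names and the sample file (the default content shown above plus the Scenario 1 entries) are constructed for illustration.

```python
import csv
POLICY = "services\\sharedaccess\\parameters\\firewallpolicy\\"
K = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
DWORD = 0x00010001  # FLG_ADDREG_TYPE_DWORD, the flag used by the Scenario 1 entries
# Constructed sample: the default file shown above plus the Scenario 1 entries.
SAMPLE_INF = rf'''
[version]
Signature = "$Windows NT$"
[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile
[ICF.AddReg.DomainProfile]
HKLM,"{K}\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
HKLM,"{K}\DomainProfile","DoNotAllowExceptions",0x00010001,0
HKLM,"{K}\DomainProfile","EnableFirewall",0x00010001,0
[ICF.AddReg.StandardProfile]
HKLM,"{K}\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

def audit_netfw_inf(text):
    """Return {profile: {"values": {name: int}, "exceptions": [program, ...]}}."""
    text = text.translate({0x201C: '"', 0x201D: '"'})  # typographic quotes from PDF copies
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif line and not line.startswith(";") and current is not None:
            current.append(line)
    # Only sections named by AddReg= in [DefaultInstall] are applied on install.
    applied = [s.strip().lower() for l in sections.get("defaultinstall", [])
               if l.lower().replace(" ", "").startswith("addreg=")
               for s in l.split("=", 1)[1].split(",")]
    report = {}
    for name in applied:
        for line in sections.get(name, []):
            row = next(csv.reader([line], skipinitialspace=True))
            if len(row) >= 5 and POLICY in row[1].lower():
                profile, _, rest = row[1].lower().split(POLICY, 1)[1].partition("\\")
                entry = report.setdefault(profile, {"values": {}, "exceptions": []})
                if rest == "authorizedapplications\\list":
                    entry["exceptions"].append(row[2])
                elif not rest and int(row[3], 0) == DWORD:
                    entry["values"][row[2]] = int(row[4], 0)
    return report

def disabled_profiles(text):
    """Profiles for which the file itself writes EnableFirewall = 0."""
    return sorted(p for p, e in audit_netfw_inf(text).items()
                  if e["values"].get("EnableFirewall") == 0)
```

Profile names are reported in lower case; a profile with no EnableFirewall entry is left as the file leaves it and is not reported as disabled.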






                                           LOVELY PROFESSIONAL UNIVERSITY                                   165