Page 172 - DCAP516_COMPUTER_SECURITY

Computer Security

Tip: It's a good idea to leave the [ICF.AddReg.StandardProfile] section unchanged, so that the default firewall configuration for your machines when not joined to a domain is to have Windows Firewall enabled. This is especially true of machines like laptops that can be removed from the network.

Scenario 2

To allow incoming traffic on TCP port 80 for an XP SP2 machine running as an intranet web server in a workgroup environment, add the following entry to the [ICF.AddReg.StandardProfile] section of Netfw.inf (one line):

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","80:TCP",0x00000000,"80:TCP:LocalSubnet:enabled:Web Server (TCP 80)"

This allows unsolicited inbound traffic on TCP port 80 from machines on the local subnet only.

Using Netsh

The new netsh firewall context can also be used to configure Windows Firewall. This can be done either by opening a command prompt on an XP SP2 machine and executing the appropriate netsh commands, or by creating a batch file of netsh commands and running it from a run-once script. Here's how to do this for each scenario:

Scenario 1

To disable Windows Firewall on XP SP2 machines in a domain environment, use the following command:

netsh firewall set opmode mode=DISABLE profile=DOMAIN

Scenario 2

To allow incoming traffic on TCP port 80 for an XP SP2 machine running as an intranet web server in a workgroup environment, use the following command (one line; the STANDARD profile is the one that applies when the machine is not joined to a domain):

netsh firewall add portopening protocol=TCP port=80 name="Web Server (TCP 80)" mode=ENABLE scope=SUBNET profile=STANDARD

Once again, this allows unsolicited inbound traffic on TCP port 80 from machines on the local subnet only.
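As an added example (not code from the textbook), the following Python script parses the port:protocol:scope:mode:name value format that the Netfw.inf entry and the netsh command above both express, renders either form from one structured entry, and lists enabled openings whose scope is "*" (any source) rather than LocalSubnet. The helper names are my own, and the "*" scope token and the "disabled" mode value are assumptions about the XP SP2 registry format that do not appear on this page.

```python
"""Parse and render Windows XP SP2 firewall 'GloballyOpenPorts\\List' entries.

Each value under ...\\FirewallPolicy\\<Profile>\\GloballyOpenPorts\\List has the form
    port:protocol:scope:mode:name
e.g. "80:TCP:LocalSubnet:enabled:Web Server (TCP 80)".  Scope is "LocalSubnet" or
"*" (any source, assumed here); mode is "enabled" or "disabled" (assumed).
"""
from dataclasses import dataclass

KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
       r"\FirewallPolicy\{profile}\GloballyOpenPorts\List")


@dataclass(frozen=True)
class PortOpening:
    port: int
    protocol: str      # "TCP" or "UDP"
    scope: str         # "LocalSubnet" or "*"
    enabled: bool
    name: str


def parse_entry(value: str) -> PortOpening:
    """Parse one registry value; the name may contain ':' so split at most 4 times."""
    parts = value.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed entry: {value!r}")
    port, proto, scope, mode, name = parts
    if proto.upper() not in ("TCP", "UDP"):
        raise ValueError(f"unknown protocol: {proto!r}")
    if mode.lower() not in ("enabled", "disabled"):
        raise ValueError(f"unknown mode: {mode!r}")
    return PortOpening(int(port), proto.upper(), scope, mode.lower() == "enabled", name)


def to_inf_line(e: PortOpening, profile: str = "StandardProfile") -> str:
    """Render the [ICF.AddReg.<profile>] line for Netfw.inf (REG_SZ, flags 0x00000000)."""
    mode = "enabled" if e.enabled else "disabled"
    value = f"{e.port}:{e.protocol}:{e.scope}:{mode}:{e.name}"
    return f'HKLM,"{KEY.format(profile=profile)}","{e.port}:{e.protocol}",0x00000000,"{value}"'


def to_netsh(e: PortOpening, profile: str = "STANDARD") -> str:
    """Render the equivalent 'netsh firewall add portopening' command."""
    scope = "SUBNET" if e.scope.lower() == "localsubnet" else "ALL"
    mode = "ENABLE" if e.enabled else "DISABLE"
    return (f"netsh firewall add portopening protocol={e.protocol} port={e.port} "
            f'name="{e.name}" mode={mode} scope={scope} profile={profile}')


def audit(values):
    """Names of enabled openings reachable from any source, i.e. not limited to the subnet."""
    return [e.name for e in map(parse_entry, values) if e.enabled and e.scope == "*"]
```

Running audit() over the exported List values of a profile is a quick way to spot exceptions that were opened with scope ALL when the intent, as in Scenario 2, was the local subnet only.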

Using Group Policy

Finally, in an Active Directory environment you can use Group Policy to configure Windows Firewall on your XP SP2 desktops. This involves two steps: first, update your existing Group Policy Objects (GPOs) with the new Windows Firewall policy settings found in the updated System.adm template included in XP SP2. This adds a new Windows Firewall folder under Network Connections in the Administrative Templates portion of Computer Configuration:


166 LOVELY PROFESSIONAL UNIVERSITY