Microsoft KB Archive/889740

= Windows XP Service Pack 2 (Part 6): Windows Firewall =

Article ID: 889740

Article Last Modified on 2/6/2007

-

APPLIES TO

Microsoft Windows XP Service Pack 2, when used with:
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional

-



SUMMARY
This article is Part 6 of the Windows XP Service Pack 2 - Step by Step guide. This article describes the new Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2).

To view the other articles in the Windows XP Service Pack 2 - Step by Step guide, see the Microsoft Knowledge Base articles that are listed in the "References" section.

The Windows XP Service Pack 2 - Step by Step guide includes the following topics:
- Part 1: Better security with Service Pack 2
- Part 2: Installing Service Pack 2
- Part 3: The new Security Center
- Part 4: Automatic Updates
- Part 5: Virus protection
- Part 6: Windows Firewall
- Part 7: Protecting against buffer overflows
- Part 8: Improvements in Internet Explorer and Outlook Express
- Part 9: Uninstalling Service Pack 2



Part 6: Windows Firewall
Internet users do not always realize that an Internet connection is bidirectional. In the same manner that you can access other computers when you are online, other computers can access yours. This means that there is a constant threat of attack. That is why computers should never connect to the Internet without the protection of a firewall.

When you install Windows XP SP2, the new Windows Firewall is automatically activated for all network connections, regardless of whether there is already another desktop firewall on the computer. Windows Firewall blocks all unsolicited incoming traffic and lets desired network traffic pass as normal.

The firewall lets you surf the Internet, send e-mail, download files, and communicate with other computers in a small, private network. If the computer receives an unsolicited request, Windows Firewall blocks the connection. Rules are created so that the firewall can identify which connections should be allowed and which should be blocked. Some programs, such as Internet Explorer, set the rules internally. In other cases, you must define exceptions manually.

Modifying firewall settings
You can modify the firewall settings at any time. To open the firewall settings, use one of the following methods:
- Click Start, point to Control Panel, and then click Windows Firewall.
- Click Security Center in Control Panel, and then click Windows Firewall under Manage security settings for.

Activating and deactivating the firewall
1. Open Windows Firewall.
2. Click the General tab.
3. Select your preferred option, and then click OK.
   - On (recommended): This is the default setting. This setting blocks all unsolicited attempts to establish a connection with the computer. It only allows programs or tools that were specified automatically or manually as exceptions.
   - Don't allow exceptions: The exceptions specified on the Exceptions tab are ignored. This setting is recommended when you are on the move and require a high level of protection. For example, use this setting when you connect using a WLAN connection that is categorized as nonsecure, such as a WLAN connection in a hotel or in an airport.
   - Off (not recommended): Disables the firewall. You should only select this setting if you are installing another firewall.

Installing another firewall
If you want to use another desktop firewall, you must deactivate the Windows Firewall. If two firewalls are activated at the same time, neither will operate correctly. The Security Center will note this conflict and notify you accordingly.



1. Deactivate Windows Firewall as described earlier in this article. The Security Center will probably warn you that the firewall has been deactivated.
2. In this case, click Recommendations, click I have a firewall solution that I'll monitor myself, and then click OK.
3. You must now monitor the correct operation of the firewall yourself.

Setting exceptions
Some programs and games need to exchange information to operate correctly. If you wish to play a game against other users on the Internet, or use a chat service, this information is transmitted through incoming ports on the computer. However, this only works if these ports are open.

To prevent Windows Firewall from blocking all traffic, you must specify trusted programs in the list of exceptions. There are several methods of doing this.

Defining exceptions "on the fly"
Windows notifies you that it is blocking a program. You then have three options:
- Keep blocking: The program will also be blocked in the future.
- Unblock: The program will be able to receive data or additional requests in the future.
- Ask Me Later: The program will be unable to receive data. However, you will be prompted to block it or allow it at the next attempt.

If you select Unblock, Windows Firewall creates an exception. Otherwise it will continue to block the program.

Creating exceptions manually
1. Open Windows Firewall.
2. Click the Exceptions tab.
3. Click Add Program. Select the program that you want to add to the list of exceptions, and then click OK.
4. The program is now added to the list and checked.

Note: You can define a corresponding port as an exception instead of defining a program. However, to do this, you must know the port number.

1. Open Windows Firewall.
2. Click the Exceptions tab.
3. Click Add Port. Specify a name for the type of connection that uses this port, and then enter the port number. (You can find the port number in system documentation or on the Internet.) Specify whether the connection is through TCP or UDP, and then click OK.
4. Because an opened port is not assigned to a program, it remains open even when you are not using the program. When you are not using the program, close the port to help secure the computer. (To close the port, remove the check mark next to it in the list of exceptions.)

Automatic exceptions
For some programs, such as Windows Messenger, Windows automatically creates rules. These are then automatically added to the list of exceptions.

Modifying the scope
If you set an exception for the firewall, this automatically applies to all computers worldwide. However, you can limit the exceptions by changing the scope.

1. Open Windows Firewall.
2. Click the Exceptions tab.
3. Select the exception that you want to limit, and then click Edit. Select the port, if available, and then click Change scope. (If no port is listed, click Change scope.)
4. Select the option that you want to apply, and then click OK.

Problems with file and printer sharing
By default, if you work at a stand-alone computer, file sharing and printer sharing are blocked, and this section does not apply to you. However, if an Internet-enabled computer is connected to a network, file sharing and printer sharing are set as an exception with the subnet scope during installation of Windows XP SP2.

Important: This setting can make file and printer sharing visible worldwide, even when Windows Firewall is activated.



This problem affects a computer that should be available only for internal LAN sharing but that connects directly to the Internet through a modem, ISDN, or DSL, and on which ICS (Internet Connection Sharing) is deactivated. It does not apply to DSL users who already have a firewall integrated in their DSL modem or who use a DSL router.

There is a workaround for this problem: set a custom configuration for file and printer sharing.

1. Open Windows Firewall.
2. Click the Exceptions tab.
3. Select File and Printer Sharing, and then click Edit.
4. Select TCP port 139, and then click Change scope.
5. Click Custom list, and then enter the network range that you want to use for file and printer sharing. This is usually the 192.168.0.0 range that has the subnet mask 255.255.255.0. Use the following format:

192.168.0.0/255.255.255.0

6. Click OK. Repeat this process for the three other ports, and then close the window by clicking OK.
7. Your file and printer sharing should no longer be openly available.
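The firewall states, port exceptions and scopes described in this article, modelled as an added worked example (not Microsoft's code). It assumes the Subnet scope means "the subnet of the adapter that received the packet", so that on a direct modem or DSL link the ISP's range counts as local; the addresses and the ISP range are constructed.

```python
"""Toy model of how Windows Firewall (XP SP2) decides on an unsolicited inbound
connection: the three General-tab states, port exceptions, and the Any / Subnet /
Custom-list scopes, with custom entries in the article's "address/netmask" format."""
import ipaddress
from dataclasses import dataclass, field

ON, ON_NO_EXCEPTIONS, OFF = "on", "dont_allow_exceptions", "off"

@dataclass
class PortException:
    name: str
    protocol: str                 # "TCP" or "UDP"
    port: int
    enabled: bool = True          # the check box in the Exceptions list
    scope: str = "any"            # "any", "subnet" or "custom"
    custom: list = field(default_factory=list)   # e.g. ["192.168.0.0/255.255.255.0"]

def parse_scope_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse one custom-list entry ('address/netmask', or a single host)."""
    return ipaddress.IPv4Network(entry.strip(), strict=False)

def in_scope(exc, src, local_net):
    if exc.scope == "any":        # reachable from every address
        return True
    if exc.scope == "subnet":     # only the subnet of the receiving adapter
        return src in local_net
    return any(src in parse_scope_entry(e) for e in exc.custom)

def inbound_allowed(state, exceptions, protocol, port, src_ip, local_net):
    """True if the firewall would accept an unsolicited inbound connection."""
    if state == OFF:               # firewall disabled: everything reaches the host
        return True
    if state == ON_NO_EXCEPTIONS:  # the Exceptions tab is ignored entirely
        return False
    src = ipaddress.IPv4Address(src_ip)
    net = ipaddress.IPv4Network(local_net, strict=False)
    return any(e.enabled and e.protocol == protocol and e.port == port
               and in_scope(e, src, net) for e in exceptions)

# Constructed sample: sharing on TCP 139 with the install-time Subnet scope versus
# the article's custom list. On a direct modem/DSL link the adapter's "subnet" is
# the ISP's range, so any other host in that range is in scope (assumed here).
DEFAULT_SHARING = [PortException("File and Printer Sharing", "TCP", 139, scope="subnet")]
LAN_ONLY_SHARING = [PortException("File and Printer Sharing", "TCP", 139, scope="custom",
                                  custom=["192.168.0.0/255.255.255.0"])]
ISP_NET = "203.0.113.0/24"         # constructed documentation range for the ISP link
```

With the custom list, a host in the ISP range is refused on TCP 139 while a 192.168.0.x neighbour is still accepted; with "Don't allow exceptions" even the neighbour is refused.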

<div class="references_section">