SUMMARY

The Windows Firewall feature in Windows XP Service Pack 2 (SP2) includes significant enhancements to help protect your computer from attack by malicious users or by malicious software such as viruses. Windows Firewall replaces the Internet Connection Firewall (ICF) feature that is included in earlier versions of Windows XP. By default, Windows Firewall is turned on for all network connections, including connections to the Internet. For additional information about Windows Firewall, click the following article number to view the article in the Microsoft Knowledge Base:

This step-by-step article describes how to turn on remote debugging when you are using Microsoft Windows Firewall in Microsoft Windows XP with SP2.

Turn on remote debugging

To turn on remote debugging in Windows XP with SP2, Windows Firewall must be configured as follows:

• If Windows Firewall is in "shielded" mode, you must perform the appropriate actions so that Windows Firewall is no longer in "shielded" mode.
• If Windows Firewall is on, some ports must be opened and permissions must be granted to Microsoft Visual Studio .NET and to other executable programs that are used in remote debugging.
• If Windows Firewall is off, you may not have to configure a firewall.
• Additionally, if the user who runs Visual Studio .NET is not a system administrator on the remote computer, you must configure the DCOM settings.

To follow the step-by-step instructions to turn on remote debugging, the current user must have system administrative credentials. These instructions are only for Internet Protocol version 4 (IPV4) based network settings.

Configure DCOM on the computer that is running Visual Studio .NET

Note After you make changes by using the Distributed Component Object Model Configuration utility (Dcomcnfg.exe), you must restart your computer for the changes to take effect.

1. At a command prompt, type dcomcnfg, and then press ENTER. Component Services opens.
2. In Component Services, expand Component Services, expand Computers, and then expand My Computer.
3. On the toolbar, click the Configure My Computer button. The My Computer dialog box appears.
4. In the My Computer dialog box, click the COM Security tab.
5. Under Access Permission, click Edit Limits. The Access Permission dialog box appears.
6. Under Group or user names, click ANONYMOUS LOGON.
7. Under Permissions for ANONYMOUS LOGON, select the Remote Access check box, and then click OK.

Note If you cannot click the Configure My Computer button that is described in step 3, follow these steps:

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1. Remove the Microsoft Distributed Transaction Service (MSDTC). To do this, follow these steps:
   1. Click Start, click Run, type cmd, and then click OK.
   2. At the command prompt, type the following command to stop the MSDTC service:

      Net stop msdtc

   3. At the command prompt, type the following command to remove MSDTC:

      Msdtc –uninstall

      The command prompt will return without a message.
2. In Registry Editor, delete the \HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC subkey.
3. Install the MSDTC service. To do this, follow these steps:
   1. At the command prompt, type the following command to install MSDTC:

      Msdtc –install

   2. At the command prompt, type the following command to start the MSDTC service:

      Net start msdtc

Configure the computer that is running Visual Studio .NET

Open Windows Firewall

To do this, click Start, click Run, type firewall.cpl, and then click OK.

Open TCP port 135

DCOM Remote Procedure Call (RPC) uses Transfer Control Protocol (TCP) port 135. If the program uses DCOM to communicate with remote computers, this port must be opened. To open TCP port 135, follow these steps:

1. On the Exceptions tab, click Add port, and then click TCP.
2. In the Port number box, type 135.
3. In the Name box, type Remote Procedure Call (RPC).
4. Click Change scope, click My network (subnet) only, and then click OK. This step is optional.
5. If you have no other port exceptions to add, click OK two times to close the Windows Firewall dialog box.

Open UDP port 4500

User Datagram Protocol (UDP) port 4500 is used for Internet Protocol security (IPSec). If your domain policy requires that all network communication be completed through IPSec, this port must be opened for any network operation. If your domain policy does not require IPSec, go to the "Open UDP port 500" section.

To open UDP port 4500, follow these steps:

1. On the Exceptions tab, click Add port, and then click TCP.
2. In the Port number box, type 4500.
3. In the Name box, type User Datagram Protocol (UDP).
4. Click Change scope, click My network (subnet) only, and then click OK. (This step is optional.)
5. If you have no other port exceptions to add, click OK two times to close the Windows Firewall dialog box.

Open UDP port 500

UDP port 500 is used for IPSec. If your domain policy requires that all network communication be completed through IPSec, this port must be opened for any network operation. If your domain policy does not require IPSec, go to step 5.

To open UDP port 500, follow these steps:

1. On the Exceptions tab, click Add port, and then click TCP.
2. In the Port number box, type 500.
3. In the Name box, type IPSec.
4. Click Change scope, click My network (subnet) only, and then click OK. (This step is optional.)
5. Click OK two times to close the Windows Firewall dialog box.

Turn on file and print sharing

1. In the Programs and Services area of the Exceptions tab, click File and Print Sharing, and then click Edit.
2. In the Exceptions dialog box, select the following check boxes:
   • TCP 139
   • TCP 445
   • UDP 137
   • UDP 138
3. Click Local Subnet Only for all the ports that are mentioned in step 2. (This step is optional.)
4. Click OK.

Add Devenv.exe to the application exceptions list

To enable applications that require ports to be opened dynamically at runtime to work correctly, you must add the applications to the application exceptions list.

To add the Visual Studio .NET Development Environment (Devenv.exe) to the application exceptions list, follow these steps:

1. On the Exceptions tab, click Add Program. The Add a Program dialog box appears.
2. Click Browse, locate Devenv.exe, and then click OK.
   
   Note Devenv.exe is located in the following folder:

   Drive:\Program Files\Microsoft Visual Studio .NET (2003)\Common7\IDE

3. Click Change scope, click to select My network (subnet) only, and then click OK. (This step is optional.)
4. In the Add a Program dialog box, click OK.
5. In Windows Firewall, click OK to save your settings.

Configure the remote computer

All the ports that were opened on the debugger computer must also be opened on the remote computer. To open the ports TCP 135, UDP 4500, and UDP 500, and to turn on file and print sharing, follow the steps in the "Configure the computer that is running Visual Studio .NET" section.

You must also add the following executable (.exe) files to the application exceptions list:

• Mdm.exe
• Vs7Jit.exe
• Msvcmon.exe

These executable files are components that Visual Studio .NET uses for remote debugging. To include these components in the list of applications that can open DCOM ports dynamically at runtime, follow these steps.

Open Windows Firewall

1. Click Start, click Run, type firewall.cpl, and then click OK.
2. Click the Exceptions tab.

Add Mdm.exe to the application exceptions list

1. On the Exceptions tab, click Add Program. The Add a Program dialog box appears.
2. In the Add a Program dialog box, click Browse.
3. Locate Mdm.exe, and then click OK.
   

Note Mdm.exe is located in the Drive:\Program Files\Common Files\Microsoft Shared\VS7Debug folder.

1. Click Change scope, click to select My network (subnet) only, and then click OK. (This step is optional.)
2. In the Add a Program dialog box, click OK.
3. In Windows Firewall, click OK to save your settings.

Add Vs7jit.exe to the application exceptions list

1. Determine the short file path of Vs7jit.exe. To do this, follow these steps:
   1. At a command prompt, type the following command, and then press ENTER:

      for %d in ("%CommonProgramFiles%\Microsoft Shared\VS7Debug\vs7jit.exe" ) do @echo %~sd

   2. Save the output from this command that looks similar to the following:

      C:\PROGRA~1\COMMON~1\MICROS~1\VS7Debug\vs7jit.exe

2. On the Exceptions tab, click Add Program. The Add a Program dialog box appears.
3. In the Add a Program dialog box, click Browse.
4. In the Filename box, type the path of Vs7jit.exe that you saved in step 1b.
5. Click Change scope, click to select My network (subnet) only, and then click OK. (This step is optional.)
6. In the Add a Program dialog box, click OK.
7. In Windows Firewall, click OK to save your settings.

Add MSVCMon.exe to the application exceptions list

1. On the Exceptions tab, click Add Program. The Add a Program dialog box appears.
2. In the Add a Program dialog box, click Browse.
3. Locate Msvcmon.exe, and then click OK.
   

Note Msvcmon.exe is located in the Drive:\Program Files\Common Files\Microsoft Shared\VS7Debug folder.

1. Click Change scope, click to select My network (subnet) only, and then click OK. (This step is optional.)
2. In the Add a Program dialog box, click OK.
3. In Windows Firewall, click OK to save your settings.

Enable Web server debugging

HTTP uses TCP port 80. To do Web-based debugging, you must open TCP port 80. This is true for Microsoft ASP.NET debugging, for classic ASP debugging, and for ATL Server debugging.

To open TCP port 80, follow these steps:

1. Click Start, click Run, type firewall.cpl, and then click OK.
2. On the Exceptions tab, click Add Port, and then click TCP.
3. In the Port number box, type 80.
4. In the Name box, type HTTP.
5. Click Change scope, click My network (subnet) only, and then click OK. (This step is optional.)
6. Click OK two times to close the Windows Firewall dialog box.

Enable script debugging

To debug script code that runs on a remote computer, you must add the process that hosts the script code to the application exceptions list. Typically, in classic ASP debugging, script code is loaded in the Dllhost.exe process or in the Inetinfo.exe process. However, for a script that runs in Microsoft Internet Explorer, script code is generally loaded in the Iexplore.exe process or in the Explorer.exe process.

To add the process that hosts the script code to the application exceptions list, follow these steps:

1. Click Start, click Run, type firewall.cpl, and then click OK.
2. In Windows Firewall, click the Exceptions tab.
3. On the Exceptions tab, click Add Program. The Add a Program dialog box appears.
4. In the Add a Program dialog box, click Browse.
5. Locate the process that hosts the script code, and then click OK.
6. Click Change scope, click to select My network (subnet) only, and then click OK. (This step is optional.)
7. In the Add a Program dialog box, click OK.
8. In Windows Firewall, click OK to save your settings.

Run the debugger as a typical user

If you want to run the debugger as a typical user, you must have full user rights to the folder where the executables are located. Additionally, if you do not have Administrator user rights on the remote computer, you must have access permissions and launch permissions to run the debugger as a typical user.

Note A typical user is a user who does not have Administrator user rights.

Note After you make changes by using the Distributed Component Object Model Configuration utility (Dcomcnfg.exe), you must restart your computer for the changes to take effect.

To grant access permissions and launch permissions, you must have Administrator user rights. First, obtain Administrator user rights. Then, follow these steps:

1. At a command prompt, type dcomcnfg, and then press ENTER. Component Services opens.
2. In Component Services, expand Component Services, expand Computers, and then expand My Computer.
3. On the toolbar, click the Configure My Computer button. The My Computer dialog box appears.
4. In the My Computer dialog box, click the COM Security tab.
5. Under Launch and Activate Permissions, click Edit Limits.
6. If your group or user name does not appear in the Groups or user names list in the Launch Permission dialog box, follow these steps:
   1. In the Launch Permission dialog box, click Add.
   2. In the Select Users, Computers, or Groups dialog box, add your user name and your group in the Enter the object names to select box, and then click OK.
7. In the Launch Permission dialog box, select your user name and your group in the Group or user names box.
8. In the Allow column under Permissions for User, select Remote Activation, and then click OK.
   
   Note User is the user name or the group that is selected in the Group or user names box. Repeat steps 7 and 8 for all your users and for all your groups.

Note If you cannot click the Configure My Computer button that is described in step 3, follow these steps.

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

1. At a command prompt, type net stop msdtc, and then press ENTER.
2. Remove the Microsoft Distributed Transaction Service (MSDTC).
3. In Registry Editor, delete the \HKEY_LOCAL_MACHINE\Software\Microsoft\MSDTC subkey.
4. Install the MSDTC service.
5. At the command prompt, type net start msdtc, and then press ENTER.

Windows Vista installation information

In Windows Vista, you should log off and then log back on after you install the remote debugger.