NETFW.INF, Preconfigured Firewall settings and dialogs

 
 
Jim Watts
Guest
Posts: n/a

 
      06-02-2005, 10:19 AM
Hi,

I'm in the process of finishing our standard, scripted build of Server 2003
SP1. I would like to pre-configure lots of the firewall settings, so that
some ports are open by default and others are listed in the firewall dialog
box to allow our admin staff just to tick the boxes rather than manually add
ports/apps. I know that this can all be done via the NETFW.INF file, and
have successfully got some of it working already.

However, for 'services' such as DFS, IIS, SNMP etc. should I be adding the
individual ports, or should I be adding the service executable? This
question applies to almost ALL of the services that 2003 can provide, as I'd
like a big range of entries that the support staff can simply tick:

e.g. for DFS, dfssvc.exe:*:Enabled:Distributed File System Service OR
ports 138,139,389,445 etc.

I don't suppose that MS have a NETFW.INF that includes all the normal Server
2003 services do they? If not, this might be a useful thing to make
available.

All ideas/opinions gratefully received
Jim
--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton


 
Amanda Wang [MSFT]
Guest
Posts: n/a

 
      06-03-2005, 11:48 AM
Hi Jim,

Thanks for your post.

I understand that you are performing your standard, scripted build of
Server 2003 SP1. You want to pre-configure lots of the firewall settings
to achieve the following goal: some ports are open by default and others
are listed in the firewall dialog box. Therefore, you want to know if MS
has a NETFW.INF that includes all the normal Server 2003 services. If I
have misunderstood your question, please feel free to let me know.

For this issue, the function can be fulfilled by using a script. If you want
to use a script, I suggest you address it in the Developer newsgroups. I have
provided the link below:

http://msdn.microsoft.com/newsgroups/default.asp

Or you may ask for developer support:
http://support.microsoft.com/directo...ro.asp?sd=msdn

Meanwhile, I would like to provide some information related to the issue.

First, I want to know if it is the win2k3 firewall. If so, I'm afraid that you
need to create these protocols to open the ports manually because this is
based on specific customer's needs in different scenarios. Please refer to:

Configuring Exceptions for Specific Connections
http://www.microsoft.com/technet/pro.../library/Operations/d30543b9-8d2c-4b8d-9bed-5f116a5dc698.mspx

Second, I found some helpful articles that describe the INF file in Windows XP
Service Pack 2 and Port Requirements for the Microsoft Windows Server
System for your reference:

Using the Windows Firewall INF File in Microsoft Windows XP Service Pack 2
http://www.microsoft.com/downloads/T...7a1d-2f97-4e63-a581-bf25685b4c43&displayLang=en

832017 Port Requirements for the Microsoft Windows Server System
http://support.microsoft.com/?id=832017

HTH and thanks for your understanding.

Thanks & Regards

Amanda Wang [MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

================================================== ==================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

================================================== ===================

Jim Watts
Guest
Posts: n/a

 
      06-06-2005, 01:48 PM
Thanks for the response.

Yes, it is the Windows Server 2003 SP1 firewall that I'm using. The links that
you provided will be useful, but don't really answer the question of whether
I should pre-configure specific ports in the exclusions list, or specific
applications/exes/services.

Personally, I think that services would be the best answer, using the
following procedure:

1) Decide what services/features are required
2) Using the document '832017 Port Requirements for the Microsoft Windows
Server System' that you reference, look up the specific service name (the
'System service name' value in the document)
3) Using this service name, look in the registry to see what .exe this
service runs with
4) Add this .exe to the firewall exclusions list

How does this sound? Is this a sensible, and more importantly a SECURE way
of doing things with regard to the standard services available on Windows
Server 2003?

Many thanks
Jim Watts



--
Jim Watts,
Technology Consultant
Information Systems Services
University of Southampton
 
Amanda Wang [MSFT]
Guest
Posts: n/a

 
      06-07-2005, 10:22 AM
Hi Jim,

Glad to hear from you.

Based on my research, you needn't find the services' .exe files to add to
the firewall exclusion list. You can only Add Ports in the firewall exclusion
list.

You can use the document '832017 Port Requirements for the Microsoft
Windows Server System' to find the corresponding port and protocol for the
specific service, and then click the Add Port button in the firewall's
Exceptions tab, add the port and choose the protocol which the service uses.

HTH!

Thanks & Regards

Amanda Wang [MSFT]

Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

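The two approaches discussed in this thread (a program exception built from the service's executable, and per-port exceptions from KB 832017), as an added example that is not code from any poster or from Microsoft. It emits NETFW.INF AddReg lines in the format described in the Windows Firewall INF document linked above, using a program exception only when the service has its own .exe and falling back to port entries when it runs inside a shared host process, where a program exception would cover every service in that process. The function names, the shared-host list, the `LocalSubnet`/`Disabled` defaults (listed in the dialog but unticked) and the sample ImagePath values and ports are assumptions made for illustration.

```python
import ntpath

# FirewallPolicy registry path that NETFW.INF AddReg lines write under.
POLICY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
# Assumed list of shared host processes: a program exception for one of these
# would let every service hosted in that process accept inbound traffic.
SHARED_HOSTS = {"svchost.exe", "lsass.exe", "services.exe"}

def image_exe(image_path):
    """Executable path from a service ImagePath value, without arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    head, sep, _ = p.lower().partition(".exe")
    if sep:
        return p[:len(head) + 4]
    return p.split()[0] if p else ""

def exception_lines(name, image_path, ports, profile="DomainProfile",
                    scope="LocalSubnet", mode="Disabled"):
    """One program exception for a dedicated .exe, otherwise per-port exceptions."""
    exe = image_exe(image_path)
    base = ntpath.basename(exe).lower()
    if base.endswith(".exe") and base not in SHARED_HOSTS:
        key = "\\".join((POLICY, profile, "AuthorizedApplications", "List"))
        return [f'HKLM,"{key}","{exe}",0x00000000,"{exe}:{scope}:{mode}:{name}"']
    key = "\\".join((POLICY, profile, "GloballyOpenPorts", "List"))
    return [f'HKLM,"{key}","{port}:{proto}",0x00000000,'
            f'"{port}:{proto}:{scope}:{mode}:{name} ({port}/{proto})"'
            for port, proto in ports]

def build_section(services, profile="DomainProfile"):
    """Render the AddReg section for one firewall profile."""
    lines = [f"[ICF.AddReg.{profile}]"]
    for name, (image_path, ports) in services.items():
        lines += exception_lines(name, image_path, ports, profile)
    return "\n".join(lines)

# Constructed sample: ImagePath values as read from
# HKLM\SYSTEM\CurrentControlSet\Services\<service>\ImagePath; ports are illustrative.
SAMPLE = {
    "Distributed File System": (r"C:\WINDOWS\system32\Dfssvc.exe", [(445, "TCP")]),
    "Server": (r"%SystemRoot%\system32\svchost.exe -k netsvcs",
               [(139, "TCP"), (445, "TCP")]),
}

if __name__ == "__main__":
    print(build_section(SAMPLE))
```

Pass `mode="Enabled"` only for the entries that should be open by default, and keep the scope as narrow as the service allows.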
 
 
 