Modifying Your XP SP2 Firewall INF File

Windows XP Service Pack 2 includes the Windows Firewall, a replacement for the Internet Connection Firewall component in Windows XP with Service Pack 1 and Windows XP with no service packs installed. Windows Firewall is a stateful host-based firewall that drops all unsolicited incoming traffic that does not relate to either traffic sent in response to solicited traffic or unsolicited traffic that has been specified as allowed.

One of the enhancements in Windows XP SP2 is the enabling of Windows Firewall by default during the installation of Windows XP or update to Windows XP SP2. In this thread, i’ll describe how to edit the Windows Firewall INF file in order to create custom default configurations for Windows Firewall or just to have a tinker. There are so many configurations that can be use so i can’t tell you all of them, but tinkering and knowing what you wan’t will help alot.
If you have a second machine running XP, you may wan’t to experiment with that first so you don’t screw anything up too bad.

Scenarios for Firewall modification
Disabling the Windows Firewall:
If a third party firewall such as ZoneLabs’ ZoneAlarm is enabled by default, then it is recommended that Windows Firewall be disabled. This can be done by modifying the Windows Firewall INF file to disable Windows Firewall by default.

Preinstalled Programs:
An OEM or yourself may choose to install a suite of programs. Some of these programs may need to receive unsolicited incoming traffic in order to function properly. The Windows Firewall can be configured to allow unsolicited incoming traffic by default by adding the programs to the Windows Firewall’s exceptions list. This can be done by adding entries for the programs to the Windows Firewall INF file. Only programs that require unsolicited incoming traffic should be added to the exceptions list; programs that do not require unsolicited incoming traffic should not be added.

Opening Ports:
You may choose to use various network services and want to ensure that the network traffic for those services are allowed through the Windows Firewall. Windows Firewall can be configured to open the necessary ports by adding them to the Windows Firewall’s exceptions list. This can be done by adding entries for the TCP or UDP ports to the Windows Firewall INF file. Statically opening ports does potentially increase a computer’s exposure to an attack, so the number of ports opened in Windows Firewall should be kept to a minimum.

Location of Windows Firewall INF File:
On a Windows XP CD, the location of the Windows Firewall INF file is:
CD Drive:\I386\Netfw.in_
Note; On the Windows CD, the file’s name is Netfw.in_ (not .inf).
On the machine Windows is installed on, the location of the Windows Firewall INF file is: %windir%\Inf\Netfw.inf

Replacing the Default Windows Firewall Configuration:

1. Copy the Windows Firewall INF file (Netfw.inf) from an installation of Windows XP SP2 to somwehere else on your machine
2. Make the desired modifications to the INF file
3. Save the modified INF file as Netfw.inf
4. Replace the default Netfw.inf with the modified Netfw.inf
5. Run the command netsh firewall resetfrom command prompt.

To customize Netfw.inf prior to installing XP SP2:

1. Extract the Netfw.in_ file from an XP SP2 Integrated CD image.
2. Make the desired modifications to the INF file.
3. Replace Netfw.in_ on your XP SP2 CD image with your customized version.
4. Burn your customised XP image

This is what Netfw.inf (and Netfw.in_) contain by default:
[CODE][version]
Signature = “$Windows NT$”
DriverVer =07/01/2001,5.1.2600.2132

[DefaultInstall]
AddReg=ICF.AddReg.DomainProfile
AddReg=ICF.AddReg.StandardProfile

[ICF.AddReg.DomainProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[ICF.AddReg.StandardProfile]
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"[/CODE]

Standard profile: used by default in workgroup environments (computer not connected to a domain).
Domain profile: used by default in domain environments and allows exceptions based on installed Windows XP services and applications.
Continued…

Disabling Windows Firewall’s Notifications
By default, Windows Firewall displays a notification when a program not already included in the Windows Firewall exceptions list uses the new Windows Firewall APIs to add itself to the exceptions list. By adding the right entries to the INF file, these notifications can be disabled in either or both of Windows Firewall’s profiles.

To disable notifications by default in the Domain Profile, add the following entry to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile","DisableNotifications",0x00010001,1

To disable notifications by default in the Standard Profile, add the following entry to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,1

Adding Programs to Windows Firewall’s Default Exceptions List
By Default, the Firewall dynamically opens the ports used by programs in its current profile’s exceptions list. The INF file can be used to add programs to the Firewall’s exceptions lists. Only programs that actually require unsolicited incoming traffic should be added to the exceptions lists; there is no benefit to adding programs that only use outgoing connections to the exceptions lists because of the firewall’s nature.

To add a program to the Domain Profile’s exceptions list, an entry should be added to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List","program’s image path",0x00000000,”program’s image path:scope:mode:program’s friendly name”

To add a program to the Standard Profile’s Exceptions List, an entry should be added to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","program’s image path",0x00000000, ”program’s image path:scope:mode:program’s friendly name”

The following characteristics must be defined based upon the program being added to the Firewall’s exceptions lists and for the desired behavior:

1. Program’s image path – Such as C:\ProgramFiles\Fraps\fraps.exe
2. Scope – Permitted values for scope are explained later in this guide.
3. Mode –The two values for this element are either enabled or disabled. If a program’s entry is enabled, ports are dynamically opened in Windows Firewall for the program when it opens ports. If a program’s entry is disabled, ports will not be dynamically opened in Windows Firewall for the program.
4. Program’s friendly name – This is name that will be used to represent the entry in the Windows Firewall GUI. It should include the product name such as MSN Messenger v7.1 etc…

Defining the Scope for an Entry in the INF File
When enabling opening a port or allowing a program, the set of IP addresses from which the unsolicited incoming traffic is allowed can be defined. This set of IP addresses from which unsolicited incoming traffic are allowed is the scope of the exception. There are three options when defining the scope for a

Windows Firewall exception:

1. All IP addresses – This is the default scope for a Windows Firewall exception, and it allows unsolicited incoming traffic that matches the exception from any computer. In the INF file, making an entry’s scope element an asterisk (“*”) will result in a scope of all IP addresses for the entry.

2. Local subnet only – This scope allows unsolicited incoming traffic that matches the exception from any computer on the same subnet as the network connection on which the traffic was received through Windows Firewall, while dropping unsolicited incoming traffic from all other computers. When a computer’s subnet changes, the set of allowed IP addresses changes to match the new subnet. In the INF file, making an entry’s scope element LocalSubnet will result in a local subnet only scope for the entry.

3. Custom – The final option is to define a custom scope, which is a list of IP addresses and address ranges that typically correspond to subnets. Unsolicited incoming traffic that matches the exception and originates from a computer with an IP address in the defined list is allowed through Windows Firewall. Unsolicited incoming traffic from computers with IP addresses that are not in the list is dropped. A custom scope can include the local subnet, IP addresses, and IP address ranges. For IP address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length (w.x.y.z/n). When you use a dotted decimal subnet mask, you can specify the range as an IP network ID such as 10.47.81.0/255.255.255.0 or by using an IP address within the range such as 10.47.81.231/255.255.255.0. When you use a network prefix length, you can specify the range as an IP network ID such as 10.47.81.0/24 or by using an IP address within the range such as 10.47.81.231/24.
   Some examples of custom scope elements are as follows:

4. 192.168.0.5

5. 192.168.0.0/255.255.255.0

6. 192.168.0.5,LocalSubnet

7. 157.54.0.1,172.16.0.0/12,10.0.0.0/255.0.0.0,LocalSubnet
   5-10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24
   Note: You cannot have any spaces between the entries in the list of sources or the entire list is ignored and Windows Firewall uses the default scope of any source IP address. Please double-check your scope before saving changes to the INF file.

Adding Static Ports to the Exceptions List

It is generally recommended that programs be added to the exceptions list instead of statically opening ports. This allows for Windows Firewall to dynamically open and close ports and keep the number of ports open at any one time to a minimum. It is however understood that there are cases where ports need to be statically opened.

To add a static port to the Domain Profile’s exceptions list, an entry in the following format should be added to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","port number:protocol",0x00000000,"port number:protocol:scope:mode:port’s friendly name"

To add a static port to the Standard Profile’s exceptions list, an entry in the following format should be added to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","port number:protocol",0x00000000,"port number:protocol:scope:mode:port’s friendly name"

In the two entries above, the following elements must be defined:

1. Port number – The port number must be between 1 and 65535 inclusive.
2. Protocol – The protocol must be either TCP or UDP.
3. Scope – Previously explained in the ‘Adding Programs to Windows Firewall’s Default Exceptions List’ part of this guide.
4. Mode – This can either be enabled or disabled. If a port’s entry is enabled, the port will be statically opened in Windows Firewall. If a port’s entry is disabled, the port will not be statically opened in Windows Firewall.
5. Port’s friendly name – This is the description that will be used to represent the entry in the Windows Firewall GUI applet. It should provide an indication of why the port is statically opened, such as “Web Server” or “P2P Sharing”.

As an example for opening a port, two entries are needed to enable the static port used by the Internet Key Exchange protocol which uses UDP 500, for a scope of all IP addresses in the default exceptions lists for both of Windows Firewall’s profiles.
This entry is added to the ICF.AddReg.DomainProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","500:UDP",0x00000000,"500:UDP:*:enabled:IKE (UDP 500)"

This entry is added to the ICF.AddReg.StandardProfile section of the Windows Firewall INF file:

HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","500:UDP",0x00000000,"500:UDP:*:enabled:IKE (UDP 500)"

Hope you actually enjoyed reading all that mess.
Hopefully, it didn’t confuse you as much as it did i :good:

Did you really type all of that your self?

It’s very good - very complete.

Although most of it can be done a lot easier using the GUI!

I actually had a mate help a little but yes.
I know it can be done through the GUI but it isn’t as easy that way.