Small Business Susan

What do the default firewall policies in SBS’s Vista policy do?

If you’ve ever taken a look at the Vista firewall policies in the group policy on a SBS box, you will notice that they only show up under the “Extra Registry Settings”. To actually get to where they are stored, you need to take a Vista machine, log in with a domain administrator account (Domain\AdminAccount and its password), and then type GPMC.MSC in the search box.


The first thing that one has to get used to is that it’s not in the network section where you might think it would be; it’s under Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security. Then click on Inbound Rules:



You can see the rules here:


The first section of policies is defined as “Core Networking”:


  • Core Networking – Destination Unreachable (ICMPv6-In) – Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.
  • Core Networking – Destination Unreachable Fragmentation Needed (ICMPv4-In) – Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don’t fragment bit was set.
  • Core Networking – Dynamic Host Configuration Protocol (DHCP-In) – Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.
  • Core Networking – Internet Group Management Protocol (IGMP-In) – IGMP messages are sent and received by nodes to create, join and depart multicast groups.
  • Core Networking – IPv6 (IPv6-In) – Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.
  • Core Networking – Multicast Listener Done (ICMPv6-In) – Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.
  • Core Networking – Multicast Listener Query (ICMPv6-In) – An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.
  • Core Networking – Multicast Listener Report (ICMPv6-In) – The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
  • Core Networking – Multicast Listener Report v2 (ICMPv6-In) – Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.
  • Core Networking – Neighbor Discovery Advertisement (ICMPv6-In) – Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.
  • Core Networking – Neighbor Discovery Solicitation (ICMPv6-In) – Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.
  • Core Networking – Packet Too Big (ICMPv6-In) – Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.
  • Core Networking – Parameter Problem (ICMPv6-In) – Parameter Problem error messages are sent by nodes as a result of incorrectly generated packets.
  • Core Networking – Router Advertisement (ICMPv6-In) – Router Advertisements are sent by routers to other nodes for stateless auto-configuration.
  • Core Networking – Teredo (UDP-In) – Outbound UDP rule to allow Teredo edge traversal, a technology that provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.
  • Core Networking – Time Exceeded (ICMPv6-In) – Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

The next section is the File and Printer Sharing policies:

  • File and Printer Sharing (Echo Request – ICMPv4-In) – Echo Request messages are sent as ping requests to other nodes.
  • File and Printer Sharing (Echo Request – ICMPv6-In) – Echo Request messages are sent as ping requests to other nodes.
  • File and Printer Sharing (NB-Datagram-In) – Inbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception. [UDP 138] (Domain)
  • File and Printer Sharing (NB-Datagram-In) – Inbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception. [UDP 138] (Any profile) – Local Subnet
  • File and Printer Sharing (NB-Name-In) – Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution. [UDP 137] (Domain)
  • File and Printer Sharing (NB-Name-In) – Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution. [UDP 137] (Any profile) – Local Subnet
  • File and Printer Sharing (NB-Session-In) – Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections. [TCP 139] (Domain)
  • File and Printer Sharing (NB-Session-In) – Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections. [TCP 139] (Any profile) – Local Subnet
  • File and Printer Sharing (SMB-In) – Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes. [TCP 445] (Domain)
  • File and Printer Sharing (SMB-In) – Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes. [TCP 445] (Any profile) – Local Subnet
  • File and Printer Sharing (Spooler Service – RPC) – Inbound rule for File and Printer Sharing to allow the Print Spooler Service to communicate via TCP/RPC. (Any profile) – Local Subnet
  • File and Printer Sharing (Spooler Service – RPC) – Inbound rule for File and Printer Sharing to allow the Print Spooler Service to communicate via TCP/RPC. (Domain)
  • File and Printer Sharing (Spooler Service – RPC-EPMAP) – Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Spooler Service. (Domain)
  • File and Printer Sharing (Spooler Service – RPC-EPMAP) – Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Spooler Service. (Any profile) – Local Subnet

The next set are for Remote Assistance:


  • Remote Assistance (DCOM-In) – Inbound rule for Remote Assistance to allow offers for assistance via DCOM. [TCP 135]
  • Remote Assistance (RA Server TCP-In) – Inbound rule for Remote Assistance to allow offers for assistance. [TCP]
  • Remote Assistance (SSDP-In) – Inbound rule for Remote Assistance to allow use of the Simple Service Discovery Protocol. [UDP 1900] (Domain) – Local Subnet
  • Remote Assistance (SSDP-In) – Inbound rule for Remote Assistance to allow use of the Simple Service Discovery Protocol. [UDP 1900] (Any profile) – Local Subnet
  • Remote Assistance (TCP-In) – Inbound rule for Remote Assistance traffic. [TCP] (Domain)
  • Remote Assistance (TCP-In) – Inbound rule for Remote Assistance traffic. [TCP] (Any profile)
  • Remote Assistance (UPnP-In) – Inbound rule for Remote Assistance to allow use of Universal Plug and Play. [TCP 2869] (Any profile) – Local Subnet
  • Remote Assistance (UPnP-In) – Inbound rule for Remote Assistance to allow use of Universal Plug and Play. [TCP 2869] (Domain) – Local Subnet

The last one is for Remote Desktop:

  • Remote Desktop (TCP-In) – Inbound rule for the Remote Desktop service to allow RDP traffic. [TCP 3389]
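If you would rather not click through every rule to see the Domain versus “Any profile – Local Subnet” scoping that the lists above show, here is an added PowerShell example (mine, not from the original post or from SBS) that reads the inbound Allow rules for these four groups straight out of the GPO and flags any rule that applies outside the Domain profile but is not limited to the local subnet. It assumes a Windows 8 / Server 2012 or later admin workstation with the NetSecurity module (the cmdlets do not exist on Vista itself, but they can read the domain GPO), and the GPO name below is a placeholder for the real name shown in GPMC.

```powershell
# Added audit example - not part of the original post.
# Requires the NetSecurity module (Windows 8 / Server 2012 or later) on a domain-joined admin box.
param(
    # Placeholder: replace with "<domain>\<GPO display name>" exactly as GPMC shows it.
    # Use "ActiveStore" instead to see the merged result on a local client.
    [string]$PolicyStore = "contoso.local\Small Business Server Windows Vista Policy"
)

# The four rule groups walked through in the post
$groups = @('Core Networking', 'File and Printer Sharing', 'Remote Assistance', 'Remote Desktop')

# Only enabled inbound Allow rules matter for the exposure question
$rules = Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $groups -contains $_.DisplayGroup }

$report = foreach ($rule in $rules) {
    # Port and address filters are separate objects attached to each rule
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter

    # A rule that is not Domain-only and whose remote scope is not LocalSubnet
    # is the one an admin should look at twice (e.g. the Remote Desktop rule).
    $needsReview = ($rule.Profile -ne 'Domain') -and ($addr.RemoteAddress -notcontains 'LocalSubnet')

    [pscustomobject]@{
        Group      = $rule.DisplayGroup
        Rule       = $rule.DisplayName
        Profile    = $rule.Profile                 # Domain / Private / Public / Any
        Protocol   = $port.Protocol                # TCP / UDP / ICMPv4 / ICMPv6 / 41 (IPv6) ...
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
        Flag       = if ($needsReview) { 'REVIEW' } else { '' }
    }
}

$report | Sort-Object Group, Rule | Format-Table -AutoSize
```

Rules marked REVIEW are not necessarily wrong; the column just makes the profile and scope pairing from the lists above visible in one place so you can decide deliberately.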

There’s a nice write-up on the firewall rules in this preview chapter of the Windows Vista Resource Kit – http://download.microsoft.com/download/f/c/7/fc7d048b-b7a5-4add-be2c-baaee38091e3/9780735622838_WindowsVistaRK_ch27.pdf – which is included in that book.


But you can see, just from their titles, sorta what they are doing, can’t you?