Microsoft Press MCSA/MCSE Self-Paced Training Kit (Exam 70-270), part 7


Chapter 15 Configuring Network and Internet Connections
Lesson 5 Configuring Windows Firewall

7. After reviewing the firewall log, close the Notepad window, click OK to exit the Log Settings dialog box, and then click OK again to close the Windows Firewall dialog box.

Exam Tip: You should know where Windows Firewall log files are stored, whether logging is available, and what kind of information you can learn from log files.

How to Create an Exception for a Service or Application

By default, Windows Firewall blocks all unsolicited traffic. You can create exceptions so that particular types of unsolicited traffic are allowed through the firewall. For example, if you want to allow sharing of files and printers on a local computer, you must enable the File And Printer Sharing exception in Windows Firewall so that requests for the shared resources are allowed to reach the computer.

Windows Firewall includes a number of common exceptions, such as Remote Assistance, Remote Desktop, File And Printer Sharing, and Windows Messenger. Windows Firewall also automatically extends the exceptions available for you to enable according to the programs installed on a computer. You can manually add exceptions to the list by browsing for program files.

To create a global exception that applies to all network connections for which Windows Firewall is enabled, use these steps:

1. Click Start, and then click Control Panel.
2. In the Control Panel window, click Network And Internet Connections.
3. In the Network And Internet Connections window, click Windows Firewall.
4. In the Windows Firewall dialog box, click the Exceptions tab, shown in Figure 15-27.
   Figure 15-27 Create a global exception for all connections in Windows Firewall.
5. In the Programs And Services list, select the check box for the service you want to allow.
If you need to add an exception for an installed program that does not appear on the list, click Add Program to locate the executable file for the program, and then enable the exception after the program is added to the list.
6. Click OK to close the Windows Firewall dialog box.

How to Create an Exception for a Particular Port

If Windows Firewall does not include an exception for the traffic you need to allow, and adding an executable file to the list does not produce the results you need, you can also create an exception by unblocking traffic for a particular port.

To create a global exception for a port that applies to all network connections for which Windows Firewall is enabled, use these steps:

1. Click Start, and then click Control Panel.
2. In the Control Panel window, click Network And Internet Connections.
3. In the Network And Internet Connections window, click Windows Firewall.
4. In the Windows Firewall dialog box, on the Exceptions tab, click Add Port. Windows displays the Add A Port dialog box. To create an exception based on a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port number, you must know the proper port number used by an application or service to use this option.
5. Type a name for the exception, type the port number you want to allow access for, and then select whether the port is a TCP or UDP port. You can also change the scope to which the exception applies. Your options are to have the exception apply to any computer (including computers on the Internet), the local network only, or a custom list of IP addresses.
6. To change the scope of the exception, click Change Scope to open the Change Scope dialog box, where you can configure the scope options. Click OK to return to the Add A Port dialog box.
7. Click OK again to add the exception and return to the Windows Firewall dialog box.
After you have added the exception, it appears in the Programs And Services list on the Exceptions tab of the Windows Firewall dialog box.
8. Select the check box for the exception to enable it.
9. Click OK to close the Windows Firewall dialog box.

To create a service exception for a particular network connection for which Windows Firewall is enabled, use these steps:

1. Click Start, and then click Control Panel.
2. In the Control Panel window, click Network And Internet Connections.
3. In the Network And Internet Connections window, click Windows Firewall.
4. In the Windows Firewall dialog box, on the Advanced tab, in the Network Connection Settings section, click the connection for which you want to configure an exception, and then click Settings. Windows displays the Advanced Settings dialog box, shown in Figure 15-28.
   Figure 15-28 Create an exception for a particular network connection in Windows Firewall.
5. On the Services tab, click Add. Windows displays the Service Settings dialog box.
6. Type a description of the service.
7. If the computer on which you are configuring Windows Firewall is an ICS host, you can configure Windows Firewall to forward traffic for the port to a particular computer on the network by typing that computer’s IP address. If the computer is not an ICS host, you should enter the IP address for the local computer.
   Tip: Instead of entering the IP address for the local computer, you can also use the loopback address 127.0.0.1, which always refers to the local computer. This is useful should the IP address of the local computer change.
8. Enter the port information for the service.
9. Click OK to close the Service Settings dialog box. Click OK to close the Advanced Settings dialog box. Click OK again to close the Windows Firewall dialog box.
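The Exam Tip above asks what a firewall log can tell you; one practical answer is which exceptions are actually needed and how narrow their scope can be. The following added example (not from the training kit) parses a log in the layout Windows Firewall writes, keyed on its `#Fields:` header, and reports dropped inbound ports together with whether every source was on the local network, plus who sent dropped echo requests. The sample lines, addresses, and function names are constructed for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not a real capture), laid out like the firewall log:
# '#' header lines, a '#Fields:' column list, then space-separated records.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2005-04-11 08:05:57 DROP TCP 192.168.0.21 192.168.0.10 3124 80 48 S 1784261 0 65535 - - -
2005-04-11 08:06:03 DROP TCP 192.168.0.22 192.168.0.10 2210 80 48 S 9920114 0 65535 - - -
2005-04-11 08:06:40 DROP TCP 203.0.113.7 192.168.0.10 4471 3389 48 S 5512003 0 16384 - - -
2005-04-11 08:07:01 DROP ICMP 192.168.0.21 192.168.0.10 - - 60 - - - - 8 0 -
2005-04-11 08:07:02 DROP ICMP 203.0.113.7 192.168.0.10 - - 60 - - - - 8 0 -
2005-04-11 08:07:03 DROP ICMP 203.0.113.7 192.168.0.10 - - 60 - - - - 8 0 -
2005-04-11 08:09:40 OPEN TCP 192.168.0.10 198.51.100.5 1045 80 - - - - - - - -
2005-04-11 08:10:01 DROP TCP 192.168.0.23
"""


def parse_firewall_log(text):
    """Return one dict per record, using the column names from '#Fields:'."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.lower().startswith("#fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split()
        # Skip records seen before the header, and truncated or malformed lines.
        if fields is None or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def _inbound_drops(records, local_ip):
    """Yield only the records the firewall dropped on their way to local_ip."""
    for rec in records:
        if rec.get("action") == "DROP" and rec.get("dst-ip") == local_ip:
            yield rec


def classify_dropped_ports(records, local_ip, local_net):
    """Map (protocol, port) to its sources and whether all were on local_net."""
    net = ipaddress.ip_network(local_net)
    sources = defaultdict(set)
    for rec in _inbound_drops(records, local_ip):
        port = rec.get("dst-port", "-")
        if rec.get("protocol") in ("TCP", "UDP") and port.isdigit():
            sources[(rec["protocol"], int(port))].add(rec["src-ip"])
    return {
        key: {
            "sources": sorted(ips),
            "all_local": all(ipaddress.ip_address(ip) in net for ip in ips),
        }
        for key, ips in sources.items()
    }


def echo_request_sources(records, local_ip):
    """Count dropped ICMP echo requests (type 8) per source address."""
    counts = defaultdict(int)
    for rec in _inbound_drops(records, local_ip):
        if rec.get("protocol") == "ICMP" and rec.get("icmptype") == "8":
            counts[rec["src-ip"]] += 1
    return dict(counts)
```

A port whose dropped requests all came from the local network is a candidate for an exception with the local-network scope; drops from outside addresses are the traffic the default block is meant to stop.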
ICMP Exceptions

ICMP allows routers and host computers to swap basic error and configuration information. The information includes whether or not the data sent reaches its final destination, whether it can or cannot be forwarded by a specific router, and what the best route for the data is. ICMP tools such as Pathping, Ping, and Tracert are often used to troubleshoot network connectivity.

ICMP troubleshooting tools and their resulting messages are helpful when used by a network administrator, but harmful when used by an attacker. For instance, a network administrator sends a ping request in the form of an ICMP packet that contains an echo request message to the IP address that is being tested. The reply to that echo request message allows the administrator to verify that the computer is reachable. An attacker, on the other hand, can send a storm of specially formed pings that can overload a computer so that it cannot respond to legitimate traffic. Attackers can also use ping commands to determine the IP addresses of computers on a network. By configuring ICMP, you can control how a system responds (or does not respond) to such ping requests. By default, Windows Firewall blocks all ICMP messages.

Table 15-5 provides details about ICMP exceptions you can enable in Windows Firewall.

Table 15-5 ICMP Options

| ICMP Option | Description |
|---|---|
| Allow Incoming Echo Request | Controls whether a remote computer can ask for and receive a response from the computer. Ping is a command that requires you to enable this option. When enabled (as with other options), attackers can see and contact the host computer. |
| Allow Incoming Timestamp Request | Sends a reply to another computer, stating that an incoming message was received and includes time and date data. |
| Allow Incoming Mask Request | Provides the sender with the subnet mask for the network of which the computer is a member. The sender already has the IP address; giving the subnet mask is all an administrator (or attacker) needs to obtain the remaining network information about the computer’s network. |
| Allow Incoming Router Request | Provides information about the routes the computer recognizes and passes on information it has about any routers to which it is connected. |
| Allow Outgoing Destination Unreachable | The computer sends a Destination Unreachable error message to clients who attempt to send packets through the computer to a remote network for which there is no route. |
| Allow Outgoing Source Quench | Offers information to routers about the rate at which data is received; tells routers to slow down if too much data is being sent and it cannot be received fast enough to keep up. |
| Allow Outgoing Parameter Problem | The computer sends a Bad Header error message when the computer discards data it has received that has a problematic header. This message allows the sender to understand that the host exists, but that there were unknown problems with the message itself. |
| Allow Outgoing Time Exceeded | The computer sends the sender a Time Expired message when the computer must discard messages because the messages timed out. |
| Allow Redirect | Data that is sent from this computer will be rerouted if the path changes. |

Security Alert: Generally, you should enable ICMP exceptions only when you need them for troubleshooting, and then disable them after you have completed troubleshooting. Make sure that you do not allow or enable these options without a full understanding of them and of the consequences and risks involved.

How to Enable ICMP Exceptions

To enable a global ICMP exception for all connections on a computer, use these steps:

1. Click Start, and then click Control Panel.
2. In the Control Panel window, click Network And Internet Connections.
3. In the Network And Internet Connections window, click Windows Firewall.
4. In the Windows Firewall dialog box, click the Advanced tab.
5. In the ICMP section, click Settings.
6. Select the check box for the exception you want to enable.
7. Click OK to close the ICMP Settings dialog box. Click OK again to close the Windows Firewall dialog box.

To enable an ICMP exception for a network connection, use these steps:

1. Click Start, and then click Control Panel.
2. In the Control Panel window, click Network And Internet Connections.
3. In the Network And Internet Connections window, click Windows Firewall.
4. In the Windows Firewall dialog box, click the Advanced tab.
5. In the Network Connection Settings section, click the connection for which you want to configure an exception, and then click Settings.
6. In the Advanced Settings dialog box, click the ICMP tab, shown in Figure 15-29.
   Figure 15-29 Create an ICMP exception for a connection.
7. Select the check box for the exception you want to enable.
8. Click OK to close the Advanced Settings dialog box. Click OK again to close the Windows Firewall dialog box.

Troubleshooting Windows Firewall

There are a few fairly common problems that end users encounter when using Windows Firewall, including the inability to enable or disable Windows Firewall on a connection, problems with file and print sharing, a network user’s inability to access a server on the network (such as a Web server), problems with Remote Assistance, and problems running Internet programs.

When troubleshooting Windows Firewall, make sure that you remember to check the obvious first. The following are some basic rules that you must follow, and any deviation from them can cause many of the common problems that are encountered when using Windows Firewall:

■ Windows Firewall can be enabled or disabled only by administrators.
ICF can be enabled or disabled by a Local Security Policy or Group Policy as well, sometimes preventing access even by a local administrator.
■ To share printers and files on a local computer that is running Windows Firewall, you must enable the File And Printer Sharing exception.
■ If the local computer is running a service, such as a Web server, FTP server, or other service, network users cannot connect to these services unless you create the proper exceptions in Windows Firewall.
■ Windows Firewall blocks Remote Assistance and Remote Desktop traffic by default. You must enable the Remote Desktop exception for remote users to be able to connect to a local computer with Remote Desktop or Remote Assistance.

Practice: Configure Windows Firewall

In this practice, you will ensure that Windows Firewall is enabled on all connections on your computer. You will disable and then re-enable Windows Firewall on your LAN connection only. You will then enable an exception in Windows Firewall for all connections. The practices in this exercise require that you have a properly configured LAN connection.

Exercise 1: Ensure that Windows Firewall is Enabled For All Network Connections

1. Click Start, and then click Control Panel.
2. In the Control Panel window, click Network And Internet Connections.
3. In the Network Connections window, right-click your LAN connection, and then click Properties.
4. In the Local Area Connection Properties dialog box, on the Advanced tab, in the Windows Firewall section, click Settings.
5. In the Windows Firewall dialog box, ensure that On (Recommended) is selected. Also ensure that the Don’t Allow Exceptions check box is cleared.

Leave both the Windows Firewall dialog box and the Local Area Connection Properties dialog box open for the next exercise.

Exercise 2: Disable and Re-Enable Windows Firewall on Your Local Area Connection Only

1. In the Windows Firewall dialog box, click the Advanced tab.
2. In the Network Connection Settings section, in the list of connections, clear the check box next to Local Area Connection, and then click OK. Windows Firewall is now disabled for the local area connection. A bubble appears in the notification area informing you that your computer is at risk because the firewall is disabled.
3. In the Network Connections window, right-click Local Area Connection, and then click Properties. In the Local Area Connection Properties dialog box, click the Advanced tab. In the Windows Firewall section, click Settings.
4. In the Windows Firewall dialog box, on the Advanced tab, select the check box next to Local Area Connection, and then click OK. Windows Firewall is now enabled for the local area connection.

Leave the Local Area Connection Properties dialog box open for the next exercise.

Exercise 3: Enable an Exception in Windows Firewall for all Connections

1. In the Local Area Connection Properties dialog box, on the Advanced tab, in the Windows Firewall section, click Settings.
2. In the Windows Firewall dialog box, on the Exceptions tab, select the File And Printer Sharing check box.
3. Click OK. Windows Firewall is now configured to allow file and printer sharing traffic into your computer.
4. Click OK again to close the Local Area Connection Properties dialog box.

Lesson Review

Use the following questions to help determine whether you have learned enough to move on to the next lesson. If you have difficulty answering these questions, review the material in this lesson before beginning the next lesson. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.

1. You are troubleshooting a network connection and need to use the Ping command to see if a computer is reachable. Which ICMP exception must you enable on that computer? Choose the correct answer.
   a. Allow Incoming Router Request
   b. Allow Incoming Echo Request
   c. Allow Outgoing Source Quench
   d. Allow Redirect
2. By default, what two types of traffic does Windows Firewall allow into a computer?
3. Windows Firewall protects a computer running Windows XP Professional even while the computer is starting up. (True/False)

Lesson Summary

■ Windows Firewall is a software-based firewall built into Windows XP Professional. Windows Firewall blocks all incoming network traffic except for solicited traffic and excepted traffic.
■ You can enable or disable Windows Firewall globally for all network connections on a computer, including LAN, dial-up, and wireless connections.
■ You can also enable or disable Windows Firewall selectively for each network connection on a computer.
■ Windows Firewall allows you to configure a number of advanced options, including the following:
  ❑ Enabling Windows Firewall logging to log network activity
  ❑ Creating an exception for a service or application to allow traffic through the firewall
  ❑ Creating a custom service definition when a built-in exception does not suit your needs
  ❑ Creating an ICMP exception so that the computer responds to traffic from certain network utilities
■ Troubleshooting Windows Firewall typically involves enabling or disabling Windows Firewall and creating exceptions so that specific network traffic is allowed into the computer.

Case Scenario Exercise

In this exercise, you will read a scenario about configuring network connections and then answer the questions that follow. If you have difficulty completing this work, review the material in this chapter before beginning the next chapter. You can find answers to these questions in the “Questions and Answers” section at the end of this chapter.
Scenario

You are an administrator working for a company named Contoso, Ltd., a developer of custom networking applications based in Houston. Greta, a user in the Sales department, has contacted you for help in setting up a demonstration of one of the company’s applications at a seminar in a hotel in Las Vegas. The hotel has provided a conference room with broadband Internet access via an Ethernet cable, but your staff must configure their own network when they get there. The company is sending five notebook computers running Windows XP Professional. Each computer has a built-in Ethernet network adapter and a built-in wireless network adapter, but none has been configured for networking. All five of the computers will be used in demonstrations and must be networked together. In addition, all the computers will need access to the Internet. Because all the computers are running Windows XP Professional, you have configured each computer so that it is a member of a workgroup named Contoso.

Questions

1. Because each of the computers has a wireless network adapter, you have decided to create a wireless network to connect the computers. However, the company did not send any wireless networking devices. Can you create a wireless network without additional hardware? If so, what kind of wireless network can you create?
2. You want to secure the wireless network. What kind of security could you implement on the type of wireless network you can create?
3. Because there is only one Internet connection, and each computer must have Internet access, you have decided to use ICS to share Internet access among the computers. The connection you have been provided requires that the computer [...]

...
■ Lesson 2: Configuring Account Policies
■ Lesson 3: Configuring User Rights
■ Lesson 4: Configuring Security Options
■ Lesson 5: Implementing an Audit Policy
■ Lesson 6: Configuring Internet Explorer Options
...
Chapter 16 Configuring Security Settings and Internet Options
Lesson 1 Overview of Security Policy

... Snap-In
4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Available Standalone Snap-Ins dialog box, click Resultant Set Of Policy, and then click Add.
6. Click Close, and then click OK. In the console window, Windows displays the Resultant Set Of Policy, as shown in Figure 16-6.
   Figure 16-6 Use RSoP to view the settings in effect on a computer.
7. ...

... Add
6. Click Close, and then click OK. In the console window, Windows displays the Security Templates add-in, as shown in Figure 16-4.
   Figure 16-4 Add the Security Templates snap-in to a console.
7. Right-click the predefined template you want to customize, and then click Save As.
8. In the Save As dialog box, type a new name for your...

... click Add/Remove Snap-In.
4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Add Standalone Snap-Ins dialog box, click Security Configuration And Analysis, and then click Add.
6. Click Close, and then click OK. In the console window, Windows displays the Security Configuration And Analysis, as shown in Figure 16-5.
   Figure 16-5 Add the Security Configuration...

... window, double-click Local Security Policy.
5. In the Local Security Policy window, select the folder containing the policy you want to edit.
6. In the right pane, double-click the policy you want to edit. Windows displays the dialog box for the policy, as shown in Figure 16-3.
   Figure 16-3 Change the settings for the policy.
7. Configure...
... opens the Microsoft Management Console (MMC) with a blank console window named Console1.
3. In the console, click File, and then click Add/Remove Snap-In.
4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Add Standalone Snap-Ins dialog box, click Security Templates, and then click Add.
6. Click Close, and then click OK. In the console window, Windows displays the Security Templates add-in, as shown...

... available settings, refer to Chapter 16 of the Microsoft Windows XP Professional Resource Kit Documentation, available at http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/prork_overview.asp

How to Modify Local Security Policy

To modify Local Security Policy, you use the Local Security Policy console (see Figure 16-1), which is found in the Administrative Tools...

Figure 16-1 Use the Local Security Policy tool to set local policies.

When you select a policy folder (for example, the Password Policy folder), the right pane displays the available policies you can set, as shown in Figure 16-2. For each policy, the current setting is also shown.

Figure 16-2 The Local Security Policy tool shows available policies...

... source GPOs

Group Policy Result Tool

Windows XP Professional also supplies a tool named Group Policy Result Tool, which is a command-line utility that helps you determine which policies are actually applied to a computer. You can start this tool by typing Gpresult.exe at the command prompt. The results, shown in Figure 16-7, show the policies...
... disable Windows Firewall globally for all network connections on a computer, or enable and disable it on individual connections.

Exam Highlights

Before taking the exam, review the key points and terms that are presented in this chapter. You need to know this information.

Key Points

■ Repairing a network connection forces several actions, the ...

... 192.168.0.254 to other computers on the network.

Lesson 5 Review, Page 15-58

1. You are troubleshooting a network connection and need to use the Ping command to see if a computer is reachable. ...

Date posted: 09/08/2014, 07:21
