Welcome to the 26th installment of “Learn Windows XP Professional in 15 Minutes a Week.” This article will examine the Internet Connection Firewall in Windows XP Professional.
The latest installment in our ‘Learn Windows XP Professional in 15 Minutes a Week’ series overviews the Internet Connection Firewall and explains the basic configuration process.
[NOTES FROM THE FIELD] — The 70-270 exam requires the test taker have an in-depth understanding of the Internet Connection Firewall.
The Windows XP Professional operating system (as well as Windows XP Home and Windows Server 2003, Standard Edition, and the 32-bit version of Windows Server 2003, Enterprise Edition) includes Internet Connection Firewall (sometimes referred to as ICF) as an added feature of the base operating system. Internet Connection Firewall is a stateful firewall — i.e., a firewall that tracks the characteristics of the traffic the firewalled system sends and receives, including the source and destination IP address of each packet it handles, and uses that record to decide which inbound packets may pass.
All inbound traffic from the Internet and other connected networks is compared against entries in the Internet Connection Firewall configuration table. Inbound traffic is allowed to reach the system only when a matching entry in the table shows either that the communication exchange originated from an approved system (that is, it is the return traffic for a connection the system itself opened) or that it is a type of externally originating traffic explicitly permitted to pass to an approved system. An example of the second case is an FTP client connecting to an FTP-enabled system hosting IIS.
An administrator can use Internet Connection Firewall to restrict the information communicated between the Internet and other connected networks. This must be done on a per-adapter basis. If a Windows XP Professional system is connected to the Internet via dial-up, the Internet Connection Firewall can be enabled only on the dial-up connection and configured to its most restrictive setting, in which the only inbound traffic allowed to pass is the return response to a connection that originated from the system and went out through the dial-up adapter. No traffic originating from the Internet would be allowed through the dial-up adapter to the local system, or potentially onward to other systems on the LAN to which the host system might be attached. Leaving the Internet Connection Firewall DISABLED on the Ethernet network interface card (NIC) allows the system to connect freely to other systems on the LAN via the NIC without any special additional configuration. If it were necessary to perform stateful inspection of network packets through the NIC, as might be the case when no dial-up adapter is used and the Internet connection is a DSL or cable modem broadband link, you would instead enable and specify the appropriate Internet Connection Firewall settings on the NIC.
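The stateful behaviour described above (return traffic for connections the system opened is admitted, unsolicited inbound traffic is dropped unless a service entry permits it, and the decision is made per adapter) can be modelled in a few dozen lines. The following simulator is an added example, not code from the article or from Windows; the adapter names, IP addresses and port numbers are constructed, and the table layout is a simplification of the real Internet Connection Firewall configuration table.

```python
"""Toy model of per-adapter stateful filtering in the style of Internet Connection Firewall.

Added example: constructed adapters, addresses and ports; not the real ICF implementation.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    adapter: str     # network connection the packet crosses, e.g. "Dial-up Connection"
    direction: str   # "out" (leaving the host) or "in" (arriving at the host)
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class AdapterFirewall:
    enabled: bool = False
    # Static table entries: (proto, local_port) of services allowed to accept
    # unsolicited inbound traffic (e.g. ("tcp", 21) for an FTP server on IIS).
    services: set = field(default_factory=set)
    # Dynamic table entries recorded when the host opens a connection outbound:
    # (proto, local_ip, local_port, remote_ip, remote_port).
    flows: set = field(default_factory=set)


class IcfModel:
    def __init__(self):
        self.adapters = {}

    def configure(self, adapter, enabled, services=()):
        self.adapters[adapter] = AdapterFirewall(enabled=enabled, services=set(services))

    def handle(self, pkt):
        """Return "allow" or "drop" for one packet on one adapter."""
        fw = self.adapters[pkt.adapter]
        if pkt.direction == "out":
            # Outbound traffic always passes; if the adapter is firewalled, remember
            # the flow so the matching return traffic can be admitted later.
            if fw.enabled:
                fw.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        if not fw.enabled:
            return "allow"          # firewall disabled on this adapter: nothing is inspected
        reverse_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse_key in fw.flows:
            return "allow"          # return traffic for a connection the host originated
        if (pkt.proto, pkt.dst_port) in fw.services:
            return "allow"          # unsolicited, but a configured service entry permits it
        return "drop"               # unsolicited inbound traffic with no matching entry


def run_scenario():
    """Constructed scenario: firewalled dial-up adapter, unfiltered LAN NIC, and a
    broadband NIC with an FTP service entry. Returns the decision for each case."""
    host_dialup, host_lan, host_dsl = "10.0.0.5", "192.168.1.5", "203.0.113.5"
    model = IcfModel()
    model.configure("Dial-up Connection", enabled=True)
    model.configure("Local Area Connection", enabled=False)
    model.configure("Local Area Connection 3", enabled=True, services={("tcp", 21)})

    results = {}
    # 1. Host browses out through the dial-up adapter; the flow is recorded.
    results["dialup_out"] = model.handle(Packet("Dial-up Connection", "out", "tcp",
                                                host_dialup, 1025, "198.51.100.10", 80))
    # 2. The web server's reply matches the recorded flow and is admitted.
    results["dialup_reply"] = model.handle(Packet("Dial-up Connection", "in", "tcp",
                                                  "198.51.100.10", 80, host_dialup, 1025))
    # 3. An unsolicited connection attempt from the Internet is dropped.
    results["dialup_unsolicited"] = model.handle(Packet("Dial-up Connection", "in", "tcp",
                                                        "198.51.100.77", 4444, host_dialup, 135))
    # 4. Same kind of unsolicited packet on the unfiltered LAN NIC passes freely.
    results["lan_unsolicited"] = model.handle(Packet("Local Area Connection", "in", "tcp",
                                                     "192.168.1.20", 3000, host_lan, 445))
    # 5. On the firewalled broadband NIC, FTP control traffic passes via the service entry...
    results["dsl_ftp"] = model.handle(Packet("Local Area Connection 3", "in", "tcp",
                                             "198.51.100.77", 50000, host_dsl, 21))
    # 6. ...but any other unsolicited port on that NIC is still dropped.
    results["dsl_other"] = model.handle(Packet("Local Area Connection 3", "in", "tcp",
                                               "198.51.100.77", 50001, host_dsl, 139))
    return results


if __name__ == "__main__":
    for case, decision in run_scenario().items():
        print(f"{case:20s} {decision}")
```

Case 4 is the point the article makes about leaving the firewall disabled on the NIC: the same packet that is dropped on the firewalled dial-up adapter is passed untouched on the LAN adapter, which is exactly why the feature has to be enabled on whichever adapter actually faces the untrusted network.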
[NOTES FROM THE FIELD] — The next section outlines how to enable the Internet Connection Firewall by starting from the Control Panel. The example will use the Classic view of the Control Panel. For those uncomfortable using this view, we recommend following the steps outlined on the Microsoft Web article Use the Internet Connection Firewall, which uses the Category view.
To select the specific network connection to enable the Internet Connection Firewall, go to the Control Panel and open the Network Connections panel. Depending on which adapters are installed on the system, a list of available network connections will appear.
[NOTES FROM THE FIELD] — You might notice some of the enabled LAN or high-speed Internet connections are already firewalled; these are shown with the little lock in the upper-right-hand corner of the icon. Those without the lock are not firewalled via the Internet Connection Firewall. (The system itself may be firewalled via a hardware device, such as a Linksys router, but not by the Internet Connection Firewall software itself.)
Essentially, this means an external party could establish a connection to the system while the user is dialed into the Internet via, for example, a Prodigy dial-up connection, because that connection is not protected against such a connection attempt.
However, if the user is connected to the Internet via Local Area Connection 3, in which a NIC connection is made via a DSL modem, an inbound externally originating connection cannot be made to the system.
To secure the system in a similar manner for dial-up users connecting to the Internet, you must enable the Internet Connection Firewall on the dial-up connection as shown in the upcoming steps.
The walkthrough that follows explains how to enable the Internet Connection Firewall on a dial-up connection. To begin, highlight the connection, right-click it and choose Properties, then go to the Advanced tab as shown below.
Select the “Protect my computer and network by limiting or preventing access to this computer from the Internet” check-box in the Internet Connection Firewall section.
To use the default settings (which are usually secure and require limited tuning in a home environment), simply click OK to allow them to take effect.
[NOTES FROM THE FIELD] — The captioning in the Internet Connection Firewall section is somewhat misleading. Enabling the “Protect my computer and network by limiting or preventing access to this computer from the Internet” check-box protects the system from incoming traffic arriving on that network device, whether or not that traffic comes from the Internet. If the check-box is enabled on the Local Area Connection for your NIC and you are connected to a LAN only, you would be “protecting” your system by limiting or preventing access to it from the LAN itself.