Tuesday, May 24, 2011

Windows XP Firewall All Ports IP Exception

Windows XP is no longer officially supported by Microsoft, but that does not mean it has ceased to exist in the enterprise. With SP2, Microsoft introduced a built-in firewall (and I use that term loosely) which improved security compared to pre-SP2.

For whatever reason, Microsoft decided to not offer the ability to simply specify a port range. Each specified rule can be related to a service or a port/protocol combination. This might not seem like a major hurdle, until you come across a specific need such as vulnerability scanning.

I recently ran into this issue where I needed to make an exception for a specific vulnerability scanner IP for all port/protocol combinations on a Windows XP machine. Disabling the firewall was not an option because the target network of Windows XP hosts is in a high risk environment and to make matters worse, the users have administrative privileges.

There are two solutions to this problem: you can either run a for-loop that inserts your firewall rules one at a time, or you can update the %windir%\Inf\Netfw.inf file.

For-loop Approach

Run the following from a script or the command line:
FOR /L %I IN (1,1,65535) DO netsh firewall add portopening protocol = ALL port = %I name = scanner mode = ENABLE scope = CUSTOM addresses =
The result of this command is 131070 firewall rules (one TCP and one UDP entry for each of the 65535 ports), all named 'scanner'. It will also take a long time for this command to run.

Based on my test on a VM (1 x 1.6 GHz, 512 MB), I was able to process 66 rules per minute.  So it will take approximately 16 hours to insert all 131070 rules!  :-O

Netfw.inf Approach 

Windows XP firewall has two modes, domain and standard.  Depending on your use scenario, add a variation of the following lines under the appropriate section:
HKLM,"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List","port number:protocol",0x00000000,"port number:protocol:scope:mode:port’s friendly name"
port number – A port is specified by the combination of a protocol and a port number. The port number must be between 1 and 65535 inclusive.

protocol – A port is specified by the combination of a protocol and a port number. The protocol must be either TCP or UDP. 

scope – Permitted values for scope are defined in the “Defining the Scope for an Entry in the Windows Firewall INF File” section of this article.

mode – An entry can be added to Windows Firewall’s default exceptions lists as either enabled or disabled. The two permitted values for this element are enabled and disabled. If a port’s entry is enabled, the port will be statically opened in Windows Firewall. If a port’s entry is disabled, the port will not be statically opened in Windows Firewall.

port’s friendly name – This is the description that will be used to represent the entry in the Windows Firewall Control Panel applet. It should provide an indication of why the port is statically opened, such as "Web Server (TCP 80)" or "Telnet Server (TCP 23)".
Here is a simple python script to help you generate your firewall rules.  Rules are written to 'fw.txt'.  Copy the lines and paste them under the appropriate profile in %windir%\Inf\Netfw.inf.
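The generator script itself is not reproduced on this page, so the following Python script is an added example of my own, not the author's, that writes Netfw.inf lines in the format quoted above to fw.txt. It assumes the Netfw.inf scope syntax `address/255.255.255.255` for a single host (not stated on this page) and uses 192.0.2.10 as a stand-in for the scanner address.

```python
"""Generate Netfw.inf lines opening every TCP and UDP port for one scanner host."""
from typing import Iterator

# Registry key that Netfw.inf populates for statically opened ports. The profile
# is DomainProfile or StandardProfile, matching the two Windows XP firewall modes.
LIST_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\{profile}\GloballyOpenPorts\List")


def inf_line(profile: str, port: int, protocol: str, scope: str, name: str) -> str:
    """Build one Netfw.inf registry line: HKLM,"<key>","<port:proto>",0x0,"<value>"."""
    if profile not in ("DomainProfile", "StandardProfile"):
        raise ValueError(f"unknown profile: {profile}")
    if protocol not in ("TCP", "UDP"):
        raise ValueError(f"protocol must be TCP or UDP: {protocol}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    key = LIST_KEY.format(profile=profile)
    value = f"{port}:{protocol}:{scope}:enabled:{name}"
    return f'HKLM,"{key}","{port}:{protocol}",0x00000000,"{value}"'


def scanner_rules(profile: str, scanner_ip: str, name: str = "scanner") -> Iterator[str]:
    """Yield rules for all 65535 ports x {TCP, UDP}, scoped to the scanner host only.

    The scope form 'address/255.255.255.255' (a single-host mask) is an assumption
    about the Netfw.inf scope syntax, not something this post states.
    """
    scope = f"{scanner_ip}/255.255.255.255"
    for port in range(1, 65536):
        for protocol in ("TCP", "UDP"):
            yield inf_line(profile, port, protocol, scope, f"{name} ({protocol} {port})")


def write_rules(path: str, profile: str, scanner_ip: str) -> int:
    """Write the rules to 'path' (CRLF, as INF files expect) and return the line count."""
    count = 0
    with open(path, "w", newline="\r\n") as fh:
        for line in scanner_rules(profile, scanner_ip):
            fh.write(line + "\n")
            count += 1
    return count


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the real scanner IP.
    n = write_rules("fw.txt", "StandardProfile", "192.0.2.10")
    print(f"wrote {n} rules to fw.txt")
```

Paste the generated lines under the DomainProfile or StandardProfile section of Netfw.inf, whichever profile the host actually runs in (or both).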

To apply the changes, run:
netsh firewall reset
Note: This will take a very long time.

You can verify your rules by running:
netsh firewall show config
