Protecting Clients from Network Attacks


Malicious users or attackers on the Internet create worms and viruses that can reveal or destroy valuable data, and they run tools that attempt to break into your computer. To do this, the tools, viruses, and worms send messages to your client computer, addressed to the ports that various programs use to receive legitimate messages. If the malicious code is able to make contact at a particular port, it may be able to gain entrance to your computer. To limit this security threat, you can enable firewall software, which blocks all ports except the ones you intentionally open. Internet Connection Firewall (ICF) is firewall software that is supplied with Microsoft® Windows XP®.

The steps in this document explain how to:

1. Decide which computers to protect

2. Identify ports that must remain open

3. Enable ICF

4. Open additional ports as necessary

5. Enable security logging as necessary

By following steps in this document, you change your system by enabling ICF and configuring it. Thereafter, ICF runs and helps prevent the computer from responding to the unsolicited messages that malicious code uses to spread and to damage systems and data.

Understand How Applications Use Ports

A port is a connection point that a program uses to communicate with other programs, especially programs running on other computers. Each port is identified by the combination of a transport and a number. The transport can be either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). Specific ports are associated with each type of application or service. For example, the standard port for a Web server is TCP port 80, the standard port for a File Transfer Protocol (FTP) server is TCP port 21, and the Windows Server service that provides file and print sharing receives messages at four ports: UDP ports 137 and 138, and TCP ports 139 and 445.

When you enable ICF, by default it blocks all ports from receiving unsolicited inbound messages. This protects your computer because it blocks the messages that malicious code typically uses to gain access to your computer. ICF does not interfere with most legitimate business software because, as a general rule, that software does not send unsolicited messages to clients. However, there are exceptions to this rule, and if ICF prevents legitimate communication, you can configure ICF to open the ports that the legitimate software uses.

Most services use one or more specific ports, but some services and many applications also pick one or more ports at random from a range that varies depending on the application. If such an application is designed to notify ICF about the ports it picks, then the application will work with ICF. Otherwise, you usually must choose to run the application or ICF but not both. Although it is possible to open every port in the application's range, it is often impractical to open a range that contains more than a small number of ports. Even if it were easy, it would rarely be a wise decision, because increasing the range of open ports generally decreases the security of the computer.

Deciding Which Computers to Protect

It is recommended that you enable ICF on all client computers, including desktop computers that connect only to the organization network. Most organization networks include hardware or software firewalls that screen each connection between the network and the Internet, and in this case it might seem redundant to enable firewalls on the network clients. However, malicious code can bypass the network firewall by infecting an unprotected mobile computer that connects directly to the Internet, and that later connects to the organization network. By enabling ICF on client computers, you help limit the ability of malicious code to spread through your network and damage your systems.

The clients that are most at risk from attack are those that connect directly to the Internet, particularly mobile devices such as laptops. If you choose to protect only a subset of the client computers, it is recommended that you protect the mobile devices.

Consider enabling ICF on server computers, but be aware of these complications:

• Firewalls are much more likely to interfere with server software than with client software, because the purpose of server software is to receive unsolicited inbound messages.

• If the firewall interferes with server software, the resulting problems can be harder to troubleshoot.

• Each conflict that occurs between the firewall and the server software can affect large numbers of clients.

An example of a conflict between the firewall and server software is an application that requires a port that is blocked by the firewall, as described later in this document.

Identifying Ports That Must Remain Open

To minimize the possibility that ICF will interfere with legitimate software, identify the ports that must remain open before you enable ICF. The programs that most commonly require access to ports are listed in the user interface of ICF, and you can select them by name without needing to research the ports that each one uses:

• FTP Server

• E-mail servers that use IMAP3, IMAP4, SMTP, or POP3

• Remote desktop

• Standard and secure web servers

• Telnet server

The next most common programs that require open ports are:

• Internet file sharing or music sharing software.

• Multiplayer games.

• Business software that relies on the server to notify the client when something happens. E-mail servers usually notify clients when new e-mail arrives, and some e-mail servers do this by sending messages to the clients. Database servers can notify clients when a particular database field changes.
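Before enabling ICF you need an inventory of the ports the computer already accepts messages on. The following Python script is an added example, not part of this document or of Windows: it parses a constructed sample of the Windows XP "netstat -an" listing, keeps only the sockets that can receive unsolicited inbound messages, and labels the ones this document names so that anything unlabelled can be researched before the firewall is turned on.

```python
import re

# Well-known ports this document names: (transport, port) -> service.
KNOWN_SERVICES = {
    ("TCP", 80): "Web server (HTTP)",
    ("TCP", 21): "FTP server",
    ("UDP", 137): "File and print sharing (NetBIOS name service)",
    ("UDP", 138): "File and print sharing (NetBIOS datagram service)",
    ("TCP", 139): "File and print sharing (NetBIOS session service)",
    ("TCP", 445): "File and print sharing (SMB over TCP)",
}

# Constructed sample of Windows XP "netstat -an" output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3210      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""

# Proto, local address, local port, foreign address, optional TCP state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_output):
    """Return sorted (transport, port) pairs open to unsolicited inbound messages."""
    # Only TCP sockets in LISTENING state and bound UDP sockets count; an ESTABLISHED
    # TCP connection was opened by a local program and needs no inbound ICF exception.
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port)))
    return sorted(found)


def describe(pairs):
    """Label each pair with the service the document names, or flag it for research."""
    return [(proto, port, KNOWN_SERVICES.get((proto, port), "unknown: identify before opening"))
            for proto, port in pairs]
```

Run `describe(listening_ports(output))` on the real listing from the client; every port labelled "unknown" needs to be traced to its program before you decide whether it must stay open.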
