Networking: Turning Off the Windows Firewall
Feature Impact
High
Brief Description
To avoid the situation where a user-installed firewall (one that is compatible with Windows XP® but incompatible with Windows Vista® and Windows Server® 2008) attempts to turn off the Windows Firewall in Windows Vista and Windows Server 2008, Microsoft has deprecated the Windows XP Service Pack 2 INetFwProfile.put_FirewallEnabled(VARIANT_FALSE) function in Windows Vista and Windows Server 2008. When called on Windows Vista and Windows Server 2008, this function will:
Return an error code of E_NOTIMPL.
Show a message to the user.
Log an appropriate event in the Windows event log.
Manifestation
Applications that use the Windows XP Service Pack 2 INetFwProfile.put_FirewallEnabled(VARIANT_FALSE) function to turn off the Windows Firewall on Windows Vista and Windows Server 2008 will receive an error code.
Remedies
Applications (typically firewalls) replacing the Windows Firewall with their own firewall solution must carefully consider the following security-related points:
Windows Vista and Windows Server 2008 support IPv6 and IPv4 out-of-the-box and will automatically have an IPv6 address; therefore, it is essential that your firewall solution filters both IPv4 and IPv6.
Windows Vista and Windows Server 2008 also support additional IP protocols (for example, GRE, L2TP, PGM, and ICMPv6); therefore, it is essential that your firewall solution supports filtering by arbitrary IP protocol number (IANA protocols 0-255) and by ICMP type and code.
In Windows Vista and Windows Server 2008, there are listening processes in both user mode and kernel mode (for example, system process, http.sys, and smb.sys); therefore, it is essential to filter both user-mode and kernel-mode network traffic.
Microsoft further recommends that these applications:
Do not replace the Windows Firewall unless your application addresses all of the security-related points specified above.
Check the firewall status before your application turns off or disables Windows Firewall with Advanced Security so that it can be restored later if necessary.
Do not turn off the firewall service (mpssvc) since this is the service that enforces Windows Service Hardening restrictions. Instead, use the Windows Firewall APIs to modify the firewall state to "off" so that the firewall is effectively disabled, but the Windows Service Hardening restrictions are still in place.
To protect users, you should disable Windows Firewall with Advanced Security only after:
You have successfully turned on your firewall solution with the recommended settings.
You have notified the user that Windows Firewall with Advanced Security is going to be disabled.
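The sequence recommended above, as an added PowerShell example that is not part of the original article: the Windows Firewall state is read and changed through the Windows Firewall with Advanced Security COM API (HNetCfg.FwPolicy2, the INetFwPolicy2 interface) rather than the deprecated INetFwProfile call, mpssvc is verified to be running and is never stopped, and the previous per-profile state is returned so it can be restored. The script block that checks whether the replacement firewall is active is a placeholder for the vendor's own check, and an elevated session on Windows Vista / Windows Server 2008 or later is assumed.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# session on Windows Vista / Server 2008 or later.
$FwPolicy = New-Object -ComObject HNetCfg.FwPolicy2
# NET_FW_PROFILE2_DOMAIN = 1, NET_FW_PROFILE2_PRIVATE = 2, NET_FW_PROFILE2_PUBLIC = 4
$Profiles = @{ Domain = 1; Private = 2; Public = 4 }

function Get-FirewallState {
    # Record FirewallEnabled for every profile so it can be restored later.
    $state = @{}
    foreach ($name in $Profiles.Keys) {
        $state[$name] = [bool]$FwPolicy.FirewallEnabled($Profiles[$name])
    }
    return $state
}

function Set-FirewallEnabled([int]$ProfileType, [bool]$Enabled) {
    # FirewallEnabled is a parameterized COM property; PowerShell cannot assign to
    # $FwPolicy.FirewallEnabled($p) directly, so set it through IDispatch reflection.
    $FwPolicy.GetType().InvokeMember('FirewallEnabled',
        [System.Reflection.BindingFlags]::SetProperty, $null, $FwPolicy,
        @($ProfileType, $Enabled))
}

function Disable-WindowsFirewallForReplacement([scriptblock]$ReplacementIsActive) {
    # Never stop mpssvc: it enforces Windows Service Hardening even when the
    # firewall state is "off". Refuse to proceed if it is not running.
    $svc = Get-Service -Name mpssvc
    if ($svc.Status -ne 'Running') { throw 'mpssvc is not running; refusing to continue.' }
    # Disable only after the replacement firewall is confirmed active.
    if (-not (& $ReplacementIsActive)) { throw 'Replacement firewall is not active.' }
    $saved = Get-FirewallState
    Write-Warning 'Windows Firewall with Advanced Security is about to be disabled.'
    foreach ($name in $Profiles.Keys) { Set-FirewallEnabled $Profiles[$name] $false }
    return $saved   # caller keeps this for Restore-WindowsFirewallState
}

function Restore-WindowsFirewallState([hashtable]$Saved) {
    # Put every profile back to the state recorded before it was disabled.
    foreach ($name in $Saved.Keys) { Set-FirewallEnabled $Profiles[$name] $Saved[$name] }
}

# Usage; Test-MyFirewallRunning is a hypothetical stand-in for the vendor's own check:
# $saved = Disable-WindowsFirewallForReplacement { Test-MyFirewallRunning }
# ...
# Restore-WindowsFirewallState $saved
```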