How to monitor the SP2 Firewall exceptions made by the users?

Berni

Hi Guys,

We are testing XP SP2 in our environment and, because we don't know all
applications that are installed on all systems, we will allow program
exceptions on the test systems.
Is there any way to monitor the exceptions made by the users?
We want to document the exceptions made by the users in order to later apply
a GPO with those exceptions.
At the same time I have a question about ICMP traffic: I have run "netsh
firewall show icmpsetting" but it didn't show anything. ICMP is blocked on
the standard profile over GPO and is not blocked in the domain profile that
is also applied by GPO.
How can I verify (if I don't know the GPO settings) if ICMP traffic is
allowed or not? Or is this a bug in the netsh command?

Thanks in advance for any info.

Cheers,

Berni
 
gary

you sure don't know much about security of your network if
you are relying on the xp firewall.
 
Torgeir Bakken (MVP)

Berni said:
> We are testing XP SP2 in our environment and, because we don't know all
> applications that are installed on all systems, we will allow program
> exceptions on the test systems.
> Is there any way to monitor the exceptions made by the users?

Hi

This command will list the allowed program exceptions:

netsh.exe firewall show allowedprogram


In registry, the exceptions will be listed here (note that the entries
that are enabled there have :Enabled: in the entry data):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
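
One way to turn the registry listing described above into an inventory for a later GPO, as an added example that is not part of the original thread: it parses saved `reg query` output for the two List keys and reports enabled exceptions that are not in an approved baseline. The function names and the sample data are hypothetical, and the value layout `<program path>:<scope>:<Enabled|Disabled>:<display name>` is an assumption beyond the ":Enabled:" marker mentioned in the post.

```python
import re

# Constructed sample of `reg query` output for the two List keys (not real data).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    %windir%\system32\example.exe    REG_SZ    %windir%\system32\example.exe:*:enabled:Example Service
    C:\Program Files\Example Chat\chat.exe    REG_SZ    C:\Program Files\Example Chat\chat.exe:*:Enabled:Example Chat
    C:\Tools\sync.exe    REG_SZ    C:\Tools\sync.exe:LocalSubNet:Disabled:Sync Tool

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
    C:\Program Files\Example Chat\chat.exe    REG_SZ    C:\Program Files\Example Chat\chat.exe:*:Enabled:Example Chat
"""

# Assumed value layout: <program path>:<scope>:<Enabled|Disabled>:<display name>.
# The lazy path group lets the drive-letter colon ("C:") stay inside the path.
ENTRY = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE)
PROFILE = re.compile(
    r"\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List$",
    re.IGNORECASE)

def parse_reg_query(text):
    """Return one dict per program exception found in `reg query` output."""
    profile, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        key = PROFILE.search(line)
        if key:                      # key header: remember which profile follows
            profile = key.group("profile")
            continue
        parts = re.split(r"\s+REG_SZ\s+", line, maxsplit=1)
        if profile is None or len(parts) != 2:
            continue                 # blank line, banner, or non-string value
        entry = ENTRY.match(parts[1])
        if entry:
            rows.append({"profile": profile, "path": entry["path"],
                         "scope": entry["scope"], "name": entry["name"],
                         "enabled": entry["state"].lower() == "enabled"})
    return rows

def new_exceptions(rows, baseline):
    """Enabled exceptions whose path is not in the approved baseline."""
    known = {p.lower() for p in baseline}
    return [r for r in rows if r["enabled"] and r["path"].lower() not in known]

if __name__ == "__main__":
    approved = [r"%windir%\system32\example.exe"]   # hypothetical baseline
    for r in new_exceptions(parse_reg_query(SAMPLE), approved):
        print(r["profile"], r["scope"], r["path"], r["name"], sep=" | ")
```

Running it against output collected from each test system shows which user-added programs would need an entry in the GPO, and in which profile they were allowed.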
 
