XP2 Windows Firewall: How does except traffic by program work?

Franz Schenk

Haven't found any information about this subject, how this feature works:

Suppose an external Website requests communication to a program or a process
that is always running on an XP SP2 machine, Windows Firewall pops up a
window, the user selects "yes allow - do not ask again" what will happen?

- Which ports will be open then? Is it possible to view which ports are open
by an exception program?
- Will this or another Website always be able to communicate with the XP SP2
machine?
- Will Windows Firewall prompt the user again when the Website tries to
communicate with the XP SP2 machine to the same application over additional,
other ports?
- Is the communication restricted to the process of the specified
application?
- What happens when the specified application is updated or replaced? Is the
exception in the Windows Firewall still valid and in operation?

Thank you all in advance for hints and explications!
Franz

Torgeir Bakken (MVP)

Franz said:
> Haven't found any information about this subject, how this feature works:


I'll try to address your questions below, but first some
documentation links for more information about this feature:

Description of the Windows Firewall feature in Windows XP
Service Pack 2
http://support.microsoft.com/default.aspx?kbid=843090

See page 3 here:

Understanding Windows Firewall\Introduction
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx


For more detailed information, see the Windows Firewall chapter
(page 25 to 42 for me) in the document 02_CIF_Network_Protection.DOC,
downloadable from
http://www.microsoft.com/downloads/...d7-b791-40b6-8364-685b84158c78&DisplayLang=en

Note: WinXPSP2_Documentation.zip contains all the .doc downloads...

> Suppose an external Website requests communication to a program or a process
> that is always running on an XP SP2 machine, Windows Firewall pops up a
> window, the user selects "yes allow - do not ask again" what will happen?

This popup cannot be triggered by an application outside your computer,
only by a local application that tries to set up a TCP listener or UDP
bind to a non-wildcard port.

> - Which ports will be open then?

Whatever port the application needs to open.

> Is it possible to view which ports are open
> by an exception program?
Yes.


> - Will this or another Website always be able to communicate
> with the XP SP2 machine?

Again, for applications (a local one that is) on the exception list,
the firewall will only open ports that this application is actively
listening to. This means that your application needs to be running
for an external application to be able to communicate with it.

> - Will Windows Firewall prompt the user again when the Website tries to
> communicate with the XP SP2 machine to the same application over additional,
> other ports?

Again, this is not relevant, it is the local app that controls this.

> - Is the communication restricted to the process of the specified
> application?

I think so.

> - What happens when the specified application is updated or replaced? Is the
> exception in the Windows Firewall still valid and in operation?

The local application is added to the exception list with a full path
to it. You can update and replace the app as long as the name and
path are the same.

aldousd666

> The local application is added to the exception list with a full path
> to it. You can update and replace the app as long as the name and
> path are the same.

I don't know if I like that feature -- think of a user logged on with
admin privs who opens an email attachment that overwrites outlook.exe
with a virus of the same name. It will have unrestricted access to
the internet then, and that's no good. The application exception
feature sounds like a disaster waiting to happen, and it actually
funnels virus writers into naming their virus files after valid
windows programs, and writing them at normal path locations.

Truly the firewall does limit some traffic, and that's better than we
were doing before -- but it waves a white flag over valid apps
installed at standard paths, like outlook, in the face of the virus
writers that wasn't there before.

Is there a way to wildcard a port exception from a particular server,
like the exchange server, so that I don't have to open all traffic to
say, 'outlook.exe'?

I think that opening a pipe to a particular server is a smaller hole
than opening it for a file of a particular name and path on the client
machine.

Let me know
--dave

-- btw Torgeir, my hat's off to you, I use more of your information on
the newsgroups probably than any other MVP out there. I'm a fan for sure.
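
As an added example, not code from this thread or from Microsoft: a small Python audit for the concern raised above. XP SP2 keys each program exception on the executable's full path and stores the entries as `path:scope:Enabled:name` strings in its AuthorizedApplications list, so the defensive check is to record a hash of each excepted binary and flag any enabled exception whose file on disk no longer matches. The entries, file names, contents and baseline below are constructed; reading the live list from the registry (winreg) is assumed to be done by the caller.

```python
"""Audit XP SP2 Windows Firewall program exceptions against a hash baseline.
The firewall keys each exception on the executable's full path, so a binary
swapped in place keeps its exception. Entries use the XP SP2 registry value
format path:scope:Enabled|Disabled:name; reading them (winreg) is the caller's job."""
import hashlib
import os
import pathlib
import tempfile

def parse_entry(value):
    """Split 'path:scope:state:name' into (path, scope, enabled, name). The path
    holds a drive colon, so split from the right; %VAR% expands on Windows only."""
    path, scope, state, name = value.rsplit(":", 3)
    return os.path.expandvars(path), scope, state.lower() == "enabled", name

def sha256_file(path):
    """SHA-256 hex digest of the file at path, or None if it is absent."""
    p = pathlib.Path(path)
    return hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None

def audit(entries, baseline):
    """Map each enabled exception path to 'ok', 'changed' (digest differs from
    baseline), 'missing' (file gone) or 'unbaselined' (no recorded digest)."""
    report = {}
    for entry in entries:
        path, _scope, enabled, _name = parse_entry(entry)
        if not enabled:
            continue  # a disabled exception opens nothing
        digest, key = sha256_file(path), os.path.normcase(path)
        if digest is None:
            report[path] = "missing"
        elif key not in baseline:
            report[path] = "unbaselined"
        else:
            report[path] = "ok" if baseline[key] == digest else "changed"
    return report

def demo():
    """Constructed scenario: a baselined exception whose binary was swapped in place."""
    with tempfile.TemporaryDirectory() as d:
        mail, im = os.path.join(d, "outlook.exe"), os.path.join(d, "msmsgs.exe")
        pathlib.Path(mail).write_bytes(b"original mail client bytes")  # constructed stand-in
        pathlib.Path(im).write_bytes(b"constructed messenger bytes")
        baseline = {os.path.normcase(mail): sha256_file(mail)}
        pathlib.Path(mail).write_bytes(b"different bytes, same name and path")  # simulated swap
        entries = [f"{mail}:*:Enabled:Microsoft Office Outlook",
                   f"{im}:LocalSubNet:Enabled:Windows Messenger",
                   f"{os.path.join(d, 'gone.exe')}:*:Enabled:Uninstalled tool",
                   f"{os.path.join(d, 'off.exe')}:*:Disabled:Disabled entry"]
        return audit(entries, baseline)
```

`demo()` reports the swapped mail client as `changed`, the unrecorded messenger as `unbaselined` and the removed tool as `missing`; a real run would feed it the registry strings and a baseline taken from a known-good system.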

Torgeir Bakken (MVP)

aldousd666 said:
> The local application is added to the exception list with a full path
> to it. You can update and replace the app as long as the name and
> path are the same.


> I don't know if I like that feature -- think of a user logged on with
> admin privs who opens an email attachment that overwrites outlook.exe
> with a virus of the same name. It will have unrestricted access to
> the internet then, and that's no good.
> [snip]

(sorry for the late followup, been away on a short vacation)

In theory, yes, this looks a bit "shaky", but as most Microsoft
executables are protected files, if you replace one of them, the
file protection system will kick in and put back the good file.

> -- btw Torgeir, my hat's off to you, I use more of your information on
> the newsgroups probably than any other MVP out there. I'm a fan for sure.

Thanks :)