Full Version: Finding other firewalls
Rob McIntosh
I can use the netsh command "netsh firewall show state" to see whether the Windows XP firewall is on or off, but if it is off how can I find out if there is another firewall product running?
Hunter
In XP what version do you have..and what SP version ?

go to start..control panel..click on the security center and that should tell you about what firewall and the status.


FYI..win xp pro has the Windows ICF firewall installed by default

win xp home did not..you had to manually go back to your win xp home CD and install it..

But then came SP2 for win home..and it then installed the win ICF firewall ( XP firewall) for everyone who upgraded to that Service Pack version.

I have made a screenshot of this Security Center on WinXP


Profile names.
You can configure the firewall to behave one way when it's inside your intranet and differently when it's outside on the public Internet. Those two behaviors are called profiles, and the final version of SP2 calls them domain and standard. (Earlier versions called them domain and mobile or corporate and other.) The command line and Group Policy refer to these profiles by the same name, unlike earlier versions. You can ask the firewall which profile it's currently using by typing

netsh firewall show state
at a command line. . . .


An exception may not show up in the Windows Firewall graphical user interface if you create the exception by modifying the registry

http://support.microsoft.com/kb/897663


WORKAROUND
To work around this behavior use one of the following methods.

Method 1: Append a name to the registry value
To work around this behavior, append a name to the registry value. For example, change 12345:TCP:*:Enabled to 12345:TCP:*:Enabled:exception name.

Method 2: Use the netsh firewall command
To work around this behavior, you can see the exceptions that you have created in the registry by using the netsh firewall command. To do this, follow these steps:
1. Click Start, click Run, type cmd, and then click OK.
2. Type netsh firewall show state verbose = enable, and then press ENTER.
3. Search the output text for the following text:
Ports currently open on all network interfaces
The ports and programs that are listed in the Ports currently open on all network interfaces section are unblocked. Additionally, these unblocked ports and programs represent enabled program or port exceptions.



Windows Firewall Tools and Settings
http://technet2.microsoft.com/WindowsServe...33.mspx?pf=true
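The KB workaround above comes down to reading the `netsh firewall show state verbose = enable` output by eye. As an added example (not part of the original posts or of the KB article), this sketch parses that output into the firewall settings and the "Ports currently open on all network interfaces" rows; the sample text and its column layout are constructed for illustration and are an assumption about the XP SP2 format.

```python
import re

# Constructed sample of `netsh firewall show state verbose = enable` output
# (layout assumed from Windows XP SP2; not captured from a real host).
SAMPLE = """\
Firewall status:
-------------------------------------------------------------------
Profile                           = Standard
Operational mode                  = Enable
Exception mode                    = Enable
Notification mode                 = Enable

Ports currently open on all network interfaces:
Port   Protocol  Version  Program
-------------------------------------------------------------------
12345  TCP       IPv4     (null)
3389   TCP       IPv4     (null)

Additional information
"""

SECTION = "Ports currently open on all network interfaces"
ROW = re.compile(r"^(\d+)\s+(TCP|UDP)\s+(\S+)\s+(.*)$")

def parse_state(text):
    """Return (settings dict, list of open-port tuples) from netsh output."""
    settings, ports, in_ports = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(SECTION):
            in_ports = True
        elif in_ports:
            m = ROW.match(line)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(4).strip()))
            elif line and not line.startswith(("Port", "-")):
                in_ports = False  # a new section started
        elif " = " in line:
            key, value = line.split(" = ", 1)
            settings[key.strip()] = value.strip()
    return settings, ports

def windows_firewall_on(settings):
    """True only if the Operational mode line reads Enable."""
    return settings.get("Operational mode", "").lower() == "enable"

if __name__ == "__main__":
    s, p = parse_state(SAMPLE)
    print("Windows Firewall on:", windows_firewall_on(s), "| profile:", s.get("Profile"))
    for port, proto, program in p:
        print(f"open {port}/{proto} program={program}")
```

A result of `False` from `windows_firewall_on` only describes the Windows Firewall itself; it says nothing about whether a third-party firewall is running.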
Hunter
Have you ever tried using..

Process Explorer for Windows v10.21

to determine what is running ?

http://www.microsoft.com/technet/sysintern...ssExplorer.mspx



Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack2

http://www.microsoft.com/downloads/details...;displaylang=en
Hunter
Besides Process Explorer, which looks for active tasks, look in LSP / Winsock for unknown drivers. Autoruns, another SysInternals product, is good here.


http://nitecruzr.blogspot.com/2005/12/lsp-...g-log-from.html
Rob McIntosh
Excellent information Hunter. Thanks.

I'm not sure if I asked the question that well, as it didn't quite hit the spot. Then again, from the tools links, I gather the answer might be that it can't be done. Let me explain a bit more.

I want to interrogate (friendly) personal computers that connect to my server to check that they are running a personal firewall product. I can do that for the Windows XP SP2 firewall by running the "netsh firewall show state" command. But if I find the Windows XP SP2 firewall is off, this doesn't seem to mean that there is no firewall, it might just mean that another firewall product (Symantec, Norton, etc. etc.) has taken over.

I wanted to know if there is any way to ask Windows XP what firewall product (image?) is running. A brute force approach where I search for every firewall process running seems inefficient and problematic. Is this possible, or do these other products just turn the XP firewall off without leaving information in any consistent place that they have taken over?
Hunter
Some people run both the ICF and a commercial firewall product. I do not know any commercial firewall that turns off the ICF firewall when installed. The user must do that or someone with admin privileges on that machine. ICF is a stateful packet filter. The tracking of state allows ICF to make better decisions and support a more comprehensive ruleset than traditional packet filters. By default, the ICF ruleset is very secure and denies all traffic from the Internet, including ICMP echo requests (ping packets). This makes your computer virtually invisible to attackers attempting to probe your machine.

Approaching from the standpoint that you are trying to do..being a member of a computer user group :)
This article might give you some ideas on what you could do since they are friendly.




Windows ICF: Can't Live With it, Can't Live Without it

http://www.securityfocus.com/infocus/1620


David mentions some tools..but I do not think you will ever be able to find out which firewall product they use unless you have more control over their PC than you really want to have in this case. But I will look some more.
That article is a good read in any case to understand just what this ICF can really do, and its limitations.

Nevertheless the question begs to be asked.

Why do you even want to do something like this in the first place ? Can you explain the specific circumstance where this would benefit you and the user even if you could do this? Are you responsible for the Security of these users ?
Hunter
Hmm..I could be wrong about what other commercial firewall might do to ICF


Messages About Or Problems With Windows Firewall

Messages that say Windows cannot display the Windows Firewall Settings or problems opening Windows Firewall occur when some other program or service (usually another firewall) has disabled the utility. If you don’t think you have a firewall, it’s possible your security suite includes one of which you are not aware. Find out and don’t try to open Windows Firewall if you are protected elsewhere.

If you do not have firewall protection and are getting a similar message, you should be able to restart Windows Firewall. From the Start menu, select Run, type Services.msc in the Open box, and click OK. From the list of services, locate and right-click Windows Firewall/Internet Connection Sharing (ICS). Select Properties, and under Startup Type click the drop-down menu and select Automatic. Under Service Status, click the Start button.

If this doesn’t work, select Run from the Start menu and type Rundll32 Setupapi,InstallHinfSection Ndi-Steelhead 132 %windir%\inf\netrass.inf in the Open box and click OK. Restart WinXP, return to the Run command and type NETSH FIREWALL RESET, click OK, and follow the prompts. This should restart Windows
Rob McIntosh
Hunter, thanks for another excellent article - Windows ICF: Can't Live With it, Can't Live Without it - especially in its acknowledgment that despite how good ICF is, it may still not be satisfactory in corporate situations.

> Why do you even want to do something like this in the first place ? Can you explain the specific circumstance where this would benefit you and the user even if you could do this? Are you responsible for the Security of these users ?

I am leading a team that is deploying a new global application in a corporation. Our corporation, like most, is somewhat paranoid about security. Our application gives access to corporate resources that were not previously made available outside our network.

Our users, who happen to be employees (friendly), but not necessarily on the same corporate SOE around the globe, might unwittingly be using workstations that have been compromised and therefore present a threat to the corporate resources that we are exposing. Our corporation wants to ensure that the users are running a firewall and an antivirus as minimal protection from being compromised. We are unable to force that our users adopt the corporate SOE firewall and antivirus, so we are trying to detect that they are running *any* firewall and antivirus product. [Don't want to get into a debate about how sensible or otherwise this is.]

So I was hoping that there was a way we could easily track down what firewall product a workstation might be using, or in some manner confirm that a firewall is enabled. [The same requirement goes for antivirus products, but at least most of them seem to have a process name that says antivirus somewhere.]
Hunter
I thought so..and I am with you 100% in your actions and desires..so many small and large businesses have the same set up and policy with those needs. Some in your position have told me they physically control even every laptop that comes into their facility..and make the user drop it off for the IT department to check out before they are able to even come close to their network.

That sure is a time consuming and expensive proposition. Going to look into this further. Thanks Robert, will post what I find.
Hunter
This is also interesting from the Q and A exchange with the people who developed the ICF at Microsoft.

Q: When the Firewall pops up and says it's blocking activity, is there a reason it doesn't tell us what *kind* of activity, such as "Trying to listen on 1234/tcp"? Even with a [Details] tab?
A: We felt that such info wasn't of significant interest as most applications don't run on fixed ports and isn't directly answering the question of whether you want to trust the program. This information is available in the security event log if you enable such events in your local security policy. It's also available at the command line with "netsh firewall show state verbose=enable".