
Microsoft Firewall

Discussion in 'Networking (Hardware & Software)' started by Dakota, 2007/01/03.

  1. 2007/01/03
    Dakota

    Dakota Well-Known Member Thread Starter

    How do I set the Microsoft Firewall so that all the ports are blocked and I won't be seen? I have tried a few tests and I am not in Stealth mode at all. Which means I am vulnerable....:mad:
     
  2. 2007/01/03
    Bill Castner

    Bill Castner Inactive

    If by "stealth mode", you mean that ICMP traffic is disabled, then Windows Firewall is capable of stealth mode and is enabled for stealth mode by default (unless the file and printer sharing exception is enabled, in which case ICMP echo traffic is allowed).

    If you are referring to a GRC "ShieldsUP" sort of testing, you need to be behind a NAT router to return "stealth". Without a NAT router in front of your internet connection, the test shows that your ports are "closed."

    This is to be expected, and you are perfectly safe.
     
    Last edited: 2007/01/03


  4. 2007/01/03
    Dakota

    Dakota Well-Known Member Thread Starter

    What do you mean NAT router? I have a WRT54G Linksys Router.
     
  5. 2007/01/03
    James Martin

    James Martin Geek Member

    Not trying to answer for Bill, but I found this on Google.
     
  6. 2007/01/03
    Dakota

    Dakota Well-Known Member Thread Starter

    I guess that I do have a NAT Router then. Thanks James, and Bill. So then if all the blocks in ShieldsUP come up blue, I am still safe, right, even if it says my machine failed? I am just not as familiar with networking as I would like to be.
     
  7. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    The WRT54G is a NAT router.

    In its configuration page, enable the feature to block WAN requests.

    Test again.

    But you are perfectly safe no matter what Steve Gibson might think at ShieldsUp.
     
  8. 2007/01/04
    visionof

    visionof Inactive

    One of the router's side functions in addition to the purpose of allowing you to share your internet connection is to give "NAT" function.
    (NAT stands for Network Address Translation) What this means is that all that is seen in the internet side is your one ip. It is like a door to a hallway.
    Intruders know that there is a door. But they do not know what is behind it or the addresses of the doors behind the first door. A first measure of security.
    As well you may want to ensure that the firewall function in the control panel of your Linksys router is turned on.
    You enter the control panel by entering
    http://192.168.1.1 into your browser.
    Proxy has to be turned off in your internet settings.
    Default password to get into the router control panel is
    user: admin
    pw is blank


    From the GRC site ( where you can do a security scan) :

    What does a NAT router do?
    A NAT router creates a local area network (LAN) of private IP addresses and interconnects that LAN to the wide area network (WAN) known as the Internet. The "Network Address Translation" (NAT) performed by the router allows multiple computers (machines) connected to the LAN behind the router to communicate with the external Internet.
    The most common use for NAT routers is serving as an "interface" between the global public WAN Internet and a private non-public LAN:


    One of the key benefits of NAT routers (and the main reason for their purchase by residential and small office users) is that the router appears to the Internet as a single machine with a single IP address. This effectively masks the fact that many computers on the LAN side of the router may be simultaneously sharing that single IP. This is good for the Internet since it helps to conserve the Net's limited IP space.

    http://askmarvin.ca/router.html

    A friend desperately wanted a product called "Alphashield" which has a wonderful description on its box as the ultimate internet protection device.
    I ran a number of tests early one morning on a cable broadband connection with combinations of Windows XP SP2, Alphashield, Linksys WRT54G router and a cheaper Gigafast router.
    I ran tests with the GRC and Symantec/Norton online security attack tests.
    The summary is :

    - The Linksys WRT54G and the Windows XP firewall protected all ports fully
    - The Alphashield and the Windows XP firewall protected all ports and basically covered the same thing.
    - The Gigafast Router with the Windows firewall left one port open ( believe port 58).

    The one advantage of the Alphashield product is that it has zero configuration that is you just plug it in.
    If a person was technically inexperienced and did not have anyone to setup a router for protection of the NAT the Alphashield product would do the same security protection. I do not know if the device would be termed to use NAT or not. There still would be the one ip showing. The ip is not being split on the computer side.
    Especially if a computer user had a single computer with a DSL connection this would afford simple setup without paying or begging someone to come and set up the device.
    Interestingly though the Alphashield has confusing power switch buttons.
    The device can have its three lights on so you would think it is working but be in the off position. You have to hit the other large switch of the two on top of the Alphashield.
     
  9. 2007/01/04
    Dakota

    Dakota Well-Known Member Thread Starter

    My Router is the new Linksys WRT54G, ver6. The updated firmware from Linksys has been downloaded and installed. I have a friend who has one that was a ver2 when he bought it and now on his last update it changed to a WRT54GL. He has on the setup for Block Wan Requests, this: Firewall Protection, enable or disable, my new router does not have that under Block Wan Requests, so I am assuming that it is not able to be disabled. Under Block Wan Requests I have them all checked except for "Filter Internet NAT Direction". I don't see any real settings to enter on Microsoft Firewall.
     
  10. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    Control Panel, Security Center, Firewall settings, Advanced tab, ICMP settings button.

    Uncheck every entry there.

    If your mail service stops accepting sent mail, you will have to enable incoming router requests.

    But no matter what you do, you are perfectly safe. At this point between changing router defaults and changing firewall defaults you could easily end up without email and internet access.

    You are not at risk.
    Your ShieldsUP shows the status of closed on all ports. Why do you want to create the less secure stealthed choice? I am not even sure that under the new WRT54G that choice is even possible.

    If an ICMP request is made to a port and it answers nothing -- the port is closed. If it refuses the request affirmatively, the port is stealthed. For IP scanning hackers a "stealth" return says "there is a router here, this is a valid IP to attack" whereas the "closed" result suggests this is not a valid IP address.
     
  11. 2007/01/04
    Dakota

    Dakota Well-Known Member Thread Starter

    Question then, why when it shows all ports closed, does it say it failed the test? I also would think if all ports are closed, it would be safer too. BTW was unable to uncheck the top box.
     
    Last edited: 2007/01/04
  12. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    My honest answer is that the Gibson site test stinks.

    Even if you changed no settings whatsoever, but added the WRT54G and left XP at default settings for its firewall, you are perfectly safe.

    Test here:
    Symantec Security: http://security.symantec.com
    DSL Reports Port Scanner: http://www.dslreports.com/scan

    And look at the Gibson site and see how many times it has been dropped by DDoS attacks. And you are thinking of trusting his advice?

    He has no credibility in the security community.
     
  13. 2007/01/04
    ReggieB

    ReggieB Inactive Alumni

    This is not an ICMP specific issue. ICMP doesn't require ports as it doesn't have higher protocols to identify via a port number. It will affect other network communications that run on IP such as UDP, but in particular TCP.

    Any TCP/IP communication will work up through the protocol stack from bottom to top. By the time you get to the port level (layer 4 - transport layer) you have completed checks at lower layers including IP (layer 3 - network layer) so the receiving node will already have assessed that the IP address is correct for example.

    TCP is by design a connection orientated protocol; that means it actively tries to maintain connections and reports back on problems encountered. If the port specified is closed it reports back to the sending node via a TCP packet with a TCP flag set as 010100 (0x14). This tells the sender that communication has failed because the specific port was closed.

    However, if you are a malicious attacker, it also tells you that they've hit an active IP and while the port they first tried is inactive, there may be other ports worth trying.

    So a status of closed means connections will fail, and connection orientated communications will respond to failed connection attempts.

    Modern firewalls suppress the TCP response. When a connection comes in to a port that is closed, rather than returning a TCP packet with the TCP flags set at 010100, the system sends nothing back. This is stealth mode. This can make debugging a connection problem more difficult and is an infringement of TCP RFCs, but makes it more difficult for malicious systems to identify active IP addresses via basic scans.

    Therefore, having closed ports is good, but stealth ports are better.
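
The closed-versus-stealth distinction described in the post above, as an added example that is not part of the original thread: it reads the flag byte of a raw TCP header and maps the reply to a probe onto the verdict an online port test would report. The function names and the sample headers are constructed for illustration, and the SYN+ACK value (0x12) for an open port is standard TCP behaviour rather than something stated in the post.

```python
import struct

# The six classic TCP flag bits (low six bits of byte 13 of the TCP header).
FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def tcp_flags(header: bytes) -> int:
    """Return the six flag bits from a raw TCP header."""
    if len(header) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    return header[13] & 0x3F


def flag_names(flags: int) -> list:
    """Human-readable names of the bits set in a flag value."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]


def classify(reply) -> str:
    """Verdict for one probed port.

    reply is the raw TCP header that came back, or None if nothing came back.
    """
    if reply is None:
        return "stealth"      # firewall dropped the request silently
    flags = tcp_flags(reply)
    if flags & 0x04:          # RST set; 0x14 (010100) is RST+ACK
        return "closed"
    if flags & 0x12 == 0x12:  # SYN+ACK: something is listening
        return "open"
    return "unexpected"


def make_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample: a minimal 20-byte TCP header with the given flags."""
    offset_and_flags = (5 << 12) | flags  # data offset of 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 1, offset_and_flags, 0, 0, 0)


# Constructed replies for three probed ports (not captured traffic).
SAMPLE_REPLIES = {
    80: make_header(80, 40000, 0x12),
    139: make_header(139, 40000, 0x14),
    445: None,
}


def verdicts(replies: dict) -> dict:
    return {port: classify(reply) for port, reply in replies.items()}
```
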
     
  14. 2007/01/04
    ReggieB

    ReggieB Inactive Alumni

    This is the key point. While getting stealth for all ports is nice to have, having all ports closed is still a good position to be in.
     
  15. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    Thanks ReggieB,

    That is an excellent correction to my mis-statements about using ICMP to port test, and the whole issue of "closed" vs. "stealth".

    Great stuff.

    I did too want to correct the DSL Reports link I gave earlier, as this tool is down at the moment.

    Other alternatives:

    http://www.hackerwatch.org/probe/

    See the links and discussion here: http://cybercoyote.org/security/tests.shtml
     
  16. 2007/01/04
    Dakota

    Dakota Well-Known Member Thread Starter

    DSL Reports Port Scanner is close, and Symantec Security also gave me the same reports as closed but not Stealthed. It also says that I am protected but Stealth is better.
     
  17. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    See the comments by ReggieB and my subsequent comments.

    But I hold by my first comment in this thread:
     
    Last edited: 2007/01/04
  18. 2007/01/04
    Dakota

    Dakota Well-Known Member Thread Starter

    M$ Firewall settings are:
    Under the Exceptions Tab: File and Printer Sharing, and these ports are open:
    TCP 139 Subnet, TCP 445 Subnet, UDP 137 Subnet & UDP 138....

    UPnP Framework is blocked.
    Should I close the ones under File and Printer Sharing?
     
  19. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    It will not make a difference.

    XP's firewall distinguishes the scope of any exception. In other words, any port you can specify that allows all traffic from your subnet (your LAN) is permitted, will block by its scope anything outside the IP range and Subnet specifications of your LAN.

    Since you are behind a NAT router, you are using on each workstation an IP that is not routable on the internet.

    By default XP will only use your subnet when you choose file and printer sharing as an exception. It will never permit a WAN-side access to these ports.

    Blocking UPnP is up to you; it seems you have read some Steve Gibson. All I can tell you is that UPnP is not enabled by default, and if enabled is restricted to your subnet, and if you move to Windows Vista it is UPnP and SSDP discovery that replaces NETBIOS for hostname resolution. But in your setting whatever you do with UPnP and Windows XP SP2 firewall will make no difference in your testing results.

    And I wish Stevie would drop the UPnP nonsense. He was wrong when he wrote it, and has been completely wrong since Service Pack 1 of XP. That was five years ago. Ask in Mr. Gibson's Forum for an example where UPnP was ever exploited.
     
    Last edited: 2007/01/04
  20. 2007/01/04
    Dakota

    Dakota Well-Known Member Thread Starter

    Actually, that was not from Steve, I was just looking around in there, and was hoping I would come up with something that would set up Stealth. If I am safe as is, then I guess I should let it go, but do like to tweak some. I know there is a difference in Routers from the older versions to the newest, and that did make sense on maybe not being able to go stealth on this new one. There may be a new firmware in the future that will allow it, who knows. Thanks Bill for all the info.
     
  21. 2007/01/04
    Bill Castner

    Bill Castner Inactive

    Steve Gibson is the Rush Limbaugh of security. As long as he bashes Microsoft he will have a following.

    My concern is not Steve, but what you carry away from the Forums about UPnP and SSDP. These client services are core elements in the future plans for Windows Networking in non-Domain settings. They are safe, reliable, and relative to NETBIOS -- of low overhead.

    Ignore the advice.
     
