Microsoft Windows XP Networking Inside Out


Part 2: Internet Networking

Chapter 5: Using Internet Connection Firewall

note If an entry written to the log file has no applicable information for a field, a hyphen (-) is placed in the field instead.

Table 5-1. Information Recorded in the ICF Log File

Date. Indicates the date when the action took place; listed as year, month, day.

Time. Indicates the time when the action took place; listed as hour, minute, second.

Action. Lists the action that took place, such as open, close, drop, or info-events-lost (which refers to a number of events that took place but were not recorded in the log).

Protocol. Lists the protocol that was in use for the connection, such as TCP, UDP, ICMP, and so on.

Src-IP (Source IP). Lists the source IP address of the computer that attempted the communication. This can be your computer or a computer on the Internet.

Dst-IP (Destination IP). Lists the destination IP address, which is the destination of the communication sent by the source. This can be a computer on the Internet or your computer.

Src-port (Source Port). Indicates the source port that was used by the source computer. The port number can range from 1 to 65,535 and is only recorded for TCP or UDP protocols.

Dst-port (Destination Port). Indicates the port used by the destination computer. This is also either a TCP or UDP port ranging from 1 to 65,535.

Size. Indicates the size of the packet in bytes.

TCPflags. Lists control flags in the header information of a packet. Common flags include Ack (Acknowledgment), Fin (no more data from sender), or Rst (reset). This field and the ones that follow are included for completeness, but they require a greater knowledge of TCP/IP to be useful. Search the Internet for RFC 793 to learn more about TCP/IP headers.

TCPsyn. Notes the TCP sequence number of the packet.

TCPack. Notes the TCP acknowledgment number in the packet.

TCPwin. Notes the TCP window size (in bytes) in the packet.

ICMPtype. Notes the ICMP type field number, if an ICMP message.

ICMPcode. Notes the ICMP code field number, if an ICMP message.

Info. Contains information about the type of action that occurred, if applicable.

Using the ICF Log as Big Brother

If several people use the Windows XP computer on which you have enabled ICF, you can use the ICF log file as a way to sample what other users are accessing on the Internet. ICF records one log file on the computer regardless of which user is accessing the Internet, so you can monitor all traffic using the single log file. Bear in mind that the ICF log is not designed as a snooper program, but it can be used to find out which Web sites have been accessed over the ICF-protected connection. If you want to find out, follow these steps:

1. Log on with an account that has administrative privileges.

2. Ensure that the firewall log has been configured to log successful connections.

3. Open the firewall log. Locate an open connection and copy its destination IP address.

4. Open Internet Explorer or another Web browser, paste the destination IP address into the Address bar, and press Enter.

5. The browser will resolve the IP address, and the Web page will appear. Now you know which Web site was accessed.

6. For additional security, place the firewall log into an encrypted folder to make sure other users cannot access and modify it. Also, anyone else logged on with an administrator account (including anyone who uses the computer while logged on under your administrator account) can turn off the log if they know how. They can then surf and turn the log back on afterward.


Enabling Services

Because ICF blocks all incoming communication that is not explicitly requested, some services will not work with ICF unless you make further configurations. For example, if you are hosting a Web site on your computer and users try to access your Web site, the packets arriving at your computer will be dropped because they were not solicited. Or, if you want to access your computer from a remote location using Remote Desktop, ICF will not allow the communication because it is not solicited.

Because the blocking functions of ICF by default affect all protocols and ports, you might want to override the ICF behavior for certain services so that they will work with ICF. To enable a service to work with ICF, follow these steps:

1. Open Network Connections.

2. Right-click the ICF-protected connection and choose Properties.

3. Select the Advanced tab and click the Settings button.

4. On the Services tab, shown in Figure 5-4, select each service that you want to enable. Remote Desktop is enabled in this figure.


Figure 5-4. Select each service you want to run over the ICF-protected connection.


5. When you first select a service, the Service Settings dialog box appears for that service, showing its default settings—including the name of the network computer on which the service is to be enabled. If you want to enable the service on a different computer on your network, type its name or IP address in the Name Or IP Address box. Click OK. You can adjust these settings at any time by selecting the service and clicking the Edit button.

6. If you want to enable a service that is not listed, click the Add button and enter the service name, address, and port numbers.

7. Click OK to close each dialog box when you’re done.

note Keep in mind that you do not need to enable any of these services unless you are providing the services from your computer. In other words, you do not need to enable Web Server to access Web servers on the Internet. You only need to enable these options if you are providing those services to the Internet.

The predefined services listed on the Services tab are the ones most often used. But what if you are using a custom service? For example, suppose your computer hosts a custom application for your company that other users access via the Internet. Can you use the custom application with ICF? Yes, but you’ll need to create a service entry and define some parameters for the service. Follow these steps:

1. Open Network Connections.

2. Right-click the ICF-protected connection and choose Properties.

3. Select the Advanced tab and click the Settings button.

4. On the Services tab, click the Add button.

5. In the Service Settings dialog box that appears, shown in Figure 5-5, enter a friendly description and the name or IP address of the computer hosting the service (such as your computer or another computer on your network), and then enter the internal and external port numbers used for the service and protocol. If the internal and external port numbers are the same, you only need to enter the external port number.

6. Click OK to add the service, and then close the remaining dialog boxes.


Figure 5-5. You can create a custom service entry by configuring the Service Settings dialog box.

note Only user-defined entries can be deleted. You cannot delete any of the predefined entries that you see on the Services tab.

Enabling File and Printer Sharing with ICF

By default, ICF blocks all the ports that normally use the Server Message Block (SMB) protocol—the application-level protocol used for Windows file and printer sharing. This is usually not a concern for home users or on the Internet connection of a system using ICS. However, in insecure LAN/WAN environments or over VPN connections, it’s often necessary to use file and printer sharing with other Windows servers and workstations. How then can you protect yourself from other kinds of traffic and still allow SMB for file and printer sharing?

The key is to open the proper ports to allow SMB traffic through. To do so, apply the previously listed steps to add a service for each of the applicable external ports in the following list.

If your computer needs direct-hosted SMB traffic only (that is, you do not rely on NetBIOS for communication in a pre-Active Directory Windows domain or for communication with pre-Windows 2000 systems), you need to create two services: one each for TCP port 445 and UDP port 445.

If, on the other hand, you need to communicate with other Windows computers using NetBIOS, you’ll need to create services for each TCP port from 135 through 139 and for each UDP port from 135 through 139.

For more information on SMB, NetBIOS, and Active Directory, see Chapter 11, “Understanding Domain Connectivity.”


Allowing ICMP Traffic

Internet Control Message Protocol (ICMP) is a protocol used for troubleshooting and for network diagnostics. Common IP network tools, such as ping and tracert, use ICMP. Using these tools, which you can learn more about in “Using Command-line Tools Included in Windows XP” on page 345, you can collect a great deal of helpful information about networking conditions and problems. However, by default, ICF prevents all unsolicited inbound ICMP traffic from reaching your computer because that traffic does not originate from your computer. This is usually a good thing because many types of attacks are initiated via ICMP. However, if someone wants to test your network connectivity, their diagnostic requests may fail because that traffic is unsolicited. To the remote user, it appears that your computer is not available on the network. (However, if you use these tools, the request will complete because the ICMP request originated from your computer.)

You can enable some or all of the ICMP information requests, depending on which features you want to make available. If you open the Advanced Settings dialog box of the ICF-protected connection’s properties dialog box once again and select the ICMP tab, you’ll see a list of options that enable you to specify the ICMP features you want to make available. See Figure 5-6.


Figure 5-6. Select the ICMP traffic options you want to enable.

The following options are listed on the ICMP tab:

Allow Incoming Echo Request. This option permits a ping test to complete. A message is sent to the computer and is echoed back to the sender. The ping utility is used to test for network connectivity. Enable this option if you want others on the Internet to be able to successfully ping your computer. You do not need to enable this option for you to ping a computer.

Allow Incoming Timestamp Request. This option enables data sent to the computer to be acknowledged with a timestamp.

Allow Incoming Mask Request. This option enables the computer to listen for and respond to requests for more information about the public network to which it is connected.

Allow Incoming Router Request. This option permits the computer to respond to requests for router information.

Allow Outgoing Destination Unreachable. This option causes the computer to acknowledge and send a “destination unreachable” message when data does not reach the computer due to errors or transmission problems.

Allow Outgoing Source Quench. This option permits the computer to send a “slow down” message when data is arriving at the computer and the computer cannot keep up.

Allow Outgoing Parameter Problem. This option permits the computer to send a “bad header” message when data is received with an incorrect or problematic header. Bad headers are dropped.

Allow Outgoing Time Exceeded. This option causes the computer to send a “time expired” message to the sender when data is incomplete because it took too long to send.

Allow Redirect. This option enables data that is sent from the computer to be rerouted if the default path changes.

caution Although ICMP messages are great troubleshooting tools, they can also give a hacker information about your connection. Do not enable ICMP features unless they are absolutely necessary. You can learn more about the types of attacks that can be launched via ICMP in Chapter 20, “Maintaining Network Security.”

Using ICF with E-mail Services

ICF works seamlessly with most e-mail applications. This means that you usually do not need to configure the e-mail application to work with ICF. However, there is an instance in which ICF and an e-mail application can have problems, and that has to do with notification messages.


If you are using Web-based mail such as Hotmail, where you log on to a mail server on the Internet, ICF will not interfere with your e-mail retrieval. If you are using an e-mail client, such as Microsoft Outlook Express, which polls its mail server to see if there is new mail (and the mail is downloaded if there is), ICF will also not interfere with this kind of communication.

However, if your e-mail client waits for an RPC from a mail server that tells the e-mail client that there is mail to download, ICF will block the RPC traffic because it will appear as unsolicited traffic. Outlook, when connecting to a Microsoft Exchange server (such as in the case of a domain-based mail system), is an example of an e-mail application that uses RPCs. If you are using Outlook in stand-alone mode, you’ll not have an RPC problem. If you are using Outlook and RPCs are used, you’ll need to configure Outlook to poll the Exchange server for new mail instead of having the Exchange server send RPCs to you. The odds are good, however, that if you are in an environment where Exchange server is used, you’ll not be using ICF anyway because the domain will probably use a proxy server or firewall server. Keep in mind that ICF is designed for the home and small office, so Outlook and the Exchange server issue usually isn’t a problem.

Testing ICF

One issue that worries many ICF users is the lack of an interface that tells you what is happening at the firewall. Unless the log file tells you about dropped packets, how do you know if ICF is really protecting you? ICF is designed to do its job in Windows XP behind the scenes, but you might wonder if it is really working.

You can rest assured that ICF is working if it is enabled, but if you are the curious type, you can test ICF using the ping command. To test ICF, follow these steps:

1. On the ICF connection, open the Advanced Settings dialog box.

2. On the Security Logging tab, ensure that logging is enabled for dropped packets.

3. On the ICMP tab, make sure that no ICMP message options are selected.

4. Ensure that the ICF connection is currently connected to the Internet.

5. Open Network Connections.

6. In the Network Connections window, right-click the connected Internet connection and choose Status.

7. In the status dialog box, select the Details tab. Note the Client IP Address value, as shown in Figure 5-7.


Figure 5-7. Note the Client IP Address entry, which is 63.157.13.85 in this example. This value might change each time you connect, especially with a dial-up connection.

8. From a different computer using a different connection to the Internet, choose Start, Run. Type cmd and click OK.

9. At the command prompt, type ping ipaddress, where ipaddress is the Client IP Address value you noted from your status dialog box. For this example, type ping 63.157.13.85. Press Enter.

10. Because ICF is blocking ICMP traffic, the request will time out, as shown in Figure 5-8.

Figure 5-8. The ping request times out because ICF is dropping the ICMP packets.

11. Return to the computer that has the ICF-enabled Internet connection, and open the firewall log (located by default at C:\Windows\Pfirewall.log). You can see in the log that the ICMP traffic was dropped.
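As an added example (not the book's own code), here is a Python parser for the Pfirewall.log layout of Table 5-1 that treats the hyphen as "no data", lists the destination addresses of OPEN entries as in the "Using the ICF Log as Big Brother" steps, and counts the dropped ICMP packets the ping test above leaves behind. The sample log lines and the 192.0.2.x, 198.51.100.x and 203.0.113.x addresses are constructed; the ICMP type numbers are the standard RFC 792 values, which the chapter itself does not list.

```python
"""Parser for the XP ICF log (Pfirewall.log) laid out as in Table 5-1.
Added example, not the book's code; the sample lines below are constructed."""
from collections import Counter
# Column order exactly as listed in Table 5-1; a hyphen means "not applicable".
FIELDS = ["date", "time", "action", "protocol", "src-ip", "dst-ip",
          "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info"]
NUMERIC = {"src-port", "dst-port", "size", "tcpsyn", "tcpack", "tcpwin",
           "icmptype", "icmpcode"}
# Well-known ICMP type numbers (RFC 792) behind the options on the ICMP tab.
ICMP_TYPES = {8: "Echo Request", 13: "Timestamp Request", 17: "Mask Request",
              10: "Router Request", 3: "Destination Unreachable",
              4: "Source Quench", 12: "Parameter Problem", 11: "Time Exceeded",
              5: "Redirect"}

def parse_line(line):
    """One log line -> dict keyed by Table 5-1 field; None for '#' header lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    parts += ["-"] * (len(FIELDS) - len(parts))      # pad a truncated line
    entry = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            entry[name] = None                       # hyphen: no data for this field
        elif name in NUMERIC:
            entry[name] = int(value)
        else:
            entry[name] = value
    return entry

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def visited_destinations(entries):
    """Distinct destination IPs of OPEN connections (the "Big Brother" lookup)."""
    return sorted({e["dst-ip"] for e in entries if e["action"] == "OPEN"})

def dropped_icmp_summary(entries):
    """Count DROP entries for ICMP by type name (what the ping test leaves behind)."""
    counts = Counter()
    for e in entries:
        if e["action"] == "DROP" and e["protocol"] == "ICMP":
            counts[ICMP_TYPES.get(e["icmptype"], f"type {e['icmptype']}")] += 1
    return dict(counts)

# Constructed sample; 63.157.13.85 (the book's example address) is the ICF host.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2003-05-12 10:15:01 OPEN TCP 63.157.13.85 192.0.2.80 1055 80 - - - - - - - -
2003-05-12 10:15:20 DROP ICMP 198.51.100.7 63.157.13.85 - - 60 - - - - 8 0 -
2003-05-12 10:15:30 DROP TCP 203.0.113.9 63.157.13.85 3117 445 48 S 1493000124 0 65535 - - -
2003-05-12 10:15:45 OPEN TCP 63.157.13.85 198.51.100.20 1056 80 - - - - - - - -
"""
```

Feed the real file with parse_log(open(r"C:\Windows\Pfirewall.log").read()) to run the same checks against your own log.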


Chapter 6: Using Internet Explorer Advanced Features

Managing Connectivity 137

Setting Internet Explorer Security Levels 143

Understanding Privacy and Content Settings 148

Setting Additional Internet Explorer Features and Settings 159

Customizing the Internet Explorer Interface 164

Managing Internet Explorer with Local Group Policy 174

To discover and use all the Internet has to offer you, your computer needs software that can read and display Web content. As in previous versions of Microsoft Windows, Microsoft Internet Explorer is the default Web browser in Microsoft Windows XP. Internet Explorer acts as your point of interface to the Internet or an intranet. Internet Explorer is available from your Start menu and is designed to work with any kind of Internet connection including a simple dial-up connection or a local area network (LAN) connection. As Internet and intranet usage, functions, and features have changed over the past few years, Internet Explorer has also grown and expanded to meet new browsing, security, and multimedia needs. Internet Explorer 6 does more and is more complex than earlier versions. There are a number of new and helpful features in Internet Explorer 6. This chapter explores the advanced features and functions Internet Explorer has to offer you in Windows XP. You’ll also learn how to resolve common problems and frustrations.

Note that Windows XP Service Pack 1 lets you change your default Web browser from Internet Explorer to another application. In fact, some newly purchased computers that have Windows XP Service Pack 1 preinstalled might not include Internet Explorer at all. For more information, see Appendix A, “Windows XP Service Pack 1.”

Managing Connectivity

Internet Explorer can access the Internet or a local intranet through virtually any type of network connection including dial-up, broadband, LAN, and even wireless connections. This
