
Advanced Configuration of Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images


Neil Marlowe
Microsoft Corporation

April 2004

Applies to:
     Microsoft® Windows® XP Embedded with Service Pack 1

Summary: This technical article is a continuation of the Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images technical article. The first article discussed how to enable Internet Connection Firewall (ICF). This article discusses how to configure and enable ports to allow services running on the device to receive unsolicited requests. If the appropriate port mappings are not configured and enabled for each service, ICF drops the unsolicited network traffic.

This technical article is written for Microsoft partners who develop and deploy Windows XP Embedded images to networked devices. It assumes a fundamental understanding of ICF and a proficiency in using Microsoft Windows Embedded Studio (Component Designer, Component Database Manager, and Target Designer). For in-depth help with ICF and the Windows Embedded Studio tools and concepts, see the For More Information section at the end of this article.

Contents

Introduction
Enable Internet Connection Firewall
Create a Custom Component
Add the Custom Component to Your Configuration
Deploy and Test the Run-Time Image
Other Considerations
For More Information

Introduction

As discussed in the Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images technical article, Microsoft® Windows® XP Embedded with Service Pack 1 (SP1) includes Internet Connection Firewall (ICF) technology in the Internet Connection Sharing/Personal Firewall component. The default state of the firewall, when deployed, is "disabled," with all ICF service port mappings disabled.

ICF is a software security layer that helps screen out network attacks. ICF is a "stateful" firewall, meaning that it monitors and tracks all incoming and outgoing network communication as well as address information. The source address information for all incoming traffic is analyzed and compared against the address information for the outgoing target. If a corresponding outgoing message is found, ICF allows the incoming message through. If not, ICF automatically drops the message. For example, when a user goes to a Web site, Microsoft Internet Explorer initiates the communication with the target Web server by submitting an outgoing Hypertext Transfer Protocol (HTTP) request. When the target Web server responds, the source address information for the incoming response matches the address information for the outgoing target, and ICF passes the incoming response to Internet Explorer.

The ICF service port mappings (one per service) allow services, which run transparently on the device in support of other programs, to respond to specific incoming requests. For example, Terminal Services, which enables multiple users to be connected interactively to a device through the Remote Desktop Protocol (RDP), waits for and services RDP requests. With ICF enabled, the service never receives the RDP request from remote computers and therefore never responds. To permit the RDP request traffic to flow through ICF to the service, you must add the service's ICF service port mappings to the list. Each ICF service port mapping consists of the following elements:

  • Service name. This value should be an easily recognizable name for the service. For the RDP service, the service name is "Remote Desktop."
  • External port. This is the port number that external computers use to contact the service. For the RDP service, the external port number is 3389.
  • Internal port. This is the port that the service uses. For the RDP service, the internal port number is 3389.
  • Target name or Internet Protocol (IP) address. This is the name or the IP address of the computer that is hosting the service on your network. In most scenarios, the service is running on each device. By using the default local host constant (localhost or 127.0.0.1), ICF automatically resolves the device's computer name.
  • Protocol. This is either Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
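To make the two admission rules concrete, here is a small Python model of the decision just described. It is an added illustration written for this edit, not Microsoft's code or an ICF implementation: the Packet, ServiceMapping and Firewall classes, the addresses and the traffic are all constructed here, and the model covers only the two rules the article states (inbound traffic that answers an outbound flow is passed; unsolicited inbound traffic is passed only through an enabled service port mapping, with a later mapping of the same name replacing an earlier one, as the ICF tool does).

```python
"""Toy model of ICF's admission decision (added example, not Microsoft code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str       # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ServiceMapping:
    name: str
    external_port: int
    internal_port: int
    target: str = "localhost"
    proto: str = "TCP"
    enabled: bool = False     # the deployed default: mappings start disabled


@dataclass
class Firewall:
    enabled: bool = False
    mappings: dict = field(default_factory=dict)   # service name -> ServiceMapping
    flows: set = field(default_factory=set)        # (proto, local, lport, remote, rport)

    def add_service(self, m: ServiceMapping) -> None:
        # Re-adding a name replaces the earlier mapping: the last one wins.
        self.mappings[m.name] = m

    def outbound(self, p: Packet) -> None:
        # Record the flow so the reply can be matched later.
        self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))

    def inbound(self, p: Packet) -> bool:
        """True if the packet is passed to the local service, False if dropped."""
        if not self.enabled:
            return True                     # firewall off: nothing is filtered
        # Rule 1: the packet answers a flow this device started (mirrored tuple).
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return True
        # Rule 2: unsolicited, so only an enabled mapping for proto/port admits it.
        return any(m.enabled and m.proto == p.proto and m.external_port == p.dst_port
                   for m in self.mappings.values())


def demo() -> dict:
    """Walks through the article's RDP and browser scenarios; all values constructed."""
    fw = Firewall(enabled=True)
    device, client, web = "10.0.0.5", "10.0.0.9", "203.0.113.10"
    results = {}
    # Unsolicited RDP request while no mapping exists: dropped.
    rdp = Packet("TCP", client, 51000, device, 3389)
    results["rdp_no_mapping"] = fw.inbound(rdp)
    # Mapping present but left disabled (the default): still dropped.
    fw.add_service(ServiceMapping("Remote Desktop", 3389, 3389, enabled=False))
    results["rdp_disabled_mapping"] = fw.inbound(rdp)
    # Same name re-added as enabled supersedes the earlier one: admitted.
    fw.add_service(ServiceMapping("Remote Desktop", 3389, 3389, enabled=True))
    results["rdp_enabled_mapping"] = fw.inbound(rdp)
    # Browser fetch: outbound HTTP request, then the server's reply is passed.
    fw.outbound(Packet("TCP", device, 49152, web, 80))
    results["http_reply"] = fw.inbound(Packet("TCP", web, 80, device, 49152))
    # The same server probing a port the device never used is unsolicited.
    results["http_unsolicited"] = fw.inbound(Packet("TCP", web, 80, device, 49153))
    return results


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case:24s} {'passed' if passed else 'dropped'}")
```

The point the model makes is the one the rest of the article builds on: an enabled mapping is the only way unsolicited traffic reaches a service, and a mapping that exists but is disabled changes nothing.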

After you install the run-time image, you can configure ICF and the ICF service port mappings on each device by using the Network Connection Manager user interface (UI). However, there are disadvantages to this approach:

  • The required Network Connection Manager components increase the image's footprint.
  • Each ICF service port mapping must be configured manually on each device.
  • The run-time image does not respond to remote calls that were made before the ICF service port mappings were configured.

The previous article, Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images, outlined how to programmatically enable ICF during initial startup by First Boot Agent (FBA). This article discusses how to programmatically add or enable ICF service port mappings during initial startup also by FBA. The steps are as follows:

  1. Enable Internet Connection Firewall by downloading and installing the ICF tool (ICFUtil.exe) that is referred to in the Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images technical article.
  2. Create a custom component.
  3. Add the custom component to your configuration.
  4. Deploy and test the run-time image.

Enable Internet Connection Firewall

Use the ICF tool in an FBA Generic command to configure or enable ICF service port mappings. The tool accepts the following command-line arguments.

Argument Description
/ENABLE By providing the /ENABLE (not case sensitive) command-line argument, the ICF tool enables the firewall on each network connection.
/STATUS By providing the /STATUS (not case sensitive) command-line argument, the ICF tool provides the status of the ICF on each network connection.
/? By providing the /? command-line argument, the ICF tool provides usage information.
/CLOSESERVICES By providing the /CLOSESERVICES (not case sensitive) command-line argument, the tool disables all ICF service port mappings on all network connections, including network connections made through remote access.
/ADDSERVICE By providing the /ADDSERVICE (not case sensitive) command-line argument, the tool adds a new ICF service port mapping to all network connections, and either enables or disables the added ICF service port mapping depending on the first of the additional command-line arguments. If the ICF service port mapping already exists, this function either enables or disables the existing ICF service port mapping. The tool accepts the following additional command-line arguments:
  • Enable/Disable
  • Service Name
    Note   The tool will not accept a zero-length string.
  • External Port
    Note   The tool accepts only numbers in the range 1 through 65535.
  • Internal Port
    Note   The tool accepts only numbers in the range 1 through 65535.
  • Target Name or IP Address
    Note   The tool accepts only IP addresses in the range 1.1.1.1 through 249.249.249.249.
  • Protocol
    Note   The values are either TCP or UDP.
/Q By providing the /Q (not case sensitive) command-line argument, the tool provides the option of a quiet mode and all UI output is suppressed. The quiet mode consists of the /Q switch in conjunction with the optional logging /L path_name switch.

Note   One of the features of ICF is to warn users of possible unauthorized changes to ICF. ICF therefore displays a warning message every time that the firewall is enabled, except when the /Q switch is provided.

/L path_name By providing the /L path_name (not case sensitive) command-line argument, the tool logs all actions to the file that the path name indicates. If the log file does not exist, one is created silently. If the log file does exist, the actions are added to the end of the file. If the path name is not provided, the log file is created in a default location. This switch is ignored unless it appears with the /Q switch.

Create a Custom Component

The new custom component does not replace the Internet Connection Sharing/Personal Firewall component or the component that is discussed in the Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images article. The component that is discussed in this article is used with these components.

Note   If you followed the first article (Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images), you were instructed to create a custom component to enable ICF. Instead of creating a second component to add or enable the ICF service port mappings, you can skip the first four steps and add the ICF service port mappings' FBA Generic commands to the component that you created in the Enable Internet Connection Firewall in Windows XP Embedded with Service Pack 1 Images article.

The following steps describe how to use Component Designer to create a custom component:

  1. Create and save a new component definition file (.sld) file.
    Note   Create a flat file structure for the location of this .sld file and the ICF repository that you create in the next step.
  2. Create a new physical repository for the component definition.

    The repository must contain the ICF tool.

    For example, create a new physical repository called "ICF Service Port Mapping Repository."

    Note   The repository source path should be the same as the path to the .sld file that you saved in the previous step.
  3. Add a new component to the component definition file. When you add the new component, consider the following information:
    • When defining the component's repository, make sure that you select the physical repository that contains the ICF tool. For example, select the "ICF Service Port Mapping Repository" that you created in step 2.
    • To simplify the image development process, you can create a macro component that creates dependencies on all components that are required for ICF. To create a macro component, set the component's Prototype property to Selector Prototype Component in Component Designer. You can find this prototype under Software\Test & Development.

    This component adds or enables the ICF service port mappings. You can name it "ICF Service Port Mapping Component."

  4. Add the ICF tool to the component.

    By default, the destination path of the file is the file's current path. To change the destination path, use parameters to define the path value. For example, change the destination path to the \Windows folder by using the path value %10%.

  5. Add a new FBA Generic Command resource to the component.

    After this resource is fully configured, it creates or enables one ICF service port mapping during the FBA phase. If you need to add or enable additional ICF service port mappings, you need to create a new FBA Generic command for each ICF service port mapping.

    To enable the Remote Desktop ICF service port mapping, you can create an FBA Generic command called "FBA Generic Command – Enable Remote Desktop" with the following extended properties:

    • Arguments. This property passes the arguments to the application that is defined in the FilePath property. To enable the Remote Desktop ICF service port mapping, set this property to /addservice enable "Remote Desktop" 3389 3389 localhost tcp /Q. The quiet mode (/Q) switch is optional. Because /ADDSERVICE applies the mapping to every network connection on the device, add mappings only for services the device actually exposes; each enabled mapping is a port that is reachable from any network the device is attached to.
    • FilePath. Set this property to the parameterized path of the application, namely %10%\ICFUtil.exe (\Windows\ICFUtil.exe).
    • Phase. This numeric property defines when the FBA Generic command runs in the FBA sequence. Set the property to 4502 or higher. Note that all ICF service port mapping FBA commands can have the same phase number, namely 4502. If more than one ICF service port mapping exists with the same name, the last ICF service port mapping that is run supersedes the previous ICF service port mappings with the same name.
  6. Add an additional FBA Generic command for each ICF service port mapping that requires it.
  7. After you define the component, save it and import it into the component database.

Add the Custom Component to Your Configuration

To add the custom component to your configuration:

  1. In Target Designer, create a new configuration or open an existing one.
  2. If your image does not already have the Internet Connection Sharing/Personal Firewall component, add the component to your configuration. The component is located in the Software\System\Networking & Communications folder in the component browser.
  3. If you did not combine the FBA Generic command that is discussed in this article with the "ICF Component" custom component that you created during the previous article, you may want to add "ICF Component" to your configuration to enable ICF on the run-time image.
  4. Add the new custom component called "ICF Service Port Mapping Component" to your configuration.
  5. After you add the component, check and resolve all component dependencies, and then build the image.

Deploy and Test the Run-Time Image

After you resolve dependencies and build the run-time image, the run-time image is ready to be deployed. When the reference device starts for the first time, First Boot Agent (FBA) runs. Depending on your configuration, the device may restart one or more times. When FBA runs the FBA Generic command that you created previously, expect to see the application run in a Windows command shell. The following sample output is an example of the output from the "FBA Generic Command – Enable Remote Desktop" command.

C:\Windows\ICFUtil.exe /addservice enable "Remote Desktop" 3389 3389 localhost tcp /Q
ICFUtil: Firewall service "Remote Desktop" added.

Note   One of the features of ICF is to warn users of possible unauthorized changes to ICF. ICF therefore displays a warning message every time that ICF is configured, except when the /Q switch is provided.

To confirm that the FBA Generic command was run successfully, review the FBA log file (Fbalog.txt) that is located in the \Windows\FBA directory. You should find entries similar to the following entry:

17:23:33 PM -  [FBASetProgressText] Installing Components...
17:23:33 PM -  [FBALaunch] C:\WINDOWS\icfutil.exe /enable /Q (ExitCode: 0x0)
17:23:33 PM -  [FBALaunch] C:\WINDOWS\ICFUtil.exe /addservice enable "Remote Desktop" 3389 3389 localhost tcp /Q (ExitCode: 0x0)
17:27:57 PM -  [FBASetProgressText] Replacing System Hives...

At this point, the Remote Desktop ICF service port mapping is enabled and, provided that Terminal Services is included in the image and running, users can connect to the device through RDP. A quick confirmation from another computer on the network is that a connection to TCP port 3389 on the device is now accepted instead of being dropped.
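Reading Fbalog.txt by eye works for one mapping, but a device with several mappings is easier to verify with a script. The following Python check is an added example, not part of the article or of the FBA tooling: it parses the [FBALaunch] line format shown above, reports any ICFUtil launch with a nonzero exit code, and lists expected services whose last successful /ADDSERVICE did not enable them. SAMPLE_LOG is constructed here from the entries above plus one made-up failing launch (the exit code ICFUtil returns on failure is not documented on this page; 0x1 is assumed for the sample only).

```python
"""Verify ICF setup from an FBA log (added example, not Microsoft tooling)."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the article's entries plus one hypothetical failed launch.
SAMPLE_LOG = """\
17:23:33 PM -  [FBASetProgressText] Installing Components...
17:23:33 PM -  [FBALaunch] C:\\WINDOWS\\icfutil.exe /enable /Q (ExitCode: 0x0)
17:23:33 PM -  [FBALaunch] C:\\WINDOWS\\ICFUtil.exe /addservice enable "Remote Desktop" 3389 3389 localhost tcp /Q (ExitCode: 0x0)
17:23:34 PM -  [FBALaunch] C:\\WINDOWS\\ICFUtil.exe /addservice enable "" 8080 8080 localhost tcp /Q (ExitCode: 0x1)
17:27:57 PM -  [FBASetProgressText] Replacing System Hives...
"""

# Matches the [FBALaunch] line layout shown in the article's log excerpt.
LAUNCH_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2} [AP]M -\s+\[FBALaunch\] (?P<cmd>.+?) "
    r"\(ExitCode: (?P<code>0x[0-9A-Fa-f]+)\)\s*$"
)
# Pulls the enable/disable keyword and service name out of an /ADDSERVICE line.
ADDSERVICE_RE = re.compile(r'/addservice\s+(enable|disable)\s+"([^"]*)"', re.IGNORECASE)


def icfutil_launches(log_text: str) -> List[Tuple[str, int]]:
    """(command line, exit code) for every ICFUtil launch, in log order."""
    launches = []
    for line in log_text.splitlines():
        m = LAUNCH_RE.match(line)
        if m and "icfutil.exe" in m.group("cmd").lower():
            launches.append((m.group("cmd"), int(m.group("code"), 16)))
    return launches


def service_state(launches: List[Tuple[str, int]]) -> Dict[str, bool]:
    """Final enabled/disabled state per service name: last successful run wins."""
    state: Dict[str, bool] = {}
    for cmd, code in launches:
        m = ADDSERVICE_RE.search(cmd)
        if m and code == 0:
            state[m.group(2)] = m.group(1).lower() == "enable"
    return state


def check_icf_setup(log_text: str, expected_services: List[str]) -> Dict[str, object]:
    """Summarise whether the firewall was enabled and the expected mappings took."""
    launches = icfutil_launches(log_text)
    state = service_state(launches)
    return {
        "firewall_enabled": any(code == 0 and "/enable" in cmd.lower().split()
                                for cmd, code in launches),
        "failed_commands": [cmd for cmd, code in launches if code != 0],
        "missing_services": [s for s in expected_services if not state.get(s, False)],
    }


if __name__ == "__main__":
    report = check_icf_setup(SAMPLE_LOG, ["Remote Desktop", "Web Server"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real device, read the log with open(r"C:\Windows\FBA\Fbalog.txt") in place of SAMPLE_LOG and pass the service names your component is supposed to enable; a nonempty missing_services list means an FBA Generic command did not run, failed, or was superseded by a later mapping of the same name.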

Other Considerations

Servicing or environmental considerations may affect your run-time image after the image is deployed. When you design or build your configuration, consider the topics in the following sections.

Group Policy

Group Policy enables policy-based administration. Group Policy uses the Active Directory® directory service and security group membership to provide flexibility and to support extensive configuration information. Unlike profile settings, which are often specified by a user, policy settings are specified by an administrator.

If your device has a group policy applied to it, your device inherits the ICF settings that are defined by the policy. If the group policy dictates that ICF or ICF service port mappings should be disabled, the group policy settings supersede the ICF settings that are discussed in this article. If this is the case, you may need to update the group policy.

Device Update Agent

After a run-time image that includes Device Update Agent (DUA) is deployed on a device, you can configure ICF with DUA scripts (assuming that the Internet Connection Sharing/Personal Firewall component is included in the run-time image). DUA, which runs as a service on each device, has many configuration options. Based on these options, DUA periodically looks for files that are in a predefined location (local or remote HTTP). If files exist in the folder, DUA copies the files to its DUA working folder (user-defined location) and runs the command file if one exists. DUA command files contain DUA script commands, which provide a flexible way to update devices. The following example procedure outlines the basic DUA commands that you need to configure ICF:

  1. DUA has copied your command file and ICFUtil.exe to its working folder. Use a DUA COPYFILE command to copy the ICF tool from the DUA working folder to the C:\Windows folder. The command has many optional parameters; the ones to note here are the following:
    • SrcFilePath. In this example, set the source file path value to c:\DUA\ICFUtil.exe.
    • DstFilePath. In this example, set the destination file path value to c:\Windows\ICFUtil.exe.
    • FailifExists. In this example, if ICFUtil.exe already exists in the C:\Windows folder, ensure that DUA replaces it with the file in the DUA working folder (C:\DUA\ICFUtil.exe). To ensure that the file is replaced, set the FailIfExists parameter to DANO (0).

    The script that you should use in this example is the following script.

    COPYFILE,,,c:\DUA\ICFUtil.exe,,c:\Windows\ICFUtil.exe,DANO
    
  2. After DUA copies ICFUtil.exe to the C:\Windows folder, use the EXECUTEPROCESS command to instruct DUA to enable the firewall. This command runs the ICF tool with the appropriate command-line arguments. The command has many optional parameters; the ones to note here are the following:
    • ApplicationName. This optional string value specifies the module that needs to run. The string can specify the full path and file name of the module, or it can specify a partial name. If there is a partial name, the command uses the current drive and directory to complete the specification. In this example, set this value to c:\WINDOWS\icfutil.exe.
    • CommandLine. This optional string value represents the command-line arguments to be passed to the executable module. In this example, set this value to /enable /Q /L, which instructs the ICF tool to enable the firewall in quiet mode and to log the output to file.

    The script that you should use in this example is the following script.

    EXECUTEPROCESS,,,,c:\WINDOWS\icfutil.exe,,/enable /Q /L,,,,,,,,,,,,,,,,,
    
  3. After DUA enables the firewall, use the EXECUTEPROCESS command to instruct DUA to create or enable ICF service port mappings. The command has many optional parameters; the ones to note here are the following:
    • ApplicationName. In this example, set this value to c:\WINDOWS\icfutil.exe.
    • CommandLine. To enable the Remote Desktop service port mapping, set this value to /addservice enable "Remote Desktop" 3389 3389 localhost tcp /Q /L. The ICF tool enables the ICF service port mapping in quiet mode and logs the output to file.

    The script that you should use in this example is the following script.

    EXECUTEPROCESS,,,,c:\WINDOWS\icfutil.exe,,/addservice enable "Remote Desktop" 3389 3389 localhost tcp /Q /L,,,,,,,,,,,,,,,,,
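Whether the mappings are applied by FBA Generic commands or by a DUA command file, the /ADDSERVICE argument string is the same, and a typo in it only shows up on the device. The following Python generator is an added example, not part of the article or of Microsoft's tooling: it validates each mapping against the limits the article lists for the ICF tool (non-empty name, ports 1 through 65535, TCP or UDP, and a target of localhost or a dotted address within 1.1.1.1 through 249.249.249.249, which is read here as each octet being 1 through 249, an assumption), renders the string that goes in the FBA Generic Command Arguments property, and emits the COPYFILE and EXECUTEPROCESS lines in the exact field layout of the article's DUA script. The paths c:\DUA and c:\Windows are the article's; PortMapping and the mapping list are constructed here.

```python
"""Generate ICFUtil /ADDSERVICE arguments and DUA script lines (added example)."""
from dataclasses import dataclass
from typing import Iterable

DUA_WORKDIR = r"c:\DUA"                  # DUA working folder used in the article
TOOL_PATH = r"c:\WINDOWS\icfutil.exe"    # where COPYFILE places the tool
# Trailing empty EXECUTEPROCESS fields, copied from the article's script lines.
TRAILING_FIELDS = "," * 17


@dataclass(frozen=True)
class PortMapping:
    name: str
    external_port: int
    internal_port: int
    target: str = "localhost"
    protocol: str = "tcp"
    enable: bool = True


def validate(m: PortMapping) -> None:
    """Raise ValueError for anything the ICF tool is documented to reject."""
    if not m.name:
        raise ValueError("service name must not be a zero-length string")
    for port in (m.external_port, m.internal_port):
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} outside 1 through 65535")
    if m.protocol.lower() not in ("tcp", "udp"):
        raise ValueError(f"protocol must be TCP or UDP, got {m.protocol!r}")
    if m.target.lower() != "localhost":
        octets = m.target.split(".")
        # Assumption: "1.1.1.1 through 249.249.249.249" means each octet 1..249.
        if len(octets) != 4 or not all(o.isdigit() and 1 <= int(o) <= 249 for o in octets):
            raise ValueError(f"target {m.target!r} outside 1.1.1.1 through 249.249.249.249")


def is_valid(m: PortMapping) -> bool:
    try:
        validate(m)
        return True
    except ValueError:
        return False


def icfutil_args(m: PortMapping, quiet: bool = True, log: bool = False) -> str:
    """The Arguments property of the FBA Generic command (or DUA CommandLine)."""
    validate(m)
    args = (f'/addservice {"enable" if m.enable else "disable"} "{m.name}" '
            f"{m.external_port} {m.internal_port} {m.target} {m.protocol.lower()}")
    if quiet:
        args += " /Q"
        if log:
            args += " /L"        # /L is ignored unless /Q is present
    return args


def dua_script(mappings: Iterable[PortMapping], enable_firewall: bool = True) -> str:
    """COPYFILE the tool, optionally /ENABLE the firewall, then one line per mapping."""
    lines = [f"COPYFILE,,,{DUA_WORKDIR}\\ICFUtil.exe,,c:\\Windows\\ICFUtil.exe,DANO"]
    if enable_firewall:
        lines.append(f"EXECUTEPROCESS,,,,{TOOL_PATH},,/enable /Q /L{TRAILING_FIELDS}")
    for m in mappings:
        lines.append(f"EXECUTEPROCESS,,,,{TOOL_PATH},,{icfutil_args(m, log=True)}{TRAILING_FIELDS}")
    return "\r\n".join(lines) + "\r\n"      # DUA command files are Windows text files


if __name__ == "__main__":
    # Constructed mapping list; only expose what the device really serves.
    wanted = [PortMapping("Remote Desktop", 3389, 3389)]
    print(dua_script(wanted), end="")
```

Validating before deployment matters more than it looks: FBA runs the command once, at first boot, and a rejected argument leaves the service unreachable on every device built from that image until a DUA update or a manual fix.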
    

For More Information

For more information, see the following Microsoft Web sites:

Security and Privacy

Internet Connection Sharing and Internet Connection Firewall Reference

Component Designer Guide

Creating an .SLD file

Adding a New Repository

Creating a Macro Component

Adding a File to a Configuration

Adding a Resource to a Configuration

FBA Generic Command

Importing Components into the Database

Adding a Component to a Configuration

Checking Dependencies

Designing a Run-Time Image

Target Designer Guide

Step 7: Deploying the Windows XP Embedded Run-Time Image

Group Policy

Device Update Agent

© 2014 Microsoft