7 Appendix B: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 1.7: Policy versions are mapped to Windows product versions as follows:

 Windows Client Version                                   | Windows Server Version  | Policy Version
 ---------------------------------------------------------|-------------------------|----------------
 Windows Vista                                            |                         | 0x0200
 Windows Vista operating system with Service Pack 1 (SP1) | Windows Server 2008     | 0x0201
 Windows 7                                                | Windows Server 2008 R2  | 0x020A
 Windows 8                                                | Windows Server 2012     | 0x0214
 Windows 8.1                                              | Windows Server 2012 R2  | 0x0216
 Windows 10                                               |                         | 0x0218, 0x0219
 Windows 10 v1607 operating system                        | Windows Server 2016     | 0x021A
 Windows 10 v1703 operating system                        |                         | 0x021B

<2> Section 2.2.6: For Windows Vista SP1, Windows Server 2008, Windows 7, and Windows Server 2008 R2, unspecified addresses are allowed. Unspecified addresses are also allowed on Windows Vista if the Security Update for Windows Vista specified in [MSKB-935807] is applied.

<3> Section 2.2.31: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary AuthenticationSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

  
 #define FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR           
                          L"Default Phase1 Primary AuthSet"
 #define FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR           
                          L"Default Phase2 Primary AuthSet"
 #define RTL_NUMBER_OF(A)   (sizeof(A)/sizeof((A)[0]))
 FW_AUTH_SUITE g_DefaultPrimaryAuthSuitePhase1[] = 
 {
     { FW_AUTH_METHOD_MACHINE_KERB, {0} }
 };
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase1 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     RTL_NUMBER_OF(g_DefaultPrimaryAuthSuitePhase1),
     g_DefaultPrimaryAuthSuitePhase1,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase2 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     0,
     NULL,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
  

During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary CryptoSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

 #define FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase1 Primary CryptoSet"
 #define FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase2 Primary CryptoSet"
  
 FW_PHASE1_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase1[] = 
 {
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_CRYPTO_HASH_SHA1},
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_CRYPTO_HASH_SHA1}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase1 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         0, // flags
         0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1),
         0, // g_DefaultPrimaryCryptoSuitesPhase1,
         0, //480,
         0
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
  
 FW_PHASE2_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase2[] = 
 {
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_AH, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase2 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         {
             0, // FW_PHASE2_CRYPTO_PFS_DISABLE,
             0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2),
             0, // g_DefaultPrimaryCryptoSuitesPhase2
         }
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 void FwDefaultPrimaryCryptoSetsInit()
 {
     // Init Phase 1 Crypto.
     g_DefaultPrimaryCryptoSetPhase1.dwNumPhase1Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1);
     g_DefaultPrimaryCryptoSetPhase1.pPhase1Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase1;
     g_DefaultPrimaryCryptoSetPhase1.dwTimeOutMinutes = 480;
  
     //Init Phase 2 Crypto
     g_DefaultPrimaryCryptoSetPhase2.Pfs = 
                         FW_PHASE2_CRYPTO_PFS_DISABLE;
     g_DefaultPrimaryCryptoSetPhase2.dwNumPhase2Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2);
     g_DefaultPrimaryCryptoSetPhase2.pPhase2Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase2;
 }
  

<4> Section 2.2.36: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.36) and FW_CS_RULE (section 2.2.54) rules.

<5> Section 2.2.36: Rules with wSchemaVersion less than 0x000200 but greater than or equal to 0x000100 are not allowed to be written to the local store.

<6> Section 2.2.36: On Windows 7 and Windows Server 2008 R2 the wszRuleId size cannot be greater than or equal to 512 characters. On Windows Vista and Windows Server 2008 it cannot be greater than or equal to 1000 characters.

<7> Section 2.2.37: When Windows is operating in stealth mode, it blocks the following outbound packets:

  • ICMP Destination Unreachable

  • ICMP Parameter Problem for IPv6 only

  • TCP Reset (RST) packets sent because no application is listening on the destination port

<8> Section 2.2.37: In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 operating system, the FW_PROFILE_CONFIG_LOG_IGNORED_RULES option is ignored.

<9> Section 2.2.37: When an application is blocked from listening on a port and inbound notifications are not disabled, Windows displays a notification to the user only when there is not an FW_RULE object in the Group Policy RSoP, local, or dynamic policy stores with a wszLocalApplication field that matches the application.

<10> Section 2.2.42: Windows selects a default value for the profile configuration options and the global configuration options. These configuration default values are secure, and it is recommended to use these values as default values. Profile configuration option default values:

  
 FW_PROFILE_CONFIG_ENABLE_FW .- TRUE.
 FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE .- FALSE.
 FW_PROFILE_CONFIG_SHIELDED .- FALSE.
 FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST 
                                                            .- FALSE.
 FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS .- FALSE.
 FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS .- FALSE.
 FW_PROFILE_CONFIG_LOG_IGNORED_RULES .- TRUE.
 FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE .- 1024.
 FW_PROFILE_CONFIG_LOG_FILE_PATH .- L"".
 FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS .- FALSE.
 FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_DISABLED_INTERFACES .- {0}.
 FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION .- 0 (0 is allow).
 FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION.- 1 (1 is block).
  

Global configuration options default values:

  
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0200 
 on Windows Vista.
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0201 
 on Windows Vista SP1 and Windows Server 2008.
 FW_GLOBAL_CONFIG_CURRENT_PROFILE .- FW_PROFILE_TYPE_PUBLIC.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP .- FALSE.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP .- FALSE.
 FW_GLOBAL_CONFIG_SA_IDLE_TIME .- 300.
 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING 
                    .- FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8.
 FW_GLOBAL_CONFIG_IPSEC_EXEMPT 
                    .- FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC.
 FW_GLOBAL_CONFIG_CRL_CHECK .- 0.
 FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT 
             .- FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_SERVER_BEHIND_NAT.
 FW_GLOBAL_CONFIG_POLICY_VERSION .- 0x0200.
 FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED .- 0x201. This value is 
 present only in Windows Vista SP1 and Windows Server 2008.
  

<11> Section 2.2.54: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.36) and FW_CS_RULE (section 2.2.54) rules.

<12> Section 2.2.54: On Windows 7 and Windows Server 2008 R2 the wszRuleId size is less than 512 characters. On Windows Vista and Windows Server 2008 it is less than 1000 characters.

<13> Section 2.2.54: On Windows 7 and Windows Server 2008 R2 the wszPhase1AuthSet, wszPhase2AuthSet, and wszPhase2CryptoSet sizes are less than 255 characters. On Windows Vista and Windows Server 2008 they are less than 1000 characters.
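The constraints in notes <1>, <5>, <6>, <12> and <13> can be applied as a client-side pre-flight check before a rule is written to a down-level server, which avoids a round trip that the server will fail anyway. The following Python script is an added example written for this appendix; it is not code from [MS-FASP] or from Windows, and its Rule class, the limit tables and the function names are this example's own modelling of those notes, not protocol structures:

```python
"""Pre-flight checks for a FW_RULE or FW_CS_RULE before a client writes it to
a server's local store, using product-behavior notes <1>, <5>, <6>, <12>
and <13>.  Added example, not code from [MS-FASP] or Windows: the Rule
dataclass and the limit tables are this example's own modelling."""
from __future__ import annotations
from dataclasses import dataclass, field

# Policy (schema) version -> product generation, transcribed from note <1>.
POLICY_VERSIONS = {
    0x0200: "Windows Vista",
    0x0201: "Windows Vista SP1 / Windows Server 2008",
    0x020A: "Windows 7 / Windows Server 2008 R2",
    0x0214: "Windows 8 / Windows Server 2012",
    0x0216: "Windows 8.1 / Windows Server 2012 R2",
    0x0218: "Windows 10",
    0x0219: "Windows 10",
    0x021A: "Windows 10 v1607 / Windows Server 2016",
    0x021B: "Windows 10 v1703",
}

# Exclusive upper bounds (in characters) on string fields, keyed by the
# server's policy version.  Notes <6>/<12>: wszRuleId; note <13>: the three
# set references on FW_CS_RULE.  The appendix states no limits for Windows 8
# and later, so those versions are deliberately absent (no check, no guess).
RULE_ID_LIMIT = {0x0200: 1000, 0x0201: 1000, 0x020A: 512}
SET_REF_LIMIT = {0x0200: 1000, 0x0201: 1000, 0x020A: 255}
SET_REF_FIELDS = ("wszPhase1AuthSet", "wszPhase2AuthSet", "wszPhase2CryptoSet")


@dataclass
class Rule:
    wSchemaVersion: int
    wszRuleId: str
    is_cs_rule: bool = False                         # FW_CS_RULE rather than FW_RULE
    set_refs: dict[str, str] = field(default_factory=dict)   # FW_CS_RULE set names


def local_store_problems(rule: Rule, server_policy_version: int) -> list[str]:
    """Return the reasons the server would reject the write; empty means OK."""
    problems: list[str] = []
    v = rule.wSchemaVersion

    # Note <5>: 1.x schema rules are not allowed to be written to the local store.
    if 0x0100 <= v < 0x0200:
        problems.append(f"wSchemaVersion 0x{v:04X} is a 1.x schema; not writable to the local store")

    if server_policy_version not in POLICY_VERSIONS:
        problems.append(f"server policy version 0x{server_policy_version:04X} is not in note <1>")

    limit = RULE_ID_LIMIT.get(server_policy_version)
    if limit is not None and len(rule.wszRuleId) >= limit:
        problems.append(f"wszRuleId has {len(rule.wszRuleId)} chars; must be < {limit} "
                        f"on {POLICY_VERSIONS[server_policy_version]}")

    if rule.is_cs_rule:
        limit = SET_REF_LIMIT.get(server_policy_version)
        for name in SET_REF_FIELDS:
            value = rule.set_refs.get(name, "")
            if limit is not None and len(value) >= limit:
                problems.append(f"{name} has {len(value)} chars; must be < {limit} "
                                f"on {POLICY_VERSIONS[server_policy_version]}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a 600-character rule ID that a Vista SP1 server
    # accepts (limit 1000) but a Windows 7 server rejects (limit 512).
    sample = Rule(0x020A, "R" * 600)
    print(local_store_problems(sample, 0x0201))
    print(local_store_problems(sample, 0x020A))
```

For Windows 8 and later the appendix states no limits, so the tables omit those versions and the check passes rather than guessing; a server policy version that does not appear in note <1> is reported instead of being mapped to a neighbour.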

<14> Section 2.2.63: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<15> Section 2.2.63: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<16> Section 2.2.64: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<17> Section 2.2.64: On Windows Vista and Windows Server 2008, the only duplicate check performed is for the anonymous method.

<18> Section 2.2.82: Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 set TransportFilterId to the filter key of the Windows Filtering Platform filter used to enforce the security association (for more information, see [MSWFPSDK]).

<19> Section 2.2.84: Windows uses the three fields of the FW_OS_PLATFORM data type to identify Windows platform types. The fields in this data type correspond to the fields of the Windows OSVERSIONINFOEX data type (for more information, see [MSDN-OSVERSIONINFOEX]). The bPlatform field in this specification corresponds to the dwPlatformId field in MSDN. The bMajorVersion field in this specification corresponds to the dwMajorVersion field in MSDN. The bMinorVersion field in this specification corresponds to the dwMinorVersion field in MSDN. The Windows firewall and advanced security components extract the OSVERSIONINFOEX values and use them to enforce PlatformValidityList conditions in FW_RULE (section 2.2.36) and FW_CS_RULE (section 2.2.54) rules.

<20> Section 2.2.95: By default, Windows uses the IKEv1 and AuthIP keying modules.

<21> Section 2.2.96: In schema version 0x0214, the value for the FW_TRUST_TUPLE_KEYWORD_MAX flag is 0x0004.

<22> Section 3.1.3: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary AuthenticationSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

 #define FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR
                                  L"Default Phase1 Primary AuthSet"
 #define FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR
                                  L"Default Phase2 Primary AuthSet"
 #define RTL_NUMBER_OF(A)   (sizeof(A)/sizeof((A)[0]))
 FW_AUTH_SUITE g_DefaultPrimaryAuthSuitePhase1[] = 
 {
     { FW_AUTH_METHOD_MACHINE_KERB, {0} }
 };
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase1 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}",
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     RTL_NUMBER_OF(g_DefaultPrimaryAuthSuitePhase1),
     g_DefaultPrimaryAuthSuitePhase1,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 FW_AUTH_SET g_DefaultPrimaryAuthSetPhase2 = 
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE4}",
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_AUTH_SET_NAME_STR,
     NULL,
     0,
     NULL,
     FW_RULE_ORIGIN_HARDCODED,
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  

<23> Section 3.1.3: During server initialization, Windows uses default values to initialize the Phase 1 and Phase 2 primary CryptoSet objects if these objects are not already present in LocalStore or GroupPolicyRSoPStore. The same defaults are used for both LocalStore and GroupPolicyRSoPStore. These defaults are as follows:

 #define FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase1 Primary CryptoSet"
 #define FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR           
                        L"Default Phase2 Primary CryptoSet"
  
 FW_PHASE1_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase1[] = 
 {
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_CRYPTO_HASH_SHA1},
     {FW_CRYPTO_KEY_EXCHANGE_DH2, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_CRYPTO_HASH_SHA1}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase1 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_1,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}",
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P1_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         0, //flags
         0, //RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1),
         0, //g_DefaultPrimaryCryptoSuitesPhase1,
         0, // 480,
         0
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
  
 FW_PHASE2_CRYPTO_SUITE g_DefaultPrimaryCryptoSuitesPhase2[] = 
 {
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_AES128, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_ESP, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_ENCRYPTION_3DES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES},
     {FW_CRYPTO_PROTOCOL_AH, 
      FW_CRYPTO_HASH_SHA1, 
      FW_CRYPTO_HASH_NONE, 
      FW_CRYPTO_ENCRYPTION_NONE, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_MINUTES, 
      FW_DEFAULT_CRYPTO_PHASE2_TIMEOUT_KBYTES}
 };
  
 FW_CRYPTO_SET g_DefaultPrimaryCryptoSetPhase2 =
 {
     NULL,
     0x0200,
     FW_IPSEC_PHASE_2,
     L"{E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE2}",
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     FW_DEFAULT_P2_PRIMARY_CRYPTO_SET_NAME_STR,
     NULL,
     {
         {
             0, // FW_PHASE2_CRYPTO_PFS_DISABLE,
             0, // RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2),
             0, // g_DefaultPrimaryCryptoSuitesPhase2
         }
     },
     FW_RULE_ORIGIN_HARDCODED, 
     NULL,
     FW_RULE_STATUS_OK,
     0
 };
  
 void FwDefaultPrimaryCryptoSetsInit()
 {
     // Init Phase 1 Crypto.
     g_DefaultPrimaryCryptoSetPhase1.dwNumPhase1Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase1);
     g_DefaultPrimaryCryptoSetPhase1.pPhase1Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase1;
     g_DefaultPrimaryCryptoSetPhase1.dwTimeOutMinutes = 480;
  
     //Init Phase 2 Crypto
     g_DefaultPrimaryCryptoSetPhase2.Pfs = 
                         FW_PHASE2_CRYPTO_PFS_DISABLE;
     g_DefaultPrimaryCryptoSetPhase2.dwNumPhase2Suites = 
                         RTL_NUMBER_OF(g_DefaultPrimaryCryptoSuitesPhase2);
     g_DefaultPrimaryCryptoSetPhase2.pPhase2Suites = 
                         g_DefaultPrimaryCryptoSuitesPhase2;
 }
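Read as a crypto policy rather than as C initializers, the defaults in notes <3> and <23> are worth auditing: every Phase 1 suite uses Diffie-Hellman group 2, 3DES and SHA-1 appear in both phases, PFS is disabled, and the first Phase 2 suite is ESP with SHA-1 integrity and no encryption. The following Python script is an added example for this appendix, not code from [MS-FASP] or Windows: the suite tuples transcribe the two suite arrays and the Pfs value assigned in FwDefaultPrimaryCryptoSetsInit, while the WEAK table and the reading of list order as proposal preference are this editor's assessment and assumption, not statements of the specification:

```python
"""Strength audit of the hard-coded default IPsec crypto sets in notes <3>
and <23>.  Added example, not code from [MS-FASP] or Windows: the suite
tuples transcribe g_DefaultPrimaryCryptoSuitesPhase1/Phase2; the WEAK
table and the treatment of list order as preference are assumptions."""
from __future__ import annotations

# Phase 1 suites: (key exchange, encryption, hash), in the order listed.
PHASE1_DEFAULT = [
    ("FW_CRYPTO_KEY_EXCHANGE_DH2", "FW_CRYPTO_ENCRYPTION_AES128", "FW_CRYPTO_HASH_SHA1"),
    ("FW_CRYPTO_KEY_EXCHANGE_DH2", "FW_CRYPTO_ENCRYPTION_3DES", "FW_CRYPTO_HASH_SHA1"),
]
# Phase 2 suites: (protocol, AH hash, ESP hash, ESP encryption); the
# lifetime constants are not given a value in the appendix and are omitted.
PHASE2_DEFAULT = [
    ("FW_CRYPTO_PROTOCOL_ESP", "FW_CRYPTO_HASH_NONE", "FW_CRYPTO_HASH_SHA1", "FW_CRYPTO_ENCRYPTION_NONE"),
    ("FW_CRYPTO_PROTOCOL_ESP", "FW_CRYPTO_HASH_NONE", "FW_CRYPTO_HASH_SHA1", "FW_CRYPTO_ENCRYPTION_AES128"),
    ("FW_CRYPTO_PROTOCOL_ESP", "FW_CRYPTO_HASH_NONE", "FW_CRYPTO_HASH_SHA1", "FW_CRYPTO_ENCRYPTION_3DES"),
    ("FW_CRYPTO_PROTOCOL_AH",  "FW_CRYPTO_HASH_SHA1", "FW_CRYPTO_HASH_NONE", "FW_CRYPTO_ENCRYPTION_NONE"),
]
PHASE2_PFS_DEFAULT = "FW_PHASE2_CRYPTO_PFS_DISABLE"   # set in FwDefaultPrimaryCryptoSetsInit

# Editor's assessment of the individual algorithms against current guidance.
WEAK = {
    "FW_CRYPTO_KEY_EXCHANGE_DH2": "1024-bit MODP group (IKE group 2), below the 2048-bit floor",
    "FW_CRYPTO_ENCRYPTION_3DES": "64-bit block cipher; birthday bound reached after ~32 GB per key (Sweet32)",
    "FW_CRYPTO_HASH_SHA1": "SHA-1 based PRF/integrity, deprecated in current guidance",
}
NO_CONFIDENTIALITY = {"FW_CRYPTO_ENCRYPTION_NONE"}


def audit_phase1(suites) -> list[tuple[int, str, str]]:
    """(suite index, algorithm, reason) for every weak algorithm in a Phase 1 set."""
    return [(i, alg, WEAK[alg])
            for i, suite in enumerate(suites)
            for alg in suite if alg in WEAK]


def audit_phase2(suites, pfs) -> list[tuple[int | None, str, str]]:
    """Phase 2 findings; index None marks a set-level finding (PFS)."""
    findings: list[tuple[int | None, str, str]] = []
    if pfs == "FW_PHASE2_CRYPTO_PFS_DISABLE":
        findings.append((None, pfs, "no PFS: quick-mode keys derive from the Phase 1 DH secret alone"))
    for i, (proto, ah_hash, esp_hash, esp_enc) in enumerate(suites):
        if esp_enc in NO_CONFIDENTIALITY:
            findings.append((i, esp_enc, f"{proto} integrity-only suite; payload is not encrypted"))
        for alg in (ah_hash, esp_hash, esp_enc):
            if alg in WEAK:
                findings.append((i, alg, WEAK[alg]))
    return findings


def first_proposal_encrypts(suites) -> bool:
    """IKE peers offer proposals in list order (assumed here to be how Windows
    orders these suites), so the first suite is what a compatible peer gets."""
    return suites[0][3] not in NO_CONFIDENTIALITY


if __name__ == "__main__":
    for finding in audit_phase1(PHASE1_DEFAULT) + audit_phase2(PHASE2_DEFAULT, PHASE2_PFS_DEFAULT):
        print(finding)
    print("first Phase 2 proposal encrypts:", first_proposal_encrypts(PHASE2_DEFAULT))
```

The practical consequence is that a connection security rule which references the default Phase 2 crypto set, and a peer that accepts the first proposal, produce an authenticated but unencrypted SA; an environment that wants confidentiality must deploy its own CryptoSet objects rather than rely on FW_RULE_ORIGIN_HARDCODED defaults.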
  

<24> Section 3.1.3: Windows selects a default value for the ProfileConfiguration option and the GlobalConfiguration option. These configuration default values are secure, and it is recommended to use these values as default values. ProfileConfiguration option default values:

  
 FW_PROFILE_CONFIG_ENABLE_FW .- TRUE.
 FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE .- FALSE.
 FW_PROFILE_CONFIG_SHIELDED .- FALSE.
 FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST 
                                                            .- FALSE.
 FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS .- FALSE.
 FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS .- FALSE.
 FW_PROFILE_CONFIG_LOG_IGNORED_RULES .- TRUE.
 FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE .- 1024.
 FW_PROFILE_CONFIG_LOG_FILE_PATH .- L"".
 FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS .- FALSE.
 FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE .- TRUE.
 FW_PROFILE_CONFIG_DISABLED_INTERFACES .- {0}.
 FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION .- 0 (0 is allow).
 FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION.- 1 (1 is block).
  

GlobalConfiguration options default values:

  
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0200 
 on Windows Vista.
 FW_GLOBAL_CONFIG_POLICY_VERSION_SUPPORTED .- 0x0201 
 on Windows Vista SP1 and Windows Server 2008.
 FW_GLOBAL_CONFIG_CURRENT_PROFILE .- FW_PROFILE_TYPE_PUBLIC.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_FTP .- FALSE.
 FW_GLOBAL_CONFIG_DISABLE_STATEFUL_PPTP .- FALSE.
 FW_GLOBAL_CONFIG_SA_IDLE_TIME .- 300.
 FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING 
                    .- FW_GLOBAL_CONFIG_PRESHARED_KEY_ENCODING_UTF_8.
 FW_GLOBAL_CONFIG_IPSEC_EXEMPT 
                    .- FW_GLOBAL_CONFIG_IPSEC_EXEMPT_NEIGHBOR_DISC.
 FW_GLOBAL_CONFIG_CRL_CHECK .- 0.
 FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT 
             .- FW_GLOBAL_CONFIG_IPSEC_THROUGH_NAT_SERVER_BEHIND_NAT.
 FW_GLOBAL_CONFIG_POLICY_VERSION .- 0x0200.
 FW_GLOBAL_CONFIG_BINARY_VERSION_SUPPORTED .- 0x201. This value is 
 present only in Windows Vista SP1 and Windows Server 2008.
  
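The defaults in notes <10> and <24> are the baseline a compliance check should compare a live profile against. FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE being TRUE deserves particular attention: with note <25>, it means any member of Administrators or Network Configuration Operators can add local allow rules that merge with Group Policy rules. The following Python script is an added example, not code from [MS-FASP] or Windows: the snapshot is a constructed sample of what a client would assemble from per-profile configuration queries, and the WEAKENS and TIGHTEN tables are this editor's assessment of which settings matter and in which direction:

```python
"""Posture check of a profile configuration snapshot against the hard-coded
defaults in notes <10> and <24>.  Added example, not code from [MS-FASP] or
Windows: the sample snapshot is constructed, and the WEAKENS / TIGHTEN
tables are the editor's assessment, not statements of the specification."""
from __future__ import annotations

# Transcribed from note <24>.  FW_PROFILE_CONFIG_DISABLED_INTERFACES (an
# empty interface list) is omitted because it is not a scalar.
PROFILE_DEFAULTS = {
    "FW_PROFILE_CONFIG_ENABLE_FW": True,
    "FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE": False,
    "FW_PROFILE_CONFIG_SHIELDED": False,
    "FW_PROFILE_CONFIG_DISABLE_UNICAST_RESPONSES_TO_MULTICAST_BROADCAST": False,
    "FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS": False,
    "FW_PROFILE_CONFIG_LOG_SUCCESS_CONNECTIONS": False,
    "FW_PROFILE_CONFIG_LOG_IGNORED_RULES": True,
    "FW_PROFILE_CONFIG_LOG_MAX_FILE_SIZE": 1024,
    "FW_PROFILE_CONFIG_LOG_FILE_PATH": "",
    "FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS": False,
    "FW_PROFILE_CONFIG_AUTH_APPS_ALLOW_USER_PREF_MERGE": True,
    "FW_PROFILE_CONFIG_GLOBAL_PORTS_ALLOW_USER_PREF_MERGE": True,
    "FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE": True,
    "FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE": True,
    "FW_PROFILE_CONFIG_DEFAULT_OUTBOUND_ACTION": 0,   # 0 = allow
    "FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION": 1,    # 1 = block
}

# Values that move a profile away from the secure default (editor's list).
WEAKENS = {
    "FW_PROFILE_CONFIG_ENABLE_FW": False,
    "FW_PROFILE_CONFIG_DISABLE_STEALTH_MODE": True,
    "FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION": 0,
    "FW_PROFILE_CONFIG_DISABLE_INBOUND_NOTIFICATIONS": True,
}

# Defaults that a Group Policy managed environment usually tightens, and why.
TIGHTEN = {
    "FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS":
        (True, "dropped-packet logging is off by default; detection needs it"),
    "FW_PROFILE_CONFIG_ALLOW_LOCAL_POLICY_MERGE":
        (False, "with merge on, a local administrator (note <25>) can add allow rules beside GPO rules"),
    "FW_PROFILE_CONFIG_ALLOW_LOCAL_IPSEC_POLICY_MERGE":
        (False, "same exposure for locally written connection security rules"),
}


def check_profile(profile: str, snapshot: dict) -> dict:
    """Classify a snapshot into drift from the defaults, settings weakened
    relative to them, and defaults left at their out-of-box value that a
    managed host would normally tighten.  Keys absent from the snapshot are
    taken to be at the server default."""
    report = {"profile": profile, "drift": [], "weakened": [], "tighten": []}
    for key, default in PROFILE_DEFAULTS.items():
        value = snapshot.get(key, default)
        if value != default:
            report["drift"].append((key, default, value))
        if key in WEAKENS and value == WEAKENS[key]:
            report["weakened"].append(key)
    for key, (wanted, why) in TIGHTEN.items():
        if snapshot.get(key, PROFILE_DEFAULTS[key]) != wanted:
            report["tighten"].append((key, why))
    return report


# Constructed sample: a public profile where the firewall was switched off
# and the inbound default flipped to allow, but dropped-packet logging is on.
SAMPLE_PUBLIC = {
    "FW_PROFILE_CONFIG_ENABLE_FW": False,
    "FW_PROFILE_CONFIG_DEFAULT_INBOUND_ACTION": 0,
    "FW_PROFILE_CONFIG_LOG_DROPPED_PACKETS": True,
}

if __name__ == "__main__":
    for section, items in check_profile("public", SAMPLE_PUBLIC).items():
        print(section, items)
```

Reporting drift separately from weakening keeps a benign change (enabling dropped-packet logging) from being confused with a regression, while the tighten list makes explicit that an untouched out-of-box profile is not the same as a hardened one.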

<25> Section 3.1.4: In Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, security principals are identified by SIDs (see [MS-DTYP] section 2.4.2). The authorized clients are represented by the S-1-5-32-544 and the S-1-5-32-556 SIDs. If the client's identity token (see [MS-DTYP] section 2.5.2) does not contain at least one of these SIDs, the server fails the call.

<26> Section 3.1.4.6: Path validations were not performed in Windows Vista and Windows Server 2008 at edit time.

<27> Section 3.1.4.47: Path validations were not performed in Windows Vista and Windows Server 2008 at edit time.

<28> Section 3.1.6.5: Windows determines whether it is operating in common criteria mode by calling the BCryptGetFipsAlgorithmMode API. For more information, see [MSDN-BCryptGetFipsAlgorithmMode].

<29> Section 3.1.6.6: Windows enforces the effective firewall policy by converting the settings to Windows Filtering Platform filters. For more information, see [MSWFPSDK].
