summary: Internet Connection Firewall (ICF) configuration for Windows XP
last updated: Tuesday, July 16, 2002
prepared by: wje
test hardware: Gateway E3600
test OS: XP professional, Version 2002

------------
Overview
------------

The Internet provides access to a wealth of information and services by connecting users and systems. The availability of and access to data and systems has brought increased attention to computer and network security. In an attempt to address these concerns, Microsoft offers the option of the Internet Connection Firewall (ICF) in their Windows XP operating system.

ICF is software that you can use to set restrictions on the information that is communicated between your PC and the Internet. ICF provides protection from inbound traffic, that is, unsolicited data coming from the network to your PC. Commercial and freeware firewall software is available that provides protection for inbound and outbound traffic, but ICF does not fall into this category.

ICF is a "stateful" firewall that monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that the firewall handles. ICF maintains a table of all communications that have originated from the PC running ICF. Any unsolicited traffic from the public side of the network connection is then discarded. If enabled, ICF will create a security log so that all activity that is permitted or rejected is tracked.

------------
Requirements
------------

ICF is not started by default. To enable or disable ICF, you must be logged on as Administrator or as a user that is a member of the Administrators group.

-------------
Configuration
-------------

1. From the Windows Desktop click: Start -> Settings -> Control Panel -> Network Connections.
2. Right click on 'Local Area Connection' and choose Properties.
3. In the 'Local Area Connection Properties' box select the 'Advanced' tab.
4.
Activate ICF by checking the box that states 'Protect my computer and network by limiting or preventing access to this computer from the Internet'.
5. Click on the 'Settings' box in the lower right.
6. Under the 'Services' tab leave all boxes unchecked.
7. Select the 'Security Logging' tab.
8. Under 'Logging Options' check both boxes: 'Log dropped packets' and 'Log successful connections'.
9. Under 'Log file options' use the default options of C:\WINDOWS\pfirewall.log for Name and 4096 KB for size limit.
10. Select the 'ICMP' tab.
11. Check the boxes for the following:
    Allow incoming echo requests
    Allow outgoing destination unreachables
    Allow outgoing time exceeded
    Allow outgoing parameter problem
12. Select 'OK' from the 'Advanced Settings' box.
13. Select 'OK' from the 'Local Area Connection Properties' box.

---------------
Troubleshooting
---------------

Enabling ICF affects connectivity from external hosts to the local PC. To determine if ICF is the source of a network problem, disable ICF. Follow these steps:

1. From the Windows Desktop click: Start -> Settings -> Control Panel -> Network Connections.
2. Right click on 'Local Area Connection' and choose Properties.
3. In the 'Local Area Connection Properties' box select the 'Advanced' tab.
4. Activate ICF by checking the box that states 'Protect my computer and network by limiting or preventing access to this computer from the Internet'.
5. Recreate the connection attempt by having a host initiate a connection to the local PC. If the connection is successful, ICF might be misconfigured or too restrictive.
6. Review the services and ICMP requests that were allowed and denied on ICF to determine if the firewall was misconfigured or too restrictive.

-----
Notes
-----

ICF, using the configuration above, will prevent the host from acting as a server and will prevent legacy Windows file/printer sharing services from operating.
To enable file sharing or other servers on the host, configuration changes to the ICF rules need to be applied. A future revision of this document will detail the necessary changes to enable file/print sharing services. Warning: it is strongly recommended that unnecessary servers not be enabled, as they may make the PC more vulnerable to a network-based attack. Reconfigure ICF at your own risk!

Please note that during testing of ICF, it was discovered that the busy search function for GroupWise does not function properly when ICF is enabled. Currently a workaround has not been released by the DePaul INFOSEC team.

----------
References
----------

Use the Internet Connection Firewall to Secure Your Small Network
http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp

The Internet Connection Firewall Can Prevent Browsing and File Sharing
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q298804

Microsoft's Internet Connection Firewall Feature Overview
http://www.microsoft.com/windowsxp/pro/techinfo/planning/firewall/default.asp

-------
Changes
-------

2002-07-10 Document creation date
2002-07-11 Minor edits (jtk)
2002-07-16 Fixed ICMP rules, removed timestamp and added param prob
2002-11-15 Minor edits (wje) - Groupwise conflicts
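The security log enabled in Configuration steps 8 and 9 (C:\WINDOWS\pfirewall.log) is what the Troubleshooting section asks you to review. As an added example that is not part of the original document, the following Python script reads that log and counts the DROP entries per destination port, so the reviewer can see at a glance which inbound services and ICMP types the firewall rejected. The log lines are constructed for this example; the parser takes the column names from the file's own #Fields header (the W3C extended format ICF writes) rather than assuming a fixed column order.

```python
"""Summarise dropped traffic from an ICF security log (pfirewall.log)."""
from collections import Counter

# Constructed sample log in the W3C extended format ICF writes. The ICMP
# entry is a type 13 (timestamp request), which the configuration in this
# document does not allow inbound, so ICF drops and logs it.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2002-07-16 09:12:01 OPEN TCP 192.0.2.10 198.51.100.5 1045 80 - - - - - - - -
2002-07-16 09:12:03 DROP TCP 203.0.113.7 192.0.2.10 3321 139 48 S 1122334455 0 16384 - - -
2002-07-16 09:12:04 DROP TCP 203.0.113.7 192.0.2.10 3322 445 48 S 1122334456 0 16384 - - -
2002-07-16 09:12:05 DROP ICMP 203.0.113.9 192.0.2.10 - - 60 - - - - 13 0 -
2002-07-16 09:12:06 CLOSE TCP 192.0.2.10 198.51.100.5 1045 80 - - - - - - - -
"""


def parse_icf_log(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the file
            continue
        if not line or line.startswith("#"):
            continue                       # other header lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # truncated line: skip, do not guess
        yield dict(zip(fields, values))


def dropped_by_port(text):
    """Count DROP entries per destination; ICMP is keyed as 'icmp/<type>'."""
    counts = Counter()
    for entry in parse_icf_log(text):
        if entry["action"] != "DROP":
            continue
        if entry["protocol"] == "ICMP":
            key = "icmp/" + entry["icmptype"]
        else:
            key = entry["protocol"].lower() + "/" + entry["dst-port"]
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # On a real host read C:\WINDOWS\pfirewall.log instead of SAMPLE_LOG.
    for key, n in dropped_by_port(SAMPLE_LOG).most_common():
        print(f"{key:10} {n}")
```

In the sample, the two TCP drops on ports 139 and 445 are the legacy file/printer sharing services the Notes section says this configuration blocks.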