WindowsXP SP2 防火墙设置说明Word文件下载.docx

WindowsXP SP2 防火墙设置说明Word文件下载.docx

《WindowsXP SP2 防火墙设置说明Word文件下载.docx》由会员分享，可在线阅读，更多相关《WindowsXP SP2 防火墙设置说明Word文件下载.docx（60页珍藏版）》请在冰豆网上搜索。

TheinformationcontainedinthisdocumentrepresentsthecurrentviewofMicrosoftCorporationontheissuesdiscussedasofthedateofpublication.BecauseMicrosoftmustrespondtochangingmarketconditions,itshouldnotbeinterpretedtobeacommitmentonthepartofMicrosoft,andMicrosoftcannotguaranteetheaccuracyofanyinformationpresentedafterthedateofpublication.

Thisdocumentisforinformationalpurposesonly.MICROSOFTMAKESNOWARRANTIES,EXPRESSORIMPLIED,ASTOTHEINFORMATIONINTHISDOCUMENT.

Complyingwithallapplicablecopyrightlawsistheresponsibilityoftheuser.Withoutlimitingtherightsundercopyright,nopartofthisdocumentmaybereproduced,storedinorintroducedintoaretrievalsystem,ortransmittedinanyformorbyanymeans（electronic,mechanical,photocopying,recording,orotherwise）,orforanypurpose,withouttheexpresswrittenpermissionofMicrosoftCorporation.

Microsoftmayhavepatents,patentapplications,trademarks,copyrights,orotherintellectualpropertyrightscoveringsubjectmatterinthisdocument.ExceptasexpresslyprovidedinanywrittenlicenseagreementfromMicrosoft,thefurnishingofthisdocumentdoesnotgiveyouanylicensetothesepatents,trademarks,copyrights,orotherintellectualproperty.

Theexamplecompanies,organizations,products,peopleandeventsdepictedhereinarefictitious.Noassociationwithanyrealcompany,organization,product,personoreventisintendedorshouldbeinferred.

©

2004MicrosoftCorporation.Allrightsreserved.

Microsoft,Windows,WindowsNT,andActiveDirectoryareeitherregisteredtrademarksortrademarksofMicrosoftCorporationintheUnitedStatesand/orothercountries.

Thenamesofactualcompaniesandproductsmentionedhereinmaybethetrademarksoftheirrespectiveowners.

Contents

Overview1

NewFeaturesofWindowsFirewall1

EnabledbyDefaultforAlloftheConnectionsoftheComputer1

NewGlobalConfigurationOptionsthatApplytoAllConnections2

NewWindowsFirewallComponentofControlPanel2

NewOperatingMode3

StartupSecurity3

IncomingTrafficScoping3

ExceptedTrafficCanBeSpecifiedbyProgramFilename3

Built-inSupportforIPv64

NewConfigurationOptions4

ConfigurationUsingGroupPolicySettings5

WindowsXPSP2andtheImpacttoEnterpriseNetworks5

AllowingUserstoInstallWindowsXPSP2fromWindowsUpdate7

UsingWindowsXPSP2WindowsFirewallandIPSec7

DeployingWindowsFirewallSettingsWithGroupPolicy9

Step1:

UpdatingYourGroupPolicyObjectsWiththeNewWindowsFirewallSettings9

Step2:

SpecifyingWindowsFirewallSettingsforYourGroupPolicyObjects11

RecommendedSettingsforWindowsFirewallGroupPolicySettings13

GroupPolicySettingsinMixedWindowsXPEnvironments13

DeployingWindowsFirewallSettingsWithoutGroupPolicy15

AppendixA:

WindowsFirewallGroupPolicySettings17

WindowsFirewall:

AllowAuthenticatedIPSecBypass17

ProtectAllNetworkConnections19

DoNotAllowExceptions20

DefineProgramExceptions21

AllowLocalProgramExceptions23

AllowRemoteAdministrationException24

AllowFileandPrintSharingException25

AllowICMPExceptions27

AllowRemoteDesktopException28

AllowUPnPFrameworkException29

ProhibitNotifications30

AllowLogging31

ProhibitUnicastResponsetoMulticastorBroadcastRequests32

DefinePortExceptions33

AllowLocalPortExceptions35

AppendixB:

NetshCommandSyntaxfortheNetshFirewallContext37

addallowedprogram37

setallowedprogram38

deleteallowedprogram39

seticmpsetting39

setmulticastbroadcastresponse40

setnotifications41

setlogging41

setopmode42

addportopening42

setportopening43

deleteportopening44

setservice45

showcommands46

reset46

AppendixC:

DeployingWindowsFirewallSettingsinaWindowsNT4.0Domain47

AppendixD:

AllowingRemoteAssistanceSupport48

EnablingSolicitedRemoteAssistance48

EnablingOffer-basedRemoteAssistance48

AppendixE:

ExampleofUsingtheUnattend.txtFile49

AppendixF:

ExampleofUsingtheNetfw.infFile51

AppendixG:

PortNumbersforMicrosoftApplicationsandServices52

Summary53

RelatedLinks54

Overview

WindowsXPServicePack2（SP2）includestheWindowsFirewall,areplacementforthefeaturepreviouslyknownastheInternetConnectionFirewall（ICF）.WindowsFirewallisastatefulhostfirewallthatdropsallunsolicitedincomingtrafficthatdoesnotcorrespondtoeithertrafficsentinresponsetoarequestofthecomputer（solicitedtraffic）orunsolicitedtrafficthathasbeenspecifiedasallowed（exceptedtraffic）.ThisbehaviorofWindowsFirewallprovidesalevelofprotectionfrommalicioususersandprogramsthatuseunsolicitedincomingtraffictoattackcomputers.WiththeexceptionofsomeInternetControlMessageProtocol（ICMP）messages,WindowsFirewalldoesnotdropoutgoingtraffic.

NewFeaturesofWindowsFirewall

InWindowsXPSP2,therearemanynewfeaturesfortheWindowsFirewall,includingthefollowing:

Enabledbydefaultforalloftheconnectionsofthecomputer

Newglobalconfigurationoptionsthatapplytoallconnections

NewWindowsFirewallcomponentofControlPanel

Newoperatingmode

Startupsecurity

IncomingtrafficscopingforIPv4

Exceptedtrafficcanbespecifiedbyprogramfilename

Built-insupportforIPv6

Newconfigurationoptions

Configurationusinggrouppolicysettings

EnabledbyDefaultforAlloftheConnectionsoftheComputer

InWindowsXPwithServicePack1（SP1）andWindowsXPwithnoservicepacksinstalled,ICFisdisabledbydefaultforallconnections,unlessenabledforanInternetconnectionbytheNetworkSetupWizardorInternetConnectionWizard.YoucanmanuallyenableICFthroughasinglecheckboxontheAdvancedtabofthepropertiesofaconnection,fromwhichyoucanalsoconfigurethesetofexceptedtrafficbyspecifyingTransmissionControlProtocol（TCP）orUserDatagramProtocol（UDP）ports.

WindowsFirewallinWindowsXPSP2isgloballyenabledbydefault.Thismeansthat,bydefault,alltheconnectionsofacomputerrunningWindowsXPwithSP2haveWindowsFirewallenabled,includingLAN（wiredandwireless）,dial-up,andvirtualprivatenetwork（VPN）connections.NewconnectionsalsohaveWindowsFirewallenabledbydefault.

AlthoughthisprovidesmoreprotectionforWindowsXP-basedcomputers,thisdefaultbehaviorcanhaveconsequencesfortheinformationtechnology（IT）departmentofanorganizationnetworkwithregardstoapplicationcompatibilityandtheabilitytomanagethecomputersonthenetwork.Formoreinformation,see"

WindowsXPSP2andtheImpacttoEnterpriseNetworks"

inthisarticle.

NewGlobalConfigurationOptionsthatApplytoAllConnections

WindowsFirewallinWindowsXPSP2allowsyoutoconfiguresettingsthatapplytoalltheconnectionsofthecomputer（globalconfiguration）.InWindowsXPwithSP1andWindowsXPwithnoservicepacksinstalled,ICFsettingsareconfiguredperconnection,whichmeansthatifyouwanttoenableICFonmultipleconnectionsandconfigureexceptedtraffic,youmustconfigureeachconnectionseparately.WhenyouchangeaglobalWindowsFirewallsetting,thechangeisappliedtoalltheconnectionsonwhichWindowsFirewallisenabled.

WindowsFirewallinWindowsXPSP2alsoallowsper-connectionconfiguration.Connection-specificconfigurationoverridesglobalconfiguration.

NewWindowsFirewallComponentofControlPanel

ThesettingsforICFinWindowsXPwithSP1andWindowsXPwithnoservicepacksinstalledconsistoftheProtectmycomputerandnetworkbylimitingorpreventingaccesstothiscomputerfromtheInternetcheckboxontheAdvancedtabofthepropertiesofaconnection,andaSettingsbuttonfromwhichyoucanconfigureexceptedtraffic,loggingsettings,andexceptedICMPtraffic.

InWindowsXPSP2,thecheckboxontheAdvancedtabofthepropertiesofaconnectionhasbeenreplacedwithaSettingsbutton,whichlaunchesthenewWindowsFirewallcomponentinControlPanel,fromwhichyoucanconfiguregeneralsettings,exceptionsforprograms（applicationsandservices）,connection-specificsettings,logsettings,andexceptedICMPtraffic.ThefollowingfigureshowsthenewWindowsFirewalldialogbox.

YoucanalsoconfigureWindowsFirewallfromthenewSecurityCenter.

ForadetaileddescriptionofthesettingsandoptionsofthenewWindowsFirewallcomponentinControlPanel,seeManuallyConfiguringWindowsFirewallinWindowsXP