Windows as a Firewall
Overview
Since Windows NT 4, Windows has supported basic packet filtering to block ports and to help
secure servers against attacks. Windows 2000 significantly improved the filtering to allow outbound
filtering as well and to add support for Network Address Translation. Windows Server versions also
support routing and PPTP VPN tunneling. Windows 2000 adds support for IPSec transport mode
and for L2TP.
Despite the array of firewall features supported by Windows, the core TCP/IP stack is not
sufficiently hardened to withstand serious attack from the Internet. Although many of the most
egregious denial-of-service attacks have been patched against, any sustained flood attack will
cause cascading failure that will at least render the server inoperable for a period of time.
Microsoft's Proxy Server products are also not hardened enough to compete as true firewalls. The
new Internet Security Server appears to be much stronger, but is too new to have much real-world
information on.
This chapter covers the firewalling features of Windows, but you should always consider them to be
supplemental protection for servers that are primarily defended by a true firewall.
Windows NT 4
The Windows NT 4 operating system is not a firewall. Windows NT supports simple packet and
PPTP filtering, but not Network Address Translation or application proxy services without additional
software. In addition, its TCP/IP stack is not hardened completely against malformed packets,
although an NT 4 installation with all the latest patches will not fall prey to the most virulent attacks.
Windows NT was not designed to operate as a firewall; rather, it was designed for higher network
performance. The consistency checks that firewalls must perform on each received TCP/IP packet
require a considerable compute load, which would be too much for a heavily loaded server to deal
with. This is one reason why firewalls should be isolated on dedicated machines.
A Windows NT default installation's TCP/IP stack is not hardened and is vulnerable to a number of
well-known exploits. For example, prior to the release of Service Pack 3, Windows NT did not
check for the presence of a proper 0th packet in a fragment; rather, when a packet arrived with its
end-of-fragment bit set, NT would simply conjoin the data it had already received, regardless of
fragment numbering, and pass the data up. This meant that any hacker with a copy of Linux could
build his TCP/IP stack to make every IP packet claim to be the 1st packet instead of the 0th packet.
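The reassembly defect just described, as an added example that is not from the chapter or from Windows: a small Python model with a lenient reassembler that behaves the way the pre-SP3 stack is described (conjoining whatever has arrived once the end-of-fragment bit is seen) beside a strict one that refuses the datagram unless a 0th fragment is present and the fragments tile it contiguously. Offsets are modelled in bytes rather than IP's 8-byte units, and the Fragment type and the sample datagrams are constructed for the example.

```python
"""Constructed model of IP fragment reassembly (example code, not Windows NT
source). Offsets are in bytes for clarity; real IP offsets are in 8-byte units."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Fragment:
    offset: int   # position of this fragment's data in the original datagram
    more: bool    # IP "more fragments" flag; False marks the end-of-fragment packet
    data: bytes


def lenient_reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Behaviour the chapter attributes to NT before Service Pack 3: once a
    fragment with the end-of-fragment bit set has arrived, conjoin everything
    received so far in arrival order, without checking that fragment 0 exists
    or that the offsets fit together."""
    if not any(not f.more for f in frags):
        return None                       # still waiting for the last fragment
    return b"".join(f.data for f in frags)


def strict_reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Reassemble only when a 0th fragment exists, exactly one fragment carries
    the end-of-fragment bit and it is the highest-offset one, and the fragments
    tile the datagram with no gap or overlap. Anything else is discarded."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or ordered[0].offset != 0:
        return None                       # no proper 0th fragment: refuse
    finals = [f for f in ordered if not f.more]
    if len(finals) != 1 or finals[0] is not ordered[-1]:
        return None                       # missing or misplaced final fragment
    expected, out = 0, bytearray()
    for f in ordered:
        if f.offset != expected:
            return None                   # gap or overlap between fragments
        out += f.data
        expected += len(f.data)
    return bytes(out)


# Constructed sample datagrams.
WELL_FORMED = [Fragment(0, True, b"GET / "), Fragment(6, False, b"HTTP/1.0")]
NO_ZEROTH = [Fragment(8, True, b"AAAA"), Fragment(8, False, b"BBBB")]  # every piece claims offset 8
INCOMPLETE = [Fragment(0, True, b"partial")]                            # end never arrives

if __name__ == "__main__":
    for name, frags in [("well-formed", WELL_FORMED), ("no 0th fragment", NO_ZEROTH),
                        ("incomplete", INCOMPLETE)]:
        print(f"{name:16} lenient={lenient_reassemble(frags)!r:22} "
              f"strict={strict_reassemble(frags)!r}")
```

The lenient path accepts the datagram that never claims offset 0; the strict path drops it and also drops a datagram with a gap between fragments, which is the consistency check the chapter says a hardened stack must perform on every packet.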
• Packet filtering
• Encrypted tunneling
• Encrypted authentication
Unlike most modern firewalls, Windows NT cannot easily share firewall policy with other servers, but
sophisticated NT administrators can create registry scripts that can be applied across a range of
machines by clicking the script on each machine. Nonetheless, this minimal functionality makes it
difficult to configure security consistently across a range of machines.
Windows NT's firewalling features are most appropriate in the role for which they were created:
additional security on multipurpose servers. You can (and should) configure all your Windows NT
servers to allow only those TCP protocols for services you intend to provide.
Packet Filtering
Windows NT provides a stateless packet filter. Stateless packet filters make their decisions based
only on information contained within each packet; they do not retain information about connections
or other higher-level constructions.
The packet filter is capable of blocking TCP, UDP, or IP protocols individually for each interface.
The filter can only be configured to pass all protocols or to pass specific protocols. It cannot be
configured to block specific protocols. The packet filter blocks only inbound packets. All outbound
packets are transmitted.
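To make the allow-only, inbound-only, stateless semantics concrete, here is an added Python model (example code, not NT's filter implementation). It assumes a simplified rule set: the TCP and UDP port lists govern those two transports, the IP-protocol list governs everything else, None stands for the "Permit All" choice, and a frozenset stands for "Permit Only" with the listed values. The WEB_ONLY policy and the packets are constructed for the example.

```python
"""Constructed model of the Windows NT allow-only, inbound-only, stateless
packet filter (example code, not NT's implementation). Simplifying assumption:
the IP-protocol list governs protocols other than TCP and UDP, which are
governed by their own port lists."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

TCP, UDP, ICMP = 6, 17, 1      # IP protocol numbers


@dataclass(frozen=True)
class FilterPolicy:
    # None models "Permit All" for that transport; a frozenset models "Permit
    # Only" with the listed values. There is no way to express "block these".
    tcp_ports: Optional[FrozenSet[int]] = None
    udp_ports: Optional[FrozenSet[int]] = None
    ip_protocols: Optional[FrozenSet[int]] = None


@dataclass(frozen=True)
class Packet:
    inbound: bool
    protocol: int
    dst_port: Optional[int] = None   # only meaningful for TCP/UDP


def permitted(policy: FilterPolicy, pkt: Packet) -> bool:
    """Decide on this packet alone: no connection table, no memory of earlier
    packets, and nothing outbound is ever examined."""
    if not pkt.inbound:
        return True
    if pkt.protocol == TCP:
        return policy.tcp_ports is None or pkt.dst_port in policy.tcp_ports
    if pkt.protocol == UDP:
        return policy.udp_ports is None or pkt.dst_port in policy.udp_ports
    return policy.ip_protocols is None or pkt.protocol in policy.ip_protocols


# Constructed policy: a web server that should answer HTTP and nothing else.
WEB_ONLY = FilterPolicy(tcp_ports=frozenset({80}), udp_ports=frozenset(),
                        ip_protocols=frozenset())


def client_reply_survives(policy: FilterPolicy, ephemeral_port: int = 1025) -> bool:
    """Stateless consequence: if the filtered host itself opens a connection to
    a remote web server, the outbound SYN passes, but the reply arrives
    addressed to the host's ephemeral port, which the allow-only list never
    mentions. A stateful filter would recognise it as return traffic; this
    one cannot."""
    syn_out = Packet(inbound=False, protocol=TCP, dst_port=80)
    reply_in = Packet(inbound=True, protocol=TCP, dst_port=ephemeral_port)
    return permitted(policy, syn_out) and permitted(policy, reply_in)


if __name__ == "__main__":
    for pkt in [Packet(True, TCP, 80), Packet(True, TCP, 139), Packet(True, UDP, 137),
                Packet(True, ICMP), Packet(False, TCP, 139)]:
        print(pkt, "PASS" if permitted(WEB_ONLY, pkt) else "DROP")
    print("reply to own outbound connection survives:", client_reply_survives(WEB_ONLY))
```

The last check is why the chapter places this filter in the role of supplemental protection for a server: a policy tight enough to drop NetBIOS on port 139 also drops the replies to any connection the server itself initiates, because no per-packet rule can tell return traffic from an unsolicited probe.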
Packet filters are configured by opening the network Control Panel to the TCP/IP protocol and
clicking the Advanced button in the IP address panel. PPTP filtering, which blocks all packets
except PPTP packets, can be enabled by checking the Enable PPTP filtering option.
Enabling all other forms of packet filtering is performed by checking the Enable Security option and
then clicking the Configure button. You can then select the Allow Only radio button and enter the
protocols you want to allow for each transport. Figure 15.1 shows the Windows NT packet filtering
dialogs.
Figure 15.1: Windows NT Packet Filter Configuration
Tunneling
Microsoft included the Point-to-Point Tunneling Protocol (PPTP) with Windows NT to allow secure
remote access. Microsoft provides two levels of security with PPTP corresponding to the U.S.
Client Requirements
There are two sets of requirements for connecting remote computers to your
LAN via PPTP. If you set up a class of service with the ISP that the client computer will be using
and that service includes establishing a PPTP tunnel, the client computer needs only to dial up the
ISP using the PPP protocol. The client computer will then be able to do anything that it would be
able to do if it had dialed directly into the RAS server on your LAN. Before the client can connect in
this manner, however, you will have to negotiate with the ISP to set up the service.
On the other hand, if the ISP does not offer the PPTP service (or if you don't want to use the ISP's
service), the client computer must support the PPTP protocol itself. Microsoft provided client
software for all versions of Windows and the Mac OS that allows these operating systems to
connect to an RAS server via PPTP.
The client computer must also have a connection to an Internet service provider. This connection
can be a temporary connection made via a regular modem, ISDN, or xDSL, or it can be a
permanent connection made by a cable modem or a leased line. In summary, the requirements for
a remote client are as follows:
• Windows (95 or later), or Mac OS
• PPTP-capable dial-in software
• A temporary or permanent Internet connection
Establishing and Securing the VPN
To establish a VPN, you need the RAS software and the
PPTP protocol on at least one server computer in each LAN. The RAS and PPTP software can be
found in the i386 (or Alpha) directory of the Windows NT 4 Server installation CD-ROM. You should
add RAS from the Services tab and PPTP from the Protocols tab of the Network Control Panel
program.
When you add PPTP to the services supported by NT, you must specify how many Virtual Private
Networks RAS will support. You can enter a number from 1 to 256. This number should equal the
number of other LANs this RAS server will maintain connections to, in addition to the maximum
number of simultaneous remote computer users.
In Remote Access Setup, you will need to add the VPN ports that will appear in the RAS-capable
devices list. The number of VPN ports that appear will match the number of PPTP connections
you chose to support.
By default, all of the VPN ports will be configured to only accept connections. To establish a
Disable LAN Manager authentication on both the PPTP client(s) and server(s). (In
Windows 98 LAN Manager authentication is disabled by default.)
Microsoft's 40-Bit Encryption Is Weak and Flawed
With Windows 95, 98, and NT you have the option of using 40-bit encryption or 128-bit encryption
for authentication and encrypted communication. In addition to being weak (the 40-bit key makes
the encrypted communication relatively easy to crack using brute-force cryptanalysis), the 40-bit
protocol used by Microsoft does not salt (modify with a random number provided by the server) the
key used to establish the session. The key is simply generated from the LAN Manager hash of the
user's password, and since the password will not change from one session to the next, neither will
the key.
On the other hand, the 128-bit encryption does salt the key with a number provided by the server,
thereby resulting in a different key for each session. Note, however, that the key is still based on a
hash of the user's password, and most passwords contain much less than 128 bits of randomness
(unguessability). Passwords with non-alphanumeric characters in them are much more difficult to
crack than short, alphanumeric passwords.
Tip
Use only 128-bit encryption on PPTP clients and servers. Require passwords
with non-alphanumeric characters for PPTP users.
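The key-derivation difference behind this tip, as an added Python example that is not from the chapter and does not reproduce Microsoft's MPPE or MS-CHAP algorithms: a SHA-256 digest stands in for the LAN Manager hash, one derivation ignores the server's random number (the unsalted 40-bit structure) and the other mixes it in (the salted 128-bit structure), and a simulated run of several logons shows which one reuses its key. The entropy estimator is an upper bound on how much randomness a password of a given length and character mix can contribute, illustrating why even the salted key is bounded by the password. The sample passwords are constructed.

```python
"""Constructed model of the key-derivation difference the chapter describes
(example code, not Microsoft's MPPE/MS-CHAP algorithms). A SHA-256 digest
stands in for the LAN Manager hash; only the salted/unsalted structure and
the key sizes follow the text."""
import hashlib
import math
import os
import string
from typing import Callable


def password_hash(password: str) -> bytes:
    """Stand-in for the stored LAN Manager hash: fixed for a fixed password."""
    return hashlib.sha256(b"lm-stand-in:" + password.encode("utf-8")).digest()


def unsalted_40bit_key(pw_hash: bytes, server_nonce: bytes) -> bytes:
    """40-bit style: derived from the password hash alone. The server's random
    number is accepted for interface symmetry but deliberately not used, so
    every session with the same password yields the same key."""
    return hashlib.sha256(pw_hash).digest()[:5]        # 5 bytes = 40 bits


def salted_128bit_key(pw_hash: bytes, server_nonce: bytes) -> bytes:
    """128-bit style: the server-supplied nonce is mixed in, so the key changes
    per session even though the password hash does not."""
    return hashlib.sha256(pw_hash + server_nonce).digest()[:16]   # 16 bytes = 128 bits


def distinct_keys_over_sessions(password: str,
                                derive: Callable[[bytes, bytes], bytes],
                                sessions: int = 5) -> int:
    """Simulate several logons with fresh server nonces and count distinct
    session keys. A result of 1 means the key is reused across sessions."""
    pw_hash = password_hash(password)
    return len({derive(pw_hash, os.urandom(16)) for _ in range(sessions)})


def password_entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(alphabet size), where the alphabet is
    the union of character classes actually used. Real user-chosen passwords
    hold far less than this bound, and even the bound sits far below 128 bits."""
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            alphabet += len(cls)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    print("40-bit unsalted, distinct keys over 5 sessions:",
          distinct_keys_over_sessions("Summer99", unsalted_40bit_key))
    print("128-bit salted,  distinct keys over 5 sessions:",
          distinct_keys_over_sessions("Summer99", salted_128bit_key))
    for pw in ("summer99", "Summer99", "Su#mer!99"):
        print(f"{pw:12} <= {password_entropy_bits(pw):5.1f} bits of entropy")
```

Salting removes the fixed key across sessions but not the dependence on the password, which is why the tip pairs 128-bit encryption with a requirement for non-alphanumeric characters: the second measure raises the only bound the first one leaves in place.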
PPTP Clients Are Vulnerable to Internet Attack
The remote PPTP clients to your network have two network connections—one network connection
to their ISP and another (through the ISP) to your network. You must make sure that hackers can't
penetrate the client computer through the IP connection at the ISP and then come in through the
PPTP connection established by that client (or establish a PPTP connection of their own after
having captured the passwords and network configuration information stored on the client).
A properly secured client will not export network services that can be compromised by network
intruders, such as web or FTP servers. By no means should the client have file and print sharing
enabled; Internet users would be able to see the NetBIOS ports as well as the members of your
VPN. The Internet client software (web browsers and mail software) should be kept up to date; bug
fixes and security updates should be applied promptly.