Harsh Shah's eBlog

Sharing views on Windows Embedded Technologies and Devices

  • Removing Windows Firewall from SP2 Configuration to reduce footprint

    Hello All,

    Are you looking for a low-footprint SP2 image? Here is one way to reduce the footprint if you don't need Windows Firewall in your configuration (Note: in general, keeping Windows Firewall in the runtime is recommended; remove it only when the device is not network-exposed or another firewall sits in front of it):

    1. Create a new SP2 configuration and import PMQ for your system.
    2. Add any other components that you want in your configuration with the following exceptions:
        A) If you add "Retail Point of Sale Terminal" macro, go to settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
        B) If you add "Home Gateway" macro, go to settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
        C) If you add "Networking Application Compatibility" macro, go to settings of this component and uncheck following:
     "Windows Firewall/Internet Connection Sharing (ICS)"
     "Windows Firewall Control Panel"
     "Core Networking"
     "Connection Manager Runtime"
        D) If you add any of the following components manually to your runtime, Windows Firewall will be pulled into your runtime as a dependency:
     Connection Manager Runtime
     Security Center
     Windows Firewall Control Panel
     Windows .Net Messenger
    3. Manually add "Core Networking" component in your configuration. Go to settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
    4. Run dependency check and build image.

  • Retail-optimized XP Embedded Operating System

    Microsoft just announced the development of customized windows embedded OS targeted towards retail POS systems. Check it out at:

    http://msdn.microsoft.com/embedded/getstart/devplat/pos/default.aspx

    This is a part of Smarter Retailing Initiative from Microsoft. For information on this initiative, visit following site:

    http://www.microsoft.com/resources/retail/


  • Windows XP Embedded with eTRUST Antivirus Software!

    Computer Associates released eTrust Antivirus software for XP Embedded yesterday. It promises a minimal footprint starting at under 6MB and compatibility with XP Embedded SP2. It provides protection against viruses and a variety of other network-based threats, and essential updates of virus signatures for ongoing security. Check it out at:

    http://ca.com/channel/oem/eav.htm

  • Free XP Embedded SP2 Tech Preview is Available

    XP Embedded SP2 Tech preview is available for download from the following site:

    http://download.microsoft.com/download/D/5/5/D55A381F-F2B7-4787-8A43-0D79CF8B8C35/XPEFFI.exe

    For more information on what is new in XP Embedded SP2, check out the following article:

    http://www.windowsfordevices.com/news/NS9761865541.html

  • How to configure Firewall in XPE SP2?

    Hi All:

    Windows XP Embedded SP2 is coming, and one of the major features that has changed is Windows Firewall. The firewall is enabled by default in SP2, so you will need to open the ports used by your applications. Here is how you can configure Windows Firewall in XPE SP2:

    To configure the firewall pre-FBA (offline) you can do one of the following:

    1. In the TD configuration, go to the "Windows Firewall/Internet Connection Sharing (ICS)" component and modify its settings.

    2. If you have already built the image and want to change firewall options without rebuilding it, you can do one of the following:

                    A) Use the firewall configuration information file (netfw.inf). This file is located in your image folder under the "windows\inf" directory.


    This file has two sections, one per firewall profile:

    [ICF.AddReg.DomainProfile] - settings under this section apply when the device is joined to a domain and is attached to a network where its domain controllers are reachable (the domain profile).

    [ICF.AddReg.StandardProfile] - settings under this section apply in every other case, including standalone (workgroup) devices, which is the usual case for an embedded runtime. The profile is chosen by network location, not by which account is logged on; if a device can end up in either situation, make the same changes in both sections.

    The following settings are available under each of the above sections (the entries shown are from the StandardProfile section; the value shown for each setting is the default value):


    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1

    - EnableFirewall = Enable Firewall?                Values: 0 = Firewall Off,  1= Firewall On (default)


    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0

    -DoNotAllowExceptions = Don’t allow any exceptions?               Values: 0 = Allow Exceptions (default),  1 = No Exceptions


    NOTE:

    - If you want to turn on the firewall w/o any exceptions, set EnableFirewall = 1 and DoNotAllowExceptions = 1

    - If you want to turn on the firewall with exceptions, set EnableFirewall = 1 and DoNotAllowExceptions = 0

    - If you want to turn off the firewall, set EnableFirewall = 0. (The value you set for DoNotAllowExceptions does not matter until the firewall is turned on in the runtime; at that point it becomes the starting value for allowing exceptions.)


    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DisableNotifications",0x00010001,0

    - DisableNotifications = Disable Firewall Notifications when a program is blocked?           Values: 0 = Notify when a program is blocked (default),  1=DON’T notify when a program is blocked.


    All ICMP settings are under the IcmpSettings subkey (the default is to NOT allow any inbound ICMP request; enable only the types you need, e.g. AllowInboundEchoRequest if the device must answer ping).

    For e.g.

    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings","AllowInboundTimeStampRequest",0x00010001,0

    - AllowInboundTimeStampRequest = Allow incoming timestamp request?              Values: 0 = No (default), 1 = Yes


    List of Authorized Applications:

    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"

    The last part of the entry is formatted as:

    "%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"

    (Path to program executable):(Scope – LocalSubnet, or * for any source):(Enabled/Disabled):(Program Name)

    The fields are separated by colons with no surrounding spaces, and the program path is also used as the registry value name.

    There is only one application authorized by default – Remote Assistance. You can, however, add more entries here. Here is how you would add your application, myapp.exe, to the authorized application list and enable it for the local subnet:

    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","C:\Program Files\Applications\myapp.exe",0x00000000,"C:\Program Files\Applications\myapp.exe:LocalSubnet:Enabled:My Application"

    Use the LocalSubnet scope unless the application really must accept connections from any network: an entry with scope * is reachable from every source the device can see. If the device does not need Remote Assistance, set its entry to Disabled or remove it.


    List of Port Openings:

    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","137:UDP",0x00000000,"137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"

    The last part of this entry is formatted as:

    "137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"

    (Port Number (1-65535)):(Protocol (UDP/TCP)):(Scope (LocalSubnet/*)):(Enabled/Disabled):(Port Name)

    Port openings can be added either as enabled or disabled. If a port opening entry is disabled, that port is effectively blocked by the firewall until the entry is enabled in the runtime. There are 7 port opening entries by default and all of them are disabled. You can edit those entries to enable some port opening(s), or you can add new entries. For example, you can edit the above entry to enable it for any source (this exposes the NetBIOS name service to every network the device is attached to, so prefer LocalSubnet unless there is a reason not to):

    HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","137:UDP",0x00000000,"137:UDP:*:Enabled:NetBIOS Name Service"


                    B) Alternatively, you can open regedit and load the system hive from the image folder, located at windows\system32\config\system.sav. Go to the following subtree under this hive:

    CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

    Or

    CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile

    Add/edit/delete the registry values according to the settings explained above in (A). All ICMP related settings are under the "IcmpSettings" subkey, all authorized application settings under the "AuthorizedApplications\List" subkey, and all port opening settings under the "GloballyOpenPorts\List" subkey. Unload the hive when you are done so that regedit writes your changes back to system.sav.


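    As an added example (not part of the original post), here is a small Python script that applies method (A) offline: it parses the AddReg entries of one netfw.inf profile section, audits them for the two things worth checking before you build (is the firewall on, and which exceptions are enabled for any source), and appends a correctly formatted authorized application and port opening. The INF text embedded in the script is constructed from the entries quoted above; the myapp.exe path and the "My Service" port are placeholders. It also shows the one parsing pitfall in this format: the program path itself contains a colon, so the data must not be split on ':' from the left.

```python
"""Offline Windows Firewall configuration for an XPE SP2 image via netfw.inf.
Added example, not from the original post.  SAMPLE_INF is constructed from the
entries the post quotes; the myapp.exe path and "My Service" port are placeholders."""
import re

FIREWALL_POLICY = r"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"
SCOPES = {"LocalSubnet", "*"}   # * means any source, not only the local subnet
MODES = {"Enabled", "Disabled"}
# One AddReg line: HKLM,"<key>","<value name>",<type>,<data>
ADDREG_RE = re.compile(r'^HKLM,"(?P<key>[^"]*)","(?P<name>[^"]*)",(?P<type>0x[0-9A-Fa-f]{8}),(?P<data>.*)$')
SECTION_RE = re.compile(r'^\[[^\]]+\]\s*$')

# Constructed sample: the StandardProfile AddReg lines shown in the post.
SAMPLE_INF = r'''
[ICF.AddReg.StandardProfile]
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","EnableFirewall",0x00010001,1
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile","DoNotAllowExceptions",0x00010001,0
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings","AllowInboundTimeStampRequest",0x00010001,0
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List","%windir%\system32\sessmgr.exe",0x00000000,"%windir%\system32\sessmgr.exe:*:Enabled:Remote Assistance"
HKLM,"System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List","137:UDP",0x00000000,"137:UDP:LocalSubnet:Disabled:NetBIOS Name Service"
'''

def _check(scope, mode):
    # Fields are colon separated with NO spaces: " LocalSubnet" is not a valid scope.
    if scope not in SCOPES or mode not in MODES:
        raise ValueError(f"bad scope/mode {scope!r}/{mode!r}; use LocalSubnet or *, Enabled or Disabled")

def parse_app_entry(path, data):
    """Decode 'path:scope:mode:name'. The path holds a colon (drive letter), so never
    split from the left: strip the path, which is also the registry value name."""
    if not data.startswith(path + ":"):
        raise ValueError(f"data does not begin with its program path: {data!r}")
    scope, mode, name = data[len(path) + 1:].split(":", 2)
    _check(scope, mode)
    return {"kind": "app", "path": path, "scope": scope, "mode": mode, "name": name}

def parse_port_entry(data):
    """Decode 'port:protocol:scope:mode:name'."""
    port, proto, scope, mode, name = data.split(":", 4)
    _check(scope, mode)
    return {"kind": "port", "port": int(port), "proto": proto, "scope": scope, "mode": mode, "name": name}

def parse_profile(inf_text, profile="StandardProfile"):
    """Return (settings, apps, ports) for [ICF.AddReg.<profile>]; settings maps DWORD
    value names to ints, with IcmpSettings values prefixed 'IcmpSettings\\'."""
    settings, apps, ports, in_section = {}, [], [], False
    for line in inf_text.splitlines():
        if SECTION_RE.match(line):
            in_section = line.strip() == f"[ICF.AddReg.{profile}]"
            continue
        m = ADDREG_RE.match(line.strip()) if in_section else None
        if not m:
            continue
        key, name, vtype, data = m.group("key", "name", "type", "data")
        data = data.strip().strip('"')
        if key.endswith(r"\AuthorizedApplications\List"):
            apps.append(parse_app_entry(name, data))
        elif key.endswith(r"\GloballyOpenPorts\List"):
            ports.append(parse_port_entry(data))
        elif vtype.lower() == "0x00010001":                  # REG_DWORD
            sub = key.rsplit(profile, 1)[-1].strip("\\")      # "" or "IcmpSettings"
            settings[(sub + "\\" if sub else "") + name] = int(data, 0)
    return settings, apps, ports

def audit(inf_text, profile="StandardProfile"):
    """Findings to review before building: firewall off, exceptions globally
    disabled, or an enabled exception whose scope is * (reachable from any source)."""
    settings, apps, ports = parse_profile(inf_text, profile)
    findings = []
    if settings.get("EnableFirewall") != 1:
        findings.append("firewall is OFF in this profile")
    if settings.get("DoNotAllowExceptions") == 1:
        findings.append("DoNotAllowExceptions=1: every exception below is ignored")
    for e in apps + ports:
        if e["mode"] == "Enabled" and e["scope"] == "*":
            what = e["path"] if e["kind"] == "app" else f"{e['port']}/{e['proto']}"
            findings.append(f"{what} ({e['name']}) is reachable from any source")
    return findings

def _append_to_section(inf_text, profile, new_line):
    """Insert new_line as the last entry of [ICF.AddReg.<profile>]."""
    lines, header = inf_text.splitlines(), f"[ICF.AddReg.{profile}]"
    start = next((i for i, l in enumerate(lines) if l.strip() == header), None)
    if start is None:
        raise ValueError(f"{header} not found")
    end = next((i for i in range(start + 1, len(lines)) if SECTION_RE.match(lines[i])), len(lines))
    while end > start + 1 and not lines[end - 1].strip():   # stay above the blank separator
        end -= 1
    lines.insert(end, new_line)
    return "\n".join(lines) + "\n"

def add_allowed_program(inf_text, path, scope, name, enabled=True, profile="StandardProfile"):
    mode = "Enabled" if enabled else "Disabled"
    _check(scope, mode)
    key = f"{FIREWALL_POLICY}\\{profile}\\AuthorizedApplications\\List"
    return _append_to_section(inf_text, profile, f'HKLM,"{key}","{path}",0x00000000,"{path}:{scope}:{mode}:{name}"')

def add_port_opening(inf_text, port, proto, scope, name, enabled=True, profile="StandardProfile"):
    proto, mode = proto.upper(), "Enabled" if enabled else "Disabled"
    if not 1 <= int(port) <= 65535 or proto not in ("TCP", "UDP"):
        raise ValueError("port must be 1-65535 and protocol TCP or UDP")
    _check(scope, mode)
    key = f"{FIREWALL_POLICY}\\{profile}\\GloballyOpenPorts\\List"
    return _append_to_section(inf_text, profile, f'HKLM,"{key}","{port}:{proto}",0x00000000,"{port}:{proto}:{scope}:{mode}:{name}"')
```

    Typical use is to read your image's windows\inf\netfw.inf, call add_allowed_program(...) and add_port_opening(...) for what your application needs, write the text back, and then run audit(...) on the result and review every "reachable from any source" line before FBA. Entries with spaces around the colons are rejected by the validator rather than silently mis-parsed, which is also what you want from a build-time check.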
    To configure the firewall post-FBA you can do one of the following:

    1. If you added the "Windows Firewall Control Panel" component to the configuration, you can run firewall.cpl to change all firewall related settings.
    2. If you don't have Control Panel access but your runtime has the netsh shell with its firewall context, you can use it to change firewall settings.

    Using netsh:

            netsh>firewall

            netsh firewall>show state (current status of the firewall)

            netsh firewall>show config (the exceptions, ICMP settings and notification setting in effect)

            netsh firewall>set opmode mode=ENABLE|DISABLE exceptions=ENABLE|DISABLE

    Where mode is the state of the firewall (ENABLE = on, DISABLE = off) and exceptions controls whether exceptions are allowed (ENABLE = allow exceptions, DISABLE = don't allow exceptions). You can also specify interface= and/or profile= (CURRENT, DOMAIN, STANDARD or ALL). Use the netsh help (e.g. "set opmode ?") for details.

            netsh firewall>set notifications mode=ENABLE|DISABLE

    ENABLE = notify when a program is blocked, DISABLE = do not notify when a program is blocked

    You can also change ICMP settings, create port openings and authorize applications or built-in services with the following commands (add creates a new entry, set changes an existing one):

            netsh firewall>set icmpsetting type=<ICMP type>|ALL mode=ENABLE|DISABLE                                  (ICMP settings)

            netsh firewall>add allowedprogram program=<path> name=<name> mode=ENABLE|DISABLE scope=ALL|SUBNET         (authorized applications)

            netsh firewall>add portopening protocol=TCP|UDP port=<1-65535> name=<name> mode=ENABLE|DISABLE scope=ALL|SUBNET   (port openings)

            netsh firewall>set service type=FILEANDPRINT|REMOTEADMIN|REMOTEDESKTOP|UPNP|ALL mode=ENABLE|DISABLE       (built-in services)

    As with the offline method, prefer scope=SUBNET; scope=ALL exposes the program or port to any source.

    3. If you have access to regedit in the runtime, edit the related registry values directly as explained above.
  • Configuring common user settings and Policies in runtime

    Several common user settings and policies can be set using gpedit.msc (Group Policy snap-in). This includes desktop, start menu, taskbar, control panel, logon, network and power management related settings etc. Have you ever wondered how to remove the logoff or shutdown button from the start menu? Or how to set a wallpaper or screensaver in the runtime? Or how to hide the notification area or tooltips? There are many such settings that can be done through gpedit.msc.

    If your runtime configuration includes the "Group Policy Core Administration MMC Snap-In" component and its support components, you can use gpedit.msc in the runtime to change the above settings. Alternatively, you can use regmon (www.sysinternals.com) to identify the registry value corresponding to a particular setting and use regedit to change it in the runtime. The registry values for most of the above settings are under the following registry branch:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies (and sub branches - Explorer, Network, System etc.)

    Once you identify the value corresponding to the setting, create that REG_DWORD value under this branch and set it to 0 (disabled) or 1 (enabled). Because this branch is under HKCU, the setting applies only to the user account whose hive you edit, which is usually what you want for a single auto-logon kiosk account. For example, to remove the logoff button from your start menu, create the following registry value in the runtime and set it to 1 (enabled):

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogoff

    This is same as enabling the following policy in gpedit.msc:

    User configuration->Administrative Templates->Start menu and taskbar->"Remove Logoff on the start menu" (change to 'enabled' from 'not configured')

  • Improved Security Agent for XP Embedded from Sygate Technologies

    Sygate Technologies announced that their improved Security Agent 4.0 for XP Embedded devices will be available by the end of this month. It promises advanced protection against worms, viruses and application hijacking. Check out the following article:

    http://biz.yahoo.com/prnews/040913/nym073_1.html


  • EOL (End of Life) Components and Branching

    Have you ever wondered what are those "End of Life (EOL)" components in XPE database and how they work?

    When a new version of an application or component becomes available (e.g. Windows Media Player 9.0 or DirectX 9.0), the old version of that component (e.g. WMP 8.0 or DirectX 8.0) is retired. To replace the old version, an EOL object for that component is added to the XPE database, indicating that the component is no longer valid. EOL components are created by removing all resources (file, registry and any other resources) from the original component; they are essentially empty objects with special revision and visibility values. EOL objects have a revision value of 100,000 or greater and typically a visibility of 0 (so you won't see them in the component list in TD). If your existing configuration already contains component(s) that have been EOLed, Target Designer detects this and handles it correctly: it appends "(EOL)" to the component's display name so that you can recognize that the component has been EOLed in the new version of the database.

    To replace the EOLed component in the configuration with the new version of the component, "branching" is used. Components support a special Branch resource that is added to the EOL component (NOTE: a Branch resource is only valid in an EOL object). The Branch resource contains a property, TargetVIGUID, which holds the VIGUID of the replacement component. Because of this resource, when you upgrade your existing configuration and run a dependency check, the new component replaces the EOL component in the configuration. The Branch resource also contains an optional MinRevision property that indicates the minimum revision level of the target component that may be used as a replacement for the current component. The special scenarios are:

    • If MinRevision is not specified or is 0, any revision level may be used.
    • If the EOL component does not specify a Branch resource, then the component is dead and has no replacement component.
    • If the EOL component specifies multiple Branch resources, then the component is replaced by all of the components specified.
    • If several different EOL components specify Branch resources that all reference the same target component, these components are replaced by a single new component.
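    The resolution rules above, as an added example (not the Target Designer implementation): a small Python model of EOL components with Branch resources and a resolver that applies each rule to a configuration. The component IDs, names and revisions are constructed placeholders rather than real VIGUIDs from the XPE database. It assumes that a target whose revision is below MinRevision simply yields no replacement for that Branch (the post does not spell out what happens in that case), and it does not follow chains where a replacement is itself EOLed.

```python
"""Resolve EOL components in an XPE configuration through their Branch resources.
Added example with a constructed in-memory model; not the Target Designer
implementation.  IDs such as "WMP8" stand in for real VIGUIDs."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

EOL_MIN_REVISION = 100_000   # EOL objects carry a revision of 100,000 or greater


@dataclass
class Branch:
    """Branch resource: only valid inside an EOL object."""
    target_viguid: str
    min_revision: int = 0    # 0 or unspecified: any revision of the target may be used


@dataclass
class Component:
    viguid: str
    display_name: str
    revision: int
    visibility: int = 1000   # EOL objects typically use 0 and are hidden in TD
    branches: List[Branch] = field(default_factory=list)

    @property
    def is_eol(self) -> bool:
        return self.revision >= EOL_MIN_REVISION

    def td_name(self) -> str:
        """Display name as Target Designer shows it for an EOLed component."""
        return f"{self.display_name} (EOL)" if self.is_eol else self.display_name


def resolve(config: List[str], db: Dict[str, Component]) -> Tuple[List[str], List[str]]:
    """Apply the branching rules to an ordered list of VIGUIDs.

    Returns the upgraded configuration and a report of what happened to each
    EOL component (what a dependency check would surface to the user)."""
    new_config: List[str] = []
    report: List[str] = []

    def keep(viguid: str) -> None:
        # Several EOL components may branch to the same target: it is added once.
        if viguid not in new_config:
            new_config.append(viguid)

    for viguid in config:
        comp = db[viguid]
        if not comp.is_eol:
            keep(viguid)
            continue
        if not comp.branches:
            report.append(f"{comp.td_name()}: dead, no replacement component")
            continue
        for br in comp.branches:    # multiple Branch resources: replaced by all targets
            target = db.get(br.target_viguid)
            if target is None:
                report.append(f"{comp.td_name()}: target {br.target_viguid} missing from database")
            elif br.min_revision and target.revision < br.min_revision:
                report.append(f"{comp.td_name()}: {target.display_name} rev {target.revision} "
                              f"is below MinRevision {br.min_revision}")
            else:
                report.append(f"{comp.td_name()} -> {target.display_name}")
                keep(target.viguid)
    return new_config, report


def sample_db() -> Dict[str, Component]:
    """Constructed database covering each scenario listed in the post."""
    comps = [
        Component("WMP8", "Windows Media Player 8.0", 100_000, 0, [Branch("WMP9")]),
        Component("WMP9", "Windows Media Player 9.0", 3),
        Component("DX8", "DirectX 8.0", 100_000, 0, [Branch("DX9", min_revision=2)]),
        Component("DX9", "DirectX 9.0", 5),
        Component("A", "Codec A", 100_001, 0, [Branch("C")]),    # A and B both branch to C
        Component("B", "Codec B", 100_001, 0, [Branch("C")]),
        Component("C", "Codec Pack", 1),
        Component("D", "Old Tool", 100_000, 0, [Branch("E"), Branch("F")]),   # split in two
        Component("E", "New Tool Core", 1),
        Component("F", "New Tool UI", 1),
        Component("G", "Dropped Feature", 100_000, 0),              # no Branch: dead
        Component("H", "Old Driver", 100_000, 0, [Branch("I", min_revision=7)]),
        Component("I", "New Driver", 3),                            # too old for H's MinRevision
        Component("KEEP", "Unchanged Component", 2),
    ]
    return {c.viguid: c for c in comps}


if __name__ == "__main__":
    cfg, rep = resolve(["WMP8", "DX8", "A", "B", "D", "G", "H", "KEEP"], sample_db())
    print("upgraded configuration:", cfg)
    print("\n".join(rep))
```

    The report is the part worth reading after an upgrade: a "dead" line means functionality silently disappears from the image, and a MinRevision line means the database you imported is older than the branch expects.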
  • Another XPE Blog

    First, a little bit about myself: I joined Microsoft and XP Embedded team about 8 months back. Before coming to Microsoft, I did my Masters in Computer Engineering at University of Southern California and I also worked there as a Systems Analyst for about a year and a half. Even though I have been in XP Embedded team for a short time, I have worked on several bits and pieces of XPE SP2 and I wanted to share some useful information that I have learned. So, here I am, blogging for the first time, in the hope that someone out there will find this useful.

    I will use this blog primarily to talk about common XP Embedded issues raised in newsgroups and also to share news on embedded features and cool devices.  I am planning to post articles on how to configure some features offline (Windows Firewall, Dr. Watson, Pop-UP blocking etc.) and tweaking registry settings. Also, whenever possible, I am planning to post some scripts and tools that I am working on. I have written scripts to backup, restore and remove XPE database which can be useful as a starting point for anyone who wants to write his/her own custom database scripts. I have also written tools to diff SLDs and SLXs.

    Stay Tuned......


© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement