Harsh Shah's eBlog

Sharing views on Windows Embedded Technologies and Devices

Removing Windows Firewall from SP2 Configuration to reduce footprint

Hello All,

Are you looking for a low-footprint SP2 image? Here is one way to reduce the footprint if you don't need "Windows Firewall" in your configuration (Note: in general, keeping Windows Firewall in the runtime is recommended):

1. Create a new SP2 configuration and import the PMQ for your system.
2. Add any other components that you want in your configuration, with the following exceptions:
    A) If you add the "Retail Point of Sale Terminal" macro, go to the settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
    B) If you add the "Home Gateway" macro, go to the settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
    C) If you add the "Networking Application Compatibility" macro, go to the settings of this component and uncheck the following:
        "Windows Firewall/Internet Connection Sharing (ICS)"
        "Windows Firewall Control Panel"
        "Core Networking"
        "Connection Manager Runtime"
    D) If you add any of the following components manually, Windows Firewall will be brought into your runtime:
        Connection Manager Runtime
        Security Center
        Windows Firewall Control Panel
        Windows .Net Messenger
3. Manually add the "Core Networking" component to your configuration. Go to the settings of this component and uncheck "Windows Firewall/Internet Connection Sharing (ICS)".
4. Run a dependency check and build the image.

Published Tuesday, October 12, 2004 4:32 PM by harshs

Comments

 

Peter da Silva said:

How would you arrange to unbind commonly exploited services (like most of Windows Networking) from an internet interface at this stage, to alleviate the exposure from removing the firewall? Or even if you're leaving the firewall component in place so the user wouldn't inadvertently expose themselves to attack if they disabled the firewall for some reason?
October 12, 2004 6:49 PM
 

Harsh said:

Hi Peter,

Including Windows Firewall in the configuration and keeping it always on is highly recommended, unless you have footprint concerns. The firewall component brings a lot of dependencies into the runtime, so being able to remove it from the configuration is helpful in some scenarios. You can use a third-party firewall solution for XPE with a low footprint as an alternative to Windows Firewall. However, if you don't have any kind of firewall in the runtime, your system is not protected against attacks and exploitation. In that case, you have to make sure that you are not including/using commonly exploited components/services like telnet server, IIS Web Server, IIS FTP server etc. in the configuration.
October 15, 2004 3:55 PM
 

Peter da Silva said:

"you have to make sure that you are not including/using commonly exploited components/services"

Like Messenger, SMS Client, Server, Workstation, ...?

Is there any way to configure Windows so that these can be bound to "Localhost" only?
October 28, 2004 1:35 PM
 

Harsh said:

If you have Windows Firewall in the configuration, you can specify this in the "Windows Firewall/ICS" settings - you can specify authorized apps/opened ports with the scope (local subnet only). What do you mean by binding services to "localhost" only? Do you mean local subnet/network? If you are looking for a low footprint - try Sygate Security Agent (http://www.sygate.com/solutions/xpe-solutions.php) - the footprint hit is about 4MB with it.

If you don't have any kind of firewall on your XPE devices, you can use a NAT firewall solution and put all your XPE devices on a private network - this way you will still be able to bound ports/apps. If you give me more details on your scenario (and footprint numbers), I can probably suggest some specific solution.
October 28, 2004 2:38 PM
 
