Windows Firewall Stealth

Eran Yariv

Principal Development Manager

Windows Firewall comes with an always-on, non-configurable stealth feature. The purpose of this feature is to prevent fingerprinting attacks that remotely attempt to figure out which ports are open on the computer, which services are running, the update state of the computer, and so on.

When a remote computer tries to connect to a non-listening TCP port (a TCP port that is not used on the local computer), the TCP/IP stack sends back a special TCP packet called TCP Reset (RST). However, if an application is listening on that port but a firewall is blocking it from receiving traffic, the remote computer will simply time out. This is a common technique to fingerprint the computer and see which ports are unused and which are used but blocked by the firewall. With the stealth feature of Windows Firewall, all TCP RST outbound packets are blocked so that the remote computer will time out when it connects to a port that is not allowed through the firewall, regardless of whether this port is in use.

For UDP ports and non-TCP/UDP sockets, a similar mechanism is used. Unlike TCP, these are not session-based protocols, so when a remote computer tries to connect to a non-listening UDP port (or a non-TCP/UDP socket), the stack replies with an ICMP packet saying "nobody's home." For IPv4 traffic, the response is ICMPv4 (protocol 1)/type 3/code 3 (Destination Unreachable/Port Unreachable) or ICMPv4 (protocol 1)/type 3/code 2 (Destination Unreachable/Protocol Unreachable). For IPv6 UDP traffic, the response is ICMPv6 (protocol 58)/type 1.

With the stealth feature on, Windows Firewall blocks these outbound responses so that the remote computer can't tell the difference between a non-listening UDP port (or non-TCP/UDP socket) and one that is listening but is blocked by the firewall.
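As an added illustration (not from the book, and not Windows Firewall code), the following Python snippet classifies outbound IP packets using the protocol numbers, ICMP types and codes quoted above, so an administrator reviewing an egress capture of their own host can confirm that none of the responses the stealth feature is meant to suppress are leaving. The sample packets, addresses and ports are constructed inline and are placeholders; the ICMPv6 code 4 (port unreachable) is an assumption beyond the text, which names only type 1.

```python
import struct

# Values quoted in the text: IP protocol numbers and the RST flag bit
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_ICMPV6 = 1, 6, 58
TCP_RST = 0x04

def classify_response(frame: bytes) -> str:
    """Classify one outbound IP packet from the protected host.

    Returns 'tcp-rst' (closed TCP port revealed), 'icmp-port-unreach'
    (ICMPv4 3/3), 'icmp-proto-unreach' (ICMPv4 3/2), 'icmpv6-unreach'
    (ICMPv6 type 1) or 'other' (nothing about port state is leaked).
    """
    version = frame[0] >> 4
    if version == 4:
        ihl = (frame[0] & 0x0F) * 4               # IPv4 header length in bytes
        proto, payload = frame[9], frame[ihl:]
        if proto == IPPROTO_TCP:
            return "tcp-rst" if payload[13] & TCP_RST else "other"
        if proto == IPPROTO_ICMP and payload[0] == 3:   # Destination Unreachable
            return {3: "icmp-port-unreach", 2: "icmp-proto-unreach"}.get(payload[1], "other")
        return "other"
    if version == 6:
        next_header, payload = frame[6], frame[40:]
        if next_header == IPPROTO_ICMPV6 and payload[0] == 1:
            return "icmpv6-unreach"
    return "other"

def stealth_leaks(frames):
    """Return the class of every captured packet that betrays port state."""
    return [c for c in map(classify_response, frames) if c != "other"]

# --- constructed sample packets (placeholder addresses, not a real capture) ---
def ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])) + payload

def ipv6(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       b"\x00" * 15 + b"\x01", b"\x00" * 15 + b"\x02") + payload

TCP_RST_ACK = ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 445, 40000, 0, 1, 5 << 4, 0x14, 0, 0, 0))
TCP_SYN_ACK = ipv4(IPPROTO_TCP, struct.pack("!HHIIBBHHH", 80, 40001, 1, 1, 5 << 4, 0x12, 8192, 0, 0))
ICMP_PORT_UNREACH = ipv4(IPPROTO_ICMP, bytes([3, 3, 0, 0, 0, 0, 0, 0]))
ICMP_PROTO_UNREACH = ipv4(IPPROTO_ICMP, bytes([3, 2, 0, 0, 0, 0, 0, 0]))
ICMPV6_UNREACH = ipv6(IPPROTO_ICMPV6, bytes([1, 4, 0, 0, 0, 0, 0, 0]))
SAMPLE = [TCP_RST_ACK, TCP_SYN_ACK, ICMP_PORT_UNREACH, ICMP_PROTO_UNREACH, ICMPV6_UNREACH]

if __name__ == "__main__":
    # Only the SYN/ACK (a legitimately allowed, listening port) is not a leak.
    print(stealth_leaks(SAMPLE))  # → ['tcp-rst', 'icmp-port-unreach', 'icmp-proto-unreach', 'icmpv6-unreach']
```

On a host where the stealth feature is working, a capture of the host's own outbound traffic should yield an empty list from `stealth_leaks` for probes to ports the firewall does not allow.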

Windows Firewall and Service Triggers

Windows 7 now allows services to register to be started or stopped whenever a trigger event occurs, a new feature known as Trigger Start services. This eliminates the need for services to start when the system starts, which can improve boot performance. It also eliminates the need for services to poll or actively wait for an event to occur. In other words, services can now start when they are needed instead of having to start automatically regardless of whether there is work for the service to do.

Beginning with Windows 7, the WFP and Windows Firewall with Advanced Security work together to implement service triggers based on WFP filters. This lets unneeded services stay stopped and start only when Windows Firewall with Advanced Security has been configured to allow traffic for them. For more information on how Windows Firewall uses service triggers, see the sidebar titled "Direct from the Source: Service Demand-Start on Firewall Triggers" in this chapter. For additional information concerning Trigger Start services, see the section titled "Services Enhancements in Windows 7" in Chapter 17, "Managing Devices and Services."

Responses

  • dahlak
    How to stealth Windows 7 ports?
    3 years ago