NT4.0 Migration to Windows 2003:Firewall Compatibility Evaluator

Posted 2015-5-4 07:56:21
Firewall Compatibility Evaluator
Overview
Windows Firewall Compatibility Evaluator (WFCE) is a console application that runs as a service.  When it is run, it logs all applications and services that have opened a port to allow unsolicited inbound traffic.  Since WFCE runs as a service, the console application returns immediately upon execution, but the service continues to run as a process under service control manager, identifying application issues even after the user logs off and another user logs on.
SECURITY NOTE: Log files contain sensitive data.  
There are several conditions that must be met in order to deploy WFCE.  These conditions include security checks that will stop execution rather than compromise a system.
1.1.1 Supported Environments
The Windows Firewall Compatibility Evaluator is supported on the following operating systems:

  • Windows XP Professional
  • Windows Server 2003
1.1.2 Deploying Firewall Compatibility Evaluator
Windows Firewall Compatibility Evaluator (WFCE) is an executable (.exe) file that starts as a console application, but installs a service to detect port use.  When run, it will appear to return quickly, but a service has been created in Service Control Manager, which will continue to run for minutes, hours, or even days, depending on the completion time specified in your command-line arguments.  Because WFCE runs as a service, be aware of the following conditions:

  • WFCE cannot be run from a network share.  You must copy it to a local folder of the computer from which you want to run it.  
  • The folder to which you copy WFCE must be secure or it will exit if questionable access permissions are detected.  
  • Only an administrator can start WFCE.  Once started, it will continue running as a service until your specified completion time, even if the administrator is no longer logged on.  
  • Running WFCE results in a log file that is typically written to a network share that you designate.  The permissions on that share must include write access for the Everyone group so that the Local System account on client computers will have access to write the log to the network share.  Do not allow unnecessary access, such as read, execute, or modify, to the designated network share.  Every log file receives a unique name to eliminate the chance of one log copying over another.  
If you use a script to deploy WFCE, you must be aware of the following details.  The script must:

  • Be run as Administrator.  
  • Copy the WFCE.exe file to a secure folder on the client (such as Windows\System32).  
  • Execute WFCE.exe and specify the destination path for the log results.  
NOTE: This destination path must be the same as the location where Analyzer is set to pick up logs.
As an option, you can also script WFCE.exe for deletion, but you must ensure that the deletion time is set after the completion time for the WFCE.  The WFCE.exe file cannot be deleted until the service completes.  The service will automatically remove itself from the Service Control Manager, so you need to delete only WFCE.exe to uninstall the WFCE.
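The following deployment script follows the requirements listed above (run as Administrator, copy to a secure local folder, start WFCE with the log destination, delete the .exe only after completion); it is an added example for this page, not a script from the WFCE documentation. The share path, the 120-hour completion time, the cleanup day and time, and the assumption that WFCE.exe sits beside the script are constructed values.

```batch
@echo off
REM deploy-wfce.cmd: added example deployment script (not from the WFCE documentation).
REM Assumes: WFCE.exe sits beside this script; LOGSHARE exists and grants the Everyone
REM group write access only; the Server and Task Scheduler services are running.
setlocal

set LOGSHARE=\\servername\collector\logs
set CT_HOURS=120
set TARGET=%SystemRoot%\system32\WFCE.exe
REM Constructed cleanup schedule: must fall AFTER the service completes (CT_HOURS from now).
set CLEAN_DAY=20
set CLEAN_TIME=23:00

REM 1. Must run as Administrator. "net session" is denied for non-administrators.
net session >nul 2>&1
if errorlevel 1 (
    echo This script must be run as Administrator.
    exit /b 1
)

REM 2. Copy WFCE.exe to a local, secure folder. WFCE will not run from a network
REM    share and exits if the folder is writable by non-administrators.
copy /y "%~dp0WFCE.exe" "%TARGET%" >nul
if errorlevel 1 (
    echo Failed to copy WFCE.exe to %TARGET%.
    exit /b 1
)

REM 3. Start WFCE with the log destination. The output path must be the same
REM    location from which Analyzer picks up Collector logs. /q hides the console.
"%TARGET%" /o %LOGSHARE% /ct %CT_HOURS% /q
if errorlevel 1 (
    echo WFCE.exe returned error %errorlevel%; check the Application event log.
    exit /b 1
)

REM 4. Optional: schedule removal of WFCE.exe. The service removes itself from
REM    SCM, but the .exe cannot be deleted until the service completes, so the
REM    "at" job (which runs as SYSTEM) is placed on a day after the completion time.
at %CLEAN_TIME% /next:%CLEAN_DAY% "cmd /c del /q %TARGET%"
if errorlevel 1 (
    echo Could not schedule cleanup; delete %TARGET% manually after completion.
    exit /b 1
)

echo WFCE started; the log will be written to %LOGSHARE% after %CT_HOURS% hours.
endlocal
```

The write permission for Everyone on the share is required because the WFCE service writes the log as Local System, whose network identity is the computer account, not the administrator who ran the script.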
1.1.3 Firewall Event Logs
If the Windows Firewall Compatibility Evaluator (WFCE) encounters a problem, it will exit with an error code and write an event to the computer's Application event log.
To view error messages for the WFCE using Event Viewer:

  • Click Start, right-click My Computer, and then click Manage.  
  • Under System Tools, expand Event Viewer.  
  • In the right pane, double-click Applications.  All error messages for WFCE will have a Source of MWACT.
  • Double-click the error to view details.  
The following error codes are recorded in the WFCE event logs:
WFCE Event Log Error Codes

| Error Message | Additional Information |
|---|---|
| Failed to get Collector component interface pointers. | Connecting to Collector component failed. |
| Collector component failed. | Unable to retrieve data. |
| Failed to get XML produced by inventory component. | Failed to get XML produced by Collector component. |
| Failed to save log file. | Failed to save issue log. |
| Failed to determine if user is logged on with administrative privileges. | You must be logged on as Administrator to run this tool. |
| Failed to determine file system security settings. | Failed to determine if the file system is secure. |
| Failed to determine directory security settings. | Unable to determine folder security settings.  Windows Firewall Compatibility Evaluator failed to install. |
| You must specify a number of hours between 0 and 999 after the /ct switch. | In the command line options, the /ct switch is set for an invalid number of hours.  The completion time must be between 0 and 999. |
| The folder where WFCE.exe is installed can be modified by users or groups without administrative privileges on the local system. | The folder where WFCE.exe is installed can be modified by users or groups without administrative privileges on the local system. |
| Failed to register a service with SCM. | Failed to register a service with SCM. |
| Failed to start a service. | Failed to start a service. |
| Changes to WFCE options failed.  Unable to open the service. | Changes to WFCE options failed.  Unable to open the service. |
| Failed to change settings in Service Control Manager (SCM). | Unable to reconfigure a service. |
| Failed to notify a service about reconfiguration. | Failed to notify a service about reconfiguration. |
| Failed to start service control dispatcher. | Failed to start service control dispatcher. |
| Failed to ensure synchronization between service and controller. | Failed to Create a SERVICE mutex. |
| Failed to start service control dispatcher. | Failed to start service control dispatcher. |
| Failed to format options string. | Failed to format options string. |
| WFCE evidence was not collected. | WFCE evidence was not collected. |
| WFCE internal log failed to update with new port information. | WFCE internal log failed to update with new port information. |
| Initialization of Collector components failed. | Initialization of Collector components sdbapis failed. |
| Failed to add checksum to internal log. | Internal log file corrupted. |
| Failed to ensure internal log directory. | Failed to create or find application data folder. |
| Failed to contact service control manager. | Error connecting to Service Control Manager. |
| Failed to assign inventory component properties. | Internal Collector component error. |

1.1.4 Firewall Options
The Windows Firewall Compatibility Evaluator (WFCE) looks for specific settings in the configuration file and the argument string passed to it when it is called.  It exits if there are any invalid command line settings.  Settings in the argument string take precedence over settings in the configuration file.  
1.1.5 Firewall Command Line Options
The following command line options are available for Firewall Compatibility Evaluator:

| Option | Description |
|---|---|
| /o | Output path.  Specifies a directory to save the log.  This is typically an internal network share.  You do not need to include a file name because a file name will be generated automatically.  If no destination path is specified, the log will go to the desktop of the current user. |
| /f | Filename.  Specifies a name for the log file.  If no file name is specified, the file will be named COMPUTERNAME.ISSUE.{GUID}.cab, where COMPUTERNAME equals the name of the computer on which WFCE.exe is running, ISSUE equals the issue name, and GUID is a globally unique identifier.  Typically, this option is used by testers who must have recognizable file names for their own use.  (The word ISSUE is added after COMPUTERNAME to differentiate these log files from Collector logs.) |
| /ct | This option specifies a completion time.  The completion time must be less than 999.  It is written as a delta from the current time in hours.  The WFCE runs until this time, and then the test pass is complete.  If no completion time is specified, the test will complete as soon as startup operations have finished. |
| /q | This option specifies that when WFCE is run, the console window that it is hosted in will be hidden. |
| /clr | This setting causes WFCE to delete its internal log once testing is complete, after writing the data to the issue log.  The default is to keep the log so that WFCE can start where it last finished. |

The following is a sample command that specifies running the WFCE for five days and sending the log file to \\servername\collector\logs:
WFCE.exe /o \\servername\collector\logs /ct 120
If WFCE is run while the Firewall Compatibility Evaluator service is already running, the service parameters will be updated to reflect the latest command-line arguments.  For example, if WFCE was originally started with a completion time of 100 hours, and it is run again with a completion time of 0 hours, the service will recognize the new completion time.  It will finish processing and send the log as quickly as possible.
1.1.6 Using Configuration (.ini) Files
Although Collector and the Compatibility Evaluators have different .ini file formats, it is possible (and recommended) to use a single .ini file for all three.  The advantage of using a single .ini file is that you reduce the possibility of data loss in your Analyzer database.  
For example: When WFCE is run, Collect.exe is automatically called.  When this Collector log is merged into the Analyzer database, it will overwrite any data that was merged from a previous Collector log.  If Collector was previously run with a custom value set to gather the department name, the department name information will be lost from your Analyzer reports when the WFCE issue log (and its new Collect.exe log) is merged into the database.  However, if WFCE calls Collector with the same .ini file used for Collector, and that file contains the settings that specify the department name should be gathered, then this data loss will not occur.
The following is an example configuration file (.ini) for WFCE:
[wfce.exe]
CommandLine=/O c:\temp /CT 120
The following is an example log file name:
SALESDEPARTMENT1.ISSUE.{A445FF37-0BD5-4CAF-8848-73499A41CBB0}.cab
1.1.7 Firewall Logging
When Windows Firewall Compatibility Evaluator (WFCE) detects that a port is being opened for unsolicited inbound traffic, it logs the following evidence:

  • File evidence
  • The port number being opened
  • Whether the file opening a port is a service or an application
  • Whether the file is a service host
  • The name of every service that is being hosted
NOTE: While the log does contain evidence of every service that is being hosted, it is not possible to determine which service is actually opening the port.  Therefore, hosting services are not exposed as an issue through Analyzer.
The information is compressed into a .cab file and sent to the location specified in your command-line arguments.
NOTE: It is important that the output path for the WFCE log is the same as the location where Microsoft Application Analyzer is picking up logs for Collector.
When the completion time is reached, the service will run Collector before it sends the WFCE log to the network share.  This ensures that a log with a full inventory of the computer is processed by Application Analyzer before the WFCE log is processed.
1.1.8 Security Considerations
The log files created by WFCE contain sensitive data, such as application use of ports for listening.  Because the WFCE is often configured to send the logs to a network share, it is important to know that these logs are in clear text and could be read by network sniffing tools.
One way to protect your data is to secure the network connections (for example, using IPSec) from the client computers where the WFCE is run to the share that it copies logs to, and also from the share to the computer that Merger is running on.  For more information on IPSec, read the article "What is IPSec?".
Alternatively, you can reduce the exposure of your sensitive data by having the WFCE write the logs locally, and employ a systems management application that uses encryption (such as SMS) to copy the files from the client computers.  In this case, you would still need to secure the connection from Merger to the share containing the files copied by SMS.
1.1.9 Firewall Issue Detection
When Windows Firewall Compatibility Evaluator (WFCE) detects that a port is being opened for unsolicited inbound traffic, it records the file evidence into the log.  When the log file is merged into the Analyzer database, any applications associated with that issue are updated.  For example, if several applications use a common component for reporting, all of those applications will be updated with the file evidence.
You can view the following firewall compatibility information using Microsoft Application Analyzer:

  • Issue title
  • Issue details
  • Resolution steps
  • Links to more information
Known firewall issues that are detectable with the current version of the WFCE include:

  • An Application Has Opened a Port for Unsolicited Inbound Traffic
  • A Service Has Opened a Port for Unsolicited Inbound Traffic
1.1.10 Firewall FAQ
  Q   Can Windows Firewall Compatibility Evaluator (WFCE) detect all potential Firewall issues?
  A   No.  There are some issues that it is not possible to detect on Windows XP with Service Pack 1 (SP1) or earlier, and therefore cannot be detected by the WFCE at this time.  For a complete list of all known Firewall issues, see the Windows XP Service Pack 2 Feature Documentation.
  Q   How long should WFCE be run?
  A   There is no hard and fast rule regarding the length of time that WFCE must be run; however, you should run it long enough to ensure that each application on the client computer has been tested thoroughly, for example, during start up, normal use, and shut down.  Consider factors such as how many computers the tool is installed on, and how often the applications on those computers are used.  For example, an accounting application that is used once a month may not be exercised if you run WFCE for only a week.  
  Q   Should this tool be run in a lab or in my production environment?
  A   WFCE is much more likely to uncover issues if it is run in a production environment where all the standard behaviors of an application are in use.  
  Q   On how many computers should I install WFCE?
  A   Again, there is no required number of computers on which you must install the tool.  However, install it on as many computers in as many different departments as possible, to ensure that every application used within your organization is tested.  If there is an individual or a group within your organization for whom uninterrupted access is extremely important, allow yourself enough time to test all of those computers until all application issues have been logged.
  Q   Why are applications running from my Z: drive not showing up in the WFCE log?  I know that some of them open ports.
  A   It may be a mapped drive.  WFCE, DCOM Compatibility Evaluator, and Collector cannot retrieve information about files on mapped drives.  For example, an executable running from a virtual drive created with the SUBST command would not be included in the WFCE log.  
  Q   WFCE is returning with no errors, but the log is not being written.  What could be causing this to happen?
  A   WFCE returns as soon as the WFCE service has been successfully started.  If the WFCE service encounters an error, it writes to the Windows event log.  To see if any errors were reported by the WFCE service, open the Windows Event Viewer and look for entries in the Application event log with source MACT and category WFCE.  
  Q   In the Windows Event Viewer I see that WFCE reported an error: Failed to compress output to cab file.  Access is denied.  What could cause this?
  A   This error most likely means that the WFCE service could not access the output folder you specified.  The WFCE service is running in a system process and therefore it may not have access to the output folder even though you do have access.  If the folder is a network share, be sure the share grants write access to your computer's credentials.  For more information, browse to MSDN and search for LocalSystem Account.  
  Q   What does the following WFCE error in the event log mean: Failed to open internal log for reading?
  A   In most cases, this is not indicative of a problem that must be fixed.  WFCE is usually able to create the internal log, and you can ignore this error.  The exception is the case where WFCE also fails to create a final issue log and there are no other WFCE errors in the event log.
