I just noticed that the Unattended guide at MSFN recommends using winnt.sif to manage firewall settings. However, ref.chm is pretty opaque and the registry settings to add or remove ports or programs are very simple. So simple, in fact, I'm reluctant to call this a "HOWTO." Nevertheless, here it is.

The key we're interested in is

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\

This key contains values that control the general firewall options, e.g., whether the firewall is enabled and whether to notify the user when a program blocks something.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
"DoNotAllowExceptions"=dword:00000000
"DisableNotifications"=dword:00000001

This enables the firewall and disables notifications when an application blocks something.

The next key is a subkey of the above.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

This gibberish is the "Remote Assistance" rule, which of course I don't care about. The key is the part that says Disabled. The existence of a properly formatted value adds an entry to the list of programs in the firewall, and as you'd expect, the box is checked if it is set to "Enabled" and unchecked if it is set to "Disabled", as it is above.

Finally, you can allow additional ports. On our computers we run TightVNC so we need to open up the VNC service port, and also the little http daemon that VNC runs.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5800:TCP"="5800:TCP:*:Enabled:VNC HTTP"
"5900:TCP"="5900:TCP:*:Enabled:VNC"

The format is obvious: enable ports 5800 and 5900. They appear in the exceptions list with the text "VNC HTTP" and "VNC" respectively.

And that is that, really. I obtained all this using regshot, and it seems the firewall configuration is this simple all around, so if something is not covered here, feel free to explore it yourself. Also note that these are global options. A per-connection configuration is best suited to winnt.sif, since after installation each connection has a random ID that you need in order to configure it via the registry. Of course, if you only have one connection then this is all you'd need.
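Putting the two value formats above together, here is an added Python audit script (my own example, not part of the original post) that parses an exported .reg fragment of these List keys and reports which enabled exceptions have a scope of "*", i.e. are reachable from any source address. The TightVNC program entry and its LocalSubNet scope are assumed sample values, not from the post.

```python
import re

# Constructed sample .reg export of the two exception-list keys from the post.
# The TightVNC entry (LocalSubNet scope = local subnet only) is an assumed example.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\TightVNC\\WinVNC.exe"="C:\\Program Files\\TightVNC\\WinVNC.exe:LocalSubNet:Enabled:TightVNC"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5800:TCP"="5800:TCP:*:Enabled:VNC HTTP"
"5900:TCP"="5900:TCP:*:Enabled:VNC"
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def reg_unescape(s):
    # In .reg string data a backslash escapes the next character (\\ and \")
    return re.sub(r'\\(.)', r'\1', s)

def parse_firewall_reg(text):
    """Return one record per exception value found under the two List keys."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VAL_RE.match(line)
        if not vm or key is None or '\\FirewallPolicy\\' not in key:
            continue
        data = reg_unescape(vm.group(2))
        profile = key.split('\\FirewallPolicy\\')[1].split('\\')[0]
        if key.endswith('\\GloballyOpenPorts\\List'):
            # port:protocol:scope:state:label
            port, proto, scope, state, label = data.split(':', 4)
            target = f'{port}/{proto}'
        elif key.endswith('\\AuthorizedApplications\\List'):
            # path:scope:state:label; rsplit keeps the drive "C:" inside the path
            target, scope, state, label = data.rsplit(':', 3)
        else:
            continue
        entries.append({'profile': profile, 'target': target, 'scope': scope,
                        'enabled': state == 'Enabled', 'label': label})
    return entries

def open_to_any_network(entries):
    """Enabled exceptions whose scope is '*': reachable from any source address."""
    return [e['target'] for e in entries if e['enabled'] and e['scope'] == '*']
```

Run it against `reg export` output of the StandardProfile key to see at a glance which exceptions are actually open to the world rather than just listed.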
