Stopping the Windows Authenticating Firewall Service and the boot time policy

Lately, I have been seeing a number of issues/concerns from people where they manually stop the Firewall service and lose connectivity to the machine. They always seem surprised when I explain that it is by design.

Stopping the firewall Service should only be a test

Microsoft does not support stopping the firewall service (or a third-party firewall service) except for troubleshooting even if you are behind another edge/perimeter firewall. If another machine on the local subnet gets infected, a machine that is not running a host firewall is vulnerable.

A little History

In versions of Windows XP prior to Windows XP SP2, there is a window of time between when the network stack starts and when the Windows Firewall Service (ICF) starts to provide protection. The firewall driver does not start to filter TCP/IP packets until the service is loaded and the appropriate policy is applied. The firewall service depends on several functions and must wait until those functions clear before the service pushes the policy to the driver. During this window of time, a packet could be received and delivered to a service without being filtered. This could potentially leave the computer vulnerable to an attack by exposing ports that would otherwise be protected by the firewall.

Note: The time period is based on the speed of the computer.

In Windows XP SP2, the firewall driver has a new static policy rule called the boot-time policy. The boot-time policy performs stateful filtering and eliminates the window of vulnerability when the computer is starting. The boot-time policy enables the computer to open ports so that basic networking tasks such as Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) can occur. The boot-time policy also enables the computer to communicate with a domain controller to obtain appropriate policies. As soon as the firewall service is running, the run-time policy is loaded, applied, and the boot-time filters are removed. The boot-time policy cannot be configured.

There was another security feature added so that if the firewall service is stopped or crashes, the boot-time filters are again loaded to protect the computer. This would prevent an attacker from crashing the firewall service and exposing the machine.

This can cause confusion if you are not aware of it and try to simply stop the firewall service to eliminate it as a potential cause while troubleshooting a connectivity issue.

In Windows Vista the boot-time policy functions the same as it does in Windows XP SP2 except that the service is MPSSVC.

Manually stopping the Windows Authenticating Firewall Service

There are multiple ways to manually stop the Windows Firewall:

  • In the Firewall CPL in control panel
  • In the Advanced Firewall MMC
  • In the Services Manger MMC
  • Netsh Firewall set opmode disable
  • Net stop MPSSVC or net stop sharedaccesss (Depending on the OS)

One of the more common methods to use to stop the firewall service as a test is to use Net stop MPSSVC (for Windows Vista) or Net stop SharedAccess (for Windows XP) but both of these will cause the boot-time filters to load. The proper way to completely stop the firewall is by setting the service to disabled in Services Manager and then stopping the service through one of the GUIs or Netsh. This will prevent the boot-time filters from loading when the firewall service is stopped.


Figure 1. Setting the firewall service to disabled in Services manger.

Additional considerations for Windows Vista

IPSec and Windows Vista

It is worth noting that when you stop the MPSSVC service, IPSec policies are no longer in effect.

This could be a potential issue for third-party firewall services that want to replace the Windows Firewall but don’t provide IPSec functionality. The recommended way to resolve this situation is to set the firewall to allow all traffic and leave the service running. Microsoft provides an API call that third-party services can use to stop the Firewall Service. This call sets the firewall to allow all traffic while leaving the service running so IPsec can still function and is the expected method for third-parties to use.

Windows 7 and Windows Server 2008 R2

In Windows 7 and Windows Server 2008 R2, you first need to disable and stop the “Base Filtering Engine” service. Only stopping the Firewall service as described above will put you in block mode.

Another option is to stop the “Network List Service”. This will not allow the Firewall service to associate a profile and therefore it will be unable to block any traffic.

You will also want to investigate this MSDN link:
I Need to Disable Windows Firewall   

– David Pracht