Connection security rules are stored under the Software\Policies\Microsoft\WindowsFirewall\ConSecRules key.
Each value under the key is a connection security rule. The type of the value MUST be REG_SZ. The data of each value is a string that can be parsed by the following grammar. This grammar represents a connection security rule as defined in [MS-FASP] section 2.2.55, except for the wszRuleId field of the FW_CS_RULE structure which is instead represented by the name of the registry value.
CSRULE = "v" VERSION "|" 1*FIELD
FIELD = TYPE-VALUE "|"
TYPE-VALUE = "Action=" CS-ACTION-VAL
TYPE-VALUE =/ "Profile=" PROFILE-VAL
TYPE-VALUE =/ "Protocol=" 1*3DIGIT ; protocol is maximum 3 digits (255)
TYPE-VALUE =/ "EP1Port=" PORT-VAL
TYPE-VALUE =/ "EP2Port=" PORT-VAL
TYPE-VALUE =/ "EP1Port2_10=" PORT-RANGE-VAL
TYPE-VALUE =/ "EP2Port2_10=" PORT-RANGE-VAL
TYPE-VALUE =/ "IF=" IF-VAL
TYPE-VALUE =/ "IFType=" IFTYPE-VAL
TYPE-VALUE =/ "Auth1Set=" STR-VAL
TYPE-VALUE =/ "Auth2Set=" STR-VAL
TYPE-VALUE =/ "Crypto2Set=" STR-VAL
TYPE-VALUE =/ "EP1_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP1_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "EP2_6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "Name=" STR-VAL
TYPE-VALUE =/ "Desc=" STR-VAL
TYPE-VALUE =/ "EmbedCtxt=" STR-VAL
TYPE-VALUE =/ "Active=" BOOL-VAL
TYPE-VALUE =/ "Platform=" PLATFORM-VAL
TYPE-VALUE =/ "SkipVer=" VERSION
TYPE-VALUE =/ "Platform2=" PLATFORM-OP-VAL
TYPE-VALUE =/ "SecureInClearOut=" BOOL-VAL
TYPE-VALUE =/ "ByPassTunnel=" BOOL-VAL
TYPE-VALUE =/ "Authz=" BOOL-VAL
TYPE-VALUE =/ "RTunnel4=" ADDRV4
TYPE-VALUE =/ "RTunnel6=" ADDRV6
TYPE-VALUE =/ "LTunnel4=" ADDRV4
TYPE-VALUE =/ "LTunnel6=" ADDRV6
TYPE-VALUE =/ "RTunnel4_2=" ADDRV4
TYPE-VALUE =/ "RTunnel6_2=" ADDRV6
TYPE-VALUE =/ "LTunnel4_2=" ADDRV4
TYPE-VALUE =/ "LTunnel6_2=" ADDRV6
TYPE-VALUE =/ "RTunnelFqdn=" STR-VAL
TYPE-VALUE =/ "RTunEndpts4=" ( ADDRESSV4-RANGE-VAL / ADDRESSV4-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "RTunEndpts6=" ( ADDRESSV6-RANGE-VAL / ADDRESSV6-SUBNET-VAL / ADDRESS-KEYWORD-VAL )
TYPE-VALUE =/ "KeyMod=" KEY-MOD-VAL
TYPE-VALUE =/ "KeyManagerDictate=" BOOL-VAL
TYPE-VALUE =/ "KeyManagerNotify=" BOOL-VAL
TYPE-VALUE =/ "FwdLifetime=" 1*10DIGIT
TYPE-VALUE =/ "TransportMachineAuthzSDDL=" STR-VAL
TYPE-VALUE =/ "TransportUserAuthzSDDL=" STR-VAL
TYPE-VALUE =/ "SecurityRealmEnabled=" BOOL-VAL
STR-VAL = 1*ALPHANUM
BOOL-VAL = "TRUE" / "FALSE"
Action=: This token value represents the Action field of the FW_CS_RULE structure as defined in [MS-FASP] section 2.2.55. The CS-ACTION-VAL grammar rule represents the value contents of such field. This token MUST appear at most once in a rule string. The remaining token values in this list can be found in the same Protocol specification section except where noted.
Profile=: This token value represents the dwProfiles field of the FW_CS_RULE structure. The PROFILE-VAL grammar rule represents a value content of such field. If this token appears several times in a CSRULE grammar rule, then all the contents represented by the PROFILE-VAL rule appearing next to them are included. If the "Profile=" token never appears in the rule string, then it represents a value of FW_PROFILE_TYPE_ALL as defined in [MS-FASP] section 2.2.2.
Protocol=: This token value represents the wIpProtocol field of the FW_CS_RULE structure. The 1*3DIGIT grammar rule represents a value content of such field. Such value MUST NOT be greater than 255. The "Protocol" token MUST appear at most once in a CSRULE grammar rule. If a "Protocol" token does not appear in the rule string, then the meaning is the same as a value of 256 (any protocol) in the wIpProtocol field in [MS-FASP] section 2.2.55.
EP1Port=: This token value represents the Endpoint1Ports field of the FW_CS_RULE structure. As such defined Endpoint1Ports is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which in turn contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. If the "EP1Port" token appears multiple times in the rule string, then all the respective PORT-VAL rules of such appearances are allowed.
EP1Port2_10=: This token value represents the Endpoint1Ports field of the FW_CS_RULE structure. As in the case of the "EP1Port=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field. If the "EP1Port2_10" token appears multiple times in the rule string, then all the respective PORT-RANGE-VAL rules of such appearances are allowed.
EP2Port=: This token value represents the Endpoint2Ports field of the FW_CS_RULE structure. As such defined Endpoint2Ports is of type FW_PORTS, which contains a Ports field of type FW_PORT_RANGE_LIST, which in turn contains a pPorts array of type FW_PORT_RANGE. The PORT-VAL grammar rule represents an entry in the pPorts field. If the "EP2Port" token appears multiple times in the rule string, then all the respective PORT-VAL rules of such appearances are allowed.
EP2Port2_10=: This token value represents the Endpoint2Ports field of the FW_CS_RULE structure. As in the case of the "EP2Port=" token, the PORT-RANGE-VAL grammar rule represents an entry in the pPorts field. If the EP2Port2_10 token appears multiple times in the rule string, then all the respective PORT-RANGE-VAL rules of such appearances are allowed.
IF=: This token represents an entry in the LocalInterfaceIds field of the FW_CS_RULE structure.
IFType=: This token represents the dwLocalInterfaceType field of the FW_CS_RULE structure.
EP1_4=: This token value represents the Endpoint1 field of the FW_CS_RULE structure, specifically its v4 fields. As such defined Endpoint1 is of type FW_ADDRESSES, which contains the following three v4 fields: a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which in turn contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and a V4SubNets field of type FW_IPV4_SUBNET_LIST, which in turn contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field, the ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field, and the ADDRESS-KEYWORD-VAL grammar rule represents the dwV4AddressKeywords field. If the "EP1_4" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
EP2_4=: This token value represents the Endpoint2 field of the FW_CS_RULE structure, specifically its v4 fields. As such defined Endpoint2 is of type FW_ADDRESSES, which contains the following three v4 fields: a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which in turn contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and a V4SubNets field of type FW_IPV4_SUBNET_LIST, which in turn contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field, the ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field, and the ADDRESS-KEYWORD-VAL grammar rule represents the dwV4AddressKeywords field. If the "EP2_4" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
EP1_6=: This token value represents the Endpoint1 field of the FW_CS_RULE structure, specifically its v6 fields. As such defined Endpoint1 is of type FW_ADDRESSES, which contains the following three v6 fields: a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which in turn contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and a V6SubNets field of type FW_IPV6_SUBNET_LIST, which in turn contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field, the ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field, and the ADDRESS-KEYWORD-VAL grammar rule represents the dwV6AddressKeywords field. If the "EP1_6" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
EP2_6=: This token value represents the Endpoint2 field of the FW_CS_RULE structure, specifically its v6 fields. As such defined Endpoint2 is of type FW_ADDRESSES, which contains the following three v6 fields: a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which in turn contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and a V6SubNets field of type FW_IPV6_SUBNET_LIST, which in turn contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field, the ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field, and the ADDRESS-KEYWORD-VAL grammar rule represents the dwV6AddressKeywords field. If the "EP2_6" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
Name=: This token represents the wszName field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Desc=: This token represents the wszDescription field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
EmbedCtxt=: This token represents the wszEmbeddedContext field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Active=: This token represents the FW_CS_RULE_FLAGS_ACTIVE flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Active=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Platform=: This token value represents the PlatformValidityList field of the FW_CS_RULE structure. As such defined PlatformValidityList is of type FW_OS_PLATFORM_LIST, it contains a pPlatforms array of type FW_OS_PLATFORM. The PLATFORM-VAL grammar rule represents an entry in the pPlatforms field. If the Platform= token appears multiple times in the rule string, then all the respective PLATFORM-VAL grammar rules of such appearances are allowed.
SkipVer=: The VERSION grammar rule following this token represents the highest inherent version of the Firewall and Advanced Security components that can ignore this rule string completely. The inherent version of a Firewall and Advanced Security component is the highest version such component supports.
Platform2=: This token represents the operator to use on the last entry of the PlatformValidityList field of the FW_CS_RULE structure. Hence the PLATFORM-OP-VAL grammar rule represents the 5 most significant bits of the bPlatform field of the last FW_OS_PLATFORM structure entry (as defined in [MS-FASP] section 2.2.30) of the pPlatforms field of the FW_OS_PLATFORM_LIST structure as defined in [MS-FASP] section 2.2.31.
Auth1Set=: This token represents the wszPhase1AuthSet field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Auth2Set=: This token represents the wszPhase2AuthSet field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
Crypto2Set=: This token represents the wszPhase2CryptoSet field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
SecureInClearOut=: This token represents the FW_CS_RULE_OUTBOUND_CLEAR flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "SecureInClearOut=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
ByPassTunnel=: This token represents the FW_CS_RULE_TUNNEL_BYPASS_IF_ENCRYPTED flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the ByPassTunnel= token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
Authz=: This token represents the FW_CS_RULE_FLAGS_APPLY_AUTHZ flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "Authz=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
RTunnel4=: This token represents the dwRemoteTunnelEndpointV4 field of the FW_CS_RULE structure. The ADDRV4 grammar rule represents the contents of such field. This token MUST appear at most once in a rule string.
RTunnel6=: This token represents the RemoteTunnelEndpointV6 field of the FW_CS_RULE structure. The ADDRV6 grammar rule represents the contents of such field. This token MUST appear at most once in a rule string.
LTunnel4=: This token represents the dwLocalTunnelEndpointV4 field of the FW_CS_RULE structure. The ADDRV4 grammar rule represents the contents of such field. This token MUST appear at most once in a rule string.
LTunnel6=: This token represents the LocalTunnelEndpointV6 field of the FW_CS_RULE structure. The ADDRV6 grammar rule represents the contents of such field. This token MUST appear at most once in a rule string.
RTunnel4_2=: This token represents the dwRemoteTunnelEndpointV4 field of the FW_CS_RULE structure, with the additional meaning that it also represents a value of true in the FW_CS_RULE_FLAGS_DTM flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the same FW_CS_RULE structure. The ADDRV4 grammar rule represents the contents of the dwRemoteTunnelEndpointV4 field. This token MUST appear at most once in a rule string.
RTunnel6_2=: This token represents the RemoteTunnelEndpointV6 field of the FW_CS_RULE structure, with the additional meaning that it also represents a value of true in the FW_CS_RULE_FLAGS_DTM flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the same FW_CS_RULE structure. The ADDRV6 grammar rule represents the contents of the RemoteTunnelEndpointV6 field. This token MUST appear at most once in a rule string.
LTunnel4_2=: This token represents the dwLocalTunnelEndpointV4 field of the FW_CS_RULE structure, with the additional meaning that it also represents a value of true in the FW_CS_RULE_FLAGS_DTM flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the same FW_CS_RULE structure. The ADDRV4 grammar rule represents the contents of the dwLocalTunnelEndpointV4 field. This token MUST appear at most once in a rule string.
LTunnel6_2=: This token represents the LocalTunnelEndpointV6 field of the FW_CS_RULE structure, with the additional meaning that it also represents a value of true in the FW_CS_RULE_FLAGS_DTM flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the same FW_CS_RULE structure. The ADDRV6 grammar rule represents the contents of the LocalTunnelEndpointV6 field. This token MUST appear at most once in a rule string.
RTunnelFqdn=: This token represents the wszRemoteTunnelEndpointFqdn field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
RTunEndpts4=: This token value represents the RemoteTunnelEndpoints field of the FW_CS_RULE structure, specifically its v4 fields. As such defined RemoteTunnelEndpoints is of type FW_ADDRESSES, which contains the following three v4 fields: a dwV4AddressKeywords field, a V4Ranges field of type FW_IPV4_RANGE_LIST, which in turn contains a pRanges array of type FW_IPV4_ADDRESS_RANGE, and a V4SubNets field of type FW_IPV4_SUBNET_LIST, which in turn contains a pSubNets array of type FW_IPV4_SUBNET. The ADDRESSV4-RANGE-VAL grammar rule represents an entry in the pRanges field, the ADDRESSV4-SUBNET-VAL grammar rule represents an entry in the pSubNets field, and the ADDRESS-KEYWORD-VAL grammar rule represents the dwV4AddressKeywords field. If the "RTunEndpts4=" token appears multiple times in the rule string, then all the respective ADDRESSV4-RANGE-VAL, ADDRESSV4-SUBNET-VAL, and ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
RTunEndpts6=: This token value represents the RemoteTunnelEndpoints field of the FW_CS_RULE structure, specifically its v6 fields. As such defined RemoteTunnelEndpoints is of type FW_ADDRESSES, which contains the following three v6 fields: a dwV6AddressKeywords field, a V6Ranges field of type FW_IPV6_RANGE_LIST, which in turn contains a pRanges array of type FW_IPV6_ADDRESS_RANGE, and a V6SubNets field of type FW_IPV6_SUBNET_LIST, which in turn contains a pSubNets array of type FW_IPV6_SUBNET. The ADDRESSV6-RANGE-VAL grammar rule represents an entry in the pRanges field, the ADDRESSV6-SUBNET-VAL grammar rule represents an entry in the pSubNets field, and the ADDRESS-KEYWORD-VAL grammar rule represents the dwV6AddressKeywords field. If the "RTunEndpts6=" token appears multiple times in the rule string, then all the respective ADDRESSV6-RANGE-VAL, ADDRESSV6-SUBNET-VAL, and ADDRESS-KEYWORD-VAL rules of such appearances are allowed.
KeyMod=: This token value represents the dwKeyModules field of the FW_CS_RULE structure. The KEY-MOD-VAL grammar rule represents a flag in the dwKeyModules field. If the "KeyMod=" token appears multiple times in the rule string, then all the respective KEY-MOD-VAL rules of such appearances are allowed.
KeyManagerDictate=: This token represents the FW_CS_RULE_FLAGS_KEY_MANAGER_ALLOW_DICTATE_KEY flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "KeyManagerDictate=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
KeyManagerNotify=: This token represents the FW_CS_RULE_FLAGS_KEY_MANAGER_ALLOW_NOTIFY_KEY flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "KeyManagerNotify=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
FwdLifetime=: This token represents the FwdPathSALifetime field of the FW_CS_RULE structure. Its decimal value MUST NOT be greater than 4,294,967,295. If the "FwdLifetime=" token does not appear in the rule, a value of zero is assumed. This token MUST appear at most once in a rule string.
TransportMachineAuthzSDDL=: This token represents the wszTransportMachineAuthzSDDL field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
TransportUserAuthzSDDL=: This token represents the wszTransportUserAuthzSDDL field of the FW_CS_RULE structure. The STR-VAL grammar rule represents a Unicode string that represents the contents of such field. This token MUST appear at most once in a rule string.
SecurityRealmEnabled=: This token represents the FW_CS_RULE_FLAGS_SECURITY_REALM flag (as defined in [MS-FASP] section 2.2.51) of the wFlags field of the FW_CS_RULE structure. The BOOL-VAL grammar rule represents the Boolean meaning of such flag as defined in section 2.2.2.14. If the "SecurityRealmEnabled=" token does not appear in the rule, a Boolean value of false is assumed. This token MUST appear at most once in a rule string.
The semantic checks defined in [MS-FASP] section 2.2.55 are also applicable to the connection security rules described in this section after following the mapping in each of the preceding tokens.
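As an added example (not code from [MS-GPFAS] or from Windows), the following Python parser applies the grammar and the per-token rules above to one registry value: it requires the "v" VERSION "|" prefix and a "|" terminator on every FIELD, accumulates the tokens that may repeat (Profile=, the port, address, interface, platform and KeyMod= tokens), rejects a second occurrence of any token that MUST appear at most once, enforces the stated limits on Protocol= (at most 255) and FwdLifetime= (at most 4,294,967,295), fills in the defaults for absent tokens (256 for wIpProtocol, FW_PROFILE_TYPE_ALL for dwProfiles, zero for FwdPathSALifetime, every BOOL-VAL flag false) and sets FW_CS_RULE_FLAGS_DTM when one of the "_2" tunnel tokens is present. The value-level rules (CS-ACTION-VAL, PROFILE-VAL, PORT-VAL, the address and interface rules) are defined elsewhere in the specification and are passed through as strings. The VERSION format (major.minor), the value name and every field content in the sample string are assumptions made for this example.

```python
"""Parser for the CSRULE registry strings described above.

Added example, not code from [MS-GPFAS] or from Windows. Value-level rules
(CS-ACTION-VAL, PROFILE-VAL, PORT-VAL, the address rules) are defined elsewhere
in the specification, so their contents are passed through as strings; only
the structure, defaults and limits stated on this page are enforced.
"""
import re

VERSION_RE = re.compile(r"^v(\d+\.\d+)$")  # assumption: VERSION is major.minor

# Tokens the text says MUST appear at most once.
SINGLE = {
    "Action", "Protocol", "Name", "Desc", "EmbedCtxt", "Active", "SkipVer",
    "Platform2", "Auth1Set", "Auth2Set", "Crypto2Set", "SecureInClearOut",
    "ByPassTunnel", "Authz", "RTunnel4", "RTunnel6", "LTunnel4", "LTunnel6",
    "RTunnel4_2", "RTunnel6_2", "LTunnel4_2", "LTunnel6_2", "RTunnelFqdn",
    "KeyManagerDictate", "KeyManagerNotify", "FwdLifetime",
    "TransportMachineAuthzSDDL", "TransportUserAuthzSDDL",
    "SecurityRealmEnabled",
}
# Tokens whose every occurrence adds an entry (list entries, or KeyMod flags).
MULTI = {
    "Profile", "EP1Port", "EP2Port", "EP1Port2_10", "EP2Port2_10", "IF",
    "EP1_4", "EP2_4", "EP1_6", "EP2_6", "Platform", "RTunEndpts4",
    "RTunEndpts6", "KeyMod",
}
# BOOL-VAL tokens and the wFlags bit each one sets when TRUE.
FLAG_FOR_BOOL = {
    "Active": "FW_CS_RULE_FLAGS_ACTIVE",
    "SecureInClearOut": "FW_CS_RULE_OUTBOUND_CLEAR",
    "ByPassTunnel": "FW_CS_RULE_TUNNEL_BYPASS_IF_ENCRYPTED",
    "Authz": "FW_CS_RULE_FLAGS_APPLY_AUTHZ",
    "KeyManagerDictate": "FW_CS_RULE_FLAGS_KEY_MANAGER_ALLOW_DICTATE_KEY",
    "KeyManagerNotify": "FW_CS_RULE_FLAGS_KEY_MANAGER_ALLOW_NOTIFY_KEY",
    "SecurityRealmEnabled": "FW_CS_RULE_FLAGS_SECURITY_REALM",
}
# The "_2" tunnel tokens additionally set FW_CS_RULE_FLAGS_DTM.
DTM_TOKENS = {"RTunnel4_2", "RTunnel6_2", "LTunnel4_2", "LTunnel6_2"}


class CsRuleError(ValueError):
    """Raised when a rule string violates the grammar or a stated limit."""


def parse_cs_rule(value_name, data):
    """Parse one REG_SZ value under ...\\WindowsFirewall\\ConSecRules.

    value_name is the registry value name (it carries wszRuleId); data is the
    REG_SZ string. Returns a dict keyed by token name plus the derived fields.
    """
    parts = data.split("|")
    m = VERSION_RE.match(parts[0])
    if m is None:
        raise CsRuleError("rule string must start with 'v' VERSION '|'")
    if parts[-1] != "" or len(parts) < 3:
        raise CsRuleError("need 1*FIELD, each terminated by '|'")
    rule = {
        "wszRuleId": value_name,
        "version": m.group(1),
        "wIpProtocol": 256,                    # no Protocol= means 256 (any)
        "dwProfiles": "FW_PROFILE_TYPE_ALL",   # until a Profile= token is seen
        "FwdPathSALifetime": 0,                # no FwdLifetime= means 0
        "wFlags": set(),                       # every BOOL-VAL flag defaults to false
        "lists": {name: [] for name in MULTI},
    }
    seen = set()
    for field in parts[1:-1]:
        name, sep, val = field.partition("=")
        if not sep:
            raise CsRuleError(f"FIELD without '=': {field!r}")
        if name in MULTI:
            rule["lists"][name].append(val)
            continue
        if name not in SINGLE:
            raise CsRuleError(f"unknown token {name}=")
        if name in seen:
            raise CsRuleError(f"{name}= MUST appear at most once")
        seen.add(name)
        if name == "Protocol":
            if not re.fullmatch(r"\d{1,3}", val) or int(val) > 255:
                raise CsRuleError("Protocol= must be 1-3 digits, at most 255")
            rule["wIpProtocol"] = int(val)
        elif name == "FwdLifetime":
            if not re.fullmatch(r"\d{1,10}", val) or int(val) > 4_294_967_295:
                raise CsRuleError("FwdLifetime= must fit in 32 bits")
            rule["FwdPathSALifetime"] = int(val)
        elif name in FLAG_FOR_BOOL:
            if val not in ("TRUE", "FALSE"):
                raise CsRuleError(f"{name}= must be TRUE or FALSE")
            if val == "TRUE":
                rule["wFlags"].add(FLAG_FOR_BOOL[name])
        else:
            if name in DTM_TOKENS:
                rule["wFlags"].add("FW_CS_RULE_FLAGS_DTM")
            rule[name] = val
    if rule["lists"]["Profile"]:
        rule["dwProfiles"] = rule["lists"]["Profile"]
    return rule


# Constructed sample: the value name and every field content are made up.
SAMPLE_NAME = "{0A1B2C3D-0000-4000-8000-000000000001}"
SAMPLE_DATA = (
    "v2.10|Action=SecureServer|Name=ExampleRule|Active=TRUE|"
    "Profile=Domain|Profile=Private|Protocol=6|EP1Port=445|"
    "EP1Port2_10=5985-5986|EP1_4=10.0.0.0/24|Auth1Set=Auth1Example|"
    "RTunnel4_2=203.0.113.1|FwdLifetime=3600|"
)


def rejected(data, value_name="test"):
    """Return the error message for an invalid rule string, or None if accepted."""
    try:
        parse_cs_rule(value_name, data)
    except CsRuleError as e:
        return str(e)
    return None


if __name__ == "__main__":
    r = parse_cs_rule(SAMPLE_NAME, SAMPLE_DATA)
    print(r["wszRuleId"], r["wIpProtocol"], sorted(r["wFlags"]), r["dwProfiles"])
    print(rejected("v2.10|Protocol=256|"))
    print(rejected("v2.10|Name=a|Name=b|"))
```

On a Windows host the (value name, data) pairs to feed parse_cs_rule come from enumerating HKLM\Software\Policies\Microsoft\WindowsFirewall\ConSecRules, for example with Get-ItemProperty in PowerShell. The parser is deliberately strict: a policy-delivered string that violates a MUST (a second Action= token, a Protocol= above 255, an unknown token) is rejected rather than interpreted with a "last one wins" guess, and the defaults matter for review, since a rule whose Active= token is absent is inactive and a rule without Protocol= or Profile= applies to any protocol on all profiles. The value-level contents it passes through still have to be checked against the grammar rules that define them and against the [MS-FASP] semantic checks.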