How to disable Stealth mode in Windows

Applies to: Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Foundation

Introduction


For ports on which no application listens, the Stealth mode feature blocks the outgoing Internet Control Message Protocol (ICMP) unreachable packet and Transmission Control Protocol (TCP) reset messages.

Stealth mode also applies to the endpoints that are in a paused state because of an overrun in the listen backlog parameter.

Resolution


Important
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

Stealth mode is a core security feature. For any given configuration, Stealth mode should stay enabled unless there is a strong, valid argument for disabling it.

Stealth mode can be disabled by using any of the following methods:

  • An independent software vendor (ISV) can use the Windows Filtering Platform (WFP) API to replace the stealth filters with proprietary filters.
  • Disable the firewall for all profiles. (We do not recommend this method.)
  • You can add a "disable" value to either of the following sets of registry subkeys:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile


    In either set, add the following value:

    Value: DisableStealthMode
    Type:  REG_DWORD
    Data:  0x00000000 (default - Stealth mode enabled)
           0x00000001 (Stealth mode disabled)
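The following PowerShell script is an added example, not part of the original article. It audits the DisableStealthMode value on every firewall profile subkey the article lists, and it provides a function to set the value to 1 (Stealth mode disabled) or back to the documented default of 0. The script assumes it is run from an elevated prompt on the server; subkeys that do not exist (the Policies keys are typically only present when firewall settings are applied through Group Policy, which is an assumption here) are reported and skipped rather than created.

```powershell
# Added example (not from the original KB article): audit and, only when
# explicitly requested, set DisableStealthMode on each firewall profile subkey.
# Run from an elevated PowerShell prompt on the server being configured.

$ValueName = 'DisableStealthMode'

# Subkeys taken from the article. The SharedAccess set holds local firewall
# policy; the Policies set holds Group Policy-applied settings (assumption:
# the Policies subkeys exist only when such policy has been applied).
$ProfileKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile',
    'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile',
    'HKLM:\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PrivateProfile',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\PublicProfile',
    'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'
)

function Get-StealthModeState {
    # Emits one object per subkey: whether the key exists, the raw DWORD (if any),
    # and the resulting state. A missing value behaves like 0 (Stealth mode enabled).
    foreach ($key in $ProfileKeys) {
        $exists = Test-Path -Path $key
        $raw = $null
        if ($exists) {
            $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
            if ($null -ne $item) { $raw = [int]$item.$ValueName }
        }
        [pscustomobject]@{
            Key         = $key
            KeyExists   = $exists
            RawValue    = $raw
            StealthMode = if ($raw -eq 1) { 'Disabled' } else { 'Enabled (default)' }
        }
    }
}

function Set-StealthModeState {
    # Writes DisableStealthMode as REG_DWORD on every subkey that exists.
    # -Enable restores the documented default (0); without it the value is set to 1.
    param([switch]$Enable)
    $data = if ($Enable) { 0 } else { 1 }
    foreach ($key in $ProfileKeys) {
        if (-not (Test-Path -Path $key)) {
            Write-Warning "Skipping missing subkey: $key"
            continue
        }
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $data -Force | Out-Null
    }
}

# Usage: always report the current state before changing anything.
Get-StealthModeState | Format-Table -AutoSize

# To disable Stealth mode (only with a documented justification, per the article):
#   Set-StealthModeState
# To return every profile to the default:
#   Set-StealthModeState -Enable
```

Run the audit function first and keep its output with the change record; it shows which subkey set (local or Group Policy) actually carries the value, which is the set that needs to be reverted later.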

More Information


Several applications rely on the behavior that is described in RFC 793, Reset Generation, Page 35f. These applications require the TCP RST packet or ICMP unreachable packet as a response if they knock on a port that has no listener. If they don’t receive this response, the applications might not be able to run correctly on Windows Server 2008 R2 or Windows 7.

Typically, the effect of this dependency is that Stealth mode may cause a 20-second delay for regular TCP applications to reconnect if the remote peer loses the connection state and that notification packet doesn’t reach the client.

One example of this behavior is Lotus Notes Client. The client can be configured to use different Lotus Notes servers. If the service is not running on the first configured server, the client switches immediately to the second server if it receives a TCP RESET. If Stealth mode is enabled, no TCP RESET is received by the client. The client then waits for the last SYN retransmit to time out before it tries the next server in the list.
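The delay described above can be measured directly. The following PowerShell function is an added example, not part of the original article: it times one TCP connect attempt to a port with no listener on a server you administer and reports whether the attempt was refused immediately (a TCP RST came back, so Stealth mode is not hiding the port) or whether the client had to wait for its SYN retransmits to expire (no response, consistent with Stealth mode or any other filter that drops the SYN). The host name and port in the usage line are constructed placeholders.

```powershell
# Added example (not from the original KB article): measure how a closed port
# on your own server answers a TCP connect, to confirm the Stealth mode effect.
# Assumption: $TargetHost is a server you administer and $Port has no listener.

function Get-InnermostException {
    # PowerShell wraps .NET exceptions; walk to the innermost one for classification.
    param([System.Exception]$Exception)
    while ($null -ne $Exception.InnerException) { $Exception = $Exception.InnerException }
    return $Exception
}

function Test-ClosedPortResponse {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutSeconds = 30   # longer than the ~20 s SYN retransmit window from the article
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $outcome = $null
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne([TimeSpan]::FromSeconds($TimeoutSeconds))) {
            $outcome = 'NoResponse'   # still pending after our own deadline
        } else {
            try {
                $client.EndConnect($async)
                $outcome = 'Connected'   # something is listening after all; pick another port
            } catch {
                $ex = Get-InnermostException -Exception $_.Exception
                if ($ex -is [System.Net.Sockets.SocketException]) {
                    # ConnectionRefused: a TCP RST arrived, the port is not stealthed.
                    # TimedOut: the stack exhausted its SYN retransmits, consistent with Stealth mode.
                    $outcome = $ex.SocketErrorCode.ToString()
                } else {
                    $outcome = 'Error: ' + $ex.Message
                }
            }
        }
    } finally {
        $sw.Stop()
        $client.Close()
    }
    [pscustomobject]@{
        Target            = "${TargetHost}:$Port"
        Outcome           = $outcome
        Seconds           = [math]::Round($sw.Elapsed.TotalSeconds, 1)
        StealthModeLikely = ($outcome -in @('NoResponse', 'TimedOut'))
    }
}

# Usage (constructed values; substitute your own server and an unused port):
Test-ClosedPortResponse -TargetHost 'server01.example.internal' -Port 50001
```

Run it once before and once after a change to DisableStealthMode: a result of ConnectionRefused after roughly zero seconds is the RST-based behaviour the Lotus Notes client depends on, while TimedOut after about twenty seconds is the Stealth mode delay the article describes. The check cannot tell Stealth mode apart from an intermediate firewall that silently drops the SYN, so run it from a host on the same network segment where possible.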