Stealth mode is an important security feature. Disabling it can make the computer vulnerable to attack, even in managed corporate domain networks and behind edge firewalls. Therefore, we strongly recommend that you keep Stealth mode active and disable it only if it is required.
For ports on which no application listens, the Stealth mode feature blocks the outgoing Internet Control Message Protocol (ICMP) unreachable packet and Transmission Control Protocol (TCP) reset messages.
Stealth mode also applies to the endpoints that are in a paused state because of an overrun in the listen backlog parameter.
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
Stealth mode is a core security feature. For any given configuration, Stealth mode should stay enabled unless there is a strong, valid argument for disabling it.
Stealth mode can be disabled by using any of the following methods:
- An independent software vendor (ISV) can use the Windows Filtering Platform (WFP) API to replace the stealth filters with proprietary filters.
- Disable the firewall for all profiles. (We do not recommend this method.)
- You can add a "disable" value to either of the following sets of registry subkeys:
In either set, add the following value:
Value: DisableStealthMode
Type: REG_DWORD
Data: 0x00000000 (default - StealthMode enabled)
      0x00000001 (StealthMode disabled)
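The following PowerShell is an added example, not part of the Microsoft article, for auditing the DisableStealthMode value on a machine and writing the documented default (0) back where it has been changed. The article does not reproduce the profile subkey paths; the per-profile FirewallPolicy keys used here are an assumption, so substitute the subkeys from the article's list if your environment is configured through the policy set instead.

```powershell
# Added example (not from the Microsoft article): audit DisableStealthMode per firewall
# profile and optionally restore the documented default (0 = Stealth mode enabled).
# ASSUMPTION: these are the local per-profile FirewallPolicy subkeys; replace them with
# the subkeys listed in the article if your deployment uses the other set.
$ProfileKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile'
)

function Get-StealthModeState {
    # Returns one object per profile: the raw value (if any) and whether Stealth mode is on.
    param([string[]]$Keys = $ProfileKeys)
    foreach ($key in $Keys) {
        $value = $null
        $present = Test-Path $key
        if ($present) {
            $value = (Get-ItemProperty -Path $key -Name 'DisableStealthMode' `
                        -ErrorAction SilentlyContinue).DisableStealthMode
        }
        # An absent value means the default: 0x00000000, Stealth mode enabled.
        $disabled = ($null -ne $value -and $value -eq 1)
        [pscustomobject]@{
            Profile            = Split-Path $key -Leaf
            KeyPresent         = $present
            DisableStealthMode = if ($null -eq $value) { '(absent, default 0)' } else { '0x{0:X8}' -f $value }
            StealthEnabled     = -not $disabled
        }
    }
}

function Restore-StealthMode {
    # Writes the documented default (0) back for every profile whose key exists.
    # Requires an elevated session; back up the registry first, as the article advises.
    param([string[]]$Keys = $ProfileKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        Set-ItemProperty -Path $key -Name 'DisableStealthMode' -Value 0 -Type DWord
    }
}

# Usage: report the current state; call Restore-StealthMode to re-enable where needed.
Get-StealthModeState | Format-Table -AutoSize
```

Run Get-StealthModeState from a scheduled audit or configuration-management check so that a profile whose value has drifted to 0x00000001 is reported rather than silently left in the weakened state; Restore-StealthMode sets the value to 0 explicitly, which is equivalent to the default that applies when the value is absent.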
Stealth mode cannot be deactivated by disabling the firewall service (MpsSvc). This is an unsupported configuration. For more information, see:
Several applications rely on the behavior that is described in RFC 793, Reset Generation, Page 35f. These applications require the TCP RST packet or ICMP unreachable packet as a response when they knock on a port that has no listener. If they don't receive this response, the applications might not run correctly on Windows Server 2008 R2 or Windows 7.
Typically, the effect of this dependency is that Stealth mode may cause a 20-second delay before a regular TCP application reconnects, if the remote peer loses the connection state and the notification packet that would signal this never reaches the client.
One example of this behavior is Lotus Notes Client. The client can be configured to use several Lotus Notes servers. If the service is not running on the first configured server, the client switches immediately to the second server when it receives a TCP RESET. If Stealth mode is enabled, no TCP RESET is received by the client. The client then waits for the last SYN retransmit to time out before it tries the next server in the list.
Third-party information disclaimer
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.