Page 1: Windows8 Hardware Cert Requirements Filter Driver

Page 1 of 70

Windows Hardware Certification Requirements

Filter Driver

December 2011

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. © 2011 Microsoft. All rights reserved.

Microsoft, Windows and Windows Server are trademarks of the Microsoft group of companies. UPnP™ is a certification mark of the UPnP™ Implementers Corp. All other trademarks are property of their respective owners.

Microsoft Corporation Technical Documentation License Agreement

READ THIS! THIS IS A LEGAL AGREEMENT BETWEEN MICROSOFT CORPORATION ("MICROSOFT") AND THE RECIPIENT OF THESE

MATERIALS, WHETHER AN INDIVIDUAL OR AN ENTITY ("YOU"). IF YOU HAVE ACCESSED THIS AGREEMENT IN THE PROCESS OF

DOWNLOADING MATERIALS ("MATERIALS") FROM A MICROSOFT WEB SITE, BY CLICKING "I ACCEPT", DOWNLOADING, USING OR

PROVIDING FEEDBACK ON THE MATERIALS, YOU AGREE TO THESE TERMS. IF THIS AGREEMENT IS ATTACHED TO MATERIALS, BY

ACCESSING, USING OR PROVIDING FEEDBACK ON THE ATTACHED MATERIALS, YOU AGREE TO THESE TERMS.

For good and valuable consideration, the receipt and sufficiency of which are acknowledged, You and Microsoft agree as follows:

1. You may review these Materials only (a) as a reference to assist You in planning and designing Your product, service or technology

("Product") to interface with a Microsoft Product as described in these Materials; and (b) to provide feedback on these Materials to

Microsoft. All other rights are retained by Microsoft; this agreement does not give You rights under any Microsoft patents. You may not (i)

remove this agreement or any notices from these Materials, or (ii) give any part of these Materials, or assign or otherwise provide Your

rights under this agreement, to anyone else.

2. These Materials may contain preliminary information or inaccuracies, and may not correctly represent any associated Microsoft Product

as commercially released. All Materials are provided entirely "AS IS." To the extent permitted by law, MICROSOFT MAKES NO WARRANTY

OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES

OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

3. If You are an entity and (a) merge into another entity or (b) a controlling ownership interest in You changes, Your right to use these

Materials automatically terminates and You must destroy them.

4. You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to these Materials.

However, any Feedback you voluntarily provide may be used in Microsoft Products and related specifications or other documentation

(collectively, "Microsoft Offerings") which in turn may be relied upon by other third parties to develop their own Products. Accordingly, if

You do give Microsoft Feedback on any version of these Materials or the Microsoft Offerings to which they apply, You agree: (a) Microsoft

may freely use, reproduce, license, distribute, and otherwise commercialize Your Feedback in any Microsoft Offering; (b) You also grant

third parties, without charge, only those patent rights necessary to enable other Products to use or interface with any specific parts of a

Microsoft Product that incorporate Your Feedback; and (c) You will not give Microsoft any Feedback (i) that You have reason to believe is

subject to any patent, copyright or other intellectual property claim or right of any third party; or (ii) subject to license terms which seek to

require any Microsoft Offering incorporating or derived from such Feedback, or other Microsoft intellectual property, to be licensed to or

otherwise shared with any third party.

5. Microsoft has no obligation to maintain confidentiality of any Microsoft Offering, but otherwise the confidentiality of Your Feedback,

including Your identity as the source of such Feedback, is governed by Your NDA.

6. This agreement is governed by the laws of the State of Washington. Any dispute involving it must be brought in the federal or state

superior courts located in King County, Washington, and You waive any defenses allowing the dispute to be litigated elsewhere. If there is

litigation, the losing party must pay the other party’s reasonable attorneys’ fees, costs and other expenses. If any part of this agreement is

unenforceable, it will be considered modified to the extent necessary to make it enforceable, and the remainder shall continue in effect.

This agreement is the entire agreement between You and Microsoft concerning these Materials; it may be changed only by a written

document signed by both You and Microsoft.

Introduction
Features
  Filter.Driver.AntiVirus
    Filter.Driver.AntiVirus.Functionality
    Filter.Driver.AntiVirus.IcarDetection
    Filter.Driver.AntiVirus.MiniFilter
    Filter.Driver.AntiVirus.NamedPipeAndMailSlots
    Filter.Driver.AntiVirus.RegistryAndProcess
    Filter.Driver.AntiVirus.Winsock
  Filter.Driver.EarlyLaunchAntiMalware
    Filter.Driver.EarlyLaunchAntiMalware.BackupDriver
    Filter.Driver.EarlyLaunchAntiMalware.MVIMembership
    Filter.Driver.EarlyLaunchAntiMalware.Performance
    Filter.Driver.EarlyLaunchAntiMalware.SignatureData
  Filter.Driver.FileSystem
    Filter.Driver.FileSystem.Functionality
    Filter.Driver.FileSystem.MiniFilter
    Filter.Driver.FileSystem.NamedPipeAndMailSlots
    Filter.Driver.FileSystem.RegistryAndProcess
  Filter.Driver.Fundamentals
    Filter.Driver.Fundamentals.DriverQuality
  Filter.Driver.Network.LWF
    Filter.Driver.Network.LWF.Base
    Filter.Driver.Network.LWF.MTUSize
  Filter.Driver.Network.VMSwitchExtension
    Filter.Driver.Network.VMSwitchExtension.VMSwitchExtension
  Filter.Driver.Security
    Filter.Driver.Security.TdiAndLsp
  Filter.Driver.WindowsFilteringPlatform
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.AppContainers.SupportModernApplications
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.CleanUninstall
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.ConnectionProxying.NoDeadlocks
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmFilters.MaintainOneTerminating
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.AssociateWithObjects
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.MaintainIdentifying
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmSublayers.UseOwnOrBuiltIn
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NetworkDiagnosticsFramework.HelperClass
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoAccessViolations
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoTamperingWith3rdPartyObjects
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.PacketInjection.NoDeadlocks
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.StreamInjection.NoStreamStarvation
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.SupportPowerManagedStates
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.WFPObjectACLs
    Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.Winsock
    Filter.Driver.WindowsFilteringPlatform.Firewall.DisableWindowsFirewallProperly
    Filter.Driver.WindowsFilteringPlatform.Firewall.NotOnlyPermitAllFilters
    Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions
    Filter.Driver.WindowsFilteringPlatform.Firewall.SupportApplicationExceptions
    Filter.Driver.WindowsFilteringPlatform.Firewall.SupportMACAddressExceptions
    Filter.Driver.WindowsFilteringPlatform.Firewall.UseWindowsFilteringPlatform
    Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportARP
    Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportDynamicAddressing
    Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv4
    Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv6
    Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportNameResolution
    Filter.Driver.WindowsFilteringPlatform.Scenario.Support6to4
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportAutomaticUpdates
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportBasicWebsiteBrowsing
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportFileAndPrinterSharing
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportICMPErrorMessages
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportInternetStreaming
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMediaExtenderStreaming
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMobileBroadBand
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportPeerNameResolution
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteAssistance
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteDesktop
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportTeredo
    Filter.Driver.WindowsFilteringPlatform.Scenario.SupportVirtualPrivateNetworking
    Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.InteropWithOtherExtensions
    Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.NoEgressModification
    Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportLiveMigration
    Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportRemoval
    Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportReordering

Introduction

This release to web (RTW) document contains the Windows Hardware Certification requirements for Windows 8 filter drivers. These requirements are Microsoft®’s guidelines for designing Windows Filtering Platform (WFP) Drivers, File Systems Filter Drivers, Antivirus Filter Drivers, and Early Launch Anti-Malware (ELAM) Filter Drivers. Successfully following this guidance will allow a partner to receive certification and signing for their filter drivers.

The requirements are organized by feature using a Camel Case naming convention, which facilitates

grouping related requirements and communicating their relationship to the Windows feature they

are intended to support. Tests assessing compliance with the features are exposed during testing

with the Hardware Certification Kit and can be related directly back to these requirements.

Some requirements have passed forward from Logo requirements for earlier Windows versions

which used a category based structure. We have included the older LogoPoint ID in the comments

section for your convenience.

If Implemented Requirements

The Windows Hardware Certification program declares requirements which must be met by any filter driver addressing certain features or technologies in the PC ecosystem. However, additional functionality is built into Windows which is optional, and can offer a competitive edge for manufacturers should they choose to implement the feature. In these cases, there are requirements which must be met only if the additional functionality is implemented. Because these additional requirements apply only if the relevant functionality is implemented, they are referred to as “if-implemented” requirements in this document.

The Hardware Certification Kit detects features exposed by a product automatically. The detected features will then be tested for compliance, whether they are mandatory for certification as a defined product type or optional. The title of the requirement or the exception field will indicate when a requirement applies.

Features

Filter.Driver.AntiVirus

Description:

Antivirus requirements for Filter drivers

Related Requirements:

Filter.Driver.AntiVirus.Functionality

Filter.Driver.AntiVirus.IcarDetection

Filter.Driver.AntiVirus.MiniFilter

Filter.Driver.AntiVirus.NamedPipeAndMailSlots

Filter.Driver.AntiVirus.RegistryAndProcess

Filter.Driver.AntiVirus.Winsock

Filter.Driver.AntiVirus.Functionality

Target Feature: Filter.Driver.AntiVirus

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of Windows File Systems, as well as interact accurately with the core components of the operating

system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows Server 2008 Release 2 x64

Windows 7 Client x64

Windows 7 Client x86

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of

Windows File Systems, as well as interact accurately with the core components of the operating

system. Some areas of particular interest are:

Local File Systems
  NT API, Win32 API and Win32 Mapped IO API usage
  Object ID functionality
  Reparse Points
  Oplocks
  System Cache usage
  Transactional capability
Remote File Systems
  Oplock semantics over SMB

Information about File System Behavior:

http://download.microsoft.com/download/4/3/8/43889780-8d45-4b2e-9d3a-c696a890309f/File%20System%20Behavior%20Overview.pdf

For information about Oplock semantics over SMB, see the [MS-SMB2] protocol document at:

http://msdn.microsoft.com/en-us/library/cc246482(PROT.13).aspx

Exceptions: Not Specified

Business Justification:

Ensures Kernel Mode Filter Drivers are architected to maximize the reliability and functionality of the

Windows file system.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.AntiVirus.IcarDetection

Target Feature: Filter.Driver.AntiVirus

Title: Anti-Virus Filter Drivers must be architected to exercise basic Anti-virus functionality, as well

as interact accurately with the core components of the operating system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 7 Client x86

Windows 7 Client x64

Windows Server 2008 Release 2 x64

Description:

Anti-Virus Filter Drivers must be architected to exercise basic Anti-virus functionality, as well as

interact accurately with the core components of the operating system. Some areas of particular

interest are:

File Systems

Anti-virus functionality

Exceptions: Not Specified

Business Justification:

Ensures AV filter drivers interact correctly with core components of the operating system.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.AntiVirus.MiniFilter

Target Feature: Filter.Driver.AntiVirus

Title: A File System Filter Driver must be a Mini-Filter driver using the File Systems Filter Manager

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Description:

This requirement will be tested implicitly. The driver detection mechanism of the Windows Hardware Certification Kit (WHCK) will be written such that legacy file system filter drivers are not enumerated. Only minifilter drivers will be enumerated and surfaced in the WHCK. As such, a user will be unable to select a legacy filter driver for logo testing via the WHCK.

Information about Filter Manager and Minifilter Drivers is available here:

http://msdn.microsoft.com/en-us/library/ff540402(v=VS.85).aspx

http://msdn.microsoft.com/en-us/windows/hardware/gg462968.aspx

Exceptions: Not Specified

Business Justification:

Drivers should leverage Filter Manager to provide the best end-user experience.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: Windows 8 RC

Comments:

Taken from FILTER-001

Filter.Driver.AntiVirus.NamedPipeAndMailSlots

Target Feature: Filter.Driver.AntiVirus

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of Named Pipe and Mail Slots, as well as interact accurately with the core components of the

operating system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of

Named Pipe and Mail Slots, as well as interact accurately with the core components of the operating

system. Some areas of particular interest are:

Named Pipe File System
  Functionality and stress for common APIs
  Anonymous pipes
  Pipe modes
  Open modes
  Invalid pipe names
  Flushing pipe
  Max pipe instance
  Pipe direction (in/out/duplex)
  Input and output buffer sizes
  Various call semantics, such as reconnecting a pipe that has been disconnected at the server end.
  Behavior validation of all named pipes operations for each distinct state of a pipe instance.
  Performance for named pipe creation and connection.
  Throughput for different in/out buffer sizes and number of clients.
  Scalability of increasing number of clients to time it takes for connection to a named pipe instance
Mail Slot File System
  Functionality and stress for common APIs

Information about Named Pipe and Mail Slots can be found at:

http://msdn.microsoft.com/en-us/library/aa365574(v=VS.85).aspx

Exceptions: Not Specified

Business Justification:

Ensures Kernel Mode Filter drivers are architected to maximize the reliability and functionality of

Named Pipe and Mail Slots.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: Windows 8 RC

Comments:

New

Filter.Driver.AntiVirus.RegistryAndProcess

Target Feature: Filter.Driver.AntiVirus

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of the Windows Registry and Processes, as well as interact accurately with the core components of

the operating system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 7 Client x64

Windows 7 Client x86

Windows Server 2008 Release 2 x64

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of the

Windows Registry and Processes, as well as interact accurately with the core components of the

operating system. Some areas of particular interest are:

Registry
  NT API and Win32 API usage
  Key Functions
  Transaction Registry Operations
  Symbolic Link behavior
Process
  General Module Management
  Race conditions at thread/process termination
  Process management callback functionality
  Thread and Process handle operations

Exceptions: Not Specified

Business Justification:

Ensures that Kernel Mode Filter drivers are architected to maximize the reliability and functionality of the Windows Registry and Processes.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.AntiVirus.Winsock

Target Feature: Filter.Driver.AntiVirus

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of Windows Sockets, as well as interact accurately with the core components of the operating

system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 7 Client x64

Windows 7 Client x86

Windows Server 2008 Release 2 x64

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of

Windows Sockets, as well as interact accurately with the core components of the operating system.

Some areas of particular interest are:

Winsock

Winsock API functionality

Information about Winsock APIs can be found at:

http://msdn.microsoft.com/en-us/library/ms740673(VS.85).aspx

Exceptions: Not Specified

Business Justification:

Ensures that Kernel Mode Filter drivers are architected to maximize the reliability and functionality

of Windows sockets.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.EarlyLaunchAntiMalware

Description:

The Early Launch Anti-Malware (AM) software feature provides a Microsoft supported mechanism for AM software to start before all other 3rd party components. AM drivers are initialized first and allowed to control the initialization of boot drivers. Unknown boot drivers are potentially not initialized. Once the boot process has initialized boot drivers and access to persistent storage is available in an efficient way, existing AM software may continue to block malware from executing.

Related Requirements:

Filter.Driver.EarlyLaunchAntiMalware.BackupDriver

Filter.Driver.EarlyLaunchAntiMalware.MVIMembership

Filter.Driver.EarlyLaunchAntiMalware.Performance

Filter.Driver.EarlyLaunchAntiMalware.SignatureData

Filter.Driver.EarlyLaunchAntiMalware.BackupDriver

Target Feature: Filter.Driver.EarlyLaunchAntiMalware

Title: Early Launch Anti-malware drivers include a backup copy in case of corruption

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

The AM driver is critical to the boot success of the computer. If the driver gets corrupted, then the

boot may not succeed. To provide the best user experience, it is required that when the AM driver is

installed, it also installs a copy in the driver backup store. This ensures a smooth remediation

experience in the case that the primary driver gets corrupted.

The location of the ELAM backup store is defined by Windows, and stored in the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\EarlyLaunch ! BackupPath
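
A check for the requirement above, as an added example that is not part of the original requirements document: it reads BackupPath from the EarlyLaunch key named on this page and confirms that a copy of the driver is present in that store. The driver file name, the System32\drivers location of the primary copy, and the hash and signature comparisons are assumptions of this example.

```powershell
# Added example (not from the requirements document).
# Assumptions: the driver file name passed in is a placeholder, and the primary
# copy is assumed to be installed under %SystemRoot%\System32\drivers.
function Test-ElamBackupCopy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$DriverFile,
        [string]$PrimaryDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    $report = [ordered]@{
        Driver          = $DriverFile
        BackupPath      = $null
        BackupPresent   = $false   # the page's success metric
        MatchesPrimary  = $null    # extra integrity check added by this example
        BackupSignature = $null    # Authenticode status of the backup copy
    }

    # Windows defines the backup store location in the BackupPath value.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'
    $prop = Get-ItemProperty -Path $key -Name 'BackupPath' -ErrorAction SilentlyContinue
    if (-not $prop -or [string]::IsNullOrWhiteSpace($prop.BackupPath)) {
        Write-Warning "BackupPath is not set under $key"
        return [pscustomobject]$report
    }

    # Expand any environment variables in case the value is stored unexpanded.
    $backupDir = [Environment]::ExpandEnvironmentVariables($prop.BackupPath)
    $report.BackupPath = $backupDir

    $backupFile  = Join-Path $backupDir  $DriverFile
    $primaryFile = Join-Path $PrimaryDir $DriverFile

    if (Test-Path -LiteralPath $backupFile -PathType Leaf) {
        $report.BackupPresent   = $true
        $report.BackupSignature = (Get-AuthenticodeSignature -FilePath $backupFile).Status

        # A mismatch means one of the two copies changed: either corruption or
        # an update that replaced the primary without refreshing the backup.
        if (Test-Path -LiteralPath $primaryFile -PathType Leaf) {
            $backupHash  = (Get-FileHash -LiteralPath $backupFile  -Algorithm SHA256).Hash
            $primaryHash = (Get-FileHash -LiteralPath $primaryFile -Algorithm SHA256).Hash
            $report.MatchesPrimary = ($backupHash -eq $primaryHash)
        }
    }

    return [pscustomobject]$report
}

# Usage (placeholder file name):
# Test-ElamBackupCopy -DriverFile 'ExampleElam.sys'
```

BackupPresent corresponds to the success metric stated for this requirement; MatchesPrimary and BackupSignature are additional signals for spotting a stale or altered backup copy.
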

Design Notes:

The early launch anti-malware (AM) drivers are started soon after the NTOS kernel starts. For each

subsequent boot driver the AM driver receives a callback from the PnP manager to determine

whether the boot driver should be initialized. The AM driver evaluates the boot driver and must

return good, bad, or unknown. Based on the returned classification and defined policy, the PnP

manager decides whether to initialize the boot driver.

Exceptions: Not Specified

Business Justification:

As the early launch AM driver is in the boot path, this requirement ensures that if the driver is

corrupted, the boot experience is smooth and can automatically recover without user intervention.

Scenarios: Not Specified

Success Metric: Driver present in the driver backup store

Enforcement Date: Windows 8 RC

Comments:

NEW

Filter.Driver.EarlyLaunchAntiMalware.MVIMembership

Target Feature: Filter.Driver.EarlyLaunchAntiMalware

Title: Early Launch Anti-malware Drivers May Only Be Created by MVI Members

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

Any Early Launch Anti-malware driver may only be created by Microsoft Virus Initiative (MVI)

members.

Design Notes:

The early launch anti-malware (AM) drivers are started soon after the NTOS kernel starts. For each

subsequent boot driver the AM driver receives a callback from the PnP manager to determine

whether the boot driver should be initialized. The AM driver evaluates the boot driver and must

return good, bad, or unknown. Based on the returned classification and defined policy, the PnP

manager decides whether to initialize the boot driver.

Exceptions: Not Specified

Business Justification:

MVI membership indicates a commitment to providing high quality anti-malware software.

Scenarios: Not Specified

Success Metric: ISV is an MVI member.

Enforcement Date: Windows 8 RC

Comments:

NEW

Filter.Driver.EarlyLaunchAntiMalware.Performance

Target Feature: Filter.Driver.EarlyLaunchAntiMalware

Title: Early Launch Anti-malware Drivers Must Be Performant

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

Callback Latency:

The AM driver is required to return a result for each callback within 0.5 ms of receiving the callback.

Memory Allocation:

The AM driver, including both the driver image as well as its configuration (signature) data, is

required to have a limited memory footprint of 128KB or less.

Unload Blocking:

Each AM driver will receive a synchronous callback after the last boot driver has been initialized indicating that the AM driver will be unloaded. At this point the AM driver must clean up and save any persistent status information. This must occur within 0.5 ms as measured from the time when the kernel issues the callback to the driver to the time the AM driver returns the callback.

Design Notes:

The early launch anti-malware (AM) drivers are started soon after the NTOS kernel starts. For each

subsequent boot driver, the AM driver receives a callback from the PnP manager to determine

whether the boot driver should be initialized. The AM driver evaluates the boot driver and must

return good, bad, or unknown. Based on the returned classification and defined policy, the PnP

manager decides whether to initialize the boot driver.

Exceptions: Not Specified

Business Justification:

As the early launch AM driver is in the boot path, any evaluation it makes must be performant so as

to not add significant delay to the overall boot time. On a typical system there are at least 30 boot

drivers that must be evaluated so there is an additive effect each time the PnP manager calls back to

the AM driver. The machine is booted and before each boot driver is initialized it is evaluated to

ensure it is trustworthy. If the AM driver determines it is trustworthy, then the Kernel PnP manager

will initialize the boot driver, otherwise it will skip it.

Scenarios: Not Specified

Success Metric: Each callback is less than .5ms and the overall driver footprint + data is less than or

equal to 128KB.

Enforcement Date: Windows 8 RC

Comments:

NEW

Filter.Driver.EarlyLaunchAntiMalware.SignatureData

Target Feature: Filter.Driver.EarlyLaunchAntiMalware

Title: Early Launch Anti-malware Drivers Only Use Signature Data Stored in the Microsoft-specific

Location

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

The AM driver must get its malware signature data from a single, well-known location and no other.

The signature data shall be stored in the registry in a new ELAM hive under HKLM that is loaded by

Winload, and will therefore be available to the AM driver prior to the file system being initialized.

Each AM driver will have a unique key in which to store their signature blob. The registry path and

key shall be of the format HKLM\ELAM\<Vendor Name>\Measured : Binary = <blob>.

Design Notes:

The early launch anti-malware (AM) drivers are started soon after the NTOS kernel starts. For each

subsequent boot driver the AM driver receives a callback from the PnP manager to determine

whether the boot driver should be initialized. The AM driver evaluates the boot driver and must

return good, bad, or unknown. Based on the returned classification and defined policy, the PnP

manager decides whether to initialize the boot driver.

Exceptions: Not Specified

Business Justification:

This requirement ensures end user performance and stability.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: Windows 8 RC

Comments:

NEW

Filter.Driver.FileSystem

Description: Not Specified

Related Requirements:

Filter.Driver.FileSystem.Functionality

Filter.Driver.FileSystem.MiniFilter

Filter.Driver.FileSystem.NamedPipeAndMailSlots

Filter.Driver.FileSystem.RegistryAndProcess

Filter.Driver.FileSystem.Functionality

Target Feature: Filter.Driver.FileSystem

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of Windows File Systems, as well as interact accurately with the core components of the operating

system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 7 Client x86

Windows 7 Client x64

Windows Server 2008 Release 2 x64

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of

Windows File Systems, as well as interact accurately with the core components of the operating

system. Some areas of particular interest are:

Local File Systems

NT API, Win32 API and Win32 Mapped IO API usage

Object ID functionality

Reparse Points

Oplocks

System Cache usage

Transactional capability

Remote File Systems

Oplock semantics over SMB

Information about File System Behavior:

http://download.microsoft.com/download/4/3/8/43889780-8d45-4b2e-9d3a-c696a890309f/File%20System%20Behavior%20Overview.pdf

For information about Oplock semantics over SMB, see the [MS-SMB2] protocol document at:

http://msdn.microsoft.com/en-us/library/cc246482(PROT.13).aspx

Exceptions: Not Specified

Business Justification:

Ensures that Kernel Mode Filter Drivers are architected to maximize the reliability and functionality

of the Windows file system.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.FileSystem.MiniFilter

Target Feature: Filter.Driver.FileSystem

Title: A File System Filter Driver must be a Mini-Filter driver using the File Systems Filter Manager

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Description:

This requirement will be tested implicitly. The gatherer will be written such that it enumerates and

surfaces only mini-filter drivers for the Windows Hardware Certification Kit (WHCK). Hence, a user

will be unable to select a legacy filter driver for certification testing.

Information about Filter Manager and Mini-Filter Drivers is available here:

http://msdn.microsoft.com/en-us/library/ff540402(v=VS.85).aspx

Exceptions: Not Specified

Business Justification:

Drivers should leverage Filter Manager to provide the best end-user experience.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: Windows 8 RC

Comments:

Taken from FILTER-001

Filter.Driver.FileSystem.NamedPipeAndMailSlots

Target Feature: Filter.Driver.FileSystem

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of Named Pipe and Mail Slots, as well as interact accurately with the core components of the

operating system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of

Named Pipe and Mail Slots, as well as interact accurately with the core components of the operating

system. Some areas of particular interest are:

Named Pipe FS

Functionality and stress for common APIs

Anonymous pipes

Pipe modes

Open modes

Invalid pipe names

Flushing pipe

Max pipe instance

Pipe direction (in/out/duplex)

Input and output buffer sizes

Various call semantics, such as reconnecting a pipe that has been disconnected at

the server end.

Behavior validation of all named pipes operations for each distinct state of a pipe

instance.

Performance for named pipe creation and connection.

Throughput for different in/out buffer sizes and number of clients.

Scalability: time taken to connect to a named pipe instance as the number of clients increases.

Mail Slot FS

Functionality and stress for common APIs

Information about Named Pipe and Mail Slots can be found at:

http://msdn.microsoft.com/en-us/library/aa365574(v=VS.85).aspx

Exceptions: Not Specified

Business Justification:

Ensures Kernel Mode Filter drivers are architected to maximize the reliability and functionality of

Named Pipe and Mail Slots.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: Windows 8 RC

Comments:

New

Filter.Driver.FileSystem.RegistryAndProcess

Target Feature: Filter.Driver.FileSystem

Title: Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality

of Windows Registry and Processes, as well as interact accurately with the core components of the

operating system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 7 Client x64

Windows 7 Client x86

Windows Server 2008 Release 2 x64

Description:

Kernel Mode Filter Drivers must be architected to maximize the reliability and functionality of

Windows Registry and Processes, as well as interact accurately with the core components of the

operating system. Some areas of particular interest are:

Registry

NT API and Win32 API usage

Key Functions

Transaction Registry Operations

Symbolic Link behavior

Process

General Module Management

Race conditions at thread/process termination

Process management callback functionality

Thread and Process handle operations

Exceptions: Not Specified

Business Justification:

Ensures Kernel Mode Filter Drivers are architected to maximize the reliability and functionality of the

Windows Registry and Processes.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.Fundamentals

Description:

Corresponds to Device Driver Fundamentals, but for Filter Drivers.

Related Requirements:

Filter.Driver.Fundamentals.DriverQuality

Filter.Driver.Fundamentals.DriverQuality

Target Feature: Filter.Driver.Fundamentals

Title: A Filter Driver must be of high quality

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 8 Client ARM

Description:

Driver components must not cause the system to crash or leak resources. These resources include

but are not limited to the following:

Memory

Graphics Device Interface (GDI) or user objects

Kernel objects such as files, mutex, semaphore, and device handles

Critical sections

Disk space

Printer handles

Design Notes:

Device Path Exerciser Test: This consists of a set of tests, each of which concentrates on a different

entry point or I/O interface. These tests are designed to assess the robustness of a driver, not its

functionality.

This test will be run with Driver Verifier enabled with standard settings.

In addition Driver Verifier will be enabled on all applicable kit tests.

Exceptions: Not Specified

Business Justification:

System crashes, memory leaks, driver installation/uninstallation failures, poor power

management/usage, PNP errors as well as IO related errors contribute to a poor end user

experience. These tests help isolate some common driver problems.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: Windows 8 RC

Comments:

Taken from FILTER-001

Filter.Driver.Network.LWF

Description:

LAN requirements

Related Requirements:

Filter.Driver.Network.LWF.Base

Filter.Driver.Network.LWF.MTUSize

Filter.Driver.Network.LWF.Base

Target Feature: Filter.Driver.Network.LWF

Title: All light weight filters must be NDIS 6.30 or greater

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

All light weight filters must be NDIS 6.30 or greater and be compliant to the NDIS specification on

MSDN.

Exceptions: Not Specified

Business Justification:

To ensure networking devices function properly.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: Windows 8

Comments: Not Specified

Filter.Driver.Network.LWF.MTUSize

Target Feature: Filter.Driver.Network.LWF

Title: All light weight filters must be able to accept arbitrary packet sizes which might be greater

than the miniport’s MTU.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

All light weight filters must be NDIS 6.30 or greater. All light weight filters must be able to accept

arbitrary packet sizes which might be greater than the miniport’s MTU.

Exceptions: Not Specified

Business Justification:

To ensure networking devices function properly.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: Windows 8

Comments: Not Specified

Filter.Driver.Network.VMSwitchExtension

Description:

LAN requirements

Related Requirements:

Filter.Driver.Network.VMSwitchExtension.VMSwitchExtension

Filter.Driver.Network.VMSwitchExtension.VMSwitchExtension

Target Feature: Filter.Driver.Network.VMSwitchExtension

Title: Filter drivers that implement VM Switch Extensibility must support required functionalities,

modes, and protocols

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Windows 8 Client ARM

Description:

Ethernet devices that implement VM Switch Extensibility must support required functionalities,

modes, and protocols.

Requirements

An extension must pass NDIS Filter logo requirements

An extension must have a valid INF

An extension must make only NDIS, WDF, or WDM calls; any calls to other kernel

mode components are not allowed

An extension must support Hyper-V Live Migration

Do not break LM, Save/Restore, Export/Import

Do not block saved data from another extension

Do not block other extension interactions

An extension must co-exist with other Hyper-V Inbox features and functionality

An un-configured extension must not break connectivity between the host and external

network

A capture extension must not break connectivity between vSwitch ports

An extension must pass the following switch/port/NIC configuration OIDs down the stack of

an extension

OID_SWITCH_PARAMETERS

OID_SWITCH_PORT_ARRAY

OID_SWITCH_PORT_TEARDOWN

OID_SWITCH_PORT_DELETE

OID_SWITCH_NIC_ARRAY

OID_SWITCH_NIC_CONNECT

OID_SWITCH_NIC_DISCONNECT

OID_SWITCH_NIC_DELETE

OID_SWITCH_NIC_REQUEST

An extension must pass the following policy/status OIDs that it does not consume down the

stack

OID_SWITCH_PORT_PROPERTY_ADD

OID_SWITCH_PORT_PROPERTY_UPDATE

OID_SWITCH_PORT_PROPERTY_DELETE

OID_SWITCH_PROPERTY_ADD

OID_SWITCH_PROPERTY_UPDATE

OID_SWITCH_PROPERTY_DELETE

OID_SWITCH_PORT_FEATURE_STATUS_QUERY

OID_SWITCH_FEATURE_STATUS_QUERY

An extension must pass the following policy OIDs down the stack

OID_SWITCH_PORT_PROPERTY_ENUM

OID_SWITCH_PROPERTY_ENUM

An extension must pass the following up the stack

NDIS_SWITCH_NIC_STATUS_INDICATION

A capture extension must not call any of the following functions:

SetNetBufferListSource

AddNetBufferListDestination

GrowNetBufferListDestinations

UpdateNetBufferListDestinations

CopyNetBufferListInfo

ReportFilteredNetBufferLists

A filter extension must not call any of the following functions:

AddNetBufferListDestination

GrowNetBufferListDestinations

A "filter" extension must never add a new destination to a NET_BUFFER_LIST.

A "forwarding" extension must only add destinations on ingress.

New packets generated by extensions must always be sent on ingress.

Calls to the following API must specify a NIC that is in connected state

(OID_SWITCH_NIC_CONNECT issued, OID_SWITCH_NIC_DISCONNECT not yet issued).

SetNetBufferListSource

AddNetBufferListDestination

UpdateNetBufferListDestinations (when adding new destinations)

ReferenceSwitchNic

Calls to the following API must specify a Port that is in Created state

(OID_SWITCH_PORT_CREATE issued, OID_SWITCH_PORT_TEARDOWN not yet issued).

ReferenceSwitchPort

An extension must be capable of being enabled and disabled correctly

Exceptions: Not Specified

Business Justification:

To support virtualization scenarios.

Scenarios:

Virtualization

Success Metric: Not Specified

Enforcement Date: Windows 8 RC

Comments: Not Specified

Filter.Driver.Security

Description:

Additional filter driver requirements related to security

Related Requirements:

Filter.Driver.Security.TdiAndLsp

Filter.Driver.Security.TdiAndLsp

Target Feature: Filter.Driver.Security

Title: No TDI or LSP Filters are installed by the driver or associated software packages during

installation or usage

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Server x64

Description:

There can be no use of TDI or LSP Filters by either kernel mode software or drivers, or user mode

software or drivers.

Design Notes:

Transport Driver Interface (TDI) is a protocol understood by the upper edge of the Transport layer of

the Microsoft Windows kernel network stack commonly used to communicate with the various

network transport protocols. ISVs should not simply port their old code to WFP. Instead, they must

redesign their architecture to use the Windows Filtering Platform (WFP).

Layered Service Provider (LSP) is a feature of the Microsoft Windows Winsock 2 Service Provider

Interface (SPI) that inserts itself, in the form of a DLL, into the TCP/IP stack. ISVs should not

simply port their old code to WFP. Instead, they must redesign their architecture to use the

Windows Filtering Platform (WFP), specifically the ALE layer.

Exceptions: Not Specified

Business Justification:

Use of TDI and LSP filters increases attack surface, and will therefore no longer be supported for

future OS releases. 3rd party TDI and LSP filters are the number 1 cause of support cases regarding

network issues. TDI and LSPs are not supported on all platforms. TDI has been slated for deprecation

since Vista.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: Windows 8 RC

Comments:

Filter-0002

Filter.Driver.WindowsFilteringPlatform

Description: Not Specified

Related Requirements:

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.AppContainers.SupportModernApplications

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.CleanUninstall

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.ConnectionProxying.NoDeadlocks

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmFilters.MaintainOneTerminating

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.AssociateWithObjects

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.MaintainIdentifying

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmSublayers.UseOwnOrBuiltIn

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NetworkDiagnosticsFramework.HelperClass

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoAccessViolations

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoTamperingWith3rdPartyObjects

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.PacketInjection.NoDeadlocks

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.StreamInjection.NoStreamStarvation

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.SupportPowerManagedStates

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.WFPObjectACLs

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.Winsock

Filter.Driver.WindowsFilteringPlatform.Firewall.DisableWindowsFirewallProperly

Filter.Driver.WindowsFilteringPlatform.Firewall.NotOnlyPermitAllFilters

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportApplicationExceptions

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportMACAddressExceptions

Filter.Driver.WindowsFilteringPlatform.Firewall.UseWindowsFilteringPlatform

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportARP

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportDynamicAddressing

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv4

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv6

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportNameResolution

Filter.Driver.WindowsFilteringPlatform.Scenario.Support6to4

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportAutomaticUpdates

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportBasicWebsiteBrowsing

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportFileAndPrinterSharing

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportICMPErrorMessages

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportInternetStreaming

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMediaExtenderStreaming

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMobileBroadBand

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportPeerNameResolution

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteAssistance

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteDesktop

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportTeredo

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportVirtualPrivateNetworking

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.InteropWithOtherExtensions

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.NoEgressModification

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportLiveMigration

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportRemoval

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportReordering

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.AppContainers.SupportModernApplications

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must not block App Container apps operating within their declared

network intentions by default, and should only do so when following specific user/admin intention

or protecting the system against a specific threat

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 8 Client ARM

Description:

WFP-based products must not block App Container apps operating within their declared network

intentions by default, and should only do so when following specific user/admin intention or

protecting the system against a specific threat.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.CleanUninstall

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products stop cleanly and clean up all running state upon uninstall

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This is to ensure that host firewalls do not leave unused objects upon uninstall, thereby potentially

causing diagnostic issues if another separate host firewall is installed on the same PC.

The following WFP objects need to be cleaned up: Provider, providerContext, Filter, subLayer, or

callout

In addition, additional installation requirements for applications (via the Software logo program)

must be met.

Design Notes:

Applications can use either an MSI, or other installer that meets this requirement to ensure a

satisfactory install/uninstall experience on a Windows based PC.

The installation requirements for applications (in the Application Certification Program) are located

in the following link:

http://go.microsoft.com/fwlink/?LinkId=236930&clcid=0x409

Exceptions: Not Specified

Business Justification:

This requirement ensures a clean host firewall uninstallation experience for the home user.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.ConnectionProxying.NoDeadlocks

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products which redirect or proxy at redirect layers (connect redirect) must use

the new proxy API so that other WFP-based products can determine that the connection has been

proxied.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products which redirect or proxy at redirect layers (connect redirect) must use the new

proxy API so that other WFP-based products can determine that the connection has been proxied.

Exceptions: Not Specified

Business Justification:

This requirement ensures a connection proxy experience for the home user.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmFilters.MaintainOneTerminating

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must create and maintain at least 1 terminating FWPM_FILTER object.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

A terminating filter is one that returns a permit / block decision. It may exist as a static filter or

within a callout. The intent behind this requirement is to ensure premium host firewalls perform at

least one permit or block decision and not simply maintain filters only for inspection purposes,

whereas basic host firewalls may do so through WFP or through other means such as TDI, NDIS,

WinSock LSP filters.

Design Notes:

The definition for the FWPM_FILTER object can be found at the following URL:

http://go.microsoft.com/fwlink/?LinkID=116902&clcid=0x409

Exceptions: Not Specified

Business Justification:

The intent behind this requirement is to ensure premium host firewalls perform at least one permit

or block decision and not simply maintain filters only for inspection purposes, whereas basic host

firewalls may do so through WFP or through other means such as TDI, NDIS, WinSock LSP filters.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0263

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.AssociateWithObjects

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must associate all of their Provider Contexts, Filters, Sublayers, and

Callouts with their corresponding identifying provider object

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

For examples that illustrate the code behavior expected for various types of objects please see

below:

Reference the name & product of the company within an identifying provider object:

const PWSTR pCompanyName = L"Microsoft Corporation";
const PWSTR pProductName = L"Windows Firewall";
FWPM_PROVIDER0 myProvider = {0};
// displayData.name carries the company, displayData.description the product
myProvider.displayData.name = pCompanyName;
myProvider.displayData.description = pProductName;

Initialize the provider context object & associate it to your respective provider object:

FWPM_PROVIDER_CONTEXT0 myProviderContext = {0};
FWPM_PROVIDER0 myProvider = {0};
// providerKey is a GUID*, so it points at the key stored in the provider
myProviderContext.providerKey = &(myProvider.providerKey);

Initialize the subLayer object & associate it to your respective provider object:

FWPM_SUBLAYER0 mySubLayer = {0};
FWPM_PROVIDER0 myProvider = {0};
mySubLayer.providerKey = &(myProvider.providerKey);

Initialize the callout object & associate it to your respective provider object:

FWPM_CALLOUT0 myCallout = {0};
FWPM_PROVIDER0 myProvider = {0};
myCallout.providerKey = &(myProvider.providerKey);

Initialize the Filter object & associate it to your respective provider object:

FWPM_FILTER0 myFilter = {0};
FWPM_PROVIDER0 myProvider = {0};
myFilter.providerKey = &(myProvider.providerKey);

Exceptions: Not Specified

Business Justification:

This ensures better ability to diagnose host firewalls on a per vendor basis.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0265

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmProviders.MaintainIdentifying

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must create and maintain at least 1 identifying FWPM_PROVIDER

provider object

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

An identifying provider object must reference the name & product of the company as shown in the

example below.

FWPM_PROVIDER0

1. All vendors must create and maintain at least 1 provider.

2. The provider.displayData.Name must contain the name of the company

3. The provider.displayData.Description must contain the name of the product

All objects created & owned by the vendor must reference only their provider(s)

const PWSTR pCompanyName = L"Microsoft Corporation";
const PWSTR pProductName = L"Windows Firewall";
FWPM_PROVIDER0 myProvider = {0};
// displayData.name carries the company, displayData.description the product
myProvider.displayData.name = pCompanyName;
myProvider.displayData.description = pProductName;

Design Notes:

The definition of the FWPM_PROVIDER object can be found in the following URL:

http://go.microsoft.com/fwlink/?LinkID=116844&clcid=0x409

Exceptions: Not Specified

Business Justification:

This requirement ensures better ability to diagnose host firewalls on a per vendor basis.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0262

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.FwpmSublayers.UseOwnOrBuiltIn

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must use only their own sublayer or one of the built-in sublayers

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

A host firewall’s own sublayer may be used to ensure that its filters are not bypassed by a higher

weight filter from another host firewall. In addition, a host firewall must not override filters

belonging to another host firewall.

Design Notes:

The definition for the FWPM_SUBLAYER object can be found in the following URL:

http://go.microsoft.com/fwlink/?LinkID=116845&clcid=0x409

Exceptions: Not Specified

Business Justification:

A host firewall’s own sublayer may be used to ensure that its filters are not bypassed by a higher

weight filter from another host firewall. In addition, a host firewall must not override filters

belonging to another host firewall.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0264
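
The provider, filter and sublayer rules in the four requirements above can be checked mechanically against one vendor's object inventory. The following C code is an added example, not part of the Microsoft document; the Ex* types are simplified stand-ins for the FWPM_* structures (an assumption), and all keys and names are constructed sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for WFP management objects. Only the fields the
 * requirements mention are modeled; these are NOT the real FWPM_* types. */
typedef struct { unsigned char b[16]; } ExGuid;
typedef enum { EX_PROVIDER_CONTEXT, EX_SUBLAYER, EX_CALLOUT, EX_FILTER } ExKind;
typedef enum { EX_INSPECT_ONLY, EX_PERMIT, EX_BLOCK, EX_CALLOUT_TERMINATING } ExAction;

typedef struct {
    ExGuid key;                 /* providerKey */
    const wchar_t *name;        /* displayData.name: company name */
    const wchar_t *description; /* displayData.description: product name */
} ExProvider;

typedef struct {
    ExKind kind;
    ExGuid key;                 /* the object's own key */
    const ExGuid *providerKey;  /* NULL means "not associated" */
    ExGuid subLayerKey;         /* filters only */
    ExAction action;            /* filters only */
} ExObject;

enum {                          /* findings, OR-ed together */
    EX_NO_IDENTIFYING_PROVIDER = 1 << 0,
    EX_UNASSOCIATED_OBJECT     = 1 << 1,
    EX_NO_TERMINATING_FILTER   = 1 << 2,
    EX_FOREIGN_SUBLAYER        = 1 << 3
};

static int guid_eq(const ExGuid *a, const ExGuid *b)
{
    return memcmp(a->b, b->b, sizeof a->b) == 0;
}

/* A filter's sublayer is acceptable if the vendor owns it or it is built in. */
static int sublayer_allowed(const ExGuid *sl, const ExObject *objs, size_t n,
                            const ExGuid *builtin, size_t nbuiltin)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (objs[i].kind == EX_SUBLAYER && guid_eq(sl, &objs[i].key))
            return 1;
    for (i = 0; i < nbuiltin; i++)
        if (guid_eq(sl, &builtin[i]))
            return 1;
    return 0;
}

/* Audit one vendor's object inventory; returns 0 when every rule holds. */
unsigned ex_audit(const ExProvider *prov, const ExObject *objs, size_t n,
                  const ExGuid *builtin, size_t nbuiltin)
{
    unsigned findings = 0;
    int terminating = 0;
    size_t i;
    /* Identifying provider: company name and product name must both be set. */
    if (!prov->name || !prov->name[0] ||
        !prov->description || !prov->description[0])
        findings |= EX_NO_IDENTIFYING_PROVIDER;
    for (i = 0; i < n; i++) {
        const ExObject *o = &objs[i];
        /* Every context, sublayer, callout and filter references the provider. */
        if (!o->providerKey || !guid_eq(o->providerKey, &prov->key))
            findings |= EX_UNASSOCIATED_OBJECT;
        if (o->kind != EX_FILTER)
            continue;
        if (!sublayer_allowed(&o->subLayerKey, objs, n, builtin, nbuiltin))
            findings |= EX_FOREIGN_SUBLAYER;
        if (o->action != EX_INSPECT_ONLY)   /* permit/block decision */
            terminating = 1;
    }
    if (!terminating)
        findings |= EX_NO_TERMINATING_FILTER;
    return findings;
}

#define G(x) {{x}}              /* constructed one-byte sample key */

/* Constructed inventory: compliant as built, then broken on request. */
unsigned ex_demo(int broken)
{
    const ExGuid builtin[] = { G(0xB1) };
    ExProvider prov = { G(0x01), L"Example Corp", L"Example Firewall" };
    ExObject objs[] = {
        { EX_SUBLAYER, G(0x02), &prov.key, G(0x00), EX_INSPECT_ONLY },
        { EX_CALLOUT,  G(0x03), &prov.key, G(0x00), EX_INSPECT_ONLY },
        { EX_FILTER,   G(0x04), &prov.key, G(0x02), EX_BLOCK },
        { EX_FILTER,   G(0x05), &prov.key, G(0xB1), EX_INSPECT_ONLY },
    };
    if (broken) {
        prov.description = L"";             /* product name missing */
        objs[1].providerKey = NULL;         /* callout left unassociated */
        objs[2].subLayerKey.b[0] = 0x77;    /* someone else's sublayer */
        objs[2].action = EX_INSPECT_ONLY;   /* no terminating filter left */
    }
    return ex_audit(&prov, objs, sizeof objs / sizeof objs[0], builtin, 1);
}

int main(void) { printf("%u %u\n", ex_demo(0), ex_demo(1)); return 0; }
```

On a live system the inventory would come from enumerating the vendor's objects through the WFP management API rather than from the constructed array.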

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NetworkDiagnosticsFramework.HelperClass

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must include a Network Diagnostics Framework (NDF) helper class that

extends the Filtering Platform helper class (FPHC)

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

The Windows Filtering Platform (WFP) includes a Network Diagnostics Framework (NDF) helper

class, called the Filtering Platform helper class (FPHC). FPHC can help identify the root causes of

connectivity issues caused by WFP. A host firewall can invoke its own NDF helper class. FPHC

extensibility allows these third-party helper classes to be invoked during diagnostics.

FPHC can identify WFP as the cause of a connectivity issue. If available, FPHC can also identify the

provider that created the filter that is blocking network traffic. FPHC passes this information to NDF,

which in turn can then notify the user that WFP is causing the connectivity problem and give the

name of the provider blocking traffic.

However, the FPHC cannot suggest a corrective action to the user, nor can it provide the reason that

the filter is blocking traffic to the user. Only a FPHC extension can perform those tasks.

Host firewalls must be able to successfully diagnose the inbound/outbound connection failures

caused by the host firewall, and provide an appropriate response to the end-user based on the

diagnosis (e.g., a repair mechanism, a message explaining to the user the reason why the connection

failed, etc.).

Design Notes:

More information regarding NDF and FPHC can be found in the following links:

NDF : http://go.microsoft.com/fwlink/?LinkID=125463&clcid=0x409

FPHC : http://go.microsoft.com/fwlink/?LinkID=125464&clcid=0x409

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0288

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoAccessViolations

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must not be the resulting cause of any Access Violation under high load

or during driver load/unload

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products must not be the resulting cause of any Access Violation under high load or

during driver load/unload (while under network load or not).

Exceptions: Not Specified

Business Justification:

This requirement ensures that host firewalls do not cause unstable behavior and access violations on the PC.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0269

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.NoTamperingWith3rdPartyObjects

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must not attempt to remove or alter another WFP-based product’s

WFP objects and built-in objects

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This ensures interoperability between multiple host firewalls' WFP objects within the operating system.

Exceptions: Not Specified

Business Justification:

This ensures interoperability between multiple host firewalls' WFP objects within the operating system.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0261

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.PacketInjection.NoDeadlocks

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must not continually modify network packets that have already been

modified and re-injected, so as to create potential deadlocks

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Firewalls may use callouts to modify and re-inject network packets when filtering at any layer. One or many host firewalls may be present on the same system. In the case where only one host firewall is present on the system, continually modifying and re-injecting the same packets may result in reduced performance and is to be avoided. In the case where multiple host firewalls (with callouts) are present on the system, the same network packet(s) may continually be modified by multiple callouts. When a host firewall continually modifies and re-injects the same packet, it may result in the network packet never getting processed and could potentially create a deadlock, which is to be avoided.

Host firewalls must not modify and re-inject the same network packet more than 2 times per layer. If

such a situation occurs, host firewalls may choose to let the packet go through, or drop the network

packet.

Exceptions: Not Specified

Business Justification:

Host firewalls may use callouts to modify and re-inject network packets when filtering at any layer. One or many host firewalls may be present on the same system. In the case where only one host firewall is present on the system, continually modifying and re-injecting the same packets may result in reduced performance and is to be avoided. In the case where multiple host firewalls (with callouts) are present on the system, the same network packet(s) may continually be modified by multiple callouts.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0287
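
The re-injection limit above, as an added example that is not part of the original requirements document: a portable C model (not kernel code) of two products whose callouts keep rewriting each other's change to the same packet. The structures, the `mark` field and all function names are hypothetical; only the limit of 2 re-injections per layer comes from the requirement.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_REINJECTS_PER_LAYER 2   /* limit stated in the requirement */
#define NUM_LAYERS 2
#define NUM_FIREWALLS 2
#define SIM_PASS_LIMIT 1000         /* safety stop for the uncapped simulation */

enum verdict { V_PERMIT, V_REINJECT };

struct packet {
    int mark;                                   /* field both products rewrite */
    /* Each product's own bookkeeping. A real callout would keep this in its
     * own injection context; in this model it rides on the packet. */
    int reinjects[NUM_FIREWALLS][NUM_LAYERS];
};

struct firewall {
    int id;             /* index into packet.reinjects */
    int wanted_mark;    /* value this product rewrites the field to */
    bool enforce_cap;   /* false models a product that ignores the limit */
};

/* Model of one callout's classify decision for one packet at one layer. */
enum verdict classify(const struct firewall *fw, struct packet *p, int layer)
{
    if (p->mark == fw->wanted_mark)
        return V_PERMIT;                        /* nothing to modify */
    if (fw->enforce_cap &&
        p->reinjects[fw->id][layer] >= MAX_REINJECTS_PER_LAYER)
        return V_PERMIT;                        /* cap reached: let it through */
    p->mark = fw->wanted_mark;                  /* modify ... */
    p->reinjects[fw->id][layer]++;              /* ... count ... */
    return V_REINJECT;                          /* ... and re-inject */
}

/* A re-injected packet re-enters the layer and is classified by every callout
 * again. Returns the number of passes until no callout re-injects, or -1 if
 * the packet is still circulating after SIM_PASS_LIMIT passes. */
int run_layer(const struct firewall *fws, int nfw, struct packet *p, int layer)
{
    for (int pass = 1; pass <= SIM_PASS_LIMIT; pass++) {
        bool reinjected = false;
        for (int i = 0; i < nfw && !reinjected; i++)
            reinjected = classify(&fws[i], p, layer) == V_REINJECT;
        if (!reinjected)
            return pass;
    }
    return -1;
}

int main(void)
{
    struct firewall capped[]   = {{0, 1, true},  {1, 2, true}};
    struct firewall uncapped[] = {{0, 1, false}, {1, 2, false}};
    struct packet a = {0}, b = {0};

    printf("with cap:    %d passes\n", run_layer(capped, 2, &a, 0));
    printf("without cap: %d (packet never completes)\n",
           run_layer(uncapped, 2, &b, 0));
    return 0;
}
```

With both products honoring the limit, the packet leaves the layer after each has re-injected it twice; without the limit the two callouts undo each other's change indefinitely.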

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.StreamInjection.NoStreamStarvation

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based product callouts at FWPM_LAYER_STREAM must not starve the data throughput

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

"Not starve" means that stream layer callout indications should not be pended so as to queue up more than 8 MB of data.

Exceptions: Not Specified

Business Justification:

This requirement ensures that the host firewall drivers do not cause starvation of resources on the PC.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0267

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.SupportPowerManagedStates

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must ensure network connectivity upon recovering from power

managed states

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Tests must be run on a machine that supports all the power states (standby, hibernate, hybrid, shutdown, restart). Host firewalls allow the system to enter into and recover from the above-mentioned power managed states. Upon resuming from those power managed states, the requirements from WFP should be met.

Firewalls should never pend packets such that a power state change refuses to work due to the pended packets.

Exceptions: Not Specified

Business Justification:

This is to make sure that host firewalls do not break network connectivity on the PC upon resume from various power management states.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0268

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.WFPObjectACLs

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must ACL all of their objects in a way that any other WFP-based

product can at least enumerate those objects using the corresponding WFP enumeration APIs

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products must ACL all of their objects in a way that any other WFP-based product can at

least enumerate those objects using the corresponding WFP enumeration APIs.

This is to make sure that all WFP objects on the system can be enumerated by any Host firewall or

application for diagnostic purposes.

Design Notes:

As an example, Filter objects must be able to be enumerated by the FwpmFilterEnum function

documented in the following URL:

http://go.microsoft.com/fwlink/?LinkID=116839&clcid=0x409

Similarly, enumeration functions for other objects (provider, sublayer, etc.) can be found at the following URL: http://go.microsoft.com/fwlink/?LinkID=116840&clcid=0x409

Exceptions: Not Specified

Business Justification:

This is to make sure that all WFP objects on the system can be enumerated by any Host firewall or

application for diagnostic purposes.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0260

Filter.Driver.WindowsFilteringPlatform.ArchitecturalDesign.Winsock

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: Kernel Mode Filter Drivers are architected to maximize the reliability and functionality of

Windows Sockets, as well as interact accurately with the core components of the operating system

Applicable OS Versions:

Windows 8 Server x64

Windows 8 Client x64

Windows 8 Client x86

Windows 7 Client x64

Windows 7 Client x86

Windows Server 2008 Release 2 x64

Description:

Kernel Mode Filter Drivers are architected to maximize the reliability and functionality of Windows

Sockets, as well as interact accurately with the core components of the operating system. Some

areas of particular interest are:

Winsock

Winsock API functionality

Information about Winsock APIs can be found at:

http://msdn.microsoft.com/en-us/library/ms740673(VS.85).aspx

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Pass/Fail

Enforcement Date: 12/1/2010

Comments:

Taken from Filter-0003

Filter.Driver.WindowsFilteringPlatform.Firewall.DisableWindowsFirewallProperly

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: Host firewalls must disable Windows Firewall using only the supported method.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Host firewalls are provided the ability to selectively turn parts of Windows Firewall on or off. These

parts specify different types of rules (and subsequently filter sets), and may also be referred to as

categories. Filter sets that may be selectively turned off are Boot-Time Filters, Firewall Filters,

Connection Security Filters, and Stealth Filters.

The Register interface is supported by the HNetCfg.FwProducts COM object. The put_DisplayName()

call must be used to fill in your product information.

Before turning off the firewall rules category, vendor firewalls must ensure that all filters are installed.

This requirement ensures better interoperability with Windows. In addition, if all installed host

firewalls on the system are uninstalled for any reason, Windows Firewall is aware of this, and will

automatically turn on the firewall filters, ensuring that the system is always protected.

The Connection Security filters need to remain enabled to keep Windows scenarios protected. Specifically, the Connection Security filters ensure that the system supports communications which require authentication and encryption.

Design Notes:

This requirement ensures that firewall vendors disable Windows Firewall per documented

guidelines.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0271

Filter.Driver.WindowsFilteringPlatform.Firewall.NotOnlyPermitAllFilters

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: Host firewalls must not have only “permit_all” filters

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Host firewalls must not circumvent the intent of the Windows Filtering Platform API tests by simply maintaining only permit_all filters for all kinds of network traffic, which is essentially not meaningful filtering of network traffic. This applies to both static and callout filters. Similarly, host firewalls must not maintain only block_all filters. However, that will be addressed when testing for consumer scenarios.

Exceptions: Not Specified

Business Justification:

Host firewalls must not circumvent the intent of the Windows Filtering Platform API tests by simply maintaining only permit_all filters for all kinds of network traffic, which is essentially not meaningful filtering of network traffic. This applies to both static and callout filters.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0266

Filter.Driver.WindowsFilteringPlatform.Firewall.Support5TupleExceptions

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: All host-based firewalls must be able to Block/Allow by 5-Tuple Parts (including Port (ICMP Type and Code, UDP and TCP), IP Address, and Protocol (e.g. UDP/TCP/ICMP))

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

All host-based firewalls must be able to Block/Allow by 5-Tuple Parts (including Port (ICMP Type and Code, UDP and TCP), IP Address, and Protocol (e.g. UDP/TCP/ICMP)).

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments: Not Specified

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportApplicationExceptions

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support exceptions from corresponding applications

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

In addition to supporting scenarios based on applications within Windows it is important to support

applications (installed by the home user), that are registered with the host firewall for filtering

purposes. Firewalls may use parameters such as path, ports, etc., as basis to permit or block

application specific traffic. This scenario will need to work with native IPv4, native IPv6, 6to4 and

Teredo packets.

The word support refers to the host firewall's capability to ensure exceptions from applications work with the host firewall, if the application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc., to support the required functionality, even though the functionality may not be enabled by default in the UI.

Exceptions: Not Specified

Business Justification:

In addition to supporting scenarios based on applications within Windows it is important to support

applications (installed by the home user), that are registered with the host firewall for filtering

purposes. Firewalls may use parameters such as path, ports, etc., as basis to permit or block

application specific traffic. This scenario will need to work with native IPv4, native IPv6, 6to4 and

Teredo packets. Overall, this requirement reduces the probability of 3rd party application experiences breaking with Windows for a home user.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0253

Filter.Driver.WindowsFilteringPlatform.Firewall.SupportMACAddressExceptions

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: All host-based firewalls which have filters in L2 (Native/MAC) layers must be able to Block or Allow by MAC Address

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

All host-based firewalls which have filters in L2 (Native/MAC) layers must be able to Block or Allow by MAC Address.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments: Not Specified

Filter.Driver.WindowsFilteringPlatform.Firewall.UseWindowsFilteringPlatform

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: Firewalls must comply with Windows Filtering Platform based APIs for filtering network

traffic on home user solutions

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

There must be no TDI, NDIS, WinSock LSP filters present upon installation of the host firewall on the

PC. Only Windows Filtering Platform (WFP) based static filters / callouts must be used on home user

products.

Design Notes:

For more information on Windows Filtering Platform, please see the following link:

http://go.microsoft.com/fwlink/?LinkID=116899&clcid=0x409

Exceptions: Not Specified

Business Justification:

There must be no TDI, NDIS, WinSock LSP filters present upon installation of the host firewall on the

PC. Only Windows Filtering Platform (WFP) static filters or callouts must be used on home user

products.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0259

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportARP

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support allowing for successful ARP exchanges

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products must support ARP exchanges.

Firewalls allow for the system to send out ARP requests and replies, as well as receive ARP requests and replies.

The word support refers to the host firewall's capability to make ARP work, if the application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc., to support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:

Host firewalls should allow the PC to send out ARP requests on behalf of another node rather than only on behalf of itself, when ICS is running on the host.

As part of Internet Connection Sharing (ICS) DHCP functionality, ICS DHCP can send out ARP requests

on behalf of another node in the subnet.

Exceptions: Not Specified

Business Justification:

ARP is a fundamental protocol that allows only a specific machine within a subnet to receive packets.

This capability should not be broken by the host firewall.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0247

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportDynamicAddressing

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products support allowing for successful DHCP exchanges over both IPv4 and

IPv6

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x64

Windows 7 Client x86

Description:

Host Firewalls support allowing successful DHCP exchanges over both IPv4 and IPv6.

DHCP DISCOVER, DHCP REQUEST & DHCP INFORM packets can be transmitted over Outbound UDP

Source Port 68 to Destination Port 67. DHCP OFFER & DHCP ACK & DHCP NACK packets can be

received over Inbound UDP Source Port 67 to Destination Port 68. DHCPv6 packets can be

transmitted over Outbound UDP Source Port 546 to Destination Port 547. DHCPv6 packets can be

received over Inbound UDP Source Port 547 to Destination Port 546.

The word support refers to the host firewall's capability to allow successful DHCP exchanges, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc. to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

Details can be found in the following URL:

http://go.microsoft.com/fwlink/?LinkID=116834&clcid=0x409

Host firewalls should allow DHCP inbound and outbound as the server over the wireless interface

when a service like ICS is running on the host.

Internet Connection Sharing (ICS) acts as a DHCP server and expects to receive incoming DHCP

clients.

DHCP DISCOVER, DHCP REQUEST & DHCP INFORM packets can be received over Inbound UDP

Source Port 68 to Destination Port 67.

DHCP OFFER & DHCP ACK & DHCP NACK packets can be transmitted over Outbound UDP Source Port

67 to Destination Port 68.

Exceptions: Not Specified

Business Justification:

DHCP is a fundamental networking protocol; we want to make sure that the machine is always capable of being connected, and this experience should not be broken by the host firewall.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0245

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv4

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support IPv4 traffic

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x64

Windows 7 Client x86

Description:

This is to ensure that consumer host firewalls or other filtering components do not cause loss of

basic IPv4 connectivity on the PC.

The word support refers to the host firewall's capability to make IPv4 work, if the application/user/network needs it. The host firewall must also have properly configured objects such as filters, etc., to support the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:

More information about IPv4 RFCs can be found in the following link:

http://go.microsoft.com/fwlink/?LinkID=116835&clcid=0x409

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0243

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportIPv6

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support IPv6 traffic

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x64

Windows 7 Client x86

Description:

Windows has IPv6 enabled by default. Host firewalls should not break native IPv6 connectivity (and

therefore, Windows scenarios based on IPv6) for customers.

The word support refers to the host firewall's capability to make IPv6 work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

More information about IPv6 can be found in the following link:

http://go.microsoft.com/fwlink/?LinkID=116832&clcid=0x409

Exceptions: Not Specified

Business Justification:

Host firewalls should not break native IPv6 connectivity (and therefore, Windows scenarios based on

IPv6) for customers.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0244

Filter.Driver.WindowsFilteringPlatform.NetworkingFundamental.SupportNameResolution

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support allowing for successful DNS client queries

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x64

Windows 7 Client x86

Description:

A DNS QUERY packet can be sent out over [Outbound UDP Destination Port 53 (Domain Name Server)] and a DNS QUERY RESPONSE packet can be received over [Inbound UDP Source Port 53 (Domain Name Server)]. Host firewalls should allow successful DNS client queries over both IPv4 and IPv6.

The word support refers to the host firewall's capability to allow successful DNS client queries, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

More information about DNS RFCs can be found in the following link:

http://go.microsoft.com/fwlink/?LinkID=116835&clcid=0x409

Host firewalls should allow this type of DNS traffic (Host as a server) over the wireless interface

when a service like ICS is running on the host.

This requirement applies to Internet Connection Sharing, which acts as a DNS server (proxy) and expects to receive incoming DNS requests from clients on destination UDP port 53, and to respond to the DNS client with a DNS response with destination UDP port 53.

Exceptions: Not Specified

Business Justification:

DNS is a fundamental networking protocol that allows machines to have friendly names for

discoverability. This experience should not be broken by host firewalls.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0246

Filter.Driver.WindowsFilteringPlatform.Scenario.Support6to4

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support 6to4

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

In certain markets, 6to4 technologies may help certain customers move to IPv6 connectivity. The

following guidelines may help meet this requirement:

Host firewalls allow for the system to send and receive IPv6 packets over IPv4

protocol 41.

The word support refers to the host firewall's capability to make 6to4 work, if the application/user/network

needs it. The host firewall must also have properly configured objects such as filters, etc., to support

the required functionality, even though the functionality may not be enabled by default in the UI.

Design Notes:

Please refer to the following article for further information on 6to4:

http://go.microsoft.com/fwlink/?LinkID=116837&clcid=0x409

Exceptions: Not Specified

Business Justification:

Same justification as Teredo: 6to4 is another transition technology connectivity mechanism that ensures complete connectivity for major scenarios on the PC.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0249

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportAutomaticUpdates

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support Automatic Updates in Windows

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This is related to Automatic Updates / Windows Update (WU), which is a key scenario through which

important patches are installed on your PC to keep it up to date. The following guideline may help

meet this requirement:

Host firewalls allow outbound TCP connections to Destination Ports 80 & 443.

The word support refers to the host firewall's capability to make Automatic Updates work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

For more information on Windows Updates/ Automatic Updates, please see the following link:

http://go.microsoft.com/fwlink/?LinkID=116898&clcid=0x409

Exceptions: Not Specified

Business Justification:

This is related to Automatic Updates / Windows Update (WU), which is a key scenario through which

important patches are installed on your PC to keep it up to date.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0257

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportBasicWebsiteBrowsing

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support basic internet browsing experiences

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This is to ensure that basic internet browsing experiences are supported upon installation of a host

firewall on a Windows based computer.

Host firewalls must allow TCP packets over Ports 80 and 443 to support this scenario. This scenario

must work with native IPv4, native IPv6, 6to4 and Teredo packets.

The word support refers to the host firewall's capability to ensure a successful internet browsing

experience, if the application/user/network needs it. The host firewall must also have properly

configured objects such as filters, etc., to support the required functionality, even though the

functionality may not be enabled by default in the UI.

Exceptions: Not Specified

Business Justification:

This is to ensure that basic internet browsing experiences are supported upon installation of a host

firewall on a Windows based computer. Internet connectivity is among the top 10 support buckets of

issues for major OEMs.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0251
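
The port and protocol rules in the DHCP, DNS, 6to4, Automatic Updates and web browsing requirements above can be turned into a self-check of a rule set. The following is an added example, not part of the original requirements document or of any Microsoft tool: a simplified C model in which a rule list (highest weight first, unmatched traffic blocked) is tested against those required flows. The structures, the two sample policies and the ephemeral port 49152 are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model for illustration; these are not WFP structures. */
enum direction { OUTBOUND, INBOUND };
enum action { BLOCK, PERMIT };
enum { ANY = 0 };                         /* wildcard for protocol and port */
enum { P_TCP = 6, P_UDP = 17, P_IPV6_IN_IPV4 = 41 };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

struct flow {                             /* traffic the requirements say must pass */
    const char *name;
    enum direction dir;
    uint8_t proto;
    uint16_t sport, dport;
};

struct rule {                             /* one filter; arrays are ordered highest weight first */
    enum action act;
    enum direction dir;
    uint8_t proto;
    uint16_t sport, dport;
};

/* Flows taken from the requirements; 49152 is a constructed ephemeral port. */
static const struct flow REQUIRED[] = {
    {"DHCPv4 client request",      OUTBOUND, P_UDP, 68, 67},
    {"DHCPv4 server reply",        INBOUND,  P_UDP, 67, 68},
    {"DHCPv6 client request",      OUTBOUND, P_UDP, 546, 547},
    {"DHCPv6 server reply",        INBOUND,  P_UDP, 547, 546},
    {"DNS query",                  OUTBOUND, P_UDP, 49152, 53},
    {"DNS response",               INBOUND,  P_UDP, 53, 49152},
    {"6to4 send (protocol 41)",    OUTBOUND, P_IPV6_IN_IPV4, 0, 0},
    {"6to4 receive (protocol 41)", INBOUND,  P_IPV6_IN_IPV4, 0, 0},
    {"HTTP",                       OUTBOUND, P_TCP, 49152, 80},
    {"HTTPS",                      OUTBOUND, P_TCP, 49152, 443},
};

static bool matches(const struct rule *r, const struct flow *f)
{
    return r->dir == f->dir
        && (r->proto == ANY || r->proto == f->proto)
        && (r->sport == ANY || r->sport == f->sport)
        && (r->dport == ANY || r->dport == f->dport);
}

/* First matching rule decides; unmatched traffic is blocked (assumed default). */
enum action evaluate(const struct rule *rules, size_t n, const struct flow *f)
{
    for (size_t i = 0; i < n; i++)
        if (matches(&rules[i], f))
            return rules[i].act;
    return BLOCK;
}

/* Returns how many required flows the policy blocks; names go to out[0..cap). */
size_t missing_baseline(const struct rule *rules, size_t n,
                        const char **out, size_t cap)
{
    size_t missing = 0;
    for (size_t i = 0; i < COUNT(REQUIRED); i++) {
        if (evaluate(rules, n, &REQUIRED[i]) == PERMIT)
            continue;
        if (out && missing < cap)
            out[missing] = REQUIRED[i].name;
        missing++;
    }
    return missing;
}

/* Constructed policy: web and DNS only. The inbound UDP block outranks the
 * DNS-response permit below it, so the permit never takes effect. */
static const struct rule WEB_ONLY[] = {
    {PERMIT, OUTBOUND, P_TCP, ANY, 80},
    {PERMIT, OUTBOUND, P_TCP, ANY, 443},
    {PERMIT, OUTBOUND, P_UDP, ANY, 53},
    {BLOCK,  INBOUND,  P_UDP, ANY, ANY},
    {PERMIT, INBOUND,  P_UDP, 53, ANY},
};

/* Constructed policy: permits for every required flow sit above the block. */
static const struct rule BASELINE[] = {
    {PERMIT, OUTBOUND, P_UDP, 68, 67},    {PERMIT, INBOUND, P_UDP, 67, 68},
    {PERMIT, OUTBOUND, P_UDP, 546, 547},  {PERMIT, INBOUND, P_UDP, 547, 546},
    {PERMIT, OUTBOUND, P_UDP, ANY, 53},   {PERMIT, INBOUND, P_UDP, 53, ANY},
    {PERMIT, OUTBOUND, P_IPV6_IN_IPV4, ANY, ANY},
    {PERMIT, INBOUND,  P_IPV6_IN_IPV4, ANY, ANY},
    {PERMIT, OUTBOUND, P_TCP, ANY, 80},   {PERMIT, OUTBOUND, P_TCP, ANY, 443},
    {BLOCK,  INBOUND,  P_UDP, ANY, ANY},
};

int main(void)
{
    const char *names[COUNT(REQUIRED)];
    size_t n = missing_baseline(WEB_ONLY, COUNT(WEB_ONLY), names, COUNT(names));
    printf("web-only policy blocks %zu required flows:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    printf("baseline policy blocks %zu required flows\n",
           missing_baseline(BASELINE, COUNT(BASELINE), NULL, 0));
    return 0;
}
```

The web-only policy fails on DHCP, DHCPv6 and 6to4 because nothing permits them, and on the DNS response because a higher-weight block shadows its permit.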

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportFileAndPrinterSharing

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support file and printer sharing

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This is to ensure that home-users will be able to share content to and from other PCs inside of their

home network, in addition to printing content on shared printers.

Host firewalls must allow UDP packets specific to protocol 17 over Ports 137 / 138, and TCP packets

specific to protocol 6 over ports 139/445. This scenario must work with native IPv4, native IPv6, 6to4

and Teredo packets.

TCP packets should be allowed over ports 5357/5358 & UDP packets should be allowed over port

3702. This scenario should work with native IPv4, native IPv6, 6to4 and Teredo packets.

The word support refers to the host firewall's capability to make file and printer sharing work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

Please refer to the following link for more information:

http://go.microsoft.com/fwlink/?LinkID=116838&clcid=0x409

In Windows 7, HomeGroup enables users to easily share files and printers between computers. Please refer to the Application Compatibility (http://technet.microsoft.com/en-us/appcompat/default.aspx) site for more information about the following:

HomeGroup Firewall Requirements

Network Location Dialog

PNRP

Exceptions: Not Specified

Business Justification:

This is to ensure that home-users may be able to share content to and from other PCs inside of their

home network, in addition to printing content on shared printers.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0252

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportICMPErrorMessages

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support ICMP error messages and discovery functions

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This is to ensure that host firewalls support ICMP error messages (per IETF RFCs 4890 and RFC 2979),

for inbound/outbound packets that must not be dropped. Important discovery functions must also

be supported. The specific error messages that need to be supported for both ICMPv4 and ICMPv6

are: Destination Unreachable, Time Exceeded and Parameter Problem. In addition, for ICMPv6,

Packet Too Big, Router Solicitation, Neighbor Solicitation, Router Advertisement, and Neighbor

Advertisement discovery functions must be supported.

The word support refers to the host firewall's capability to make ICMP work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

For more information please see http://go.microsoft.com/fwlink/?LinkID=116835&clcid=0x409

Exceptions: Not Specified

Business Justification:

This is to ensure that host firewalls support ICMP error messages (per IETF RFCs 4890 and RFC 2979),

as a core networking fundamental.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0250

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportInternetStreaming

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support Internet streaming and Media sharing for media player

network sharing services

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

This requirement ensures that a home user can use a media player for media streaming or media

sharing purposes. The following guidelines may help meet this requirement:

Host firewalls allow inbound/outbound packets as follows: SSDP packets over UDP port 1900, SSDP

packets over TCP port 2869, HTTP packets over TCP ports 10243/10245, and TCP / UDP packets for

qWAVE (bandwidth estimation) over port 2177.

The word support refers to the host firewall's capability to make Automatic Updates work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

For more information on Windows Updates/ Automatic Updates, please see the following link:

http://go.microsoft.com/fwlink/?LinkID=116898&clcid=0x409

Exceptions: Not Specified

Business Justification:

This is related to Automatic Updates / Windows Update (WU), which is a key scenario through which

important patches are installed on your PC to keep it up to date.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0256

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMediaExtenderStreaming

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support media streaming scenarios based on extender

technologies

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Extender technology is built into home entertainment devices such as TVs, DVD players, and cool,

quiet components that allow you to keep your PC where it makes sense and use it as a "hub" to

provide your digital entertainment to TVs throughout your house. These devices are called extender

devices.

For example: With the new Extenders for Windows Media Center, you can stream the digital media

you have on your Windows Media Center PC in as many as five rooms in your house. Home-users

may access the live and recorded TV, music, movies, videos, sports, Internet TV and other online

content on Windows PCs through wired or wireless home networks. Windows Media Center

Extenders use network ports to communicate with Windows PCs. The exceptions listed in the table

below may be useful in meeting this requirement:

Media Center Extender SPECIFIC

| Binary | Port | Direction | Scope |
|---|---|---|---|
| svchost.exe (ssdpsrv) | UDP 1900 | Inbound | Local Subnet |
| svchost.exe (termservice) | TCP 3390 | Inbound | Local Subnet |
| svchost.exe (QWave) | TCP 2177 | Outbound, Inbound | Local Subnet |
| svchost.exe (QWave) | UDP 2177 | Outbound, Inbound | Local Subnet |
| System | TCP 10244 | Outbound, Inbound | Local Subnet |
| ehshell.exe | TCP 554 | Outbound, Inbound | Local Subnet |
| ehshell.exe | UDP 5004, 5005 | Outbound, Inbound | Local Subnet |
| ehshell.exe | TCP 8554-8558 | Outbound, Inbound | Local Subnet |
| ehshell.exe | UDP 50004-50013 | Outbound, Inbound | Local Subnet |
| ehshell.exe | UDP 7777-7781 | Outbound, Inbound | Local Subnet |
| mcrmgr.exe | random | Outbound | Internet |
| mc2prov.exe | random | Outbound | Internet |
| Svchost.exe (mcs2svc) | random | Outbound | Local Subnet |

Media Center Binaries/Ports

| Binary | Port | Direction | Scope |
|---|---|---|---|
| ehrecvr.exe | random | Outbound | Internet |
| ehrec.exe | random | Outbound | Internet |
| ehexthost.exe | random | Outbound, Inbound | Internet |
| mcupdate.exe | random | Outbound | Internet |

Digital Cable Receiver Device (OCUR)

| Binary | Port | Direction | Scope |
|---|---|---|---|
| ehprivjob.exe | UDP 5001-5006 | Inbound | Local Subnet |
| svchost.exe | UDP 1900 | Outbound, Inbound | Local Subnet |
| System | TCP 2869 | Outbound, Inbound | Local Subnet |
| ehprivjob.exe | TCP 554 | Outbound | Local Subnet |
| ehprivjob.exe | UDP 5757-5772 | Outbound | Local Subnet |

The word support refers to the host firewall's capability to make internet streaming & media sharing

for media player network sharing services work, if the application/user/network needs it. The host

firewall must also have properly configured objects such as filters, etc., to support the required

functionality, even though the functionality may not be enabled by default in the UI.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0285

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportMobileBroadBand

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must allow mobile broadband devices that are compliant with

Windows mobile broadband driver model to function correctly

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products must allow mobile broadband devices that are compliant with Windows mobile

broadband driver model to function correctly.

This is to ensure that host firewall functionality does not block the mobile broadband connectivity

and the firewall functionality works with MB devices.

Windows provides native support for mobile broadband (MB) data cards & embedded modules to

work with Windows. The MB devices need to implement their driver as per Windows mobile

broadband driver model. The MB driver model defines how the devices should be exposed to

Windows and network packet format in which MB devices should exchange data between network

and system.

Design Notes:

The following links provide more information about the Windows 7 mobile broadband driver model:

http://go.microsoft.com/fwlink/?LinkId=236932&clcid=0x409

http://go.microsoft.com/fwlink/?LinkId=236933&clcid=0x409

http://go.microsoft.com/fwlink/?LinkId=236934&clcid=0x409

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2010

Comments:

NETWORK-0295

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportPeerNameResolution

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support Peer Name Resolution Protocol and the Peer-to-Peer

Grouping Protocol

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Host firewalls support the Peer Name Resolution Protocol (PNRP) and the Peer-to-Peer Grouping

Protocol, which are required by some Peer-to-Peer applications. The Peer Name Resolution Protocol

provides secure, serverless name resolution, and the Peer-to-Peer Grouping Protocol provides

secure, reliable multi-party communication. The following guidelines may be useful in meeting this

requirement:

1. Host firewalls support native IPv6 (NETWORK-0244) as well as Teredo (NETWORK-0248) and

IPv6 packets to IPv4 protocol 41 (6to4) (NETWORK-0249).

2. Host firewalls can allow for the system to send outbound, and receive inbound, UDP packets

over port 3540.

3. Host firewalls can allow for the system to send outbound, and receive inbound, TCP packets

over port 3587.

The word support refers to the host firewall's capability to allow successful DHCP exchanges, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

In Windows 7, HomeGroup enables users to easily share content and stream media between

computers. P2P and PNRP are key components of HomeGroup.

Please refer to the Application Compatibility

(http://technet.microsoft.com/en-us/appcompat/default.aspx) site for more information about the following:

HomeGroup Firewall Requirements

Network Location Dialog

PNRP

Exceptions: Not Specified

Business Justification:

Host firewalls support the Peer Name Resolution Protocol (PNRP) and the Peer-to-Peer Grouping

Protocol, which are required by some Peer-to-Peer applications. The Peer Name Resolution Protocol

provides secure, serverless name resolution, and the Peer-to-Peer Grouping Protocol provides

secure, reliable multi-party communication.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0284

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteAssistance

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support Remote Assistance scenarios

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

The Remote Assistance scenario is used for a helper to connect to a computer and to show the user

a solution to the problem. The following guidelines may help meet this requirement:

Host firewalls allow the computer to be reached by native IPv4, native IPv6, Teredo, and 6to4 (pass

the corresponding tests) and also allow traffic from the Remote Assistance application within

Windows (msra.exe) through the firewall.

The word support refers to the host firewall's capability to make Remote Assistance work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

For information on how Remote Assistance works in general please see the article below:

http://go.microsoft.com/fwlink/?LinkID=116842&clcid=0x409

Exceptions: Not Specified

Business Justification:

The Remote Assistance scenario is used for a helper to connect to a computer and to show the user

a solution to the problem.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0255

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportRemoteDesktop

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support Remote desktop

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Remote Desktop Connection is a technology that allows you to connect to a remote computer in a

different location. Remote desktop is a key Windows scenario that would be relevant for consumers

with multiple PCs at home trying to access content that exists on one PC, from another PC.

The following guideline may help meet this requirement:

Host firewalls allow inbound TCP packets over Destination Port 3389 to support this scenario. This

scenario will need to work with native IPv4, native IPv6, 6to4 and Teredo packets.

The word support refers to the host firewall's capability to make remote desktop work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

For more information on remote desktop please see the article below:

http://go.microsoft.com/fwlink/?LinkID=116841&clcid=0x409

Exceptions: Not Specified

Business Justification:

Remote Desktop Connection is a technology that allows you to connect to a remote computer in a

different location. Remote desktop is a key Windows scenario that would be relevant for consumers

with multiple PCs at home trying to access content that exists on one PC, from another PC.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0254

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportTeredo

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support Teredo

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

Teredo may be used as a connectivity mechanism to support certain Windows scenarios such as

remote assistance, instant messaging and others. Hence preserving Teredo connectivity is critical to

supporting Windows consumer scenarios.

For this requirement, the following must be met:

1. Host firewalls allow DNS resolution of teredo.ipv6.microsoft.com.

2. To allow client to Teredo server communication, host firewalls must allow for the system to

send outbound UDP/IPv4 packets to UDP port 3544.

3. To allow Teredo connectivity, host firewalls must allow inbound and outbound UDP/IPv4

traffic over the Teredo client system ports. These ports can be obtained using the

FWPMSystemPortsGet notification to determine the system port numbers used for

communication using the Teredo interface.

4. Host firewalls support ICMP error messages & discovery functions (NETWORK-0250 logo

requirement)

5. Host firewalls allow UPnP framework packets over UDP port 1900, and UPnP

framework packets over TCP port 2869

The word support refers to the host firewall's capability to make Teredo work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.

Design Notes:

Please refer to the following article for further information on Teredo:

http://go.microsoft.com/fwlink/?LinkID=116836&clcid=0x409

Exceptions: Not Specified

Business Justification:

As an IPv6 transition technology over IPv4 networks, Teredo may be used as a connectivity

mechanism in certain Windows consumer scenarios, including Remote Assistance, Live Messenger,

and others. Host firewalls must properly support Teredo so as to allow connectivity for these

scenarios.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0248

Filter.Driver.WindowsFilteringPlatform.Scenario.SupportVirtualPrivateNetworking

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products must support VPN scenarios in Windows

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

The following protocols and ports must be allowed:

IP protocol 50: Allow ESP traffic

IP protocol 51: Allow AH traffic

UDP Port 500 / 4500: Allow ISAKMP traffic

TCP / UDP Port 88: Allow Kerberos traffic

This ensures that firewalls support IPsec scenarios, such as IPsec VPN, which are used on client PCs

to connect securely over the internet.

In addition, host firewalls should allow successful IPsec communication over both IPv4 and IPv6.

Host firewalls should also allow UDP packets over port 1701, and TCP packets over port 443 to

support this scenario. It is also recommended that host firewalls allow TCP packets over port

1723. IP protocol 47 based packets should also be allowed by the host firewall.

The word support refers to the host firewall's capability to make the VPN scenarios work, if the

application/user/network needs it. The host firewall must also have properly configured objects such

as filters, etc., to support the required functionality, even though the functionality may not be

enabled by default in the UI.
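The VPN list above and the ICMP message list in the ICMP requirement can be checked mechanically against a rule set. The following is an added example, not part of the certification document or any Microsoft tool: the `Rule` model (first match wins, default block, no direction) is a hypothetical simplification rather than WFP filter arbitration, the sample policy is constructed, and the ICMP type numbers are the IANA values for the message names the text gives.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, int, Optional[int]]  # (level, IP protocol, port or ICMP type)

# Flows transcribed from the VPN requirement; None = protocol-only traffic.
VPN_FLOWS: List[Flow] = [
    ("must", 50, None),                       # ESP
    ("must", 51, None),                       # AH
    ("must", 17, 500), ("must", 17, 4500),    # ISAKMP
    ("must", 6, 88), ("must", 17, 88),        # Kerberos
    ("should", 17, 1701), ("should", 6, 443), ("should", 47, None),
    ("recommended", 6, 1723),
]
# ICMP requirement: v4 Destination Unreachable / Time Exceeded / Parameter
# Problem, plus the v6 error and neighbor-discovery messages (assumed IANA types).
ICMP_FLOWS: List[Flow] = (
    [("must", 1, t) for t in (3, 11, 12)]
    + [("must", 58, t) for t in (1, 2, 3, 4, 133, 134, 135, 136)]
)

@dataclass(frozen=True)
class Rule:
    """Hypothetical rule: proto None = any protocol, lo None = any selector."""
    action: str                 # "allow" or "block"
    proto: Optional[int] = None
    lo: Optional[int] = None
    hi: Optional[int] = None

    def matches(self, proto: int, selector: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.lo is None:
            return True
        hi = self.lo if self.hi is None else self.hi
        # A port- or type-scoped rule never matches protocol-only traffic.
        return selector is not None and self.lo <= selector <= hi

def verdict(policy: List[Rule], proto: int, selector: Optional[int]) -> str:
    """First matching rule decides; unmatched traffic is blocked."""
    for rule in policy:
        if rule.matches(proto, selector):
            return rule.action
    return "block"

def audit(policy: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Return every required flow that the policy would drop."""
    return [f for f in flows if verdict(policy, f[1], f[2]) != "allow"]

# Constructed sample: a port-centric policy with three typical gaps.
SAMPLE_POLICY = [
    Rule("block", 17, 1024, 65535),  # blanket high-port UDP block, evaluated first
    Rule("allow", 17, 500),
    Rule("allow", 17, 4500),         # shadowed by the block above
    Rule("allow", 6, 88), Rule("allow", 17, 88),
    Rule("allow", 6, 443),
    Rule("allow", 50),               # ESP allowed, AH (51) and GRE (47) forgotten
    Rule("allow", 1),                # all ICMPv4
    Rule("allow", 58, 1, 4),         # ICMPv6 errors only, discovery types dropped
]
# The same policy with the missing allows placed ahead of the blanket block.
FIXED_POLICY = [
    Rule("allow", 17, 4500), Rule("allow", 17, 1701), Rule("allow", 51),
    Rule("allow", 47), Rule("allow", 6, 1723), Rule("allow", 58, 133, 136),
] + SAMPLE_POLICY

if __name__ == "__main__":
    for level, proto, sel in audit(SAMPLE_POLICY, VPN_FLOWS + ICMP_FLOWS):
        print(f"{level:12} protocol {proto:3} selector {sel}")
```

Gaps at the "must" level are certification failures; "should" and "recommended" gaps are worth reporting separately because the text words them more weakly.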

Design Notes:

Please refer to the following article for further information:

http://go.microsoft.com/fwlink/?LinkID=116843&clcid=0x409

Exceptions: Not Specified

Business Justification:

This ensures that firewalls support IPsec scenarios, such as IPsec VPN, which are used on client PCs

to connect securely over the internet.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0258

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.InteropWithOtherExtensions

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP must not block traffic from another vSwitch extension (WFP or LWF) by default, and

should only do so when following specific user/admin intention or protecting the system against a

specific threat.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP must not block traffic from another vmSwitch extension (WFP or LWF) by default, and should

only do so when following specific user/admin intention or protecting the system against a specific

threat.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.NoEgressModification

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products that operate in the vmSwitch must not modify packets on the Egress

path of the vmSwitch.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products that operate in the vmSwitch must not modify packets on the Egress path of

the vmSwitch.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportLiveMigration

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products that operate in the vSwitch must present a minimal MOF for Live

Migration.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products that operate in the vmSwitch must present a minimal MOF for Live Migration.

In the MOF it must declare itself Logo compliant for Live Migration and allow itself to be migrated or

not block migration by default. The total time for migrations for Live Migration cannot be longer

than 2 seconds.

Exceptions: Not Specified

Business Justification:

To ensure vmSwitch functions properly with WFP.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportRemoval

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products that operate in the vmSwitch must be allowed to be removed

when the admin disabled WFP for the vmSwitch instance.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products that operate in the vSwitch must be allowed to be removed when the admin

disabled WFP for the vmSwitch instance.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270

Filter.Driver.WindowsFilteringPlatform.Scenario.vSwitch.SupportReordering

Target Feature: Filter.Driver.WindowsFilteringPlatform

Title: WFP-based products that operate in the vSwitch must respond to WFP vmSwitch reorder

events.

Applicable OS Versions:

Windows 8 Client x86

Windows 8 Client x64

Windows 7 Client x86

Windows 7 Client x64

Description:

WFP-based products that operate in the vmSwitch must respond to WFP vmSwitch reorder events.

Exceptions: Not Specified

Business Justification:

To function properly with Windows Filtering Platform.

Scenarios: Not Specified

Success Metric: Not Specified

Enforcement Date: 06/01/2009

Comments:

NETWORK-0270