Windows 10

Blocking intruders with Windows Firewall

Typically, the first line of defense in securing your computer is to protect it from attacks by outsiders. Once your computer is connected to the Internet, it becomes just another node on a huge global network. A firewall provides a barrier between your computer and the network to which it's connected by preventing the entry of unwanted traffic while allowing transparent passage to authorized connections.

Using a firewall is simple, essential, and often overlooked. You'll want to be sure that all network connections are protected by a firewall. You might be comforted by the knowledge that your portable computer is protected by a corporate firewall when you're at work and that you use a firewalled broadband connection at home. But what about the public hotspots you use when you travel?

And it makes sense to run a firewall on your computer even when you're behind a residential router or corporate firewall. Other people on your network might not be as vigilant as you are about defending against viruses, so if someone brings in a portable computer infected with a worm and connects it to the network, you're toast, unless your network connection has its own firewall protection.

Windows includes a two-way, stateful-inspection, packet-filtering firewall called, cleverly enough, Windows Firewall. Windows Firewall is enabled by default for all connections, and it begins protecting your computer as it boots. The following actions take place by default:

  • The firewall blocks all inbound traffic, with the exception of traffic sent in response to a request sent by your computer and unsolicited traffic that has been explicitly allowed by creating a rule.
  • All outgoing traffic is allowed unless it matches a configured rule.

You notice nothing if a packet is dropped, but you can (at your option) create a log of all such events.
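The dropped-packet log mentioned above is off by default. The following added example (not from the book) turns it on for all three profiles and parses the W3C-style log file Windows Firewall writes so inbound drops can be summarised per source address; the log path is the built-in default, the sample log lines are constructed, and the NetSecurity cmdlets need an elevated session on Windows.

```powershell
# Added example, not from the book: enable the dropped-packet log for all
# three profiles, then parse the W3C-style log Windows Firewall writes so
# inbound drops can be summarised per source. Parsing works on any host.

function Enable-DroppedPacketLogging {
    # Default log location; LogBlocked is the "Log dropped packets" option.
    param([string]$LogFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogBlocked True -LogAllowed False `
        -LogFileName $LogFile -LogMaxSizeKilobytes 16384
}

function Get-FirewallDrops {
    # The '#Fields:' header names the columns, so their order comes from the file.
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $fields = $null; $drops = @() }
    process {
        foreach ($line in $Lines) {
            if ($line -like '#Fields:*') {
                $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
                continue
            }
            if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
            $values = $line -split '\s+'
            $row = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            # Keep unsolicited inbound drops only; SEND entries are our own traffic.
            if ($row['action'] -eq 'DROP' -and $row['path'] -eq 'RECEIVE') {
                $drops += [pscustomobject]$row
            }
        }
    }
    end { $drops }
}

# Constructed sample log (not real traffic) so the parser can be exercised
# offline; for the live file use: Get-Content $LogFile | Get-FirewallDrops
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2016-01-15 10:03:21 DROP TCP 203.0.113.7 192.168.1.20 51234 445 52 S 1192748391 0 8192 - - - RECEIVE
2016-01-15 10:03:22 DROP TCP 203.0.113.7 192.168.1.20 51235 3389 52 S 1192748392 0 8192 - - - RECEIVE
2016-01-15 10:03:25 ALLOW TCP 192.168.1.20 93.184.216.34 49200 443 0 - 0 0 0 - - - SEND
2016-01-15 10:03:30 DROP UDP 192.168.1.55 192.168.1.20 137 137 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

# Repeated hits on 445 and 3389 from a single address stand out immediately.
$sample | Get-FirewallDrops | Group-Object 'src-ip' |
    Select-Object Name, Count,
        @{ n = 'Ports'; e = { ($_.Group.'dst-port' | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```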

Using Windows Firewall with different network types

Windows Firewall maintains a separate profile (that is, a complete collection of settings, including rules for various programs, services, and ports) for each of three network types:

  • Domain:
    Used when your computer is joined to an Active Directory domain. In this environment, firewall settings are typically (but not necessarily) controlled by a network administrator.
  • Private:
    Used when your computer is connected to a home or work network in a workgroup configuration.
  • Guest or public:
    Used when your computer is connected to a network in a public location, such as an airport or a library. It's common (indeed, recommended) to have fewer allowed programs and more restrictions when you use a public network.

If you're simultaneously connected to more than one network (for example, if you have a Wi-Fi connection to your home network while you're connected to your work domain through a virtual private network, or VPN, connection), Windows uses the appropriate profile for each connection with a feature called multiple active firewall profiles (MAFP).

You make settings in Windows Firewall independently for each network profile. The settings in a profile apply to all networks of the particular type to which you connect. (For example, if you allow a program through the firewall while connected to a public network, that program rule is then enabled whenever you connect to any other public network. It is not enabled when you're connected to a domain or private network unless you allow the program in those profiles.)

Managing Windows Firewall

Windows Firewall is a Control Panel application that provides a simple interface for monitoring firewall status and performing routine tasks, such as allowing a program through the firewall or blocking all incoming connections. To open Windows Firewall, type firewall in the search box or in Control Panel, and then click Windows Firewall.

Enabling or disabling Windows Firewall

The main Windows Firewall application is little more than a status window and launch pad for making various firewall settings. The first setting of interest is whether Windows Firewall is enabled or disabled. To change it, click Turn Windows Firewall On Or Off to open Customize Settings. From here you can enable (turn on) or disable (turn off) Windows Firewall for each network type. In general, the only reason to turn off Windows Firewall is if you have installed a third-party firewall that you plan to use instead of Windows Firewall. Most of those, however, perform this task as part of their installation.

As you'll discover throughout Windows Firewall, domain network settings are available only on computers that are joined to a domain. You can make settings for all network types, even those to which you're not currently connected. Settings for the domain profile, however, are often locked down by the network administrator using Group Policy.

The Block All Incoming Connections check box in Customize Settings provides additional safety. When it's selected, Windows Firewall rejects all unsolicited incoming traffic, even traffic from allowed programs or traffic that would ordinarily be permitted by a rule. Invoke this mode when extra security against outside attack is needed. For example, you might block all connections when you're using a public wireless hotspot or when you know that your computer is actively under attack by others.

Note:
Selecting Block All Incoming Connections does not disconnect your computer from the Internet. Even in this mode, you can still use your browser to connect to the Internet. Similarly, other outbound connections, whether they're legitimate services or some sort of spyware, continue unabated. If you really want to sever your ties to the outside world, open Network And Sharing Center and disable each network connection. (Alternatively, use brute force: physically disconnect wired network connections and turn off wireless adapters or access points.)
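The check box maps to the AllowInboundRules setting of a profile. This added example (not from the book) toggles it from PowerShell for the Public profile and shows the state that results: inbound allow rules remain enabled but stop applying, and the outbound default action is untouched, which is exactly why browsing still works in this mode. It assumes an elevated session on Windows with the built-in NetSecurity cmdlets.

```powershell
# Added example, not from the book: scripted equivalent of the Block All
# Incoming Connections check box, with a summary of the resulting state.
#Requires -RunAsAdministrator

function Set-BlockAllIncoming {
    param(
        [ValidateSet('Domain', 'Private', 'Public')][string]$Profile = 'Public',
        [bool]$On = $true
    )
    # AllowInboundRules False: every inbound allow rule is ignored and all
    # unsolicited inbound traffic is dropped. The outbound default action is
    # not touched, so browsing (and any spyware) keeps working, as the Note says.
    $allowRules = if ($On) { 'False' } else { 'True' }
    Set-NetFirewallProfile -Profile $Profile -AllowInboundRules $allowRules

    # Inbound allow rules that cover this profile still report Enabled = True;
    # the profile setting overrides them rather than disabling them.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -eq 'Any' -or "$($_.Profile)" -match $Profile }

    Get-NetFirewallProfile -Profile $Profile |
        Select-Object Name, Enabled, AllowInboundRules,
            DefaultInboundAction, DefaultOutboundAction,
            @{ n = 'EnabledInboundAllowRules'; e = { @($rules).Count } }
}

Set-BlockAllIncoming -Profile Public -On $true    # arriving at the hotspot
Set-BlockAllIncoming -Profile Public -On $false   # back on a trusted network
```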

Allowing connections through the firewall

In some situations, you want to allow other computers to initiate a connection to your computer. For example, you might use Remote Desktop, play multiplayer games, or chat via an instant messaging program; these types of programs typically require inbound connections so that others can contact you.

The simplest way to enable a connection is to click Allow An App Or Feature Through Windows Firewall, a link in the left pane of the main Windows Firewall window. The list of programs and features that initially appears in Allowed Apps depends on which programs and services are installed on your computer; you can add others, as described in the following sections. In addition, program rules are created (but not enabled) when a program tries to set up an incoming connection. To allow connections for a program or service that's already been defined, simply select its check box for each network type on which you want to allow the program. (You'll need to click Change Settings before you can make changes.)

In each of these cases, you enable a rule in Windows Firewall that pokes a small hole in the firewall and allows a certain type of traffic to pass through it. Each rule of this type increases your security risk to some degree, so you should clear the check box for all programs you don't need. If you're confident you won't ever need a particular program, you can select it and then click Remove. (Many of the list items included with Windows don't allow deletion, but as long as their check boxes are not selected, these apps present no danger.)

The first time you run a program that tries to set up an incoming connection, Windows Firewall asks for your permission by displaying a dialog box. You can add the program to the allowed programs list by clicking Allow Access.

When such a dialog box appears, read it carefully:

  • Is the program one that you knowingly installed and ran?
  • Is it reasonable for the program to require acceptance of incoming connections?
  • Are you currently using a network type where it's okay for this program to accept incoming connections?

If the answer to any of these questions is no, or if you're unsure, click Cancel. If you later find that a needed program isn't working properly, you can open the allowed apps list in Windows Firewall and enable the rule.

Alternatively, you can set up the program from the Allowed Apps window without waiting for a Windows Security Alert dialog box to appear. Follow these steps:

  1. Click Allow Another App. The Add An App dialog box appears.
  2. In Add An App, select the program for which you want to allow incoming connections. Or click Browse and navigate to the program's executable file if it isn't shown in the Apps list.
  3. Click Network Types.
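The Allowed Apps check boxes correspond to inbound program rules scoped to one or more profiles. This added example (not from the book) creates such a rule for the Private profile only, lists every enabled inbound allow rule with its program and profile scope so the holes poked through the firewall can be reviewed, and then clears the check box by disabling the rule. The program path and rule name are hypothetical; it assumes an elevated session on Windows.

```powershell
# Added example, not from the book: the PowerShell equivalent of ticking an
# Allowed Apps check box for one network type, then reviewing and clearing it.
#Requires -RunAsAdministrator

$program  = 'C:\Program Files\ExampleChat\chat.exe'   # hypothetical program
$ruleName = 'ExampleChat (inbound)'                    # hypothetical rule name

# Allow unsolicited inbound connections to the program on the Private profile
# only: the "Private" box ticked, "Public" left clear, so the rule stays
# dormant on hotspots and any other public network.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow `
    -Program $program `
    -Profile Private `
    -Enabled True | Out-Null

# Review what is currently open: every enabled inbound allow rule, the
# program it applies to (if any) and the profiles on which it is active.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Profile = $_.Profile
            Program = $app.Program
        }
    } |
    Sort-Object Profile, Name |
    Format-Table -AutoSize

# Clearing the check box: disable rather than delete, so the rule can be
# re-enabled later without recreating it. The GUI's Remove button is
# Remove-NetFirewallRule -DisplayName $ruleName.
Disable-NetFirewallRule -DisplayName $ruleName
```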

Restoring default settings

If you've played around a bit with Windows Firewall and perhaps allowed connections that you should not have, you can get back to a known secure state by clicking Restore Defaults in Windows Firewall. Be aware that doing so removes all rules that you've added for all programs. Although this gives you a secure setup, you might find that some of your network-connected programs no longer work properly. As that occurs, you can once again add each legitimate program that needs to be allowed.

Advanced tools for managing Windows Firewall

If you have any experience at all configuring firewalls, you'll quickly realize that the Windows Firewall application in Control Panel covers only the most basic tasks. Don't take that as an indication that Windows Firewall is underpowered. To the contrary, you can configure all manner of firewall rules, allowing or blocking traffic based on program, port, protocol, IP address, and so on. In addition, you can enable, disable, and monitor rules; configure logging; and much more. With advanced tools, you can also configure Windows Firewall on remote workstations. Because the interface to these advanced features is rather daunting, Windows Firewall provides the simplified interface described earlier. It's adequate not only for less experienced users, but also for performing the routine firewall tasks needed by information technology (IT) professionals and others.

Nonetheless, our tour of security essentials would not be complete without a visit to Windows Firewall With Advanced Security, a snap-in and predefined console for Microsoft Management Console (MMC) that offers granular control over rules, exceptions, and profiles. To open it, in Windows Firewall click Advanced Settings. Windows Firewall With Advanced Security appears.

The initial view presents information similar to that shown in Windows Firewall. Go just a few steps farther into the cave, however, and you could be lost in no time. The "Windows Firewall with Advanced Security Getting Started Guide" can brighten your path; view it at https://technet.microsoft.com/en-us/library/cc748991.aspx. For additional details, see "Using Windows Firewall with Advanced Security" at https://msdn.microsoft.com/en-us/library/windows/desktop/aa366418(v=vs.85).aspx.

Open Windows Firewall With Advanced Security directly:
You don't need to open Windows Firewall to get to Windows Firewall With Advanced Security. In the search box, type wf.msc and press Ctrl+Shift+Enter to run it as an administrator.