Additional Improvements to Windows Firewall in Windows 7

Beginning with Windows 7, Windows Firewall with Advanced Security has been further improved with the addition of the following new and enhanced features:

  • Multiple Active Firewall Profiles In Windows Vista, only one firewall profile could be active at any one time. This means that if the computer is simultaneously connected to multiple networks, the firewall profile that has the most restrictive rules is applied to all the network connections. Beginning with Windows 7, however, each network connection is assigned its own firewall profile independently of all other connections on the computer. For more information concerning this feature, see the section titled "Understanding Multiple Active Firewall Profiles" later in this tutorial.
  • Authorization exceptions In Windows 7, when you create inbound firewall rules that specify which computers or users are authorized to access the local computer over the network, you can now also specify exceptions that should be denied access to the local computer. This enables you to create rules of the form "everyone except a, b, and c," which block network traffic from the users or computers you specify while allowing traffic from other users or computers. For more information, see the section titled "Configuring Firewall Profiles and IPsec Settings by Using Group Policy" later in this tutorial.
  • Support for specifying port ranges for rules Firewall and connection security rules in Windows 7 can now specify ranges of port numbers, making it easier to create rules for applications that need access to a range of ports instead of one rule per port.
  • User interface support for specifying port numbers and protocols for connection security rules In Windows Vista, you had to use the Netsh command if you wanted to specify port numbers and protocols for connection security rules. In Windows 7, however, you can now use the New Connection Security Rule Wizard to do this.
  • Support for dynamic encryption Connection security rules in Windows 7 now support dynamic encryption, which allows a computer to receive inbound packets from another computer that are authenticated but not encrypted. Once the connection is established, a new quick mode security association is then negotiated to require encryption.
  • Dynamic tunnel endpoints Tunnel connection security rules in Windows 7 now support having an address specified for only one endpoint of the tunnel. This helps simplify policy creation for scenarios in which there are multiple IPsec gateways and clients on multiple remote networks.
  • Tunnel mode authorization In Windows 7, you can now specify groups of users or computers that are authorized to establish a tunnel to the IPsec gateway tunnel termination point. This is important when used in conjunction with dynamic tunnel endpoints to ensure that only authorized users can establish a connection with the computer. Windows 7 also supports exceptions to tunnel mode authorization similar to the authorization exceptions described previously.
  • New edge traversal options In Windows Vista, you could only block or allow edge traversal. Beginning with Windows 7, however, two new options have been added for configuring edge traversal that can be used to allow users or applications to decide whether they can receive unsolicited traffic. For more information, see http://msdn.microsoft.com/en-us/library/dd775221.aspx.
  • Easier configuration of Suite B algorithms In Windows Vista, you had to use the Netsh command if you wanted to create connection security rules that used the Suite B set of algorithms specified in RFC 4869. In Windows 7, however, you can now use the New Connection Security Rule Wizard to do this. For more information concerning Suite B algorithms support in Windows, see http://support.microsoft.com/kb/949856/.
  • Support for certificates issued by intermediate CAs In Windows Vista, connection security rules could only use certificates issued by root certification authorities (CAs). In Windows 7, however, these rules can now use certificates issued by intermediate CAs as well.
  • Support for multiple main mode configurations In Windows Vista, you could create only one global main mode configuration for IPsec communications involving the local computer. The Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in in Windows 7 still allows you to configure only a single main mode configuration for the computer, but you can now use the Netsh command-line tool in Windows 7 and Windows Server 2008 R2 to create additional main mode configurations, which you can use for secure connections to different computers on the network based on the security requirements associated with those endpoints.
  • New tunnel rule types In Windows 7, you now have two additional tunnel rule types that you can configure: Gateway-to-Client and Client-to-Gateway.
  • Force Diffie-Hellman In Windows 7, you now have the option of forcing the use of Diffie-Hellman for key exchange.
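The following batch script is an added example, not part of the tutorial, showing how several of the features listed above are exercised from an elevated command prompt with the netsh advfirewall context that Windows 7 ships. Rule names, port numbers and the SIDs inside the SDDL strings are constructed placeholders; the parameter names (localport ranges, rmtcomputergrp, security=authdynenc, edge=deferapp/deferuser, port1/port2 on connection security rules, mmforcedh on main mode rules) are from the netsh help as the author recalls them, so confirm each on your build with the `?` help (for example `netsh advfirewall firewall add rule ?`) before relying on it.

```batch
@echo off
rem Added example (not from the tutorial). Run from an elevated prompt on
rem Windows 7. All names, ports and SIDs below are constructed placeholders.

rem --- Port ranges in a single rule (Windows 7) -------------------------------
rem Before Windows 7 a rule could carry a single port, so a 5000-5010 range
rem meant eleven rules. Scope the rule to the domain profile only.
netsh advfirewall firewall add rule name="Example App (TCP 5000-5010)" ^
    dir=in action=allow protocol=TCP localport=5000-5010 profile=domain

rem --- "Everyone except ..." authorization exceptions --------------------------
rem An allow-if-secure rule (security=authenticate) scoped to a computer group.
rem The SDDL lists an allow ACE (A;;CC;;;SID) for the authorized group and a
rem deny ACE (D;;CC;;;SID) for the one computer that must be excluded; the deny
rem ACE is the Windows 7 "exception". Replace the placeholder SIDs with real ones
rem (whoami /groups shows the SIDs of the groups the current token carries).
netsh advfirewall firewall add rule name="Example RDP (authorized computers only)" ^
    dir=in action=allow protocol=TCP localport=3389 profile=domain ^
    security=authenticate ^
    rmtcomputergrp="O:LSD:(D;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1201)(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1101)"

rem A firewall rule with security=authenticate only matches traffic that a
rem connection security rule has already protected, so add one. port1/port2
rem restrict the IPsec requirement to the RDP port (port ranges such as
rem 5000-5010 are accepted here as well on Windows 7).
netsh advfirewall consec add rule name="Example isolation (TCP 3389)" ^
    endpoint1=any endpoint2=any action=requireinrequestout ^
    protocol=TCP port1=3389 port2=any auth1=computerkerb profile=domain

rem --- Dynamic encryption ------------------------------------------------------
rem security=authdynenc accepts an authenticated-but-unencrypted inbound
rem connection, then renegotiates a quick mode SA that requires encryption.
netsh advfirewall firewall add rule name="Example File Share (dynamic encryption)" ^
    dir=in action=allow protocol=TCP localport=445 profile=domain ^
    security=authdynenc

rem --- New edge traversal options ----------------------------------------------
rem Vista allowed only edge=yes|no. Windows 7 adds deferapp (the application
rem decides) and deferuser (the user is prompted) for unsolicited traffic.
netsh advfirewall firewall add rule name="Example P2P App (edge deferred to app)" ^
    dir=in action=allow protocol=UDP localport=6881 profile=private ^
    edge=deferapp

rem --- Additional main mode configuration with forced Diffie-Hellman ----------
rem The MMC snap-in edits one global main mode setting; netsh can add more,
rem each with its own key exchange policy. mmforcedh=yes forces a fresh DH
rem exchange for key material instead of reusing existing keying material.
netsh advfirewall mainmode add rule name="Example main mode (force DH)" ^
    mmsecmethods=dhgroup14:aes256-sha256 mmforcedh=yes ^
    auth1=computerkerb profile=domain

rem --- Verify what was created -------------------------------------------------
netsh advfirewall firewall show rule name="Example App (TCP 5000-5010)" verbose
netsh advfirewall consec show rule name="Example isolation (TCP 3389)"
netsh advfirewall mainmode show rule name="Example main mode (force DH)"
rem Once a peer connects, active main mode SAs show the negotiated DH group:
netsh advfirewall monitor show mmsa
```

Two defensive points are worth noting about the example. The deny ACE for the excluded computer takes effect only because the rule is allow-if-secure: without `security=authenticate` the firewall has no authenticated identity to evaluate the SDDL against, and the group restriction silently does nothing. Likewise, `edge=deferapp` hands the decision to the application, so the firewall log (not the rule set) is where you confirm which unsolicited connections were actually admitted.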