Additional Improvements to Windows Firewall in Windows 7
Beginning with Windows 7, Windows Firewall with Advanced Security has been further improved with the addition of the following new and enhanced features:
- Multiple Active Firewall Profiles In Windows Vista, only one firewall profile could be active at any one time. This means that if the computer is simultaneously connected to multiple networks, the firewall profile that has the most restrictive rules is applied to all the network connections. Beginning with Windows 7, however, each network connection is assigned its own firewall profile independently of all other connections on the computer. For more information concerning this feature, see the section titled "Understanding Multiple Active Firewall Profiles" later in this tutorial.
- Authorization exceptions In Windows 7, when you create inbound firewall rules that specify which computers or users are authorized to access the local computer over the network, you can now also specify exceptions that should be denied access to the local computer. This enables you to create rules of the form "everyone except a, b, and c," which block network traffic from the users or computers you specify while allowing traffic from other users or computers. For more information, see the section titled "Configuring Firewall Profiles and IPsec Settings by Using Group Policy" later in this tutorial.
- Support for specifying port ranges for rules Firewall and connection security rules in Windows 7 can now specify ranges of port numbers (for example, 5000-5010 in a single rule), making it easier to create rules for applications that need access to a range of ports.
- User interface support for specifying port numbers and protocols for connection security rules In Windows Vista, you had to use the Netsh command if you wanted to specify port numbers and protocols for connection security rules. In Windows 7, however, you can now use the New Connection Security Rule Wizard to do this.
- Support for dynamic encryption Connection security rules in Windows 7 now support dynamic encryption, which allows a computer to receive inbound packets from another computer that are authenticated but not encrypted. Once the connection is established, a new quick mode security association is then negotiated so that the remainder of the connection is encrypted. On an allow-if-secure firewall rule that requires encryption, this is the option to let the computers dynamically negotiate encryption (security=authdynenc in Netsh).
- Dynamic tunnel endpoints Tunnel connection security rules in Windows 7 now support having an address specified for only one endpoint of the tunnel. This helps simplify policy creation for scenarios in which there are multiple IPsec gateways and clients on multiple remote networks.
- Tunnel mode authorization In Windows 7, you can now specify groups of users or computers that are authorized to establish a tunnel to the IPsec gateway tunnel termination point. This is important when used in conjunction with dynamic tunnel endpoints to ensure that only authorized users can establish a connection with the computer. Windows 7 also supports exceptions to tunnel mode authorization similar to the authorization exceptions described previously.
- New edge traversal options In Windows Vista, you could only block or allow edge traversal. Beginning with Windows 7, however, two new options, Defer to user and Defer to application, have been added for configuring edge traversal; they let the user or the application itself decide whether the program can receive unsolicited traffic from the Internet through a NAT edge device. For more information, see http://msdn.microsoft.com/en-us/library/dd775221.aspx.
- Easier configuration of Suite B algorithms In Windows Vista, you had to use the Netsh command if you wanted to create connection security rules that used the Suite B set of algorithms specified in RFC 4869. In Windows 7, however, you can now use the New Connection Security Rule Wizard to do this. For more information concerning Suite B algorithms support in Windows, see http://support.microsoft.com/kb/949856/.
- Support for certificates issued by intermediate CAs In Windows Vista, connection security rules could only use certificates issued by root certification authorities (CAs). In Windows 7, however, these rules can now use certificates issued by intermediate CAs as well.
- Support for multiple main mode configurations In Windows Vista, you could create only one global main mode configuration for IPsec communications involving the local computer. While the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in in Windows 7 still allows you to configure only a single main mode configuration for the computer, you can now use the Netsh command-line tool in Windows 7 and Windows Server 2008 R2 to create additional main mode configurations that you can use for secure connections to different computers on the network based on the security requirements associated with those endpoints.
- New tunnel rule types In Windows 7, you now have two additional tunnel rule types that you can configure: Gateway-to-Client and Client-to-Gateway.
- Force Diffie-Hellman In Windows 7, you now have the option of forcing a Diffie-Hellman exchange for main mode keying, rather than letting AuthIP derive keying material from the authentication exchange alone (mmforcedh=yes in Netsh).
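The features above, exercised end to end with the Netsh advfirewall context, as an added example that is not code from the original tutorial. It assumes Windows 7 or Windows Server 2008 R2 and an elevated PowerShell session; the rule names, ports, subnet and SIDs are placeholders, and the encoding of authorization exceptions as access-denied ACEs in the rmtusrgrp SDDL is an assumption about what the snap-in writes for its Exceptions box.

```powershell
# Added example; not code from the original tutorial. Uses netsh advfirewall,
# which the text points to for settings the snap-in does not expose, to apply
# four Windows 7 additions: port ranges, authorization exceptions, dynamic
# encryption, and an extra main mode configuration with forced Diffie-Hellman.
# Run from an elevated PowerShell prompt on Windows 7 / Server 2008 R2.
# Rule names, ports, the subnet and the SIDs are invented placeholders.

function Invoke-Netsh {
    # One array element per netsh token (so no value may contain spaces), and a
    # thrown error on non-zero exit instead of a quietly ignored failure.
    param([Parameter(Mandatory=$true)][string[]]$NetshArgs)
    $out = & netsh.exe @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw ("netsh {0} failed: {1}" -f ($NetshArgs -join ' '), ($out -join ' '))
    }
    return $out
}

function New-AuthorizationSddl {
    # SDDL for rmtusrgrp / rmtcomputergrp: allowed principals become
    # access-allowed ACEs, the Windows 7 "exceptions" become access-denied ACEs.
    # Denies are listed first, as in a canonical DACL. Assumption: this is the
    # same encoding the snap-in writes for the Exceptions box.
    param([string[]]$AllowSids, [string[]]$DenySids = @())
    $aces = ''
    foreach ($sid in $DenySids)  { $aces += "(D;;CC;;;$sid)" }
    foreach ($sid in $AllowSids) { $aces += "(A;;CC;;;$sid)" }
    return "O:LSD:$aces"
}

$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # placeholder domain SID

# 1 + 2: a port range and "Domain Users (RID 513) except two accounts".
# Authorization lists are only honoured on allow-if-secure rules, hence
# security=authenticate.
$sddl = New-AuthorizationSddl -AllowSids @("$domainSid-513") `
                              -DenySids  @("$domainSid-1105", "$domainSid-1106")
Invoke-Netsh @('advfirewall','firewall','add','rule','name=ContosoAppInbound',
    'dir=in','action=allow','protocol=TCP','localport=5000-5010','profile=domain',
    'security=authenticate',"rmtusrgrp=$sddl") | Out-Null

# 3: dynamic encryption. authdynenc lets the first inbound packet arrive
# authenticated but unencrypted, then renegotiates quick mode to encrypt the rest.
Invoke-Netsh @('advfirewall','firewall','add','rule','name=ContosoDbInbound',
    'dir=in','action=allow','protocol=TCP','localport=1433','profile=domain',
    'security=authdynenc') | Out-Null

# 4: a second main mode configuration scoped to the database subnet (the snap-in
# edits only the global one), plus forced Diffie-Hellman for main mode keying.
Invoke-Netsh @('advfirewall','mainmode','add','rule','name=ContosoDbMainMode',
    'mmsecmethods=ecdhp256:aes256-sha256','auth1=computerkerb',
    'endpoint1=any','endpoint2=10.20.30.0/24','profile=domain') | Out-Null
Invoke-Netsh @('advfirewall','set','global','mainmode','mmforcedh=yes') | Out-Null

function Test-RuleStored {
    # Reads a rule back and checks that a setting Vista could not express survived.
    param([string]$Name, [string]$Expected)
    $dump = Invoke-Netsh @('advfirewall','firewall','show','rule',"name=$Name",'verbose')
    return [bool]($dump -match [regex]::Escape($Expected))
}
if (-not (Test-RuleStored ContosoAppInbound '5000-5010')) { throw 'port range not stored' }
Invoke-Netsh @('advfirewall','firewall','show','rule','name=ContosoAppInbound','verbose')
Invoke-Netsh @('advfirewall','show','global')   # main mode section reports the forced-DH setting
```

None of the allow-if-secure rules pass any traffic until a connection security rule negotiates IPsec with the peer, so the script only proves the settings are stored. To undo it: netsh advfirewall firewall delete rule name=ContosoAppInbound, the same for ContosoDbInbound, netsh advfirewall mainmode delete rule name=ContosoDbMainMode, and netsh advfirewall set global mainmode mmforcedh=no.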
In this tutorial:
- Configuring Windows Firewall and IPsec
- Understanding Windows Firewall with Advanced Security
- Improvements to Windows Firewall Introduced Previously in Windows Vista
- Additional Improvements to Windows Firewall in Windows 7
- Understanding the Windows Filtering Platform
- Windows Firewall and the Startup Process
- Understanding Windows Service Hardening
- Understanding Service SIDs
- Windows Firewall and WSH
- Windows Firewall and Service Triggers
- Understanding Multiple Active Firewall Profiles
- Understanding Rules
- Understanding Firewall Rules
- Inbound vs. Outbound Rules
- Allow vs. Block Rules
- Allow If Secure Rules
- Authenticated Bypass Rules
- Filtering Conditions for Firewall Rules
- Understanding Connection Security Rules
- Types of Connection Security Rules
- Supported IPsec Settings for Connection Security Rules
- Default IPsec Settings for Connection Security Rules
- Windows Firewall and Windows PE
- Understanding Default Rules
- Understanding WSH Rules
- Understanding Rules Processing
- Managing Windows Firewall with Advanced Security
- Tools for Managing Windows Firewall with Advanced Security
- Managing Windows Firewall Using Control Panel
- Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in
- Managing Windows Firewall Using Group Policy
- Considerations When Managing Windows Firewall Using Group Policy
- Managing Windows Firewall Using the Netsh Command
- Common Management Tasks
- Enabling or Disabling Windows Firewall
- Configuring Firewall Profiles and IPsec Settings by Using Group Policy
- Creating and Configuring Firewall Rules
- Creating and Configuring Connection Security Rules
- Monitoring Windows Firewall
- Troubleshooting Windows Firewall
- Troubleshooting Windows Firewall Using Firewall Logs
- Troubleshooting Windows Firewall Using Event Logs
- Troubleshooting Windows Firewall Using Auditing
- Troubleshooting IPsec Issues Using Netsh Wfp
- Troubleshooting Windows Filtering Platform and IPsec Issues Using Netsh Trace