Configuring Security Settings in Windows Firewall
Originally called the Internet Connection Firewall (ICF) in Windows XP prior to SP2, Windows Firewall is a personal firewall, stopping undesirable traffic from being accepted by the computer. Using a firewall can avoid security breaches as well as viruses that utilize port-based TCP or UDP traffic to enter the computer's operating system. For computers that use broadband Internet connections with dedicated IP addresses, Windows Firewall can help avoid attacks aimed at disrupting a home computer. When you take your laptop to a Wi-Fi-enabled public location such as an airport, hotel, or restaurant, the firewall protects you from individuals who might be probing the network to see what they can steal or infect. Even people with dial-up Internet connections can benefit from added protection. The Windows Firewall is enabled by default when you install Windows 7, as it was in Windows Vista.
Windows Firewall is a stateful host-based firewall that you can configure to allow or block specific network traffic. It includes a packet filter that uses an access control list (ACL) specifying parameters (such as IP address, port number, and protocol) that are allowed to pass through. When a user communicates with an external computer, the stateful firewall remembers this conversation and allows the appropriate reply packets to reach the user. Packets from an outside computer that attempts to communicate with a computer on which a stateful firewall is running are dropped unless the ACL contains rules permitting them.
Windows Vista introduced considerable improvements to its original implementation in Windows XP SP2, including outbound traffic protection, support for IP Security (IPSec) and IP version 6 (IPv6), improved configuration of exceptions, and support for command-line configuration. In Windows 7, Microsoft has improved Windows Firewall even further. The following are some of the important new features in the Windows 7 implementation:
- Support for multiple active profiles. If your computer is connected to more than one network, you can have each network adapter assigned to a different profile (public, private, or domain).
- Additional rules are available from the Windows Firewall with Advanced Security tool, including more specific disabling of its features.
- The ability to selectively disable features that might be in conflict with components of a third-party firewall.
- You can use Windows Firewall with Advanced Security to specify port numbers or protocols in connection security rules, as well as ranges of port numbers. In previous versions of Windows Firewall, you had to use the netsh command-line tool to perform this action.
- Creation of IPSec connection security rules has been simplified with the use of dynamic encryption.
- When securing tunnel-mode connections, you can specify the authorized users and computers that can set up an inbound tunnel to an IPSec gateway server.
- You can exempt DHCP traffic from IPSec requirements.
- You can specify that an outbound allow rule can override block rules when secured with an IPSec connection security rule.
- Additional options have been added for configuring authentication for an IPSec tunnel-mode rule.
- A new main mode configuration capability includes additional configuration options for specific origin and destination IP addresses or network location protocols. Network connections matching a main mode rule use these settings rather than the global defaults or those specified in connection security rules.
You can perform basic configuration of Windows Firewall from a Control Panel applet; you can also perform more advanced configuration of Windows Firewall, including the use of security policies from a Microsoft Management Console (MMC) snap-in. We shall look at each of these in turn.
Basic Windows Firewall Configuration
The Windows Firewall Control Panel applet, found in the System and Security category, enables you to set up firewall rules for each of the same network types introduced earlier in this tutorial for configuring network settings.
Note:
If your computer is joined to an AD DS domain, an additional location called Domain Networks is added. Settings in this location are configured through domain-based Group Policy and cannot be modified here.
You can enable or disable the Windows Firewall separately for each connection. In doing so, you are able to use Windows Firewall to protect a computer connected to the Internet via one adapter and not use Windows Firewall for the adapter connected to the private network. Use the following instructions to perform basic firewall configuration:
- Open the Windows Firewall applet by using any of the following methods:
- Click Start → Control Panel → System and Security → Windows Firewall.
- Click Start and type firewall in the Search field. From the list of programs displayed under Control Panel, click Windows Firewall.
- Click Start, right-click Network, and then click Properties. Select Windows Firewall from the bottom-left corner of the Network and Sharing Center.
- From the left pane of the Windows Firewall applet, select Turn Windows Firewall on or off. If you receive a UAC prompt, click Yes. This displays the Customize settings for each type of network dialog box.
- If you are connected to a corporate network with a comprehensive hardware firewall, select Turn off Windows Firewall (not recommended) under the Home or Work (Private) Network Location Settings section. If you connect at any time to an insecure network, such as an airport or restaurant Wi-Fi hot spot, select the Block all incoming connections, including those in the list of allowed programs option under Public network location settings. This option disables all exceptions you've configured on the Exceptions tab.
The Customize settings for each type of network dialog box enables you to turn the firewall on or off and to block incoming connections.
Caution:
Don't disable the firewall unless absolutely necessary, even on the Home or Work (Private) Network Location Settings section. Never select the Off option unless you're absolutely certain that your network is well protected with a good firewall. The only exception should be temporarily to troubleshoot a connectivity problem; after you've solved the problem, be sure to reenable the firewall immediately.
- To configure program exceptions, return to the Windows Firewall applet and click Allow a program or feature through Windows Firewall.
- From the list, select the programs or ports you want to have access to your computer on either of the Home/Work (Private) or Public profiles. The Windows Firewall Configurable Exceptions table later in this section describes the more important items in this list. Clear the check boxes next to any programs or ports to be denied access, or select the check boxes next to programs or ports to be granted access.
- To add a program not shown in the list, click Allow another program. From the Add a Program dialog box, select the program to be added and then click Add. If necessary, click Browse to locate the desired program. You can also click Network location types to choose which network type is allowed by the selected program.
The Allow programs to communicate through Windows Firewall dialog box enables you to specify which programs are allowed to communicate through the firewall.
The Add a Program dialog box enables you to allow specific programs access through the Windows Firewall.
- In the Allow programs to communicate through Windows Firewall dialog box, to view properties of any program or port on the list, select it and click Details.
- To remove a program from the list, select it and click Remove. You can do this only for programs you have added using step 6.
- If you need to restore default settings, return to the Windows Firewall applet and click Restore defaults. Then confirm your intention in the Restore Default Settings dialog box that appears.
- If you are experiencing networking problems, click Troubleshoot my network to access the troubleshooter.
- When you are finished, click OK.
Tip:
When allowing additional programs to communicate through Windows Firewall, by default these programs are allowed to communicate through the Home/Work network profile only. You should retain this default unless you need a program to communicate through the Internet from a public location. From the Public column of the dialog box, you should select the boxes next to any connections that link to the Internet; you should clear the boxes next to any connections to a private network.
Windows Firewall Configurable Exceptions
Each entry gives the exception, what it does, and whether it is enabled by default.
- Core Networking and Network Discovery: Each option works with the other to enable your computer to connect to other network computers or the Internet. Enabled by default: Yes; network discovery for home or work only.
- Distributed Transaction Coordinator: Coordinates the update of transaction-protected resources such as databases, message queues, and file systems. Enabled by default: No.
- File and Printer Sharing: Enables your computer to share resources such as files and printers with other computers on your network. Enabled by default: Yes.
- HomeGroup: Allows communication to other computers in the homegroup. Enabled by default: Yes, for home or work only when joined to a homegroup.
- iSCSI Service: Used for connecting to iSCSI target servers and devices. Enabled by default: No.
- Key Management Service: Used for machine counting and license compliance in enterprise environments. Enabled by default: No.
- Media Center Extenders: Allows Media Center Extenders to communicate with a computer running Windows Media Center. Enabled by default: No.
- Netlogon Service: Maintains a secure channel between domain clients and a domain controller for authenticating users and services. Enabled by default: Only on a computer joined to an Active Directory domain.
- Network Discovery: Allows computers to locate other resources on the local network. Enabled by default: Yes, for home or work only.
- Performance Logs and Alerts: Allows remote management of the Performance Logs and Alerts service. Enabled by default: No.
- Remote Assistance: Enables an expert user to connect to the desktop of a user requiring assistance in a Windows Feature. Enabled by default: Yes, for home or work only.
- Remote Desktop: Enables a user to connect with and work on a remote computer. Enabled by default: No.
- Remote (item) Management: Enables an administrator to manage items on a remote computer, including event logs, scheduled tasks, services, and disk volumes. Enabled by default: No for all these tasks.
- Routing and Remote Access (RRAS): Enables remote users to connect to a server to access the corporate network (used on RRAS server computers only). Enabled by default: No.
- Windows Easy Transfer: Enables a user to copy files, folders, and settings from an old computer running Windows 2000 or later to a new Windows 7 computer. Enabled by default: Yes.
- Windows Remote Management: Enables you to manage a remote Windows computer. Enabled by default: No.
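Each check box in the Allow programs to communicate through Windows Firewall list toggles a rule group in Windows Firewall with Advanced Security, and the same groups can be set by name from a script. The following is an added example, not part of this tutorial: a PowerShell wrapper around the built-in netsh advfirewall tool (Windows 7 ships no firewall cmdlets) that applies per-profile choices for groups from the table above and then reads back which groups still have an enabled inbound rule. The group names are the display names from the applet; which groups to close on which profile is an illustrative choice.

```powershell
# Added example (not from the tutorial). Each check box in the applet toggles a rule
# *group*; netsh advfirewall addresses the same groups by display name. Run as Administrator.

function Set-FirewallExceptionGroup {
    param(
        [Parameter(Mandatory=$true)][string]$Group,            # display name from the table
        [Parameter(Mandatory=$true)]
        [ValidateSet('domain','private','public')][string]$NetworkProfile,
        [Parameter(Mandatory=$true)][bool]$Enabled
    )
    $state = if ($Enabled) { 'yes' } else { 'no' }
    # Only inbound rules of this group that already apply to the chosen profile are touched.
    $output = netsh advfirewall firewall set rule group="$Group" dir=in profile=$NetworkProfile new enable=$state
    if ($LASTEXITCODE -ne 0) {
        # netsh returns non-zero when no rule of the group exists for that profile
        Write-Warning "netsh reported a problem for group '$Group' ($NetworkProfile): $output"
    }
    $output
}

# Returns the groups that have at least one enabled inbound rule in a profile, parsed from
# 'netsh advfirewall firewall show rule' output (the Enabled: line precedes Grouping:).
function Get-EnabledExceptionGroups {
    param([ValidateSet('domain','private','public')][string]$NetworkProfile)
    $groups  = @{}
    $enabled = $false
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in profile=$NetworkProfile)) {
        if     ($line -match '^Rule Name:')                        { $enabled = $false }
        elseif ($line -match '^Enabled:\s+Yes')                    { $enabled = $true }
        elseif ($enabled -and $line -match '^Grouping:\s+(.*\S)')  { $groups[$Matches[1]] = $true }
    }
    $groups.Keys | Sort-Object
}

# Public (hot-spot) profile: discovery, sharing and Remote Desktop closed, in line with the
# table's defaults for public networks. Illustrative choice of groups.
foreach ($g in 'Network Discovery', 'File and Printer Sharing', 'Remote Desktop') {
    Set-FirewallExceptionGroup -Group $g -NetworkProfile public -Enabled $false | Out-Null
}
# Home/work (private) profile: discovery and sharing stay on, matching the table.
foreach ($g in 'Network Discovery', 'File and Printer Sharing') {
    Set-FirewallExceptionGroup -Group $g -NetworkProfile private -Enabled $true | Out-Null
}

"Groups with an enabled inbound rule, public profile:"
Get-EnabledExceptionGroups -NetworkProfile public
"Groups with an enabled inbound rule, private profile:"
Get-EnabledExceptionGroups -NetworkProfile private
```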
Using the Windows Firewall with Advanced Security Snap-in
First introduced in Windows Vista and enhanced in Windows 7, the Windows Firewall with Advanced Security snap-in enables you to perform a comprehensive set of configuration actions. You can configure rules that affect inbound and outbound communication, and you can configure connection security rules and the monitoring of firewall actions. Inbound rules help prevent actions such as unknown access or configuration of your computer, installation of undesired software, and so on. Outbound rules help prevent utilities on your computer from performing certain actions, such as accessing network resources or software without your knowledge. They can also help prevent other users of your computer from downloading software or inappropriate files without your knowledge.
To access the snap-in, type firewall in the Search field of the Start menu and then select Windows Firewall with Advanced Security from the Programs list. You can also click Advanced settings from the task list in the Windows Firewall applet. The snap-in opens after you accept the UAC prompt (if you receive one).
When the snap-in first opens, it displays a summary of configured firewall settings. From the left pane, you can configure any of the following types of properties:
- Inbound Rules:
Displays a series of defined inbound rules. Enabled rules are shown with a green check mark icon. If the icon is dark in appearance, the rule is not enabled. To enable a rule, right-click it and select Enable Rule; to disable an enabled rule, right-click it and select Disable Rule. You can also create a new rule by right-clicking Inbound Rules and selecting New Rule. We discuss creation of new rules later in this section.
- Outbound Rules:
Displays a series of defined outbound rules, also with a green check mark icon for enabled rules. You can enable or disable rules, and create new rules, in the same manner as with inbound rules.
- Connection Security Rules:
By default, this branch does not contain any rules. Right-click it and choose New Rule to create rules that are used to determine limits applied to connections with remote computers.
- Monitoring:
Displays a summary of enabled firewall settings and provides links to active rules and security associations. This includes a domain profile for computers that are members of an AD DS domain. The following three links are available from the bottom of the left pane:
- Firewall:
Displays enabled inbound and outbound rules.
- Active Connection Security Rules:
Displays enabled connection security rules that you have created.
- Security Associations:
Displays IPSec main mode and quick mode associations.
Configuring Multiple Firewall Profiles
A profile is simply a means of grouping firewall rules so that they apply to the affected computers dependent on where the computer is connected. The Windows Firewall with Advanced Security snap-in enables you to define different firewall behavior for each of the following three profiles:
- Domain Profile:
Specifies firewall settings for use when connected directly to an AD DS domain. If the network is protected from unauthorized external access, you can specify additional exceptions that facilitate communication across the LAN to network servers and client computers.
- Private Profile:
Specifies firewall settings for use when connected to a private network location, such as a home or small office. You can open up connections to network computers and lock down external communications as required.
- Public Profile:
Specifies firewall settings for use when connected to an insecure public network, such as a Wi-Fi access point at a hotel, restaurant, airport, or other location where unknown individuals might attempt to connect to your computer. By default, network discovery and file and printer sharing are turned off, inbound connections are blocked, and outbound connections are allowed.
To configure settings for these profiles from the Windows Firewall with Advanced Security snap-in, right-click Windows Firewall with Advanced Security at the top-left corner and choose Properties.
You can configure the following properties for each of the three profiles individually from this dialog box:
- State:
Enables you to turn the firewall on or off for the selected profile and block or allow inbound and outbound connections. For inbound connections, you can either block connections with the configured exceptions or block all connections. Click Customize to specify which connections you want Windows Firewall to help protect.
- Settings:
Enables you to customize firewall settings for the selected profile. Click Customize to specify whether to display notifications to users when programs are blocked from receiving inbound connections or allow unicast responses. You can also view but not modify how rules created by local administrators are merged with Group Policy-based rules.
- Logging:
Enables you to configure logging settings. Click Customize to specify the location and size of the log file and whether dropped packets or successful connections are logged.
In addition, you can configure IPSec settings from the IPSec Settings tab, including defaults and exemptions. IPSec authentication rules enable you to configure bypass rules for specific computers that enable these computers to bypass other Windows Firewall rules. Doing so enables you to block certain types of traffic while enabling authenticated computers to receive these types of traffic.
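The State, Settings and Logging properties described above can also be applied from the command line, and the log that Logging produces is what you read when checking what the firewall has been dropping. The following is an added example, not part of this tutorial: the Public profile is configured with the built-in netsh advfirewall tool (Windows 7 ships no firewall cmdlets), and a small PowerShell function then summarizes dropped inbound packets from a log in pfirewall.log's layout. The log size and the sample log lines are constructed; the log path is the default location Windows uses.

```powershell
# Added example (not from the tutorial). The State, Settings and Logging sections of the
# Public profile, set with the built-in netsh advfirewall tool, followed by a summary of the
# dropped-packet log that this configuration produces. Run as Administrator.
# Constructed: the maximum log size and the sample log lines; the log path is the default.

$logPath = 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'

# State: on; drop all inbound connections including allowed programs (the hot-spot
# choice from the applet); allow outbound.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
# Settings: no notification pop-ups in public; no unicast replies to multicast/broadcast.
netsh advfirewall set publicprofile settings inboundusernotification disable
netsh advfirewall set publicprofile settings unicastresponsetomulticast disable
# Logging: dropped packets only, 4 MB maximum (the size is given in KB).
netsh advfirewall set publicprofile logging filename $logPath
netsh advfirewall set publicprofile logging maxfilesize 4096
netsh advfirewall set publicprofile logging droppedconnections enable
netsh advfirewall set publicprofile logging allowedconnections disable
netsh advfirewall show publicprofile        # read back the applied settings

# pfirewall.log is W3C extended log format: '#' header lines, including a '#Fields:' line
# that names the columns, then one space-separated record per packet.
function Get-DroppedInboundSummary {
    param([string[]]$Lines)
    $fields = $null
    $data   = @()
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.*)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }
        if ($fields) { $data += $line }
    }
    # Inbound drops only (path RECEIVE), counted per source address and destination port.
    $data | ConvertFrom-Csv -Delimiter ' ' -Header $fields |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';  e = { $_.Group[0].'src-ip' } },
            @{ n = 'DstPort'; e = { $_.Group[0].'dst-port' } },
            @{ n = 'Proto';   e = { $_.Group[0].protocol } }
}

# Constructed sample in the real file's layout: one host probing 445 and 3389, a NetBIOS
# broadcast from the local router, and one outbound (SEND) drop that must not be counted.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-03-15 10:22:01 DROP TCP 203.0.113.7 192.168.1.50 51234 445 52 S 3849221 0 8192 - - - RECEIVE
2010-03-15 10:22:03 DROP TCP 203.0.113.7 192.168.1.50 51235 3389 52 S 3849222 0 8192 - - - RECEIVE
2010-03-15 10:22:04 DROP TCP 203.0.113.7 192.168.1.50 51236 445 52 S 3849223 0 8192 - - - RECEIVE
2010-03-15 10:22:09 DROP UDP 192.168.1.1 192.168.1.50 137 137 78 - - - - - - - RECEIVE
2010-03-15 10:22:11 DROP TCP 192.168.1.50 198.51.100.20 49200 80 52 S 1100201 0 8192 - - - SEND
'@ -split "`r?`n"

Get-DroppedInboundSummary -Lines $sampleLog | Format-Table -AutoSize
# Against the live log once packets have been dropped:
# Get-DroppedInboundSummary -Lines (Get-Content $logPath) | Format-Table -AutoSize
```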
Configuring New Firewall Rules
By clicking New Rule under Inbound Rules or Outbound Rules in the Windows Firewall with Advanced Security snap-in, you can create rules that determine programs or ports that are allowed to pass through the firewall. Use the following procedure to create a new rule:
- Right-click the desired rule type in the Windows Firewall with Advanced Security snap-in and choose New Rule. This starts the New (Inbound or Outbound) Rule Wizard. (We chose a new inbound rule, so our example shows the New Inbound Rule Wizard.)
- Select the type of rule you want to create:
- Program:
Enables you to define a rule that includes all programs or a specified program path.
- Port:
Enables you to define rules for specific remote ports using either the TCP or UDP protocol.
- Predefined:
Enables you to select from a large quantity of predefined rules covering the same exceptions described previously in the Windows Firewall Configurable Exceptions table. Select the desired exception from the drop-down list.
- Custom:
Enables you to create rules that apply to combinations of programs and ports. This option combines settings provided by the other rule-type options.
- After you've selected your rule type, click Next.
- The content of the next page of the wizard varies according to which option you've selected. On this page, define the program path, port number, and protocol, or the predefined rule that you want to create, and then click Next.
- On the Action page, specify the action to be taken when a connection matches the specified conditions.
- If you choose the Allow the Connection if it is secure option, click Customize to display the dialog box. From this dialog box, select the required option as explained on the dialog box and click OK. If you desire that encryption be enforced in addition to authentication and integrity protection, select the Require the connections to be encrypted option and also select the check box provided if you want to allow unencrypted data to be sent while encryption is being negotiated.
- Click Next to display the Profile page. On this page, select the profiles (Domain, Private, and Public) to which the rule is to be applied. Then click Next.
- On the Name page, specify a name and optional description for your new rule. Click Finish to create the rule, which will then appear in the right pane of the Windows Firewall with Advanced Security snap-in.
The procedure for creating a new connection security rule is similar to that for inbound or outbound rules, but the options are slightly different. In the Windows Firewall with Advanced Security snap-in, right-click Connection Security Rules and choose New Rule to display the New Connection Security Rule Wizard. Connection security rules manage authentication of two machines on the network and the encryption of network traffic sent between them using IPSec. Security is also achieved with the use of key exchange and data integrity checks. You can create the following types of connection security rules:
- Isolation:
Enables you to limit connections according to authentication criteria that you define. For example, you can use this rule to isolate domain-based computers from external computers such as those located across the Internet. You can request or require authentication and specify the authentication method that must be used.
- Authentication exemption:
Enables specified computers, such as DHCP and DNS servers, to be exempted from the need for authentication. You can specify computers by IP address ranges or subnets, or you can include a predefined set of computers.
- Server-to-server:
Enables you to create a secured connection between computers in two endpoints that are defined according to IP address ranges.
- Tunnel:
Enables you to secure communications between two computers by means of IPSec tunnel mode. This encapsulates network packets that are routed between the tunnel endpoints. You can choose from several types of tunnels; you can also exempt IPSec-protected computers from the defined tunnel.
- Custom:
Enables you to create a rule that requires special settings not covered explicitly in the other options. All wizard pages except those used to create only tunnel rules are available.
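The Isolation and Authentication exemption rule types above, together with the Allow the connection if it is secure action from the firewall rule procedure earlier in this section, fit together: the connection security rules establish who must authenticate, and the firewall rule then admits traffic only when IPSec has done so. The following is an added example, not part of this tutorial, entering those three rules with the built-in netsh advfirewall tool (Windows 7 ships no firewall cmdlets). The rule names, the subnet, the port and the computer-group SID are constructed placeholders, and Kerberos computer authentication assumes a domain-joined machine.

```powershell
# Added example (not from the tutorial): Isolation and Authentication exemption connection
# security rules, plus an inbound rule that uses "Allow the connection if it is secure",
# all entered with netsh advfirewall. Run as Administrator on a domain-joined computer.
# Constructed: rule names, the 192.168.1.0/24 subnet, port 8443 and the group SID.

# Isolation: require authentication for inbound traffic on the LAN, request it outbound.
# "requireinrequestout" is the wizard's "Require authentication for inbound connections
# and request authentication for outbound connections"; computerkerb is Kerberos V5.
netsh advfirewall consec add rule name="Isolation - LAN (constructed)" `
    endpoint1=192.168.1.0/24 endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain,private

# Authentication exemption: the infrastructure hosts a client must reach before Kerberos
# can work at all (DHCP, DNS, default gateway) are excused from the requirement above.
netsh advfirewall consec add rule name="Exempt infrastructure (constructed)" `
    endpoint1=any endpoint2=dhcp,dns,defaultgateway action=noauthentication

# Inbound rule for a management port: admitted only when the connection is authenticated
# AND encrypted by IPSec (security=authenc is the "Require the connections to be encrypted"
# option), and only from computers in one AD group. rmtcomputergrp takes an SDDL string;
# the SID below is a placeholder to be replaced with the real group's SID.
netsh advfirewall firewall add rule name="Mgmt 8443 - secure only (constructed)" `
    dir=in action=allow protocol=TCP localport=8443 profile=domain `
    security=authenc rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-1234)"

# Read back the results; the Monitoring branch of the snap-in shows the same rules and,
# once a peer connects, the main mode and quick mode security associations they create.
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name="Mgmt 8443 - secure only (constructed)" verbose
```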
Modifying Rule Properties
You can modify any Windows Firewall rule from its Properties dialog box, accessed by right-clicking the rule in the center pane of the Windows Firewall with Advanced Security snap-in and choosing Properties. You can configure the following properties:
- General tab:
Enables you to edit the name and description of the rule or change the action.
- Programs and Services tab:
Enables you to define which programs and services are affected by the rule.
- Computers tab:
Enables you to specify which computers are authorized to allow connections according to the rule or enables you to specify computers for which the rule will be skipped.
- Protocols and Ports tab:
Enables you to specify the protocol type and the local and remote ports covered by the rule.
- Scope tab:
Enables you to specify the local and remote IP addresses of connections covered by the rule. You can specify Any Address or select a subnet or IP address range.
- Advanced tab:
Enables you to specify the profiles (domain, private, or public) to which the rule applies. You can also specify the interface types (local area network, remote access, and/or wireless) and whether edge traversal (traffic routed through a NAT device) is allowed or blocked.
- Users tab:
Enables you to specify which users or groups are authorized to allow connections according to the rule or enables you to specify users or groups for which the rule will be skipped.
Configuring Notifications
You can configure the Windows Firewall with Advanced Security snap-in to display notifications when a program is blocked from receiving inbound connections according to the default behavior of Windows Firewall. When you have selected this option and no existing block or allow rule applies to this program, a user is notified when a program is blocked from receiving inbound connections.
To configure this option:
- Right-click Windows Firewall with Advanced Security at the top of the left pane in the Windows Firewall with Advanced Security snap-in and then choose Properties.
- Select the tab that corresponds to the profile you want to configure and then click the Customize command button in the Settings section.
- From the Customize Settings for the (selected) Profile dialog box that appears, select Yes under Display a Notification and then click OK twice.
Group Policy and Windows Firewall
Group Policy in Windows Firewall enables you to configure similar policies to those configured with the Windows Firewall with Advanced Security snap-in. Use the following procedure to configure Group Policy for Windows Firewall:
- Click Start, type gpedit, and then click gpedit.msc in the Programs list. If you receive a UAC prompt, click Yes.
- Navigate to the Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - Local Group Policy Object node. The right pane displays the Windows Firewall with Advanced Security settings.
- Scroll the right pane to select links for inbound rules, outbound rules, and connection security rules. These links open subnodes in the console tree.
- Unlike the Windows Firewall with Advanced Security snap-in, no default rules are present. To add rules, right-click in the details pane and select New Rule. This starts the New Rule Wizard, which enables you to create rules using the same options already discussed in this section.
After you have added firewall rules in Group Policy, you can filter the view according to profile (domain, private, or public) or by state (enabled or disabled).
Tip:
A Group Policy feature first introduced in Windows Vista and continued in Windows 7 enables you to configure common policy settings for all user accounts on a computer used by more than one user. This includes Windows Firewall as discussed here, as well as UAC and all other policy settings. In addition, you can configure separate policies for administrators or nonadministrators. If necessary, you can even configure local group policies on a per-user basis.