Windows 7

Configuring Windows Firewall Options

Now that we have talked about disks, let's discuss one way to protect those disks from unauthorized access. Before we can start talking about firewall options, you must first understand what a firewall does. A firewall is a software or hardware device that inspects the traffic arriving from an outside (Internet) or other external network and uses what it finds to decide whether each packet should be accepted or dropped.

Depending on the firewall, you have the ability to check all potential remote users against Active Directory to verify that the remote user has an authorized domain account. This process is called Active Directory account integration.

Microsoft Windows Server 2012 has a built-in firewall. The following are some of the configuration options included in the Windows Firewall Settings dialog box:

  • Domain Profile Tab:
    On the Domain Profile tab, you have the ability to turn the firewall on or off by using the Firewall State drop-down menu. When setting the Firewall State in this tab, it's for turning the firewall on or off for the domain only. When turning the firewall on, you also have the ability to block inbound and outbound connections. Administrators also have the ability to control the Windows Firewall behavior along with setting up logging.
  • Private Profile Tab:
    On the Private Profile tab, you have the ability to turn the firewall on or off by using the Firewall State drop-down menu. When setting the Firewall State in this tab, it's for turning the firewall on or off for the Private Profile only. When turning the firewall on, you also have the ability to block inbound and outbound connections. Administrators also have the ability to control the Windows Firewall Private Profile behavior along with setting up logging.
  • Public Profile:
    On the Public Profile tab, you have the ability to turn the firewall on or off by using the Firewall State drop-down menu. When setting the Firewall State in this tab, it's for turning the firewall on or off for the Public Profile only. When turning the firewall on, you also have the ability to block inbound and outbound connections. Administrators also have the ability to control the Windows Firewall Public Profile behavior along with setting up logging.
  • IPsec Settings Tab:
    The IPsec Settings tab allows you to set up the IPsec defaults, IPsec exemptions, and IPsec tunnel authorization. The IPsec defaults button allows you to specify settings used by IPsec to establish secured connections. The IPsec exemptions allow you to set up ICMP exemptions from IPsec. Finally, you can set up IPsec tunnel authorization, which allows you to specify the users and computers that are authorized to establish an IPsec tunnel.
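The per-profile settings described in the Domain, Private and Public Profile tabs can also be set from PowerShell. This is an added example, not code from the original text; it runs in an elevated PowerShell on Windows Server 2012 or later, and the log folder C:\FirewallLogs is an assumption.

```powershell
# Added example (not from the original text): set each profile's state, default actions and
# logging the way the Domain, Private and Public tabs do, then read the result back.
# Run in an elevated PowerShell; the log folder C:\FirewallLogs is an assumption.

$logRoot = 'C:\FirewallLogs'
if (-not (Test-Path $logRoot)) { New-Item -ItemType Directory -Path $logRoot | Out-Null }
# The firewall service (MpsSvc) writes the log, so it needs modify rights on a custom folder.
icacls $logRoot /grant 'NT SERVICE\MpsSvc:(OI)(CI)M' | Out-Null

foreach ($profileName in 'Domain', 'Private', 'Public') {
    $settings = @{
        Name                  = $profileName
        Enabled               = 'True'    # Firewall State: On
        DefaultInboundAction  = 'Block'   # inbound traffic is dropped unless an enabled rule allows it
        DefaultOutboundAction = 'Allow'   # set to 'Block' to make outbound traffic allow-list only
        LogBlocked            = 'True'    # dropped packets are what you read when troubleshooting
        LogAllowed            = 'False'   # logging allowed packets fills the file quickly
        LogFileName           = "$logRoot\pfirewall-$($profileName.ToLower()).log"
        LogMaxSizeKilobytes   = 16384
    }
    Set-NetFirewallProfile @settings
}

# Read the effective settings back, as the Monitoring node shows them.
Get-NetFirewallProfile -Name Domain, Private, Public |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName |
    Format-Table -AutoSize
```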

Windows Server 2012 takes firewalls a step further than just the normal firewall settings in Control Panel. An MMC snap-in called Windows Firewall with Advanced Security can block all incoming and outgoing connections based on its configuration.

One of the major advantages to using the Windows Firewall with Advanced Security snap-in is the ability to set firewall configurations on remote computers using group policies. Another advantage to using this MMC is the ability to set up firewalls using IPsec security. The Windows Firewall with Advanced Security snap-in allows an administrator to set more in-depth rules for Microsoft Active Directory users and groups, source and destination Internet Protocol (IP) addresses, IP port numbers, ICMP settings, IPsec settings, specific types of interfaces, and services.

You can configure more advanced settings by configuring Windows Firewall with Advanced Security. To access Windows Firewall with Advanced Security, click the Windows key and choose Control Panel → Large Icons View → Windows Firewall, and then click the Advanced Settings link.

The scope pane to the left shows that you can set up specific inbound and outbound rules, connection security rules, and monitoring rules. The central area shows an overview of the firewall's status as well as the current profile settings.

Inbound and Outbound Rules

Inbound and outbound rules consist of many preconfigured rules that can be enabled or disabled. Obviously, inbound rules monitor inbound traffic, and outbound rules monitor outbound traffic. By default, many are disabled. Double-clicking a rule will bring up its Properties dialog box.

You can filter the rules to make them easier to view. Filtering can be performed based on the profile the rule affects or whether the rule is enabled or disabled or based on the rule group.

If you can't find a rule that is appropriate to your needs, you can create a new rule by right-clicking Inbound Rules or Outbound Rules in the scope pane and then selecting New Rule. The New Inbound (or Outbound) Rule Wizard will launch, and you will be asked whether you want to create a rule based on a particular program, protocol or port, predefined category, or custom settings.

The following steps create a new inbound rule that allows only encrypted TCP traffic. In this section, you will create a custom rule and then specify which authorized users and computers can connect using this rule.

Configuring Windows Firewall

  1. Press the Windows Key → Control Panel → Large Icon View → Windows Firewall.
  2. Click Advanced Settings on the left-hand side.
  3. Right-click Inbound Rules and select New Rule.
  4. Choose a rule type. For this section, choose Custom so that you can see all of the options available to you; then click Next.
  5. Choose the programs or services that are affected by this rule. For this section, choose All Programs; then click Next.
  6. Choose the protocol type as well as the local and remote port numbers that are affected by this rule. For this section, choose TCP, and make sure that All Ports is selected for both Local Port and Remote Port. Click Next to continue.
  7. Choose the local and remote IP addresses that are affected by this rule. Choose Any IP Address for both local and remote; then click Next.
  8. Specify whether this rule will allow the connection, allow the connection only if it is secure, or block the connection. Select the option Allow The Connection If It Is Secure; then click Next.
  9. Specify whether connections should be allowed only from certain users. You can experiment with these options if you want. Then click Next to continue.
  10. Specify whether connections should be allowed only from certain computers. Again you can experiment with these options if you want. Then click Next to continue.
  11. Choose which profiles will be affected by this rule. Select one or more profiles, and click Next to continue.
  12. Give your rule a name and description; then click Finish. Your custom rule will appear in the list of Inbound Rules, and the rule will be enabled.
  13. Double-click your newly created rule. Notice that you can change the options that you previously configured.
  14. Disable the rule by right-clicking the rule and choosing Disable Rule.
  15. Close Windows Firewall.
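The same rule the wizard builds in steps 3 through 14 can be created with New-NetFirewallRule. This is an added example, not code from the original text; the rule name, the placeholder group SID and the profile choice are assumptions, and everything else mirrors the wizard choices above.

```powershell
# Added example (not from the original text): the custom "allow only if secure" inbound rule
# from steps 3-14, created from an elevated PowerShell. Rule name, SID and profiles are assumed.

$ruleName = 'Allow secure TCP (custom)'

# Placeholder SID for the "authorized users" step (step 9); replace with a real group SID,
# e.g. (Get-ADGroup 'Remote Operators').SID. "CC" is the right the firewall reads as
# "allowed to connect"; the GUI writes the same SDDL form when you pick users there.
$authorizedGroupSid = 'S-1-5-21-0000000000-0000000000-0000000000-1234'
$remoteUserSddl     = "O:LSD:(A;;CC;;;$authorizedGroupSid)"

$rule = @{
    DisplayName    = $ruleName
    Description    = 'Custom inbound rule: TCP, any port, only authenticated and encrypted (IPsec) peers'
    Direction      = 'Inbound'              # step 3: Inbound Rules
    Program        = 'Any'                  # step 5: All Programs
    Protocol       = 'TCP'                  # step 6: TCP, all local and remote ports
    LocalPort      = 'Any'
    RemotePort     = 'Any'
    LocalAddress   = 'Any'                  # step 7: any IP address on both sides
    RemoteAddress  = 'Any'
    Action         = 'Allow'                # step 8: "Allow the connection if it is secure" ...
    Authentication = 'Required'             #   ... means IPsec authentication is mandatory
    Encryption     = 'Required'             #   ... and, for this section, the traffic must be encrypted
    RemoteUser     = $remoteUserSddl        # step 9: only these users may connect
    Profile        = 'Domain', 'Private'    # step 11
    Enabled        = 'True'                 # step 12: newly created rules are enabled
}
New-NetFirewallRule @rule | Out-Null

# Step 13: read the rule back. The security filter is where the "secure" settings live.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallSecurityFilter |
    Select-Object Authentication, Encryption, RemoteUser

# Step 14: keep the rule on disk but take it out of enforcement.
Disable-NetFirewallRule -DisplayName $ruleName
```

A rule with Authentication set to Required only ever matches traffic that IPsec has already protected, so without a matching Connection Security Rule it allows nothing at all; that is the expected, fail-closed behaviour, not a misconfiguration.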

Now let's take a look at setting up Connection Security Rules through Windows Firewall with Advanced Security.

Configuring Windows Firewall with a GPO

If you want to configure Windows Firewall on all of your client machines, you have two options. You can either manually configure each machine or set up a GPO to configure Windows Firewall. To set up a GPO for Windows Firewall, configure the Computer Configuration section → Windows Settings → Security Settings → Windows Firewall With Advanced Security.

Import/Export Policies

One advantage of configuring Windows Firewall is the ability to export and import policy settings. For example, when I needed to set up a policy for 35 machines, I created the policy on one of the 35 machines and then exported it. I then imported the policy on the other 34 machines, so I did not have to re-create the policy over and over again. To export a policy, right-click Windows Firewall With Advanced Security and choose Export Policy. Choose Import Policy on the other machines to import the policy.
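The Export Policy and Import Policy steps, and the GPO route from the previous section, can be scripted so that the 34 imports are not done by hand. This is an added example, not code from the original text; the file share, local staging path, computer names and GPO name are assumptions, and WinRM is assumed to be enabled on the targets.

```powershell
# Added example (not from the original text): Export Policy / Import Policy from the command
# line, plus writing rules straight into a GPO. Share, staging path, computer names and the
# GPO name are assumptions; WinRM is assumed to be enabled on the target machines.

$share   = '\\fileserver\firewall'     # assumed share reachable from the admin workstation
$staging = 'C:\Temp\baseline.wfw'      # assumed local path on every target

# 1. On the reference machine: export the complete Windows Firewall with Advanced Security
#    policy (profile settings, inbound/outbound rules, connection security rules) to a .wfw file.
netsh advfirewall export "$share\baseline.wfw"

# 2. On each other machine: stage the file locally, then import it. Copying first avoids the
#    remote session having to reach the share with delegated credentials. Import replaces the
#    target's whole policy rather than merging, so rules that exist only on that machine are lost.
foreach ($target in 'CLIENT02', 'CLIENT03', 'CLIENT04') {      # assumed computer names
    New-Item -ItemType Directory -Path "\\$target\C$\Temp" -Force | Out-Null
    Copy-Item "$share\baseline.wfw" -Destination "\\$target\C$\Temp\baseline.wfw"
    Invoke-Command -ComputerName $target -ScriptBlock {
        param($path)
        netsh advfirewall import "$path"
    } -ArgumentList $staging
}

# 3. The GPO alternative: write rules into the GPO's own policy store (the node under
#    Computer Configuration > Windows Settings > Security Settings > Windows Firewall with
#    Advanced Security) so that Group Policy carries them to every client at refresh time.
$session = Open-NetGPO -PolicyStore 'corp.example.com\Firewall Baseline'   # "Domain\GPO name"; assumed
New-NetFirewallRule -GPOSession $session -DisplayName 'Block inbound Telnet' `
    -Direction Inbound -Protocol TCP -LocalPort 23 -Action Block -Profile Any | Out-Null
Save-NetGPO -GPOSession $session
```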

IPsec Policy Settings in Windows Firewall

When configuring options for Windows Firewall with Advanced Security, you have the ability to configure some IPsec policies. The three options are:

  • IPsec Defaults:
    Specify settings used by IPsec to establish secure connections.
  • IPsec Exemptions:
    Exempting ICMP from all IPsec requirements can simplify troubleshooting of network connectivity issues.
  • IPsec Tunnel Authorization:
    Specify the computers or users that are authorized to establish IPsec tunnel connections to this computer.

Monitoring

The Monitoring section shows detailed information about the firewall configurations for the Domain Profile, Private Profile, and Public Profile settings. These network location profiles determine which settings are enforced for private networks, public networks, and networks connected to a domain.
