
Understanding Connection Security Rules

Connection security rules specify how and when Windows Firewall with Advanced Security uses IPsec to protect traffic passing between the local computer and other computers on the network. Connection security rules force two peer computers to authenticate before a connection can be established between them. Connection security rules can also ensure that communications between the computers are secure by encrypting all traffic passed between them. Connection security rules are typically used in the following types of scenarios:

  • Server isolation: Server isolation involves configuring connection security rules on a server so that connection attempts from other computers on the network must be authenticated (and optionally, encrypted) before the server accepts them. For example, a back-end database server might be configured to accept only authenticated connections from a front-end Web application server. For more information on how server isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic server isolation scenario.
  • Domain isolation: Domain isolation involves configuring connection security rules on both clients and servers so that domain members accept only authenticated (and optionally, encrypted) connection attempts from other domain members. By default, connection attempts from non-domain members are not accepted, but you can configure exception rules that allow unauthenticated connections from specific non-domain members. For more information on how domain isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic domain isolation scenario.
  • Network Access Protection: Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that enforces health requirements by monitoring and assessing the health of client computers when they try to connect or communicate on a network. Client computers that are found to be out of compliance with the health policy can then be given restricted network access until their configuration has been updated and brought into compliance with policy. Windows Firewall with Advanced Security can be used as part of a NAP implementation by creating connection security rules that require computer certificates for authentication. Specifically, client computers that are determined to be in compliance with health policy are provisioned with the computer certificate needed to authenticate. For more information on how NAP works and how to implement it, see http://www.microsoft.com/nap/.
  • DirectAccess: DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that provides users with the experience of being seamlessly connected to their corporate network any time they have Internet access. Using DirectAccess, users can securely access internal resources such as e-mail servers and intranet sites without first having to establish a VPN connection to their corporate network. DirectAccess uses IPv6 together with IPsec tunnels to establish secure, bidirectional communications between the client computer and the corporate network over the public Internet. DirectAccess also integrates seamlessly with server and domain isolation scenarios and NAP implementations, enabling enterprises to create comprehensive end-to-end security, access, and health requirement solutions. For more information on how DirectAccess works and how to implement it, see http://www.microsoft.com/directaccess/.
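As an added example (not part of the original tutorial or Microsoft's guides), the following commands show how the domain isolation and server isolation scenarios above are expressed as connection security rules with the netsh advfirewall consec context available on Windows 7 and Windows Server 2008 R2. The rule names and the 192.0.2.0/24 exemption subnet are constructed placeholders; the commands must be run from an elevated command prompt on a domain member, and the request-only step is deliberately done first so that a peer that cannot negotiate IPsec is not locked out while the deployment is verified.

```batch
REM Added example, not code from the tutorial. Run elevated on a domain member.
REM Rule names and the 192.0.2.0/24 subnet are constructed placeholders.

REM 1. Domain isolation rollout step: request (do not yet require) Kerberos
REM    computer authentication for all traffic in the domain profile. Peers
REM    that cannot do IPsec still connect, so nothing breaks during testing.
netsh advfirewall consec add rule name="Domain isolation (request)" ^
    endpoint1=any endpoint2=any action=requestinrequestout ^
    auth1=computerkerb profile=domain enable=yes

REM 2. Exemption rule for non-domain infrastructure hosts (for example a DNS
REM    or DHCP server that is not a domain member). The more specific
REM    endpoint makes this rule win over the any/any rule above.
netsh advfirewall consec add rule name="Exempt infrastructure subnet" ^
    endpoint1=any endpoint2=192.0.2.0/24 action=noauthentication ^
    profile=domain enable=yes

REM 3. Verify: list the rules, then confirm that main-mode and quick-mode
REM    security associations are actually being established with peers.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

REM 4. Server isolation posture: once every domain peer negotiates
REM    successfully, tighten the rule so inbound connections must be
REM    authenticated while outbound connections still only request it.
netsh advfirewall consec set rule name="Domain isolation (request)" ^
    new action=requireinrequestout
```

Check the monitor output between steps 3 and 4: if a peer you expect to be a domain member shows no security association, it is either hitting the exemption rule or failing Kerberos computer authentication, and switching to requireinrequestout at that point would cut it off rather than secure it.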