Windows Firewall
Windows Vista and Windows 7 have an enhanced version of the Windows Firewall that was first included in Windows XP SP2. The Windows Firewall combines the functionality of a bidirectional host firewall and Internet Protocol security (IPsec) into a single, unified utility with a consistent user interface. Unlike a perimeter firewall, the Windows Firewall runs on each computer running Windows Vista or Windows 7 and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security that allows you to require authentication and data protection for all communications.
The Windows Firewall is a stateful firewall, so it inspects and filters all TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6) traffic. Unsolicited incoming traffic is dropped unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, it has been added to the exceptions list or is permitted by an inbound rule). Outgoing traffic from interactive applications is allowed by default, but outgoing traffic from services is limited by the firewall to that which is required according to each service's profile in Windows Service Hardening. You can specify traffic to be added to the exceptions list and create inbound and outbound rules according to application name, service name, port number, destination network, domain membership, or other criteria by configuring Windows Firewall with Advanced Security settings.
For traffic that is allowed, the Windows Firewall also allows you to request or require that computers authenticate each other before communicating and to use data integrity and data encryption while exchanging traffic.
In Windows Vista, the Windows Firewall has many new features, including the following:
- Management integration with IPsec Windows XP and earlier operating systems used two separate interfaces, even though the Windows Firewall and IPsec had a significant amount of feature overlap. Now you can manage both using a single interface.
- New user and command-line interfaces Improved interfaces simplify management and enable automated, scripted control over firewall settings.
- Full IPv6 support If your organization uses IPv6, you can now take advantage of Windows Firewall.
- Outbound filtering You can filter traffic being sent from a client computer as well as traffic being received by the computer. This enables you to restrict which applications can send traffic and where they can send it. For example, you might filter management alerts so that they can be sent only to your internal network. The outbound filtering feature in the Windows Firewall is not intended to prevent an infected computer from communicating, which is generally not possible (the malware might simply disable the firewall). Rather, outbound filtering allows administrators to assign policies to machines to prohibit known behavior, such as preventing unauthorized peer-to-peer software from communicating.
- Windows Service Hardening This feature limits the actions a service can take and also limits how the service communicates on the network, reducing the damage caused during a security compromise.
- Full Group Policy integration This feature enables you to centrally configure the Windows Firewall on all computers in your Active Directory Domain Services (AD DS) domain.
- Filtering traffic by new properties The Windows Firewall can filter traffic by using the following:
- AD DS groups (authorized users and authorized computers)
- Internet Control Message Protocol (ICMP) extensions
- IP address lists
- Port lists
- Service names
- Authenticated by IPsec
- Encrypted by IPsec
- Interface type
- IP address authentication The Windows Firewall supports IP address authentication with the ability to have two rounds of authentication with different credentials in each, including user credentials if desired.
- Application-based IPsec policies The Windows Firewall now supports applicationbased IPsec policies.
- Simplified IPsec policy This type of policy makes it much easier to deploy Server and Domain Isolation. When configured with a simplified policy, client computers make two connections to a destination: one unprotected connection and one connection with IPsec. The client computer will drop whichever connection does not receive a reply. With a single rule, then, client computers can adapt themselves to communicate with IPsec or in clear-text, whichever the destination supports.
Note One of the biggest challenges of protecting computers is that security settings can degrade over time. For example, support desk personnel might change a security setting while troubleshooting a problem and forget to correct it. Even if you enable Automatic Updates, a mobile computer might fail to download updates while disconnected from the network. To help you detect security vulnerabilities, use the Microsoft Baseline Security Analyzer (MBSA), available at http://www.microsoft.com/mbsa. MBSA can audit security settings on multiple computers on your network. MBSA is also a great way to verify security settings on new computers before deploying them.
In this tutorial:
- Windows 7 Security
- Addressing Specific Security Concerns
- Help Desk Calls Related to Malware
- Protecting Against Bundling and Social Engineering
- Protecting Against Browser Exploit Malware Installations
- Protecting Against Network Worms
- Data Theft
- Security Features Previously Introduced in Windows Vista
- Windows Defender
- Windows Firewall
- Encrypting File System
- Credential Manager Enhancements
- New Security Features of Windows 7