Configuring Windows Firewall with Advanced Security
Windows Firewall with Advanced Security is a stateful
firewall: it inspects all IP traffic (IPv4 and IPv6) and tracks the
state of each connection. By default, all incoming traffic is blocked
unless it is a response to a request the host itself made (called solicited traffic)
or unless a rule explicitly allows it. You allow specific traffic by
creating firewall rules that match on port number, application name,
service name, and other criteria.
Figure 2
shows the Windows Firewall with Advanced Security as viewed from within
Server Manager. You can see the three profiles (Domain, Private, and
Public) are all “on,” but keep in mind that only one profile at a time
is applied based on the connection type. The default settings for each
profile are often adequate to start with. Notice in the right pane
under Actions, you can import and export policies as well as restore
defaults, a handy feature in the event you tweak your settings and
create a problem that you can’t pinpoint. Export a known-good policy
before you start changing rules; restoring defaults discards every
custom rule and connection security rule on the server.
Notice
also that you can access Inbound Rules, Outbound Rules, Connection
Security Rules, as well as Monitoring (with additional options beneath
Monitoring) from this screen. Keep in mind that the Windows Firewall
with Advanced Security settings here are server-specific, meaning,
these settings are applied to this server’s connections. You can
configure additional options by accessing the Windows Firewall with
Advanced Security snap-in via the MMC console. We’ll discuss that later
in this chapter.
Warning
Microsoft
recommends enabling Windows Firewall with Advanced Security for all
three profiles. You may see an exam question on this topic implying
that you can enable only one profile at a time. You can configure these
profiles by right-clicking Windows Firewall with Advanced Security in the left pane of Server Manager, then clicking Properties. You can also access the properties from the Action menu item, the Action pane on the right, or the center pane, when the folder is selected. All three profiles should be enabled, but only one will be applied, chosen according to the network location detected by the Network Location Awareness (NLA) service.
Incoming and Outgoing Traffic Filtering
Firewall
rules are configured for incoming and outgoing traffic to determine
which packets will be allowed and which will be blocked. When incoming
traffic is blocked, the packet is discarded. An entry is written to the
firewall log only if logging of dropped packets has been enabled in the
profile’s properties; it is off by default, and the default log file is
%systemroot%\system32\LogFiles\Firewall\pfirewall.log. The firewall
options are numerous and we’ll look briefly at these options.
In
each profile (domain, private, and public), you can set the default
action taken for inbound and outbound connections, that is, the action
used when no rule matches. This is not the same thing as the inbound and
outbound rules for the firewall, though they certainly work together to
provide security: rules are evaluated first, and the profile’s default
action applies only to traffic that no rule matches.
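The profile settings discussed above (turning the firewall on for all three profiles, the default inbound and outbound actions, export and restore, and logging of dropped packets) can all be set from the command line with netsh advfirewall. The following is an added example, not part of the original text or of Microsoft’s documentation; the backup path is an assumption.

```batch
@echo off
rem Added example (not from the original text): profile settings via netsh
rem advfirewall, mirroring what the Properties dialog in Server Manager exposes.
rem Run from an elevated command prompt on Windows Server 2008 or later.

rem Back up the current policy before changing anything, so "Restore Default
rem Policy" is not the only way back. The path is an assumption for this example.
netsh advfirewall export "C:\Backup\wfas-before.wfw"

rem Turn the firewall on for all three profiles (domain, private, public).
netsh advfirewall set allprofiles state on

rem Default action when no rule matches: block unsolicited inbound, allow outbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem Dropped packets are NOT logged unless you enable it per profile; the default
rem log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096

rem Confirm which profile is currently applied and review all three.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

rem If a later change breaks connectivity, return to the export or to defaults:
rem   netsh advfirewall import "C:\Backup\wfas-before.wfw"
rem   netsh advfirewall reset
```

The log file is the first place to look when a connection you expected to work is silently dropped; with dropped-packet logging disabled, there is nothing to look at.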
Firewall Rules
Rules can be configured for inbound or outbound
traffic, for computers, users, programs, services, ports, and
protocols. You can also specify which types of network adapters rules
will apply to—local area connections, wireless, remote (VPN), and so
on. You can also create a rule that is applied when a specific profile
is used.
Inbound
and outbound rules explicitly allow or block traffic that matches the
criteria of the rule. For inbound traffic, you can configure rules that
allow inbound traffic secured by IPsec, for example, but block traffic
that is not secured by IPsec. You can also configure Windows Firewall
with Advanced Security to take a specific action (to block or allow
connections) when no inbound rules apply. Keep in mind that an explicit
block rule takes precedence over an allow rule for the same traffic;
only an allow rule configured to override block rules (which requires
IPsec-authenticated computers) ranks above it. Inbound traffic is
blocked by default and must explicitly be allowed; Windows Firewall
with Advanced Security is part of Windows Server 2008 and is enabled
from the start.
Outbound
rules can be used to block outbound traffic from a particular computer
or group of computers, for example, or to block particular traffic
types or
through specific ports. Outbound traffic is allowed by default, so you
must create an outbound rule to block any outgoing traffic.
By
default, Windows Firewall with Advanced Security blocks all incoming
unsolicited TCP/IP traffic. That’s a good thing for security but
usually creates connectivity problems of some sort in many networks.
You may need to create rules for programs and services that act as
servers, listeners, or peers. Program, port, and service rules have to
be actively managed as server roles and configurations change.
Therefore, less is more when creating rules. Create only the rules you
need to get the job done and note which are likely to require on-going
monitoring and maintenance versus those that you can set and forget.
A
program rule is tied to the executable rather than to a port: while the
program is running, the firewall allows inbound traffic to whatever ports
that program is listening on, and when the program is not running, that
traffic is blocked. The recommended method, then, for allowing
unsolicited incoming TCP/IP traffic through the firewall is to add
programs to the rules list rather than opening ports outright. In Exercise 10.5,
you can step through creating new inbound and outbound rules. Be sure
to become familiar with setting up Windows Firewall with Advanced
Security. Some of the new features are highly likely to end up as exam
questions.
In
this exercise, we’ll walk through creating a new inbound and outbound
rule. Begin by accessing the Windows Firewall with Advanced Security
folder in the left pane of Server Manager (located under Configuration
if the tree is collapsed). Expand the Windows Firewall node and
right-click on Inbound Rules (or click New Rules in the Actions pane to
the right) and select New Rule. The New Inbound Rule Wizard will launch.
1. The first screen gives you four options for a new rule: Program, Port, Predefined, and Custom. Select Program and click Next.
2. The Program screen prompts you to create a rule for all programs or for a
particular program. If you want to set a rule for a particular program,
click This program path: and then click Browse to locate the program file. We’ll select All programs and click Next.
3. The next screen defines the Action to be taken. The choices are Allow the
connection; Allow the connection if it is secure (with the sub-options Require the
connection to be encrypted and Override block rules); and Block the
connection. If you Allow the connection, all connections for all
programs will be allowed. If you Allow the connection if it is secure,
you can require IPsec be used, but you’ll have to separately configure
IPsec in the Connection Security Rules node (more on that in a moment).
You can require the connection be encrypted; this provides privacy along
with data integrity and authentication. You can also specify that the
rule override block rules. This can be helpful in using remote
administration tools that might otherwise be blocked. However, to use
this option, you must also specify an authorized computer or computer
group. Select Block the connection (we’re assuming your Windows Server 2008 is on a test network and not a live network for all exercises), then click Next.
4. In the Profile screen, you can apply this rule to any of the three
profiles (domain, public, and private). The default setting selects all
three profiles. Accept this setting by clicking Next.
5. The final screen of the New Inbound Rule Wizard is to create a name for the
rule. Tip: Using a short descriptive name will help immensely if you
want to manage the firewall rules via the command line netsh commands.
For this rule, type All Programs Blocked in the Name: text box and leave the description blank. Click Finish to create this rule. Figure 3
shows the resulting new rule added to the Inbound Rules section. Notice
that you can Disable Rule, Delete, check Properties, and get Help for
the inbound rule you just created.
When
you configure a new rule and select Port (instead of Program), you’ll
be prompted to create a rule for a specific TCP or UDP port. Once you
select TCP or UDP, you can apply the rule to all local ports or just
specific ports by entering port number(s). The Wizards for creating
inbound and outbound rules have the same options and they’re pretty
straightforward. Keep in mind that you should start out with the
default rules and add rules only as you need them, and scope each rule
(profile, remote address, interface type) as narrowly as the job allows.
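The exercise above and the Port variant can be reproduced with netsh advfirewall, which is also how you would script the same rules across several servers. This is an added example rather than part of the exercise; the program path, port numbers, and subnet are assumptions chosen for illustration.

```batch
@echo off
rem Added example (not part of the original exercise): the wizard's rules built
rem with netsh advfirewall from an elevated command prompt. The rule names, the
rem program path, the ports, and the subnet are assumptions for this example.

rem 1. The exercise's rule: block inbound connections for all programs, all
rem    profiles. Block rules win over allow rules, so on a live server this also
rem    cuts off RDP, file sharing, and anything else you have allowed. Test
rem    network only.
netsh advfirewall firewall add rule name="All Programs Blocked" dir=in action=block profile=any

rem Verify it, then disable it rather than deleting it (the same choice the
rem Inbound Rules pane offers).
netsh advfirewall firewall show rule name="All Programs Blocked"
netsh advfirewall firewall set rule name="All Programs Blocked" new enable=no

rem 2. A program rule, the recommended way to admit unsolicited inbound traffic:
rem    traffic reaches this executable only while it is running and listening,
rem    and only on the domain profile.
netsh advfirewall firewall add rule name="Allow MyService" dir=in action=allow program="C:\Program Files\MyApp\myservice.exe" profile=domain

rem 3. A port rule (the Port option in the wizard): TCP 8443 inbound, domain
rem    profile only, restricted to the server subnet instead of any remote host.
netsh advfirewall firewall add rule name="Allow TCP 8443 from servers" dir=in action=allow protocol=TCP localport=8443 remoteip=10.0.0.0/24 profile=domain

rem 4. An outbound block rule: outbound is allowed by default, so blocking
rem    outgoing SMTP from this server needs an explicit rule.
netsh advfirewall firewall add rule name="Block outbound SMTP" dir=out action=block protocol=TCP remoteport=25

rem Review the inbound rule set, and remove a rule by the short name you gave it.
netsh advfirewall firewall show rule name=all dir=in
netsh advfirewall firewall delete rule name="Block outbound SMTP"
```

Short, distinctive rule names matter here: netsh addresses rules by name, and several rules may share one name, in which case show, set, and delete act on all of them.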
Connection Security Rules
Connection
security rules are different from inbound and outbound traffic rules.
Firewall rules allow traffic through the firewall based on rules you’ve
configured, but they do not enforce connection security. To secure
traffic with IPsec, you must create connection security rules. Note
that the creation of connection security rules does not allow the
traffic to pass through the firewall. These are two separate but
interrelated concepts. Connection security rules are not applied to
programs or services; they are applied only between the two computers
trying to communicate.
Connection security rules work in conjunction with inbound and outbound rules. To create a new rule, click the Connection security rules node in the left pane and choose New Rule from the right pane (or click Action on the menu and select New Rule or right-click Connection security rules and select New Rule from the shortcut menu). When the New Connection Security Rule Wizard starts, you’ll have several options. Figure 4 shows the Rule Type screen.
Your options on this screen are:
Isolation. Restrict connections based on authentication criteria, such as domain membership or health status.
Authentication exemption. Do not authenticate connections from specific computers.
Server-to-server. Authenticate connections between the specified computers.
Tunnel. Authenticate connections between gateway computers.
Custom. Create a custom rule.
Remember,
connection security rules specify how and when authentication and
security occurs, but they do not allow or block connections; this is
managed through inbound and outbound rules.
The
options for the remaining screens of the wizard depend on the choice you
made on the Rule Type screen, but once that selection is made the
remaining configuration (endpoints, authentication requirements,
authentication method, profiles, and name) is fairly straightforward. If
you choose to create a custom rule, you’ll be prompted to provide
Endpoint information for the computers creating the connection.
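To make the “separate but interrelated” point concrete, the following added example (not part of the original text) creates a server-to-server connection security rule with netsh advfirewall and then a firewall rule that admits traffic only when that IPsec authentication has taken place. The addresses, port, and names are assumptions; both computers are assumed to be domain members so that Kerberos computer authentication works.

```batch
@echo off
rem Added example (not from the original text): a connection security rule plus
rem the firewall rule that relies on it. The IP addresses, port, and rule names
rem are assumptions for this example. Run from an elevated command prompt.

rem Connection security rule (Server-to-server in the wizard): between this
rem server (10.0.0.10) and one peer (10.0.0.20), require authentication for
rem inbound connections and request it for outbound, using Kerberos computer
rem authentication. This rule on its own lets nothing through the firewall.
netsh advfirewall consec add rule name="Require IPsec from APP01" endpoint1=10.0.0.10 endpoint2=10.0.0.20 action=requireinrequestout auth1=computerkerb profile=domain

rem Firewall rule: allow TCP 1433 inbound from the peer only if the connection
rem was authenticated by IPsec ("Allow the connection if it is secure" in the
rem wizard). Unauthenticated packets to 1433 still hit the default block.
netsh advfirewall firewall add rule name="SQL from APP01 (IPsec only)" dir=in action=allow protocol=TCP localport=1433 remoteip=10.0.0.20 security=authenticate profile=domain

rem Confirm both rules.
netsh advfirewall consec show rule name="Require IPsec from APP01"
netsh advfirewall firewall show rule name="SQL from APP01 (IPsec only)"

rem After the peer connects, the main-mode and quick-mode security associations
rem should appear here (the same data as the Monitoring node in the snap-in).
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The peer needs a matching connection security rule, or no security association is ever negotiated and the allow rule never matches; a missing SA under Monitoring is the first thing to check when an IPsec-only rule appears to block everything.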