Windows Server

Windows Firewall with Advanced Security in Windows Server 2008 (part 2)

11/27/2010 6:00:22 PM

Configuring Windows Firewall with Advanced Security

Windows Firewall with Advanced Security is a stateful firewall: it inspects every packet for all IP traffic, IPv4 and IPv6 alike, and tracks the state of each connection. By default, all incoming traffic is blocked unless it is a response to a request the host itself made (solicited traffic) or it matches a rule that explicitly allows it. You allow specific traffic by creating firewall rules that match on port number, program path, service name, and other criteria.

Figure 2 shows Windows Firewall with Advanced Security as viewed from within Server Manager. You can see that the three profiles (Domain, Private, and Public) are all "on," but keep in mind that only one profile is applied at a time, chosen according to the type of network the server's connection is on. The default settings for each profile are usually adequate to start with. Notice in the right pane under Actions that you can import and export policies as well as restore defaults. Exporting a policy before you change anything is a handy safeguard: if you tweak your settings and create a problem you can't pinpoint, you can import the saved policy or restore the defaults.

Figure 2. Windows Firewall with Advanced Security—Server Manager View


Notice also that you can access Inbound Rules, Outbound Rules, Connection Security Rules, as well as Monitoring (with additional options beneath Monitoring) from this screen. Keep in mind that the Windows Firewall with Advanced Security settings here are server-specific, meaning, these settings are applied to this server’s connections. You can configure additional options by accessing the Windows Firewall with Advanced Security snap-in via the MMC console. We’ll discuss that later in this chapter.

Warning

Microsoft recommends enabling Windows Firewall with Advanced Security for all three profiles. You may see an exam question on this topic implying that you can enable only one profile at a time. You can configure these profiles by right-clicking Windows Firewall with Advanced Security in the left pane of Server Manager, then clicking Properties. You can also access the properties from the Action menu item, the Action pane on the right, or the center pane when the folder is selected. All three profiles should be enabled, but only one will be applied, as determined by the Network Location Awareness (NLA) service.


Incoming and Outgoing Traffic Filtering

Firewall rules are evaluated for incoming and outgoing traffic to determine which packets are allowed and which are blocked. When incoming traffic is blocked, the packet is discarded; an entry is also written to the firewall log, but only if logging of dropped packets has been enabled for the active profile (it is off by default). The firewall options are numerous, and we'll look at them briefly here.

In each profile (domain, private, and public), you set the default action taken for inbound and outbound connections that match no rule. This is not the same thing as the firewall's inbound and outbound rules, though the two work together to provide security: rules are evaluated first, and the profile's default action applies only to connections that no rule matches.
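The profile checks and settings described above can also be done from the command line with netsh advfirewall, the built-in CLI for Windows Firewall with Advanced Security. The following is an added example, not from the original chapter; it is shown as it would be typed into an elevated PowerShell prompt on the server (the netsh lines work unchanged in cmd.exe). The backup path is an assumption; the log file location is the firewall's default.

```powershell
# Added example (not from the book). Run elevated on the Windows Server 2008 host.
# Each netsh advfirewall command below corresponds to a setting in the
# Windows Firewall with Advanced Security properties dialog.

# 1. Back up the current policy before touching anything (same as Export Policy in
#    the Actions pane). The path is an assumption for this example.
$backup = "C:\Admin\wfas-before-changes.wfw"
netsh advfirewall export "$backup"

# 2. Show which profile NLA has made active right now, then the state and default
#    inbound/outbound action of all three profiles.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

# 3. Enforce the recommended baseline on every profile: firewall on, unsolicited
#    inbound blocked, outbound allowed. These are the factory defaults, restated so
#    that any drift from them is corrected.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 4. Log dropped packets (off by default) so that a discarded packet actually leaves
#    a trace. Allowed connections stay unlogged to keep the file readable.
$logfile = "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"   # default path
netsh advfirewall set allprofiles logging filename "$logfile"
netsh advfirewall set allprofiles logging maxfilesize 4096              # size in KB
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections disable

# 5. Spot-check once some traffic has been dropped: the last ten DROP entries.
#    Log fields are space-separated: date time action protocol src-ip dst-ip ...
Get-Content $logfile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match " DROP " } |
    Select-Object -Last 10

# To undo everything done here:  netsh advfirewall import "$backup"
# To go back to factory defaults: netsh advfirewall reset
```

The export in step 1 captures rules, connection security rules, and profile settings in one .wfw file, which is the same format the Import Policy action in Server Manager reads, so the command-line backup can be restored from either place.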

Firewall Rules

Rules can be configured for inbound or outbound traffic, for computers, users, programs, services, ports, and protocols. You can also specify which types of network adapters rules will apply to—local area connections, wireless, remote (VPN), and so on. You can also create a rule that is applied when a specific profile is used.

Inbound and outbound rules explicitly allow or block traffic that matches the rule's criteria. For inbound traffic, you can, for example, create a rule that allows traffic only when it is secured by IPsec, so that the same traffic is blocked when it arrives unprotected. You can also configure the action Windows Firewall with Advanced Security takes when no inbound rule applies (block or allow). On a freshly installed Windows Server 2008 system, inbound traffic is blocked by default, so any unsolicited inbound traffic must be explicitly allowed.

Outbound rules can be used to block outbound traffic from a particular computer or group of computers, for example, or to block particular traffic types or through specific ports. Outbound traffic is allowed by default, so you must create an outbound rule to block any outgoing traffic.

By default, Windows Firewall with Advanced Security blocks all unsolicited inbound TCP/IP traffic. That is good for security, but on many networks it breaks something until the right rules are in place. You may need to create rules for programs and services that act as servers, listeners, or peers. Program, port, and service rules have to be actively managed as server roles and configurations change, so less is more when creating rules. Create only the rules you need to get the job done, and note which are likely to require ongoing monitoring and maintenance versus those you can set and forget.

When you create a rule for a program, Windows Firewall with Advanced Security admits inbound traffic only on the ports that program is actually listening on, and only while the program is running; when the program exits, that traffic is blocked again. This is why the recommended method for allowing unsolicited inbound TCP/IP traffic through the firewall is to add programs to the rules list rather than opening ports: a port rule leaves the port open whether or not anything is listening on it. In Exercise 10.5, you can step through creating new inbound and outbound rules. Be sure to become familiar with setting up Windows Firewall with Advanced Security. Some of the new features are highly likely to end up as exam questions.

Exercise : Create New Inbound and Outbound Rules

In this exercise, we'll walk through creating a new inbound rule and then an outbound rule. Begin by accessing the Windows Firewall with Advanced Security folder in the left pane of Server Manager (located under Configuration if the tree is collapsed). Expand the Windows Firewall node and right-click Inbound Rules (or click New Rule in the Actions pane to the right) and select New Rule. The New Inbound Rule Wizard will launch.

1. The first screen gives you four options for a new rule: Program, Port, Predefined, and Custom. Select Program and click Next.

2. The Program screen prompts you to create a rule for all programs or for a particular program. If you want to set a rule for a particular program, click This program path: and then click Browse to locate the program file. We'll select All programs and click Next.

3. The next screen defines the Action to be taken. The choices are Allow the connection; Allow the connection if it is secure; and Block the connection. Because we chose All programs, Allow the connection would allow every inbound connection for every program. Allow the connection if it is secure admits the traffic only when it is protected by IPsec; the IPsec settings themselves are defined in the Connection Security Rules node (more on that in a moment), so this option does nothing until a matching connection security rule exists. Two check boxes refine it. Require the connections to be encrypted adds confidentiality to the authentication and data integrity that IPsec already provides. Override block rules lets this traffic through even when a block rule would otherwise match, which is helpful for remote administration tools; to use it, you must also specify an authorized computer or computer group, which the wizard then prompts for. Select Block the connection (we're assuming your Windows Server 2008 is on a test network and not a live network for all exercises), then click Next.

4. In the Profile screen, you can apply this rule to any of the three profiles (domain, private, and public). The default setting selects all three profiles. Accept this setting by clicking Next.

5. The final screen of the New Inbound Rule Wizard asks you to name the rule. Tip: A short, descriptive, unique name will help immensely if you later manage the firewall rules from the command line with netsh, because the name is how netsh identifies a rule. For this rule, type All Programs Blocked in the Name: text box and leave the description blank. Click Finish to create the rule. Figure 3 shows the resulting new rule added to the Inbound Rules section. Notice that you can Disable Rule, Delete, check Properties, and get Help for the inbound rule you just created.

Figure 3. New Inbound Rule



When you configure a new rule and select Port (instead of Program), you’ll be prompted to create a rule for a specific TCP or UDP port. Once you select TCP or UDP, you can apply the rule to all local ports or just specific ports by entering port number(s). The Wizards for creating inbound and outbound rules have the same options and they’re pretty straightforward. Keep in mind that you should start out with the default rules and add rules as you need them.
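The same rules the wizards build can be created, inspected, disabled, and deleted with netsh advfirewall firewall, which is worth knowing because rule management has to be scripted once there are more than a handful of servers. The following added example (not from the original chapter) reproduces the exercise rule and then the program, port, interface-type, and outbound rules discussed above. The program paths, port numbers, and address ranges are constructed for illustration; the PowerShell backtick continuation is used for readability, so in cmd.exe each command goes on one line.

```powershell
# Added example (not from the book). Run elevated on the server. Program paths, ports
# and IP ranges are constructed for illustration; substitute your own.

# --- The exercise rule, exactly as the wizard built it: All programs, Block, all profiles.
netsh advfirewall firewall add rule name="All Programs Blocked" dir=in action=block program=any profile=any
netsh advfirewall firewall show rule name="All Programs Blocked"

# The short, unique name chosen in the wizard is the key for every later operation.
netsh advfirewall firewall set rule name="All Programs Blocked" new enable=no   # Disable Rule
netsh advfirewall firewall delete rule name="All Programs Blocked"               # Delete

# --- Program rule: the recommended way to admit unsolicited inbound traffic. The
#     firewall admits only the ports this executable is listening on, and only while
#     it runs. Scoping it to the Domain profile and wired adapters makes the same rule
#     inert on a public network or over a wireless connection.
netsh advfirewall firewall add rule name="LOB service (inbound)" dir=in action=allow `
    program="C:\Program Files\Example\lobsvc.exe" profile=domain interfacetype=lan enable=yes

# --- Port rule: stays open whether or not anything is listening, so scope it tightly.
#     Here Remote Desktop is admitted only from a management subnet.
netsh advfirewall firewall add rule name="RDP from management net" dir=in action=allow `
    protocol=TCP localport=3389 remoteip=10.10.0.0/24 profile=domain

# --- Service rule: bind the rule to a service name rather than a port, so the port is
#     opened only while that service is running.
netsh advfirewall firewall add rule name="W32Time (inbound)" dir=in action=allow `
    protocol=UDP localport=123 service=w32time profile=domain

# --- Outbound rules: outbound is allowed by default, so blocking needs an explicit
#     rule. Stop one program from talking out at all, and stop the server sending SMTP.
netsh advfirewall firewall add rule name="Block updater outbound" dir=out action=block `
    program="C:\Program Files\Example\updater.exe"
netsh advfirewall firewall add rule name="Block outbound SMTP" dir=out action=block `
    protocol=TCP remoteport=25

# --- Review the rule set. Port/IP rules are "set and forget"; program and service
#     rules track things that change with the server's role and need revisiting.
netsh advfirewall firewall show rule name=all verbose |
    Select-String "Rule Name|Enabled|Direction|Program|Service|LocalPort|RemoteIP|Action"
```

A block rule always wins over an allow rule for the same traffic, so the outbound SMTP block above takes effect even if some other rule allows TCP 25; keep that ordering in mind when a rule you added does not appear to work.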

Connection Security Rules

Connection security rules are different from inbound and outbound traffic rules. Firewall rules allow traffic through the firewall based on the rules you've configured, but they do not enforce connection security. To secure traffic with IPsec, you must create connection security rules. Note that creating a connection security rule does not by itself allow the traffic to pass through the firewall. These are two separate but interrelated concepts. Connection security rules are not applied to programs or services; they apply to the connection between the two computers trying to communicate.

Connection security rules work in conjunction with inbound and outbound rules. To create a new rule, click the Connection security rules node in the left pane and choose New Rule from the right pane (or click Action on the menu and select New Rule or right-click Connection security rules and select New Rule from the shortcut menu). When the New Connection Security Rule Wizard starts, you’ll have several options. Figure 4 shows the Rule Type screen.

Figure 4. New Connection Security Rule Wizard


Your options on this screen are:

  • Isolation. Restrict connections based on authentication criteria, such as domain membership or health status.

  • Authentication exemption. Do not authenticate connections from specific computers.

  • Server-to-server. Authenticate connections between the specified computers.

  • Tunnel. Authenticate connections between gateway computers.

  • Custom. Create a custom rule.

Remember, connection security rules specify how and when authentication and security occurs, but they do not allow or block connections; this is managed through inbound and outbound rules.

The options on the remaining screens of the wizard change depending on the option selected on the Rule Type screen, but once you've made that selection the rest of the configuration is fairly straightforward. If you choose to create a custom rule, you'll be prompted to provide Endpoint information for the computers creating the connection.
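To make the separation between the two kinds of rule concrete, the following added example (not from the original chapter) builds three of the connection security rule types above with netsh advfirewall consec, then adds the one firewall rule that actually admits traffic, and only over the IPsec connection those rules negotiate. The IP addresses, CA name, and rule names are constructed for illustration.

```powershell
# Added example (not from the book). Run elevated on the server. Addresses, the CA name
# and rule names are constructed for illustration.

# --- Isolation: require IPsec authentication with Kerberos (which in practice means
#     domain membership) for inbound connections from the local subnet, and request it
#     for outbound. This authenticates and integrity-protects the traffic; it encrypts
#     nothing and allows nothing through the firewall on its own.
netsh advfirewall consec add rule name="Isolation: domain members only" `
    endpoint1=any endpoint2=localsubnet action=requireinrequestout `
    auth1=computerkerb profile=domain enable=yes

# --- Authentication exemption: a non-domain monitoring host cannot do Kerberos, so it
#     is exempted; otherwise the isolation rule above would cut it off.
netsh advfirewall consec add rule name="Exempt monitoring host" `
    endpoint1=any endpoint2=10.10.0.50 action=noauthentication profile=domain

# --- Server-to-server: both endpoints named explicitly, authentication required in
#     both directions, and machine certificates from a named CA instead of Kerberos so
#     the rule also works when the peers are not in the same forest.
netsh advfirewall consec add rule name="App server to SQL server" `
    endpoint1=10.10.0.20 endpoint2=10.10.0.30 action=requireinrequireout `
    auth1=computercert auth1ca="CN=Example Issuing CA,DC=example,DC=local" profile=domain

# --- The other half. Without this firewall rule the SQL port stays closed no matter
#     what the connection security rules say; with security=authenticate it opens only
#     for traffic that arrived inside the IPsec association the rules negotiated.
netsh advfirewall firewall add rule name="SQL only if authenticated" dir=in action=allow `
    protocol=TCP localport=1433 security=authenticate remoteip=10.10.0.20 profile=domain

# --- Verify the rules, then, after a connection has been attempted, the main-mode and
#     quick-mode security associations that prove IPsec actually negotiated.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

If the firewall rule is created but the connection security rule is missing on either peer, the connection fails rather than falling back to clear text, which is the intended behavior: "allow if secure" means the traffic is blocked whenever it cannot be authenticated.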
