Firewall Profiles
You can configure different settings for different profiles. As mentioned earlier, there are three profiles: domain, private, and public. Figure 5 shows the Windows Firewall with Advanced Security Properties dialog box, accessed by right-clicking Windows Firewall with Advanced Security and selecting Properties from the menu. You can see the three profiles in this dialog box: domain, private, and public. This is also where you can set IPsec Settings (not to be confused with AD IPsec policy).
IPsec Settings
If you click the IPsec Settings tab in the Windows Firewall with Advanced Security Properties dialog box, you’ll be able to access the IPsec settings, as shown in Figure 6.
The key exchange (using ISAKMP, if you recall the earlier discussion of IPsec basics) is the Main mode. You can use the default settings or customize them by selecting the Advanced radio button and then clicking the Customize button, which is enabled only when Advanced is selected. The Quick mode (for data protection) also has Default and Advanced settings, and its advanced settings can be customized here as well. The Authentication Method can be configured to authenticate the computer, the user, the computer and user, a computer certificate, or advanced. You can click the link at the bottom of the dialog box to learn more about your options or to understand what, exactly, the default settings are. In most cases, the default values are fine and you should start with these first. As you probably know, incorrect IPsec settings can interrupt communications. Also keep in mind that IPsec policy from Active Directory will interact with these settings, so the default settings are the best place to start unless you have a specific need to modify them.
Though the default settings are fine in most cases, we’ve included a few screenshots of the advanced settings to give you an idea of just how much you can customize these settings. Be sure to scan these just so you’re familiar with them. Although you probably won’t see any questions on the exam testing your specific knowledge of the Advanced settings, it’s good background knowledge to have in answering questions related to IPsec and firewall settings. Figure 7 shows the Advanced settings under the Main Mode (key exchange) section.
Figure 8 shows the Advanced settings for Quick Mode (data protection). As you can see, you can configure data integrity algorithms as well as data integrity and encryption algorithms in this area. You can add, remove, and edit these settings as well as move the algorithms up (or down) in the list. As stated in the dialog box, those algorithms higher in the list are tried first.
The third area of Advanced settings you can configure is the Authentication Method settings. If you click the Advanced radio button and then click Customize, you’ll see the settings shown in Figure 9.
Notice that you can set a first and second authentication method, but you cannot set a second authentication method if you specify a preshared key as the first authentication method. It doesn’t matter where in the list the preshared key method is in the first authentication method list. If it’s in the first authentication method list, you cannot specify a second authentication method.
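The same Main mode and authentication choices can be made from the command line. The following is an added example, not code from the book, using netsh advfirewall (its parameter names follow the output of netsh advfirewall consec add rule /? and netsh advfirewall set global /?). The rule names, the 10.0.0.0/24 endpoint, the lab pre-shared key, and the choice of algorithms are placeholders chosen for illustration.

```powershell
# Added example (not from the book): Main mode and connection security
# settings applied with netsh advfirewall instead of the Properties dialog.

# Main mode (key exchange): the command-line counterpart of the Advanced >
# Customize dialog in Figure 7. Methods are listed most-preferred first,
# so the AES/SHA-1 proposal is tried before the 3DES fallback.
# Use "default" as the value to go back to the default settings.
netsh advfirewall set global mainmode mmsecmethods "dhgroup2:aes128-sha1,3des-sha1"

# Connection security rule with computer Kerberos as the first method and
# user Kerberos as the second. A second method is allowed here because the
# first method is not a pre-shared key.
netsh advfirewall consec add rule name="Example - Kerberos computer and user" `
    endpoint1=any endpoint2=10.0.0.0/24 action=requireinrequestout `
    auth1=computerkerb auth2=userkerb profile=domain

# The same rule with a pre-shared key as the first method. As the text
# explains, no second authentication method can be combined with a PSK,
# so auth2 is omitted. A PSK is the weakest of the options and the key
# lives in the policy itself; keep this form for lab use.
netsh advfirewall consec add rule name="Example - PSK only (lab)" `
    endpoint1=any endpoint2=10.0.0.0/24 action=requireinrequestout `
    auth1=computerpsk auth1psk="REPLACE-WITH-A-LONG-RANDOM-KEY" profile=private

# Check what was written, then confirm that Main mode SAs actually form
# once a peer with a matching rule starts talking to this host.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

Run these in an elevated session on a test host first; as the text notes, a wrong IPsec setting interrupts communications, and a rule with action=requireinrequestout will drop inbound traffic from any peer that cannot authenticate.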
Monitoring
The Monitoring folder under Windows Firewall with Advanced Security provides access to the firewall, connection security rule, and security association monitoring features, shown in Figure 10.
By default, when you select this folder in the left pane of Server Manager, you will see the three profiles in the center pane (domain, private, public). Each section can be collapsed and expanded as needed, and the profile that is active will be shown as Active.
You can click Firewall in the left pane and see all the rules and traffic filtering in place. If you kept the All Programs Blocked rule we created earlier, you should see this rule in the list with a red circle with a line through it. Blocking rules show up with this red circle icon. Allow rules are displayed with a green circle and white checkmark, so you can quickly locate Allow and Block rules.
If you click Connection Security Rules, you can see all rules you created for connection security. If none are present, you are not requiring secure connections even if you allow or block secured traffic.
The last folder in the Monitoring tree is the Security Associations folder. It shows two modes: Main mode and Quick mode. Main mode lists all the Main mode security associations (SAs) with detailed information about their settings and endpoints. You can view the IP addresses of the endpoints here. Quick mode lists all the Quick mode SAs with detailed information about them, including the IP addresses of the endpoints. If you recall from our earlier discussion of IPsec, you have two SAs—Main mode (key exchange) and Quick mode (data protection).
Managing Windows Firewall with Advanced Security via Group Policy
In Microsoft operating systems prior to Windows Server 2008, local Group Policy was processed in the following order:
Computer policies processed when the computer boots up.
User policies processed when the user logs in.
Computer and user policies refreshed at intervals.
Windows Server 2008 also provides the following:
As you can see, these two additional processes are extremely helpful in maintaining a secure host through ensuring the computer has the most recent Group Policy settings related to the specific configuration of its connections.
To configure Windows Firewall with Advanced Security using Group Policy, access the Windows Firewall with Advanced Security snap-in from within the Group Policy Management Console. Note that if you deploy Windows Firewall with Advanced Security via Group Policy and block outbound connections, you’ll have a problem unless you enable the Group Policy outbound rules. Otherwise, you might prevent all computers that receive the policy from updating the policy in the future, unless you manually update them, which defeats the purpose of using Group Policy to distribute settings.
Identifying Ports and Protocols
In some cases, you can’t add the program or the service to the rules list. In these cases, you’ll have to figure out which ports the program or service uses and add the port(s) to the rules list. When you add a port to the rules list, you have to specify the port number and protocol. You can specify ports only using the TCP and UDP protocols.
Exam Warning
Here’s a key takeaway for working with Windows Firewall with Advanced Security (and don’t be surprised to see a question related to this on the exam). When you allow or block unsolicited traffic by creating a TCP or UDP port rule, that action will be taken any time Windows Firewall is running. This differs from creating a rule for a program, in which the action is taken only when the program is running. So, if you create a rule to allow UDP 1443 traffic, that rule will be enabled when the firewall is enabled (which should be all the time). Contrast that to a program rule that specifies that it needs UDP 1443 traffic. In that case, the firewall will allow UDP 1443 traffic only when the program is running—a much more secure setting and the recommended method, whenever possible.
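The port rule and program rule contrasted in the Exam Warning, and the port-only fallback described under Identifying Ports and Protocols, look like this when created with netsh advfirewall. This is an added example, not code from the book; the rule names and the program path C:\Program Files\Example\appserver.exe are placeholders, and the UDP 1443 port is the one used in the text.

```powershell
# Added example (not from the book): port rule versus program rule.

# Port rule: in force whenever the firewall service is running, whether or
# not anything is listening on 1443. Unsolicited inbound UDP 1443 is
# accepted around the clock. This is the fallback for the case where the
# program or service cannot be added to the rules list.
netsh advfirewall firewall add rule name="Example - UDP 1443 (port rule)" `
    dir=in action=allow protocol=UDP localport=1443 profile=domain

# Program rule: the allow applies only while the named program is running,
# and only to the ports that program has actually opened, so the exposure
# lasts no longer than the program itself. Prefer this form when the
# program is known.
netsh advfirewall firewall add rule name="Example - AppServer (program rule)" `
    dir=in action=allow program="C:\Program Files\Example\appserver.exe" `
    profile=domain enable=yes

# Narrowest of the three: program and port together. The rule is live only
# while the program runs, and even then only for UDP 1443.
netsh advfirewall firewall add rule name="Example - AppServer UDP 1443" `
    dir=in action=allow program="C:\Program Files\Example\appserver.exe" `
    protocol=UDP localport=1443 profile=domain

# Review what the firewall actually holds before relying on it.
netsh advfirewall firewall show rule name="Example - UDP 1443 (port rule)"
netsh advfirewall firewall show rule name=all dir=in

# Remove the example rules again.
netsh advfirewall firewall delete rule name="Example - UDP 1443 (port rule)"
netsh advfirewall firewall delete rule name="Example - AppServer (program rule)"
netsh advfirewall firewall delete rule name="Example - AppServer UDP 1443"
```

When reviewing a server, the show rule output is the quickest way to spot bare port rules that could be tightened to program rules: any inbound allow rule whose Program field reads Any is open regardless of what is running.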
Command Line Tools for Windows Firewall with Advanced Security
As with just about any other server feature in Windows Server 2008, you can use the command line to adjust firewall settings. Once you’ve opened the command window (Start | Run | cmd), you use the netsh context with the advfirewall command. As with other commands, you can use the netsh advfirewall /? command to get a list of available options and switches. We’ve listed a few here for your convenience; all commands here begin with netsh advfirewall followed by the option shown.
Export. Exports the current firewall policy to a file.
Import. Imports a policy from a specified file.
Reset. Restores Windows Firewall with Advanced Security to default settings.
Show. Shows the properties of a particular profile, including:
Show allprofiles
Show domainprofile
Show privateprofile
Show publicprofile
Help. Displays a list of available commands.
In addition, you can use the subcontext commands as well. These are shown with their full syntax as an example of how they can be used:
netsh advfirewall consec /? Shows the options available for the connection security settings within Windows Firewall with Advanced Security.
netsh advfirewall firewall /? Shows the options available for configuring firewall rules.
netsh advfirewall monitor /? Shows options available for configuring monitoring settings.
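The commands above combine into a simple backup-and-review routine that also covers the Monitoring folder described earlier (firewall rules, connection security rules, and the Main mode and Quick mode security associations). This is an added example, not code from the book; the backup directory C:\Backups and the file name pattern are placeholders.

```powershell
# Added example (not from the book): export the policy before changing it,
# then read the same information the Monitoring folder shows in the GUI.

# Placeholder backup location; the .wfw file is the format netsh writes.
$backup = "C:\Backups\wfas-policy-$(Get-Date -Format yyyyMMdd-HHmm).wfw"
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# 1. Export the whole policy (firewall rules, connection security rules and
#    profile settings) before touching anything. Reset wipes the policy
#    back to defaults, so it should only ever follow an Export.
netsh advfirewall export "$backup"

# 2. Profile state: confirm each profile is on and note its default
#    inbound and outbound action, which is what a port or program rule
#    overrides. currentprofile shows only the profile NLA has made active.
netsh advfirewall show allprofiles
netsh advfirewall show currentprofile

# 3. Monitoring folder equivalents: the effective firewall rules, the
#    connection security rules, and the Main mode / Quick mode security
#    associations with their endpoint addresses.
netsh advfirewall monitor show firewall
netsh advfirewall monitor show consec
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 4. Roll back if a change goes wrong. Import replaces the entire current
#    policy with the contents of the file, not just the parts that differ.
#    Uncomment to run.
# netsh advfirewall import "$backup"
```

An empty consec list or an empty mmsa list is worth a second look: as the Monitoring section notes, no connection security rules means no secure connections are being required, whatever the firewall rules say about secured traffic.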
Warning
Whenever you run server-type commands from the command line, you must have Administrator-equivalent rights. Depending on the server and its roles, you may need Domain Administrator rights rather than local Administrator rights. That said, keep in mind that best practices suggest you log onto a server using a standard user account and use the Administrator account only through the Run As Administrator option. This helps maintain tight security on your network. If you see questions on the exam that use the Run As option, chances are good it’s a correct answer (or among the possible correct answer candidates).
Windows Firewall with Advanced Security is a stateful host-based firewall that blocks incoming and outgoing traffic based on default profiles (domain, private, public) and on connections using the Network Awareness API, which in Windows is called Network Location Awareness (NLA). You can configure the firewall on the local server via the Server Manager interface; advanced configuration must be done via the Microsoft Management Console (MMC) Windows Firewall with Advanced Security snap-in. IPsec is now integrated with firewall functions to help avoid conflicting settings between these two protective features.