Windows Vista

Introduction to Windows Firewall with Advanced Security

 

 

Published: August 2006

For the latest information, please see http://www.microsoft.com/windowsvista

 

 

 

Abstract

Windows® Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. While typical end-user configuration of Windows Firewall still takes place through the Windows Firewall Control Panel tool, advanced configuration now takes place in a Microsoft® Management Console (MMC) snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in provides an interface for configuring Windows Firewall not only locally but also on remote computers and via Group Policy. Firewall functions are now integrated with IPsec (Internet Protocol security) protection settings, reducing the possibility of conflict between the two protection mechanisms. Windows Firewall with Advanced Security supports separate profiles for when computers are domain-joined or connected to a private or public network. It also supports the creation of rules for enforcing server and domain isolation policies. Windows Firewall with Advanced Security supports more granular rules, including Microsoft Active Directory® users and groups, source and destination Internet Protocol (IP) addresses, IP port number, ICMP settings, IPsec settings, specific types of interfaces, services, and more.

 

 

 


 

This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. 

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2006 Microsoft Corporation. All rights reserved.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Microsoft, Active Directory, Windows, Windows Vista, Windows Server, and the Windows logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.


Contents

Overview

Business and Technical Benefits

Summary of New Features

Key Scenarios

Network Location-Aware Host Firewall

Server and Domain Isolation

Network Access Protection

Managing Windows Firewall with Advanced Security

Order of Windows Firewall with Advanced Security Rules Evaluation

Managing a Single Computer with the MMC

Configuring Firewall Properties

Viewing Rules

Creating New Rules

Creating Connection Security Rules

Using the Netsh Advfirewall Command-Line Tool

Managing Windows Firewall with Advanced Security via Group Policy

Monitoring

Firewall

Connection Security Rules

Summary

See Also

 

 


 

Overview

The increasing ease and efficiency of network connectivity and the growing number of network-aware programs have delivered a new level of productivity for businesses, organizations, and individuals. New breakthroughs in wireless and other connectivity choices have also brought to the mobile worker more options than ever.

Heightened network connectivity also increases risk. The ease of connection that allows authorized users to access resources from almost anywhere at any time can also allow unauthorized users and malicious programs to attack a network with relative speed and anonymity.

Protecting your network and information assets requires a layered, defense-in-depth security model. You must protect the computers on your network from unauthorized users and programs not only on the Internet but also on the local intranet. A layered defense can provide protection from unauthorized, unmanaged, and unhealthy computers no matter how they connect to the network.

Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings based on the type of network to which the computer is connected. Now that Windows Firewall and Internet Protocol security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security, Windows Firewall also becomes an important part of your network’s isolation strategy.

Business and Technical Benefits

Windows Firewall with Advanced Security helps your business face the challenges of providing more secure networking with a scalable and tightly-integrated solution that is also simple to use.

Connected computers face the following challenges:

·         Mobile workers and devices complicate a network’s physical topology, making it difficult to prevent unauthorized access to trusted network assets.

·         Viruses, worms, and denial of service (DoS) attacks are increasing in complexity, making it more difficult to mitigate the risk of malware threats and DoS attacks.

·         Regulatory burdens are increasing, making it more difficult to achieve and maintain compliance with legislative regulations.

·         Data is a critical asset for almost every employee in most organizations, making it difficult to limit access to authorized users while still providing ease of access.

To help address these challenges, Windows Firewall with Advanced Security offers the following benefits:

·         Reduces the risk of network security threats. Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Network Access Protection (NAP), a feature of Windows Server® “Longhorn” (now in beta), also helps ensure healthy client computers. The integration of NAP helps prevent communications between healthy and unhealthy computers.

·         Safeguards sensitive data and intellectual property. Through its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications, giving scalable, tiered access to trusted network resources, enforcing the integrity of data, and optionally protecting its confidentiality.

·         Extends the value of existing investments. Since Windows Firewall with Advanced Security is a host-based firewall that is included with Microsoft Windows Vista™ operating system, as well as Windows Server “Longhorn”, and since it tightly integrates with Active Directory® and Group Policy, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing third-party network security solutions through a scriptable application programming interface (API).

Summary of New Features

Windows Firewall with Advanced Security adds a number of new features to previous versions of Windows Firewall. Table 1 summarizes important new features.

Table 1. Summary of Important New or Enhanced Features in Windows Firewall with Advanced Security

Windows Service Hardening. Windows Service Hardening helps prevent critical Windows services from being used for potentially malicious activity in the file system, registry, or network. If the firewall detects network behavior that the Windows Service Hardening rules do not permit for that service, the firewall blocks it. In addition, services can be limited to writing only to specific areas of the file system or registry, based on access control lists (ACLs). This helps prevent a compromised service from changing important configuration settings in the file system or registry, or from infecting other computers on the network. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.

Granular rules. By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use the Windows Firewall with Advanced Security interface to configure rules for both inbound and outbound connections. Windows Firewall with Advanced Security also supports filtering on any IP protocol number, while previous versions of Windows Firewall supported filtering only UDP, TCP, and ICMP.

Outbound filtering. Windows Firewall can manage outbound filtering as well as inbound. This helps administrators limit which applications can send traffic onto the network, enforcing corporate policies for compliance.

Location-aware profiles. You can configure different rules and settings for the following firewall profiles:

·         Domain. Used when a computer is connected to an Active Directory domain of which the computer is a member.

·         Private. Used when a computer is connected to a private network behind a private gateway or router. Only a user with administrative privileges can designate a network as private.

·         Public. Used when a computer is connected directly to the Internet or to any network that has not been designated as Private or Domain.

Authenticated bypass. With IPsec authentication, you can configure bypass rules for specific computers so that connections from those computers bypass other rules set up in Windows Firewall with Advanced Security. This allows you to block a particular type of traffic but allow authenticated computers to bypass the block. In Windows Vista, Windows Firewall supports more granular authenticated bypass rules, allowing the administrator to specify which ports or programs can be accessed, as well as which computer or group of computers can access them.

Active Directory user, computer, and group support. You can create firewall rules that filter connections by user, computer, or group in Active Directory. For these types of rules, the connection must be secured with IPsec using a credential that carries the Active Directory account information, such as Kerberos version 5 (v5).

IPv6 support. Windows Firewall with Advanced Security fully supports a pure IPv6 environment.

 

Key Scenarios

You can use Windows Firewall with Advanced Security to help implement the following key scenarios:

·         Location-aware host firewall

·         Server and domain isolation

·         Network Access Protection

Network Location-Aware Host Firewall

Many applications connect to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can automatically adapt to changing network conditions has been difficult for developers. Network Awareness APIs enable applications to sense changes to the network to which the computer is connected, such as placing a laptop into standby mode at work and then opening it at a wireless hotspot. This enables Windows Vista to alert applications of network changes, and these applications can then behave differently to provide a seamless experience.

Windows Vista identifies and remembers each of the networks to which it connects.  Network Awareness APIs then allow applications to query for characteristics of each of these networks, including:

·         Connectivity. A network may be disconnected, it may provide access to only the local network, or it may provide access to the local network and the Internet.

·         Connections. Windows Vista may be connected to a network by one or more connections. Network Awareness APIs enable applications to determine through which connections Windows Vista is currently connected to a given network.

·         Category. Each network is assigned a category in Windows Vista that identifies the type of network it is.  Some of Windows Vista settings will change based upon the categories of the networks to which it is connected.  For example, Windows Firewall with Advanced Security enforces different policies based upon the categories of the networks to which Windows Vista is currently connected.   

There are three categories of networks in Windows Vista:

·         Domain. Windows Vista automatically places in this category any network on which it can authenticate to a domain controller for the domain to which the computer is joined. No other networks can be placed in this category.

·         Public. Other than domain networks, all networks are categorized as public.  Networks that represent direct connections to the Internet or are in public places, such as airports and coffee shops should be left public.

·         Private. A network will only be categorized as private if a user or application identifies the network as private.  Only networks located behind a private gateway device should be identified as private networks.  Users will likely want to identify home or small business networks as private.  

When a user connects to a network that is not part of the domain category, Windows Vista asks the user to identify the network as either Public or Private.  The user must be a local administrator of the computer to identify the network as Private.  When the type of network to which the computer is connected is identified, Windows Vista is able to optimize some of its configuration, especially its firewall configuration, for the specified network category. 

Windows Firewall with Advanced Security is an example of a network-aware application. The administrator can create a profile for each network category, with each profile containing different firewall policies. For example, Windows Firewall can automatically allow incoming traffic for a specific desktop management tool when the computer is on a domain network but block the same traffic when the computer is connected to a public or private network. In this way, Network Awareness provides flexibility on your internal network without sacrificing security when mobile users travel. The Network Awareness APIs complement the robust and flexible filtering built into Windows Firewall with Advanced Security, which lets you filter programs, services, or ports by IP address scope, interface type, user, group, computer, and level of protection, all based on the network category to which the computer is connected. A public network profile should have stricter firewall policies to protect against unauthorized access. A private network profile, on the other hand, may have less restrictive firewall policies to allow file and print sharing, peer-to-peer discovery, and connectivity with Windows Connect Now devices. Only one profile is active at a time: if the computer is connected to networks of more than one category, Windows Vista applies the most restrictive of them, in the order of precedence Public, then Private, then Domain.

Most incoming traffic is blocked by default. You must create specific rules to allow other authorized traffic to pass through the firewall into the computer. The default settings allow outgoing traffic. You must specifically block programs or types of traffic that should not be allowed.
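The profile behaviour described in this section, written out as netsh advfirewall commands run from an elevated PowerShell prompt. This is an added example and not part of the original white paper; the rule name Contoso-Agent-Inbound and the program path C:\Tools\Contoso\agent.exe are placeholders standing in for the desktop management tool the paragraph above mentions. netsh advfirewall is the command-line tool the paper covers later, and the keywords used here are the ones its help text accepts.

```powershell
# Added example: configure the three network-location profiles with netsh advfirewall.
# Requires an elevated (administrator) PowerShell on Windows Vista or later.
# The rule name and program path below are hypothetical placeholders.

# 1. Make sure the firewall is on in every profile. A profile that is off
#    filters nothing, regardless of the rules it carries.
netsh advfirewall set allprofiles state on

# 2. State the out-of-box defaults explicitly: inbound blocked unless a rule
#    allows it, outbound allowed unless a rule blocks it. Writing them down
#    makes the intent visible and undoes any earlier drift on the computer.
#    The pair is quoted so PowerShell hands netsh one argument, not two.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 3. The public profile is the one in use on hotspots and other untrusted
#    networks, so tighten it: ignore every inbound rule (block all inbound)
#    and suppress the "program blocked" notifications, which a user on a
#    public network has no safe way to act on.
netsh advfirewall set publicprofile firewallpolicy "blockinboundalways,allowoutbound"
netsh advfirewall set publicprofile settings inboundusernotification disable

# 4. Let the management agent accept connections only while the computer is
#    on a domain network. On a public or private network the same program
#    stays blocked, because the rule carries profile=domain.
netsh advfirewall firewall add rule name=Contoso-Agent-Inbound dir=in action=allow program="C:\Tools\Contoso\agent.exe" profile=domain description="Hypothetical desktop management agent"

# 5. Show which profile is active right now and its effective settings, so
#    you can confirm the network was categorised the way you expected.
netsh advfirewall show currentprofile
```

The last command is the quickest way to check the category Windows Vista assigned to the current network: if a laptop on the corporate LAN reports the Public profile, no rule scoped to profile=domain will ever match, however correct the rule itself is.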

You will learn how to configure these profiles and create rules in the section, “Managing Windows Firewall with Advanced Security.”

Server and Domain Isolation

In a Microsoft Windows-based network, you can logically isolate server and domain resources to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network in order to establish connectivity.

This isolation prevents unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network are ignored. Server and domain isolation can help protect specific high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.

You can use two types of isolation to protect a network:

·         Server Isolation. In a server isolation scenario, specific servers or applications are configured to require IPsec policy to accept authenticated communications from other computers. For example, you might configure the database server to accept connections from the web application server only.

·         Domain Isolation. To isolate a domain, you use Active Directory domain membership to ensure that domain-member computers accept only authenticated and secured communications from other domain-member computers. The isolated network consists of only computers that are part of the domain, as shown in Figure 1. Domain isolation uses IPsec policy to provide protection for traffic sent between domain members, including all client and server computers.

 


Figure 1. Protecting network computers with Server and Domain Isolation

For more information about server and domain isolation, see http://www.microsoft.com/sdisolation.   

Network Access Protection

Network Access Protection (NAP) is a policy-enforcement platform built into Windows Vista and Windows Server “Longhorn” that allows you to protect network resources by enforcing compliance with computer health requirements. With NAP, you can create health policies to validate computer health before allowing a connection, automatically update compliant computers to ensure ongoing compliance with health policy, and even isolate noncompliant computers to a restricted network until they become compliant.

While NAP is not meant for securing network resources from malicious users, it does help to maintain the health of the computers on the network, which in turn helps maintain the network’s overall integrity. You can use Windows Firewall with Advanced Security to enforce NAP policy as part of a larger isolation strategy. You will learn how to require a NAP health policy for a connection in the section, “Managing Windows Firewall with Advanced Security.”

For more information about NAP, see http://www.microsoft.com/nap

Managing Windows Firewall with Advanced Security

Windows Firewall with Advanced Security provides a number of ways to implement settings on both local and remote computers. You can configure Windows Firewall with Advanced Security in the following ways:

·         Configure a local or remote computer by using either the Windows Firewall with Advanced Security MMC snap-in or the netsh advfirewall command

·         Deploy Windows Firewall with Advanced Security settings using Group Policy by using the Windows Firewall with Advanced Security MMC snap-in through the Group Policy Object Editor or by using the netsh advfirewall command

Order of Windows Firewall with Advanced Security Rules Evaluation

Windows Firewall with Advanced Security supports the following types of rules:

·         Windows Service Hardening. This type of rule restricts the connections a Windows service may establish. Service restrictions are configured out of the box so that Windows services can communicate only in specific ways (for example, only through a specific port). A service hardening rule only narrows what a service is permitted to do; it does not by itself allow any traffic, so until you create a firewall rule that allows it, the traffic is still blocked.

·         Connection security rules. This type of rule defines how and when computers authenticate using IPsec. Connection security rules are used in establishing server and domain isolation, as well as in enforcing NAP policy.

·         Authenticated bypass rules. This type of rule allows the connection of particular computers if the traffic is protected with IPsec, regardless of other inbound rules in place. Specified computers are allowed to bypass inbound rules that block traffic. For example, you could allow remote firewall administration from only certain computers by creating authenticated bypass rules for those computers, or enable support for remote assistance by the Help Desk.

·         Block rules. This type of rule explicitly blocks a particular type of incoming or outgoing traffic.

·         Allow rules. This type of rule explicitly allows a particular type of incoming or outgoing traffic.

·         Default rules. These rules define the action that takes place when a connection does not meet any of the parameters of a higher order rule. Out-of-the-box, the inbound default is to block connections and the outbound default is to allow connections.

Figure 2 shows the order in which Windows Firewall with Advanced Security applies the various types of rules. This ordering of rules is always enforced, even when rules are coming from Group Policy. Rules, including those from Group Policy, are sorted and then applied. Domain administrators can allow or deny local administrators the permission to create new rules.


Figure 2. Order of Rules Evaluation
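To see the ordering in Figure 2 in practice: a connection security rule, a block rule, and an authenticated bypass rule for the same ports, as netsh advfirewall commands. This is an added example, not the paper's own. The rule names and the group SID S-1-5-21-1004336348-1177238915-682003330-1105 are placeholders (substitute the SID of your own help-desk computer group), and the commands assume an elevated PowerShell prompt on a domain-joined Windows Vista computer.

```powershell
# Added example: domain isolation plus an authenticated bypass, to show the
# evaluation order of Figure 2 in practice. Run from an elevated PowerShell on
# a domain-joined Windows Vista computer. Rule names and the SID are placeholders.

# 1. Connection security rule. Inbound connections must be authenticated with
#    IPsec; outbound connections request it and fall back to clear text if the
#    peer cannot. The first authentication is the computer's Kerberos v5 ticket,
#    the second is the user's. On its own this rule allows nothing: it only says
#    how peers prove who they are. Once it is in place, an unauthenticated
#    inbound connection is refused even on a port that an allow rule opens.
netsh advfirewall consec add rule name=DomainIsolation-RequireInRequestOut endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb auth2=userkerb profile=domain

# 2. Block rule for the RPC endpoint mapper and SMB. Block rules are evaluated
#    before allow rules, so even a built-in allow group cannot reopen these
#    ports. The port list is quoted so PowerShell passes it as one argument.
netsh advfirewall firewall add rule name=Block-RemoteAdmin-Ports dir=in action=block protocol=tcp localport="135,445" profile=domain

# 3. Authenticated bypass for the help-desk computer group. action=bypass needs
#    security=authenticate and a remote computer group given as an SDDL string
#    of the form D:(A;;CC;;;<group SID>). The SID is matched against the computer
#    identity carried in the IPsec (Kerberos) authentication, not the IP address,
#    so it cannot be spoofed by taking over an address. Bypass rules are
#    evaluated before block rules, so members of the group get through while
#    the block in step 2 still applies to everyone else.
$helpDeskGroupSid = 'S-1-5-21-1004336348-1177238915-682003330-1105'   # placeholder: use your group's SID
$helpDeskSddl = "D:(A;;CC;;;$helpDeskGroupSid)"
netsh advfirewall firewall add rule name=Bypass-HelpDesk-RemoteAdmin dir=in action=bypass protocol=tcp localport="135,445" security=authenticate rmtcomputergrp=$helpDeskSddl profile=domain

# 4. Verify the rules, then watch for main mode security associations when a
#    help-desk computer connects. No SA means IPsec never negotiated, and
#    without it the bypass rule can never match.
netsh advfirewall consec show rule name=DomainIsolation-RequireInRequestOut
netsh advfirewall firewall show rule name=Bypass-HelpDesk-RemoteAdmin verbose
netsh advfirewall monitor show mmsa
```

The usual failure mode when testing this is a help-desk computer that is still blocked: check the SA list first. If no main mode SA forms, the problem is authentication (clock skew, the computer not being a domain member, or the connection security rule not applying in the active profile), not the firewall rule.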

Managing a Single Computer with the MMC

To open Windows Firewall with Advanced Security, use the following steps:

1.       Click the Start button, and then click Control Panel.

2.       In Control Panel, double-click Administrative Tools.

3.       In Administrative Tools, double-click Windows Firewall with Advanced Security.

Figure 3 shows the Windows Firewall with Advanced Security window. The overview pane gives a snapshot of how Windows Firewall with Advanced Security is configured for each profile—Domain, Private, and Public. The console tree to the left provides quick access for viewing and creating rules and computer connection rules, and for monitoring activity. The Actions pane to the right provides a list of context-sensitive actions that change depending on what you are viewing.


Figure 3. The Windows Firewall with Advanced Security Snap-In

Configuring Firewall Properties

To configure firewall properties, in the Overview pane, click Windows Firewall Properties. The Windows Firewall with Advanced Security on Local Computer property sheet displays a tab for each of the three available profiles (Domain, Private, and Public) and a tab for IPsec settings.

Configuring a Profile

The tabs for each profile contain identical options (shown in Figure 4). The options on each tab control how Windows Firewall with Advanced Security behaves when the computer is connected to that type of network.


Figure 4. Configuring a profile

The options that you can configure for each of the three profiles are as follows:

·         Firewall State. You can turn Windows Firewall with Advanced Security on or off independently for each profile.

·         Inbound Connections. You can configure inbound connections to follow one of these rules:

·         Block (default). Windows Firewall with Advanced Security blocks connections that do not match any active firewall rules.

·         Block all connections. Windows Firewall with Advanced Security ignores all inbound rules, effectively blocking all inbound connections.

·         Allow. Windows Firewall with Advanced Security allows inbound connections that do not match an active firewall rule.

·         Outbound Connections. You can configure outbound connections to follow one of these rules:

·         Allow (default). Windows Firewall with Advanced Security allows connections that do not match any active firewall rules.

·         Block. Windows Firewall with Advanced Security blocks outbound connections that do not match an active firewall rule.

·         Settings. Click the Customize button in the Settings area to configure the following settings:

·         Display notifications to the user when a program is blocked from receiving inbound communications. This setting controls whether Windows displays a notification letting a user know that an inbound connection has been blocked.

·         Allow unicast response to multicast or broadcast requests. This setting allows the computer to receive unicast responses to its outgoing multicast or broadcast requests.

·         Apply local firewall rules. Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to create firewall rules on this computer. When you clear this option, administrators can still create rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.

·         Allow local connection security rules. Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create connection security rules on this computer. When this option is cleared, administrators can still create rules, but the rules will not be applied.

·         Logging. Click the Customize button in the Logging area to configure the following logging options:

·         Name. The path of the log file. This preliminary release writes to %windir%\pfirewall.log by default; released versions of Windows Vista use %systemroot%\system32\LogFiles\Firewall\pfirewall.log, so check the Logging settings (or the output of netsh advfirewall show allprofiles) rather than assuming the path.

·         Size limit.  By default, the size limit is 4096 KB.

·         Log dropped packets. By default, dropped packets are not logged.

·         Log successful connections. By default, successful connections are not logged.
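Turning the logging options on from the command line and reading the log they produce. This is an added example, not part of the original document. The sample log lines are constructed for the example, not captured from a real computer; they follow the W3C extended format that pfirewall.log uses, in which the #Fields: header names the columns and a hyphen marks an empty field. The function names ConvertFrom-PfirewallLog and Get-DroppedInboundSummary are this example's own.

```powershell
# Added example: enable dropped-packet logging with netsh advfirewall, then
# parse and summarise the log. Run from an elevated PowerShell on Windows
# Vista or later. The sample log below is constructed, not a real capture.

# --- Configure logging for all three profiles -----------------------------
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable
# Successful connections stay off: on a busy host they fill the 4 MB file
# quickly and roll the drops you actually want out of it.
netsh advfirewall set allprofiles logging allowedconnections disable

# --- Parse the W3C extended log format ------------------------------------
function ConvertFrom-PfirewallLog {
    # Takes the log as an array of lines. The '#Fields:' header names the
    # columns; other '#' lines are metadata; '-' marks an empty field.
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $record = New-Object psobject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $value = if ($i -lt $values.Count -and $values[$i] -ne '-') { $values[$i] } else { $null }
            $record | Add-Member NoteProperty $fields[$i] $value
        }
        $record
    }
}

function Get-DroppedInboundSummary {
    # One row per remote host: how many inbound packets were dropped and how
    # many distinct protocol/port targets it touched. Many distinct targets
    # from one source in a short window is what a port scan looks like here.
    param([Parameter(Mandatory = $true)]$Records)
    $Records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip' |
        ForEach-Object {
            $targets = $_.Group | ForEach-Object {
                if ($_.protocol -eq 'ICMP') { "ICMP/type$($_.icmptype)" } else { "$($_.protocol)/$($_.'dst-port')" }
            } | Sort-Object -Unique
            New-Object psobject -Property @{
                SourceIP        = $_.Name
                DroppedPackets  = $_.Count
                DistinctTargets = @($targets).Count
                Targets         = ($targets -join ' ')
            }
        } |
        Sort-Object DistinctTargets -Descending
}

# --- Constructed sample: a scan from 10.0.0.23 and one allowed RDP session ---
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-08-14 09:12:01 DROP TCP 10.0.0.23 10.0.0.50 51022 135 52 S 1234567 0 8192 - - - RECEIVE
2006-08-14 09:12:01 DROP TCP 10.0.0.23 10.0.0.50 51023 139 52 S 1234568 0 8192 - - - RECEIVE
2006-08-14 09:12:01 DROP TCP 10.0.0.23 10.0.0.50 51024 445 52 S 1234569 0 8192 - - - RECEIVE
2006-08-14 09:12:02 DROP TCP 10.0.0.23 10.0.0.50 51025 3389 52 S 1234570 0 8192 - - - RECEIVE
2006-08-14 09:12:02 DROP UDP 10.0.0.23 10.0.0.50 51026 161 78 - - - - - - - RECEIVE
2006-08-14 09:13:40 ALLOW TCP 10.0.0.12 10.0.0.50 50011 3389 52 S 2234570 0 8192 - - - RECEIVE
2006-08-14 09:14:05 DROP ICMP 10.0.0.23 10.0.0.50 - - 60 - - - - 8 0 - RECEIVE
'@ -split "`r?`n"

$records = ConvertFrom-PfirewallLog -Lines $sampleLog
Get-DroppedInboundSummary -Records $records | Format-Table SourceIP, DroppedPackets, DistinctTargets, Targets -AutoSize

# Against the live file, once the firewall has written it:
# $live = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
# Get-DroppedInboundSummary -Records (ConvertFrom-PfirewallLog -Lines $live)
```

The parser reads the column names from the #Fields: header instead of hard-coding positions, so it keeps working if a later version adds or reorders columns. The allowed RDP connection from 10.0.0.12 is deliberately left out of the summary: the point of logging drops is to see who is knocking, and mixing in allowed traffic hides that.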

 

Configuring IPsec Settings

The IPsec Settings dialog box shown in Figure 5 opens when you click the Customize button on the IPsec Settings tab of the Windows Firewall with Advanced Security on Local Computer property sheet. These settings are used when you create computer connection security rules.


Figure 5. Configuring IPsec settings

This dialog box allows you to specify the following options:

·         Key Exchange. To enable secure communication, two computers must be able to access the same shared key without transferring that key across the network. Clicking the Settings button allows you to configure security methods, key exchange algorithms, and key lifetimes.

·         Data Protection. IPsec data protection defines the algorithms used for data integrity and for encryption. Data integrity ensures that data is not modified in transit; Windows Firewall with Advanced Security uses either the Authentication Header (AH) or the Encapsulating Security Payload (ESP) protocol to provide it. Data encryption protects data by concealing the information; only ESP provides encryption, since AH authenticates the packet but does not encrypt it.

·         Authentication Method. This setting lets you choose the default authentication method for IPsec connections on the local computer, unless a different method is applied by a specific rule or by Group Policy settings. The out-of-box authentication method is Kerberos v5. You can also restrict connections to domain-joined computers or users, or to computers that have a certificate from a specified Certificate Authority (CA).

Viewing Rules

Rules allow certain programs, protocols, or services to pass through the firewall. For example, when you enable Remote Desktop in Windows Vista, Windows creates a rule to allow Remote Desktop connection attempts to reach the computer. To view current rules in Windows Firewall with Advanced Security, click either the Inbound Rules folder or the Outbound Rules folder in the console tree. Figure 6 shows an example of the Inbound Rules folder.


Figure 6. Viewing inbound rules

To enable a rule, click the rule, and then click Enable Rule in the Actions list. If a rule is enabled, you can disable the rule by clicking it and then clicking Disable Rule.

To view and modify the properties for a rule, click the rule and then click Properties. The property sheet for a rule (shown in Figure 7) features the tabs and options listed in Table 2.


Figure 7. Viewing properties for a rule

Table 2. Configurable properties for a rule

 

Tab

Option

Usage

General

Name

Type a name for the rule.

 

Description

Type a description of the rule.

 

Enabled

Turn the rule on or off. This setting indicates whether the rule is active. Disabled rules do not affect traffic that is allowed and blocked.

 

Action

Configure the following options:

·         Allow the connections. Use to allow any connection that matches all criteria specified by the rule. This option does not check whether the traffic is protected with IPsec or not.

·         Allow only secure connections. Use to allow any connection that matches all criteria specified by the rule and is also protected by IPsec. You can further specify that the connection must also be encrypted in order to be allowed. You must also create a connection security rule that specifies how traffic is protected otherwise the rule will never match.

·         Block. Use to create a rule that blocks connections meeting the criteria specified in the rule.

Programs and Services

Programs

Specify whether the full path to the executable on the local computer.

 

Services

Specify the service short name to which the rule applies.  This is mapped to the Security Identifier (SID) associated with the service.

Users and Computers

Authorized Computers

Specify that connections related to this rule are allowed only from a group of computers that you create. You can select this option only if you have also selected the option Allow only secure connections and if the connection has been protected using a credential that provides the Active Directory identity information (most commonly, computer Kerberos v5).

 

Authorized Users

Specify that connections related to this rule are allowed only from a group of users that you create. You can select this option only if you have also selected the option Allow only secure connections and if the connection has been protected using a credential that provides the Active Directory identity information (most commonly, user Kerberos v5).

Protocols and Ports

Protocol Type

Specify any type of IP protocol (for example, TCP or UDP).

 

Protocol Number

Windows automatically specifies a port number based on the protocol type. If you are using a custom protocol type, you can specify a protocol number.

 

Local port

Specify the local port over which traffic can pass. You can also specify a list of ports, or one of the keywords Dynamic RPC or RPC Endpoint Mapper.

Remote port

Specify the remote port over which traffic can pass. You can also specify a list of ports.

ICMP Settings

Specify particular ICMP types and codes. This option is only available if the protocol type is ICMPv4 or ICMPv6.

Scope

Local and Remote IP address

Specify the local and remote IP addresses, ranges of addresses, and subnets to which the rule applies.

Advanced

Profiles

Specify the profiles to which the rule applies. This can be any combination of domain, public, and private profiles.

 

Interface types

Specify the interface types to which the rule applies, such as a local area network, a wireless network adapter, or another connection type.

Creating New Rules

Windows Firewall with Advanced Security allows you to create the following types of rules:

·         Program rule. This type of rule allows traffic for a particular program. You can identify the program by program path and executable name.

·         Port rule. This type of rule allows traffic on a particular TCP or UDP port number or range of port numbers.

·         Predefined rule. Windows includes a number of Windows functions that you can enable, such as File and Printer Sharing, Remote Assistance, and Windows Collaboration. Creating a predefined rule actually creates a group of rules that allows the specified Windows functionality to access the network.

·         Custom rule. A custom rule allows you to create a rule that you may not be able to create using the other types of rules.

Creating a program rule on a local computer

1.       In Windows Firewall with Advanced Security, in the console tree, click Inbound Rules or Outbound Rules, depending on the type you want to create.

This action opens either the New Inbound Rule Wizard or the New Outbound Rule Wizard. The steps for creating an inbound or outbound rule are identical.

2.       On the Rule Type page, click Program, and then click Next.

3.       On the Program page, click This program path. Type the path for the executable file for the program. Click Next.

4.       On the Action page (shown in Figure 8), select the desired behavior, and then click Next.


Figure 8. Specifying actions for a rule

5.       On the Profile page, select the profiles to which the rule should apply, and then click Next.

6.       On the Name page, type a name and a description for the rule, and then click Finish.

Creating a port rule on a local computer

1.       In Windows Firewall with Advanced Security, in the console tree, click Inbound Connections or Outbound Connections, depending on the type you want to create.

This action opens either the New Inbound Rule Wizard or the New Outbound Rule Wizard. The steps for creating an inbound or outbound rule are identical.

2.       On the Rule Type page, click Port, and then click Next.

3.       On the Port and Protocol page (shown in Figure 9), select whether the rule should use the TCP or UDP protocol. Click Specific Local Ports, type in the numbers of the ports for which you need to create the rule, and then click Next.


Figure 9. Selecting a port number for a port rule

4.       On the Action page, select the desired behavior, and then click Next.

5.       On the Profile page, select the profiles to which the rule should apply, and then click Next.

6.       On the Name page, type a name and a description for the rule, and then click Finish.

Creating Connection Security Rules

A connection security rule forces two peer computers to authenticate before they can establish a connection and to secure information transmitted between the two computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules.

To create a computer connection security rule, use the following steps:

1.       In Windows Firewall with Advanced Security, in the console tree, click Computer Connection Security.

2.       In the Actions list, click New Rule.

The Rule Type page, shown in Figure 10, allows you to select the type of rule you want to create. Select a type, and use the wizard to configure the new rule according to the information in the following sections.


Figure 10. Using the New Authentication Rule Wizard to create a rule

Isolation

An isolation rule isolates computers by restricting connections based on credentials such as domain membership or health status. Isolation rules allow you to implement a server or domain isolation strategy. When you create an isolation rule, you will see the following wizard pages:

·         Requirements. You choose among the following ways for authentication to occur:

    ·         Request authentication for inbound and outbound connections.

    ·         Require authentication for inbound connections, and request authentication for outbound connections.

    ·         Require authentication for inbound and outbound connections.

·         Method. Whatever means of authentication you choose, you can select from the following authentication methods:

    ·         Default.

    ·         Computer and User (using Kerberos). This method uses computer and user Kerberos v5 authentication to restrict connections to domain-joined users and computers. This method is compatible only with computers running Windows Vista and later.

    ·         Computer (using Kerberos). This method uses Kerberos v5 authentication to restrict connections to domain-joined computers. This method is compatible with computers running any version of Windows 2000 and later.

    ·         Computer certificate. This method restricts connections to computers that have a certificate from a specified CA. This method is compatible with computers running any version of Windows. When using this method with computers running Windows Vista or later, you can also specify that only healthy certificates (those with a NAP health policy applied) are accepted.

    ·         Advanced. This setting allows you to designate multiple authentication methods.

·         Profile. Choose the profiles (Domain, Public, and Private) to which to apply the rule.

·         Name. Name the rule and type an optional description.

Authentication Exemption

You can use an authentication exemption to designate connections that do not require authentication. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group such as the default gateway. When you create an authentication exemption rule, you must configure options on the following wizard pages:

·         Exempt Computers. Add computers that are exempt from authentication. You can add a computer by IP address or IP address range, or you can add a predefined address such as the Default Gateway address.

·         Profile. Choose the profiles (Domain, Public, and Private) to which to apply the rule.

·         Name. Name the rule and type an optional description.

Server to Server

A server-to-server rule protects connections between specific computers. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication you want to use. When you create a server-to-server rule, you must configure options on the following wizard pages:

·         Endpoints. Specify the computers that are part of Endpoint 1 and Endpoint 2. Endpoint 1 can contain all computers, specific computers by IP address, or computers that use a certain connection type (such as a Local Area Network or wireless connection). Endpoint 2 can contain all computers or specific computers by IP address.

·         Requirements. Choose the way for authentication to occur. Options are identical to those described in the section “Isolation.”

·         Authentication Method. Choose a method for authentication, including Computer Certificate, Preshared Key, or a customized Advanced method.

·         Profile. Choose the profiles (Domain, Public, and Private) to which to apply the rule.

·         Name. Name the rule and type an optional description.

Tunnel

A tunnel rule allows you to protect connections between gateway computers and is typically used when connecting across the Internet between two security gateways. You must specify the tunnel endpoints by IP address and specify the authentication method by configuring the following wizard pages:

·         Tunnel Endpoints. Identify by IP address or IP address range the computers that are part of each endpoint – Endpoint 1 and Endpoint 2. Also identify by IP address which tunnel computer in each endpoint is closest to the computers in that endpoint.

·         Authentication Method. Choose a method for authentication, including Computer Certificate, Preshared Key, or a customized Advanced method.

·         Profile. Choose the profiles (Domain, Public, and Private) to which to apply the rule.

·         Name. Name the rule and type an optional description.

Custom

Use a custom rule to authenticate connections between two endpoints when you cannot set up authentication rules you need by using the other types of rules available in the new Connection Security Rule wizard. You will encounter the following wizard pages:

·         Endpoints. Specify the computers that are part of Endpoint 1 and Endpoint 2. Endpoint 1 can contain all computers, specific computers by IP address, or computers that use a certain connection type (such as a Local Area Network or wireless connection). Endpoint 2 can contain all computers or specific computers by IP address.

·         Requirements. Choose the way for authentication to occur. Options are identical to those described in the section “Isolation.”

·         Method. Choose the authentication method. Options are identical to those described in the section “Isolation.”

·         Profile. Choose the profiles (Domain, Public, and Private) to which to apply the rule.

·         Name. Name the rule and type an optional description.

Using the Netsh Advfirewall Command-Line Tool

Netsh is a command-line tool through which you can configure settings for network components. In Windows Vista, you can configure Windows Firewall with Advanced Security settings through a series of commands in the netsh advfirewall context. Using netsh, you can create scripts that automatically configure a set of Windows Firewall with Advanced Security settings, create rules, monitor connections, and display the configuration and status of Windows Firewall with Advanced Security.

To enter the netsh advfirewall context, at the command prompt, type:

netsh

When you enter the netsh context, the command prompt changes to the netsh> prompt. At the netsh> prompt, to enter the advfirewall context, type:

advfirewall

After you are in the advfirewall context, you can type commands in that context. Commands include the following:

·         export. Exports the current firewall policy to a file.

·         help. Displays a list of available commands.

·         import. Imports a policy from the specified file.

·         reset. Restores Windows Firewall with Advanced Security to the default policy.

·         set. Supports the following commands:

    ·         set file. Copies the console output to a file.

    ·         set machine. Sets the current machine on which to operate.

·         show. Shows the properties for a particular profile. For example:

    ·         show allprofiles

    ·         show domainprofile

    ·         show privateprofile

    ·         show publicprofile

In addition to the commands available for the advfirewall context, advfirewall also supports four subcontexts. To enter a subcontext, type the name of the subcontext at the netsh advfirewall> prompt. The available subcontexts are:

·         consec. Allows you to view and configure connection security rules.

·         firewall. Allows you to view and configure firewall rules.

·         monitor. Allows you to view and set monitoring configuration.

Tip In any netsh context, you can type help to view a full list of commands, including commands specific to that context. For information and syntax on a particular command, type the command name followed by /?.
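The wizard procedures above (program and port rules, an "Allow only secure connections" rule, and the isolation and authentication-exemption connection security rules) can be reproduced from the netsh advfirewall context in one script. The batch file below is an added example, not part of the original paper; the rule names, program path, port numbers, the 192.0.2.0/24 subnet and the export path are constructed sample values, and the syntax is that of the netsh advfirewall firewall and consec subcontexts on Windows Vista and later.

```batch
@echo off
rem Added example (not from the original paper): netsh advfirewall script that
rem mirrors the wizard steps. Rule names, paths, ports and the 192.0.2.0/24
rem subnet are constructed sample values. Run from an elevated command prompt.

rem --- Profile settings: firewall on in every profile, inbound blocked and
rem     outbound allowed by default (the Windows Vista defaults).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem --- Program rule: same result as the New Inbound Rule Wizard, Program type,
rem     applied to the domain profile only.
netsh advfirewall firewall add rule name="Contoso Agent (inbound)" ^
    dir=in action=allow program="C:\Program Files\Contoso\agent.exe" ^
    enable=yes profile=domain

rem --- Port rule: TCP 8443 inbound, domain and private profiles, restricted
rem     to a management subnet (the Scope properties of the rule).
netsh advfirewall firewall add rule name="Management console (TCP 8443)" ^
    dir=in action=allow protocol=TCP localport=8443 ^
    remoteip=192.0.2.0/24 profile=domain,private

rem --- "Allow only secure connections": security=authenticate means the rule
rem     matches only traffic already protected by IPsec under a connection
rem     security rule. Without a matching consec rule it never matches.
netsh advfirewall firewall add rule name="File sharing (IPsec only)" ^
    dir=in action=allow protocol=TCP localport=445 security=authenticate

rem --- Isolation rule: require authentication for inbound connections and
rem     request it for outbound, computer Kerberos v5, domain profile. Only
rem     domain-joined computers can then reach the port 445 rule above.
netsh advfirewall consec add rule name="Domain isolation" ^
    endpoint1=any endpoint2=any action=requireinrequestout ^
    auth1=computerkerb profile=domain

rem --- Authentication exemption for the default gateway, which cannot take
rem     part in IPsec (the wizard's Exempt Computers page).
netsh advfirewall consec add rule name="Exempt default gateway" ^
    endpoint1=any endpoint2=defaultgateway action=noauthentication

rem --- Verify the result, then export the policy as a backup that can be
rem     imported on another computer with "netsh advfirewall import".
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
netsh advfirewall consec show rule name=all
netsh advfirewall export "%TEMP%\wfas-policy.wfw"
```

Because the port 445 rule uses security=authenticate, removing or disabling the "Domain isolation" rule silently stops that traffic from matching, so check both rules together when troubleshooting.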

Managing Windows Firewall with Advanced Security via Group Policy

To centralize the configuration of large numbers of computers in an organization network that uses the Active Directory directory service, you can deploy settings for Windows Firewall with Advanced Security through Group Policy. Group Policy provides access to the full feature set of Windows Firewall with Advanced Security, including profile settings, rules, and computer connection security rules. In fact, you configure Group Policy settings for Windows Firewall with Advanced Security by opening the same snap-in through the Group Policy Object Editor. The domain-member computer requests Group Policy updates, which are therefore solicited traffic that is not dropped by default when Windows Firewall with Advanced Security is enabled (unless the outbound default is configured to block traffic).

Note When you configure Windows Firewall with Advanced Security in an organization network using Group Policy, Group Policy may disable specified local Windows Firewall with Advanced Security configuration options, even for local administrators.

In Windows Vista, the new Network Location Awareness provides the flexibility to ensure that Group Policy is properly applied in different situations. In previous versions of Windows, Windows processes Group Policy under the following circumstances:

·         Computer policies are processed when the Windows operating system starts.

·         User policies are processed when a user logs on.

·         Both computer and user policies are refreshed periodically.

Windows Vista processes Group Policy in the following additional circumstances:

·         Computer and user policies are processed when a computer establishes a Virtual Private Network (VPN) connection with a remote site.

·         Computer and user policies are processed when a computer comes out of hibernation or standby.

The additional circumstances help to ensure that computers obtain the most recent Group Policy settings more frequently and whenever the computer changes connections.

Monitoring

Windows Firewall with Advanced Security includes built-in tools for monitoring firewall rules, computer connection security rules, and security associations.

Firewall

Use the Firewall folder, shown in Figure 11, to monitor all active enabled rules, including rules for the active profile and rules distributed via Group Policy.

vistasec12.bmp

Figure 11. Monitoring Windows Firewall

Connection Security Rules

Use the Connection Security folder to monitor the following:

·         Connection Security Rules. This folder lists all of the enabled connection security rules with detailed information about their settings. Connection security rules use Internet Protocol security (IPsec) to secure communication between this computer and other computers. Connection security rules define which authentication, key exchange, data integrity, or encryption can be used to form a security association (SA). An SA defines the security used to protect the communication from sender to.

·         Security associations. This folder lists all of the Main Mode and Quick Mode SAs with detailed information about their settings and endpoints.

·         Main Mode. This folder lists all of the Main Mode SAs with detailed information about their settings and endpoints. You can use this folder to view the IP addresses of the endpoints.

·         Quick Mode. This folder lists all of the Quick Mode SAs with detailed information about their settings and endpoints. You can use this folder to view the IP addresses of the endpoints.

Summary

Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. While end-user configuration still takes place through the Windows Firewall tool in Control Panel, advanced configuration of Windows Firewall now takes place in a Microsoft Management Control (MMC) snap-in named Windows Firewall with Advanced Security. Firewall functions are now integrated with IPsec (Internet Protocol security) protection settings, reducing the possibility of conflict between the two protection mechanisms.

Windows Firewall with Advanced Security also works with Network Location Awareness (NLA) so that it can apply security settings based on the type of network to which a computer connects. Windows Firewall with Advanced Security supports separate profiles for when computers are domain-joined or connected to a private or public network.

See Also

·         Windows Firewall Web page at http://www.microsoft.com/windowsfirewall

·         Network Access Protection Web page at http://www.microsoft.com/nap

·         Server and Domain Isolation Web page at http://www.microsoft.com/sdisolation

·         IPsec Web page at http://www.microsoft.com/ipsec
