Windows Firewall

Windows Firewall is a host-based firewall included with Windows XP Service Pack 2 and later, and with Windows Server 2003 Service Pack 1 and later. It filters incoming traffic, protecting the local computer from malicious users and programs that rely on unsolicited incoming traffic to attack it.

Starting with Windows Vista and Windows Server 2008, Windows Firewall can also filter outgoing traffic, and it combines firewall rules with Internet Protocol security (IPsec) traffic protection in one set of rules. It is configured through the Windows Firewall with Advanced Security console.

To open Windows Firewall with Advanced Security, click the Tools menu in Server Manager and select Windows Firewall with Advanced Security.

In the Windows Firewall with Advanced Security window you will see three firewall profiles: Domain, Private, and Public. A profile is a way of grouping firewall rules and connection security rules, which are applied to the computer depending on the network it is connected to.

Domain Profile
The Domain profile is active when the computer is a member of an Active Directory (AD) domain. It is applied to a network interface (NIC) when that interface is connected to a network on which the computer can detect a domain controller of the domain it is joined to.

Private Profile
The Private profile is applied to a NIC when it is connected to a network that the user or administrator has identified as private. This can be a home network that is not connected directly to the Internet but sits behind some kind of security device, such as a router or hardware firewall.

Public Profile
The Public profile is applied to a NIC when it is connected to a public network (such as the Wi-Fi in a coffee shop). Public is the default profile unless the network has been set to Private or the computer is a member of an AD domain.

Network location awareness enables network-aware programs to change their behavior based on how the computer is connected to the network. With Windows Firewall with Advanced Security, you can create rules that apply only when the profile associated with a specific network location type is active on your computer.

While the computer can communicate with a domain controller, the Domain profile is applied automatically and cannot be changed. If communication with the domain controller is interrupted and the computer is detected to be connected to an external network, the profile automatically changes to Public.

The basic behavior of each profile can be configured as follows:

  1. Open Windows Firewall with Advanced Security.
  2. Right-click Windows Firewall with Advanced Security on Local Computer and select Properties.
  3. You can specify the behavior of the firewall for each profile by clicking on the corresponding profile tab.

    • Firewall state
      Here you can select On (recommended) so that Windows Firewall uses the settings for this profile to filter network traffic, or you can select Off to turn off Windows Firewall for this profile.
    • Inbound connections
      Here you can determine the behavior for inbound connections that do not match an inbound firewall rule. You can choose the following behavior:

      • Block (default)
        Will block all connections that do not have firewall rules that explicitly allow the connection.
      • Block all connections
        Will block all connections, regardless of any firewall rules that explicitly allow the connection.
      • Allow
        Will allow the connection unless there is a firewall rule that explicitly blocks the connection.
    • Outbound connections
      Here you can determine the behavior for outbound connections that do not match an outbound firewall rule. You can choose the following behavior:

      • Block
        Will block all connections that do not have firewall rules that explicitly allow the connection.
      • Allow (default)
        Will allow all connections unless there is a firewall rule that explicitly blocks the connection.
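
The same per-profile settings can be applied and audited from PowerShell. This is an added example, not code from the original post; it assumes the NetSecurity module (Windows 8 / Windows Server 2012 and later) and an elevated prompt.

```powershell
# Added example, not from the original post: apply the per-profile
# defaults described above and audit them. Assumes the NetSecurity
# module (Windows 8 / Windows Server 2012 and later) in an elevated prompt.

# Turn every profile on and set the documented defaults: inbound traffic
# that matches no rule is blocked, outbound traffic that matches no rule
# is allowed. (The GUI's "Block all connections" is -AllowInboundRules False.)
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# Log dropped packets so a missing rule shows up in pfirewall.log
# instead of as a silent connection failure.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# Audit: flag any profile that is off or allows unmatched inbound traffic.
function Test-FirewallProfileBaseline {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile         = $_.Name
            Enabled         = $_.Enabled
            DefaultInbound  = $_.DefaultInboundAction
            DefaultOutbound = $_.DefaultOutboundAction
            Compliant       = ($_.Enabled -eq 'True') -and
                              ($_.DefaultInboundAction -eq 'Block')
        }
    }
}

Test-FirewallProfileBaseline | Format-Table -AutoSize
```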

 

Filtering Inbound and Outbound Traffic

In Windows Firewall with Advanced Security, you can define filters for incoming traffic (Inbound Rules) and for outgoing traffic (Outbound Rules).

Creating Firewall Rules
Firewall rules can be added when needed. For example, to add an inbound rule:

  1. From the Windows Firewall with Advanced Security window, right-click Inbound Rules and select New Rule. The New Inbound Rule Wizard opens.
  2. On the Rule Type page you can choose between 4 basic types of firewall rules:
    • Program
      This type of rule will allow a connection based on the program that is trying to connect. You only need to specify the path to the program executable file (.exe).
    • Port
      This type of rule will allow a connection based on the TCP or UDP port number over which the computer is trying to connect.
    • Predefined
      This type of rule will allow a connection by selecting one of the programs or services from a pre-defined list. This list will have most of the well-known services and programs available on the computer, as well as network programs that you installed on the computer.
    • Custom
      This type of rule will create a firewall rule that you can configure to allow a connection based on criteria not covered by the other types of firewall rules.


  3. Select the type of rule you want to create and click Next. The next page changes according to the type of rule you selected. For the purposes of this guide I selected a Port rule. On the Protocol and Ports page, specify the protocol (TCP or UDP) and the local port or ports (you can specify more than one port number). Click Next.
  4. On the Action page, you can specify the action to take for incoming traffic that matches the rule criteria.
    • Allow the connection
      This will allow network packets that match the rule criteria.
    • Allow the connection if it is secure
      This option allows you to specify that only connections that are protected by Internet Protocol security (IPsec) are allowed.
    • Block the connection
      This option will block any network packet that matches the rule criteria.


  5. On the Profile page, you can specify the profiles to which the rule will be applied. You can select one profile, or any combination of profiles. Click Next.
  6. On the Name page, you can give your rule a name and an optional description. Then click Finish.
  7. Your new rule is now listed with the other inbound rules in the Windows Firewall with Advanced Security window.

You can create an outbound rule following the same steps.
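The wizard's pages map directly onto the parameters of New-NetFirewallRule. The block below is an added example, not code from the original post; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated prompt, and rule names chosen for the example.

```powershell
# Added example, not from the original post: the New Inbound Rule Wizard's
# Port rule expressed with New-NetFirewallRule, once per Action choice.
# Assumes the NetSecurity module (Windows 8 / Server 2012 and later) and
# an elevated prompt. Rule names are constructed for the example.

# Rule Type: Port; Protocol and Ports: TCP 3389; Action: Allow;
# Profile: Domain only; Name and Description from the wizard's last page.
New-NetFirewallRule -DisplayName 'RDP-In (domain only)' `
    -Description 'Allow Remote Desktop while on the corporate network' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Allow -Profile Domain

# "Allow the connection if it is secure": same rule, but the peer must be
# authenticated by an IPsec connection security rule first.
New-NetFirewallRule -DisplayName 'RDP-In (IPsec required)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Allow -Authentication Required -Profile Domain

# "Block the connection": explicit block rules take precedence over allow
# rules, so this stops Telnet (TCP 23) even if an allow rule is added later.
New-NetFirewallRule -DisplayName 'Telnet-In (blocked)' `
    -Direction Inbound -Protocol TCP -LocalPort 23 `
    -Action Block -Profile Any

# An outbound rule has the same shape with -Direction Outbound; here a
# roaming laptop is stopped from talking SMTP directly on public networks.
New-NetFirewallRule -DisplayName 'SMTP-Out (blocked)' `
    -Direction Outbound -Protocol TCP -RemotePort 25 `
    -Action Block -Profile Public

# Review what was created together with each rule's port filter.
Get-NetFirewallRule -DisplayName 'RDP-In*', '*blocked*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        RemotePort = $port.RemotePort
        Profile    = $_.Profile
    }
} | Format-Table -AutoSize
```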

Below are a few things you should remember and know.

Enabling Ping
As you may know, when you use the Ping tool against the IP address of the computer you want to test, you send an ICMP Echo Request message to that computer and expect an ICMP Echo Reply message in response.
By default, Windows Firewall does not allow incoming ICMP Echo Request messages, so the computer cannot send an ICMP Echo Reply in response.

To enable ICMP Echo messages:
In the Windows Firewall with Advanced Security window, click Inbound Rules. Scroll down to File and Printer Sharing (Echo Request - ICMPv4-In), right-click the rule and select Enable Rule.

Remember the following well-known port numbers and protocols:

Telnet        TCP 23
DNS           TCP/UDP 53
HTTP          TCP 80
SMTP          TCP 25
RDP           TCP 3389
HTTPS (SSL)   TCP 443

Also remember the VPN protocols:

PPTP   TCP port 1723, plus Generic Routing Encapsulation (GRE), IP protocol 47
SSTP   TCP port 443
L2TP   UDP port 1701; L2TP is often used with IPsec to establish a VPN.
IPsec uses IP protocol 50 for Encapsulating Security Payload (ESP); UDP port 500 is used by IKEv1.

Enabling HTTPS (SSL)
To enable HTTPS (SSL), create an inbound rule allowing traffic on TCP port 443.

Enabling PPTP
To enable PPTP VPN connections, create a custom inbound rule permitting IP protocol 47 (GRE) and a port inbound rule opening TCP port 1723.

Firewall Rule Customization
Firewall rules can also be customized so that they apply only when communicating with a particular network. In other words, if you want a firewall rule to apply only to selected computers, you can specify the local and/or remote IP addresses the rule applies to.

To do this, select the rule you wish to customize, right-click it and select Properties, then click the Scope tab. There you can add the local IP addresses and remote IP addresses the rule applies to.
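The Enabling Ping, Enabling PPTP and Firewall Rule Customization sections above can be scripted together. This is an added example, not code from the original post; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), an elevated prompt, and a placeholder VPN client subnet.

```powershell
# Added example, not from the original post, covering the Ping, PPTP and
# Scope sections. Assumes the NetSecurity module (Windows 8 / Server 2012
# and later) and an elevated prompt; 10.20.0.0/16 is a constructed placeholder.

# Enabling Ping: turn on the predefined ICMPv4 echo rule instead of
# writing a new one, so the built-in rule group stays intact.
Enable-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)'

# Enabling PPTP: two rules, because GRE (IP protocol 47) has no ports,
# so the control channel and the tunnel traffic need separate matches.
New-NetFirewallRule -DisplayName 'PPTP-In (GRE)' `
    -Direction Inbound -Protocol 47 -Action Allow -Profile Domain, Private
New-NetFirewallRule -DisplayName 'PPTP-In (TCP 1723)' `
    -Direction Inbound -Protocol TCP -LocalPort 1723 -Action Allow -Profile Domain, Private

# Scope: limit both PPTP rules to the VPN client subnet, the same thing
# as adding it to the Remote IP address list on the rule's Scope tab.
Get-NetFirewallRule -DisplayName 'PPTP-In*' |
    Set-NetFirewallRule -RemoteAddress '10.20.0.0/16'

# Verify: show each rule with its protocol, port and remote scope.
function Get-RuleScopeReport {
    param([string[]] $DisplayName)
    Get-NetFirewallRule -DisplayName $DisplayName | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Enabled  = $_.Enabled
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Remote   = ($addr.RemoteAddress -join ',')
        }
    }
}

Get-RuleScopeReport -DisplayName 'PPTP-In*', 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Format-Table -AutoSize
```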

Connection Security Rules
Connection security rules use IPsec to protect network communication. IPsec protects network traffic from address spoofing, data injection, session hijacking, and other types of data tampering, and it can additionally be configured to encrypt IP packets. With this in mind, you can easily create a rule for IPsec-protected network communication:

  1. In the Windows Firewall with Advanced Security window, right-click Connection Security Rules and select New Rule. The New Connection Security Rule Wizard opens.
  2. On the Rule Type page you can choose between 5 basic types of rules:
    • Isolation
      This rule will restrict connections based on authentication criteria that you define. For example, you can isolate domain-joined computers from computers that are outside the domain.
    • Authentication exemption
      With this rule you can specify the computers to be exempted from being required to authenticate, regardless of other connection security rules.
    • Server-to-server
      This rule will allow you to authenticate the communications between two specified computers, between two groups of computers, between two subnets, or between a specified computer and a group of computers or a subnet.
    • Tunnel
      This rule type allows you to secure communications between two computers by using tunnel mode, instead of transport mode, in IPsec.
    • Custom
      This rule type allows you to create a rule that requires special settings.


  3. Select the type of rule you want to create and click Next. The next page will change according to the type of rule you selected.
    • If you select Isolation type then the following pages will be:
      • Requirements
      • Authentication Method
    • If you select Authentication exemption type then the following pages will be:
      • Exempt Computers
    • If you select Server-to-server type then the following pages will be:
      • Endpoints
      • Requirements
      • Authentication Method
    • If you select Tunnel type then the following pages will be:
      • Tunnel Type
      • Requirements
      • Tunnel Endpoints
      • Authentication Method
    • If you select Custom type then the following pages will be:
      • Endpoints
      • Requirements
      • Authentication Method
      • Protocols and Ports
  4. On the Profile page, common for all rules types, you can specify the profiles to which the rule will be applied. You can select one profile, or any combination of profiles. Click Next.
  5. Finally, on the Name page, also common for all rule types, you can give a Name to your rule and an optional Description of the rule. Then click Finish.
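The Isolation, Authentication exemption and Server-to-server rule types from the wizard correspond to New-NetIPsecRule with different Requirements and Endpoints settings. This is an added example, not code from the original post; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), domain-joined computers, an elevated prompt, and placeholder addresses.

```powershell
# Added example, not from the original post: connection security rules
# built with New-NetIPsecRule. Assumes the NetSecurity module (Windows 8 /
# Server 2012 and later), domain-joined computers and an elevated prompt.
# All addresses below are constructed placeholders.

# Isolation rule. Requirements page: require authentication for inbound,
# request it for outbound, so outbound still works against peers that
# cannot do IPsec. With no -Phase1AuthSet the profile's default set is
# used, which on a domain member is computer authentication via Kerberos.
New-NetIPsecRule -DisplayName 'Domain isolation' `
    -Description 'Only authenticated domain members may connect inbound' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Profile Domain

# Authentication exemption. Exempt Computers page: both directions None
# for hosts that must stay reachable without IPsec, such as the domain
# controllers that issue the Kerberos tickets in the first place.
New-NetIPsecRule -DisplayName 'Exempt domain controllers' `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress '10.0.0.10', '10.0.0.11' -Profile Domain

# Server-to-server rule. Endpoints page: two subnets, authentication
# required in both directions.
New-NetIPsecRule -DisplayName 'App tier to DB tier' `
    -LocalAddress '10.0.20.0/24' -RemoteAddress '10.0.30.0/24' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Profile Domain

# Review the rules that are actually in effect and their requirements.
Get-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile, Enabled |
    Format-Table -AutoSize
```

Roll an isolation rule out with OutboundSecurity Request first and watch for connection failures before tightening it, since a Require rule cuts off every peer that cannot authenticate.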

The various Windows Firewall with Advanced Security configurations shown in this post can also be managed centrally through Group Policy if you have an Active Directory environment. My next few posts will be about Active Directory.
