Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
In this guide, you learn about how to create and deploy settings for Windows Firewall with Advanced Security by stepping through procedures that illustrate the common tasks you have to perform in typical scenarios.
Specifically, you configure settings in GPOs to control the following Windows Firewall with Advanced Security options:
Enable or disable the Windows Firewall, and configure its basic behavior.
Determine which programs and network ports are allowed to receive incoming network traffic.
Determine which outgoing network traffic is allowed or blocked.
Support network traffic that uses multiple or dynamic ports, such as those that use Remote Procedure Call (RPC), or the File Transfer Protocol (FTP).
Require that all network traffic entering specific servers be protected by Internet Protocol security (IPsec) authentication and optionally encrypted.
You work with several computers that perform common roles found in a typical network environment. These include a domain controller, a member server, and a client computer, as shown in the following illustration.
The scenario described in this guide includes viewing and configuring firewall settings, and configuring a domain isolation environment. It also includes server isolation, which requires group membership to access a server and can optionally require that all traffic to the server is encrypted. Finally, it includes a mechanism to allow trusted network devices to bypass firewall rules for troubleshooting.
Each of the scenario steps are described in the following sections.
Examining default settings on clients and servers
In this section, you use Windows Firewall settings in Control Panel, the netsh command-line tool, and the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in to examine the default Windows Firewall with Advanced Security settings on the both the CLIENT1 and MBRSVR1 computers. By using the tools directly on a local computer is useful to see the current configuration and the firewall and connection security rules that are active on the computer. This section also compares the features that can be configured by using the Windows Firewall with Advanced Security MMC and the netsh command-line tool.
Deploying basic firewall settings by using Group Policy
This section shows you how to create a Group Policy object (GPO) that contains basic firewall settings, and then apply that GPO to the client computer. To ensure that only the correct computers can apply the GPO settings, you use security group filtering and Windows Management Instrumentation (WMI) filtering to restrict the GPO to only those computers that are in a specified computer group and that are running the specified version of Windows.
The GPO that you configure includes some of the basic Windows Firewall with Advanced Security settings that are part of a typical enterprise's GPO settings, such as:
Any local firewall setting created by a user, even a local administrator, is ignored.
Ensure that the firewall is enabled with your specified handling of network traffic, and cannot be disabled.
The computer does not display the notification when Windows Firewall with Advanced Security blocks a program from listening on a network port.
Creating rules that allow required incoming network traffic
By default, Windows Firewall blocks all incoming network connections that do not match an “allow” rule. On client computers that do not host any services, this might be sufficient. But for any program that acts as a network service, you must create rules to permit the unsolicited network packets from remote computers that want to connect to the application or network service. In this section, you create and modify inbound firewall allow rules to do the following:
Use predefined rule groups to support common network services.
Allow a program to listen for any network traffic it needs to operate.
Allow a program to listen for network traffic on a specified TCP or UDP port only.
Allow a network service to listen for network traffic.
Limit network traffic from only specified IP addresses, and to specific types of networks.
Apply different firewall behavior based on the network location type to which the computer is connected.
Support programs that use the dynamic port assigning capabilities of RPC.
One of the main benefits of integrating firewall and IPsec into the single Windows Firewall with Advanced Security interface is the ability to create firewall rules that allow network traffic only if the traffic is protected by IPsec. These rules are discussed in the Server Isolation and Authenticated Bypass sections of this guide.
Blocking unwanted outbound network traffic
By default, Windows Firewall allows all outbound network connections. Because of the very large number and variety of potential outbound network-aware client programs, it can be a very large amount of work to attempt to restrict outbound traffic. However, in some organizations, where the approved list of applications is known, and security dictates that no other application must be permitted to access the network, then Windows Firewall with Advanced Security supports changing the default outbound rule to block network traffic that is not permitted by an outbound allow rule. In this section, you configure the firewall to block all outbound traffic, and then create outbound firewall rules that allow only approved programs to send outbound traffic from a computer.
Deploying a basic domain isolation policy
In this section, you create IPsec connection security rules on your domain member computers that allow incoming network connection requests from authenticated domain member computers only.
Isolating a server by requiring encryption and group membership
In this section, you expand on the authentication rules created in the previous section, by creating connection security and firewall rules that require that a server or group of servers allow network traffic only from computers that are members of an authorized group. The rules also specify that the traffic to and from these servers must be encrypted.
Creating firewall rules that allow IPsec-protected network traffic to bypass block rules
When you have the firewall and connections security rules up and running, you typically end up blocking network security tools, such as port scanners from being able to do their jobs. Windows Firewall with Advanced Security lets you create firewall allow rules that can override block rules only when certain requirements are met. In this section, you configure firewall and connection security rules to allow IPsec-protected network traffic to bypass the firewall block rules. You also further restrict the rules to allow only specifically authorized users or computers, such as the network port scanners used by network troubleshooting and security teams.
Creating tunnel mode IPsec connection security rules
The rules that you create for the previously described scenarios all use IPsec Transport mode rules. Transport mode provides end-to-end protection from the originating source host all the way to the ultimate destination host. IPsec supports another mode of operation called tunnel mode, where the IPsec traffic is protected only for part of the path between the two hosts. In this section, you configure tunnel mode connection security rules to allow a client computer to access a remote network through an IPsec gateway.