CHAPTER 7  Windows Firewall and Remote Management

Lesson 1: Managing Windows Firewall

The firewall that ships with Windows 7 is designed to keep your computer safe, both when it is connected to the protected network in the office and when it is connected to the less-safe public WiFi networks of coffee shops and airport lounges. In this lesson, you learn the differences between Windows Firewall and Windows Firewall with Advanced Security. You also learn about connection security rules, which you can use to limit your computer’s network communication so that it occurs only with other computers that have proven their identity.

After this lesson, you will be able to:
- Configure rules for multiple profiles.
- Allow or deny applications.
- Create network-profile-specific rules.
- Configure notifications.
- Configure authenticated exceptions.

Estimated lesson time: 40 minutes

Windows Firewall

Firewalls restrict network traffic based on a collection of configurable rules. Another name for these rules is exceptions. When traffic reaches a network interface protected by a firewall, the firewall analyzes it and either discards it or allows it to pass, on the basis of the rules that have been applied to the firewall. Windows 7 uses two firewalls that work together: Windows Firewall and Windows Firewall with Advanced Security (WFAS). The primary difference between these firewalls is the complexity of the rules that can be configured for them. Windows Firewall uses simple rules that relate directly to a program or service. WFAS allows for more complicated rules that filter traffic on the basis of port, protocol, address, and authentication. WFAS is covered in more detail later in this lesson. When thinking about how firewall rules work, remember that unless a rule exists that explicitly allows a particular form of traffic, the firewall drops that traffic.
In general, you must explicitly allow traffic to pass across a firewall, though there will be some occasions when you need to configure a deny rule. You learn about deny rules later in this lesson. Windows Firewall and WFAS ship with a minimum number of default rules that allow you to interact with networks. This means that although you are able to browse the Web without having to configure a firewall rule, if you try to use an application to interact with the network that is not covered by a default rule, such as File Transfer Protocol (FTP), you receive a warning. This behavior is different from earlier versions of Microsoft Windows, such as Windows XP, where the firewall blocked only incoming traffic and did not block outgoing traffic. The firewall in Windows 7 blocks most outbound traffic by default. When a program is blocked for the first time, you are notified by the firewall, as shown in Figure 7-1, allowing you to configure an exception that allows traffic of this type in the future.

FIGURE 7-1 Most outbound traffic is blocked but generates a warning.

The Windows 7 firewall uses a feature known as full stealth. Stealth blocks external hosts from performing operating system (OS) fingerprinting. OS fingerprinting is a technique in which an attacker determines what operating system a host is running by sending special traffic to the host’s external network interface. After an attacker knows what operating system a host is using, they can target OS-specific exploits at the host. You cannot disable the stealth feature of Windows 7.

Boot-time filtering, another feature of Windows 7, ensures that Windows Firewall is working from the instant the network interfaces become active. In previous operating systems, such as Windows XP, the firewall, whether built into Windows or from a third-party vendor, became operational only once the startup process was complete.
This left a small but important period during which a network interface was active but not protected by a firewall. Boot-time filtering closes this window of opportunity.

To understand the operation of Windows Firewall, you need to be familiar with some core networking concepts. If you have a lot of experience with networks, you may want to skip ahead to the next section because you are already familiar with them. These core concepts are:

- Protocol: In terms of Windows Firewall, you need to consider only three protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). TCP is more reliable and is used for the majority of Internet traffic. UDP is used for broadcast and multicast data, as well as the sort of traffic associated with online games. You use ICMP primarily for diagnostic purposes.
- Port: A port is an identification number contained within the header of a TCP or UDP datagram. Ports are used to map network traffic to specific services or programs running on a computer. For example, port 80 is reserved for World Wide Web traffic and port 25 is reserved for the transmission of e-mail across the Internet.
- IPSec (Internet Protocol Security): IPSec is a method of securing network traffic by encrypting it and signing it. The encryption ensures that an attacker cannot read captured traffic. The signature allows the recipient of the traffic to validate the sender’s identity.
- Network address: Each host on a network has a network address. You can configure firewalls to treat traffic differently based on the destination network of outgoing traffic or the origin network of incoming traffic.
- Inbound traffic: Inbound traffic is network data that originates from an external host and is addressed to your client running Windows 7.
- Outbound traffic: Outbound traffic is traffic that your client running Windows 7 sends to external hosts over the network.
- Network interface: A network interface can be a physical local area network (LAN) connection, a wireless connection, a modem connection, or a virtual private network (VPN) connection.

Network Location Awareness

Network Location Awareness (NLA) is a feature through which Windows 7 assigns a network profile based on the properties of a network connection. As you can see in Figure 7-2, Windows 7 uses three network profiles: Domain Networks, Home Or Work (Private) Networks, and Public Networks. When you connect to a new network, Windows 7 queries you with a dialog box asking whether the network is a Home network, a Work network, or a Public network. Windows 7 remembers the designation that you assign to the network and associates it with the properties of the network, so that the same designation is applied the next time you connect the computer to that network. You can change the designation of a network using the Network And Sharing Center. You learned about changing network designations in Chapter 6. NLA assigns the Domain network profile when you log on to an Active Directory Domain Services (AD DS) domain.

FIGURE 7-2 Windows Firewall in Control Panel

Network profiles are important because you can use them to apply different collections of firewall rules based on which network profile is active. Figure 7-3 shows that the Windows Virtual PC rule is active in the Domain and Home/Work (Private) profiles but not in the Public profile. A significant difference between Windows Vista and Windows 7 is that in Windows 7, profiles apply on a per-network-interface basis. This means that if you have one network adapter connected to the Internet and another connected to your office LAN, different sets of rules apply for each connection.
The firewall in Windows Vista chooses the most restrictive network profile when a computer has connections to different network types and applies the most restrictive set of rules to all interfaces.

FIGURE 7-3 Allowing programs and features by profile

As shown in Figure 7-4, you can selectively enable Windows Firewall for each network profile. You can also specify whether you want notifications to appear to the logged-on user when Windows Firewall blocks a new program, and whether you want all incoming connections blocked, including those for which there are existing firewall rules. Users can create rules for the traffic that they have been notified about only if they have local administrator privileges.

FIGURE 7-4 Enabling Windows Firewall selectively

The primary reason you might want to disable Windows Firewall for all profiles is that you have a firewall product from another vendor and you want that vendor’s firewall to protect your computer rather than having Windows Firewall perform that function. It is important to note that you should not disable Windows Firewall just because there is another firewall, such as a small office/home office (SOHO) router or hardware firewall, between your client running Windows 7 and the Internet. It is possible that malware has infected another computer on your local network. Good security practice is to treat all networks as potentially hostile.

Allowing Programs Through Windows Firewall

Windows Firewall allows you to configure exceptions based on programs. This differs from Windows Vista, where Windows Firewall also allowed you to configure exceptions based on port address. You can still create rules based on port address; you just have to do it using WFAS, covered later in this lesson. You can also allow specific Windows 7 features, such as Windows Virtual PC, through Windows Firewall.
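The per-profile settings shown in Figure 7-4 (firewall state, notifications, block all incoming connections) and a profile-specific program exception can also be set from the command line with netsh advfirewall, the same tool the lesson uses later to reset the firewall. The script below is an added example written for this edit, not code from the training kit; the rule name Allow-FtpClient and the program path C:\Tools\ftpclient.exe are placeholders.

```powershell
# Added example, not from the training kit. Run from an elevated PowerShell
# (or command) prompt on Windows 7; each line is a netsh advfirewall command.
# The rule name and the program path are placeholders.

# 1. Which profiles NLA has activated on this computer (one per adapter), and
#    each profile's state, default inbound/outbound policy and notification
#    setting. Read these before changing anything.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

# 2. The equivalent of Figure 7-4: turn Windows Firewall on for every profile
#    and keep the notification that appears when a new program is blocked
#    (the dialog in Figure 7-1).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles settings inboundusernotification enable

# 3. On Public networks, block all incoming connections, including those that
#    an existing allow rule would otherwise permit (the "Block all incoming
#    connections" check box). The command takes an inbound,outbound pair, so
#    the outbound default is stated explicitly; use blockoutbound instead of
#    allowoutbound if unmatched outbound traffic should be dropped. The quotes
#    stop PowerShell from splitting the comma-separated pair into two arguments.
netsh advfirewall set publicprofile firewallpolicy "blockinboundalways,allowoutbound"

# 4. A program exception that is active only in the Domain and Private
#    profiles, the same choice as the Network Location Types button in
#    Figure 7-5. Public adapters keep dropping this program's inbound traffic.
netsh advfirewall firewall add rule name=Allow-FtpClient dir=in action=allow `
    program=C:\Tools\ftpclient.exe enable=yes "profile=domain,private"

# 5. Confirm the rule; the Profiles line should list Domain,Private only.
netsh advfirewall firewall show rule name=Allow-FtpClient verbose

# 6. Remove the example rule again.
netsh advfirewall firewall delete rule name=Allow-FtpClient
```

Values that contain a comma (profile lists, the firewallpolicy pair, address lists) must be quoted as a whole when typed into PowerShell; at a cmd.exe prompt the same commands work without the quotes.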
Feature rules become available when you enable the feature using the Programs And Features item in Control Panel. To add a rule for a feature or program, click the Allow A Program Or Feature Through Windows Firewall item in the Windows Firewall section of Control Panel. The dialog box, displayed earlier in Figure 7-3, shows a list of currently installed features and any programs for which rules have been created, as well as the profiles for which the rules concerning those programs and features are enabled. To modify the settings on this page, you need to click the Change Settings item. Only users who are members of the local Administrators group, or who have been delegated the appropriate privileges, are able to modify Windows Firewall settings. If the program that you want to create a rule for is not present on this list, click Allow Another Program. This opens the Add A Program dialog box, shown in Figure 7-5. If the program is not listed there either, click Browse to locate it. Use the Network Location Types button to specify the network profiles in which the rule should be active.

FIGURE 7-5 Adding a program exception

NOTE: RESET FIREWALL TO DEFAULT CONFIGURATION
You can reset Windows Firewall and WFAS to their out-of-the-box configuration by running the command netsh advfirewall reset from an elevated command prompt. You can also reset Windows Firewall and WFAS by clicking Restore Defaults in the Windows Firewall control panel.

Quick Check
- On what basis can you create rules for Windows Firewall (as opposed to WFAS)?

Quick Check Answer
- You can create rules for Windows Firewall only for programs and Windows 7 features. You cannot create rules for Windows Firewall based on port address or service.

Windows Firewall with Advanced Security

Windows Firewall with Advanced Security (WFAS) allows you to create nuanced firewall rules.
For most users, the options available with Windows Firewall will be enough to keep their computers secure. If you are a more advanced user, however, you can use WFAS to:

- Configure inbound and outbound rules. Windows Firewall does not allow you to create rules based on whether traffic is inbound or outbound.
- Configure rules that apply based on protocol type and port address.
- Configure rules that apply based on traffic that addresses specific services, rather than just specific applications.
- Limit the scope of rules so that they apply based on traffic’s source or destination address.
- Configure rules that allow traffic only if it is authenticated.
- Configure connection security rules.

You can access the WFAS console either by typing Windows Firewall with Advanced Security into the Search Programs And Files text box on the Start menu or by clicking the Advanced Settings item in the Windows Firewall control panel. The WFAS console displays which network profiles are currently active. As is the case with Windows Firewall, different collections of rules apply depending on which profile is active for a particular network adapter. For example, Figure 7-6 shows that the Domain Profile and Public Profile are active. In this case, it is because the computer on which this screen shot was taken is connected to a domain network through its wireless network adapter and to the Internet through a universal serial bus (USB) cellular modem. You could enable a rule that allows traffic on port 80 for the Domain Profile but not enable it for the Public Profile. This would mean that hosts contacting this computer through the wireless network adapter would be able to access a Web server hosted on the computer, whereas hosts attempting to access the same Web server through the USB cellular modem’s Internet connection are blocked.
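The three kinds of rule that WFAS adds over Windows Firewall (direction-specific, port-based, and service-based rules, each limited to chosen profiles) can be created with netsh advfirewall as well as in the wizard. The script below is an added example written for this edit, not code from the training kit; it builds the port 80 Domain-only rule described in the paragraph above plus a service rule and an outbound block rule. The rule names are placeholders; TermService is the real short name of the Remote Desktop service.

```powershell
# Added example, not from the training kit. Run from an elevated PowerShell
# prompt on Windows 7; rule names are placeholders.

# Inbound port rule, enabled only for the Domain profile: the Figure 7-6
# scenario. A Web server on this computer is reachable through the adapter
# that is in the Domain profile; the same port on an adapter in the Public
# profile has no matching allow rule, so the firewall drops that traffic.
netsh advfirewall firewall add rule name=Allow-HTTP-Domain dir=in action=allow `
    protocol=TCP localport=80 profile=domain

# Service rule, which only a WFAS custom rule can express: TCP 3389 is allowed
# only when the listener is svchost.exe hosting the Remote Desktop service
# (short name TermService), not any other process that happens to bind 3389.
netsh advfirewall firewall add rule name=Allow-RDP-Service dir=in action=allow `
    protocol=TCP localport=3389 program="$env:SystemRoot\system32\svchost.exe" `
    service=TermService profile=domain

# Outbound rule, the other thing Windows Firewall cannot express: block
# Telnet (TCP 23) leaving this computer in every profile.
netsh advfirewall firewall add rule name=Block-Telnet-Out dir=out action=block `
    protocol=TCP remoteport=23 profile=any

# Rules can be disabled without being deleted, and listed per profile to
# check what is actually in force on, say, an adapter in the Public profile.
netsh advfirewall firewall set rule name=Allow-HTTP-Domain new enable=no
netsh advfirewall firewall show rule name=all profile=public

# Remove the example rules again.
netsh advfirewall firewall delete rule name=Allow-HTTP-Domain
netsh advfirewall firewall delete rule name=Allow-RDP-Service
netsh advfirewall firewall delete rule name=Block-Telnet-Out
```

When a block rule and an allow rule both match the same traffic, WFAS applies the block rule; the only exception is the Override Block Rules option described later in this lesson, which requires the connection to be authenticated. This is why an explicit block rule such as Block-Telnet-Out is a reliable control even on a computer where a broad program rule allows the same client.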
Creating WFAS Rules

The process for configuring inbound rules and outbound rules is essentially the same: In the WFAS console, select the node that represents the type of rule that you want to create and then click New Rule. This opens the New Inbound (or Outbound) Rule Wizard. The first page, shown in Figure 7-7, allows you to specify the type of rule that you are going to create. You can select between a program, port, predefined, or custom rule. The program and predefined rules are similar to what you can create using Windows Firewall. A custom rule allows you to configure a rule based on criteria not covered by any of the other options. You would create a custom rule if you wanted a rule that applied to a particular service rather than a program or port. You can also use a custom rule if you want to create a rule that involves both a specific program and a set of ports. For example, if you wanted to allow communication to a specific program on a certain port but not other ports, you would create a custom rule.

FIGURE 7-6 Multiple active network profiles in the WFAS console

FIGURE 7-7 New Inbound Rule Wizard

If you decide to create a program rule, you then need to specify the program to which the rule applies. If you choose a port rule, you must choose whether the rule applies to the TCP or the UDP protocol. You must also specify port numbers. In the next step, you specify what action to take when the firewall encounters traffic that meets the rule conditions. The options are as follows:

- Allow the connection: WFAS allows the connection if the traffic meets the rule conditions.
- Block the connection: WFAS blocks the connection if the traffic meets the rule conditions.
- Allow the connection if it is secure: WFAS allows the connection if the traffic meets the rule conditions and is authenticated using one of the methods specified in the connection security rules. Security options are shown in Figure 7-8.

FIGURE 7-8 Security option settings

The default setting requires that the connection be authenticated and integrity protected, but not encrypted. Use the Require The Connection To Be Encrypted option if you want firewall rules to enforce data encryption as well as authentication and integrity protection. The Override Block Rules option allows you to specify a computer account or computer group that can bypass existing block rules.

Rule Scope

A rule scope allows you to specify whether a rule applies to specific source and destination addresses. If you want to create a rule that allows a particular type of traffic but want to limit that traffic to a particular set of network addresses, you need to modify the rule’s scope. You can specify a scope when creating a custom rule, but not when creating a standard program or port rule. For these rule types, you can specify the scope by editing the rule’s properties after it has been created, as shown in Figure 7-9. You can specify Internet Protocol (IP) addresses or IP address ranges, or use one of the predefined sets of computers, which include the Default Gateway, Windows Internet Naming Service (WINS) servers, Dynamic Host Configuration Protocol (DHCP) servers, Domain Name System (DNS) servers, and Local Subnet. You can specify both IPv4 and IPv6 addresses and ranges when configuring a rule’s scope.

FIGURE 7-9 Configuring rule scope

To modify a rule’s scope, perform the following actions:

1. Right-click the rule in the WFAS console and then choose Properties. This opens the Properties dialog box for the rule. Click the Scope tab.
2. If you want to limit the local IP address that the rule applies to (for example, when more than one address is assigned to a network adapter or there are multiple network adapters on your computer), select the These IP Addresses option below Local IP Address. Click Add and specify which address or addresses the rule applies to.
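Both the scope settings on the Scope tab and the authenticated exception described under Allow The Connection If It Is Secure can be configured with netsh advfirewall. The script below is an added example written for this edit, not code from the training kit; the rule names are placeholders, 192.0.2.0/24 and 10.0.0.25 are documentation addresses standing in for a management network and one of the computer's own addresses, and the connection security rule assumes a domain-joined client because it uses Kerberos computer authentication.

```powershell
# Added example, not from the training kit. Run from an elevated PowerShell
# prompt on a domain-joined Windows 7 client; names and addresses are
# placeholders.

# Scope at creation time: the allow rule matches inbound HTTP only when the
# remote address is on the local subnet or in one management network (the
# Remote IP Address half of the Scope tab in Figure 7-9). Quotes keep
# PowerShell from splitting the comma-separated list into two arguments.
netsh advfirewall firewall add rule name=Allow-HTTP-Scoped dir=in action=allow `
    protocol=TCP localport=80 "remoteip=localsubnet,192.0.2.0/24"

# Step 2 of the procedure above, from the command line: narrow the rule to one
# of this computer's own addresses when an adapter has several addresses or
# there are several adapters. dir=in restricts the change to the inbound rule
# of that name.
netsh advfirewall firewall set rule name=Allow-HTTP-Scoped dir=in new localip=10.0.0.25

# "Allow the connection if it is secure", part 1: a connection security rule
# that requires IPsec authentication of inbound connections and requests it
# for outbound ones, using Kerberos computer authentication (both ends must
# be domain members), in the Domain profile only.
netsh advfirewall consec add rule name=Require-Auth-In endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain

# Part 2: a firewall rule that allows file sharing (TCP 445) only for traffic
# that the connection security rule has authenticated. security=authenticate
# is the default option in Figure 7-8 (authenticated and integrity protected,
# not encrypted); security=authenc is Require The Connection To Be Encrypted.
netsh advfirewall firewall add rule name=Allow-SMB-Authenticated dir=in action=allow `
    protocol=TCP localport=445 security=authenticate profile=domain

# Verify scope and security settings, then remove the example rules.
netsh advfirewall firewall show rule name=Allow-HTTP-Scoped verbose
netsh advfirewall firewall show rule name=Allow-SMB-Authenticated verbose
netsh advfirewall consec show rule name=Require-Auth-In verbose
netsh advfirewall firewall delete rule name=Allow-HTTP-Scoped
netsh advfirewall firewall delete rule name=Allow-SMB-Authenticated
netsh advfirewall consec delete rule name=Require-Auth-In
```

A connection security rule with endpoint2=any and action=requireinrequestout drops every inbound connection from a host that cannot authenticate, including non-domain computers and printers on the same subnet; on a production client, set endpoint2 to the address ranges where authenticated peers actually live, and check the result with the verbose show commands before relying on it.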