Lesson 1: Managing Windows Firewall CHAPTER 7 393

3. If you want to limit the remote IP address that the rule applies to (for example, when you want the rule to apply only to inbound traffic from a specific subnet), select the These IP Addresses option under Remote IP Addresses and click Add to specify the individual IP addresses, network address, or IP address range.

You can use the Advanced options of a rule's properties to specify which network interfaces the rule applies to. This is similar to limiting the local IP addresses that the rule applies to, except that it is done by selecting a particular device, not the address attached to that device. On the Advanced tab, you can also configure how a rule responds to traffic that has passed through an edge device such as a Network Address Translation (NAT) router. The options are:

• Block edge traversal: When selected, the target of the rule is blocked from receiving unsolicited traffic from the Internet through a NAT device.
• Allow edge traversal: When selected, the target of the rule will process unsolicited traffic directly from the Internet through a NAT device.
• Defer to user: When selected, the user receives a message informing them of incoming traffic from a NAT device. If the user has sufficient privileges, they can block or allow the communication manually.
• Defer to application: When selected, application settings determine whether incoming traffic from a NAT device is accepted or rejected.

Connection Security Rules

Connection security rules are a special type of rule that deal with authenticated and encrypted traffic. You can use connection security rules to manage how communication occurs between different hosts on the network. You use the New Connection Security Rule Wizard, shown in Figure 7-10, to create connection security rules. Connections can be authenticated using the Kerberos V5 protocol, requiring either a domain computer and user account or a domain computer account.
If you select advanced properties, connections can be authenticated using NTLMv2, computer certificates from a particular certificate authority (CA), or a pre-shared key. The different connection security rules work in the following ways:

FIGURE 7-10 New connection security rule

• Isolation: Isolation rules allow you to limit communication to hosts that are able to authenticate using specific credentials. For example, you can use an isolation rule to stop computers from communicating with any hosts that are not members of an AD DS domain. You can configure an isolation rule to request authentication for inbound and outbound communication, require authentication for inbound communication and request it for outbound communication, or require authentication for all communication.
• Authentication exemption: These rules allow you to configure exemptions to isolation rules. You can configure authentication exemptions to allow a computer to connect to infrastructure servers, such as DHCP servers and DNS servers, without having to authenticate.
• Server-to-server: These rules allow you to protect connections between specific computers. They differ from isolation rules in that instead of applying to all connections, they apply to connections between hosts at specific addresses.
• Tunnel: These rules are similar to server-to-server rules, except that they apply to connections through tunnels to remote sites, such as site-to-site links.

NOTE: CONNECTION SECURITY RULES AND IPSec POLICIES
The relationship between connection security rules and IPSec policies is similar to the relationship between AppLocker and Software Restriction Policies. Both sets of rules do similar things, but the ones that you use depend on the operating systems used by the client computers in your organization. All editions of Windows 7 and Windows Vista support connection security rules, but Windows XP does not.
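The batch script below is an added example, not code from the book, that creates the isolation, authentication-exemption and server-to-server rules just described from the command line, using the netsh advfirewall consec context (the command-line counterpart of the New Connection Security Rule Wizard). The rule names and the server addresses 10.0.10.53, 10.0.10.67, 10.0.10.20 and 10.0.10.21 are constructed for the example; the action and auth1 keywords are the real netsh values.

```batch
@echo off
rem Added example (not from the book): connection security rules with netsh.
rem Run from an elevated command prompt; these commands change the live IPsec policy.
rem Constructed values: the rule names and every 10.0.10.x address below.

rem Refuse to continue unless the prompt is elevated (net session needs admin rights).
net session >nul 2>&1 || (echo This script must run from an elevated command prompt. & exit /b 1)

rem 1. Isolation rule: require authentication for inbound connections and request it
rem    for outbound ones, using the computer's Kerberos V5 (domain) credentials.
rem    A host that is not a domain member cannot authenticate, so it cannot connect inbound.
netsh advfirewall consec add rule name="Domain Isolation" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computerkerb ^
    profile=domain,private ^
    description="Inbound connections must authenticate with a domain computer account"

rem 2. Authentication exemption: DNS and DHCP are needed before the client can
rem    authenticate at all (addressing and name lookup), so those servers are excluded.
netsh advfirewall consec add rule name="Exempt Infrastructure Servers" ^
    endpoint1=any endpoint2=10.0.10.53,10.0.10.67 ^
    action=noauthentication ^
    profile=domain,private ^
    description="DNS and DHCP servers (constructed addresses) reachable without IPsec"

rem 3. Server-to-server rule: authentication required in both directions, but only
rem    between two named hosts instead of for every connection.
netsh advfirewall consec add rule name="Finance Server Link" ^
    endpoint1=10.0.10.20 endpoint2=10.0.10.21 ^
    action=requireinrequireout ^
    auth1=computerkerb ^
    profile=domain

rem List the rules as WFAS now holds them; compare with what the wizard produces.
netsh advfirewall consec show rule name=all

rem Main-mode security associations appear here once a peer has negotiated IPsec.
netsh advfirewall monitor show mmsa
```

The exemption rule is what keeps the isolation rule from locking the client out of the network: without it, the first DHCP or DNS exchange after boot would be held up waiting for an authentication the server never offers. Create the exemption before or together with the isolation rule, and check the show rule output before rolling the same commands out with WinRS.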
Importing and Exporting Firewall Configuration

Most organizations that use clients running Windows 7 apply firewall rules through Group Policy. In the event that you need to support a number of stand-alone clients running Windows 7, you can replicate complex firewall configurations using the WFAS Import Policy and Export Policy options. Importing and exporting policy also allows you to save the current firewall configuration state before you make changes to it. Exported policy files use the .wfw extension. Exported policies use a binary format, not Extensible Markup Language (XML) format like many other Windows 7 configuration files. You can also export and import firewall policies in the same .wfw format using the netsh advfirewall export or netsh advfirewall import commands.

Managing WFAS with Netsh

You can use the Netsh.exe command-line utility from an elevated command prompt to manage WFAS rules. The advantage of this is that you can combine it with Windows Remote Shell (WinRS), which you will learn about in the next lesson, to manage WFAS rules on other computers running Windows 7 on your network. You can also use Netsh.exe to script the creation of firewall rules on stand-alone computers that are not members of an AD DS domain and hence are not subject to domain-applied Group Policy. To use Netsh.exe to create WFAS firewall rules, you need to be in the advfirewall firewall context. The following are some examples of using Netsh.exe to create WFAS firewall rules:

• To create a rule named WebServerRule that applies in the domain profile and allows inbound traffic on TCP port 80, issue the command:
  netsh advfirewall firewall add rule name="WebServerRule" profile=domain protocol=TCP dir=in localport=80 action=allow
• To create a rule named AllowCalc that allows inbound traffic to the Calc.exe application in all network profiles, issue the command:
  netsh advfirewall firewall add rule name="AllowCalc" dir=in program="c:\windows\system32\calc.exe" action=allow
• To create a rule named BlockFTP that blocks outbound traffic from the Ftp.exe application, issue the command:
  netsh advfirewall firewall add rule name="BlockFTP" dir=out program="c:\windows\system32\ftp.exe" action=block

EXAM TIP
Know when you need to use WFAS to create a rule and when you can use Windows Firewall.

Practice: Configuring Windows Firewall

In this practice, you use Windows Firewall and WFAS to configure two different firewall rules. By interacting with the interface, you learn more about the types of rules that you can configure with each tool.

Exercise 1: Configuring Firewall Rules with Windows Firewall

In this exercise, you configure a rule that allows incoming traffic to the Internet Backgammon application. To complete this exercise, perform the following steps:

1. Log on to Canberra with the Kim_Akers user account.
2. Click Start, Control Panel, and System And Security.
3. Under Windows Firewall, click Allow A Program Through Windows Firewall.
4. In the Allow Programs To Communicate Through Windows Firewall dialog box, shown in Figure 7-11, click Change Settings.

FIGURE 7-11 Allow programs through Windows Firewall

5. Click Allow Another Program. This opens the Add A Program dialog box. Click Browse and navigate to the Program Files\Microsoft Games\Multiplayer\Backgammon folder. Select Bckgzm.exe and click Open.
6. Click Network Location Types and verify that the settings match those shown in Figure 7-12. Click OK and then click Add.

FIGURE 7-12 Choose Network Location Types

7.
Verify that a rule for Internet Backgammon now appears in the list of Allowed Programs And Features for the Home/Work (Private) profile but not for the Public profile, and then click OK.

Exercise 2: Configuring WFAS Rules

In this exercise, you configure a WFAS rule for a hypothetical Internet Relay Chat (IRC) server hosted on a client running Windows 7. You configure the rule to accept only authenticated connections from hosts on a specific subnet.

1. If you have not already done so, log on to the computer named Canberra with the Kim_Akers user account.
2. Click Start. In the Search Programs And Files text box, type Windows Firewall with Advanced Security, and click Windows Firewall with Advanced Security. This opens the Windows Firewall With Advanced Security console.
3. Select the Inbound Rules node. In the Actions pane, click New Rule.
4. On the Rule Type page, select Port and then click Next.
5. On the Protocols And Ports page, type 6667 in the Specific Local Ports box, as shown in Figure 7-13, and then click Next.

FIGURE 7-13 Specify TCP port 6667

6. On the Action page, select Allow The Connection If It Is Secure and then click Customize.
7. In the Customize Allow If Secure Settings dialog box, select the Require The Connections To Be Encrypted option, select the Allow The Computers To Dynamically Negotiate Encryption check box, as shown in Figure 7-14, and then click OK.

FIGURE 7-14 Customize secure connection settings

8. Click Next. On the Users page of the New Inbound Rule Wizard, click Next.
9. On the Computers page of the New Inbound Rule Wizard, click Next.
10. On the When Does This Rule Apply page, configure the rule to apply only in the Domain and Private profiles, and then click Next.
11. On the Name page, enter the name IRC Server Rule and then click Finish.
12. In the list of Inbound Rules, right-click the IRC Server Rule and then choose Properties.
13. Click the Scope tab.
In the Remote IP Address section, select These IP Addresses and then click Add.
14. In the This IP Address Or Subnet text box, enter 10.0.10.0/24 and then click OK.
15. Verify that the IRC Server Rule Properties dialog box matches Figure 7-15, and then click OK.

FIGURE 7-15 Configuring rule scope

Lesson Summary

• Windows Firewall and WFAS work together on a client running Windows 7.
• Windows Firewall allows for the creation of basic rules that apply to programs and Windows 7 features. You cannot configure rule scope or authentication settings for Windows Firewall rules.
• Network profiles allow different sets of firewall rules to apply depending on the properties of the network connection. The three network profiles are Domain, Public, and Home Or Work (Private).
• Windows Firewall rules can apply selectively to network profiles. Different network profiles can apply to different network interfaces at the same time.
• WFAS allows you to configure inbound and outbound firewall rules for ports, programs, and services.
• WFAS allows you to configure rule scope and authentication.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, "Managing Windows Firewall." The questions are also available on the companion DVD if you prefer to review them in electronic form.

NOTE: ANSWERS
Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the "Answers" section at the end of the book.

1. You are responsible for managing student laptops that have Windows 7 installed at a small community college. You want to prevent students from uploading files using FTP to FTP sites on the Internet but allow them to send outbound e-mail using the Simple Mail Transfer Protocol (SMTP). Which of the following rules would you configure to accomplish that goal?
A. Inbound rules
B.
Outbound rules
C. Isolation rules
D. Authentication exemption rules

2. You want to create a firewall rule that allows inbound communications on port 80 when your laptop computer with Windows 7 installed is connected to your office network, but blocks inbound communication on TCP port 80 when you are connected to your home network. Which of the following tools could you use to create this rule? (Choose all that apply.)
A. Windows Firewall
B. WFAS
C. Netsh
D. Netstat

3. What does the command netsh advfirewall firewall add rule name="CustomRule" profile=domain protocol=TCP dir=in localport=80 action=allow do when executed from an elevated command prompt?
A. Creates an inbound rule that applies only in the Domain profile and blocks traffic on port 80
B. Creates an outbound rule that applies only in the Domain profile and blocks traffic on port 80
C. Creates an inbound rule that applies only in the Domain profile and allows traffic on port 80
D. Creates an outbound rule that applies only in the Domain profile and allows traffic on port 80

4. You are configuring firewall rules on a client running Windows 7. You want to allow incoming traffic to the application named Application.exe, but only if it is authenticated. Which of the following steps should you perform to accomplish this goal?
A. Use Windows Firewall to create a rule
B. Use WFAS to create a rule
C. Use the Credential Manager to create a rule
D. Use the Authorization Manager to create a rule

5. You want Windows 7 to send you a message when the firewall blocks a new program while you are connected to your organization's domain network. Windows 7 should not send you a message when the firewall blocks a new program while you are connected to a public network. Which of the following settings should you configure? (Choose all that apply; each answer forms part of a complete solution.)
A.
In the Home Or Work (Private) Network Location Settings area, select Turn On Windows Firewall and enable Notify Me When Windows Firewall Blocks A New Program.
B. In the Home Or Work (Private) Network Location Settings area, select Turn On Windows Firewall and disable Notify Me When Windows Firewall Blocks A New Program.
C. In the Public Network Location Settings area, select Turn On Windows Firewall and enable Notify Me When Windows Firewall Blocks A New Program.
D. In the Public Network Location Settings area, select Turn On Windows Firewall and disable Notify Me When Windows Firewall Blocks A New Program.

Lesson 2: Windows 7 Remote Management

Remote management allows a user in one location to perform management tasks on a computer in another location. Through remote management, you can perform almost every task remotely that you can perform when you are sitting directly in front of the computer. In this lesson, you learn about the remote management technologies that can be used with Windows 7, including Remote Desktop, Remote Assistance, Windows PowerShell, and Windows Remote Shell (WinRS).

After this lesson, you will be able to:
• Use Windows PowerShell for remote management.
• Use WinRS for remote management.
• Configure Remote Assistance.
• Configure Remote Desktop.

Estimated lesson time: 40 minutes

Remote Desktop

Remote Desktop allows you to log on remotely to a computer running Windows 7 and to interact with that computer in the same manner as you would if you were sitting in front of it. Remote Desktop allows you to print using printers connected to the remote computer, or print to a local printer from an application running on the remote computer. Remote Desktop functions well as a management tool because it allows employees responsible for managing, maintaining, and configuring client operating systems to perform many of those tasks remotely.
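Lesson 1's "Managing WFAS with Netsh" section gives three add rule commands, Exercise 2 builds an authenticated and scoped rule in the wizard, and Remote Desktop, introduced above, needs an inbound rule of its own before the management computer can connect. The batch script below is an added example, not the book's code, that does all of this from the advfirewall firewall context: it exports the policy as a rollback point (the .wfw export described under "Importing and Exporting Firewall Configuration"), recreates the three example rules, expresses Exercise 2's IRC Server Rule in netsh terms (security=authdynenc is the command-line form of Require The Connections To Be Encrypted with dynamic negotiation, and edge=no is the Block Edge Traversal option from the Advanced tab), and finally enables the built-in Remote Desktop rule group while limiting it to the same 10.0.10.0/24 subnet. The C:\FirewallBackup path is constructed; the rule names, port 6667 and the subnet come from the lesson.

```batch
@echo off
rem Added example (not from the book): netsh equivalents of the Lesson 1 rules,
rem the Exercise 2 IRC Server Rule, and a scoped Remote Desktop allowance.
rem Constructed value: the C:\FirewallBackup path. 10.0.10.0/24, port 6667 and the
rem rule names WebServerRule, AllowCalc, BlockFTP, "IRC Server Rule" are the lesson's.

net session >nul 2>&1 || (echo Run this script from an elevated command prompt. & exit /b 1)

rem Save the current policy (binary .wfw) so everything below can be undone with:
rem   netsh advfirewall import "C:\FirewallBackup\before.wfw"
if not exist "C:\FirewallBackup" mkdir "C:\FirewallBackup"
netsh advfirewall export "C:\FirewallBackup\before.wfw" || exit /b 1

rem --- The three rules from the "Managing WFAS with Netsh" section ---
netsh advfirewall firewall add rule name="WebServerRule" profile=domain protocol=TCP dir=in localport=80 action=allow
netsh advfirewall firewall add rule name="AllowCalc" dir=in program="c:\windows\system32\calc.exe" action=allow
netsh advfirewall firewall add rule name="BlockFTP" dir=out program="c:\windows\system32\ftp.exe" action=block

rem --- Exercise 2 as one command ---
rem security=authdynenc    : allow only IPsec-authenticated, encrypted connections,
rem                          letting the peers negotiate the encryption dynamically
rem remoteip=10.0.10.0/24  : the Scope tab setting from step 14
rem profile=domain,private : the "When Does This Rule Apply" choice from step 10
rem edge=no                : Block Edge Traversal, so NAT-forwarded Internet traffic
rem                          never reaches the IRC listener
netsh advfirewall firewall add rule name="IRC Server Rule" dir=in protocol=TCP localport=6667 ^
    remoteip=10.0.10.0/24 profile=domain,private action=allow security=authdynenc edge=no

rem --- Remote Desktop (Lesson 2): enable the built-in rule group, then narrow it ---
rem The shipped rule accepts TCP 3389 from any address; restricting it to the
rem management subnet means only the administrators' hosts can reach the listener.
netsh advfirewall firewall set rule group="remote desktop" new enable=yes
netsh advfirewall firewall set rule group="remote desktop" new remoteip=10.0.10.0/24

rem --- Verify: verbose output shows the Security, RemoteIP, Edge and Profiles fields ---
netsh advfirewall firewall show rule name="IRC Server Rule" verbose
netsh advfirewall firewall show rule name=all dir=in verbose | findstr /I /C:"Rule Name" /C:"RemoteIP"
```

Because the script runs entirely through Netsh.exe, the same commands can be sent to another Windows 7 computer with WinRS once that lesson's setup is done; keep the export step first so every remote change has a known-good .wfw to import if a rule turns out to be too broad.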
NOTE: REMOTE MANAGEMENT TERMINOLOGY
For the purposes of clarity, when discussing remote management throughout this lesson, the management computer is the computer that the user is logged on to directly. The remote computer is the computer to which the user is making a remote desktop connection. All remote management technologies require that there be network connectivity between the management computer and the remote computer.

You can perform a logon using Remote Desktop if no one is currently logged on to the remote computer, though the remote computer does need to be switched on. If Wake On LAN is configured for the physical network interface, it is possible for the computer to wake from sleep or hibernate mode when an incoming remote desktop session is detected, though configuring Windows 7 to support this functionality is beyond the scope of the 70-680 exam. If a user locks the screen on their client running Windows 7, it is possible for that user to