Windows 7 Resource Kit- P27

Understanding Windows Firewall with Advanced Security CHAPTER 26 1253

[...] attempts. For example, a back-end database server might be configured to accept only authenticated connections from a front-end Web application server. For more information on how server isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic server isolation scenario.

■ Domain isolation  Domain isolation involves configuring connection security rules on both clients and servers so that domain members accept only authenticated (and optionally, encrypted) connection attempts from other domain members. By default, connection attempts from non-domain members are not accepted, but you can configure exception rules that allow unauthenticated connections from specific non-domain members. For more information on how domain isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic domain isolation scenario.

■ Network Access Protection  Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that enforces health requirements by monitoring and assessing the health of client computers when they try to connect or communicate on a network. Client computers that are found to be out of compliance with the health policy can then be provided with restricted network access until their configuration has been updated and brought into compliance with policy. Windows Firewall with Advanced Security can be used as part of a NAP implementation by creating connection security rules that require computer certificates for authentication. Specifically, client computers that are determined to be in compliance with health policy are provisioned with the computer certificate needed to authenticate. For more information on how NAP works and how to implement it, see http://www.microsoft.com/nap/.

■ DirectAccess  DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that provides users with the experience of being seamlessly connected to their corporate network any time they have Internet access. Using DirectAccess, users can securely access internal resources such as e-mail servers and intranet sites without first establishing a VPN connection to their corporate network. DirectAccess uses IPv6 together with IPsec tunnels to establish secure, bidirectional communications between the client computer and the corporate network over the public Internet. DirectAccess also integrates seamlessly with server and domain isolation scenarios and NAP implementations, enabling enterprises to create comprehensive end-to-end security, access, and health requirement solutions. For more information on how DirectAccess works and how to implement it, see http://www.microsoft.com/directaccess/.

DIRECT FROM THE SOURCE
Combining Domain Isolation with Server Isolation
Dave Bishop, Senior Technical Writer, WSUA Networking

You can easily combine both Domain Isolation and Server Isolation on the same network. The Domain Isolation rules that configure your computers to authenticate before connecting can also serve as the basis for identifying computers and users to restrict access to sensitive servers.
By default, only computer authentication is performed, but on computers that are running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2, you can configure the rules to also require user authentication. The client rules that support Domain Isolation support Server Isolation as well. To isolate a server, you configure the server to permit connections from authorized users and computers only. To do this, add a firewall rule to the isolated server that uses the Allow The Connection If It Is Secure action. This enables the Users and Computers tabs, where you can identify the user and computer accounts that are authorized to connect to the isolated server. No further configuration on the client computers is required; the user and computer credentials used for authentication for Domain Isolation are also used for the authorization on the isolated server. Server Isolation is an important defense-in-depth layer that helps to protect your sensitive servers, such as Payroll, Personnel, and other servers that must be carefully guarded.

TYPES OF CONNECTION SECURITY RULES

Depending on the scenario you want to implement or the business need you are trying to meet, different types of connection security rules may be needed for your environment. Windows Firewall with Advanced Security allows you to create the following types of connection security rules:

■ Isolation rules  These rules are used to isolate computers by restricting inbound connections based on credentials such as domain membership. Isolation rules are typically used when implementing a server or domain isolation strategy for your network.
■ Authentication exemption rules  These rules are used to identify computers that do not require authentication when attempting to connect to a domain member when implementing a domain isolation strategy.
■ Server-to-server rules  These rules are used to protect communications between specific computers. This is basically the same as an isolation rule except that you can specify the endpoints.
■ Tunnel rules  These rules are used to protect communications between gateways on the public Internet. In Windows 7, you can create dynamic tunnel endpoint rules that enable Client-to-Gateway and Gateway-to-Client tunnel configurations.
■ Custom rules  These rules can be created when the other types of connection security rules don't meet the needs of your environment.

SUPPORTED IPSEC SETTINGS FOR CONNECTION SECURITY RULES

Connection security rules use IPsec to protect traffic between the local computer and other computers on the network. IPsec is an industry-standard set of protocols for protecting communications over IP networks using cryptographic security services. IPsec can provide network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection to ensure the security of traffic as it passes across a network. For general information concerning IPsec concepts and how IPsec can be used to protect a network, see the resources available at http://www.microsoft.com/IPsec/.

The range of IPsec features supported in Windows Vista RTM was expanded, first in Windows Vista SP1 and then in Windows 7, to include new security methods, data integrity algorithms, data encryption algorithms, and authentication protocols. Tables 26-2 through 26-6 summarize the key exchange algorithms, data protection (integrity or encryption) algorithms, and authentication methods now supported for IPsec communications in Windows 7. Note that some algorithms are supported only for main mode or quick mode, and different authentication methods are supported for first and second authentication.
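The rule types above, scripted from the netsh advfirewall context that ships in Windows 7 instead of the New Connection Security Rule Wizard. This is an added example, not code from the Resource Kit: the rule names, the exemption address 192.0.2.10, the domain group CONTOSO\Payroll Servers, and TCP port 1433 are placeholders chosen for illustration.

```powershell
# Added example for this chapter, not code from the Resource Kit. Creates an
# isolation rule, an authentication exemption rule and a server isolation
# firewall rule with netsh advfirewall, then lists what was created.
# Run from an elevated PowerShell prompt on a domain member. Rule names,
# 192.0.2.10, CONTOSO\Payroll Servers and port 1433 are placeholders.

$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    # Runs one netsh command supplied as an argument array and throws if netsh
    # reports failure. PowerShell quotes any token that contains spaces, so
    # 'name=Domain Isolation' reaches netsh as "name=Domain Isolation", which
    # netsh accepts.
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $($output -join ' ')"
    }
    $output
}

# 1. Isolation rule (domain isolation). Inbound connections must authenticate
#    with computer Kerberos (the default first authentication); outbound
#    connections request IPsec but fall back to clear text, so the rule can be
#    deployed before every peer has it. Switch to requireinrequireout once
#    every domain member carries the rule.
Invoke-Netsh @('advfirewall', 'consec', 'add', 'rule',
    'name=Domain Isolation',
    'description=Require computer Kerberos authentication from domain members',
    'endpoint1=any', 'endpoint2=any',
    'action=requireinrequestout', 'auth1=computerkerb',
    'profile=domain', 'enable=yes') | Out-Null

# 2. Authentication exemption rule for a non-domain host that cannot
#    authenticate (a monitoring appliance, for example). It names a specific
#    endpoint, so it is more specific than the any/any isolation rule and wins
#    when both match (see Understanding Rules Processing). Keep exemptions few
#    and address-specific; each one is a hole in the isolation boundary.
Invoke-Netsh @('advfirewall', 'consec', 'add', 'rule',
    'name=Exempt Monitoring Appliance',
    'endpoint1=any', 'endpoint2=192.0.2.10',
    'action=noauthentication', 'profile=domain') | Out-Null

# 3. Server isolation, run on the protected server: an inbound firewall rule
#    with the Allow The Connection If It Is Secure action (security=authenticate)
#    limited to computers in a domain group. This is the Computers tab of the
#    snap-in; netsh takes the group as an SDDL string, so resolve its SID first.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO', 'Payroll Servers')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    'name=Payroll DB (TCP-In) - Isolated', 'dir=in', 'action=allow',
    'protocol=TCP', 'localport=1433',
    'security=authenticate', "rmtcomputergrp=D:(A;;CC;;;$sid)",
    'profile=domain') | Out-Null

# 4. Read back the rules, then (after a domain member connects) the main mode
#    security associations that Kerberos authentication produced.
Invoke-Netsh @('advfirewall', 'consec', 'show', 'rule', 'name=all')
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule',
    'name=Payroll DB (TCP-In) - Isolated', 'verbose')
Invoke-Netsh @('advfirewall', 'monitor', 'show', 'mmsa')
```

To add the user authentication the sidebar describes, give the isolation rule auth2=userkerb and authorize users on the server rule with rmtusrgrp (the Users tab) alongside rmtcomputergrp; as the sidebar notes, every peer must then be Windows Vista, Windows Server 2008 or later.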
For more information on how to configure IPsec settings in Windows 7, see the section titled "Creating and Configuring Connection Security Rules" later in this chapter.

TABLE 26-2 Supported Key Exchange Algorithms for IPsec Communications in Windows 7

KEY EXCHANGE ALGORITHM               NOTES
Diffie-Hellman Group 1 (DH Group 1)  Not recommended. Provided for backward compatibility only.
DH Group 2                           Stronger than DH Group 1.
DH Group 14                          Stronger than DH Group 2.
Elliptic Curve Diffie-Hellman P-256  Stronger than DH Group 2. Medium resource usage. Compatible only with Windows Vista and later versions.
Elliptic Curve Diffie-Hellman P-384  Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions.

TABLE 26-3 Supported Data Integrity Algorithms for IPsec Communications in Windows 7

DATA INTEGRITY ALGORITHM          NOTES
Message-Digest algorithm 5 (MD5)  Not recommended. Provided for backward compatibility only.
Secure Hash Algorithm 1 (SHA-1)   Stronger than MD5 but uses more resources.
SHA 256-bit (SHA-256)             Main mode only. Supported on Windows Vista SP1 and later versions.
SHA-384                           Main mode only. Supported on Windows Vista SP1 and later versions.
AES-GMAC 128 (Advanced Encryption Standard-Galois Message Authentication Code, 128-bit)
                                  Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 128 for integrity.
AES-GMAC 192                      Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 192 for integrity.
AES-GMAC 256                      Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 256 for integrity.
AES-GCM 128                       Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 128 for integrity.
AES-GCM 192                       Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 192 for integrity.
AES-GCM 256                       Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 256 for integrity.

TABLE 26-4 Supported Data Encryption Algorithms for IPsec Communications in Windows 7

DATA ENCRYPTION ALGORITHM                                             NOTES
Data Encryption Standard (DES)                                        Not recommended. Provided for backward compatibility only.
Triple-DES (3DES)                                                     Higher resource usage than DES.
Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128)  Faster and stronger than DES. Supported on Windows Vista and later versions.
AES-CBC 192                                                           Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions.
AES-CBC 256                                                           Strongest security. Highest resource usage. Supported on Windows Vista and later versions.
AES-GCM 128                                                           Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 192                                                           Quick mode only. Medium resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 256                                                           Quick mode only. Strongest security. Highest resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.

TABLE 26-5 Supported First Authentication Methods for IPsec Communications in Windows 7

FIRST AUTHENTICATION METHOD  NOTES
Computer (Kerberos V5)       Compatible with Microsoft Windows 2000 or later versions.
Computer (NTLMv2)            Use on networks that include systems running an earlier version of Windows and on stand-alone systems.
Computer certificate         The default signing algorithm is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. First authentication can also be configured to accept only health certificates when using a NAP infrastructure.
Pre-shared key               Not recommended.

TABLE 26-6 Supported Second Authentication Methods for IPsec Communications in Windows 7

SECOND AUTHENTICATION METHOD  NOTES
User (Kerberos V5)            Compatible with Windows 2000 or later versions.
User (NTLMv2)                 Use on networks that include systems running an earlier version of Windows and on stand-alone systems.
User certificate              The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
Computer health certificate   The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
DEFAULT IPSEC SETTINGS FOR CONNECTION SECURITY RULES

The default IPsec settings for Windows Firewall with Advanced Security are as follows:

■ Default key exchange settings (main mode):
  • Key exchange algorithm: DH Group 2
  • Data integrity algorithm: SHA-1
  • Primary data encryption algorithm: AES-CBC 128
  • Secondary data encryption algorithm: 3DES
  • Key lifetime: 480 minutes/0 sessions
■ Default data integrity settings (quick mode):
  • Primary protocol: Encapsulating Security Payload (ESP)
  • Secondary protocol: Authentication Header (AH)
  • Data integrity algorithm: SHA-1
  • Key lifetime: 60 minutes/100,000 KB
■ Default data encryption settings (quick mode):
  • Primary protocol: ESP
  • Secondary protocol: ESP
  • Data integrity algorithm: SHA-1
  • Primary data encryption algorithm: AES-CBC 128
  • Secondary data encryption algorithm: 3DES
  • Key lifetime: 60 minutes/100,000 KB

The default authentication method used for first authentication of IPsec connections is Computer (Kerberos V5). By default, no second authentication method is configured for IPsec connections.

Note that these defaults favor compatibility over strength: DH Group 2, SHA-1, and the 3DES fallback rank below DH Group 14, ECDH P-256, and SHA-256 in Tables 26-2 and 26-3, so consider raising them where every peer is Windows Vista SP1 or later.

By default, these settings are used when creating new connection security rules unless you select different settings when using the New Connection Security Rule Wizard. For more information, see the section titled "Creating and Configuring Connection Security Rules" later in this chapter.

Windows Firewall and Windows PE

Beginning with Windows 7 and Windows Server 2008 R2, you can now configure IPsec in Windows Preinstallation Environment (Windows PE) for added security during desktop and server deployment. While Windows PE 3.0 now supports IPsec by default, the computer you want to connect to may require additional configuration to allow a connection. The default IPsec settings for Windows PE 3.0 are as follows:

■ MM Security Offer: AES128-SHA1-ECDHP256, where MM is main mode.
■ MM Authentication Method: Anonymous
■ QM Policy: 3DES-SHA1; AES128-SHA1, where QM is quick mode.
■ QM Authentication Method: NTLMv2

Understanding Default Rules

Default rules specify the default behavior of Windows Firewall with Advanced Security when traffic does not match any other type of rule. Default rules can be configured on a per-profile basis. The possible default rules for inbound traffic are:

■ Block (the default for all profiles)
■ Block all connections
■ Allow

The possible default rules for outbound traffic are:

■ Allow (the default for all profiles)
■ Block

From a practical standpoint, the block all connections default rule for inbound traffic can be interpreted as "shields up" or "ignore all allow and allow-bypass rules." For information on configuring default rules, see the section titled "Configuring Firewall Profiles and IPsec Settings by Using Group Policy" later in this chapter.

Understanding WSH Rules

Windows Service Hardening (WSH) rules are built-in rules that protect Windows services (and thereby also the applications that use these services) by restricting services from establishing connections in ways other than they were designed. WSH rules are not exposed to management using the Windows Firewall with Advanced Security MMC snap-in, the Netsh command, or Group Policy. Third-party ISVs who create services for Windows can also create WSH rules to protect those services. For more information on this, see http://msdn.microsoft.com/en-us/library/aa365491.aspx.

Understanding Rules Processing

If more than one rule matches a particular packet being examined, Windows Firewall with Advanced Security must decide which of these rules to apply to the packet so as to decide what action to take. The order in which Windows Firewall with Advanced Security processes rules is as follows:

1. WSH rules (this is not configurable by the user)
2. Connection security rules
3. Authenticated bypass rules
4. Block rules
5. Allow rules
6. Default rules

When a packet is being examined by Windows Firewall with Advanced Security, the packet is compared to each of these types of rules in the order they are listed. If the packet matches a particular rule, that rule is applied, and rule processing stops. In addition, if two rules in the same group match, then the rule that is more specific (that is, has more matching criteria) is the one that is applied. For example, if rule A matches traffic to 192.168.0.1 and rule B matches traffic to 192.168.0.1 TCP port 80, then traffic to port 80 on that server matches rule B, and its action is the one taken.

By default, the rule processing described previously includes both local rules (firewall and/or connection security rules configured by the local administrator of the computer) and rules applied to the computer by Group Policy. If more than one Group Policy object (GPO) applies to a particular computer, the default rules come from the GPO with the highest precedence. Merging of local rules can be enabled or disabled using Group Policy. For more information, see the section titled "Considerations When Managing Windows Firewall Using Group Policy" later in this chapter.

Managing Windows Firewall with Advanced Security

Windows 7 and Windows Server 2008 R2 include tools for configuring and managing Windows Firewall with Advanced Security in both stand-alone and domain environments. These tools can be used to perform common tasks such as creating firewall rules to block or allow traffic, creating connection security rules to protect network traffic using IPsec, monitoring firewall and connection security activity, and more.
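What the default IPsec settings, default rules, and rule processing order described above look like when changed from an elevated prompt with netsh advfirewall. This is an added example, not code from the Resource Kit; it assumes a connection security rule named Domain Isolation already exists on the computer and uses 192.0.2.0/24 as a placeholder network.

```powershell
# Added example, not code from the Resource Kit. Raises the main mode and quick
# mode defaults to the stronger algorithms in Tables 26-2 to 26-4, provides a
# "shields up" switch for the inbound default rule, and adds a block rule that
# relies on the processing order. Run elevated. Assumes a connection security
# rule named "Domain Isolation" exists; 192.0.2.0/24 is a placeholder network.

$ErrorActionPreference = 'Stop'

function Invoke-Netsh {
    # Runs one netsh command from an argument array; throws on a non-zero exit code.
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output = & netsh.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $($output -join ' ')"
    }
    $output
}

# Main mode. The default offer is DH Group 2 with SHA-1 and a 3DES fallback.
# Offer only DH Group 14 and ECDH P-256 with AES-128 and SHA-256 (main mode
# accepts SHA-256) and shorten the SA lifetime from the 480 minute default.
# A peer that cannot negotiate any of these fails main mode, so confirm every
# peer is Windows Vista SP1 or later before rolling this out.
Invoke-Netsh @('advfirewall', 'set', 'global', 'mainmode', 'mmsecmethods',
    'dhgroup14:aes128-sha256,ecdhp256:aes128-sha256') | Out-Null
Invoke-Netsh @('advfirewall', 'set', 'global', 'mainmode', 'mmkeylifetime',
    '240min,0sess') | Out-Null

# Quick mode is set per connection security rule. SHA-256 is main mode only,
# so the quick mode choices are AES-GCM (named for both integrity and
# encryption, as Table 26-4 requires) or SHA-1 with AES-CBC; 3DES is dropped.
Invoke-Netsh @('advfirewall', 'consec', 'set', 'rule', 'name=Domain Isolation',
    'new', 'qmsecmethods=esp:aesgcm256-aesgcm256,esp:sha1-aes256') | Out-Null

# Inbound default rule. "Block all connections" (blockinboundalways) ignores
# every allow and allow-bypass rule; use it during an incident and return to
# the normal "Block" default afterwards. Outbound stays at the Allow default.
function Set-ShieldsUp {
    param([switch]$Enabled)
    $inbound = if ($Enabled) { 'blockinboundalways' } else { 'blockinbound' }
    Invoke-Netsh @('advfirewall', 'set', 'allprofiles', 'firewallpolicy',
        "$inbound,allowoutbound") | Out-Null
}
Set-ShieldsUp            # normal operation
# Set-ShieldsUp -Enabled # during an incident

# Rule processing: block rules are evaluated before allow rules, so this rule
# takes precedence over any allow rule for TCP 80 that also matches the lab
# network, regardless of which rule was created first.
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    'name=Block HTTP from lab network', 'dir=in', 'action=block',
    'protocol=TCP', 'localport=80', 'remoteip=192.0.2.0/24') | Out-Null

# Read the settings back.
Invoke-Netsh @('advfirewall', 'show', 'global') |
    Where-Object { $_ -match 'SecMethods|KeyLifetime' }
Invoke-Netsh @('advfirewall', 'show', 'allprofiles') |
    Where-Object { $_ -match 'Firewall Policy' }
Invoke-Netsh @('advfirewall', 'consec', 'show', 'rule', 'name=Domain Isolation') |
    Where-Object { $_ -match 'SecMethods' }
```

Main mode settings are global to the computer while quick mode proposals live on each connection security rule, which is why the two are changed with different netsh commands; apply the same values through the Group Policy node when more than one computer is involved.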
The sections that follow examine the tools that you can use to manage Windows Firewall with Advanced Security and describe some common management tasks.

Tools for Managing Windows Firewall with Advanced Security

The following tools can be used for managing Windows Firewall with Advanced Security:

■ Windows Firewall Control Panel item
■ Windows Firewall with Advanced Security MMC snap-in
■ Windows Firewall with Advanced Security Group Policy node
■ Netsh advfirewall command context

The sections that follow summarize the differences in functionality between using these various tools.

Managing Windows Firewall Using Control Panel

The Windows Firewall utility in Control Panel exposes only a small subset of Windows Firewall with Advanced Security functionality and is primarily intended for consumers and for users working in SOHO environments. Using this utility, a user on the local computer can perform the following tasks:

■ Turning Windows Firewall on or off for each type of network location (domain, private, or public)
■ Enabling or disabling firewall notifications for each type of network location
■ Verifying which firewall profiles apply to which network connections on the computer
■ Allowing a program or feature to communicate through Windows Firewall for a particular firewall profile (see Figure 26-7)
■ Restoring the default settings for Windows Firewall

Note that most actions involving Windows Firewall require local administrator credentials on the computer.

FIGURE 26-7 Viewing which firewall profiles allow Remote Assistance to communicate through Windows Firewall

Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in

The Windows Firewall with Advanced Security MMC snap-in exposes most of the functionality of Windows Firewall for advanced users and administrators of the local [...]

NOTE  The Windows 7 version of the Windows Firewall with Advanced Security snap-in can be used to manage Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2.

Using the Windows Firewall with Advanced Security snap-in, you can perform a wide variety of administrative tasks, [...] http://technet.microsoft.com/en-us/library/cc771920.aspx

[...]
BootTimeRuleCategory    Windows Firewall
FirewallRuleCategory    Windows Firewall
StealthRuleCategory     Windows Firewall
ConSecRuleRuleCategory  Windows Firewall

To view full details concerning a particular firewall rule such as the Remote Assistance (TCP-In) rule, first type firewall and press Enter to change to the netsh advfirewall firewall context, then use the show rule command as follows [...]

Common Management Tasks

The sections that follow briefly describe some common management tasks for administering Windows Firewall with Advanced Security on Windows 7 and Windows Server 2008 R2. For additional information concerning managing Windows Firewall with Advanced Security, see the references in the section titled "Related Information" at the end of this chapter.

[...] on to ensure maximum protection for computers running Windows 7 and Windows Server 2008 R2. However, should you need to enable or disable Windows Firewall with Advanced Security for some reason on a computer, you can do one of the following:

■ Open Windows Firewall from Control Panel and click Turn Windows Firewall On Or Off. Then select Turn Off Windows Firewall (Not Recommended) for each firewall profile [...]

[...] the TechNet Library:

■ "Configuring a Profile" at http://technet.microsoft.com/en-us/library/cc754139.aspx
■ "Configuring IPsec Settings" at http://technet.microsoft.com/en-us/library/cc733077.aspx
■ "Windows Firewall with Advanced Security Properties Page" at http://technet.microsoft.com/en-us/library/cc753002.aspx

Creating and Configuring Firewall Rules

You can create and configure firewall rules [...]

■ "Understanding Firewall Rules" at http://technet.microsoft.com/en-us/library/dd421709.aspx
■ "Firewall Rule Properties Page" at http://technet.microsoft.com/en-us/library/dd421727.aspx

FIGURE 26-13 Configuring a firewall rule

DIRECT FROM THE SOURCE
Using RPC with Windows [...]

[...] monitoring Windows Firewall with Advanced Security, see "Monitoring Windows Firewall with Advanced Security" at http://technet.microsoft.com/en-us/library/dd421717.aspx in the TechNet Library.

NOTE  The Monitoring node is not available under the firewall policy node in Group Policy.

Troubleshooting Windows Firewall

Tools for troubleshooting Windows Firewall with Advanced Security include the following:

■ [...]
■ Windows [...]

[...]
fe80::8413:5c0:13e9:79bc ff02::1:2 546 547 0 - - - - - - - SEND
2009-03-29 12:40:53 DROP TCP 192.168.1.176 192.168.1.175 49653 23 52 S 3161718899 0 8192 - - - RECEIVE
2009-03-29 12:40:53 ALLOW UDP 192.168.1.176 192.168.1.175 500 500 0 - - - - - - RECEIVE
2009-03-29 12:40:53 DROP TCP 192.168.1.176 192.168.1.175 49653 23 52 S 3161718899 0 8192 - - - RECEIVE
2009-03-29 12:40:56 DROP TCP 192.168.1.176 192.168.1.175 49653 23 52 S 3161718899 0 8192 - - - RECEIVE
2009-03-29 12:41:02 DROP TCP 192.168.1.176 192.168.1.175 49653 23 48 S 3161718899 0 65535 - - - RECEIVE
2009-03-29 12:41:24 ALLOW UDP fe80::8413:5c0:13e9:79bc ff02::1:2 546 547 0 - - - - - - - SEND
2009-03-29 12:41:36 ALLOW TCP 192.168.1.175 192.168.1.170 49871 389 0 - 0 0 0 - - - SEND
2009-03-29 12:41:36 ALLOW TCP 192.168.1.175 192.168.1.170 49872 445 0 - 0 [...]
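The log excerpt above is what Windows Firewall writes to pfirewall.log, and reading it by eye stops scaling after a few hundred lines. What follows is an added example, not code from the Resource Kit: a parser for that log format and a summary of dropped inbound attempts, which is the question the excerpt answers informally (192.168.1.176 repeatedly sending SYNs to telnet, port 23, on 192.168.1.175 and being dropped). The sample lines are constructed for this example and modelled on the excerpt; the field order is the one the log's own #Fields header declares.

```powershell
# Added example, not code from the Resource Kit: parses Windows Firewall log
# lines (%windir%\system32\LogFiles\Firewall\pfirewall.log) and summarises
# dropped inbound attempts per source, destination and port. The sample log is
# constructed for this example. Dropped packets are only written once logging
# is enabled: netsh advfirewall set allprofiles logging droppedconnections enable

# Field order assumed when a log has no '#Fields:' header (matches Windows 7).
$DefaultFields = 'date', 'time', 'action', 'protocol', 'src-ip', 'dst-ip', 'src-port', 'dst-port',
                 'size', 'tcpflags', 'tcpsyn', 'tcpack', 'tcpwin', 'icmptype', 'icmpcode', 'info', 'path'

# Constructed sample, modelled on the chapter's excerpt.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-03-29 12:40:53 DROP TCP 192.168.1.176 192.168.1.175 49653 23 52 S 3161718899 0 8192 - - - RECEIVE
2009-03-29 12:40:53 ALLOW UDP 192.168.1.176 192.168.1.175 500 500 0 - - - - - - - RECEIVE
2009-03-29 12:40:56 DROP TCP 192.168.1.176 192.168.1.175 49653 23 52 S 3161718899 0 8192 - - - RECEIVE
2009-03-29 12:41:02 DROP TCP 192.168.1.176 192.168.1.175 49653 23 48 S 3161718899 0 65535 - - - RECEIVE
2009-03-29 12:41:24 ALLOW UDP fe80::8413:5c0:13e9:79bc ff02::1:2 546 547 0 - - - - - - - SEND
2009-03-29 12:41:36 ALLOW TCP 192.168.1.175 192.168.1.170 49871 389 0 - 0 0 0 - - - SEND
2009-03-29 12:41:36 ALLOW TCP 192.168.1.175 192.168.1.170 49872 445 0 - 0 0 0 - - - SEND
'@

function ConvertFrom-FirewallLog {
    # Turns log lines into objects with one property per field plus a parsed
    # timestamp. Header lines start with '#'; a '#Fields:' header overrides the
    # assumed order. Lines with the wrong field count are reported and skipped
    # rather than silently mis-parsed.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $names = $DefaultFields
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $names = $Matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^\s*(#|$)') { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $names.Count) {
            Write-Warning "Skipping malformed line: $line"
            continue
        }
        $record = New-Object PSObject
        for ($i = 0; $i -lt $names.Count; $i++) {
            $record | Add-Member -MemberType NoteProperty -Name $names[$i] -Value $values[$i]
        }
        $stamp = [datetime]::ParseExact("$($record.date) $($record.time)", 'yyyy-MM-dd HH:mm:ss', $null)
        $record | Add-Member -MemberType NoteProperty -Name 'timestamp' -Value $stamp
        $record
    }
}

function Get-DroppedInboundSummary {
    # Groups inbound DROP entries by source, destination, protocol and port.
    # For TCP, entries that share a sequence number are one client
    # retransmitting its SYN, so they count as a single attempt; every other
    # protocol counts one attempt per packet.
    param(
        [Parameter(Mandatory=$true)][object[]]$Records,
        [int]$AttemptThreshold = 3
    )
    $Records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-ip', 'protocol', 'dst-port' |
        ForEach-Object {
            $entries = @($_.Group | Sort-Object timestamp)
            $first   = $entries[0]
            if ($first.protocol -eq 'TCP') { $attempts = @($entries | Group-Object tcpsyn).Count }
            else                           { $attempts = $entries.Count }
            New-Object PSObject -Property @{
                Source      = $first.'src-ip'
                Destination = $first.'dst-ip'
                Protocol    = $first.protocol
                Port        = [int]$first.'dst-port'
                Packets     = $entries.Count
                Attempts    = $attempts
                FirstSeen   = $first.timestamp
                LastSeen    = $entries[-1].timestamp
                Suspicious  = ($attempts -ge $AttemptThreshold)
            }
        } |
        Select-Object Source, Destination, Protocol, Port, Packets, Attempts, FirstSeen, LastSeen, Suspicious |
        Sort-Object Packets -Descending
}

$records = ConvertFrom-FirewallLog -Lines ($SampleLog -split "`r?`n")
Get-DroppedInboundSummary -Records $records | Format-Table -AutoSize
# Against the live log on the computer being troubleshot:
# $records = ConvertFrom-FirewallLog -Lines (Get-Content "$env:windir\system32\LogFiles\Firewall\pfirewall.log")
```

On the sample the summary shows one group, 192.168.1.176 to 192.168.1.175 TCP 23, with three packets but a single attempt, because all three SYNs carry the same sequence number; the same host's IKE traffic (UDP 500) and the later LDAP and SMB connections to 192.168.1.170 were allowed and do not appear.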

Posted: 20/10/2013, 12:15
