If you are experiencing networking problems, click Troubleshoot

Part of the document mcsa_pearson.mcsa.70-697.and.70-698.cert.guide.configuring.windows.devices (Pages 880 - 895)

Step 11. When you are finished, click OK.

Tip

When allowing additional programs to communicate through the Windows Firewall, by default these programs are allowed to communicate through the private network profile only (or the domain profile for domain-joined computers). You should retain this default unless you need a program to communicate through the Internet from a public location. From the Public column of the dialog box shown in Figure 16-3, you should select the boxes next to any connections that link to the Internet. You should clear the boxes next to any connections to a private network.

Configuring Windows Firewall with Advanced Security

First introduced in Windows Vista and enhanced in more modern versions of Windows, the Windows Firewall with Advanced Security snap-in enables you to perform a comprehensive set of configuration actions. You can configure rules that affect inbound and outbound communication, and you can configure connection security rules and the monitoring of firewall actions. Inbound rules help prevent actions such as unknown access or configuration of your computer, installation of undesired software, and so on.

Outbound rules help prevent utilities on your computer from performing certain actions, such as accessing network resources or software without your knowledge. They can also help prevent other users of your computer from downloading software or inappropriate files without your knowledge.

Use any of the following methods to access the Windows Firewall with Advanced Security snap-in:

• Access the Search bar or Cortana, type security into the Search field of the Start menu, and then select Windows Firewall with Advanced Security from the Apps list.

• From the task list on the left side of the Windows Firewall applet (refer to Figure 16-1), select Advanced Settings.

• If you have enabled the Administrative Tools option from the Start menu as described in Chapter 4, “Managing Windows in an Enterprise,” click the Windows Firewall with Advanced Security tile on the Start menu.

After accepting the UAC prompt (if you receive one), you see the snap-in shown in Figure 16-5.

Figure 16-5. Windows Firewall with Advanced Security Snap-in Enabling You to Perform Advanced Configuration Options

When the snap-in first opens, it displays a summary of configured firewall settings. From the left pane, you can configure any of the following types of properties:

Inbound Rules: Displays a series of defined inbound rules. Enabled rules are shown with a green check mark icon. If no icon is visible, the rule is not enabled. To enable a rule, right-click it and select Enable Rule; to disable an enabled rule, right-click it and select Disable Rule. You can also create a new rule by right-clicking Inbound Rules and selecting New Rule. We discuss creation of new rules later in this section.

Outbound Rules: Displays a series of defined outbound rules, also with a green check mark icon for enabled rules. You can enable or disable rules and create new rules in the same manner as with inbound rules.

Connection Security Rules: By default, this branch does not contain any rules. Right-click it and choose New Rule to create rules that are used to determine limits applied to connections with remote computers.

Monitoring: Displays a summary of enabled firewall settings and provides links to active rules and security associations. This includes a domain profile for computers that are members of an AD DS domain. The following three links are available from the bottom of the Details pane:

View Active Firewall Rules: Displays enabled inbound and outbound rules.

View Active Connection Security Rules: Displays enabled connection security rules that you have created.

View Security Associations: Displays IPsec main mode and quick mode associations.
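The three Monitoring links correspond directly to NetSecurity cmdlets. The following is an added example (not from the book) that lists the same information from a PowerShell console on Windows 8/Server 2012 or later; it assumes only the built-in NetSecurity module and makes no changes to the configuration:

```powershell
# Added example: enumerate what the Monitoring node shows, read-only.

# View Active Firewall Rules: only enabled rules, sorted by direction
Get-NetFirewallRule -Enabled True |
    Select-Object DisplayName, Direction, Action, Profile |
    Sort-Object Direction, DisplayName |
    Format-Table -AutoSize

# For every enabled inbound allow rule, resolve the port and address filters.
# This is the view you need to judge whether an exception is broader than
# intended (for example, a listener exposed to Any remote address).
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort
            RemoteAddress = $addr.RemoteAddress
            Profile       = $_.Profile
        }
    } | Format-Table -AutoSize

# View Active Connection Security Rules
Get-NetIPsecRule -Enabled True |
    Select-Object DisplayName, Mode, InboundSecurity, OutboundSecurity

# View Security Associations: main mode (the authenticated IKE/AuthIP exchange)
# and quick mode (the SAs that actually protect traffic). Both are empty
# until a peer has negotiated IPsec with this computer.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```

Run it from an elevated prompt; the rule listings also work unelevated, but the security association cmdlets need administrative rights.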

Configuring Multiple Firewall Profiles

A profile is simply a means of grouping firewall rules so that they apply to the affected computers dependent on where the computer is connected. The Windows Firewall with Advanced Security snap-in enables you to define different firewall behavior for each of the following three profiles:

Domain Profile: Specifies firewall settings for use when connected directly to an AD DS domain. If the network is protected from unauthorized external access, you can specify additional exceptions that facilitate communication across the LAN to network servers and client computers.

Private Profile: Specifies firewall settings for use when connected to a private network location, such as a home or small office. You can open up connections to network computers and lock down external communications as required.

Public Profile: Specifies firewall settings for use when connected to an insecure public network, such as a Wi-Fi access point at a hotel, restaurant, airport, or other location where unknown individuals might attempt to connect to your computer. By default, network discovery and file and printer sharing are turned off, inbound connections are blocked, and outbound connections are allowed.

To configure settings for these profiles from the Windows Firewall with Advanced Security snap-in, right-click Windows Firewall with Advanced Security at the top-left corner and choose Properties. This opens the dialog box shown in Figure 16-6.

Figure 16-6. Windows Firewall with Advanced Security on Local Computer Properties Dialog Box Enabling You to Configure Profiles Specific for Domain, Private, and Public Networks

You can configure the following properties for each of the three profiles individually from this dialog box:

State: Enables you to turn the firewall on or off for the selected profile and block or allow inbound and outbound connections. For inbound connections, you can either block connections with the configured exceptions or block all connections. Click Customize to specify which connections you want Windows Firewall to help protect.

Settings: Enables you to customize firewall settings for the selected profile. Click Customize to specify whether to display notifications to users when programs are blocked from receiving inbound connections or allow unicast responses. You can also view but not modify how rules created by local administrators are merged with Group Policy-based rules.

Logging: Enables you to configure logging settings. Click Customize to specify the location and size of the log file and whether dropped packets or successful connections are logged (see Figure 16-7).

Figure 16-7. Customizing Logging Settings for Each of the Windows Firewall Profiles
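The State, Settings, and Logging properties of each profile (and the Display a Notification option covered in the “Configuring Notifications” section later in this chapter) map to parameters of Set-NetFirewallProfile. The following is an added example, not the book's own text, showing one reasonable configuration of all three profiles and a quick read of the resulting log; the log path, size, and the choice of which profiles log successful connections are illustrative assumptions:

```powershell
# Added example: configure State, Settings, and Logging per profile.

# State: firewall on for every profile, inbound blocked except for rule
# exceptions, outbound allowed (the documented default for Public).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# Settings: notify the user on Private when a program is blocked from
# listening; stay quiet on Public where prompts only invite bad clicks;
# keep unicast responses to multicast/broadcast (needed for DHCP, discovery).
Set-NetFirewallProfile -Profile Private -NotifyOnListen True
Set-NetFirewallProfile -Profile Public  -NotifyOnListen False
Set-NetFirewallProfile -Profile Domain,Private,Public -AllowUnicastResponseToMulticast True

# Logging: one file per profile, 16 MB each, dropped packets logged
# everywhere, successful connections only on Public (assumed policy).
$logRoot = "$env:SystemRoot\System32\LogFiles\Firewall"   # illustrative path
foreach ($p in 'Domain','Private','Public') {
    $logAllowed = if ($p -eq 'Public') { 'True' } else { 'False' }
    Set-NetFirewallProfile -Profile $p `
        -LogFileName "$logRoot\pfirewall-$p.log" `
        -LogMaxSizeKilobytes 16384 `
        -LogBlocked True `
        -LogAllowed $logAllowed
}

# Verify the three profiles side by side
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                 NotifyOnListen, LogFileName, LogBlocked, LogAllowed -AutoSize

# Read the W3C-format log: fields are date time action protocol src-ip dst-ip
# src-port dst-port ... path, where path is RECEIVE or SEND. Show the most
# recent dropped inbound packets, which is what a reviewer looks at first.
$logFile = "$logRoot\pfirewall-Public.log"
if (Test-Path $logFile) {
    Get-Content $logFile |
        Where-Object { $_ -match '^\d' -and $_ -match ' DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{ Time = $f[1]; Proto = $f[3]; Src = $f[4]
                               Dst = $f[5]; DstPort = $f[7]; Path = $f[-1] }
        } |
        Where-Object Path -eq 'RECEIVE' |
        Select-Object -Last 20
}
```

Set-NetFirewallProfile writes to the local (persistent) store; settings delivered by Group Policy take precedence over these values when the two conflict, which is the merge behavior the Settings section lets you view but not change.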

In addition, you can configure IPsec settings from the IPsec Settings tab (refer to Figure 16-6), including defaults and exemptions. IPsec authentication rules enable you to configure bypass rules for specific computers that enable these computers to bypass other Windows Firewall rules. Doing so enables you to block certain types of traffic while enabling authenticated computers to receive these types of traffic. Configuring IPsec settings is covered later in the “Configuring IPsec Security Rules” section of this chapter.

Configuring New Firewall Rules

By clicking New Rule under Inbound Rules or Outbound Rules in the Windows Firewall with Advanced Security snap-in (refer to Figure 16-5), you can create rules that determine programs or ports that are allowed to pass through the firewall. Use the following procedure to create a new rule:

Step 1. Right-click the desired rule type in the Windows Firewall with Advanced Security snap-in and choose New Rule. This starts the New (Inbound or Outbound) Rule Wizard, as shown in Figure 16-8. (We chose a new inbound rule, so our example shows the New Inbound Rule Wizard.)

Figure 16-8. New (Inbound or Outbound) Rule Wizard Starts with a Rule Type Page Enabling You to Define the Type of Rule You Want to Create

Step 2. Select the type of rule you want to create:

Program: Enables you to define a rule that includes all programs or a specified program path.

Port: Enables you to define rules for specific remote ports using either the TCP or UDP protocol.

Predefined: Enables you to select from a large quantity of predefined rules covering the same exceptions described previously in Table 10-2 and shown in Figure 10-3. Select the desired exception from the drop-down list.

Custom: Enables you to create rules that apply to combinations of programs and ports. This option combines settings provided by the other rule-type options.

Step 3. After you've selected your rule type, click Next.

Step 4. The content of the next page of the wizard varies according to which option you've selected. On this page, define the program path, port number and protocol, or predefined rule that you want to create, and then click Next.

Step 5. On the Action page, specify the action to be taken when a connection matches the specified conditions, as shown in Figure 16-9.

Figure 16-9. Action Page Enabling You to Specify the Required Action Type

Step 6. If you choose the Allow the Connection if It Is Secure option, click Customize to display the dialog box shown in Figure 16-10. From this dialog box, select the required option as explained on the dialog box and click OK.

If you desire that encryption be enforced in addition to authentication and integrity protection, select the Require the Connections to Be Encrypted option and also select the provided check box if you want to allow unencrypted data to be sent while encryption is being negotiated.

Figure 16-10. Customize Allow if Secure Settings Dialog Box Enabling You to Select Additional Actions to Be Taken for Packets That Match the Rule Conditions Being Configured

Step 7. Click Next to display the Users page, shown in Figure 16-11. This page enables you to limit the users that are allowed to connect using this rule.

By default, all users are authorized to connect. To limit authorized users, select the check box labeled Only Allow Connections from These Users and click Add to display the Select Users or Groups dialog box, which enables you to select one or more users to be allowed access. To prevent users that are otherwise authorized to use the connection, select the check box labeled Skip This Rule for Connections from These Users and click Add to display the Select Users or Groups dialog box and specify the desired users. The latter option is useful if you want to prevent access by a specific user while allowing access by other users of the group to which the first user belongs.

Figure 16-11. Specifying Users Who Are Allowed to Create the Connection Specified by the Rule

Step 8. Click Next to display the Computers page. Options on this page are similar to those for users in Figure 16-11 and enable you to limit the computers that are allowed to use the rule you're creating.

Step 9. Click Next to display the Profile page. On this page, select the profiles (Domain, Private, and Public) to which the rule is to be applied. Then click Next.

Step 10. On the Name page, specify a name and optional description for your new rule. Click Finish to create the rule, which will then appear in the Details pane of the Windows Firewall with Advanced Security snap-in.
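Every page of the New Inbound Rule Wizard (Rule Type, Program/Port, Action, Users, Computers, Profile, Name) has a matching parameter on New-NetFirewallRule. The following is an added example, not from the book, that creates the two kinds of inbound rule the procedure describes: an ordinary port rule scoped to a subnet, and an Allow the Connection if It Is Secure rule with encryption required. The display names, program path, port, subnet, and the computer-group SID are illustrative placeholders:

```powershell
# Added example: the wizard's pages as New-NetFirewallRule parameters.

# Rule Type = Port, Action = Allow, Profile = Domain + Private.
# Scope is narrowed to the corporate subnet instead of the wizard's default
# of Any remote address; Name and Description are the final wizard page.
New-NetFirewallRule -DisplayName 'Contoso Agent (TCP 8443, inbound)' `
    -Description 'Management agent listener; corporate subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -RemoteAddress 10.0.0.0/8 `
    -Profile Domain,Private `
    -Action Allow

# Action = Allow the Connection if It Is Secure, with Require the Connections
# to Be Encrypted. The Computers page becomes -RemoteMachine, an SDDL string
# whose allow ACE (A) names the group of computers permitted to connect.
# Authentication Required is what makes that identity available to the rule.
$computerGroupSid = 'S-1-5-21-0-0-0-1234'   # placeholder; resolve your own group SID
New-NetFirewallRule -DisplayName 'Contoso Agent (TCP 8443, IPsec only)' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -Program 'C:\Program Files\Contoso\agent.exe' `
    -Profile Domain `
    -Action Allow `
    -Authentication Required `
    -Encryption Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$computerGroupSid)"

# To author the same rule in a domain GPO rather than the local store (the
# Group Policy procedure later in this chapter), add a -PolicyStore argument,
# for example: -PolicyStore 'contoso.example\Firewall Baseline'

# Review the result as the Details pane would show it. The authentication and
# encryption requirements live on the rule's security filter, not the rule object.
Get-NetFirewallRule -DisplayName 'Contoso Agent*' | ForEach-Object {
    $sec = $_ | Get-NetFirewallSecurityFilter
    [pscustomobject]@{
        Rule           = $_.DisplayName
        Enabled        = $_.Enabled
        Profile        = $_.Profile
        Action         = $_.Action
        Authentication = $sec.Authentication
        Encryption     = $sec.Encryption
        RemoteMachine  = $sec.RemoteMachine
    }
} | Format-Table -AutoSize
```

A rule that requires authentication only works when a matching connection security rule (see “Configuring IPsec Security Rules”) exists; without one, peers cannot negotiate IPsec and the rule simply never matches.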

Configuring IPsec Security Rules

IPsec is a set of industry standard cryptography protection protocols and services. IPsec can be used to protect any TCP/IP protocol, with the exception of Address Resolution Protocol (ARP).

Windows Firewall with Advanced Security supports IPsec, which allows you to require authentication from any device. When authentication is required, devices that are unable to be authenticated will be blocked from communicating with your secured computer or device. You can also require encryption on any network connection to ensure transport security.

The connection security rules in Windows Firewall with Advanced Security are configured using a set of conditions and actions that are applied to network connection attempts that match the condition. The action applied can be to allow, block, or require the connection to be protected using IPsec.

Configuring New Connection Security Rules (IPsec)

Creating a new connection security rule is similar to that for inbound or outbound rules as discussed in the previous section, but the options are slightly different. From the Windows Firewall with Advanced Security dialog box previously shown in Figure 16-5, right-click Connection Security Rules and choose New Rule to display the New Connection Security Rule Wizard, as shown in Figure 16-12.

Figure 16-12. New Connection Security Rule Wizard Enabling You to Create Five Types of Connection Security Rules

Connection security rules manage authentication of two machines on the network and the encryption of network traffic sent between them using IPsec.

Security is also achieved with the use of key exchange and data integrity checks. As shown in Figure 16-12, you can create the following types of connection security rules:

Isolation: Enables you to limit connections according to authentication criteria that you define. For example, you can use this rule to isolate domain-based computers from external computers, such as those located across the Internet. You can request or require authentication and specify the authentication method that must be used.

Authentication Exemption: Enables specified computers, such as DHCP and DNS servers, to be exempted from the need for authentication. You can specify computers by IP address ranges or subnets, or you can include a predefined set of computers.

Server-to-Server: Enables you to create a secured connection between computers in two endpoints that are defined according to IP address ranges.

Tunnel: Enables you to secure communications between two computers by means of IPsec tunnel mode. This encapsulates network packets that are routed between the tunnel endpoints. You can choose from several types of tunnels; you can also exempt IPsec-protected computers from the defined tunnel.

Custom: Enables you to create a rule that requires special settings not covered explicitly in the other options. All wizard pages except those used to create only tunnel rules are available.
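The first two rule types above, Isolation and Authentication Exemption, are the pair most deployments start with, because an isolation rule that requires authentication will also cut off the DNS and DHCP servers a client needs before it can authenticate. The following is an added example (not the book's) that builds both with the NetSecurity IPsec cmdlets; the rule names, the Kerberos-based authentication set, and the exempted addresses are illustrative assumptions:

```powershell
# Added example: an Isolation rule plus an Authentication Exemption rule.

# Phase 1 (main mode) authentication: computer Kerberos, so domain
# membership is the credential (the wizard's "Computer (Kerberos V5)").
$kerberos = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer Kerberos' `
                                      -Proposal $kerberos

# Isolation: require authentication for inbound connections, request it for
# outbound. Domain members protect traffic between themselves, while this
# host can still reach unmanaged servers that cannot answer IKE/AuthIP.
# Move -OutboundSecurity to Require only after every peer is enrolled.
New-NetIPsecRule -DisplayName 'Domain isolation' `
    -Mode Transport `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain `
    -Enabled True

# Authentication Exemption: infrastructure every client needs before it can
# authenticate is excluded from IPsec entirely (addresses are placeholders).
New-NetIPsecRule -DisplayName 'Exempt DNS and DHCP' `
    -RemoteAddress 10.0.0.53, 10.0.0.67 `
    -InboundSecurity None `
    -OutboundSecurity None `
    -Profile Domain `
    -Enabled True

# Confirm both rules and their actions
Get-NetIPsecRule -DisplayName 'Domain isolation', 'Exempt DNS and DHCP' |
    Select-Object DisplayName, Mode, InboundSecurity, OutboundSecurity, Phase1AuthSet |
    Format-Table -AutoSize
```

Test with one pair of domain computers first: after a connection between them, the main mode and quick mode security associations should appear under Monitoring, and traffic to the exempted addresses should continue to flow without any SA.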

Modifying Rule Properties

You can modify any Windows Firewall rule from its Properties dialog box, accessed by right-clicking the rule in the Details pane of the Windows Firewall with Advanced Security snap-in and choosing Properties. From the dialog box shown in Figure 16-13, you can configure the following properties:

General tab: Enables you to edit the name and description of the rule or change the action.

Figure 16-13. Properties Dialog Box for a Firewall Rule Enabling You to Modify Rules Criteria for Rules You Have Created or Default Rules Supplied in Windows Firewall with Advanced Security

Programs and Services tab: Enables you to define which programs and services are affected by the rule.

Remote Computers tab: Enables you to specify which computers are authorized to allow connections according to the rule, or enables you to specify computers for which the rule will be skipped.

Protocols and Ports tab: Enables you to specify the protocol type and the local and remote ports covered by the rule.

Scope tab: Enables you to specify the local and remote IP addresses of connections covered by the rule. You can specify Any Address or select a subnet or IP address range.

Advanced tab: Enables you to specify the profiles (domain, private, or public) to which the rule applies. You can also specify the interface types (local area network, remote access, and/or wireless) and whether edge traversal (traffic routed through a NAT device) is allowed or blocked.

Local Principals tab: Enables you to specify which local users or groups are authorized to allow connections according to the rule, or enables you to specify users or groups for which the rule will be skipped.

Remote Users tab: Similar to the Local Principals tab, except it works with users or groups at remote computers.

Note

For additional information on all aspects of using the Windows Firewall with Advanced Security snap-in, refer to “Windows Firewall with Advanced Security” at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-firewall-with-advanced-security and the links and references in the article. For details on planning security in your organization using Windows Firewall with Advanced Security rules and IPsec encryption, start with “Windows Firewall with Advanced Security Design Guide” at https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-firewall-with-advanced-security-design-guide.

Configuring Notifications

You can configure Windows Firewall with Advanced Security to display notifications when a program is blocked from receiving inbound connections according to the default behavior of Windows Firewall. When you have selected this option and no existing block or allow rule applies to this program, a user is notified when a program is blocked from receiving inbound connections.

To configure this option, right-click Windows Firewall with Advanced Security at the top of the left pane in the Windows Firewall with Advanced Security snap-in, and then choose Properties. This opens the dialog box previously shown in Figure 16-6. Select the tab that corresponds to the profile you want to configure, and then click the Customize command button in the Settings section. From the Customize Settings for the (selected) Profile dialog box shown in Figure 16-14, select Yes under Display a Notification and then click OK twice.

Figure 16-14. Configuring Windows Firewall to Display Notifications

Group Policy and Windows Firewall

Group Policy in Windows Firewall enables you to configure similar policies to those configured with the Windows Firewall with Advanced Security snap-in. Use the following procedure to configure Group Policy for Windows Firewall:

Step 1. From the Search bar or Cortana, type gpedit.msc, and then click gpedit.msc in the Programs list. If you receive a UAC prompt, click Continue.

Step 2. Navigate to the Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security node. The right pane displays the Windows Firewall with Advanced Security settings, as shown in Figure 16-15.

Figure 16-15. Using Group Policy to Configure Windows Firewall with Advanced Security Options

Step 3. Scroll the Details pane to select links for inbound rules, outbound rules, and connection security rules. These links open subnodes in the console tree.

Step 4. Unlike the Windows Firewall with Advanced Security snap-in, this Group Policy node contains no default rules. To add rules, right-click in the Details pane and select New Rule. This starts the New Rule Wizard, which enables you to create rules using the same options already discussed in this section.

After you have added firewall rules in Group Policy, you can filter the view according to profile (domain, private, or public) or by state (enabled or disabled).

Tip

A Group Policy feature first introduced in Windows Vista enables you to configure common policy settings for all user accounts on a computer used by more than one user. This includes Windows Firewall as discussed here, as well as UAC and all other policy settings. In addition, you can configure separate policies for administrators or nonadministrators. If necessary, you can even configure local group policies on a per-user basis.

Configuring Authenticated Exceptions

Windows Firewall with Advanced Security enables you to configure exceptions for users and computers accessing your computer through firewall rules that are included by default or created by an administrator. Use the following procedure to configure authenticated exceptions:

Step 1. From the Windows Firewall with Advanced Security snap-in, select the inbound or outbound rule you want to configure.

Step 2. Double-click the rule to display the Properties dialog for the selected rule.

Step 3. Select the Configuration tab from the rule properties. You can create authenticated exceptions for Remote Users, Remote Computers, or Local Principals. Local Users are defined using the Local Principals tab. Select the appropriate tab.

Note

Note that you cannot set an exception for Remote Users on an inbound rule.
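The tabs described under “Modifying Rule Properties” and the authenticated exceptions configured in this section are both edits to an existing rule, so they are shown together in the following added example (not from the book) using Set-NetFirewallRule. It assumes a rule with the display name given below already exists, and the subnets and SIDs are placeholders; the SDDL convention it relies on is that an allow ACE (A) authorizes a principal and a deny ACE (D) is how the Skip This Rule exception is stored:

```powershell
# Added example: Properties-dialog tabs and authenticated exceptions on one rule.
$ruleName = 'Contoso Agent (TCP 8443, inbound)'   # assumed to exist

# Scope tab: remote addresses limited to two management subnets (placeholders).
# Advanced tab: Domain profile only, wired interfaces only, and edge traversal
# blocked so the listener is never reachable through a NAT device.
Set-NetFirewallRule -DisplayName $ruleName `
    -RemoteAddress 10.10.0.0/24, 10.20.0.0/24 `
    -Profile Domain `
    -InterfaceType Wired `
    -EdgeTraversalPolicy Block

# Remote Computers tab: only members of one computer group may connect; this
# needs Authentication Required so the rule can see the peer's IPsec identity.
# Local Principals tab: BUILTIN\Users (S-1-5-32-545) allowed, one specific
# user skipped, the "prevent one member of an allowed group" case in Step 7.
$allowedHostsSid = 'S-1-5-21-0-0-0-1100'   # placeholder: management servers group
$skippedUserSid  = 'S-1-5-21-0-0-0-1200'   # placeholder: a single user account
Set-NetFirewallRule -DisplayName $ruleName `
    -Authentication Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$allowedHostsSid)" `
    -LocalUser "O:LSD:(A;;CC;;;S-1-5-32-545)(D;;CC;;;$skippedUserSid)"

# Resolving a real SID instead of a placeholder (domain and group are examples):
# (New-Object Security.Principal.NTAccount('CONTOSO', 'ManagementServers')).
#     Translate([Security.Principal.SecurityIdentifier]).Value

# Review every tab's data: the rule object carries General and Advanced,
# the filter objects carry Scope, interface type, and the principal SDDL.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Action, Profile, EdgeTraversalPolicy
$rule | Get-NetFirewallAddressFilter       | Select-Object LocalAddress, RemoteAddress
$rule | Get-NetFirewallInterfaceTypeFilter | Select-Object InterfaceType
$rule | Get-NetFirewallSecurityFilter      | Select-Object Authentication, RemoteMachine, LocalUser
```

Because the computer exception depends on IPsec authentication, verify it together with the connection security rules: a host outside the group should fail to connect even though it is inside the Scope subnets, and a host inside the group should show a main mode SA under Monitoring when it connects.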

