This chapter covers the following subjects:
• Configuring Windows Firewall: Windows Firewall is a comprehensive stateful packet-filtering application that is enabled by default in Windows 10. This section introduces you to the Windows Firewall Control Panel applet and shows you how to create exceptions that allow specified programs or ports to communicate through the firewall. It then continues with the Windows Firewall with Advanced Security Microsoft Management Console snap-in, which provides a comprehensive interface for configuring all types of inbound, outbound, and connection security rules. This section shows you how to create and modify the various types of rules available with this tool.
• Configuring IPsec Security Rules: This section continues from the previous one, showing you how to create connection rules for Windows Firewall that allow connections only for specific users or computers on the network. This section discusses the methods for creating rules designed to allow or block specific local users, remote users, and remote computers.
• Configuring Network Discovery: Windows Network Discovery is a technology that enables computers to locate and connect to other computers, devices, and services on the network. This is convenient for users, but may present a security risk on untrusted networks. In this section you learn about Network Discovery, network profiles, and how to configure discovery for a Windows 10 computer. Windows 10 has made connecting to Wi-Fi networks easy, and wireless networks are available in many locations. But this utility comes with risks. This section looks at technologies used to ensure that private information remains private even when it is transmitted over the air where it can be picked up by anyone.
This chapter covers the following objectives for the 70-697 exam:
Configure networking: Configure and support IPv4 and IPv6 network settings; configure name resolution; connect to a network; configure network locations; configure network discovery; configure Wi-Fi settings; configure Wi-Fi Direct; troubleshoot network issues; configure VPN, such as app-triggered VPN, traffic filters, and lockdown VPN; configure IPsec; configure Direct Access.
Configure and maintain network security: Configure Windows Firewall, configure Windows Firewall with Advanced Security, configure connection security rules (IPsec), configure authenticated exceptions, configure network discovery.
Configure networking: Configure Windows Firewall, configure Windows Firewall with Advanced Security.
In Chapter 6, "Windows 10 Networking," you learned how to set up and maintain wireless networks. The explosion of wireless networks, with many hotels and restaurants offering free Wi-Fi connections, has made it easy for cybercriminals to go about the business of intercepting and stealing information for financial gain, political purposes, and many other nefarious endeavors. In fact, the year 2013 started out with a report that the Japanese Ministry of Agriculture, Forestry, and Fishery was hacked with the theft of more than 3,000 documents, including some of their negotiating strategies. Late in 2013, the Target department store chain was hacked, with the compromise of as many as 40 million customers in the United States and Canada. More recently, the Democratic National Committee and campaign managers were hacked and their emails released on the Internet, leading the government to conclude that Russia interfered with the 2016 national election. Anyone who works with or supports a modern computer network must be able to ensure that the network maintains an adequate level of security, so Microsoft expects you to know basic security practices as a component of the 70-697 and 70-698 exams.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter or simply jump to the “Exam Preparation Tasks” section for review. If you are in doubt, read the entire chapter. Table 16-1 outlines the major headings in this chapter and the corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”
Table 16-1. “Do I Know This Already?” Foundation Topics Section-to-Question Mapping
Foundation Topics Section | Questions Covered in This Section
Configuring Windows Firewall | 1–5
Configuring IPsec Security Rules | 6–7
Configuring Network Discovery | 8–10
Caution
The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.
1. You want to configure Windows Firewall settings on your notebook computer so that others are unable to access anything on your computer. Which type of network location should you enable?
a. Work
b. Home
c. Public
d. Private
2. Which of the following actions can you perform from the Windows Firewall Control Panel applet on your Windows 10 computer? (Choose three.)
a. Specify ports that are allowed to communicate across the Windows Firewall.
b. Specify programs that are allowed to communicate across the Windows Firewall.
c. Set the firewall to block all incoming connections, including those in the list of allowed programs.
d. Configure logging settings for programs that are blocked by the firewall.
e. Specify a series of firewall settings according to the type of network to which you are connected.
3. You open the Windows Firewall with Advanced Security snap-in and notice that a large number of firewall rules have already been preconfigured. Which of the following rule settings types does not include any preconfigured firewall rules?
a. Inbound rules
b. Outbound rules
c. Connection security rules
d. Monitoring rules
4. You want to configure Windows Firewall so that Windows Media Player can receive data only from connections that have been authenticated by IPsec. What setting should you configure?
a. Run the New Inbound Rule Wizard, specify the path to Windows Media Player on the program page, then specify the Allow the Connection if It Is Secure option.
b. Run the New Outbound Rule Wizard, specify the path to Windows Media Player on the program page, then specify the Allow the Connection if It Is Secure option.
c. Run the New Connection Security Rule Wizard, specify the path to Windows Media Player on the program page, then specify the Allow the Connection if It Is Secure option.
d. Merely select Windows Media Player from the Allowed Programs and Features list in the Windows Firewall Control Panel applet.
5. You have configured a new inbound rule that limits connections by a specific application on your computer to only those connections that have been authenticated using IPsec. The next day when you start your application, you realize that you should have configured this rule as an outbound rule. What should you do to correct this error with the least amount of effort?
a. Access the Scope tab of the Properties dialog box for your rule and change the scope from Inbound to Outbound.
b. Access the Advanced tab of the Properties dialog box for your rule and change the interface type from Inbound to Outbound.
c. Select the rule from the list of inbound rules in the Details pane of Windows Firewall with Advanced Security and drag the rule to the Outbound Rules node in the console tree.
d. You must deactivate or delete the inbound rule you configured and then use the New Outbound Rule Wizard to set up a new rule that is specific to your application.
6. You want Windows Firewall with Advanced Security to display a notification when a program is blocked from receiving inbound connections. What should you do?
a. Right-click Windows Firewall with Advanced Security at the top of the console tree and choose Properties. From the tab corresponding to the required profile, click Customize under Settings. Then ensure that the Display a Notification drop-down list is set to Yes.
b. Right-click the Inbound Rules node in the console tree and choose Properties. From the tab corresponding to the required profile, click Customize under Settings. Then ensure that the Display a Notification drop-down list is set to Yes.
c. Right-click the Monitoring node in the console tree and choose Properties. From the tab corresponding to the required profile, click Customize under Settings. Then ensure that the Display a Notification drop-down list is set to Yes.
d. Right-click the Firewall subnode below the Monitoring node in the console tree and choose Properties. From the tab corresponding to the required profile, click Customize under Settings. Then ensure that the Display a Notification drop-down list is set to Yes.
7. You are configuring a firewall rule to allow only the Accounting group to connect to network shares on a computer. What Action in General settings should you select before specifying the group in the Remote Users setting?
a. Allow the connection
b. Allow the connection if it is secure
c. Block the connection
d. Block edge traversal
8. In which Network Profiles can you turn off Network Discovery? (Select all that apply.)
a. Private
b. Guest or Public
c. Domain
d. All Networks
9. You are configuring Network Discovery, turning it on for a network. You have also configured Network Discovery to perform automatic setup of network connected devices. Which network profile are you configuring?
a. Private
b. Guest or Public
c. Domain
d. All Networks
10. You are off-site with a coworker and want to collaborate by creating an ad-hoc network to connect your individual Windows 10 laptops to each other. Which wireless security type will be used when the two computers establish a connection?
a. WEP
b. WPA-Enterprise
c. WPA2-Enterprise
d. WPA-Personal
e. WPA2-Personal
Foundation Topics
Configuring Windows Firewall
Originally called the Internet Connection Firewall (ICF) in Windows XP prior to SP2, Windows Firewall is a personal firewall, stopping undesirable traffic from being accepted by the computer. Using a firewall can avoid security breaches as well as viruses that utilize port-based TCP or UDP traffic to enter the computer’s operating system. For computers that use broadband Internet connections with dedicated IP addresses, the Windows Firewall can help avoid attacks aimed at disrupting a home computer. When you take your laptop to a Wi-Fi enabled public location, such as an airport, hotel, or restaurant, the firewall protects you from individuals who might be probing the network to see what they can steal or infect. Even people with dial-up Internet connections can benefit from added protection. The Windows Firewall is enabled by default when you install Windows 10, as it was in all Windows operating systems since Vista.
Windows Firewall is a stateful host-based firewall that you can configure to allow or block specific network traffic. It includes a packet filter that uses an access control list (ACL) specifying parameters (such as IP address, port number, and protocol) that are allowed to pass through. When a user communicates with an external computer, the stateful firewall remembers this conversation and allows the appropriate reply packets to reach the user. Packets from an outside computer that attempt to communicate with a computer on which a stateful firewall is running are dropped unless the ACL contains rules permitting them.
Windows Vista introduced considerable improvements over the original Windows XP SP2 implementation, including outbound traffic protection, support for IP Security (IPsec) and IP version 6 (IPv6), improved configuration of exceptions, and support for command-line configuration.
Microsoft has improved Windows Firewall even further in more recent versions of Windows. The following are some of the important recent features. Of particular note are the new PowerShell cmdlets introduced for Windows 10 and Windows Server 2016.
• Support for Internet Key Exchange version 2 (IKEv2) for IPsec transport mode: Additional scenarios have been supported, including IPsec end-to-end transport mode connections. Included is expanded support for interoperability with other operating systems using IKEv2 for end-to-end security and the support for Suite B requirements described in Request for Comment (RFC) 4869.
• Windows Store app network isolation: You can fine-tune network access in Windows Firewall to provide added control of Windows Store apps. You can enforce network boundaries so that a compromised app can access only the networks to which it has been explicitly granted access. Doing so significantly reduces the scope of its impact on the system and on other networks. You can also isolate apps and protect them from malicious access across the network.
• New Windows PowerShell cmdlets for Windows Firewall: You can use PowerShell for configuration and management of Windows Firewall, IPsec, and related features. Full configuration capabilities are now available.
You can perform basic configuration of Windows Firewall from a Control Panel applet. You can also perform more advanced configuration of Windows Firewall, including the use of security policies, from a Microsoft Management Console (MMC) snap-in. We look at each of these in turn.
Basic Windows Firewall Configuration
The Windows Firewall Control Panel applet, found in the System and Security category and shown in Figure 16-1, enables you to set up firewall rules for each of the network types: Private, Guest or Public, and Domain.
Figure 16-1. Configuring Basic Firewall Settings for Different Network Locations from the Windows Firewall Control Panel Applet
Note
If your computer is joined to an Active Directory Domain Services (AD DS) domain, you will see the Domain Networks location as shown in Figure 16-1. If your computer is not joined to a domain, you will not see this network. Settings for this location can be configured exclusively through domain-based Group Policy so that users cannot modify firewall settings locally.
You can enable or disable the Windows Firewall separately for each connection. In doing so, you can use Windows Firewall to protect a computer connected to the Internet via one adapter while not using Windows Firewall for the adapter connected to the private network. Use the following instructions to perform basic firewall configuration:
Step 1. Open the Windows Firewall applet by using any of the following methods:
• Right-click Start and choose Control Panel. Then click System and Security > Windows Firewall.
• In the Search bar or Cortana, type firewall into the Search field. From the list of programs displayed, click Windows Firewall.
• Open the Network and Sharing Center and select Windows Firewall from the list in the bottom-left corner.
Step 2. From the left pane, select Turn Windows Firewall On or Off. If you receive a User Account Control (UAC) prompt, click Continue. This displays the Customize settings for each type of network dialog box, shown in Figure 16-2.
Figure 16-2. Customize Settings for Each Type of Network Dialog Box Enabling You to Turn the Firewall On or off and to Block Incoming Connections
Step 3. If you are connected to a corporate network with a comprehensive hardware firewall, select Turn off Windows Firewall (Not Recommended) under the Private Network Location Settings section. If you connect at any time to an insecure network, such as an airport or restaurant Wi-Fi hot spot, select the Block All Incoming Connections, Including Those in the List of Allowed Programs option under Public network settings. This option disables all exceptions you’ve configured on the Exceptions tab.
Warning
Don't disable the firewall unless absolutely necessary, even on the Private Network Settings section. Never select the Turn Off Windows Firewall option in Figure 16-2 unless you’re absolutely certain that your network is well protected with a good firewall. The only exception should be temporarily to troubleshoot a connectivity problem. After you’ve solved the problem, be sure to reenable the firewall immediately.
Step 4. To configure program exceptions, return to the Windows Firewall applet and click Allow an App or Feature Through Windows Firewall.
Step 5. From the list shown in Figure 16-3, select the programs or ports you want to have access to your computer on either of the Private or Public profiles. Table 16-2 describes the more important items in this list. Clear the check boxes next to any programs or ports to be denied access, or select the check boxes next to programs or ports to be granted access.
Figure 16-3. Allow Apps to Communicate Through Windows Firewall Dialog Box Enabling You to Specify Which Programs Are Allowed to Communicate Through the Firewall
Table 16-2. Key Windows Firewall Configurable Exceptions
Exception | Description | Enabled by Default?
Core Networking, Network Discovery | Each option works with the other to enable your computer to connect to other network computers or the Internet | Yes; network discovery for home or work only
Distributed Transaction Coordinator | Coordinates the update of transaction-protected resources such as databases, message queues, and file systems | No
File and Printer Sharing | Enables your computer to share resources such as files and printers with other computers on your network | Yes
HomeGroup | Allows communication to other computers in the homegroup | Yes, for Private only when joined to a homegroup
iSCSI Service | Used for connecting to iSCSI target servers and devices | No
Key Management Service | Used for machine counting and license compliance in enterprise environments | No
MSN Money, MSN News, MSN Sports, MSN Weather, Mail and Calendar, Microsoft Edge, People, Photos, and Messaging | Allows these default Windows apps to communicate on the Internet; others might also be listed, including some games | Yes
Media Center Extenders | Allows Media Center Extenders to communicate with a computer running Windows Media Center | No
Netlogon Service | Maintains a secure channel between domain clients and a domain controller for authenticating users and services | Only on a computer joined to an Active Directory domain
Network Discovery | Allows computers to locate other resources on the local network | Yes, for Private only
Performance Logs and Alerts | Allows remote management of the Performance Logs and Alerts service | No
Remote Assistance | Enables an expert user to connect to the desktop of a user requiring assistance in a Windows Feature | Yes, for Private only
Remote Desktop | Enables a user to connect with and work on a remote computer | No
Remote (item) Management | Enables an administrator to manage items on a remote computer, including event logs, scheduled tasks, services, and disk volumes | No for all these tasks
Routing and Remote Access (RRAS) | Enables remote users to connect to a server to access the corporate network (used on RRAS server computers only) | No
Store and Store Purchase App | Enables access to the App Store and, separately, access to purchase apps from the Store | Yes
Windows Remote Management | Enables you to manage a remote Windows computer | No
Step 6. To add a program not shown in the list, click Allow Another App. From the Add an App dialog box shown in Figure 16-4, select the program to be added and then click Add. If necessary, click Browse to locate the desired program. You can also click Network Types to choose which network type is allowed by the selected program.
Figure 16-4. Add an App Dialog Box Enabling You to Allow Specific Programs Access Through the Windows Firewall
Step 7. Use the Allow Apps to Communicate Through Windows Firewall dialog box (refer to Figure 16-3) to view the properties of any program or port on the list: select it and click Details.
Step 8. To remove a program from the list, select it and click Remove. You can do this only for programs you have added using Step 6.
Step 9. If you need to restore default settings, return to the Windows Firewall applet previously shown in Figure 16-1 and click Restore Defaults. Then confirm your intention in the Restore Default Settings dialog box that appears.
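The per-profile settings and app exception that Steps 1 through 9 configure through the Control Panel applet can also be applied with the Windows Firewall PowerShell cmdlets mentioned in the feature list above. The following script is an added example, not code from the book; the program path and rule name are assumed placeholders, and it must run from an elevated PowerShell prompt.

```powershell
# Added example (not from the book): the Control Panel procedure of
# Steps 1-9 expressed with the NetSecurity module cmdlets.
# The program path and rule name are placeholder assumptions.
#Requires -RunAsAdministrator

$App      = 'C:\Program Files\ExampleVendor\ExampleApp.exe'   # assumed path
$RuleName = 'Allow ExampleApp (Private profile)'             # assumed name

# Steps 2-3: keep the firewall on for every profile, with inbound traffic
# blocked unless a rule allows it. On the Public profile also ignore every
# allowed-app exception, which is what the "Block All Incoming Connections,
# Including Those in the List of Allowed Programs" check box does.
Set-NetFirewallProfile -Name Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block
Set-NetFirewallProfile -Name Public -AllowInboundRules False

# Warning in the text: surface any profile that is still switched off so a
# temporary troubleshooting change is not forgotten.
Get-NetFirewallProfile |
    Where-Object { [string]$_.Enabled -ne 'True' } |
    ForEach-Object { Write-Warning "Firewall disabled on profile $($_.Name)" }

# Step 6: "Allow Another App", limited to the Private network type only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
        -Program $App -Action Allow -Profile Private | Out-Null
}

# Step 7: the "Details" view of the rule and the program it applies to.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program

# Step 8: remove the exception again once it is no longer needed.
# Remove-NetFirewallRule -DisplayName $RuleName

# Step 9: restore the default firewall policy (no cmdlet exists for this;
# the netsh equivalent of the Restore Defaults button is shown instead).
# netsh advfirewall reset
```

The Step 8 and Step 9 commands are left commented out so the script is not destructive when run as-is.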