386 CHAPTER 7 Windows Firewall and Remote Management
Lesson 1: Managing Windows Firewall
The firewall that ships with Windows 7 is designed to keep your computer safe, whether it is connected to the protected network in the office or to the less-safe public WiFi networks of coffee shops and airport lounges. In this lesson, you learn the differences between Windows Firewall and Windows Firewall with Advanced Security. You also learn about connection security rules, which you can use to limit your computer’s network communication so that it occurs only with other computers that have proven their identity.
After this lesson, you will be able to:
• Configure rules for multiple profiles
• Allow or deny applications
• Create network-profile-specific rules
• Configure notifications
• Configure authenticated exceptions
Estimated lesson time: 40 minutes
Windows Firewall
Firewalls restrict network traffic based on a collection of configurable rules. Another name for these rules is exceptions. When traffic reaches a network interface protected by a firewall, the firewall analyzes it, either discarding the traffic or allowing it to pass on the basis of the rules that have been applied to the firewall. Windows 7 uses two firewalls that work together: Windows Firewall and Windows Firewall with Advanced Security (WFAS). The primary difference between these firewalls relates to the complexity of the rules that can be configured for them. Windows Firewall uses simple rules that directly relate to a program or service. WFAS allows for more complicated rules that filter traffic on the basis of port, protocol, address, and authentication. WFAS is covered in more detail later in this lesson.
When thinking about how firewall rules work, remember that unless a rule exists that explicitly allows a particular form of traffic, the firewall drops that traffic. In general, you must explicitly allow traffic to pass across a firewall, though there will be some occasions when you need to configure a deny rule. You will learn about deny rules later in this lesson. Windows Firewall and WFAS ship with a minimal set of default rules that allow you to interact with networks. This means that although you are able to browse the Web without having to configure a firewall rule, if you try to use an application to interact with the network that is not covered by a default rule, such as File Transfer Protocol (FTP), you receive a warning. This behavior is different from earlier versions of Microsoft Windows, such as Windows XP, where the firewall blocked only incoming traffic and did not block outgoing traffic. The firewall in Windows 7 blocks most outbound traffic by default. When a program is blocked for the first time, you are notified by the firewall, as shown in Figure 7-1, allowing you to configure an exception that allows traffic of this type in the future.
Figure 7-1 Most outbound traffic is blocked but generates a warning.
The Windows 7 firewall uses a feature known as full stealth. Stealth blocks external hosts from performing operating system (OS) fingerprinting. OS fingerprinting is a technique where an attacker determines what operating system a host is running by sending special traffic to the host’s external network interface. After an attacker knows what operating system a host is using, they can target OS-specific exploits at the host. You cannot disable the stealth feature of Windows 7.
Boot time filtering, another feature of Windows 7, ensures that Windows Firewall is working from the instant the network interfaces become active. In previous operating systems, such as Windows XP, the firewall, either built into Windows or from a third-party vendor, would become operational only once the startup process was complete. This left a small but important period where a network interface would be active but not protected by a firewall. Boot time filtering closes this window of opportunity.
To understand the operation of Windows Firewall, you need to be familiar with some core networking concepts. If you have a lot of experience with networks, you may want to skip ahead to the next section because you are already familiar with them. These core concepts are:
• Protocol: In terms of Windows Firewall, you need to consider only three protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). TCP is more reliable and is used for the majority of Internet traffic. UDP is used for broadcast and multicast data, as well as the sort of traffic associated with online games. You use ICMP primarily for diagnostic purposes.
• Port: A port is an identification number that is contained within the header of a TCP or UDP datagram. Ports are used to map network traffic to specific services or programs running on a computer. For example, port 80 is reserved for World Wide Web traffic and port 25 is reserved for the transmission of e-mail across the Internet.
• IPSec (Internet Protocol Security): IPSec is a method of securing network traffic by encrypting it and signing it. The encryption ensures that an attacker cannot read captured traffic. The signature allows the recipient of the traffic to validate the sender’s identity.
• Network address: Each host on a network has a network address. You can configure firewalls to treat traffic differently based on the destination network of outgoing traffic or the origin network of incoming traffic.
• Inbound traffic: Inbound traffic is network data that originates from an external host and is addressed to your client running Windows 7.
• Outbound traffic: Outbound traffic is traffic that your client running Windows 7 sends to external hosts over the network.
• Network interface: A network interface can be a physical local area network (LAN) connection, a wireless connection, a modem connection, or a virtual private network (VPN) connection.
Network Location Awareness
Network Location Awareness (NLA) is a feature through which Windows 7 assigns a network profile based on the properties of a network connection. As you can see in Figure 7-2, Windows 7 uses three network profiles: Domain Networks, Home Or Work (Private) Networks, and Public Networks. When you connect to a new network, Windows 7 queries you with a dialog box asking whether the network is a Home network, a Work network, or a Public network. Windows 7 remembers the designation that you assign to the network and associates it with the properties of the network so that the designation is applied the next time you connect the computer to that network. You can change the designation of a network using the Network And Sharing Center. You learned about changing network designations in Chapter 6. NLA assigns the Domain network profile when you log on to an Active Directory Domain Services (AD DS) domain.
Figure 7-2 Windows Firewall in Control Panel.
Network profiles are important because you can use them to apply different collections of firewall rules based on which network profile is active. Figure 7-3 shows that the Windows Virtual PC rule is active in the Domain and Home/Work (Private) profiles but not in the Public profile. A significant difference between Windows Vista and Windows 7 is that in Windows 7, profiles apply on a per-network-interface basis. This means that if you have one network adapter connected to the Internet and another connected to your office LAN, different sets of rules apply for each connection. The firewall in Windows Vista chooses the most restrictive network profile when a computer has connections to different network types and applies the most restrictive set of rules to all interfaces.
Figure 7-3 Allowing programs and features by profile.
As shown in Figure 7-4, you can selectively enable Windows Firewall for each network profile. You can also specify whether you want notifications to appear to the logged-on user when Windows Firewall blocks a new program, and whether you want all incoming connections blocked, including those for which there are existing firewall rules. Users can create rules for the traffic that they have been notified about only if they have local administrator privileges.
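The per-profile settings described above (firewall state, notifications, and blocking all incoming connections regardless of existing rules) can also be inspected and set from an elevated command prompt with netsh advfirewall, the same command family the reset note later in this lesson uses. The following is an added example, not from the training kit; it assumes nothing beyond a Windows 7 computer and an elevated command prompt, and the log file path is the firewall's conventional location rather than a value stated on this page.

```batch
:: Added example (not from the training kit): per-profile firewall settings
:: from an elevated command prompt. Paste line by line or run as a .cmd file.

:: 1. Which profile(s) has NLA made active, and what is each profile's state,
::    inbound/outbound policy and notification setting?
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

:: 2. Keep the firewall on for every profile. An upstream SOHO router or
::    hardware firewall is not a reason to turn it off: another host on the
::    local network may already be compromised.
netsh advfirewall set allprofiles state on

:: 3. Notify the logged-on user when a new program is blocked (the
::    "notify me" check box in Figure 7-4), on every profile.
netsh advfirewall set allprofiles settings inboundusernotification enable

:: 4. On the Public profile, block ALL incoming connections, including those
::    that existing allow rules would otherwise permit. The second value is
::    the outbound policy, which this example leaves as-is (allowoutbound) so
::    the profile's existing outbound rules keep working.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

:: 5. Record dropped packets so blocked traffic can be reviewed later rather
::    than only noticed through pop-up notifications.
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable

:: 6. Confirm the result.
netsh advfirewall show publicprofile
```

The Domain and Private profiles keep their normal blockinbound policy in this example; blockinboundalways is applied only to Public because that is the profile used on networks you do not control. Step 5 is the check a practitioner wants after tightening a profile: the log shows which sources and ports were dropped, so an unexpected entry is a detection lead and a legitimate one tells you which rule to create.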
Figure 7-4 Enabling Windows Firewall selectively.
The primary reason why you might want to disable Windows Firewall for all profiles is if you have a firewall product from another vendor and you want that vendor’s firewall to protect your computer rather than having Windows Firewall perform that function. It is important to note that you should not disable Windows Firewall just because there is another firewall, such as a small office/home office (SOHO) router or hardware firewall, between your client running Windows 7 and the Internet. It is possible that malware has infected another computer on your local network. Good security practice is to treat all networks as potentially hostile.
Allowing Programs Through Windows Firewall
Windows Firewall allows you to configure exceptions based on programs. This differs from Windows Vista, where Windows Firewall allowed you to configure exceptions based on port address. You can still create rules based on port address; you just have to do it using WFAS, covered later in this lesson. You can also allow specific Windows 7 features, such as Windows Virtual PC, through Windows Firewall. Feature rules become available when you enable the feature using the Programs And Features item in Control Panel. To add a rule for a feature or program, click the Allow A Program Or Feature Through Windows Firewall item in the Windows Firewall section of Control Panel. The dialog box, displayed earlier in Figure 7-3, shows a list of currently installed features and any programs for which rules have been created, as well as the profiles for which rules concerning those programs and features are enabled.
To modify the settings on this page, you need to click the Change Settings item. Only users who are members of the local Administrators group, or who have been delegated the appropriate privileges, can modify Windows Firewall settings. If a program that you want to create a rule for is not present on this list, click Allow Another Program. This opens the Add A Program dialog box, shown in Figure 7-5. If the program that you want to create a rule for is not listed, click Browse to add it. Use the Network Location Types button to specify the network profiles in which the rule should be active.
Figure 7-5 Adding a program exception.
NOTE: RESET FIREWALL TO DEFAULT CONFIGURATION
You can reset Windows Firewall and WFAS to their out-of-the-box configuration by running the command netsh advfirewall reset from an elevated command prompt. You can also reset Windows Firewall and WFAS by clicking Restore Defaults in the Windows Firewall control panel.
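The program exception built through the Add A Program dialog box above, and the reset described in this note, have command-line equivalents in the same netsh advfirewall context. The following is an added example, not from the training kit. The program path, rule name and backup file name are constructed placeholders; the export step is an addition a practitioner makes because the reset discards every rule, including exceptions created by hand.

```batch
:: Added example (not from the training kit): program exceptions and a safe reset
:: from an elevated command prompt. All names and paths below are constructed.

:: 1. Back up the current policy (all rules and profile settings) first.
::    "netsh advfirewall reset" removes every rule you have created.
netsh advfirewall export "%USERPROFILE%\Desktop\firewall-before-reset.wfw"

:: 2. Return Windows Firewall and WFAS to the out-of-the-box configuration.
netsh advfirewall reset

:: 3. Re-create a program exception: inbound traffic to one executable is
::    allowed, but only while the Domain or Home/Work (Private) profile is
::    active. On the Public profile the rule exists but is not in effect,
::    which is the same result as clearing the Public check box in Figure 7-3.
netsh advfirewall firewall add rule name="ExampleApp (inbound)" dir=in action=allow program="C:\Program Files\ExampleApp\exampleapp.exe" enable=yes profile=domain,private description="Constructed example exception"

:: 4. Check which profiles the rule is enabled for and what it matches.
netsh advfirewall firewall show rule name="ExampleApp (inbound)" verbose

:: 5. When the program is uninstalled, remove its exception rather than
::    leaving an allow rule for a path that may later be reused.
netsh advfirewall firewall delete rule name="ExampleApp (inbound)"

:: If the reset removed something you needed, the backup restores it:
::   netsh advfirewall import "%USERPROFILE%\Desktop\firewall-before-reset.wfw"
```

The rule in step 3 is keyed to the executable's path, which is the same thing the Add A Program dialog box records, so any program later placed at that path inherits the exception; that is why step 5 deletes the rule when the program goes away.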
Quick Check
• On what basis can you create rules for Windows Firewall (as opposed to WFAS)?
Quick Check Answer
• You can create rules for Windows Firewall only for programs and Windows 7 features. You cannot create rules for Windows Firewall based on port address or service.
Windows Firewall with Advanced Security
Windows Firewall with Advanced Security (WFAS) allows you to create nuanced firewall rules. For most users, the options available with Windows Firewall will be enough to keep their computers secure. If you are a more advanced user, however, you can use WFAS to:
• Configure inbound and outbound rules. Windows Firewall does not allow you to create rules based on whether traffic is inbound or outbound.
• Configure rules that apply based on protocol type and port address.
• Configure rules that apply based on traffic that addresses specific services, rather than just specific applications.
• Limit the scope of rules so that they apply based on traffic’s source or destination address.
• Configure rules that allow traffic only if it is authenticated.
• Configure connection security rules.
You can access the WFAS console either by typing Windows Firewall With Advanced Security into the Search Programs And Files text box on the Start menu or by clicking the Advanced Settings item in the Windows Firewall control panel. The WFAS console displays which network profiles are currently active. As is the case with Windows Firewall, different collections of rules apply depending on which profile is active for a particular network adapter. For example, Figure 7-6 shows that the Domain Profile and Public Profile are active. In this case, it is because the computer on which this screenshot was taken is connected to a domain network through its wireless network adapter and to the Internet through a universal serial bus (USB) cellular modem. You could enable a rule that allows traffic on port 80 for the Domain Profile but not enable it for the Public Profile. This would mean that hosts contacting this computer through the wireless network adapter would be able to access a Web server hosted on the computer, whereas hosts attempting to access the same Web server through the USB cellular modem’s Internet connection are blocked.
Creating WFAS Rules
The process for configuring inbound rules and outbound rules is essentially the same: in the WFAS console, select the node that represents the type of rule that you want to create and then click New Rule. This opens the New Inbound (or Outbound) Rule Wizard. The first page, shown in Figure 7-7, allows you to specify the type of rule that you are going to create. You can select between a program, port, predefined, or custom rule. The program and predefined rules are similar to what you can create using Windows Firewall. A custom rule allows you to configure a rule based on criteria not covered by any of the other options. You would create a custom rule if you wanted a rule that applied to a particular service rather than a program or port. You can also use a custom rule if you want to create a rule that involves both a specific program and a set of ports. For example, if you wanted to allow communication to a specific program on a certain port but not other ports, you would create a custom rule.
Figure 7-6 Multiple active network profiles in the WFAS console.
Figure 7-7 New Inbound Rule Wizard.
If you decide to create a program rule, you then need to specify a program for which the rule applies. If you choose a port rule, you must choose whether the rule applies to the TCP or the UDP protocol. You must also specify port numbers. In the next step, you specify what action to take when the firewall encounters traffic that meets the rule conditions. The options are as follows:
• Allow the connection: WFAS allows the connection if the traffic meets the rule conditions.
• Block the connection: WFAS blocks the connection if the traffic meets the rule conditions.
• Allow the connection if it is secure: WFAS allows the connection if the traffic meets the rule conditions and is authenticated using one of the methods specified in the connection security rules. Security options are shown in Figure 7-8.
Figure 7-8 Security option settings.
The default setting requires that the connection be authenticated and integrity protected, but not encrypted. Use the Require The Connection To Be Encrypted option if you want firewall rules to enforce data encryption as well as authentication and integrity protection. The Override Block Rules option allows you to specify a computer account or computer group that can bypass existing block rules.
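Each choice in the New Inbound Rule Wizard (program, port, custom, and the three actions with their security options) has a netsh advfirewall equivalent, which is useful for scripting the same rules across several computers. The following is an added example, not from the training kit; it also carries through the port-80 scenario from the WFAS console discussion above. The rule names, program path, and the SDDL group string are constructed placeholders, and the port numbers are ordinary well-known ports chosen for illustration.

```batch
:: Added example (not from the training kit): WFAS rule types and actions from an
:: elevated command prompt. All names, paths and the group SID are constructed.

:: Port rule, Domain profile only. A Web server on TCP 80 is reachable through
:: the adapter on which the Domain profile is active; because the rule is not
:: enabled for the Public profile, the same port stays blocked on an adapter
:: that NLA has classified as Public (the cellular modem in Figure 7-6).
netsh advfirewall firewall add rule name="Web server TCP 80 (domain only)" dir=in action=allow protocol=TCP localport=80 profile=domain

:: Custom rule: program AND port together. The program may accept connections
:: on TCP 8443 only; anything else it listens on is not covered by this rule.
netsh advfirewall firewall add rule name="ExampleApp on TCP 8443 only" dir=in action=allow program="C:\Program Files\ExampleApp\exampleapp.exe" protocol=TCP localport=8443

:: Custom rule keyed to a service rather than a program: the Windows Remote
:: Management service (service name WinRM) on its default HTTP listener port,
:: restricted to the Domain profile.
netsh advfirewall firewall add rule name="WinRM service (domain only)" dir=in action=allow service=WinRM protocol=TCP localport=5985 profile=domain

:: Block rule (a deny rule): inbound Telnet is refused on every profile, even
:: if a broader allow rule exists, because block rules win over allow rules.
netsh advfirewall firewall add rule name="Block inbound Telnet" dir=in action=block protocol=TCP localport=23 profile=any

:: "Allow the connection if it is secure" with the wizard's default security
:: option: authenticated and integrity-protected, but not encrypted.
netsh advfirewall firewall add rule name="File sharing from authenticated hosts" dir=in action=allow protocol=TCP localport=445 security=authenticate

:: Same action with "Require the connection to be encrypted" selected.
netsh advfirewall firewall add rule name="Remote Desktop, authenticated and encrypted" dir=in action=allow protocol=TCP localport=3389 security=authenc

:: "Override block rules": action=bypass needs an authenticated connection and
:: the computer group allowed to bypass, given as an SDDL string. <GROUP-SID>
:: is a placeholder for the real group SID.
netsh advfirewall firewall add rule name="Management hosts bypass block rules" dir=in action=bypass protocol=TCP localport=23 security=authenticate rmtcomputergrp="D:(A;;CC;;;<GROUP-SID>)"

:: Review what was created.
netsh advfirewall firewall show rule name=all dir=in | findstr /i /c:"Rule Name" /c:"Action" /c:"Profiles"
```

The authenticated rules only ever match traffic that a connection security rule has already authenticated, so on a computer with no connection security rules they allow nothing; that is the intended fail-closed behaviour, and the check for it is a look at the Connection Security Rules node in the WFAS console, or at netsh advfirewall consec show rule name=all.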
Rule Scope
A rule scope allows you to specify whether a rule applies to specific source and destination addresses. If you want to create a rule that allows a particular type of traffic but want to limit that traffic to a particular set of network addresses, you need to modify the rule’s scope. You can specify a scope when creating a custom rule, but not a standard program or port rule. For these rule types, you can specify the scope by editing the rule’s properties after it has been created, as shown in Figure 7-9. You can specify Internet Protocol (IP) addresses or IP address ranges, or use one of the predefined sets of computers that include the Default Gateway, Windows Internet Naming Service (WINS) servers, Dynamic Host Configuration Protocol (DHCP) servers, Domain Name System (DNS) servers, and Local Subnet. You can specify both IPv4 and IPv6 addresses and ranges when configuring a rule’s scope.
Figure 7-9 Configuring rule scope.
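The scope edits made on the Scope tab in Figure 7-9 (local and remote addresses, ranges, IPv6 prefixes, and the predefined computer sets) can be applied to an existing rule with netsh advfirewall firewall set rule. The following is an added example, not from the training kit. The rule it modifies is created inside the block so the example runs on its own; the addresses use the 192.0.2.0/24 and 2001:db8::/64 documentation ranges as constructed stand-ins for real networks.

```batch
:: Added example (not from the training kit): narrowing a rule's scope from an
:: elevated command prompt. The rule and all addresses below are constructed.

:: A port rule created through the wizard has no scope: it matches any source.
netsh advfirewall firewall add rule name="Scope example TCP 8080" dir=in action=allow protocol=TCP localport=8080

:: Remote IP Address, "These IP addresses": the local subnet, one IPv4 management
:: network, one IPv4 range and one IPv6 prefix. Every other source no longer
:: matches the rule, so the allow no longer reaches the whole Internet.
netsh advfirewall firewall set rule name="Scope example TCP 8080" new remoteip=localsubnet,192.0.2.0/24,192.0.2.200-192.0.2.210,2001:db8::/64

:: Predefined computer sets can stand in for addresses; here only the DNS and
:: DHCP servers the adapter currently knows about may reach the port.
netsh advfirewall firewall set rule name="Scope example TCP 8080" new remoteip=dns,dhcp

:: Local IP Address, "These IP addresses": on a computer with two adapters, bind
:: the rule to the address of the office LAN adapter only (constructed value).
netsh advfirewall firewall set rule name="Scope example TCP 8080" new localip=192.0.2.10

:: Verify: the LocalIP and RemoteIP lines show the scope now in force.
netsh advfirewall firewall show rule name="Scope example TCP 8080" verbose

:: Widen the scope back to any source when the restriction is no longer wanted.
netsh advfirewall firewall set rule name="Scope example TCP 8080" new remoteip=any
```

Note that each set rule command replaces the previous remoteip value rather than adding to it, which is why the predefined-set line above discards the address list set just before it; combine addresses and keywords in one comma-separated value when you need both.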
To modify a rule’s scope, perform the following actions:
1. Right-click the rule in the WFAS console and then choose Properties. This opens the Properties dialog box for the rule. Click the Scope tab.
2. If you want to limit the local IP address that the rule applies to (for example, when more than one address is assigned to a network adapter or there are multiple network adapters on your computer), select the These IP Addresses option below Local IP Address. Click Add and specify which address or addresses the rule applies to.