attempts. For example, a back-end database server might be configured to accept only authenticated connections from a front-end Web application server. For more information on how server isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic server isolation scenario.
n Domain isolation Domain isolation involves configuring connection security rules on both clients and servers so that domain members accept only authenticated (and optionally, encrypted) connection attempts from other domain members. By default, connection attempts from non-domain members are not accepted, but you can configure exception rules that allow unauthenticated connections from specific non-domain members. For more information on how domain isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic domain isolation scenario.
n Network Access Protection Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that enforces health requirements by monitoring and assessing the health of client computers when they try to connect or communicate on a network. Client computers that are found to be out of compliance with the health policy can then be provided with restricted network access until their configuration has been updated and brought into compliance with policy. Windows Firewall with Advanced Security can be used as part of a NAP implementation by creating connection security rules that require computer certificates for authentication. Specifically, client computers that are determined to be in compliance with health policy are provisioned with the computer certificate needed to authenticate. For more information on how NAP works and how to implement it, see http://www.microsoft.com/nap/.
n DirectAccess DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that provides users with the experience of being seamlessly connected to their corporate network any time they have Internet access. Using DirectAccess, users can securely access internal resources such as e-mail servers and intranet sites without the need of first establishing a VPN connection with their corporate network. DirectAccess uses IPv6 together with IPsec tunnels to establish secure, bidirectional communications between the client computer and the corporate network over the public Internet. DirectAccess also seamlessly integrates with server and domain isolation scenarios and NAP implementations, enabling enterprises to create comprehensive end-to-end security, access, and health requirement solutions. For more information on how DirectAccess works and how to implement it, see http://www.microsoft.com/directaccess/.
DIRECT FROM THE SOURCE
Combining Domain Isolation with Server Isolation
Dave Bishop, Senior Technical Writer
WSUA Networking
You can easily combine both Domain Isolation and Server Isolation on the same network. The Domain Isolation rules that configure your computers to authenticate before connecting can also serve as the basis for identifying computers and users to restrict access to sensitive servers. By default, only computer authentication is performed, but on computers that are running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2, you can configure the rules to also require user authentication.
The client rules that support Domain Isolation support Server Isolation as well. To isolate a server, you configure the server to permit connections from authorized users and computers only. To do this, add a firewall rule to the isolated server that uses the Allow The Connection If It Is Secure action. This enables the Users and Computers tabs, where you can identify the user and computer accounts that are authorized to connect to the isolated server. No further configuration on the client computers is required; the user and computer credentials used for authentication for Domain Isolation are also used for the authorization on the isolated server.
Server Isolation is an important defense-in-depth layer that helps to protect your sensitive servers, such as payroll, personnel, and other servers that must be carefully guarded.
TYPES OF CONNECTION SECURITY RULES
Depending on the scenario you want to implement or the business need you are trying to meet, different types of connection security rules may be needed for your environment. Windows Firewall with Advanced Security allows you to create the following types of connection security rules:
n Isolation rules These rules are used to isolate computers by restricting inbound connections based on credentials such as domain membership. Isolation rules are typically used when implementing a server or domain isolation strategy for your network.
n Authentication exemption rules These rules are used to identify computers that do not require authentication when attempting to connect to a domain member when implementing a domain isolation strategy.
n Server-to-server rules These rules are used to protect communications between specific computers. This is basically the same as an isolation rule except that you can
n Tunnel rules These rules are used to protect communications between gateways on the public Internet. In Windows 7, you can create dynamic tunnel endpoint rules that enable Client-to-Gateway and Gateway-to-Client tunnel configurations.
n Custom rules These rules can be created when the other types of connection security rules don't meet the needs of your environment.
SUPPORTED IPSEC SETTINGS FOR CONNECTION SECURITY RULES
Connection security rules use IPsec to protect traffic between the local computer and other computers on the network. IPsec is an industry-standard set of protocols for protecting communications over IP networks using cryptographic security services. IPsec can provide network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection to ensure the security of traffic as it passes across a network. For general information concerning IPsec concepts and how IPsec can be used to protect a network, see the resources available at http://www.microsoft.com/IPsec/.
The range of IPsec features supported previously in the Windows Vista RTM has been expanded, first in Windows Vista SP1 and later in Windows 7, to include new security methods, data integrity algorithms, data encryption algorithms, and authentication protocols. Tables 26-2 through 26-6 summarize the key exchange algorithms, data protection (integrity or encryption) algorithms, and authentication methods now supported for IPsec communications in Windows 7. Note that some algorithms are supported only for main mode or quick mode, and different authentication methods are supported for first and second authentication. For more information on how to configure IPsec settings in Windows 7, see the section titled “Creating and Configuring Connection Security Rules” later in this chapter.
TABLE 26-2 Supported Key Exchange Algorithms for IPsec Communications in Windows 7
KEY EXCHANGE ALGORITHM | NOTES
Diffie-Hellman Group 1 (DH Group 1) | Not recommended. Provided for backward compatibility only.
DH Group 2 | Stronger than DH Group 1.
DH Group 14 | Stronger than DH Group 2.
Elliptic Curve Diffie-Hellman P-256 | Stronger than DH Group 2. Medium resource usage. Compatible only with Windows Vista and later versions.
Elliptic Curve Diffie-Hellman P-384 | Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions.
TABLE 26-3 Supported Data Integrity Algorithms for IPsec Communications in Windows 7
DATA INTEGRITY ALGORITHM | NOTES
Message-Digest algorithm 5 (MD5) | Not recommended. Provided for backward compatibility only.
Secure Hash Algorithm 1 (SHA-1) | Stronger than MD5 but uses more resources.
SHA 256-bit (SHA-256) | Main mode only. Supported on Windows Vista SP1 and later versions.
Advanced Encryption Standard-Galois Message Authentication Code 128 bit (AES-GMAC 128) | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 128 for integrity.
AES-GMAC 192 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 192 for integrity.
AES-GMAC 256 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 256 for integrity.
AES-GCM 128 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 128 for integrity.
AES-GCM 192 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 192 for integrity.
AES-GCM 256 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 256 for integrity.
TABLE 26-4 Supported Data Encryption Algorithms for IPsec Communications in Windows 7
DATA ENCRYPTION ALGORITHM | NOTES
Data Encryption Standard (DES) | Not recommended. Provided for backward compatibility only.
Triple-DES (3DES) | Higher resource usage than DES.
Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128) | Faster and stronger than DES. Supported on Windows Vista and later versions.
AES-CBC 192 | Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions.
AES-CBC 256 | Strongest security. Highest resource usage. Supported on Windows Vista and later versions.
AES-GCM 128 | Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 192 | Quick mode only. Medium resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 256 | Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
TABLE 26-5 Supported First Authentication Methods for IPsec Communications in Windows 7
FIRST AUTHENTICATION METHOD | NOTES
Computer (Kerberos V5) | Compatible with Microsoft Windows 2000 or later versions.
Computer (NTLMv2) | Use on networks that include systems running an earlier version of Windows and on stand-alone systems.
Computer certificate | The default signing algorithm is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. First authentication can also be configured to accept only health certificates when using a NAP infrastructure.
Pre-shared key | Not recommended.
TABLE 26-6 Supported Second Authentication Methods for IPsec Communications in Windows 7
SECOND AUTHENTICATION METHOD | NOTES
User (Kerberos V5) | Compatible with Windows 2000 or later versions.
User (NTLMv2) | Use on networks that include systems running an earlier version of Windows and on stand-alone systems.
User certificate | The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
Computer health certificate | The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
DEFAULT IPSEC SETTINGS FOR CONNECTION SECURITY RULES
The default IPsec settings for Windows Firewall with Advanced Security are as follows:
n Default key exchange settings (main mode):
• Key exchange algorithm: DH Group 2
• Data integrity algorithm: SHA-1
• Primary data encryption algorithm: AES-CBC 128
• Secondary data encryption algorithm: 3DES
• Key lifetime: 480 minutes/0 sessions
n Default data integrity settings (quick mode):
• Primary protocol: Encapsulating Security Payload (ESP)
• Secondary protocol: Authentication Header (AH)
• Data integrity algorithm: SHA-1
• Key lifetime: 60 minutes/100,000 KB
n Default data encryption settings (quick mode):
• Primary protocol: ESP
• Secondary protocol: ESP
• Data integrity algorithm: SHA-1
• Primary data encryption algorithm: AES-CBC 128
• Secondary data encryption algorithm: 3DES
• Key lifetime: 60 minutes/100,000 KB
The default authentication method used for first authentication of IPsec connections is Computer (Kerberos V5). By default, no second authentication method is configured for IPsec connections.
By default, these settings are used when creating new connection security rules unless you select different settings when using the New Connection Security Rule Wizard. For more information, see the section titled “Creating and Configuring Connection Security Rules” later in this chapter.
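The default main mode offer above (DH Group 2, SHA-1, AES-CBC 128 with 3DES as the secondary cipher) can be checked against the rankings in Tables 26-2 through 26-4 programmatically. The following Python script is an added example, not code from the book or from Windows; it parses the SecMethods line that netsh advfirewall show global prints (the format shown later in this chapter) and flags the algorithms the tables mark as not recommended or as having stronger alternatives. The sample output it contains is constructed.

```python
"""Check the main mode security methods from 'netsh advfirewall show global'
against the algorithm rankings in Tables 26-2 to 26-4.
Added example code, not from the book or from Windows."""
import re

# Relative strength per the tables: 0 = "Not recommended", higher = stronger.
KEY_EXCHANGE = {"DHGROUP1": 0, "DHGROUP2": 1, "DHGROUP14": 2, "ECDHP256": 2, "ECDHP384": 3}
ENCRYPTION = {"DES": 0, "3DES": 1, "AES128": 2, "AES192": 3, "AES256": 4}
INTEGRITY = {"MD5": 0, "SHA1": 1, "SHA256": 2, "SHA384": 3}
ALGORITHM_KINDS = (("keyexch", KEY_EXCHANGE), ("enc", ENCRYPTION), ("integ", INTEGRITY))

# What to report for the two weakest tiers, worded from the tables' notes.
ADVICE = {
    "DHGROUP1": "not recommended; provided for backward compatibility only (Table 26-2)",
    "DHGROUP2": "DH Group 14 and ECDH P-256 are listed as stronger (Table 26-2)",
    "DES": "not recommended; provided for backward compatibility only (Table 26-4)",
    "3DES": "AES-CBC is listed as faster and stronger than DES (Table 26-4)",
    "MD5": "not recommended; provided for backward compatibility only (Table 26-3)",
    "SHA1": "SHA-256 is available for main mode on Windows Vista SP1 and later (Table 26-3)",
}


def parse_method(method):
    """Split one method into key exchange, encryption and integrity tokens.
    Tokens are classified by name, so both the 'show global' order
    (DHGroup2-AES128-SHA1) and the Windows PE order (AES128-SHA1-ECDHP256)
    parse the same way."""
    found = {}
    for token in method.upper().split("-"):
        for kind, table in ALGORITHM_KINDS:
            if token in table:
                if kind in found:
                    raise ValueError(f"two {kind} algorithms in {method!r}")
                found[kind] = token
                break
        else:
            raise ValueError(f"unknown algorithm {token!r} in {method!r}")
    missing = {kind for kind, _ in ALGORITHM_KINDS} - set(found)
    if missing:
        raise ValueError(f"{method!r} lacks {sorted(missing)}")
    return found


def assess_method(method):
    """Findings for one method as 'TOKEN: advice' strings; an empty list
    means nothing in the method falls in a flagged tier."""
    parts = parse_method(method)
    return [f"{tok}: {ADVICE[tok]}" for _, tok in sorted(parts.items()) if tok in ADVICE]


def secmethods_from_show_global(output):
    """Extract the comma-separated method list from the 'SecMethods' line."""
    match = re.search(r"^\s*SecMethods\s+(\S+)", output, re.MULTILINE)
    if not match:
        raise ValueError("no SecMethods line in output")
    return match.group(1).split(",")


def assess_secmethods(methods):
    """Map every offered method to its findings, in offer order."""
    return {method: assess_method(method) for method in methods}


# Constructed sample modelled on the 'show global' output shown in the chapter.
SAMPLE_SHOW_GLOBAL = """\
Global Settings:
IPsec:
StrongCRLCheck                        0:Disabled
Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No
"""

if __name__ == "__main__":
    offers = secmethods_from_show_global(SAMPLE_SHOW_GLOBAL)
    for method, findings in assess_secmethods(offers).items():
        print(method)
        for finding in findings or ["nothing flagged"]:
            print("  " + finding)
```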
Windows Firewall and Windows PE
Beginning with Windows 7 and Windows Server 2008 R2, you can now configure IPsec in Windows Preinstallation Environment (Windows PE) for added security during desktop and server deployment. While Windows PE 3.0 now supports IPsec by default, the computer you want to connect to may require additional configuration to allow a connection. The default IPsec settings for Windows PE 3.0 are as follows:
n MM Security Offer: AES128-SHA1-ECDHP256, where MM is main mode.
n MM Authentication Method: Anonymous
n QM Policy: 3DES-SHA1; AES128-SHA1, where QM is quick mode.
n QM Authentication Method: NTLMv2
Understanding Default Rules
Default rules specify the default behavior of Windows Firewall with Advanced Security when traffic does not match any other type of rule. Default rules can be configured on a per-profile basis. The possible default rules for inbound traffic are:
n Block (the default for all profiles)
n Block all connections
n Allow
The possible default rules for outbound traffic are:
n Allow (the default for all profiles)
n Block
From a practical standpoint, the block all connections default rule for inbound traffic can be interpreted as “shields up” or “ignore all allow and allow-bypass rules.” For information on configuring default rules, see the section titled “Configuring Firewall Profiles and IPsec Settings by Using Group Policy” later in this chapter.
Understanding WSH Rules
WSH rules are built-in rules that protect Windows services (and thereby also the applications that use these services) by restricting services from establishing connections in ways other than they were designed. WSH rules are not exposed to management using the Windows Firewall with Advanced Security MMC snap-in, the Netsh command, or Group Policy. Third-party ISVs who create services for Windows can also create WSH rules to protect those services. For more information on this, see http://msdn.microsoft.com/en-us/library/aa365491.aspx.
Understanding Rules Processing
If more than one rule matches a particular packet being examined, Windows Firewall with Advanced Security must decide which of these rules to apply to the packet so as to decide what action to take. The order in which Windows Firewall with Advanced Security processes rules is as follows:
1. WSH rules (this is not configurable by the user)
2. Connection security rules
3. Authenticated bypass rules
4. Block rules
5. Allow rules
6. Default rules
When a packet is being examined by Windows Firewall with Advanced Security, the packet is compared to each of these types of rules in the order they are listed. If the packet matches a particular rule, that rule is applied, and rule processing stops. In addition, if two rules in the same group match, then the rule that is more specific (that is, has more matching criteria) is the one that is applied. For example, if rule A matches traffic to 192.168.0.1 and rule B matches traffic to 192.168.0.1 TCP port 80, then traffic to port 80 on that server matches rule B, and its action is the one taken.
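The processing order and the more-specific-rule tie-break can be expressed as a small evaluator. This Python model is an added example, not code from the book or from Windows Firewall itself; the rule names, criteria and packets are constructed to mirror the rule A and rule B example in the text, and WSH and connection security matching are not modelled beyond their place in the order.

```python
"""Model of the rule processing order described in this section.
Added example code; a simplified model, not Windows Firewall's implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Categories in the order the chapter lists them. WSH and connection security
# rules keep their place in the order, but the sample below only populates
# the categories whose rules carry an allow/block action.
CATEGORY_ORDER = ["wsh", "consec", "authbypass", "block", "allow", "default"]


@dataclass
class Rule:
    name: str
    category: str
    action: str                                   # "allow" or "block"
    criteria: dict = field(default_factory=dict)  # more keys = more specific

    def matches(self, packet):
        """True if every criterion matches the packet; an absent criterion matches anything."""
        for key, wanted in self.criteria.items():
            actual = packet.get(key)
            if actual is None:
                return False
            if key == "remote_ip":
                if ip_address(actual) not in ip_network(wanted, strict=False):
                    return False
            elif actual != wanted:
                return False
        return True

    @property
    def specificity(self):
        return len(self.criteria)


def evaluate(rules, packet):
    """Return the winning rule, or None when no rule matches.

    Categories are tried in CATEGORY_ORDER; the first category with at least
    one match decides, and within it the rule with the most criteria wins,
    as the chapter describes for rule A (host only) versus rule B
    (host, protocol and port)."""
    unknown = {r.category for r in rules} - set(CATEGORY_ORDER)
    if unknown:
        raise ValueError(f"unknown rule categories: {sorted(unknown)}")
    for category in CATEGORY_ORDER:
        hits = [r for r in rules if r.category == category and r.matches(packet)]
        if hits:
            return max(hits, key=lambda r: r.specificity)
    return None


def decide(rules, packet):
    """Action taken for the packet: the winner's action, or block if nothing matched."""
    winner = evaluate(rules, packet)
    return winner.action if winner else "block"


# Constructed rule set: the chapter's rule A and rule B, one block rule and a
# domain-profile default rule.
SAMPLE_RULES = [
    Rule("Rule A", "allow", "allow", {"remote_ip": "192.168.0.1/32"}),
    Rule("Rule B", "allow", "allow",
         {"remote_ip": "192.168.0.1/32", "protocol": "tcp", "port": 80}),
    Rule("Block SMB", "block", "block", {"protocol": "tcp", "port": 445}),
    Rule("Domain default", "default", "block", {"profile": "domain"}),
]

if __name__ == "__main__":
    for packet in (
        {"remote_ip": "192.168.0.1", "protocol": "tcp", "port": 80, "profile": "domain"},
        {"remote_ip": "192.168.0.1", "protocol": "tcp", "port": 445, "profile": "domain"},
        {"remote_ip": "10.0.0.5", "protocol": "udp", "port": 53, "profile": "domain"},
    ):
        winner = evaluate(SAMPLE_RULES, packet)
        print(packet, "->", winner.name if winner else "no match", decide(SAMPLE_RULES, packet))
```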
By default, the rule processing described previously includes both local rules (firewall and/or connection security rules configured by the local administrator of the computer) and rules applied to the computer by Group Policy. If more than one Group Policy object (GPO) applies to a particular computer, the default rules come from the GPO with the highest precedence. Merging of local rules can be enabled or disabled using Group Policy. For more information, see the section titled “Considerations When Managing Windows Firewall Using Group Policy” later in this chapter.
Managing Windows Firewall with Advanced Security
Windows 7 and Windows Server 2008 R2 include tools for configuring and managing Windows Firewall with Advanced Security in both stand-alone and domain environments. These tools can be used to perform common tasks such as creating firewall rules to block or allow traffic, creating connection security rules to protect network traffic using IPsec, monitoring firewall and connection security activity, and more. The sections that follow examine the tools that you can use to manage Windows Firewall with Advanced Security and describe some common management tasks.
Tools for Managing Windows Firewall with Advanced Security
The following tools can be used for managing Windows Firewall with Advanced Security:
n Windows Firewall Control Panel item
n Windows Firewall with Advanced Security MMC snap-in
n Windows Firewall with Advanced Security Group Policy node
n Netsh advfirewall command context
The sections that follow summarize the differences in functionality between using these various tools.
Managing Windows Firewall Using Control Panel
The Windows Firewall utility in Control Panel exposes only a small subset of Windows Firewall with Advanced Security functionality and is primarily intended for consumers and for users working in SOHO environments. Using this utility, a user on the local computer can perform the following tasks:
n Turning Windows Firewall on or off for each type of network location (domain, private, or public)
n Enabling or disabling firewall notifications for each type of network location
n Verifying which firewall profiles apply to which network connections on the computer
n Allowing a program or feature to communicate through Windows Firewall for a particular firewall profile (see Figure 26-7)
n Restoring the default settings for Windows Firewall
Note that most actions involving Windows Firewall require local administrator credentials on the computer.
FIGURE 26-7 Viewing which firewall profiles allow Remote Assistance to communicate through Windows Firewall
Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in
The Windows Firewall with Advanced Security MMC snap-in exposes most of the functionality of Windows Firewall for advanced users and administrators of the local computer (main mode rules and some advanced global IPsec settings are configurable only by Netsh). To start this snap-in, do any of the following:
n From the Start menu, select Control Panel, System And Security, Windows Firewall, Advanced Settings
n Type fire in the Start menu Search box, and then click Windows Firewall With Advanced Security in the Programs group
n Type wf.msc in the Start menu Search box and press Enter
n Type mmc in the Start menu Search box and press Enter to open a new MMC console, and then add the Windows Firewall with Advanced Security snap-in to the console in the usual way
The first three methods listed here can be used only to manage Windows Firewall on the local computer. The last method can be used to manage Windows Firewall on either the local computer or a specified remote computer. You must have local administrator credentials on the computer on which you want to manage Windows Firewall when using this snap-in.
NOTE The Windows 7 version of the Windows Firewall with Advanced Security snap-in can be used to manage Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2.
Using the Windows Firewall with Advanced Security snap-in, you can perform a wide variety of administrative tasks, including the following:
n Configuring default settings for each firewall profile
n Enabling and disabling firewall rules
n Creating and configuring firewall rules
n Configuring default IPsec settings
n Enabling and disabling connection security rules
n Creating and configuring connection security rules
n Exporting and importing firewall policy for the computer
n Restoring the default firewall settings for the computer
n Configuring firewall logging settings
n Monitoring the state of the firewall and its configuration
n Monitoring active firewall rules
n Monitoring active connection security rules
n Monitoring security associations for both main mode and quick mode
n Monitoring event logs associated with Windows Firewall
Many of these management tasks are described in more detail in the section titled “Common Management Tasks” later in this chapter.
To make it easier to manage large numbers of rules on a computer, the Windows Firewall with Advanced Security snap-in lets you filter firewall and connection security rules by profile (domain, private, or public) and/or by state (enabled or disabled). In addition, firewall rules (but not connection security rules) can also be filtered by rule group. Figure 26-8 shows all inbound rules that match the following filtering criteria:
n Profile: domain
n State: enabled
n Group: Remote Assistance
To remove applied filters, select Clear All Filters from the shortcut menu.
FIGURE 26-8 You can filter firewall rules by profile, state, and group to make it easier to manage large numbers of rules
Managing Windows Firewall Using Group Policy
In enterprise environments, the primary method for managing Windows Firewall on remote computers (both clients and servers) is to use Group Policy. To manage Windows Firewall on a collection of computers on your network using Group Policy, do the following:
1. Create a new GPO and link the GPO to the organizational unit (OU) where the computer accounts for these computers reside.
2. Open the GPO using the Group Policy Management Editor from the Group Policy Management Console (GPMC) and navigate to the following location:
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\
3. Select the policy node under this location, which should look like this:
Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
Here GUID is the globally unique identifier for the Group Policy Container (GPC) associated with the GPO you have opened.
Once you have selected this node, you can configure Group Policy settings for Windows Firewall using the same graphical user interface as the Windows Firewall with Advanced Security snap-in described previously (see Figure 26-9).
FIGURE 26-9 Using Group Policy to configure Windows Firewall with Advanced Security on targeted computers
CONSIDERATIONS WHEN MANAGING WINDOWS FIREWALL USING GROUP POLICY
The following considerations should be kept in mind when managing Windows Firewall using Group Policy:
n The state of each firewall profile in the firewall policy of a GPO is initially Not Configured. This means that firewall policy applied to computers targeted by the GPO will have no effect. For example, if the domain profile of Windows Firewall on a targeted computer is enabled, it will remain enabled after Group Policy processing has occurred. Similarly, if the domain profile of Windows Firewall on a targeted computer is disabled, it will remain disabled after Group Policy processing has taken place on the computer. So if a local administrator on the targeted computer turns off Windows Firewall on his computer, it will remain turned off even after Group Policy processing has taken place on the computer. Therefore, if you want to ensure that the firewall policy in the GPO applies to targeted computers, you must enable the firewall profiles in the policy. To do this, right-click the following policy node in the GPO:
Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
Select Properties from the context menu, and on each profile tab (Domain Profile, Private Profile, and Public Profile), change the Firewall State policy setting from Not Configured to On (Recommended).
n The default inbound and outbound rules for each firewall profile in the firewall policy of a GPO are also initially Not Configured. Therefore, if you want to ensure that firewall rules are processed as expected when the GPO is processed by targeted computers, you should configure the desired default inbound and outbound rules in the policy. To do this, right-click on the policy node described above and select Properties from the context menu. Then on each profile tab (Domain Profile, Private Profile, and Public Profile), change the Inbound Connections and Outbound Connections policy settings to the values you want to use, which are typically the following.
Note that if multiple GPOs for firewall policy target the same computer and each GPO has different default rules configured, the default rules for the GPO that has the highest precedence apply. Note also that if you set outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive it will not receive subsequent Group Policy updates unless you first create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying the policy.
n By default, rule merging is enabled between local firewall policy on Windows 7 computers and firewall policy specified in GPOs that target those computers. This means that local administrators can create their own firewall and connection security rules on their computers, and these rules will be merged with the rules obtained through Group Policy targeting the computers. Rule merging can be enabled or disabled on a per-GPO, per-profile basis by opening the Properties of the policy node described previously, selecting a firewall profile, and clicking Customize under Settings. Then under Rule Merging in the Customize Settings For The firewall_profile dialog box, change the Apply Local Firewall Rules and/or Apply Local Connection Security Rules policy settings from Not Configured to Yes (Default) or No, as shown here.
To ensure that only GPO-supplied rules are applied to computers targeted by the GPO and that locally defined rules on the computers are ignored, change these two policy settings from Not Configured to No. If you decide to leave rule merging enabled in the firewall policy of a GPO by configuring these two policy settings as either Yes (Default) or Not Configured, you should explicitly configure all firewall policy settings that may be needed by the targeted computers, including firewall and IPsec settings, firewall rules, and connection security rules. Otherwise, any policy settings that you leave unconfigured in the GPO can be overridden by the local administrator on the targeted computer by using the Windows Firewall with Advanced Security snap-in or the Netsh command.
MORE INFO See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx, for a walkthrough of how to deploy firewall and connection security rules using Group Policy.
NOTE For faster processing of GPOs that are used only for applying firewall policy to targeted computers, disable the User portion of the GPO using the GPMC.
Managing Windows Firewall Using the Netsh Command
The Netsh command can be used to manage Windows Firewall either interactively from the command line or by using scripts. The Netsh command also has been enhanced in Windows 7 to expose almost all aspects of Windows Firewall to viewing and configuration (some settings, such as global quick mode, can only be configured using the Windows Firewall with Advanced Security snap-in). By using the netsh advfirewall context of this command, you can display the status and configuration of Windows Firewall, configure firewall and IPsec settings, create and configure both firewall and connection security rules, monitor active connections, and perform other management tasks.
NOTE You must run the netsh advfirewall command from an elevated command prompt to set (configure) Windows Firewall settings. You do not need to run it from an elevated command prompt if you only want to show (view) Windows Firewall settings.
To enter the netsh advfirewall context from the command line, type netsh and press Enter, then type advfirewall and press Enter:
C:\Windows\System32>netsh
netsh>advfirewall
netsh advfirewall>
The prompt indicates the current context of the command. Typing help at the netsh advfirewall prompt displays the following additional commands available for this context:
n consec Changes to the netsh advfirewall consec context, which lets you view and configure connection security rules.
n export Exports the current firewall policy to a .wfw file.
n firewall Changes to the netsh advfirewall firewall context, which lets you view and configure firewall rules.
n import Imports a .wfw policy file into the current policy store.
n mainmode New in Windows 7, this changes to the netsh advfirewall mainmode context, which lets you view and configure main mode configuration rules.
n monitor Enhanced with added functionality in Windows 7, this changes to the netsh advfirewall monitor context, which lets you view the current IPsec, firewall, and main mode states, and the current quick mode and main mode security associations established on the local computer.
n reset Resets the firewall policy to the default out-of-box policy.
n set Sets per-firewall profile and global firewall settings.
n show Displays firewall profiles and global firewall settings.
For example, you can use the show domainprofile command to view the firewall settings for the domain profile as follows:
netsh advfirewall>show domainprofile

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096
To view the global firewall and IPsec settings on the local computer, use the show global command as follows:
netsh advfirewall>show global

Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None

StatefulFTP                           Enable
StatefulPPTP                          Enable

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No

Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall
To view full details concerning a particular firewall rule such as the Remote Assistance (TCP-In) rule, first type firewall and press Enter to change to the netsh advfirewall firewall context, and then run show rule with the verbose option as follows:

netsh advfirewall firewall>show rule name="Remote Assistance (TCP-In)" profile=domain,private verbose

Rule Name:                            Remote Assistance (TCP-In)
----------------------------------------------------------------------
Description:                          Inbound rule for Remote Assistance traffic [TCP]
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Assistance
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       Defer to application
Program:                              C:\Windows\system32\msra.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow
You can also pipe Netsh to Findstr to display the names of all inbound rules belonging to a specific rule group. For example, to display all inbound rules for the Remote Assistance rule group, use this command:

C:\Windows\system32>netsh advfirewall firewall show rule name=all dir=in | findstr /I /C:"remote assistance"

Rule Name:                            Remote Assistance (PNRP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (SSDP TCP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (SSDP UDP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (TCP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (DCOM-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (RA Server TCP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (PNRP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (TCP-In)
Grouping:                             Remote Assistance
To show all connection security rules configured on the local computer, type consec to change to the netsh advfirewall consec context. Then use the show rule command as follows:

netsh advfirewall consec>show rule name=all

Rule Name:                            Lab Server
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain
Type:                                 Static
Mode:                                 Transport
Endpoint1:                            172.16.11.131/32
Endpoint2:                            172.16.11.163/32
Protocol:                             Any
Action:                               RequestInRequestOut
Auth1:                                ComputerPSK
Auth1PSK:                             test
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb

Two details of this listing matter outside a lab. The preshared key is stored and displayed in clear text (anyone who can run show rule can read it), so preshared keys are suitable for testing only; use Kerberos or certificate authentication in production. Also, the action RequestInRequestOut only requests IPsec, so traffic falls back to clear text if the peer does not negotiate it, and the quick mode proposal list begins with ESP:SHA1-None and includes AH:SHA1, which authenticate packets but do not encrypt them.
NOTE To view all firewall settings including global settings, per-firewall profile settings, and all active firewall rules on the computer, type netsh advfirewall monitor show firewall verbose at a command prompt.
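Reading these listings on one computer is easy; checking them across a fleet is not. The following Python script is an added example, not part of this chapter or of the Windows Firewall tooling. It parses text captured from show <profile>, show global, and consec show rule name=all (relying on the two-or-more-space column alignment netsh prints) and flags the settings a reviewer would question: a profile whose state is not ON or whose inbound default is not BlockInbound, dropped-connection logging left disabled, StrongCRLCheck 0, 3DES or Diffie-Hellman group 1 or 2 in main mode or quick mode proposals, preshared-key authentication (whose key netsh prints in clear text, as in the Auth1PSK line above), Request* actions that fall back to clear text, and AH or ESP-null proposals that provide no encryption. The sample text is constructed to mirror this chapter's listings; the second connection security rule is invented for contrast, and the list of algorithms treated as weak is this example's own judgement.

```python
"""Offline audit of 'netsh advfirewall show' output for weak settings.
Inputs are the text of 'show <profile>', 'show global' and 'consec show rule
name=all'; the samples are constructed to mirror this chapter's listings."""
import re

SAMPLE_PROFILE = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Logging:
LogDroppedConnections                 Disable
"""

SAMPLE_GLOBAL = """\
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled

Main Mode:
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
"""

SAMPLE_CONSEC = """\
Rule Name:                            Lab Server
----------------------------------------------------------------------
Action:                               RequestInRequestOut
Auth1:                                ComputerPSK
Auth1PSK:                             test
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,AH:SHA1+60min+100000kb

Rule Name:                            Server Isolation (constructed)
----------------------------------------------------------------------
Action:                               RequireInRequireOut
Auth1:                                ComputerKerb
MainModeSecMethods:                   DHGroup14-AES256-SHA256
QuickModeSecMethods:                  ESP:SHA256-AES256+60min+100000kb
"""

# Legacy algorithms and DH groups this example treats as weak (assumption).
WEAK_ALG = re.compile(r"\b(3DES|DES|MD5|DHGroup1|DHGroup2)(?![0-9A-Za-z])")


def parse_settings(text):
    """'Key   Value' lines -> dict; headers ('Logging:') and dashed rows are
    skipped, and the trailing colon netsh puts on consec keys is dropped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"} or line.endswith(":"):
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].rstrip(":")] = parts[1]
    return settings


def parse_rules(text):
    """One dict per rule in 'consec show rule name=all' output."""
    chunks = re.split(r"(?m)^(?=Rule Name:)", text)
    return [parse_settings(c) for c in chunks if c.startswith("Rule Name:")]


def weak_algorithms(*proposal_lists):
    """Legacy algorithm names found in comma-separated netsh proposal lists."""
    return sorted({m.group(1) for t in proposal_lists for m in WEAK_ALG.finditer(t)})


def audit_profile(p):
    findings = []
    if p.get("State", "").upper() != "ON":
        findings.append("firewall state is %s" % p.get("State", "missing"))
    if not p.get("Firewall Policy", "").startswith("BlockInbound"):
        findings.append("inbound default is not BlockInbound (%s)" % p.get("Firewall Policy"))
    if p.get("LogDroppedConnections") != "Enable":
        findings.append("dropped-connection logging is off: blocked probes leave no trace")
    return findings


def audit_global(g):
    findings = []
    if g.get("StrongCRLCheck", "").startswith("0"):
        findings.append("StrongCRLCheck 0: revoked certificates still pass IPsec authentication")
    weak = weak_algorithms(g.get("SecMethods", ""))
    if weak:
        findings.append("default main mode offers legacy algorithms: " + ", ".join(weak))
    return findings


def audit_consec_rule(r):
    name, findings = r.get("Rule Name", "?"), []
    for auth in ("Auth1", "Auth2"):
        if "PSK" in r.get(auth, ""):
            findings.append("%s: %s is a preshared key, which netsh prints in clear text (%r)"
                            % (name, auth, r.get(auth + "PSK", "")))
    if "Request" in r.get("Action", ""):
        findings.append("%s: action %s falls back to clear text when the peer does not do IPsec"
                        % (name, r["Action"]))
    qm = r.get("QuickModeSecMethods", "")
    plain = [x for x in qm.split(",") if x.startswith("AH:") or "-None" in x]
    if plain:
        findings.append("%s: quick mode offers unencrypted proposals: %s" % (name, "; ".join(plain)))
    weak = weak_algorithms(r.get("MainModeSecMethods", ""), qm)
    if weak:
        findings.append("%s: legacy algorithms in proposals: %s" % (name, ", ".join(weak)))
    return findings


def audit_all(profile_text, global_text, consec_text):
    return {"profile": audit_profile(parse_settings(profile_text)),
            "global": audit_global(parse_settings(global_text)),
            "consec": [f for r in parse_rules(consec_text) for f in audit_consec_rule(r)]}


if __name__ == "__main__":
    for section, items in audit_all(SAMPLE_PROFILE, SAMPLE_GLOBAL, SAMPLE_CONSEC).items():
        for item in items:
            print("[%s] %s" % (section, item))
```

Run against real captures by replacing the three sample strings with the output of the corresponding netsh commands (for example redirected with netsh advfirewall show global > global.txt); the Lab Server rule above produces four findings, the constructed server isolation rule none.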
Also new in Windows 7 are the following two Netsh contexts:
n netsh trace Enables ETW tracing and/or Network Diagnostics Framework (NDF)
diagnostics for various features and scenarios including Windows Firewall and IPsec
n netsh wfp Enables WFP and Internet Key Exchange (IKE)/AuthIP tracing
MORE INFO For more information concerning Netsh syntax and examples of usage, see "Netsh Commands for Windows Firewall with Advanced Security" at http://technet.microsoft.com/en-us/library/cc771920.aspx.
Common Management Tasks
The sections that follow briefly describe some common management tasks for administering Windows Firewall with Advanced Security on Windows 7 and Windows Server 2008 R2 For additional information concerning managing Windows Firewall with Advanced Security, see the references in the section titled “Related Information” at the end of this chapter
IMPORTANT When using Group Policy to perform these tasks, be sure to refer to the section titled "Considerations When Managing Windows Firewall Using Group Policy" earlier in this chapter.
Enabling or Disabling Windows Firewall
Windows Firewall with Advanced Security should be turned on to ensure maximum protection for computers running Windows 7 and Windows Server 2008 R2 However, should you need to enable or disable Windows Firewall with Advanced Security for some reason on a computer, you can do one of the following:
n Open Windows Firewall from Control Panel and click Turn Windows Firewall On Or Off Then select Turn Off Windows Firewall (Not Recommended) for each firewall profile for which you want to disable the firewall
n Open the Windows Firewall with Advanced Security snap-in Right-click on the root node and select Properties, then change the Firewall State to Off on the tab for each firewall profile for which you want to disable the firewall
n Open a command prompt and type netsh advfirewall set profile_name state off, where profile_name can be domainprofile, privateprofile, or publicprofile. You can also type netsh advfirewall set allprofiles state off to completely turn off Windows Firewall on the computer.
IMPORTANT Turning off Windows Firewall by disabling the Windows Firewall service is not supported by Microsoft.
DIRECT FROM THE SOURCE
Firewall Coexistence (aka Categories) in Windows 7
Sharad Kylasam, Program Manager
Core Networking
Windows Firewall with Advanced Security enforces security policy for core firewall, IPsec, Stealth mode, boot time, and service hardening. In Windows Vista, when Windows Firewall is turned off (typically when another host firewall is installed), this meant that functionality associated with IPsec, Stealth mode, and boot time were no longer enforced. This has been changed in Windows 7 such that additional switches are provided for third parties to take over only parts of the functionality that they intend to control (like Core firewall policy) while allowing Windows Firewall to continue enforcement of the rest of the functionality (like IPsec policy). This functionality eases the adoption and deployment of scenarios like Server and Domain Isolation.
For a host firewall to use this functionality, a new API has been created so that the firewall can register to selectively replace the functionalities of Windows Firewall. See http://msdn.microsoft.com/en-us/library/aa366415.aspx for guidance on these
n Firewall Firewall policy is configured based on the security needs as specified by the administrator. If ownership of the Firewall category is taken, ownership of the Boot Time category (described next) must also be taken. Failure to do so would leave the operating system in an unknown firewall state.
n Connection Security (IPsec) Connection Security policy enables secure networking by ensuring that communications can be authenticated and encrypted with IPsec. If Connection Security ownership is taken, ownership of the Firewall and Boot Time categories must be taken as well.
n Boot Time Boot Time policy is present when Windows is starting up and is used to prevent unsolicited inbound connections.
n Stealth Mode Stealth Mode policy makes a computer running Windows invisible on a network and is used to prevent port scanning discoverability.
Configuring Firewall Profiles and IPsec Settings by Using Group Policy
To configure firewall profiles on targeted computers using Group Policy, right-click the firewall policy node in your GPO and select Properties to display the properties for the firewall policy (shown in Figure 26-10) For each firewall profile (domain, private, and public), you can use the tab for the profile to perform the following tasks:
n Enable or disable the firewall state for that profile
n Configure default rules for inbound and outbound connections
n Configure whether users should receive notifications when firewall rules for that profile block inbound connections
n Configure whether a unicast response should be allowed for broadcast or multicast traffic
n Configure whether rule merging should be enabled or disabled for firewall and/or connection security rules (this can only be configured using Group Policy)
n Configure firewall logging for traffic filtered by that profile
FIGURE 26-10 Configuring firewall profiles
NOTE You can use the netsh advfirewall monitor show currentprofile command in Windows 7 to display all currently active firewall profiles on the computer and also the networks assigned to each active profile.
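Enabling firewall logging for a profile is only worthwhile if someone reads the log. As an added example that is not part of this chapter, the following Python script parses the W3C extended-format pfirewall.log that Windows Firewall writes at the path shown in the profile settings (the default is %systemroot%\system32\LogFiles\Firewall\pfirewall.log). It takes the column names from the #Fields header rather than hard-coding positions, and produces a triage summary: which remote hosts had the most inbound packets dropped, on which protocol and port, how many events the firewall reported as lost (INFO-EVENTS-LOST records), and which sources probed several distinct ports. The log lines are constructed for the example, and the three-port threshold of the port-sweep heuristic is an assumption.

```python
"""Triage summary of a Windows Firewall log (pfirewall.log, W3C extended
format): the #Fields header names the columns, so the parser follows it
rather than hard-coding positions."""
import collections

# Constructed sample log for the example; not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-09-14 08:15:01 DROP TCP 192.0.2.77 10.1.1.20 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2009-09-14 08:15:02 DROP TCP 192.0.2.77 10.1.1.20 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2009-09-14 08:15:02 DROP TCP 192.0.2.77 10.1.1.20 51236 135 52 S 1234569 0 8192 - - - RECEIVE
2009-09-14 08:15:03 ALLOW TCP 10.1.1.20 10.1.1.5 49160 389 0 - 0 0 0 - - - SEND
2009-09-14 08:15:04 DROP UDP 10.1.1.9 10.1.1.20 137 137 78 - - - - - - - RECEIVE
2009-09-14 08:15:05 DROP ICMP 192.0.2.77 10.1.1.20 - - 60 - - - - 8 0 - RECEIVE
2009-09-14 08:15:06 INFO-EVENTS-LOST - - - - - - - - - - - - 12 -
"""


def parse_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields is not None:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt records
                yield dict(zip(fields, values))


def summarize_drops(text, top=5):
    """Inbound DROP counts per source and per (source, protocol, port), plus
    the number of events the firewall reported as lost."""
    per_source, per_target, lost = collections.Counter(), collections.Counter(), 0
    for rec in parse_log(text):
        if rec["action"] == "INFO-EVENTS-LOST":
            lost += int(rec["info"]) if rec["info"].isdigit() else 0
        elif rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            per_source[rec["src-ip"]] += 1
            per_target[(rec["src-ip"], rec["protocol"], rec["dst-port"])] += 1
    return {"sources": per_source.most_common(top),
            "targets": per_target.most_common(top), "events_lost": lost}


def scanners(text, min_ports=3):
    """Sources whose dropped inbound packets hit at least min_ports distinct
    protocol/port pairs: a simple port-sweep heuristic (threshold assumed)."""
    ports = collections.defaultdict(set)
    for rec in parse_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE" and rec["dst-port"] != "-":
            ports[rec["src-ip"]].add((rec["protocol"], rec["dst-port"]))
    return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


if __name__ == "__main__":
    print(summarize_drops(SAMPLE_LOG))
    print(scanners(SAMPLE_LOG))
```

To run it on a real log, read the file into a string (open(path).read()) and pass that instead of SAMPLE_LOG; a non-zero events_lost value means the log was written faster than the firewall could record it and the counts are a lower bound.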
The IPsec tab of this properties sheet (shown in Figure 26-11) can be used to configure default and system-wide IPsec settings on the targeted computers Examples of settings you can configure here include:
n IPsec Defaults Clicking Customize opens other dialog boxes that allow you to configure the default key exchange methods, data protection algorithms, and authentication methods used by IPsec. These default settings are used for new connection security rules that you create. However, when you create a connection security rule, you can also override the default authentication methods specified here.
n IPsec Exemptions This option determines whether ICMP traffic should be protected by IPsec. Because ICMP is used by many network troubleshooting tools, exempting such traffic from IPsec can ensure that such troubleshooting tools function as intended. Exempted ICMP traffic is still subject to firewall rules; it is simply neither authenticated nor encrypted.
n IPsec Tunnel Authorization New in Windows 7, this option determines whether you can specify authorized and exempted users and computers for IPsec tunnel connections to the computer. Selecting Advanced and clicking Customize opens a dialog box that lets you specify two types of information:
• Authorized computers, users, or groups of computers or users
• Exempted computers, users, or groups of computers or users
Note that any authorizations and exemptions you specify here apply only to tunnel rules for which the Apply IPsec Tunnel Authorization option is selected when the tunnel rule is created.
FIGURE 26-11 Configuring default and system-wide IPsec settings
For more information on configuring firewall profiles and IPsec settings, see the following sections of the TechNet Library:
n “Configuring a Profile” at http://technet.microsoft.com/en-us/library/cc754139.aspx
n “Configuring IPsec Settings” at http://technet.microsoft.com/en-us/library/cc733077.aspx
n “Windows Firewall with Advanced Security Properties Page” at http://technet.microsoft.com/en-us/library/cc753002.aspx
Creating and Configuring Firewall Rules
You can create and configure firewall rules on targeted computers using Group Policy Firewall rules filter traffic passing between the computer and the network For information concerning the types of firewall rules that you can create and the different rule conditions you can specify, see the section titled “Understanding Rules” earlier in this chapter
To create an inbound firewall rule on targeted computers using Group Policy, right-click the Inbound Rules node and select New Rule. Doing this starts the New Inbound Rule Wizard, shown in Figure 26-12, which walks you through the steps of creating an inbound firewall rule by selecting the type of rule you want to create and specifying the conditions needed for the rule. Note that different pages may be displayed in the wizard depending upon the options you select on each page. For example, if you select Allow The Connection If It Is Secure on the Action page, a Users page and a Computers page are displayed so you can specify the user and computer accounts allowed to access the computer using the rule. (This also requires creating a separate connection security rule that requires traffic that matches the rule to be authenticated; without such a rule no traffic is IPsec-protected, so the secure-only rule never matches and the connection is handled by the profile's default inbound action.)
FIGURE 26-12 Creating a new firewall rule using the New Inbound Rule Wizard
Similarly, to create an outbound firewall rule using Group Policy, right-click the Outbound Rules node and select New Rule to start the New Outbound Rule Wizard. Again, different pages may be displayed in the wizard depending upon the options you select on each page. For example, if you select the Allow The Connection If It Is Secure option on the Action page, a Computers page is displayed so that you can specify the computer accounts allowed to access the computer using the rule. (Again, this also requires creating a separate connection security rule that requires traffic that matches the rule to be authenticated.)
Best practices for creating firewall rules include the following:
n When possible, select Predefined as the rule type because this enables a group of rules to enable a specific Windows experience or feature to access the network
n If a predefined rule doesn't meet your needs, the next best rule type to use is Program, which will allow a specified application (executable) to access the network. Program rules are enabled when the underlying application is running and disabled when the application is terminated. This allows Windows Firewall to keep the minimum number of ports open at any time, which reduces the attack surface of the computer. Note