Windows Firewall Basics

Microsoft continues to follow through on its promise to lock down its Windows OSs. Windows XP Service Pack 2 (SP2) includes a robust evolution of the Internet Connection Firewall (ICF), called Windows Firewall, which makes great strides toward helping secure your corporate workstations. Windows Firewall provides a stateful host-based firewall that you can centrally configure through Active Directory (AD) Group Policy. With ICF, Microsoft extended Windows 2000 IP filtering features into a stateful-inspection firewall. However, ICF suffers from a few shortcomings that have prevented its widespread adoption; for example, ICF is disabled out of the box and you can't centrally manage its settings. With its enhanced logging, centralized management, and more granular rules, Windows Firewall might be just what you're looking for to augment your existing network-layer firewalls. Best of all, Windows Firewall is available free of charge and is automatically enabled when you install XP SP2. In this article, I examine some of the features and configuration options available in Windows Firewall. (Note: At the time of this writing, Microsoft hasn't yet released the final XP SP2 version. This review is based on the prerelease version, Release Candidate 2--RC2--which Microsoft released in June 2004.)

Defense in Depth
Network-layer firewalls protect the perimeter of a network from malicious intruders trying to probe the network or exploit a vulnerability on an internal servers. (They don't protect your systems from worms or viruses embedded in legitimate traffic, such as email attachments.) Unfortunately, users don't always connect their computer to a network protected behind one of these firewalls. Users at an airport, at a hotel, at a customer's site, or at home, often connect their computers to an unsafe network outside the secured network perimeter. Systems administrators can address this risk by installing a host-based firewall such as Windows Firewall on network computers. A host-based firewall is installed lower in the network stack than your applications and inspects all network traffic going to and from the computer on which it's installed.

Similar to how a network-layer firewall works, Windows Firewall inspects traffic destined for your computer and drops any inbound traffic that isn't solicited or permitted by an ACL. Windows Firewall uses firewall technology that maintains the state of a connection to define solicited traffic. If you browse to a Web site, the firewall remembers this connection and will dynamically open a port back to your computer for the return data. When you close the connection, the firewall automatically closes the port.

Implementing a host-based firewall such as Windows Firewall on individual computers in addition to deploying a network-perimeter firewall increases the depth of your network's defense. Consider a scenario in which an employee's laptop is infected with a worm, then brought back into the corporate network, bypassing the perimeter firewall. The worm now might try to propagate to other internal computers. A host-based firewall installed on these computers will help protect them from such internal attacks.

Host-based firewalls inherently require more effort to deploy because you need to install and configure the firewall on individual machines. ICF requires administrators to enable and configure the firewall for each adapter, making deployment onerous. Windows Firewall addresses this limitation by protecting the computer as a whole via centrally managed rules. Also, Windows Firewall is location-aware, meaning that you can lock down a mobile user's laptop when it's connected to the Internet but permit greater access when the machine is connected to the corporate LAN, such as for system management. However, even when computers are connected to the corporate LAN, you should keep Windows Firewall enabled to prevent the spread of any worms that try to connect to some random port. Simply configure the LAN firewall settings to allow for known networking applications such as remote monitoring and management, file sharing, or other business network services.

Outbound Agnostic
Windows Firewall provides more ACL customization than ICF does, but it still isn't as robust as many third-party host-based firewalls. Windows Firewall inspects only inbound traffic to your computer and categorizes it as solicited and unsolicited. Windows Firewall lets you configure rules for handling unsolicited inbound traffic but permits all outbound traffic as well as inbound solicited traffic. This configuration lets you block most attackers, while permitting remote management protocols. More sophisticated host-based firewalls also inspect outbound traffic, which is useful for detecting unauthorized outbound traffic that could be a sign that a worm or spyware has invaded the computer. Microsoft recommends that you use IP Security (IPSec) filtering and policies to manage outbound traffic; however, IPSec isn't a state-aware technology, so you'll need to open quite a few holes to permit the return traffic from remote computers. For example, if you use remote procedure call (RPC) to manage a computer, you could configure Windows Firewall to allow inbound RPC traffic, but you would also need to configure your outbound IPSec filter to allow the outbound traffic, which is usually on a port greater than 1024.

Most firewalls let you define rules based on network traffic parameters such as address and protocol. Host-based firewalls inherently have more access to the programs that generate network traffic because these firewalls are installed on the host transmitting the data. Windows Firewall takes advantage of this situation by supporting not only network-based ACLs (such as allowing SMTP--port 25) but also application-based ACLs. For example, if you create an ACL entry that lets MSN Messenger connect to your computer, Windows Firewall will permit any unsolicited request destined for MSN Messenger when it arrives at your protected computer. Essentially, Windows Firewall opens a port for this traffic and lets it communicate with the MSN Messenger program.

Windows Firewall also lets you loosely define traffic based on its source. So, for example, you can permit other company computers to access a particular computer. Windows Firewall lets you define source IP addresses as Any computer, My network (subnet) only, or Custom list. The My network (subnet) only option specifies the network segment on which the client is installed. If you want to allow file sharing between computers within your company, you can define discrete port rules (such as allowing TCP ports 135 to 139 and port 445), and you can define rules based on source address (such as all computers on the corporate LAN). The Custom list option lets you specify a series of IP addresses or IP address ranges and subnet masks (e.g., 192.168.0.0/255.255.255.0, 192.168.0.10). Allowing multiple subnets and subnetted networks is a boon to midsized and large organizations that use custom subnetting.

Installing and Configuring the Windows Firewall Client
Installing XP SP2 automatically installs the Windows Firewall client and enables the firewall on all network adapters. Later, I show you how to turn off Windows Firewall before you install SP2, which is useful if you already run a third-party host-based firewall.

You locally manage Windows Firewall for all adapters by using the new Control Panel Windows Firewall applet, which Figure 1 shows. You must be a member of the local administrators group to manage the Windows Firewall settings for a computer.

Windows Firewall has three operating states: On (the default), Don't allow exceptions, and Off. As you can guess, Off disables the firewall entirely. Windows Firewall introduces the concept of exceptions, which are simply another name for ACL entries. When you use the firewall in the On state, the firewall protects your computer by using the rules that you define via the Windows Firewall applet Exception tab. However, you can also set the firewall to Don't allow exceptions. In this On mode, the computer blocks all inbound unsolicited communications, with no exceptions. Outbound connections and solicited connections are still permitted.

Configuring Windows Firewall consists primarily of defining the firewall exceptions. To locally manage the exceptions, open the Windows Firewall applet and go to the Exceptions tab, which Figure 2 shows. The Exceptions tab lets you define which applications or ports will be allowed through the firewall.

Windows Firewall manages all network connections for the computer on which it's installed; however, you can disable the firewall for specific adapters by using the Advanced tab. The other configuration options on the Advanced tab let you configure logging and specify rules for allowing Internet Control Message Protocol (ICMP) traffic.

Using Group Policy to Manage Windows Firewall
One of Windows Firewall's most powerful enhancements is the ability to use Group Policy to manage client configurations. You can use Group Policy to configure all your firewall exceptions from one location and apply them to all target computers. You can also configure different firewall configurations for specific groups of users. For example, you might create an organizational unit (OU) named Sales_Laptops that contains all your Sales department laptops. Then you can create a new Group Policy Object (GPO) that enables Windows Firewall on only these computers. The settings are activated when the computers in this OU refresh the GPO. This method lets you specify standard Windows Firewall settings for any domain, site, or OU. A Windows Firewall GPO applies only to XP SP2 computers covered by that GPO.

You can access the new Windows Firewall GPO elements by creating a GPO from an XP SP2 computer. In Group Policy Editor, the Windows Firewall GPO elements are located under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall. If you elect to use Group Policy to manage Windows Firewall, you can effectively block a user from making any local changes--even if the user is a local administrator. The Allow Local Port Exceptions GPO lets you specify whether you want to let local administrators make Windows Firewall port changes on a local computer. Web Figure 1 lists the new Windows Firewall GPOs.

Managing Windows Firewall from the Command Line
You can also manage Windows Firewall clients via the Netsh command-line tool. You can use Netsh to configure network settings through a batch file or directly from the command line. For example, the command

netsh firewall show config

displays the current settings of the Windows Firewall client, as Figure 3 shows. Netsh lets you configure most Windows Firewall settings--good news for scripters, who can now use a logon script to configure and verify Windows Firewall operation.

For example, the following Netsh command will create a local firewall rule to allow certain addresses to telnet into a Windows Firewall-protected computer:

netsh firewall add portopening  protocol = TCP port = 23  name = Telnet mode = ENABLE  scope = CUSTOM addresses =  192.168.0.0/255.255.255.0,  10.0.0.0/255.255.240.0

You can also shorten the command by dropping the attribute names, as the following example shows:

netsh firewall add portopening  TCP 23 Telnet ENABLE CUSTOM  192.168.0.0/255.255.255.0,  10.0.0.0/255.255.240.0

You can view the results of the above command by using the command

netsh firewall show portopening

For more information about using Netsh, see Related Reading.

Domain Profiles vs. Standard Profiles
Another useful Windows Firewall feature is its ability to choose from two security states--standard and domain--depending on which network the computer is connected to. You can configure unique exceptions for each state. For example, you might permit file sharing only while the computer is connected to the domain. Windows Firewall compares the currently connected AD domain name (if one exists) with the IP configuration DNS suffix to determine whether to use the domain or standard profile. To configure the domain and standard profiles, go to the Windows Firewall GPO and select the one you want to configure.

Configuring Exceptions
Windows Firewall includes several predefined exceptions that permit common tasks such as remote administration or file and print sharing. Web Table 1 lists the default Windows Firewall communication exceptions and the ports or programs they open.

You can also create your own exceptions locally via the Windows Firewall applet or a GPO. Simply specify the excepted traffic's program name or network characteristics (e.g., its TCP or UDP port) and source address, then tell Windows Firewall to allow that exception.

The predefined exceptions are more flexible than the exceptions that you create because the predefined ones can include multiple ports per rule. For example, the File and Printer Sharing exception service includes ports TCP 139, TCP 445, UDP 137, and UDP 138. However, if you create a custom exception, you can specify only one port, which means if you need to open a range of ports you need to create multiple exceptions. However, you can specify a custom scope (i.e., an IP address or range of IP addresses for which you want to allow traffic) for both the predefined and custom exceptions, as Figure 4 shows.

You can also use a GPO to configure Windows Firewall exceptions. You specify the port (e.g., 80), the transport (e.g., TCP or UDP), the scope, the status (either enabled or disabled), and the name of the connection. The construction looks like this: Port:Transport:Scope:Status:Name.

The GPO scope parameter syntax is a bit different from the scope parameter syntax in the Windows Firewall applet (which might be an inconsistency between RC2 and the final version of SP2). As of RC2, the GPO scope is defined as "*" (all traffic), localsubnet (traffic on only that subnet), and IP address (e.g., 10.0.0.1 or a Classless Inter-Domain Routing--CIDR--subnet shorthand nomenclature that looks like 192.168.0.0/24, where 24 is the number of bits in the subnet mask). For example, the parameters "1433:TCP:10.0.0.1:Enabled:MSSQL" and "23:TCP:192.168.0.0/24:Enabled:Telnet" allow inbound Microsoft SQL Server connections that use TCP port 1433 only from the host 10.0.0.1 and Telnet connections that use TCP port 23 from the 192.168.0.0/24 subnet.

Logging
You can configure Windows Firewall to write log activity to a text file located on the local computer or a remote share. Windows Firewall can log dropped packets as well as successful connections. The logging includes useful data fields to help troubleshoot denied connections or watch allowed connections.

Web Figure 2 shows a sample log file. The first two lines show examples of dropped file share access attempts, and the last line shows a successful RDP connection on TCP port 3389.

By default, Windows Firewall displays a message warning the user that a particular program tried to access a port. However, if you use Group Policy to centrally manage Windows Firewall, you can disable these notifications, if you so desire.

Disabling Windows Firewall
If you currently run a host-based firewall other than Windows Firewall or Windows' built-in IPSec, then you'll likely want to disable Windows Firewall when you install XP SP2. You have several options for doing so. First, if your target computers are members of a domain, then you can simply create a Windows Firewall GPO that disables the feature. Specifically, you'll need to configure the GPO with the following settings:

Disable:
Domain profile--Windows Firewall: Protect all network connections
Standard profile--Windows Firewall: Protect all network connections

Enable:
Prohibit use of Internet Connection Firewall on your DNS domain network

If you don't want to run the Windows Firewall features on computers within your domain (e.g., employee laptops connected to your corporate network over a LAN) but want to protect remote users when they're not on your network, then configure the GPO as follows:

Disable:
Domain profile--Windows Firewall: Protect all network connections

Enable:
Standard profile--Windows Firewall: Protect all network connections
Prohibit use of Internet Connection Firewall on your DNS domain network

If your XP computers aren't members of a Windows 2003 or Win2K domain that supports Group Policy, you can disable Windows Firewall by modifying a configuration text file named netfw.inf and saving that file centrally along with the other XP SP2 installation files. Add the line HKLM,"SYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyDomainProfile","EnableFirewall",0x00010001,0 to the ICF.AddReg.StandardProfile section of netfw.inf. Refer to the Microsoft documentation about deploying Windows Firewall for more detailed information about the netfw.inf file.

You can also deploy registry entries that will disable Windows Firewall on target XP computers before you install SP2. Use a registry editor to add the HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFirewallPolicyDomainProfileEnableFirewall=0 (DWORD data type) and HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftFirewallPolicyStandardProfileEnableFirewall=0 (DWORD data type) registry subkeys.

To implement custom Windows Firewall settings, you can modify the unattend.txt file. For information about this process, refer to the Microsoft document "Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2" (http://download.microsoft.com/download/6/8/a/68a81446-cd73-4a61-8665-8a67781ac4e8/wf_xpsp2.doc).

Firewall for the Masses
The improved Windows Firewall, enabled by default when you install XP SP2, provides a great step toward securing XP computers--benefiting home and corporate users alike. The preconfigured exceptions help less-experienced administrators quickly configure Windows Firewall, but the firewall also supports granular customization to meet many different deployment scenarios. The management integration with Group Policy means that you can define a central policy and apply it to select groups of computers. And the price is right--free--making Windows Firewall a serious contender for the host-based firewall of choice for many organizations.