Windows Firewall Shows New Maturity in Vista
Check out the firewall's IPsec integration and finer-grained rules support
April 4, 2007
A personal firewall is a critical first line of defense against many types of malware. Like the personal firewall that's bundled with Windows XP Service Pack 2 (SP2), Vista's personal firewall is turned on by default to protect your computer as soon as the OS is operational. For an overview of the new features in Vista's Windows Firewall, see the Windows IT Pro article "Vista's Firewall," August 2006, InstantDoc ID 50377.
I want to take a more targeted look at the Vista Firewall's new configuration interface, which integrates firewall and IPsec settings; the firewall's more finely grained rules architecture; and its extended support for network profiles. Let's start by comparing the key differences between Vista's and XP SP2's Windows Firewall.
Comparing Vista's Windows Firewall with XP SP2's
Vista's Windows Firewall and its XP SP2 predecessor have three key differences.
First, Vista finally integrates Windows Firewall and IPsec management—in the Microsoft Management Console (MMC) Windows Firewall with Advanced Security snap-in. The combination of Windows Firewall and IPsec configuration in a single interface simplifies configuration, reduces policy conflicts, and puts IPsec in the spotlight more than ever before. Since its introduction in Windows 2000, IPsec has been a powerful—although often ignored—security technology. You can now define both firewall rules determining what traffic is allowed through Windows Firewall and IPsec rules determining how the traffic that's allowed through must be secured (e.g., encrypted) from the Windows Firewall with Advanced Security snap-in.
Second, Vista's Windows Firewall supports both inbound and outbound filtering, whereas XP SP2's firewall supports only inbound filtering. Inbound and outbound filtering let you control how Vista PCs and their services, applications, and users communicate externally. You can set the default behavior for inbound and outbound connections in the Windows Firewall with Advanced Security snap-in's properties dialog box, as Figure 1 shows. Note that by default, inbound connections are blocked and outbound connections are allowed.
Third, Vista's Windows Firewall is integrated with Vista's Network Awareness feature, which enables you to apply different security rules to a computer depending on its location. For example, when a laptop is connected to your internal network, the firewall rules can be defined by the security requirements of your internal network. When a user attempts to connect the same laptop to the Internet via a public (wireless hotspot) network or a private (home) link, a different set of firewall rules can automatically be applied. The ability to apply different security rules based on the laptop's location ensures that the laptop is properly protected against attacks no matter what network it connects to. The Vista firewall has three profiles (domain, public, and private), which I'll discuss in further detail later. XP SP2's firewall has just two profiles (domain and standard).
Table 1 shows a more detailed comparison of the Vista firewall and the XP SP2 firewall.
Configuring Windows Firewall
Vista's Windows Firewall has three configuration interfaces: the Windows Firewall Control Panel applet, the netsh command-line utility, and the aforementioned Windows Firewall with Advanced Security snap-in. You can also centrally control the Windows Firewall settings both during and after installation from an Active Directory (AD) domain environment by using Group Policy Object (GPO) settings. Let's take a look at the new Windows Firewall configuration features in Vista.
When you try to open the Windows Firewall Control Panel applet or the Windows Firewall with Advanced Security snap-in, you'll experience Vista's new least-privilege feature: User Account Control (UAC). Depending on how you logged on to the computer, you'll be prompted either for consent (if you logged on using an administrator-level account) or for administrator credentials (if you logged on using a plain user account) before the Windows Firewall configuration interface will appear. For more information about UAC, see the Windows IT Security article “Windows Vista's Take on Least Privilege,” October 2006, InstantDoc ID 93300.
To configure Windows Firewall from the command line, you must use netsh with the advfirewall switch. The old netsh firewall switch is available in Vista, but it doesn't support as many configuration options as the advfirewall switch. Also, only the advfirewall switch can be used to configure both Vista's Windows Firewall and IPsec features.
In Vista, GPOs are excellent tools for keeping central control over your users' Windows Firewall and IPsec configuration settings in an AD environment. Given the increased complexity of configuring Vista's Windows Firewall, I strongly recommend using GPO settings to control users' Windows Firewall configurations.
In the MMC Group Policy Editor (GPE) snap-in, you can configure XP SP2's Windows Firewall by using the settings that are located in the Computer ConfigurationAdministrative TemplatesNetworkNetwork ConnectionsWindows Firewall GPO container. Configure the IPsec settings by using the settings in the Computer ConfigurationWindows SettingsSecurity SettingsIP Security Policies on Local Computer container.
In addition to these familiar interfaces, Vista contains a new Windows Firewall and IPsec configuration interface that's integrated with the GPO security settings. The new configuration settings are located in the Computer ConfigurationWindows SettingsSecurity SettingsWindows Firewall with Advanced Security container. This container gives you the same interface to configure Windows Firewall and IPsec through GPO settings as the Windows Firewall with Advanced Security snap-in does to configure your Windows Firewall and IPsec settings locally. Figure 2 shows how Vista alerts users in the Windows Firewall properties interface if any of the Windows Firewall settings are enforced through GPOs.
Vista uses different GPO application logic than previous Windows versions, which apply the system GPO settings when the OS boots, apply the user GPO settings when a user logs on, and periodically refresh both user and system GPO settings. In Vista, the GPO settings are also applied (both at the system and user levels) when a VPN connection is established and when a computer resumes operation after hibernation or standby.
Two new Windows Firewall configuration features you'll appreciate are the Windows Firewall with Advanced Security snap-in's ability to remotely connect to a machine to configure its Windows Firewall and IPsec settings, and the ability to export the Windows Firewall policy from one machine and import it on another machine. You can remotely connect to a machine from the Select Computer dialog box that opens when you load the Windows Firewall with Advanced Security snap-in.
For example, you can remotely connect to an infected PC and lock it down by blocking its outbound connections in the Windows Firewall configuration interface. To export and import Windows Firewall policy settings, use the Export Policy and Import Policy options in the Actions pane of the Windows Firewall with Advanced Security - Local Computer container in the Windows Firewall with Advanced Security snap-in. These options are shown in Figure 3.
By default, Windows Firewall in XP SP2 and Vista doesn't reply to incoming Internet Control Message Protocol (ICMP) ping requests. You can enable XP SP2's firewall to reply to ping requests by selecting the Allow incoming echo request check box in the ICMP settings. In Vista, you can specify ICMP restrictions when you define inbound or outbound rules in the Rule Wizard in the Windows Firewall with Advanced Security snap-in. You can also set ICMP restrictions by using the netsh command. The following netsh command (entered all on one line) enables a Vista system to reply to ping messages:
netsh firewall set icmpsetting 8 enable
You can also use a GPO administrative template (located in the Computer SettingsAdministrative TemplatesNetworkNetwork ConnectionsWindows Firewall GPO container) to enable your system to reply to incoming ping requests. Under Windows Firewall: Allow ICMP exceptions, select the Allow inbound echo request check box.
Understanding Rules
A firewall's filtering behavior is controlled by the firewall policy, which is defined in a set of rules. XP SP2's Windows Firewall rules are rather limited: In XP SP2, you can define exceptions to only the default Windows Firewall block all incoming traffic rule and Windows Firewall can apply these exceptions to inbound network traffic only when certain application, IP address or subnet, TCP or UDP port, or ICMP protocol conditions are met.
Vista's rule definition logic allows for more finely grained firewall policy definition. You can define both block and allow rule actions and can require that traffic be secured by using IPsec before it's allowed to pass through Windows Firewall. Vista's Windows Firewall can apply the rules to both inbound and outbound network traffic when certain conditions are met.
A tool that you'll find useful is Vista's New Rule wizard, which makes defining Windows Firewall rules easy. You can open the New Inbound Rule (shown in Figure 4) or New Outbound Rule wizard by right-clicking the Inbound Rules or Outbound Rules container in the Windows Firewall with Advanced Security snap-in and selecting New Rule.
Six rule types apply to the network traffic that's inspected by Vista's Windows Firewall. The order in which the rules are listed is also the rules' evaluation order and shows the tight integration between the firewall and IPsec rules in Vista's Windows Firewall.
1. Service restriction rules. These rules restrict the connections that Windows services can establish. Service restriction rules are great additions to the Windows Firewall rule set and are part of Vista's Windows Service Hardening initiative. In the past, many malware exploits leveraged the high-level privileges that were given to built-in Windows services. In Vista, Microsoft locked down the privileges given to these services and assigned each service a SID. Windows Firewall uses the SID to restrict the network entities a service can communicate with.
Vista comes with a set of predefined service restriction rules, which aren't shown in Vista's Windows Firewall management interfaces. However, you can view them in the HKEY_LOCAL_MACHINE SystemControlSet001ServicesSharedAccessParametersFirewallPolicyRestrictedServicesStatic System registry subkey. I strongly recommend that you not modify the default service restriction rules. You can define your proper inbound and outbound service restriction rules by selecting the Custom rule type in the New Rule wizard that I described above and then selecting the appropriate service in the Customize Service Settings dialog box.
2. Connection security rules. Also known as IPsec rules, connection security rules restrict connections from particular computers and use IPsec to require authentication and authorization. IPsec rules can be defined in the Connection Security Rules container in the Windows Firewall with Advanced Security snap-in. The rules you define in the Connection Security Rules container are useless unless you link them to a Windows Firewall inbound or outbound rule. IPsec rules define only how connections must be secured, not which connections the IPsec settings should be applied to. If you link a connection security rule to a Windows Firewall rule, the connection will be blocked unless it complies with the connection security rule settings.
You can link IPsec rules to Windows Firewall rules by selecting the Allow only secure connections action in the Action section of the New Inbound Rule wizard or, after the rule has been defined, in the Action section of the General tab in the rule's properties dialog box, which Figure 5 shows. Note that if you select the Allow only secure connections option, the Require encryption and Override block rules options become available. If you select the Require encryption check box, IPsec will not only provide authentication and integrity protection, but also encrypt the network connection. If you select the Override block rules check box, the IPsec rule will become an IPsec authenticated bypass rule.
3. IPsec authenticated bypass rules. These rules let specified authenticated computers and/or users bypass firewall block rules. IPsec authenticated bypass rules aren't new to Vista's Windows Firewall—they were introduced in XP SP2's Windows Firewall. Administrators can use IPsec authenticated bypass rules to define exceptions to the standard Windows Firewall behavior that stipulates that block rules always have priority over allow rules.
You don't want to let just any system or user use IPsec authenticated bypass rules because with such an exemption to a block rule comes a lot of power. That's why an IPsec authenticated bypass rule can be configured to require both the user and the machine to authenticate to Vista's Windows Firewall. For example, you could configure an IPsec authenticated bypass rule that says that to access data on the HR server, a user must be a member of the HR department AD group and his or her machine must be in the HR department computers group. IPsec authenticated bypass rules can be applied only to inbound Windows Firewall rules and are ignored if the Block all connections option is selected under Inbound connections in the State section on the Domain, Private, or Public Profile tab of the Windows Firewall properties dialog box.
4. Block rules. Block rules explicitly block specified incoming or outgoing traffic. These rules are linked to a block action and have priority over allow rules because they're evaluated first.
5. Allow rules. These rules explicitly allow specified incoming or outgoing traffic. Allow rules are linked to an allow action.
6. Default rules. These rules are the default Windows Firewall behaviors for inbound and outbound connections as defined in the State section of each of the network profile tabs in the Windows Firewall properties dialog box.
The "Vista's Firewall" article that I mentioned at the beginning of this article contains more examples showing the richness and power of Vista's Windows Firewall rule engine.
Understanding Network Profiles
XP SP2 introduced the notion of network profiles to apply different Windows Firewall configuration settings depending on the network an XP system is connected to. XP SP2's Windows Firewall supports a domain profile and a standard profile. The domain profile is active when the client is connected to a network that contains the domain controllers (DCs) for the domain in which the client account is defined. The domain profile lets you create firewall rules according to the requirements of your organization's Windows domain environment.
Vista's Windows Firewall supports three network profiles: the domain, private, and public profiles (the latter two replace XP SP2's standard profile). These three profiles provide a more finely grained level of control in protecting computers operated outside your organization's network perimeter and domain defenses.
The private profile lets you set a different method of firewall operation when a computer is connected to a network that's outside the domain environment but still trusted, such as an employee's home network. The public profile defines how Windows Firewall reacts when a computer is connected to a public network, such as an airport or hotel wireless LAN (WLAN). The public profile Windows Firewall settings are usually the most restrictive because security can't be as tightly controlled as in a domain or home network environment.
Vista automatically applies the appropriate network profile depending on the network the system is connected to. If a user disconnects from one network and connects to another, the Set Network Location dialog box will open, and the user can select what type of network he or she is connecting to. The supported network locations are home (private profile), work (domain profile), and public (public profile). After a user selects a network location, he or she can still change it by using the Customize link in the Network and Sharing Center Control Panel applet.
Users that have administrator-level privileges can configure Vista's Windows Firewall network profiles and the profiles' properties locally in the Windows Firewall with Advanced Security snap-in's properties dialog box. In XP, the network profiles weren't exposed to local users, so they couldn't define network profile–specific Windows Firewall configuration preferences.
You can also control network profiles and their properties centrally by using GPO settings. When you define a Windows Firewall inbound or outbound rule in Vista, you can also assign it one or more network profiles, as shown in Figure 6. The Windows Firewall with Advanced Security snap-in's Rules list has a Profile column that shows what profiles a particular rule applies to so that you can easily keep track of which rule applies to which profile. You can also filter the Rules list to show only the rules that apply to a particular profile.
Be Prepared
Vista's Windows Firewall is an example of a Microsoft security technology that has grown and has now reached an acceptable level of maturity. However, with this level of maturity comes additional complexity. This article should help you get past the principal configuration complexities that the new firewall introduces and leverage the new Windows Firewall features in a Windows- and AD-centric IT environment.
About the Author
You May Also Like