At A Glance:
Relying on a single point of protection, such as an edge firewall, can lead to a false sense of security. Fortunately, Windows Firewall provides protection at the workstation level, enabling you to thwart malicious attacks regardless of their source.
To help you manage Windows Firewall for a more secure environment, we’ll:

• Discuss the new firewall capabilities introduced with Windows Vista.
• Describe the tools you can use to manage firewall services.
• Show you how to block specific inbound traffic on a per-application, per-port, and per-interface basis.
Administrators typically deploy firewalls at the network perimeter. The purpose of these “edge” firewalls is to protect the network at large from unauthorized or unauthenticated public access. Unfortunately, these firewalls provide little (if any) protection for individual workstations. After all, a bold attack against a workstation may not originate outside your network at all, but rather from a “trusted” source within the organization itself. In today’s computing environments, enabling a firewall on a workstation is part and parcel of a multilayered approach to security, especially when the workstation in question is a mobile unit. In this article, we’ll examine the protective capabilities that Vista’s firewall provides.
A new OS, a new firewall
Although Windows XP had an integrated firewall component from the start, it wasn’t until the release of Service Pack 2 that users had an intuitive interface for managing its settings. As a result, it’s fairly safe to assume that most users simply didn’t bother with it (out of sight, out of mind).
The firewall in Windows Vista includes all the same features as the one in Windows XP, and extends them to include AES encryption and IPsec authentication. Table A summarizes the key feature sets of the firewalls built into Windows XP and Windows Vista, respectively.
Table A: Windows XP and Windows Vista firewall feature comparison
Feature | Windows XP SP2 | Windows Vista
--- | --- | ---
Filtering direction | Inbound only | Both inbound and outbound
Default filtering action | Block (fixed) | Configurable actions for inbound and outbound traffic
Protocols supported | TCP, UDP, ICMP (partial) | Any IANA protocol
Type of rules | Filter by port, application, or ICMP type | Filter by any combination or permutation of the following: protocol, local or remote port (TCP and UDP only), ICMPv4/v6 type and code, local or remote IP addresses, interface type, programs, services, and IPsec metadata
Possible rule actions | Allow only | Allow, block, bypass
Group Policy support | Provided by ADM files | Provided by a custom Group Policy extension snap-in that is the same as the snap-in used to configure local policy
Remote management | n/a | Using MMC snap-in, netsh, and APIs
User interface and tools | Control panel and netsh | Control panel, MMC snap-in, and netsh
APIs | Public COM APIs | Enhanced public COM APIs
Vista’s firewall in brief
Windows Vista provides two types of firewalls that operate in conjunction with one another to protect a workstation from unauthorized as well as unauthenticated access. The types of firewalls included with Vista are:
Windows Firewall. Provides baseline protection by disallowing inbound access to a workstation. You use the Security | Windows Firewall control panel shown in Figure A to configure and manage this firewall.
Windows Firewall With Advanced Security. Extends and enhances the baseline protection by allowing you to manage both inbound and outbound access via custom rules and security associations. You use the Windows Firewall With Advanced Security administrative tool shown in Figure B to configure and manage this firewall.
Editor’s note: For the purpose of this article, we’ll focus on Windows Firewall, reserving a discussion of Windows Firewall With Advanced Security for an upcoming issue of Windows Server 2003 Solutions.
Figure A: Windows Firewall is a component of the Security control panel group.
Figure B: Windows Firewall With Advanced Security is a component of Administrative Tools.
Manage Windows Firewall
When you launch the Windows Firewall control panel, the details pane reports the status of the firewall (On or Off) as well as your current network location (Public or Private). Taking note of the network location is important because any changes you make to the firewall’s settings apply to only this location.

Enable or disable Windows Firewall

Windows Firewall is enabled by default after you install Windows Vista. If it becomes disabled for some reason, you’ll see a notification in the system tray, as shown in Figure C. Clicking on the notification takes you to the Windows Security Center where you can turn on the firewall directly, or access the Windows Firewall control panel to turn it on.
Figure C: Vista conveniently warns you if Windows Firewall is disabled.
To enable or disable Windows Firewall:
Open the Windows Firewall control panel.
Click on either the Turn Windows Firewall On Or Off link (in the task pane) or the Change Settings link (in the details pane).
On the General tab of the Windows Firewall Settings dialog box shown in Figure D, select either the On or the Off option button as necessary.
Note: If you want to block all incoming connections, regardless of whether they’re on the Exceptions list, also select the Block All Incoming Connections check box.
Figure D: You can respect or ignore the Exceptions list when you enable the firewall.

Identify pre-set exceptions

By default, Windows Firewall blocks all incoming connections other than those listed as exceptions. An exception is simply an application or a port that is allowed to bypass the firewall check because you’ve deemed it safe based on your network location. You can see the current exceptions on the Exceptions tab, as shown in Figure E.
Common tasks you might perform here include enabling or disabling specific applications or ports, and determining the function of a particular application or port. For example:
To enable an application or open a port, select its related check box; similarly, deselect the check boxes for the items you want to block.
To view a description of an application or port, highlight its name in the list, and then click the Properties button.
Figure E: The Exceptions list already contains the programs you’re most likely to need.

Define custom exceptions

Depending on your network environment and the work you need to perform, you may need to permit certain applications or open particular ports. We’ll show you how to do that next.
To allow an application:
On the Exceptions tab, click the Add Program button.
In the Add A Program dialog box, select an application from the list, or browse for a new one.
Click OK.
To open a port:
On the Exceptions tab, click the Add Port button.
In the Add A Port dialog box, enter a descriptive name, the desired port number, and the required protocol (TCP or UDP).
Click OK.
Both the Add A Program and the Add A Port dialog boxes provide a Scope button. When you click this button, you can restrict incoming access to specific hosts, thus limiting the workstation’s exposure to potentially hostile incoming connections. For example, as shown in Figure F, you can specify any computer, computers on your local subnet only, or a custom list of hosts.
Figure F: A scope refers to the set of computers for which a particular service is unblocked.

Configure advanced settings

The settings you apply using the Windows Firewall control panel apply to all interfaces on the workstation. However, you can also manage the settings on a per-interface basis. For example, on the Advanced tab shown in Figure G, we’ve selected the LAN and WLAN interfaces but deselected the two virtual interfaces (VMnet1 and VMnet8). Be aware that incoming connections on deselected interfaces bypass the firewall check entirely, so deselect an interface only when you are certain nothing hostile can reach it.
Figure G: You can include and exclude specific network interfaces.
On the Advanced tab, you can also reset Windows Firewall to its default settings by clicking on the Restore Defaults button. Resetting the firewall to its default values, and then re-configuring it (one setting at a time), is often more efficient than trying to troubleshoot a specific problem you’re encountering.
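Each of the control-panel tasks covered above (turning the firewall on, Block All Incoming Connections, Add Program, Add Port with a scope, per-interface settings, and Restore Defaults) has a command-line equivalent in netsh, which Table A lists among Vista’s management tools. The script below is an added example and not part of the article; it assumes the legacy netsh firewall command context is available from an elevated command prompt, and the program path, rule names, interface names, and host addresses are constructed placeholders.

```batch
@echo off
rem Added example: netsh firewall equivalents of the Windows Firewall control-panel steps.
rem Run from an elevated command prompt. Paths, names and addresses are placeholders.

rem 1. Enable Windows Firewall (General tab, On).
netsh firewall set opmode mode=ENABLE

rem    "Block All Incoming Connections": keep the firewall on but ignore the Exceptions list.
rem    The second line reverts to honouring the Exceptions list again.
netsh firewall set opmode mode=ENABLE exceptions=DISABLE
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 2. Allow an application (Exceptions tab, Add Program) and limit its scope to the
rem    local subnet, as the Scope dialog in Figure F does. Placeholder path and name.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\app.exe" name="Example App" mode=ENABLE scope=SUBNET

rem 3. Open a port (Exceptions tab, Add Port) for a custom list of hosts only.
rem    scope=CUSTOM takes a comma-separated list of hosts and/or subnets (placeholders here).
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop (admin hosts)" mode=ENABLE scope=CUSTOM addresses=192.168.1.10,192.168.1.0/255.255.255.0

rem    Omitting scope= would accept that port from any computer. To remove the exception:
rem    netsh firewall delete portopening protocol=TCP port=3389

rem 4. Per-interface settings (Advanced tab). An interface set to DISABLE bypasses the
rem    firewall check, exactly like a deselected interface in Figure G, so keep every
rem    interface that can carry untrusted traffic set to ENABLE.
netsh firewall set opmode mode=ENABLE interface="Local Area Connection"
netsh firewall set opmode mode=ENABLE interface="Wireless Network Connection"

rem 5. Verify what is now in effect. When troubleshooting, start from the defaults
rem    (Restore Defaults) and re-add settings one at a time.
netsh firewall show state
netsh firewall show config
rem    netsh firewall reset
```

The reset line is left commented out because it discards every exception and scope you have defined; run it deliberately, then re-apply the commands above one at a time as the article recommends.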