At A Glance:
Relying on a single point of protection, such as an edge firewall, can lead
to a false sense of security. Fortunately, Windows Firewall provides
protection at the workstation level, enabling you to thwart malicious
attacks regardless of their source.
To help you manage Windows Firewall for a more secure environment, we’ll:
• Discuss the new firewall capabilities introduced with Windows Vista.
• Describe the tools you can use to manage firewall services.
• Show you how to block specific inbound traffic on a per application, per
port, and per interface basis.
Administrators typically deploy firewalls at the network perimeter. The
purpose of these “edge” firewalls is to protect the network at large from
unauthorized or unauthenticated public access. Unfortunately, these
firewalls provide little (if any) protection for individual workstations.
After all, a bold attack against a workstation may not originate outside
your network at all, but rather from a “trusted” source within the
organization itself. In today’s computing environments, enabling a firewall
on a workstation is part and parcel of a multilayered approach to security,
especially when the workstation in question is a mobile unit. In this
article, we’ll examine the protective capabilities that Vista’s firewall
A new OS, a new firewall
Although Windows XP had an integrated firewall component from the start, it
wasn’t until the release of Service Pack 2 that users had an intuitive
interface for managing its settings. As a result, it’s fairly safe to assume
that most users simply didn’t bother with it (out of sight, out of mind).
The firewall in Windows Vista includes all the same features as the one in
Windows XP, and extends them to include AES encryption and IPsec
authentication. Table A summarizes the key feature sets of the firewalls
built into Windows XP and Windows Vista, respectively.
Table A: Windows XP and Windows Vista firewall feature comparison

| Feature | Windows XP SP2 | Windows Vista |
|---|---|---|
| | | Both inbound and outbound |
| Default filtering action | | Configurable actions for inbound and outbound |
| | TCP, UDP, ICMP (partial) | Any IANA protocols |
| Type of rules | Filter by port, application, or ICMP type | Filter by any combination or permutation of the following: protocol, local or remote port (TCP and UDP only), ICMPv4/v6 type and code, local or remote IP addresses, interface type, programs, services, and IPsec metadata |
| Possible rule actions | | Allow, block, bypass |
| Group Policy support | Provided by ADM files | Provided by a custom Group Policy extension snap-in that is the same as the snap-in used to configure local policy |
| | | Using MMC snap-in, netsh, and APIs |
| User interface and tools | Control panel and netsh | Control panel, MMC snap-in, and netsh |
| | Public COM APIs | Enhanced public COM APIs |
Vista’s firewall in brief
Windows Vista provides two types of firewalls that operate in conjunction
with one another to protect a workstation from unauthorized as well as
unauthenticated access. The types of firewalls included with Vista are:
Windows Firewall. Provides baseline protection by
disallowing inbound access to a workstation. You use the Security |
Windows Firewall control panel shown in Figure A
to configure and manage this firewall.
Windows Firewall With Advanced Security. Extends
and enhances the baseline protection by allowing you to manage both
inbound and outbound access via custom rules and security associations.
You use the Windows Firewall With Advanced Security administrative tool
shown in Figure B to configure and manage this
Editor’s note: For the purpose of this article,
we’ll focus on Windows Firewall, reserving a discussion of Windows Firewall
With Advanced Security for an upcoming issue of
Windows Server 2003 Solutions.
Windows Firewall is a component of the Security control panel group.
Windows Firewall With Advanced Security is a component of Administrative
Manage Windows Firewall
When you launch the Windows Firewall control panel, the details pane reports
the status of the firewall (On or Off) as well as your current network
location (Public or Private). Taking note of the network location is
important because any changes you make to the firewall’s settings apply to
only this location.
Enable or disable Windows Firewall
Windows Firewall is enabled by default after you install Windows Vista. If
it becomes disabled for some reason, you’ll see a notification in the system
tray, as shown in Figure C. Clicking on the
notification takes you to the Windows Security Center where you can turn on
the firewall directly, or access the Windows Firewall control panel to turn
Vista conveniently warns you if Windows Firewall is disabled.
To enable or disable Windows Firewall:
Open the Windows Firewall control panel.
Click on either the Turn Windows Firewall On Or Off link (in the task
pane) or the Change Settings link (in the details pane).
On the General tab of the Windows Firewall Settings dialog box shown in
Figure D, select either the On or the Off option
button as necessary.
Note: If you want to block
all incoming connections, regardless of whether they’re on the
Exceptions list, also select the Block All Incoming Connections check box.
Figure D: You
can respect or ignore the Exceptions list when you enable the firewall.
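The status and network location shown in the details pane, the On/Off option buttons, and the Block All Incoming Connections check box all have command-line counterparts in the netsh advfirewall context that ships with Vista. The script below is an added example, not code from the article: it assumes an elevated PowerShell 2.0 prompt (PowerShell is an optional install on Vista), that netsh output is in English (the parser matches the literal words "State" and "Profile Settings"), and it only touches the current network location, exactly as the control panel does.

```powershell
# Added example (not from the article). Wraps the netsh advfirewall commands
# that correspond to the General tab of the Windows Firewall control panel.
# Assumptions: elevated PowerShell 2.0 on Vista, English-language netsh output.

function Invoke-Netsh {
    # Run netsh with the given argument list and stop on a non-zero exit code,
    # so a mistyped policy keyword does not silently leave the firewall unchanged.
    param([string[]]$Arguments)
    $output = & netsh.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $output"
    }
    return $output
}

function Get-FirewallStatus {
    # Report the same two facts the control panel's details pane shows:
    # the active network location (profile) and whether the firewall is on.
    $lines = Invoke-Netsh @('advfirewall', 'show', 'currentprofile')
    $profileLine = $lines | Where-Object { $_ -match '^(\w+) Profile Settings' } | Select-Object -First 1
    $stateLine   = $lines | Where-Object { $_ -match '^State\s+(ON|OFF)' } | Select-Object -First 1
    $location = if ("$profileLine" -match '^(\w+) Profile Settings') { $Matches[1] } else { 'Unknown' }
    $state    = if ("$stateLine" -match '^State\s+(ON|OFF)') { $Matches[1] } else { 'Unknown' }
    New-Object PSObject -Property @{ Location = $location; State = $state }
}

function Set-FirewallState {
    # Turn Windows Firewall on or off for the current network location only,
    # which is what the On/Off option buttons do.
    param([Parameter(Mandatory=$true)][ValidateSet('on', 'off')][string]$State)
    Invoke-Netsh @('advfirewall', 'set', 'currentprofile', 'state', $State) | Out-Null
}

function Set-BlockAllIncoming {
    # Equivalent of the "Block all incoming connections" check box:
    # blockinboundalways drops inbound traffic even when an exception (allow
    # rule) exists; blockinbound restores the normal "respect exceptions" mode.
    param([Parameter(Mandatory=$true)][bool]$Enabled)
    $policy = if ($Enabled) { 'blockinboundalways,allowoutbound' } else { 'blockinbound,allowoutbound' }
    Invoke-Netsh @('advfirewall', 'set', 'currentprofile', 'firewallpolicy', $policy) | Out-Null
}

# Usage: make sure the firewall is on for this location, then inspect the result.
Set-FirewallState -State on
Get-FirewallStatus | Format-List
```

Because the settings apply per network location, run Get-FirewallStatus after moving a mobile workstation between networks; a laptop that was hardened on the Private profile may be sitting on a Public profile whose settings you never touched. The netsh commands inside the functions can also be typed directly at an elevated command prompt.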
Identify pre-set exceptions
By default, Windows Firewall blocks all incoming connections other than
those listed as exceptions. An exception is
simply an application or a port that is allowed to bypass the firewall check
because you’ve deemed it safe based on your network location. You can see
the current exceptions on the Exception tab, as shown in
Common tasks you might perform here include enabling or disabling specific
applications or ports, and determining the function of a particular
application or port. For example:
To enable an application or open a port, select its related check box;
similarly, deselect the check boxes for the items you want to block.
To view a description of an application or port, highlight its name in the
list, and then click the Properties button.
Figure E: The
Exceptions list already contains the programs you’re most likely to need.
Define custom exceptions
Depending on your network environment and the work you need to perform, you
may need to permit certain applications or open particular ports. We’ll show
you how to do that next.
To allow an application:
On the Exceptions tab, click the Add Program button.
In the Add A Program dialog box, select an application from the list, or
browse for a new one.
To open a port:
On the Exceptions tab, click the Add Port button.
In the Add A Port dialog box, enter a descriptive name, the desired port
number, and the required protocol (TCP or UDP).
Both the Add A Program and the Add A Port dialog boxes provide a Scope
button. When you click this button, you can restrict incoming access to
specific hosts, thus limiting the workstation’s exposure to potentially
hostile incoming connections. For example, as shown in
Figure F, you can specify any computer, computers on your local
subnet only, or a custom list of hosts.
Figure F: A
scope refers to the set of computers for which a particular service is
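In Vista the entries on the Exceptions tab are inbound allow rules in the same rule store that netsh advfirewall manages, so both kinds of exception (Add Program and Add Port) and the Scope button can be reproduced from the command line. The script below is an added example, not code from the article; it assumes an elevated PowerShell 2.0 prompt, and the program path, port number, rule names and host addresses are placeholders rather than values from the article. Rule names and paths deliberately contain no spaces, which sidesteps quoting differences when PowerShell hands arguments to netsh.

```powershell
# Added example (not from the article). Creates a program exception and a port
# exception as inbound allow rules, each with a restricted scope, then shows
# and removes them. Assumptions: elevated PowerShell 2.0; all values below are
# placeholders (the addresses are from the TEST-NET documentation range).

$programPath  = 'C:\Tools\exampleapp.exe'   # placeholder path, assumed to exist
$port         = 8443                        # placeholder TCP port
$trustedHosts = '192.0.2.10,192.0.2.20'     # placeholder custom host list

function Add-ProgramException {
    # "Add Program" with scope "My network (subnet) only": only hosts on the
    # local subnet may reach the program. profile=private keeps the exception
    # from applying when the workstation is on a public network.
    param([string]$Name, [string]$Path)
    netsh advfirewall firewall add rule name=$Name dir=in action=allow program=$Path remoteip=localsubnet profile=private enable=yes
    if ($LASTEXITCODE -ne 0) { throw "failed to add program rule $Name" }
}

function Add-PortException {
    # "Add Port" with scope "Custom list": only the listed addresses may connect
    # to the port. Leaving remoteip out would be the "Any computer" scope,
    # which exposes the port to every host that can reach the workstation.
    param([string]$Name, [int]$Port, [string]$Protocol, [string]$RemoteIp)
    netsh advfirewall firewall add rule name=$Name dir=in action=allow protocol=$Protocol localport=$Port remoteip=$RemoteIp profile=private enable=yes
    if ($LASTEXITCODE -ne 0) { throw "failed to add port rule $Name" }
}

function Remove-Exception {
    # Deleting the rule is the command-line equivalent of removing the entry
    # from the Exceptions list; the default policy blocks the traffic again.
    param([string]$Name)
    netsh advfirewall firewall delete rule name=$Name
    if ($LASTEXITCODE -ne 0) { throw "failed to delete rule $Name" }
}

Add-ProgramException -Name ExampleApp-Inbound -Path $programPath
Add-PortException -Name CustomService-TCP8443 -Port $port -Protocol TCP -RemoteIp $trustedHosts

# Review what was created: direction, profile, remote IP scope and the program
# or port are listed, much as the Properties button shows them in the GUI.
netsh advfirewall firewall show rule name=ExampleApp-Inbound
netsh advfirewall firewall show rule name=CustomService-TCP8443

# Clean up once the exceptions are no longer needed.
Remove-Exception -Name ExampleApp-Inbound
Remove-Exception -Name CustomService-TCP8443
```

The scope values map directly onto the three options in Figure F: no remoteip (any computer), remoteip=localsubnet (local subnet only), and an explicit address list (custom list). Prefer the narrowest scope that still lets the application work; an exception with no scope is an open port from every network the workstation ever joins under that profile.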
Configure advanced settings
The settings you apply using the Windows Firewall control panel apply to all
interfaces on the workstation. However, you can manage the settings on a
per-interface basis as well. For example, on the Advanced tab shown in
Figure G, we’ve selected the LAN and WLAN
interfaces but deselected the two virtual interfaces (VMnet1 and VMnet8). Be
aware that incoming connections on deselected interfaces bypass the firewall
Figure G: You
can include and exclude specific network interfaces.
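The netsh advfirewall context offers a rule-level counterpart to the interface selection shown in Figure G, and a command-line counterpart to the Restore Defaults button described next. The script below is an added example, not code from the article; it assumes an elevated PowerShell 2.0 prompt, and the rule names, port and backup path are placeholders. One difference is worth keeping in mind: a rule scoped with interfacetype still leaves the firewall active on the other interfaces, whereas deselecting an interface on the Advanced tab removes protection from it entirely.

```powershell
# Added example (not from the article). Shows the netsh advfirewall equivalents
# of the Advanced tab: limiting an exception to particular interface types, and
# restoring the default configuration with a backup taken first.
# Assumptions: elevated PowerShell 2.0; rule names, port and path are placeholders.

$backupPath = 'C:\Backup\firewall-before-reset.wfw'   # placeholder path

function Add-InterfaceScopedRule {
    # interfacetype accepts any, lan, wireless or ras (dial-up and VPN links).
    # One type per rule keeps the command portable; two rules together match
    # the Figure G selection of the LAN and WLAN interfaces, while connections
    # arriving over a remote-access link stay blocked.
    param([string]$Name, [int]$Port, [string]$InterfaceType)
    netsh advfirewall firewall add rule name=$Name dir=in action=allow protocol=TCP localport=$Port interfacetype=$InterfaceType profile=private
    if ($LASTEXITCODE -ne 0) { throw "failed to add rule $Name" }
}

function Reset-FirewallToDefaults {
    # "Restore Defaults" with a safety net: export the current policy first so
    # a needed exception that the reset wipes out can be re-imported with
    # "netsh advfirewall import <path>" instead of being rebuilt from memory.
    param([string]$BackupPath)
    New-Item -ItemType Directory -Force -Path (Split-Path $BackupPath) | Out-Null
    netsh advfirewall export $BackupPath
    if ($LASTEXITCODE -ne 0) { throw "export failed; refusing to reset without a backup" }
    netsh advfirewall reset
    if ($LASTEXITCODE -ne 0) { throw "reset failed" }
}

# Usage: allow TCP 8443 (placeholder) on wired and wireless interfaces only.
Add-InterfaceScopedRule -Name Service8443-Lan -Port 8443 -InterfaceType lan
Add-InterfaceScopedRule -Name Service8443-Wireless -Port 8443 -InterfaceType wireless
netsh advfirewall firewall show rule name=Service8443-Lan
netsh advfirewall firewall show rule name=Service8443-Wireless

# Uncomment only when you intend to discard every custom rule and setting:
# Reset-FirewallToDefaults -BackupPath $backupPath
```

Exporting before a reset is the step the GUI does not prompt you for: once Restore Defaults has run, the custom exceptions are gone, and re-adding them one at a time is where the troubleshooting approach described next pays off.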
On the Advanced tab, you can also reset Windows Firewall to its default
settings by clicking on the Restore Defaults button. Resetting the firewall
to its default values, and then re-configuring it (one setting at a time),
is often more efficient than trying to troubleshoot a specific problem