The Windows Firewall was first introduced with Windows XP Service Pack 2 (SP2), and was later added to Windows Server 2003 as part of Service Pack 1 (SP1). The Windows Firewall was a big improvement over its predecessor, which had no built-in, host-based firewall at all. This initial release was very basic and included only the most fundamental functionality. With the advent of Vista and Windows Server 2008, the Windows Firewall has been given a substantial makeover and is now known as Windows Firewall with Advanced Security (WFAS). Keep reading for a description of the new features in WFAS as well as a step-by-step configuration example.
Here is a list of some of the most important new features in WFAS:
- WFAS is enabled by default in Windows Server 2008
- The firewall now supports both incoming and outgoing rules
- There is a new Microsoft Management Console (MMC) snap-in for WFAS, and in this new interface the firewall configuration has been merged with Internet Protocol Security (IPSec) configuration
- Command line interface changes
- Configuration of rules/exceptions is much more powerful
- New profile options
When Microsoft added the Windows Firewall to Windows XP SP2, the new feature was enabled by default. This was an amazing leap forward in desktop security. In Windows Server 2003 SP1, it was enabled when users first set up a server, but disabled once they ran Windows Update to patch the server. Now, with Windows Server 2008, the firewall is fully enabled by default. This is a great step forward in locking down the server OS, and Microsoft makes life easy by automatically adding firewall exceptions when new roles (e.g. DNS) are added through the Server Manager interface. Vista, of course, also enables the firewall by default.
A powerful new feature of WFAS is the ability to create outbound firewall rules. The most common use of a firewall is to keep the bad guys out, but administrators can also keep the good guys in. An example of this would be blocking outbound destination ports 80 and 443 so no one can browse the Web from a server. Of course, be careful: You don't want to block your server from getting its monthly dose of patches. NOTE: By default all outbound connections are allowed.
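The outbound block described above, as an added example that is not part of the original article. It uses the netsh advfirewall syntax the article introduces later and is meant to be run from an elevated command prompt on Windows Server 2008 or Vista; the rule names and the browser path are assumptions made for the example:

```batch
@echo off
rem Added example: outbound web blocking with netsh advfirewall.
rem Assumption: elevated command prompt on Windows Server 2008 / Vista.

rem 1. The blanket rule from the article: block every outbound TCP connection
rem    to remote ports 80 and 443, in every profile.
rem    Caveat: in WFAS a block rule always wins over an allow rule, so this
rem    also stops Windows Update, which reaches Microsoft over 80/443.
netsh advfirewall firewall add rule name="Block outbound web (all programs)" dir=out action=block protocol=TCP remoteport=80,443 profile=any

rem 2. A narrower alternative: block only the browser binary, so services that
rem    need HTTP/HTTPS (Windows Update, WSUS clients) keep working.
rem    The browser path below is an assumption for this example.
netsh advfirewall firewall add rule name="Block outbound web (browser only)" dir=out action=block protocol=TCP remoteport=80,443 program="%ProgramFiles%\Internet Explorer\iexplore.exe"

rem 3. Verify what was created.
netsh advfirewall firewall show rule name="Block outbound web (browser only)" verbose

rem 4. Roll back the blanket rule if patching breaks (delete by name removes
rem    every rule carrying that name).
netsh advfirewall firewall delete rule name="Block outbound web (all programs)"
```

Because block rules take precedence over allow rules in WFAS, adding an allow rule for Windows Update next to the blanket block would not help; scoping the block to a program (or to remote addresses) is the way to keep patching working.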
In addition to managing firewall configuration, the new WFAS MMC snap-in replaces both the IP Security Policies and IP Security Monitor MMC snap-ins that were previously used to manage IPSec. They are, however, both included in Windows Server 2008 and Vista. The older snap-ins can be used to manage down-level clients (e.g. Windows 2000, Windows XP, and Windows Server 2003). See figure 1 for a screen shot of the new interface.
NOTE: The fastest way to open the WFAS interface is by clicking Start, typing "firewall" into the search area, and pressing Enter. You can also get to the new WFAS MMC snap-in through Server Manager in Windows Server 2008.
To manage the new features of WFAS from the command line, you will need to use the new advfirewall context with netsh. You can get to this command line interface by typing netsh advfirewall at a command prompt (see figure 2). If you are using the new Server Core installation of Windows Server 2008 (this is the command line only version of Windows Server 2008) and you want to use the WFAS MMC snap-in, then you will need to run the following command so you can manage WFAS remotely from a Vista workstation or regular installation of Windows Server 2008:
netsh advfirewall set allprofiles settings remotemanagement enable
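As an added example (not from the original article), a short batch script that applies a baseline configuration from the netsh advfirewall context, including the remote management command shown above. It assumes an elevated command prompt on Windows Server 2008 (Server Core or a full installation); the log file size is an arbitrary value chosen for the example:

```batch
@echo off
rem Added example: baseline WFAS profile settings via netsh advfirewall.
rem Assumption: elevated command prompt on Windows Server 2008.

rem Make sure the firewall is on for all three profiles (Domain, Private, Public).
netsh advfirewall set allprofiles state on

rem Default behaviour: drop unsolicited inbound traffic, allow outbound
rem (this is also the WFAS default, restated here so it is explicit).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem Log dropped packets so blocked traffic can be investigated later.
rem maxfilesize is in kilobytes; 4096 is an example value.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096

rem Server Core: allow the WFAS MMC snap-in on another machine to manage this
rem host (the command from the article). This opens the remote management
rem exceptions, so only do it on hosts that are actually managed this way.
netsh advfirewall set allprofiles settings remotemanagement enable

rem Review the result for every profile.
netsh advfirewall show allprofiles
```

The final show command prints the state, default policy and logging settings per profile, which is the quickest way to confirm the script took effect.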
Perhaps the most important update to WFAS is the ability to create much more detailed and powerful exceptions. Here is a list of the new types of exceptions allowed by WFAS:
- based on IP protocol number
- source and destination TCP and UDP ports
- all or multiple ports
- specific types of interfaces (LAN, remote access, or wireless)
- ICMP and ICMPv6 traffic by type and code
- for individual services
Previous to WFAS it was nearly impossible to allow all types of traffic from a particular IP address. You would have to manually add an exception for every single port individually, all 65,536 of them! The updated granularity in exception rules is a very welcome addition to WFAS.
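The exception types listed above, and the "all traffic from one IP address" case from this paragraph, expressed as netsh advfirewall rules. This is an added example, not code from the original article; the addresses 192.0.2.10 and 192.0.2.0/24 are placeholders from the documentation range, and the rule names are assumptions:

```batch
@echo off
rem Added example: the new WFAS exception types, one netsh rule each.
rem Assumptions: elevated prompt; 192.0.2.10 and 192.0.2.0/24 are placeholder
rem management addresses, not values from the article.

rem "All traffic from one IP address" - the case that used to need 65,536
rem separate port exceptions. protocol=any covers TCP, UDP and everything else.
netsh advfirewall firewall add rule name="Allow all from management host" dir=in action=allow protocol=any remoteip=192.0.2.10

rem Source/destination ports plus profile: accept DNS queries (UDP 53) only from
rem the management subnet, and only while the Domain profile is active.
netsh advfirewall firewall add rule name="DNS from mgmt subnet" dir=in action=allow protocol=UDP localport=53 remoteip=192.0.2.0/24 profile=domain

rem ICMPv4 by type and code: echo request is type 8 (any code).
netsh advfirewall firewall add rule name="ICMPv4 echo request" dir=in action=allow protocol=icmpv4:8,any

rem ICMPv6 by type: echo request is type 128.
netsh advfirewall firewall add rule name="ICMPv6 echo request" dir=in action=allow protocol=icmpv6:128,any

rem Per-service and per-interface-type: allow inbound TCP 445 only for the
rem Server service (short name lanmanserver) and only on LAN interfaces,
rem not wireless or remote access (ras).
netsh advfirewall firewall add rule name="SMB for Server service on LAN" dir=in action=allow protocol=TCP localport=445 service=lanmanserver interfacetype=lan

rem By IP protocol number: allow GRE (protocol 47), used by PPTP tunnels.
netsh advfirewall firewall add rule name="GRE inbound" dir=in action=allow protocol=47

rem Show one of the rules in full to confirm the scoping was applied.
netsh advfirewall firewall show rule name="SMB for Server service on LAN" verbose
```

Each rule combines several of the new criteria, which is the point of the granularity the article describes: a single rule can be restricted by remote address, port, profile, service and interface type at once instead of opening a port to everyone.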
The way that profiles operate in WFAS is a bit different from the previous version. With the old Windows Firewall there are two profiles: Domain and Standard. If your machine is joined to a domain and Windows determines that you are operating on the network associated with the Windows domain, then the Domain profile is used. Otherwise the Standard profile is used. This allows for different firewall rules depending on which network you are connected to. The idea is that you may want to have stricter firewall rules if you are away from the home office at a coffee shop, etc. With WFAS there are now three profiles: Domain, Private, and Public. The Domain profile operates as it did before. The Public and Private profiles are used when you are connected to a non-domain network, similar to the legacy Standard profile. The difference is that you can designate a particular network as Public or Private. Public is used by default and has more restrictive rules, but you can switch to the Private profile for a particular network from the Network Sharing Center accessible from the Control Panel. To switch between the Public and Private profiles, open the Network Sharing Center and click on "Customize".
Add a New Firewall Rule
Now let's go through the steps for adding a new firewall rule to WFAS. The first thing you need to do is figure out what type of exception you want to make. With WFAS you can make exceptions based on port, program/service, or predefined rule. If you want to set up a port-based rule and you are not sure what port a particular program is using, check out this article on how to use the netstat.exe utility.
For this example, let's say we want to open up ports 80 (HTTP) and 443 (HTTPS) for a third-party Web server. Remember that if you were to just add the Internet Information Services (IIS) role to your server via Server Manager, Windows would automatically open up the appropriate incoming firewall exceptions.
Here are the steps to follow for our scenario:
- Open the WFAS interface by typing "firewall" into the search area on the Start menu and pressing Enter
- Right-click "Inbound Rules" and select "New Rule..."
- Select "Port" and click "Next"
- Type "80,443" into the "Specific local ports" input area, click Next
- The default selection is "Allow the connection" and this is what we want so click Next
- For a desktop machine you may want to adjust the profile settings, but assuming that this rule will be for a server we are going to leave all of the profiles checked and click Next
- Choose a name such as "Web Server" and click Finish
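The same "Web Server" rule created from the command line instead of the New Inbound Rule wizard, as an added example that is not part of the original walkthrough. It assumes an elevated command prompt, and the export path is an arbitrary location chosen for the example:

```batch
@echo off
rem Added example: the walkthrough's "Web Server" rule, built with netsh.
rem Assumption: elevated command prompt on Windows Server 2008 / Vista.

rem Equivalent of: Inbound Rules > New Rule... > Port > TCP, specific local
rem ports 80,443 > Allow the connection > all profiles > name "Web Server"
netsh advfirewall firewall add rule name="Web Server" dir=in action=allow protocol=TCP localport=80,443 profile=any

rem Check the protocol and port details that figure 3 shows in the GUI.
netsh advfirewall firewall show rule name="Web Server" verbose

rem During maintenance, disable the rule rather than deleting it...
netsh advfirewall firewall set rule name="Web Server" new enable=no
rem ...and re-enable it afterwards.
netsh advfirewall firewall set rule name="Web Server" new enable=yes

rem Back up the complete firewall policy once the rule set is in the state you
rem want; the .wfw file can be restored with "netsh advfirewall import".
rem The path is an example value.
netsh advfirewall export "C:\backup\wfas-policy.wfw"
```

Scripting the rule this way makes it repeatable across servers and easy to review, and the exported .wfw file gives you a known-good policy to import on a rebuilt or newly provisioned host.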
Take a look at figure 3 to see the "Protocols and Ports" tab of the new rule.
With many significant improvements over the previous version, WFAS should make your life much easier when it comes to host-based firewall management on your Windows machines. Now all you have to do is upgrade all of your systems to Vista and Windows Server 2008.