Windows Firewall filters incoming traffic to help block unwanted network traffic. Optionally, Windows Firewall can also filter outgoing traffic to help limit the risk of malware. Although Windows Firewall’s default settings will work well with components built into Windows, they might prevent other applications from functioning correctly. Windows Firewall’s default settings can also be significantly improved to provide even stronger protection by requiring authorization or limiting the scope of allowed connections.
Why Firewalls Are Important
In networking, firewalls analyze communications and drop packets that haven’t been specifically allowed. This is an important task because connecting to the Internet means any of the millions of other Internet-connected computers can attack you. A successful compromise or attack can crash a service or computer, compromise confidential data, or even allow the attacker to take complete control of the remote computer. In the case of worms, automated software attacks computers across the Internet, gains elevated privileges, copies itself to the compromised computer, and then begins attacking other computers (typically at random).
The purpose of a firewall is to drop unwanted traffic, such as traffic from worms, while allowing legitimate traffic, such as authorized file sharing. The more precisely you use firewall rules to identify legitimate traffic, the less you risk exposure to unwanted traffic from worms.
Firewall Profiles
When you create firewall rules to allow or block traffic, you can separately apply them to the Domain, Private, and Public profiles. These profiles enable mobile computers to allow incoming connections while connected to a domain network (for example, to allow incoming Remote Desktop connections) but block connection attempts on less-secure networks (such as public wireless hotspots).
Domain
Applies when a computer is connected to its Active Directory domain. Specifically, any time a member computer’s domain controller is accessible, this profile will be applied.
Private
Applies when a computer is connected to a private network location. By default, no networks are considered private—users must specifically mark a network location, such as their home office network, as private.
Public
The default profile applied to all networks when a domain controller is not available.
For example, the Public profile is applied when users connect to Wi-Fi hotspots at airports or coffee shops. The Public profile by default allows outgoing connections but blocks all incoming traffic that is not part of an existing connection.
Most servers will always be connected to a domain environment. To ensure consistent operation even if a domain controller is not available, configure the same firewall rules for all three profiles when configuring a server.
Creating Inbound Filters
By default, Windows Firewall (as well as most other firewalls) blocks any inbound traffic that hasn’t been specifically allowed. By default, the Public profile allows absolutely no incoming connections—this provides excellent security when connecting to public hotspots or other non-trusted networks. The Domain and Private profiles allow some incoming connections, such as connections for file and printer sharing.
If you install or enable a Windows feature that requires incoming connections, Windows will automatically enable the required firewall rules. Therefore, you do not need to manually adjust the firewall rules.
Profile                  Public    Private              Domain
Inbound traffic          Blocked   Allowed              Allowed
File and Print sharing   Blocked   Allowed              Allowed
Windows component        Blocked   Automatically added  Automatically added
Creating an Inbound Filter
If you install an application that does not automatically enable the required firewall rules, you will need to create the rules manually. You can create firewall rules using the standalone Windows Firewall With Advanced Security console.
To create an inbound filter, expand Configuration > Windows Firewall with Advanced Security and right-click Inbound Rules. Select New Rule.
Program
A rule that allows or blocks connections for a specific executable file, regardless of the port numbers it might use. You should use the Program rule type whenever possible. The only time it’s not possible to use the Program rule type is when a service does not have its own executable.
Port
A rule that allows or blocks communications for a specific TCP or UDP port number, regardless of the program generating the traffic.
Predefined
A rule that controls connections for a Windows component, such as Active Directory Domain Services, File And Printer Sharing, or Remote Desktop. Typically, Windows enables these rules automatically.
Custom
A rule that can combine program and port information.
Select Predefined. From the drop-down list, select the required service and click Next. From the list that follows, select the required service and click Next.
Allow The Connection
Allows any connection that matches the criteria you specified on the previous pages.
Allow The Connection If It Is Secure
Allows connections that match the criteria you specified on the previous pages, only if they are protected with IPsec.
Optionally, you can select the Require The Connections To Be Encrypted check box, which requires encryption in addition to authentication. Selecting the Override Block Rules check box configures the rule to take precedence over other rules that might prevent a client from connecting. If you select this rule type, the wizard will also prompt you to select users and computers that are authorized to establish this type of connection.
Block The Connection
Drops any connection attempt that matches the criteria you specified on the previous pages. Because inbound connections are blocked by default, you rarely need to create this rule type. However, you might use this action for an outbound rule if you specifically want to prevent an application from initiating outgoing connections.
Select the appropriate action and click Finish.
Creating an Inbound Filter – Program Rule
To create an inbound filter, expand Configuration > Windows Firewall with Advanced Security and right-click Inbound Rules. Select New Rule > Program > Next.
Then select This program path and click Browse. Select the required program and click Open. Click Next, select Allow the Connection, and click Next. Select all profiles and click Next. Type a name. The new rule has now been added to the firewall.
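The same predefined and program rules, created from the command line. This is an added example, not part of the original post; it assumes the NetSecurity PowerShell module (Windows Server 2012 / Windows 8 or later; on Windows Server 2008 the equivalent commands live under netsh advfirewall), an elevated prompt, and a placeholder executable path.

```powershell
# Added example (not from the original post). Assumes the NetSecurity module
# and an elevated PowerShell session. The program path is a placeholder.

# Predefined rule type: enable the built-in Remote Desktop rule group on all
# profiles (the GUI's "Predefined" wizard page does the same thing).
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Program rule type: allow inbound connections to one executable regardless of
# the ports it uses, on the Domain, Private and Public profiles alike, so the
# rule behaves the same even when a domain controller is unreachable.
$exe = "C:\Program Files\ExampleApp\exampleapp.exe"   # placeholder path
New-NetFirewallRule -DisplayName "ExampleApp (inbound)" `
    -Direction Inbound -Program $exe -Action Allow `
    -Profile Domain,Private,Public -Enabled True

# Verify the rule and the program filter attached to it.
Get-NetFirewallRule -DisplayName "ExampleApp (inbound)" |
    Get-NetFirewallApplicationFilter |
    Select-Object Program
```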
Creating an Outbound Filter
By default, Windows Firewall allows all outbound traffic. Allowing outbound traffic is far less risky than allowing inbound traffic. However, outbound traffic still carries some risk:
If malware infects a computer, it might send outbound traffic containing confidential data (such as content from a Microsoft SQL Server database, e-mail messages from a Microsoft Exchange server, or a list of passwords).
Worms and viruses seek to replicate themselves. If they successfully infect a computer, they will attempt to send outbound traffic to infect other computers. After one computer on an intranet is infected, network attacks can allow malware to rapidly infect other computers on the intranet.
Users might use unapproved applications to send data to Internet resources and either knowingly or unknowingly transmit confidential data.
By default, all versions of Windows (including Windows Server 2008) do not filter outbound traffic. However, Windows Server 2008 does include outbound filters for core networking services, enabling you to quickly enable outbound filtering while retaining basic network functionality.
To create a new rule, right-click Outbound Rules. In the following example, we will create a port rule to block LimeWire file sharing. Select New Rule and then select the rule type; for this example, select Port. Click Next. In Specific Local Ports, type 6346, the default port for LimeWire. Click Next.
Select Block the Connection and click Next. Select all profiles and click Next. Type a name and description for the new rule and click Finish.
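The outbound block rule for LimeWire's default port, as an added example that is not part of the original post. It assumes the NetSecurity module and an elevated prompt; it filters on the remote port, because what leaves the machine are connections to peers listening on 6346, and creates both a TCP and a UDP rule since the protocol must be chosen explicitly.

```powershell
# Added example (not from the original post). Assumes the NetSecurity module
# and an elevated PowerShell session.

# Block outbound traffic to 6346 (LimeWire's default port) on every profile.
# A Block rule is enforced even though the profile's default outbound action
# is Allow, which is why the post can block one application without
# switching on full outbound filtering.
foreach ($proto in "TCP", "UDP") {
    New-NetFirewallRule -DisplayName "Block LimeWire ($proto 6346)" `
        -Description "Blocks LimeWire file sharing" `
        -Direction Outbound -Protocol $proto -RemotePort 6346 `
        -Action Block -Profile Domain,Private,Public
}

# Confirm both rules exist and are enabled.
Get-NetFirewallRule -DisplayName "Block LimeWire*" |
    Select-Object DisplayName, Direction, Action, Enabled

# Stricter alternative mentioned in the text: drop everything outbound that
# is not explicitly allowed. Only do this after confirming the core
# networking allow rules (DNS, DHCP, domain traffic) are enabled.
# Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block
```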
Firewall Scopes
One of the most powerful ways to increase computer security is to configure a firewall scope. Using scopes, you can allow connections from your internal network and block connections from external networks. This can be used in the following ways.
For a server that is connected to the Internet, you can allow anyone on the Internet to connect to public services (such as the Web server) while allowing only users on your internal network to access private servers (such as Remote Desktop). For internal servers, you can allow connections only from the specific subnets that contain potential users. When planning such scope limitations, remember to include remote access subnets.
For outgoing connections, you can allow an application to connect to servers only on specific internal subnets. For example, you might allow SNMP traps to be sent only to your SNMP management servers. Similarly, you might allow a network backup application to connect only to your backup servers.
For mobile computers, you can allow specific communications (such as Remote Desktop) from only the subnets you use for management. Scopes can be configured on either inbound or outbound rules.
Right-click the rule and select Properties. Select the Scope tab, then These IP Addresses. Fill in the IP address and click OK; the addresses have now been added. Under the remote IP address, select These IP Addresses and click Add. You can also select a predefined set of computers from the drop-down list. Click OK, and then click OK again to complete.
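The three scope patterns above (Remote Desktop from management subnets only, an outbound rule limited to specific servers, and a predefined set of computers), as an added example that is not part of the original post. It assumes the NetSecurity module and an elevated prompt; the subnets and server addresses are placeholders.

```powershell
# Added example (not from the original post). Assumes the NetSecurity module
# and an elevated PowerShell session. All addresses are placeholders.
$mgmtSubnets = "10.10.50.0/24", "10.10.51.0/24"   # management + remote access subnets
$snmpManagers = "10.10.50.10", "10.10.50.11"       # SNMP management servers

# Inbound scope: restrict the built-in Remote Desktop rules so only the
# management subnets (including the remote access subnet) can connect.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Set-NetFirewallRule -RemoteAddress $mgmtSubnets

# Outbound scope: SNMP traps (UDP 162) may only go to the managers. This only
# constrains anything once the profile's default outbound action is Block.
New-NetFirewallRule -DisplayName "SNMP traps to managers only" `
    -Direction Outbound -Protocol UDP -RemotePort 162 `
    -RemoteAddress $snmpManagers -Action Allow

# "Predefined set of computers" in the GUI corresponds to address keywords
# such as LocalSubnet, DNS, DHCP, DefaultGateway, Intranet or Internet.
New-NetFirewallRule -DisplayName "Intranet web server (local subnet only)" `
    -Direction Inbound -Protocol TCP -LocalPort 80 `
    -RemoteAddress LocalSubnet -Action Allow

# Show the resulting remote address scope of the Remote Desktop rules.
Get-NetFirewallRule -DisplayGroup "Remote Desktop" |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```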
Authorizing Connections
If you are using IPsec connection security in an Active Directory environment, you can also require the remote computer or user to be authorized before a connection can be established. For example, imagine that your organization had a custom accounting application that used TCP port 1073, but the application had no access control mechanism—any user who connected to the network service could access confidential accounting data. Using Windows Firewall connection authorization, you could limit inbound connections to users who are members of the Accounting group—adding access control to the application without writing any additional code.
Right-click the rule to be configured and select Properties. Then select Allow only secure connections. Select Require encryption, then select Users and Computers. Select Allow only connections from these users. Click Add. Click OK to complete. The connection is now secured.
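The accounting-application scenario above expressed as a connection security rule plus an authorized firewall rule. This is an added example, not part of the original post; it assumes the NetSecurity module on a domain-joined server, an elevated prompt, a placeholder domain name CONTOSO, and that the user-authentication SDDL form used here is accepted by -RemoteUser (it is the documented format, but check it on your version).

```powershell
# Added example (not from the original post). Assumes the NetSecurity module
# on a domain member, run elevated. CONTOSO is a placeholder domain; port
# 1073 and the Accounting group follow the scenario in the text.

# Resolve the Accounting group to a SID and express it as an SDDL allow ACE,
# which is the form the -RemoteUser parameter expects.
$account = New-Object System.Security.Principal.NTAccount("CONTOSO\Accounting")
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$allowAccounting = "O:LSD:(A;;CC;;;$sid)"

# Connection security rule: require IPsec for inbound traffic and negotiate
# user Kerberos authentication, so the firewall learns who is connecting and
# can evaluate group membership.
$userKerb = New-NetIPsecPhase2AuthProposal -UserKerberos
$authSet  = New-NetIPsecPhase2AuthSet -DisplayName "User Kerberos" -Proposal $userKerb
New-NetIPsecRule -DisplayName "Require IPsec for accounting app" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase2AuthSet $authSet.Name

# Firewall rule: TCP 1073 is reachable only over authenticated and encrypted
# IPsec, and only for members of Accounting. This is the GUI's
# "Allow only secure connections" + "Require encryption" +
# "Allow only connections from these users". Add -OverrideBlockRules $true
# if this rule must win over block rules, as the check box of that name does.
New-NetFirewallRule -DisplayName "Accounting app (authorized users)" `
    -Direction Inbound -Protocol TCP -LocalPort 1073 `
    -Authentication Required -Encryption Required `
    -RemoteUser $allowAccounting -Action Allow
```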
Logging for Windows Firewall
If you are ever unsure about whether Windows Firewall is blocking or allowing traffic, you should enable logging, re-create the problem you’re having, and then examine the log files.
Right-click Windows Firewall with Advanced Security and select Properties. Click Customize, enable logging by selecting Yes from the drop-down lists, and click OK. Logging should be enabled on all profiles. Click OK to finish. The output is written to the Windows Firewall log.
In most production environments, this log will be written to almost constantly, which can affect system performance. Enable logging only when actively troubleshooting a problem, and disable it as soon as you are done.
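Enabling the log on all three profiles, summarising what it dropped while the problem was reproduced, and turning it off again, as an added example that is not part of the original post. It assumes the NetSecurity module and an elevated prompt, and relies on the W3C-style field order of pfirewall.log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...).

```powershell
# Added example (not from the original post). Assumes the NetSecurity module
# and an elevated PowerShell session.
$log = "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

# Enable logging of dropped and allowed packets on all three profiles, as the
# GUI steps above do, so behaviour is the same whichever profile is active.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName $log -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 4096

# ... reproduce the problem, then look at what was dropped. Fields in the log
# are space separated; index 2 is the action, 3 protocol, 4 src-ip, 5 dst-ip,
# 7 dst-port and 16 the direction (RECEIVE/SEND). Lines starting with # are
# header comments.
$path = [Environment]::ExpandEnvironmentVariables($log)
Get-Content $path |
    Where-Object { $_ -notmatch '^#' -and ($_ -split ' ')[2] -eq 'DROP' } |
    ForEach-Object {
        $f = $_ -split ' '
        [pscustomobject]@{ Proto = $f[3]; Src = $f[4]; Dst = $f[5]; DstPort = $f[7]; Dir = $f[16] }
    } |
    Group-Object Proto, DstPort, Dir |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Switch logging back off once the problem is understood.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked False -LogAllowed False
```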
Identifying Network Communications
If you use port-based firewall rules, or if you need to configure a network firewall that can identify communications based only on port number, and the application's documentation does not list the firewall requirements, you can examine the application's behavior to determine the port numbers in use.
The simplest tool to use is Netstat. On the server, run the application, and then run the following command to examine which ports are listening for active connections:
netstat -a -b
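The same question (which local ports does this application listen on?) answered with PowerShell rather than netstat, narrowed to one process and covering UDP endpoints as well as TCP listeners. This is an added example, not part of the original post; it assumes the NetTCPIP module (Windows Server 2012 / Windows 8 or later) and a placeholder process name.

```powershell
# Added example (not from the original post). Assumes the NetTCPIP module.
# "exampleapp" is a placeholder for the process name of the application.
$name = "exampleapp"
$procIds = (Get-Process -Name $name -ErrorAction Stop).Id

# TCP listeners owned by the application: the netstat -a -b view filtered to
# one program. Resolve the owning process name for readability.
Get-NetTCPConnection -State Listen |
    Where-Object { $procIds -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = "Process"; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# UDP endpoints have no listening state but still need port rules; netstat
# lists them under the UDP protocol.
Get-NetUDPEndpoint |
    Where-Object { $procIds -contains $_.OwningProcess } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it while the application is active, because ports opened on demand only show up once the relevant feature has been exercised.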