Introduction to Windows Firewall with Advanced Security

Overview

Abstract
Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. While typical end-user configuration of Windows Firewall still takes place through the Windows Firewall Control Panel tool, advanced configuration now takes place in a Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in provides an interface for configuring Windows Firewall not only locally but also on remote computers and via Group Policy. Firewall functions are now integrated with IPsec (Internet Protocol security) protection settings, reducing the possibility of conflict between the two protection mechanisms. Windows Firewall with Advanced Security supports separate profiles for when computers are domain-joined or connected to a private or public network. It also supports the creation of rules for enforcing server and domain isolation policies. Windows Firewall with Advanced Security supports more granular rules, including Microsoft Active Directory users and groups, source and destination Internet Protocol (IP) addresses, IP port number, ICMP settings, IPsec settings, specific types of interfaces, services, and more.

The increasing ease and efficiency of network connectivity and the growing number of network-aware programs have delivered a new level of productivity for businesses, organizations, and individuals. New breakthroughs in wireless and other connectivity choices have also brought to the mobile worker more options than ever.

Heightened network connectivity also increases risk. The ease of connection that allows authorized users to access resources from almost anywhere at any time can also allow unauthorized users and malicious programs to attack a network with relative speed and anonymity.

Protecting your network and information assets requires a layered, defense-in-depth security model. You must protect the computers on your network from unauthorized users and programs not only on the Internet but also on the local intranet. A layered defense can provide protection from unauthorized, unmanaged, and unhealthy computers no matter how they connect to the network.

Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way firewalling for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings based on the type of network to which the computer is connected. Now that Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, Windows Firewall also becomes an important part of your network’s isolation strategy.

Business and Technical Benefits

Windows Firewall with Advanced Security helps your business face the challenges of providing more secure networking with a scalable and tightly integrated solution that is also simple to use.

Connected computers face the following challenges:

  • Mobile workers and devices complicate a network’s physical topology, making it difficult to prevent unauthorized access to trusted network assets.

  • Viruses, worms, and denial of service (DoS) attacks are increasing in complexity, making it more difficult to mitigate the risk of malware threats and DoS attacks.

  • Regulatory burdens are increasing, making it more difficult to achieve and maintain compliance with legislative regulations.

  • Data is a critical asset for almost every employee in most organizations, making it difficult to limit access to authorized users while still providing ease of access.

To help address these challenges, Windows Firewall with Advanced Security offers the following benefits:

  • Reduces the risk of network security threats. Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Network Access Protection (NAP), a feature of Windows Server “Longhorn” (now in beta), also helps ensure healthy client computers. The integration of NAP helps prevent communications between healthy and unhealthy computers.

  • Safeguards sensitive data and intellectual property. Through its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications, providing scalable, tiered access to trusted network resources, enforcing data integrity, and optionally protecting confidentiality.

  • Extends the value of existing investments. Since Windows Firewall with Advanced Security is a host-based firewall that is included with the Microsoft Windows Vista operating system as well as Windows Server “Longhorn,” and since it tightly integrates with Active Directory and Group Policy, no additional hardware or software is required. Windows Firewall with Advanced Security is also designed to complement existing third-party network security solutions through a scriptable application programming interface (API).

Summary of New Features

Windows Firewall with Advanced Security adds a number of new features to previous versions of Windows Firewall. Table 1 summarizes important new features.

Table 1. Summary of Important New or Enhanced Features in Windows Firewall with Advanced Security

Feature Description

Windows Service Hardening

Windows Service Hardening helps prevent critical Windows services from being used for potentially malicious activity in the file system, registry, or network. If the firewall detects abnormal behavior as defined by the Windows Service Hardening network rules, the firewall blocks it. In addition, services can be limited to writing only to specific areas of the file system or registry based on Access Control Lists (ACLs). This helps prevent a compromised service from changing important configuration settings in the file system or registry, or from infecting other computers on the network. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.

Granular rules

By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use the Windows Firewall with Advanced Security interface to configure rules for both inbound and outbound connections. Windows Firewall with Advanced Security also supports filtering on any IP protocol number, while previous versions of Windows Firewall supported filtering only UDP, TCP, and ICMP.

Outbound Filtering

The Windows Firewall can manage outbound filtering as well as inbound. This will help administrators limit which applications can be used to send traffic onto the network, enforcing corporate policies for compliance.

Location-aware profiles

You can configure different rules and settings for the following firewall profiles:

  • Domain. Used when the computer is connected to the Active Directory domain of which it is a member.

  • Private. Used when a computer is connected to a private network behind a private gateway or router. Only a user with administrative privileges can designate a network as private.

  • Public. Used when a computer is connected directly to the Internet or any network that has not been selected as Private or Domain.

Authenticated bypass

With IPsec authentication, you can configure bypass rules for specific computers so that connections from those computers bypass other rules set up in Windows Firewall with Advanced Security. This allows you to block a particular type of traffic but allow authenticated computers to bypass the block. With Windows Vista, Windows Firewall can apply more granular authenticated bypass rules, allowing the administrator to specify which ports or programs can be accessed, as well as which computer or group of computers is granted access.

Active Directory user, computer, and groups support

You can create firewall rules that filter connections by user, computer, or groups in Active Directory. For these types of rules, the connection must be secured with IPsec using a credential that carries the Active Directory account information, such as Kerberos version 5 (v5).
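The rule types described above under Granular rules, Outbound Filtering, Location-aware profiles, Authenticated bypass, and Active Directory group support, expressed as netsh advfirewall commands (the command-line counterpart of the snap-in, available on Windows Vista and later). This is an added example and is not part of the original document. The management subnet, the program path, the rule names, and the group SID are constructed placeholders; the SID must be replaced with the real SID of the Active Directory computer group before the bypass rule means anything.

```powershell
# Added example, not from the original document. Run in an elevated PowerShell
# session on Windows Vista or later; netsh advfirewall is the built-in CLI for
# Windows Firewall with Advanced Security.

# 1. Turn on all three location-aware profiles with the default policy the
#    text describes: block inbound, allow outbound. The comma-separated value
#    is quoted so PowerShell passes it as one argument instead of an array.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 2. Granular inbound rule: TCP 3389 is allowed only on the Domain profile and
#    only from the management subnet (10.0.50.0/24 is a constructed value).
netsh advfirewall firewall add rule name=Allow-RDP-Domain dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.50.0/24 profile=domain

# 3. Outbound filtering: a specific program (placeholder path) may not send
#    traffic while the computer is on a Public network.
netsh advfirewall firewall add rule name=Block-LegacyTool-Out-Public dir=out action=block program=C:\Tools\legacytool.exe profile=public

# 4. Authenticated bypass scoped to an AD computer group. SMB is blocked on the
#    Domain profile, but IPsec-authenticated connections from members of the
#    group get through. The SID is a placeholder: read the real one from
#    Active Directory and wrap it in an SDDL DACL string as shown.
$adminWsSid = "S-1-5-21-0000000000-0000000000-0000000000-1234"   # placeholder SID
$sddl = "D:(A;;CC;;;$adminWsSid)"

# A connection security rule is what makes peers negotiate IPsec at all; the
# firewall rule below only checks that the connection was authenticated.
netsh advfirewall consec add rule name=Request-IPsec-Domain endpoint1=any endpoint2=any action=requestinrequestout profile=domain

netsh advfirewall firewall add rule name=Block-SMB-In-Domain dir=in action=block protocol=TCP localport=445 profile=domain
netsh advfirewall firewall add rule name=Bypass-SMB-AdminWS dir=in action=bypass protocol=TCP localport=445 security=authenticate rmtcomputergrp=$sddl profile=domain

# 5. Verify the stored rule and see which profile is active on this computer.
netsh advfirewall firewall show rule name=Bypass-SMB-AdminWS verbose
netsh advfirewall show currentprofile
```

The block rule and the bypass rule deliberately match the same traffic: Windows Firewall with Advanced Security evaluates authenticated bypass rules before block rules, and block rules before allow rules, which is what lets a narrowly scoped bypass punch through a broad block. Without the connection security rule (or an equivalent one delivered by Group Policy) no IPsec negotiation takes place, the incoming SMB connection is never authenticated, and only the block rule applies.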

IPv6 Support

The Windows Firewall with Advanced Security fully supports a pure IPv6 environment.