Basic Firewall Policy Design

Applies To: Windows Server 2008, Windows Server 2008 R2

Many organizations have a network perimeter firewall that is designed to prevent the entry of malicious traffic into the organization's network, but do not have a host-based firewall enabled on each computer in the organization.

The Basic Firewall Policy Design helps you to protect the computers in your organization from unwanted network traffic that gets through the perimeter defenses, or that originates from inside your network. In this design, you deploy firewall rules to each computer in your organization to allow traffic that is required by the programs that are used. Traffic that does not match the rules is dropped.

Traffic can be blocked or permitted based on the characteristics of each network packet: its source or destination IP address, its source or destination port numbers, the program on the computer that receives the inbound packet, and so on. This design can also be deployed together with one or more of the other designs that add IPsec protection to the network traffic permitted.

Many network administrators do not want to tackle the difficult task of determining all the appropriate rules for every program that is used by the organization, and then maintaining that list over time. In fact, most programs do not require specific firewall rules. The default behavior of Windows and most contemporary applications makes this task easy:

  • On client computers, the default firewall behavior already supports typical client programs. Programs designed for Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 create any required rules for you as part of the installation process. You only have to create a rule if the client program must be able to receive unsolicited inbound network traffic from another computer.

  • When you install a server program that must accept unsolicited inbound network traffic, the installation program likely creates or enables the appropriate rules on the server for you.

    For example, when you install a server role by using the Role Management Tool in Windows Server 2008 R2 or Windows Server 2008, the appropriate firewall rules are created and enabled automatically. For Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008, the Security Configuration Wizard configures firewall rules appropriate for the programs and services installed on the server.

  • For other standard network behavior, the predefined rules that are built into Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 can easily be configured in a GPO and deployed to the computers in your organization.

    For example, by using the predefined groups for Core Networking and File and Printer Sharing you can easily configure GPOs with rules for those frequently used networking protocols.
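The following script is an added example, not code from the original article: it applies the design described above to a single Windows Server 2008 R2 or Windows 7 computer with netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security on those releases (the NetSecurity PowerShell cmdlets exist only from Windows 8 and Windows Server 2012). The program path, rule name and port are hypothetical placeholders.

```powershell
# Added example (not from the original article). Builds the Basic Firewall
# Policy on one computer: firewall on, default-deny inbound, predefined rule
# groups enabled, one explicit rule for a server program. Run from an
# elevated PowerShell 2.0 session on Windows 7 / Windows Server 2008 R2.
$ErrorActionPreference = 'Stop'

# 1. Turn the firewall on for every profile and make unsolicited inbound
#    traffic drop by default; outbound (client) traffic stays allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. Use the predefined groups the article names instead of hand-written
#    per-protocol rules for standard network behaviour.
netsh advfirewall firewall set rule group="Core Networking" new enable=yes
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

# 3. A server program that must accept unsolicited inbound traffic gets a
#    rule scoped to the executable, protocol, port and the domain profile.
#    Path, name and port below are hypothetical.
$agent = 'C:\Program Files\Contoso\InvAgent.exe'
netsh advfirewall firewall add rule name="Contoso Inventory Agent (TCP-In)" `
    dir=in action=allow profile=domain protocol=TCP localport=8443 `
    program="$agent" enable=yes

# 4. Log dropped packets so a missing rule shows up in the log rather than
#    as an unexplained application failure.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# 5. Verify the effective settings and the new rule.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Contoso Inventory Agent (TCP-In)"

# To author the same settings into a Group Policy object instead of the local
# store, point netsh at the GPO first (assumed syntax; check with
# 'netsh advfirewall set store ?'):
#   netsh advfirewall set store gpo=<domain>\<GPO name>
```

The same settings are what you would configure in a GPO under Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security and link to the OUs that contain the target computers.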

With few exceptions, the firewall can be enabled on all configurations of Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008. Therefore, we recommend that you enable the firewall on every computer in your organization. This includes servers in your perimeter network, mobile and remote clients that connect to the network, and all servers and clients in your internal network.

Warning

Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.

By default, in new installations, Windows Firewall is turned on in Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008. If you must disable the firewall, such as when you want to use a third-party firewall program, do not disable Windows Firewall by stopping the service. Instead, use the Windows Firewall with Advanced Security interface (or equivalent Group Policy setting) to turn the firewall off.

If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting. For more information about Windows Service Hardening, see https://go.microsoft.com/fwlink/?linkid=104976.

Third-party firewall software that is compatible with Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. Do not disable the firewall yourself for this purpose.
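The following audit script is an added example, not code from the original article: it checks one computer for the unsupported state the warning describes (the Windows Firewall service stopped or disabled) as opposed to the supported state (service running, firewall turned off per profile), and prints findings. It assumes the service names MpsSvc (Windows Firewall) and BFE (Base Filtering Engine) and PowerShell 2.0 on Windows 7 or Windows Server 2008 R2.

```powershell
# Added example (not from the original article). Distinguishes "service
# stopped" (unsupported) from "firewall off" (supported) on one computer.

function Get-FirewallProfileState {
    # Parses 'netsh advfirewall show allprofiles state' into a hashtable of
    # profile name -> ON/OFF. Returns an empty table when the service is
    # stopped, because netsh cannot query the firewall in that case.
    $states = @{}
    $profile = $null
    foreach ($line in (netsh advfirewall show allprofiles state 2>&1)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $profile = $Matches[1]
        } elseif ($profile -and $line -match '^State\s+(ON|OFF)') {
            $states[$profile] = $Matches[1]
        }
    }
    return $states
}

function Test-FirewallPolicyCompliance {
    $findings = @()
    # The service must keep running even when the firewall is turned off:
    # IPsec connection security rules, Windows Service Hardening and the
    # network-fingerprinting protection the warning mentions depend on it.
    foreach ($name in 'MpsSvc', 'BFE') {   # Windows Firewall, Base Filtering Engine
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { $findings += "service $name not found"; continue }
        if ($svc.Status -ne 'Running') {
            $findings += "service $name is $($svc.Status) (unsupported configuration)"
        }
        $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        if ($mode -eq 'Disabled') { $findings += "service $name start type is Disabled" }
    }
    # A profile that is OFF is supported but still worth reporting in a
    # design that expects the firewall on every computer.
    foreach ($entry in (Get-FirewallProfileState).GetEnumerator()) {
        if ($entry.Value -ne 'ON') { $findings += "$($entry.Key) profile firewall is OFF" }
    }
    return $findings
}

$result = @(Test-FirewallPolicyCompliance)
if ($result.Count -eq 0) { 'Compliant: service running, firewall ON for all profiles' }
else { $result | ForEach-Object { "FINDING: $_" } }

# Supported way to turn the firewall off when a third-party product needs it
# (leaves MpsSvc running, so IPsec rules and service hardening keep working):
#   netsh advfirewall set allprofiles state off
```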

An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation.

After implementing this design, your administrative team will have centralized management of the firewall rules applied to all computers that are running Windows in your organization.

Important

If you also intend to deploy the Domain Isolation Policy Design, or the Server Isolation Policy Design, we recommend that you do the design work for all three designs together, and then deploy in layers that correspond with each design.

The basic firewall design can be applied to computers that are part of an Active Directory forest. Active Directory is required to provide the centralized management and deployment of Group Policy objects that contain the firewall settings and rules.
