Order of Windows Firewall with Advanced Security Rules Evaluation
Published: April 17, 2009
Updated: December 1, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Windows Firewall with Advanced Security supports the following types of rules:
Windows Service Hardening. This type of built-in rule restricts services from establishing connections in ways other than they were designed. Service restrictions are configured so that Windows services can communicate only in specified ways (for example, allowed traffic might be restricted to a specified port).
Connection security rules. This type of rule defines how and when computers authenticate using IPsec. A connection security rule can also require encryption, which helps to keep data private. Connection security rules are typically used to establish server and domain isolation, as well as to enforce NAP policy.
Authenticated bypass rules. This type of rule allows the connection of specified computers or users even when inbound firewall rules would block the traffic. This rule requires that the network traffic from the authorized computers is authenticated by IPsec so identity can be confirmed. For example, you can allow remote firewall administration from only certain computers by creating authenticated bypass rules for those computers, or enable support for remote assistance by the Help Desk. This kind of rule is sometimes used in enterprise environments to permit “trusted” network traffic analyzers to access computers to assist in troubleshooting connectivity problems. A bypass rules lists the computers that are permitted to bypass rules that would otherwise block network traffic. Because the computer running the network analysis authenticates and is identified as being on the “allowed” list in the bypass rule, authenticated traffic from that computer is permitted through the firewall.
Block rules. This type of rule explicitly blocks a particular type of incoming or outgoing traffic. Because these rules are evaluated before allow rules, they take precedence. Network traffic that matches both an active block and an active allow rule is blocked.
Allow rules. This type of rule explicitly allows a particular type of incoming or outgoing traffic.
Default rules. These rules define the action that takes place when a connection does not match any other rule. The inbound default is to block connections and the outbound default is to allow connections. The defaults can be changed in Windows Firewall Properties on a per-profile basis.
Figure 2 shows the order in which Windows Firewall with Advanced Security applies the various types of rules. This ordering of rules is always enforced, even when rules are coming from Group Policy. Rules, including those from Group Policy, are sorted and then applied. Windows Service Hardening rules are not configurable via Group Policy. Domain administrators can allow or deny local administrators the permission to create new rules.