Key Deployment Scenarios

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

You can deploy Windows Firewall with Advanced Security to help implement the following scenarios:

  • Network location-aware host firewall

  • Server and domain isolation

For additional key scenarios, see the Key Scenarios section of the Introduction to Windows Firewall with Advanced Security.

Network location-aware host firewall

Many applications connect to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can automatically adapt to changing network conditions has been difficult for developers. Network Location Awareness (NLA) APIs enable applications to sense changes to the network to which the computer is connected, such as placing a portable computer into standby mode at work and then restarting it at a wireless hotspot. This enables Windows Vista and later versions of Windows to alert applications of network changes, and these applications can then behave differently to provide a seamless experience.

Windows 7, Windows Vista, Windows Server 2008 R2, and Windows Server 2008 identify and remember each of the networks to which they connect. Network Awareness APIs then allow applications to query for characteristics of each of these networks, including:

  • Connectivity. A network might be disconnected, it might provide access to only the local network, or it might provide access to the local network and the Internet.

  • Connections. A computer might be connected to a network by one or more connections. Network Awareness APIs enable applications to determine which connections Windows is currently using to connect to a specific network.

There are three network location types in Windows Firewall with Advanced Security:

  • Domain. Windows automatically places in this category any network on which it can authenticate access to a domain controller for the domain to which the computer is joined. No other networks can be placed in this category.

  • Public. Other than domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public places, such as airports and coffee shops, should be left public.

  • Private. A network will only be categorized as private if a user or application identifies the network as private. Only networks located behind a NAT device (preferably a hardware firewall) should be identified as private networks. Users will likely want to identify home or small business networks as private.

When a user first connects to a network that is not part of the domain network location type, Windows asks the user to identify the network as either public or private. The user must be a local administrator of the computer to identify the network as private. When the types of networks to which the computer is connected are identified, Windows is able to optimize some of its configuration (especially its firewall configuration) for the specified network location types.

The Windows Firewall with Advanced Security is an example of a network-aware application. The administrator can create a profile for each network location type, with each profile containing different firewall policies. For example, the Windows Firewall can automatically allow incoming traffic for a specific desktop management tool over a connection to a domain network, but block similar traffic over connections to public or private networks. In this way, network awareness can provide flexibility on your internal network without sacrificing security when mobile users travel. A public network profile should have stricter firewall policies to protect against unauthorized access. A private network profile, on the other hand, might have less restrictive firewall policies to allow file and print sharing, peer-to-peer discovery, and connectivity with Windows Connect Now devices.

In Windows 7 and Windows Server 2008 R2, each network connection is assigned the profile appropriate for the network to which it is attached.

Important

In Windows Vista and Windows Server 2008, only one profile is applied at any one time.

The profile selection order used in Windows Vista and Windows Server 2008 is as follows:

  1. If any interface is connected to a network classified as public, the public profile is applied to all connections on the computer.

  2. If no interfaces are connected to a public network, but one or more interfaces are connected to networks that are classified as private, the private profile is applied to all connections on the computer.

  3. Only if all interfaces are authenticated to a domain controller for the domain of which the computer is a member is the domain profile applied to all connections on the computer.

This process is not used in Windows 7 or Windows Server 2008 R2 because each connection is assigned to the profile appropriate for its detected network type.
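The practical consequence of the two selection methods is easiest to see side by side. The following PowerShell is an added example, not Microsoft's code or part of the original page: it models the Windows Vista / Server 2008 single-profile order above against the per-connection assignment in Windows 7 / Server 2008 R2, using a constructed docked-laptop scenario (corporate LAN plus a public Wi-Fi hotspot) and a hypothetical inbound rule scoped to the domain profile only.

```powershell
# Added example (not Microsoft's code). Models profile selection for a set of
# connections; the connection list below is constructed for the demonstration.

function Get-EffectiveProfiles {
    param([array]$Connections, [ValidateSet('Vista','Win7')][string]$Os)
    $result = @{}
    if ($Os -eq 'Win7') {
        # Windows 7 / Server 2008 R2: each connection keeps the profile of its own network.
        foreach ($c in $Connections) { $result[$c.Name] = $c.Category }
        return $result
    }
    # Windows Vista / Server 2008: one profile for the whole computer, chosen in order:
    # any public network wins, then private, and domain only if every interface
    # authenticated to a domain controller.
    $single = 'Domain'
    if ($Connections | Where-Object { $_.Category -eq 'Private' }) { $single = 'Private' }
    if ($Connections | Where-Object { $_.Category -eq 'Public'  }) { $single = 'Public'  }
    foreach ($c in $Connections) { $result[$c.Name] = $single }
    return $result
}

# Constructed scenario: docked laptop on the domain LAN while its Wi-Fi adapter is
# also associated with a public hotspot.
$connections = @(
    (New-Object PSObject -Property @{ Name = 'LAN';   Category = 'Domain' }),
    (New-Object PSObject -Property @{ Name = 'Wi-Fi'; Category = 'Public' })
)

# Hypothetical inbound rule for a desktop management tool, allowed on the domain profile only.
$ruleProfiles = @('Domain')

foreach ($os in 'Vista','Win7') {
    $profiles = Get-EffectiveProfiles -Connections $connections -Os $os
    foreach ($name in ($profiles.Keys | Sort-Object)) {
        $active = $ruleProfiles -contains $profiles[$name]
        '{0,-5} {1,-5} profile={2,-7} domain-only rule active={3}' -f $os, $name, $profiles[$name], $active
    }
}
```

On Vista the single public Wi-Fi connection drops every interface, including the LAN, to the public profile, so the domain-only rule is active nowhere; on Windows 7 the LAN still receives the domain profile while the hotspot connection stays public.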

By default, all unsolicited incoming traffic is blocked except for core networking traffic. On the private profile, network discovery and remote assistance traffic is allowed. You must create specific rules to allow other authorized traffic to pass through the firewall into the computer. The default settings allow all outgoing traffic. You must specifically block programs or types of outgoing traffic that you do not want allowed.

Server and domain isolation

In a Microsoft Windows-based network, you can logically isolate server and domain resources to limit access to authenticated and authorized computers. For example, you can create a logical network inside the existing physical network where computers share a common set of requirements for secure communications. Each computer in this logically isolated network must provide authentication credentials to other computers in the isolated network in order to establish connectivity.

This isolation helps prevent unauthorized computers and programs from gaining access to resources inappropriately. Requests from computers that are not part of the isolated network are ignored. Server and domain isolation can help protect specific high-value servers and data as well as protect managed computers from unmanaged or rogue computers and users.

You can use two types of isolation to protect a network:

  • Server isolation. In a server isolation scenario, specific servers are configured to require IPsec policy to accept only authenticated communications from other computers. For example, you might configure the database server to accept connections from the web application server only.

  • Domain isolation. To isolate a domain, you use Active Directory domain membership to ensure that computers that are members of a domain accept only authenticated and secured communications from other computers that are domain members. The isolated network consists of only computers that are part of the domain. Domain isolation uses IPsec policy to provide protection for traffic sent between domain members, including all client and server computers.
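The rules described above, both the profile-scoped inbound rule from the network-location section and the server and domain isolation rules, can be created with netsh advfirewall. The following script is an added example, not part of the original page or of Microsoft's documentation; netsh is used because the NetSecurity PowerShell cmdlets are not available on the Windows versions this page covers. The rule names, the program path, and the IP addresses (10.0.2.10 for the database server, 10.0.1.20 for the web application server) are placeholders for a lab, and each block is meant to be run from an elevated prompt on the host it names.

```powershell
# Added example (not Microsoft's code). Placeholder names, paths and addresses.

# --- Network-location-aware rule (any managed client): a desktop management
# agent may accept inbound connections only while the connection is on the
# domain profile. Inbound traffic on public and private profiles stays blocked
# by the default inbound policy, so no explicit block rule is needed.
netsh advfirewall firewall add rule name="Contoso Mgmt Agent domain only" `
    dir=in action=allow program="C:\Program Files\Contoso\MgmtAgent.exe" `
    profile=domain

# --- Server isolation (run on the database server, 10.0.2.10):
# 1. Connection security rule: require IPsec authentication for inbound traffic
#    and request it for outbound, between the database server and the web
#    application server, using Kerberos computer authentication.
netsh advfirewall consec add rule name="DB accepts Web tier" `
    endpoint1=10.0.2.10 endpoint2=10.0.1.20 `
    action=requireinrequestout auth1=computerkerb profile=domain

# 2. Firewall rule: accept SQL Server (TCP 1433) only from the web application
#    server and only over an IPsec-authenticated connection.
netsh advfirewall firewall add rule name="SQL from Web tier" `
    dir=in action=allow protocol=TCP localport=1433 remoteip=10.0.1.20 `
    security=authenticate profile=domain

# --- Domain isolation (applied to every domain member, normally through Group
# Policy): inbound traffic must be authenticated, so requests from computers
# outside the domain are ignored, while outbound traffic merely requests
# authentication so members can still reach hosts that do not support IPsec.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain

# --- Verification: active profile(s) and the rules just created.
netsh advfirewall show currentprofile
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name="SQL from Web tier"
```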

For more information about server and domain isolation on the Microsoft Web site, see Server and Domain Isolation (https://go.microsoft.com/fwlink/?LinkId=74576).