How to Enable Authenticated Firewall Bypass

Applies To: Windows Server 2008

Authenticated bypass enables you to create rules for Windows Firewall with Advanced Security that block incoming traffic unless it is from a specified trusted computer or user. For example, an administrator might want to deploy firewall rules to computers on the network that do not have any subnet, IP address, or port-level exceptions. However, the administrator might also want to use an enterprise management and security program to scan and update those same computers. To reconcile these conflicting goals, the administrator can create and deploy connection security and firewall rules that require computer-based Kerberos version 5 authentication. With these rules and settings in place, the administrator can deploy Windows Firewall with no exceptions, but the scanning server can access all required ports on the clients. The use of authenticated bypass in this scenario eliminates the need for port-level exceptions.

In this topic:

  • How does authenticated bypass work?

  • Authenticated bypass for Windows XP and Windows Server 2003

  • Using the Netsh command-line tool to create an authenticated bypass rule

How does authenticated bypass work?

There are two methods for configuring authenticated bypass rules:

  • All authenticated IP traffic from approved computers bypasses Windows Firewall. This method uses connection security rules that specify computer-based authentication and a list of computers or groups of computers whose network traffic can bypass the firewall. This method is supported on computers that are running Windows® XP with Service Pack 2 (SP2) or later.

  • Traffic that matches a firewall rule that uses the Allow connection if it is secure setting bypasses Windows Firewall. The rule can filter the traffic by IP address, port, or protocol. This method is supported on Windows Vista® or Windows Server® 2008.

Authenticated bypass for Windows XP and Windows Server 2003

To allow all authenticated IP traffic from approved computers to bypass Windows Firewall, you configure the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting with a Security Descriptor Definition Language (SDDL) string that contains a list of the computers or groups of computers whose network traffic you want to bypass Windows Firewall. If a computer receives an IPsec-protected network packet from a computer that is a member of one of the security groups on the SDDL list, Windows Firewall allows the traffic to bypass firewall filters on the computer and allows the inbound traffic.

The Windows Firewall: Allow authenticated IPSec bypass Group Policy setting can be found in the Group Policy editing tools under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

The format of the SDDL string for a single group is:

O:DAG:DAD:(A;;RCGW;;;SID)

Where SID is the security identifier (SID) of a group account. See Finding the SID for a group account later in this topic.

If you want to allow computers in a group to bypass Windows Firewall, use the following string to configure the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting:

O:DAG:DAD:(A;;RCGW;;;S-1-5-21-3575094098-3669797271-991787341-1127)

If you have more than one group, then the syntax for the SDDL string is:

O:DAG:DAD:(A;;RCGW;;;sid1)(A;;RCGW;;;sid2)(A;;RCGW;;;sid3)…

In Windows Vista and Windows Server 2008, the format required for the SDDL string has changed.

In Windows XP and Windows Server 2003, this is the required format:

O:DAG:DAD:(A;;RCGW;;;S-1-5-21-2127521184-1604012920-1887927527-1856988)(A;;RCGW;;;S-1-5-21-2127521184-1604012920-1887927527-1856817)

In Windows Vista and Windows Server 2008, this is the required format:

O:DAG:DAD:(A;;CC;;;S-1-5-21-2127521184-1604012920-1887927527-1856988)(A;;CC;;;S-1-5-21-2127521184-1604012920-1887927527-1856817)

The characters RCGW must be changed to CC.
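The following PowerShell functions are an added example (not code from the original article) that build the SDDL string for the Windows Firewall: Allow authenticated IPSec bypass setting in either format, convert an existing XP/2003 string to the Vista/2008 format, and check a string against the expected shape before it is pasted into Group Policy. The function names are constructed for this example; the two SIDs are the ones used in the article's Vista/2008 sample.

```powershell
# Added example (not from the original article): builds and validates the SDDL string
# for the "Windows Firewall: Allow authenticated IPSec bypass" Group Policy setting.
# Function names are constructed for illustration.

function New-AuthenticatedBypassSddl {
    param(
        [Parameter(Mandatory=$true)][string[]]$GroupSid,
        [ValidateSet('XP2003', 'Vista2008')][string]$Platform = 'Vista2008'
    )
    # Windows XP / Server 2003 expect RCGW in each ACE; Windows Vista / Server 2008 expect CC.
    $rights = if ($Platform -eq 'XP2003') { 'RCGW' } else { 'CC' }

    foreach ($sid in $GroupSid) {
        # Reject anything that is not a well-formed SID string before it reaches Group Policy.
        if ($sid -notmatch '^S-1-\d+(-\d+)+$') {
            throw "Not a valid SID string: '$sid'. Resolve the group name to a SID first."
        }
    }
    # One ACE per group, concatenated with no separators, after the owner/group prefix.
    $aces = ($GroupSid | ForEach-Object { "(A;;$rights;;;$_)" }) -join ''
    return "O:DAG:DAD:$aces"
}

function Convert-AuthenticatedBypassSddl {
    # Rewrites an XP/2003-format string (RCGW) into the Vista/2008 format (CC).
    param([Parameter(Mandatory=$true)][string]$Sddl)
    return $Sddl -replace ';;RCGW;;;', ';;CC;;;'
}

function Test-AuthenticatedBypassSddl {
    # Checks that a string has exactly the shape the policy expects for the given platform:
    # the O:DAG:DAD: prefix followed by one or more ACEs with the right access string and a SID.
    param(
        [Parameter(Mandatory=$true)][string]$Sddl,
        [ValidateSet('XP2003', 'Vista2008')][string]$Platform = 'Vista2008'
    )
    $rights = if ($Platform -eq 'XP2003') { 'RCGW' } else { 'CC' }
    return $Sddl -match "^O:DAG:DAD:(\(A;;$rights;;;S-1-\d+(-\d+)+\))+$"
}

# Sample SIDs taken from the article's Vista/2008 example.
$sids = 'S-1-5-21-2127521184-1604012920-1887927527-1856988',
        'S-1-5-21-2127521184-1604012920-1887927527-1856817'

$xp    = New-AuthenticatedBypassSddl -GroupSid $sids -Platform XP2003
$vista = Convert-AuthenticatedBypassSddl -Sddl $xp
$xp
$vista
# An XP/2003 string fails the Vista/2008 check because it still carries RCGW.
Test-AuthenticatedBypassSddl -Sddl $vista -Platform Vista2008
Test-AuthenticatedBypassSddl -Sddl $xp    -Platform Vista2008
```

Running Test-AuthenticatedBypassSddl against the string you are about to enter catches the two mistakes this section warns about: spaces or other separators between ACEs, and RCGW left in a string meant for Windows Vista or Windows Server 2008.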

Enabling authenticated IPsec bypass

To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

To allow traffic protected by IPsec through Windows Firewall

  1. Open the Group Policy Management Console to modify the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. In the navigation pane, expand Computer Configuration, expand Administrative Templates, expand Network, expand Network Connections, and then click Windows Firewall.

  3. In the results pane, double-click Windows Firewall: Allow authenticated IPSec bypass.

  4. In the Windows Firewall: Allow authenticated IPSec bypass Properties dialog box, on the Settings tab, click Enabled.

  5. In Define IPSec peers to be exempted from firewall policy, type the SDDL string that corresponds to the group accounts for the computers to which this policy applies, and then click OK.

Note

Group Policy settings must be refreshed before they take effect.
If you enable the Windows Firewall: Allow authenticated IPSec bypass setting, and then later disable the setting, the SDDL strings that you entered are deleted. Therefore, save the SDDL strings that you use to perform this procedure in case you must perform it again.
This procedure can be performed through Group Policy only. You cannot use the graphical user interface or the command prompt to perform this procedure.

Authenticated bypass for Windows Vista and Windows Server 2008

You can perform the preceding procedure on computers running Windows Vista and Windows Server 2008, but Windows Vista and Windows Server 2008 also support the creation of more detailed authenticated bypass rules, specifically:

  • You can enable authenticated bypass only for network traffic types you specify. In Windows XP and Windows Server 2003, if the traffic is successfully authenticated, it bypasses the firewall. You cannot limit the traffic to only specified network ports, protocols, or IP addresses.

  • You can approve specific users, or groups of users, in addition to computer accounts, because Windows Vista and Windows Server 2008 now support user-based authentication.

  • You can specify that authenticated bypass is permitted only if the network traffic is encrypted by using IPsec, in addition to the previously required authentication.

Instead of a Group Policy setting, you enable authenticated bypass in Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 by setting the Allow connection if it is secure option in a firewall rule. Selecting this check box enables the Users and Computers tab that you can use to enter the computer or user group accounts that are checked against the credentials supplied by IPsec authentication. This results in a set of rules that say "this traffic from the approved computers or users is permitted if no other rules block it."

If you also enable Override block rules in the firewall rule, then authenticated traffic that matches the rule is permitted, even if another rule would block it. The result is a set of rules that say "this traffic is blocked unless it is coming from an authenticated computer or user who is approved."

Enabling authenticated bypass

To perform the following procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

To allow network traffic protected by IPsec through Windows Firewall by using the Windows Firewall with Advanced Security MMC snap-in

  1. Open the Windows Firewall with Advanced Security MMC snap-in.

  2. In the navigation pane, right-click Inbound Rules, and then select New rule.

  3. In the New Inbound Rule Wizard, configure the Rule Type, Program, Protocol and Ports, and Scope, according to the type of network traffic you want to allow to bypass the firewall.

  4. On the Action page, select Allow the connection if it is secure, select Override block rules, and then click Next.

  5. On the Users and Computers wizard page, select Only allow connections from these computers, click Add, and then select the computer or computer groups that you want to allow to bypass the firewall rules on this computer.

  6. Select Only allow connections from these users, click Add, and then select the user or user groups that you want to allow to bypass the firewall rules on this computer.

Note

This option works only if the computers support user-based authentication. User-based authentication is supported in Windows Vista and Windows Server 2008.

  7. Follow the remaining steps in the wizard.

Note

Authenticated bypass and override block rules can also be created by using the Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security node in a GPO.

Using the Netsh command-line tool to create an authenticated bypass rule

For computers that are running Windows Vista and Windows Server 2008, you can also create authenticated bypass rules by using the Netsh command-line tool.

To create an authenticated bypass rule, you specify the following parameters:

  • dir=in

    This parameter specifies that the rule is an inbound firewall rule. Authenticated bypass is supported for inbound firewall rules only.

  • security=authenticate or security=authenc

    Either parameter specifies that authentication is required.

  • action=bypass

    This parameter specifies that network traffic matching the criteria in this rule can bypass other firewall rules if the traffic is authenticated by an approved user or computer.

  • rmtcomputergrp="D:(A;;CC;;;SIDofComputerGroup)"

    This parameter specifies the SID of a computer or computer group account. See Finding the SID for a group account for more information.

  • rmtusrgrp="D:(A;;CC;;;SIDofUserGroup)"

    This optional parameter specifies the SID of a user or user group account. See Finding the SID for a group account for more information.

Important

If you specify the rmtusrgrp parameter, then you create a rule that works only with computers that support AuthIP, an extension of the Internet Key Exchange (IKE) protocol that adds support for user-based authentication. Computers that are running Windows Vista and Windows Server 2008 support AuthIP. Computers that are running Windows XP or Windows Server 2003 use IKE v1 only, and cannot perform user-based authentication.

When combined into a complete command using a single computer group and a single user group, the syntax for creating an authenticated bypass rule might look like the following:

netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in security=authenticate action="bypass" rmtcomputergrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1114)" rmtusrgrp="D:(A;;CC;;;S-1-5-21-2329867823-2610410949-1491576313-1735)"

This example permits authenticated bypass for any network traffic on any port from any IP address, as long as it is authenticated as coming from a user and computer account that is a member of the specified groups.
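The following PowerShell function is an added example (not code from the original article) that wraps the netsh command above so that the rule can be scoped to a protocol and local port, as the Vista/2008 section says is possible, instead of admitting all traffic on all ports. It uses only the netsh parameters listed in this topic plus the standard protocol and localport parameters of netsh advfirewall firewall add rule; the function name and the sample SIDs are constructed for this example.

```powershell
# Added example (not from the original article): creates an authenticated bypass rule
# with netsh from PowerShell, optionally scoped to a protocol and local port, and reads
# the stored rule back so the scope and security setting can be verified.
# Function name and sample SIDs are constructed for illustration.

function New-AuthenticatedBypassRule {
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$ComputerGroupSid,
        [string]$UserGroupSid,        # optional: peers must support AuthIP (Vista/2008)
        [string]$Protocol,            # optional: for example TCP
        [string]$LocalPort,           # optional: for example 445
        [switch]$RequireEncryption    # security=authenc instead of security=authenticate
    )
    foreach ($sid in @($ComputerGroupSid, $UserGroupSid) | Where-Object { $_ }) {
        if ($sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a valid SID string: '$sid'" }
    }
    $security = if ($RequireEncryption) { 'authenc' } else { 'authenticate' }

    # Build the netsh argument list. PowerShell quotes any argument that contains a
    # space (the rule name) when it invokes a native executable; the group parameters
    # take the D:(A;;CC;;;SID) form and contain no spaces.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
                   "name=$Name", 'dir=in', "security=$security", 'action=bypass',
                   "rmtcomputergrp=D:(A;;CC;;;$ComputerGroupSid)")
    if ($UserGroupSid) { $netshArgs += "rmtusrgrp=D:(A;;CC;;;$UserGroupSid)" }
    if ($Protocol)     { $netshArgs += "protocol=$Protocol" }
    if ($LocalPort)    { $netshArgs += "localport=$LocalPort" }

    & netsh.exe $netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }

    # Read the rule back to confirm what was stored (scope, security, remote groups).
    & netsh.exe advfirewall firewall show rule "name=$Name" verbose
}

# Constructed sample: bypass only for TCP port 445 from the scanning servers' computer group.
New-AuthenticatedBypassRule -Name 'Inbound Secure Bypass Rule (SMB)' `
    -ComputerGroupSid 'S-1-5-21-2329867823-2610410949-1491576313-1114' `
    -Protocol TCP -LocalPort 445
```

Omitting the user group keeps the rule usable by Windows XP and Windows Server 2003 peers, which cannot do user-based authentication; adding -RequireEncryption is the netsh equivalent of the "encrypted by using IPsec" option described earlier in this topic.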

Finding the SID for a group account

Use the Getsid.exe command-line tool to obtain the SID of a group account. Getsid.exe is one of the Windows support tools available on the Windows Server 2003 product disk. For information about how to install the support tools, see Install Windows Support Tools (https://go.microsoft.com/fwlink/?linkid=111016). Getsid.exe is used to compare the SIDs of two accounts on different domain controllers, but you can also use it to obtain the SID of a specified user or group account.

To obtain a SID for a group account, use the following syntax:

getsid \\DomainController GroupName \\DomainController GroupName

where DomainController is the computer name of a domain controller and GroupName is the group account name.

The following example uses the Getsid.exe tool with a domain controller named EXAMPLE2 in the example.com domain and a group account named IPsecComputers:

C:\>getsid \\example2 IPsecComputers \\example2 IPsecComputers
The SID for account EXAMPLE\IPsecComputers matches account EXAMPLE\IPsecComputers
The SID for account EXAMPLE\IPsecComputers is 
S-1-5-21-3575094098-3669797271-991787341-1127
The SID for account EXAMPLE\IPsecComputers is
S-1-5-21-3575094098-3669797271-991787341-1127
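On Windows Vista and Windows Server 2008, the SID can also be resolved without installing the Windows Server 2003 support tools. The following PowerShell function is an added example (not code from the original article) that uses the .NET NTAccount and SecurityIdentifier classes to look up a group's SID and, like Getsid.exe, translates the result back to confirm it maps to the same account. The function name is constructed; the domain and group names are the article's sample values.

```powershell
# Added example (not from the original article): resolves a group account to its SID
# with the .NET NTAccount / SecurityIdentifier classes instead of Getsid.exe.
# Function name is constructed; the domain and group names are the article's sample values.

function Get-GroupAccountSid {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [Parameter(Mandatory=$true)][string]$GroupName
    )
    $account = New-Object System.Security.Principal.NTAccount($Domain, $GroupName)
    try {
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Account $Domain\$GroupName could not be resolved; check the name and domain connectivity."
    }
    # Translate the SID back to an account name to confirm the mapping, as Getsid.exe does.
    $roundTrip = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if ($roundTrip -ne "$Domain\$GroupName") {
        Write-Warning "SID $($sid.Value) resolved to $roundTrip, not $Domain\$GroupName"
    }
    return $sid.Value
}

$computerGroupSid = Get-GroupAccountSid -Domain 'EXAMPLE' -GroupName 'IPsecComputers'
"The SID for account EXAMPLE\IPsecComputers is $computerGroupSid"
# The value in the form the netsh rmtcomputergrp parameter expects:
"rmtcomputergrp=`"D:(A;;CC;;;$computerGroupSid)`""
```

The lookup goes through the local computer's domain controller, so run it on a domain-joined computer; a non-existent group raises IdentityNotMappedException rather than returning an empty string, which keeps a typo in the group name from producing an SDDL string with no usable ACE.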

Additional references

For more information, see the following topics: