The Cable Guy - January 2006

The New Windows Firewall in Windows Vista and Windows Server 2008

TechNet's The Cable Guy

By The Cable Guy

Microsoft Windows Vista and Windows Server 2008 include a new and enhanced version of Windows Firewall. Like the current Windows Firewall in Windows XP Service Pack 2 (SP2) and later and Windows Server 2003 Service Pack 1 (SP1) and later, the new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration and the applications that are currently running to provide a level of protection from malicious users and programs on a network. The new Windows Firewall includes enhancements for better protection and more advanced configuration.

Note This article describes the new features and the user interface for the new Windows Firewall. This article does not contain step-by-step instructions for configuring the new Windows Firewall for a specific scenario, rule, or behavior. For information on scenarios or specific configuration tasks, use the information in Windows Vista Help and Support. From the Windows Vista desktop, click Start, and then click Help and Support. In Windows Help and Support, type Windows Firewall in Search, and then press ENTER.

Enhancements in the new Windows Firewall

The new Windows Firewall in Windows Vista and Windows Server 2008 has the following enhancements over the current Windows Firewall in Windows XP SP2 and later and Windows Server 2003 SP1 and later:

  • Supports filtering for both incoming and outgoing traffic

  • New Microsoft Management Console (MMC) snap-in for graphical user interface (GUI) configuration

  • Firewall filtering and Internet Protocol security (IPsec) protection settings are integrated

  • Rules (exceptions) can be configured for Active Directory directory service accounts and groups, source and destination IP addresses, IP protocol number, source and destination Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, all or multiple TCP or UDP ports, specific types of interfaces, Internet Control Message Protocol (ICMP) and ICMP for IPv6 (ICMPv6) traffic by Type and Code, and for services

Supports filtering for both incoming and outgoing traffic

The new Windows Firewall supports firewalling for incoming traffic, dropping all unsolicited incoming traffic that does not correspond to either traffic sent in response to a request of the computer (solicited traffic) or unsolicited traffic that has been specified as allowed (excepted traffic). This is most crucial type of firewalling to have running on a computer, as it helps prevent the infection of computers by network-level viruses and worms that spread through unsolicited incoming traffic.

The new Windows Firewall supports firewalling for both incoming and outgoing traffic. For example, a network administrator can configure the new Windows Firewall with a set of rules to block all traffic sent to specific ports, such as the well-known ports used by virus software, or to specific addresses containing either sensitive or undesirable content.

The default behavior of the new Windows Firewall is to:

  • Block all incoming traffic unless it is solicited or it matches a configured rule.

  • Allow all outgoing traffic unless it matches a configured rule.

New MMC snap-in for GUI configuration

For the current Windows Firewall, the GUI for configuration consists of the Windows Firewall item in Control Panel and a series of Group Policy settings in the Group Policy editor snap-in. For more information about configuring the current Windows Firewall, see Manually Configuring Windows Firewall in Windows XP Service Pack 2.

You can configure the new Windows Firewall with the Windows Firewall item in Control Panel, which displays the same set of configuration options as for the current Windows Firewall. You can configure basic settings for the new Windows Firewall, but you cannot configure enhanced features.

Because of the number of advanced configuration options and the value of having the same GUI for both local and Active Directory Group Policy-based configuration, the new Windows Firewall can also be configured with an MMC snap-in named Windows Firewall with Advanced Security, which is available in the Administrative Tools folder.

With the new Windows Firewall with Advanced Security snap-in, network administrators can configure settings for the new Windows Firewall on remote computers, which is not possible for the current Windows Firewall without a remote desktop connection.

For command-line configuration of advanced settings of the new Windows Firewall, you can use commands in the netsh advfirewall context. This context does not exist for computers running Windows XP with SP2 or Windows Server 2003 with SP1.

For Group Policy-based configuration of the new Windows Firewall, go to Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security in the Group Policy Editor snap-in. The new Windows Firewall will apply Group Policy settings configured for the current Windows Firewall at Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Computers running Windows XP with SP2 or Windows Server 2003 will ignore the Group Policy settings for the new Windows Firewall.

Firewall and IPsec settings are integrated

IPsec is a set of Internet standards to provide cryptographic protection for IP traffic. In Windows XP and Windows Server 2003, Windows Firewall and IPsec are configured separately. Because both a host-based firewall and IPsec in Windows can block or allow incoming traffic, it is possible to create overlapping or contradictory firewall rules and IPsec rules. The new Windows Firewall has combined the configuration of both network services using the same GUI and command line commands. Another benefit to the integration of firewall and IPsec settings is that configuration of IPsec settings is highly simplified. For more information, see "Using the Windows Firewall with Advanced Security snap-in" in this article.

Rules can be configured for Active Directory accounts and groups

For rules that specify that incoming or outgoing traffic must be protected with IPsec, you can specify the list of computer accounts and groups or user accounts and groups that are authorized to initiate protected communication. For example, you can specify that traffic to specific servers with sensitive data must be protected and can only originate from specific users or computers.

Rules can be configured for source and destination IP addresses

With the current Windows Firewall, you can specify the scope of excepted incoming traffic. The scope defines the portion of the network from which the excepted traffic is allowed to originate, essentially the source IP addresses (both IPv4 and IPv6) of incoming traffic. With the new Windows Firewall, you can configure both source and destination IP addresses for both incoming and outgoing traffic, allowing you to more closely define the type of traffic that is allowed or blocked. For example, if a computer with a specific IP address is not allowed to originate traffic to a set of servers, you can create a blocking outbound rule specifying the locally assigned address as the source address and the addresses of the servers as the destination addresses.

For destination addresses, you can also specify the following predefined addresses with the new Windows Firewall:

  • Default gateway, WINS servers, DHCP servers, DNS servers

    These predefined addresses are dynamically mapped to the addresses of the host's currently defined default gateway, WINS servers, DHCP server, and DNS servers.

  • Local subnet

    These predefined addresses are dynamically mapped to the set of addresses defined by your IPv4 address and subnet mask or by your IPv6 local subnet prefix.

Rules can be configured for IP protocol number

In the current Windows Firewall, you can create rules based on TCP or UDP traffic, but you cannot specify other types of traffic that does not use TCP or UDP. The new Windows Firewall allows you to either select the protocol by name or manually type the value of the IPv4 Protocol or IPv6 Next Header fields for the desired traffic.

Rules can be configured for source and destination TCP and UDP ports

With the current Windows Firewall, you can specify the destination TCP or UDP port for incoming traffic. With the new Windows Firewall, you can configure both source and destination TCP or UDP ports for both incoming and outgoing traffic, allowing you to more closely define the type of TCP or UDP traffic that is allowed or blocked. For example, if you want to block malicious or undesirable traffic that uses a well-known set of TCP ports, you can create blocking outbound and inbound rules specifying the TCP source and destination ports of the traffic.

Rules can be configured for all or multiple ports

When configuring a port-based rule with the current Windows Firewall, you can only specify a single TCP or UDP port. With the new Windows Firewall, you can also specify all TCP or UDP ports (for all TCP or all UDP traffic) or a comma-delimited list of multiple ports. To configure the new Windows Firewall for a range of ports, you must specify all of the ports in the range. For example, if you want to configure a rule for the range of ports 1090-1095, you must configure the following ports: 1090,1091,1092,1093,1094,1095.

Rules can be configured for specific types of interfaces

With the current Windows Firewall, all the enabled rules applied to all the interfaces on which firewalling is enabled. With the new Windows Firewall, you can specify that a rule applies to all interfaces or to specific types of interfaces, which include LAN, remote access, or wireless interfaces. For example, if an application is only used over remote access connections and you do not want the rule to be active for LAN and wireless connections, you can configure the rule to apply only to remote access connections.

Rules can be configured for ICMP and ICMPv6 traffic by Type and Code

With the current Windows Firewall, you can enable rules for a fixed set of ICMP (for IPv4) and ICMPv6 messages. With the new Windows Firewall, there is a predefined set of commonly excepted ICMP and ICMPv6 messages and you can add new ICMP or ICMPv6 messages by specifying the ICMP or ICMPv6 message Type and Code field values. For example, if you want to create a rule for the ICMPv6 Packet Too Big message, you can manually create a rule for ICMPv6 Type 2 and Code 0.

Rules can be configured for services

With the current Windows Firewall, you must configure a rule for a service by specifying the path to the service program file name. With the new Windows Firewall, you can specify that the rule applies to any process, only for services, for a specific service by its service name, or you can type the short name for the service. For example, if you want to configure a rule to apply only to the Computer Browser service, you can select the Computer Browser service in the list of services running on the computer.

Using the Windows Firewall with Advanced Security snap-in

To configure advanced settings for the new Windows Firewall, from the Windows Vista or Windows Server 2008 desktop, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Windows Firewall with Advanced Security.

The following figure shows an example of the display of the Windows Firewall with Advanced Security snap-in.

The Windows Firewall with Advanced Security snap-in

See full-sized image.

To modify the new Windows Firewall state or specify additional settings that control the new Windows Firewall behavior, logging settings, and IPsec settings for each profile, right click Windows Firewall with Advanced Security in the tree, and then click Properties. The following figure shows an example.

Windows Firewall with Advanced Security console tree

See full-sized image.

The Windows Firewall with Advanced Security tree has the following nodes:

  • Inbound Rules Stores the set of configured rules for incoming traffic.

  • Outbound Rules Stores the set of configured rules for outgoing traffic.

  • Computer Connection Security Stores the set of rules for protected traffic.

  • Monitoring Displays information about current firewall rules, connection security rules, and security associations. The Monitoring node is not displayed when viewing the Windows Firewall with Advanced Security snap-in within the Group Policy Editor snap-in.

When you select the Windows Firewall with Advanced Security node in the tree, the following panes are displayed:

  • Overview and Getting Started The Overview section displays the current state of the new Windows Firewall for the domain and standard profiles, including which profile is active. The Getting Started section contains links to topics to get you started configuring rules.

  • Resources Provides links to documentation topics for the new Windows Firewall.

The Actions pane displays the context menu commands of the currently selected node in either the tree or details pane.

The new Windows Firewall configuration consists of the following:

  • Inbound rules

  • Outbound rules

  • Computer connection security rules

Configuring an Inbound Rule

To create a new inbound rule, right-click Inbound Rules in the tree, and then click New Rule. Alternately, click Inbound Rules in the tree, and then click New Rule in the Actions pane.

The New Inbound Rule wizard starts. The following figure shows an example.

Inbound Rule wizard

See full-sized image.

From the Rule Type page of the New Inbound Rule wizard, you can select the following:

  • Program To specify a rule for incoming traffic based on a program name. You must also specify an action (to allow, block, or protect), the profile to which the rule applies (standard, domain, or both), and a name for the rule.

  • Port To specify a rule for incoming traffic based on TCP or UDP ports. You must also specify an action (to allow, block, or protect), the profile to which the rule applies (standard, domain, or both), and a name for the rule.

  • Predefined To specify a rule based on one of the predefined services. You must also specify a name for the rule.

  • Custom To create a customized rule. You would select this option when you want to manually configure rule behavior, perhaps based on advanced settings that cannot be configured through the pages of the New Inbound Rule wizard. You must specify a name for the rule.

After the New Inbound Rule wizard has completed, there is a new inbound rule with the name you specified in the details pane. To configure advanced properties for the rule, right-click the name of the inbound rule and click Properties. Alternately, click the name, and then click Properties in the Actions pane.

Configuring an Outbound Rule

To create a new outbound rule, right-click Outbound Rules in the tree, and then click New Rule. Alternately, click Outbound Rules in the tree, and then click New Rule in the Actions pane.

The New Outbound Rule wizard starts. The following figure shows an example.

Outbound Rule wizard

See full-sized image.

From the Rule Type page of the New Outbound Rule wizard, you can select the following:

  • Program

  • Port

  • Predefined

  • Custom

These rule types are the same as for inbound rules, except they are for outgoing traffic.

After the New Outbound Rule wizard has completed, there is a new outbound rule with the name you specified in the details pane. To configure advanced properties for the rule, right-click the name of the outbound rule, and then click Properties. Alternately, click the name, and then click Properties in the Actions pane.

From the properties dialog box for either an inbound an outbound rule, you can configure settings on the following tabs:

  • General The rule's name and the rule's action (allow the connections, allow only secure connections, or block).

  • Programs and Services The programs or services to which the rule applies. You can optionally specify both a program and a service. If you specify both, both must match for the connection to match the rule.

  • User and Computers (inbound) or Computers (outbound) If the rule's action is to allow only secure connections, the user or computer accounts that are authorized to make protected connections.

  • Protocols and Ports The rule's IP protocol, source and destination TCP or UDP ports, and ICMP or ICMPv6 settings.

  • Scope The rule's source and destination addresses.

  • Advanced The profiles or types of interfaces to which the rule applies and, for inbound rules, whether you want to allow the traffic for this exception to pass through your router that is performing network address translation (edge traversal) using the Teredo technology. For more information, see Using IPv6 and Teredo.

Configuring a Connection Security Rule

To create a new connection security rule, right-click Connection Security Rules in the tree, and then click New Rule. Alternately, click Connection Security Rules in the tree, and then click New Rule in the Actions pane. The New Connection Security Rule wizard starts.

The following figure shows an example.

Authentication Rule wizard

See full-sized image.

From the Rule Type page of the Connection Security Rule wizard, you can select the following:

  • Isolation To specify that computers are isolated from other computers based on membership in a common Active Directory infrastructure or because they have an updated and current health status. You must specify when you want authentication to occur (for example, for incoming or outgoing traffic and whether you want to require or only request protection), the authentication method for protected traffic, and a name for the rule. Isolating computers based on their health status uses the new Network Access Protection platform in Windows Vista and Windows Server 2008. For more information, see the Network Access Protection Web site.

  • Authentication exemption rule To specify computers that do not have to authenticate or protect traffic by their IP addresses.

  • Server to server To specify traffic protection between specific computers, typically servers. You must specify the set of endpoints that will exchange protected traffic by IP address, when you want authentication to occur, the authentication method for protected traffic, and a name for the rule.

  • Tunnel To specify traffic protection that is tunneled, typically used when sending packets across the Internet between two security gateway computers. You must specify the tunnel endpoints by IP address, the authentication method, and a name for the rule.

  • Custom��To create a rule that does not specify a protection behavior. You would select this option when you want to manually configure a rule, perhaps based on advanced properties that cannot be configured through the pages of the Connection Security Rule wizard. You must specify a name for the rule.

After the Connection Security Rule wizard has completed, there is a new rule with the name you specified in the details pane of the Connection Security Rules node. To configure advanced properties for the rule, right-click the name of the rule, and then click Properties. Alternately, click the rule name in the details pane, and then click Properties in the Actions pane.

From the properties dialog box for a rule, you can configure settings on the following tabs:

  • General The rule's name and description.

  • Computers The set of computers, by IP address, for which traffic is protected.

  • Authentication When you want authentication for traffic protection to occur (for example, for incoming or outgoing traffic and whether you want to require or only request protection) and the authentication method for protected traffic.

  • Advanced The profiles and types of interfaces to which the rule applies and IPsec tunneling behavior.

For More Information

For more information about Windows Firewall, consult the following resources:

For a list of all The Cable Guy articles, click here.