Windows Firewall with Advanced Security

Updated: January 21, 2008

Applies To: Windows Server 2008

Beginning with the Windows Vista® and Windows Server® 2008 operating systems, configuration of both Windows® Firewall and Internet Protocol security (IPsec) is combined into a single tool, the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.

The Windows Firewall with Advanced Security MMC snap-in replaces both of the previous IPsec snap-ins, IP Security Policies and IP Security Monitor, for configuring computers that are running Windows Vista and Windows Server 2008. The previous IPsec snap-ins are still included with Windows to manage client computers that are running the Windows Server® 2003, Windows XP, or Microsoft® Windows 2000 operating systems. Although computers that are running Windows Vista and Windows Server 2008 can also be configured and monitored by using the previous IPsec snap-ins, you cannot use the older tools to configure the many new features and security options introduced in Windows Vista and Windows Server 2008. To take advantage of those new features, you must configure the settings by using the Windows Firewall with Advanced Security snap-in, or by using commands in the advfirewall context of the Netsh tool.

Windows Firewall with Advanced Security provides several functions on a computer that is running Windows Vista or Windows Server 2008:

  • Filtering of all IP version 4 (IPv4) and IP version 6 (IPv6) traffic entering or leaving the computer. By default, all incoming traffic is blocked unless it is a response to a previous outgoing request from the computer (solicited traffic), or it is specifically allowed by a rule created to allow that traffic. By default, all outgoing traffic is allowed, except for service hardening rules that prevent standard services from communicating in unexpected ways. You can choose to allow traffic based on port numbers, IPv4 or IPv6 addresses, the path and name of an application or the name of a service that is running on the computer, or other criteria.

  • Protecting network traffic entering or exiting the computer by using the IPsec protocol to verify the integrity of the network traffic, to authenticate the identity of the sending and receiving computers or users, and to optionally encrypt traffic to provide confidentiality.

Starting with Windows XP Service Pack 2, Windows Firewall has been enabled by default on client operating systems from Microsoft. Windows Server 2008 is the first server operating system from Microsoft to have the Windows Firewall enabled by default. Because the Windows Firewall is turned on by default, every administrator of a server that is running Windows Server 2008 must be aware of this feature and understand how to configure the firewall to allow required network traffic.

Windows Firewall with Advanced Security can be fully configured by using either the Windows Firewall with Advanced Security MMC snap-in, or the commands available in the advfirewall context of the Netsh command-line tool. Both the graphical and command-line tools support managing Windows Firewall with Advanced Security on the local computer or on a remote computer running Windows Server 2008 or Windows Vista that is on the network. Settings created by using either of these tools can be deployed to the computers attached to the network by using Group Policy.
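The following commands, added here as an illustration and not taken from the original page, show the advfirewall context of Netsh being used for the rule criteria listed above (port, program path, service, address) and for local and remote management. Rule names, paths, ports, the service name ContosoSvc and the computer name SERVER01 are placeholders.

```powershell
# Added example (not from the original page): managing Windows Firewall with
# Advanced Security from the command line with the advfirewall context of netsh.
# Rule names, paths, ports, the service name and the remote computer name are placeholders.

# Confirm the firewall is on for every profile and see the default inbound/outbound action.
netsh advfirewall show allprofiles state
netsh advfirewall show allprofiles firewallpolicy

# Allow unsolicited inbound TCP 8443 only for one program; the same port reached
# through any other executable still falls under the default "block inbound" policy.
netsh advfirewall firewall add rule name="Contoso App (TCP 8443 in)" dir=in action=allow protocol=TCP localport=8443 program="C:\Program Files\Contoso\app.exe" enable=yes

# Scope a rule to a Windows service (service short name) instead of an executable path.
netsh advfirewall firewall add rule name="Contoso Svc (TCP 8444 in)" dir=in action=allow protocol=TCP localport=8444 service=ContosoSvc

# Restrict by address: only hosts on the local subnet may reach the management port.
netsh advfirewall firewall add rule name="Contoso Mgmt (local subnet)" dir=in action=allow protocol=TCP localport=8445 remoteip=localsubnet

# Review what was created, then remove a rule when it is no longer required.
netsh advfirewall firewall show rule name="Contoso App (TCP 8443 in)" verbose
netsh advfirewall firewall delete rule name="Contoso App (TCP 8443 in)"

# The same commands can target a remote Windows Server 2008 or Windows Vista computer
# (assumes remote administration and suitable credentials are already in place).
netsh -r SERVER01 advfirewall show allprofiles state
```

Each add rule command is a narrow exception to the default inbound block; review the output of the show rule command to confirm the program, service or address scope took effect before relying on it.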

You should review this section on Windows Firewall with Advanced Security if you are in any one of the following groups:

  • IT planners and analysts who are technically evaluating the product

  • Enterprise IT planners and designers

  • IT professionals who deploy or administer networking security solutions in your organization

Windows Firewall with Advanced Security consolidates two functions that were managed separately in earlier versions of Windows. In addition, the core functionality of each of the firewall and IPsec components of Windows Firewall with Advanced Security is significantly enhanced in Windows Vista and Windows Server 2008.

Windows Firewall has been turned on by default on Windows client operating systems since Windows XP Service Pack 2, but Windows Server 2008 is the first server version of the Windows operating system to have Windows Firewall turned on by default. This has implications whenever an application or service is installed that must be allowed to receive unsolicited incoming traffic over the network. Many older applications are not designed to work with a host-based firewall, and might not operate correctly unless you define rules to allow that application to accept unsolicited incoming network traffic. When you install a server role or feature that is included with Windows Server 2008, the installer automatically enables or creates firewall rules to make sure that the server role or feature operates correctly. To determine what firewall settings must be configured for an application, contact the application vendor. Firewall settings are often posted on the vendor's support Web site.

A computer that is running Windows Server 2003 and that is upgraded to Windows Server 2008 maintains the same firewall operational state that it had before the upgrade. If the firewall was turned off before the upgrade, then it remains off after the upgrade. We strongly recommend that you turn the firewall on as soon as you confirm that the applications on the server work with the firewall as configured, or as soon as you configure appropriate firewall rules for the applications that are running on your computer.

In earlier versions of Windows, implementations of server or domain isolation sometimes required the creation of a large number of IPsec rules to make sure that required network traffic was protected appropriately, while still permitting required network traffic that could not be secured with IPsec.

The need for a large, complex set of IPsec rules is reduced by a new default behavior for IPsec negotiation that requests but does not require IPsec protection. When this setting is used, IPsec sends an IPsec negotiation attempt and also sends plaintext packets to the destination computer at the same time. If the destination computer responds to and successfully completes the negotiation, the plaintext communication is stopped and subsequent communication is protected by IPsec. However, if the destination computer does not respond to the IPsec negotiation, the plaintext attempt is allowed to continue. Earlier versions of Windows waited three seconds after the IPsec negotiation attempt before trying to communicate by using plaintext. This resulted in significant performance delays for traffic that could not be protected and had to be retried in plaintext. To avoid this performance delay, an administrator had to create multiple IPsec rules to address the different requirements of each type of network traffic.

The new behavior allows the option to request but not require IPsec protection to perform almost as well as unprotected traffic, because it no longer requires a three-second delay. This enables you to protect traffic where it is required, without having to create as many rules that explicitly allow for the needed exceptions. This results in a more secure, less complex, and easier to troubleshoot environment.

In earlier versions of Windows, IPsec supported only the Internet Key Exchange (IKE) protocol for negotiating IPsec security associations (SAs). Windows Vista and Windows Server 2008 support an extension to IKE known as Authenticated IP (AuthIP). AuthIP provides additional authentication capabilities such as:

  • Support for new credential types that are not available in IKE alone. These include the following: health certificates provided by a Health Registration Authority server that is part of a Network Access Protection (NAP) deployment; user-based certificates; Kerberos user credentials; and NTLM version 2 user or computer credentials. These are in addition to credential types that IKE supports, such as computer-based certificates, Kerberos credentials for the computer account, or simple pre-shared keys.

  • Support for authentication by using multiple credentials. For example, IPsec can be configured to require that both computer and user credentials are successfully processed before traffic is allowed. This increases the security of the network by reducing the chance of a trusted computer being used by an untrusted user.

Earlier versions of Windows do not support using IPsec to protect traffic between domain controllers and domain member computers. Windows Vista and Windows Server 2008 support protecting the network traffic between domain member computers and domain controllers by using IPsec, while still enabling a non-domain member computer to join a domain by using the IPsec-protected domain controller.

The implementation of IPsec in Windows Vista and Windows Server 2008 supports additional algorithms for main mode negotiation of SAs:

  • Elliptic Curve Diffie-Hellman P-256, an elliptic curve algorithm using a 256-bit random curve group.

  • Elliptic Curve Diffie-Hellman P-384, an elliptic curve algorithm using a 384-bit random curve group.

Also, the following encryption methods using Advanced Encryption Standard (AES) are supported:

  • AES with cipher block chaining (CBC) and a 128-bit key size (AES 128).

  • AES with CBC and a 192-bit key size (AES 192).

  • AES with CBC and a 256-bit key size (AES 256).
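The commands below are an added example, not from the original page, that put together the "request but do not require" negotiation behavior described earlier and the main mode and AES algorithms listed above. The rule name is a placeholder, and auth1=computerkerb assumes both computers are domain members.

```powershell
# Added example (not from the original page): a connection security rule that
# requests, but does not require, IPsec for all traffic, plus main mode and quick
# mode settings that use ECDH P-256 and AES-256.
# The rule name is a placeholder; auth1=computerkerb assumes domain-joined computers.

# Request inbound and outbound: a peer that completes the negotiation gets protected
# traffic; a peer that never answers keeps communicating in plaintext, with no
# three-second wait before the plaintext attempt.
netsh advfirewall consec add rule name="Request IPsec (all traffic)" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb profile=domain

# Main mode: ECDH P-256 key exchange, AES-256 encryption and SHA-1 integrity for the
# negotiation itself (global setting, applies to every connection security rule).
netsh advfirewall set global mainmode mmsecmethods ecdhp256:aes256-sha1

# Quick mode (per rule): ESP with SHA-1 integrity and AES-256 encryption for the
# protected data traffic.
netsh advfirewall consec set rule name="Request IPsec (all traffic)" new qmsecmethods=esp:sha1-aes256

# Verify the rule, then watch main mode security associations appear as peers negotiate.
netsh advfirewall consec show rule name="Request IPsec (all traffic)" verbose
netsh advfirewall monitor show mmsa
```

A peer that shows no main mode SA after traffic has flowed is one that did not answer the negotiation and is still talking in plaintext; switch the rule to requireinrequestout only for traffic that must never fall back.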

Windows Vista and Windows Server 2008 can notify network-enabled applications, such as the Windows Firewall, about changes in the network location types available through any attached network adapters, dial-up connections, virtual private networks (VPNs), and so on. Windows supports three network location types, and programs can use these location types to automatically apply the appropriate set of configuration options. Applications must be written to take advantage of this feature and to receive notifications of changes to the network location types. Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 can provide different levels of protection based on the network location type to which the computer is attached. The network location types are:

  • Domain. This network location type is selected when the computer is a member of a domain, and Windows determines that the computer is currently attached to the network hosting the domain. This selection is automatic based on successful authentication with a domain controller on the network.

  • Private. This network location type can be selected for networks trusted by the user, such as a home network or small office network. Settings assigned to this location type are typically more restrictive than a domain network because it is not expected that a home network is as actively managed as a domain network. A newly detected network is never automatically assigned to the Private location type. A user must explicitly choose to assign the network to the Private location type.

  • Public. This network location type is assigned by default to all newly detected networks. Settings assigned to this location type are typically the most restrictive because of the security risks present on a public network.

The network location type feature is most useful on client computers, especially portable computers, which are likely to move from network to network. A server is not as likely to be mobile, and so a suggested strategy for a typical computer that is running Windows Server 2008 is to configure all three profiles the same.

In Windows Vista and Windows Server 2008, the user interface for the firewall and IPsec components is now combined into the Windows Firewall with Advanced Security MMC snap-in, and commands in the advfirewall context of the Netsh command-line tool. The tools used in Windows XP, Windows Server 2003, and Windows 2000 (the Windows Firewall administrative template Group Policy settings, the IP Security Policy and IP Security Monitor MMC snap-ins, and the ipsec and firewall contexts of the Netsh command) are still available, but they do not support any of the newer features included with Windows Vista and Windows Server 2008. The Windows Firewall icon in Control Panel is also still present, but it is an end-user interface for managing the basic functionality of the firewall, and it does not present the advanced options required by an administrator.

By using the multiple tools for firewall and IPsec in earlier versions of Windows, administrators could accidentally create conflicting settings, such as an IPsec rule that causes a specific type of network packet to be dropped, even though a firewall rule to allow that same type of network packet is present. This can result in very difficult troubleshooting scenarios. Combining the two functions reduces the possibility of creating conflicting rules, and helps make sure that the traffic you want to protect is handled correctly.

All of the firewall and IPsec features available in Windows Vista and Windows Server 2008 are available for protecting both IPv4 and IPv6 network traffic.

If you create software that is designed to be installed on Windows Vista or Windows Server 2008, then you must make sure that your installation tool correctly configures the firewall by creating or enabling rules that allow your program's network traffic to pass through the firewall. Your program should recognize the different network location types recognized by Windows (domain, private, and public) and correctly respond to a change in network location type. Be aware that a change in the network location type can result in different firewall rules being in effect on the computer. For example, if you want your application to only run in a secured environment, such as a domain or private network, then the firewall rules must prevent your application from sending network traffic when the computer is on a public network. If the network location type changes unexpectedly while your application is running, it must handle the change gracefully.
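As an added example that is not part of the original page, the commands below cover two profile-related points made above: keeping all three location-type profiles identical on a server that does not move between networks, and the rules an application's setup program might create so the program is reachable only on domain and private networks. Rule names, the program path and the port are placeholders.

```powershell
# Added example (not from the original page): profile-aware configuration.
# Part 1 (server): keep the domain, private and public profiles identical, as suggested
# for a server that is not mobile.
# Part 2 (installer): rules a setup program might create so the application listens only
# on domain and private networks. Rule names, path and port are placeholders.

# Part 1: same state, same default policy and same logging for all three profiles.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles logging droppedconnections enable

# Part 2: inbound listener allowed on the domain and private profiles only. On a public
# network this rule is not in effect, so the listener's port stays blocked by default.
netsh advfirewall firewall add rule name="Contoso Sync (in, trusted networks)" dir=in action=allow protocol=TCP localport=9100 program="C:\Program Files\Contoso\sync.exe" profile=domain,private

# Outbound traffic is allowed by default, so stopping the program from sending anything
# on a public network needs an explicit outbound block rule scoped to that profile.
netsh advfirewall firewall add rule name="Contoso Sync (out, public blocked)" dir=out action=block program="C:\Program Files\Contoso\sync.exe" profile=public

# Show which profile is active right now; that determines which of the rules above apply.
netsh advfirewall show currentprofile
```

When the active profile changes (for example, a domain laptop moved to a public network), the inbound allow rule stops applying and the outbound block rule starts applying, so the application must cope with its listener being unreachable and its outbound connections failing.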

The following resources provide additional information about Windows Firewall with Advanced Security and IPsec:
