What Is Windows Firewall?
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
In this section
Windows Firewall provides host-firewall protection on computers running Windows Server 2003 with Service Pack 1 (SP1) and Windows XP with Service Pack 2 (SP2). As a host firewall, Windows Firewall runs on each of your servers and clients, providing protection from network attacks that pass through your perimeter network or originate inside your organization, such as Trojan horse attacks, worms, or any other type of malicious program spread through unsolicited incoming traffic.
The following figure shows how Windows Firewall works in conjunction with perimeter network firewalls.
Windows Firewall inspects and filters all IP version 4 (IPv4) and IP version 6 (IPv6) network traffic. It is a stateful firewall, which means it tracks the state of each network connection and determines whether incoming traffic is allowed or blocked. Windows Firewall blocks incoming traffic unless it is in response to a request by the host (in which case, it is solicited traffic) or has been specifically allowed (in which case, it has been added to the Windows Firewall exceptions list). Aside from a few Internet Control Message Protocol (ICMP) messages, Windows Firewall allows all outgoing traffic.
Windows Firewall is designed to be a supplemental security solution. You cannot use Windows Firewall as a perimeter firewall. Windows Firewall should be part of a comprehensive security architecture that implements a variety of security technologies, such as border routers, perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and Internet Protocol security (IPsec).
Common Windows Firewall Scenarios
With a few exceptions, Windows Firewall can be enabled on all configurations of Windows Server 2003 with SP1. Therefore, it is recommended that you enable Windows Firewall on every server in your organization, including bastion hosts and other servers in your perimeter network, mobile and remote clients that connect to your network and run Windows Server 2003, and all servers in your internal network. In addition, Windows Firewall can be enabled for any network architecture. Therefore, it is also recommended that you enable Windows Firewall regardless of the way in which you have designed and implemented your perimeter network or your internal network.
Common Configuration Tasks
When it is enabled in its default configuration, Windows Firewall blocks all unsolicited incoming network traffic on all network connections. Although blocking unsolicited incoming traffic reduces your attack surface and increases your level of security, it can cause programs and system services that are acting as servers, listeners, or peers to stop working properly. On clients, the number of programs and system services that do this is small because clients are typically configured as service consumers, not service providers. On servers, the number of programs and system services that do this can be large because, by their nature, servers are service providers; they must receive unsolicited incoming traffic.
Therefore, you usually need to configure some Windows Firewall settings on servers so that the appropriate unsolicited traffic is not blocked by Windows Firewall. The configuration changes that you need to make vary according to the server role and the programs and system services that are running on the server.
In addition, you need to configure Windows Firewall settings on every server that you intend to manage remotely. If you are managing the server by using the Administration Tools Pack on a client running Windows XP, then you need to configure Windows Firewall settings on the server to ensure that Windows Firewall allows the unsolicited traffic from the client computer to reach the programs and system services that are running on the server. You might also need to configure Windows Firewall settings on the client if the server initiates traffic to the client (for example, when an e-mail server notifies an e-mail client that new messages have arrived).
Restrictions and Limitations
You should disable Windows Firewall in the following scenarios.
Servers Running Routing and Remote Access
Do not run Windows Firewall if you are running Routing and Remote Access. Routing and Remote Access uses its own firewall and it cannot be used with Windows Firewall.
Computers Running a Perimeter Firewall
Do not run Windows Firewall on a server that is running a perimeter firewall, such as Microsoft Internet Security and Acceleration (ISA) Server 2004. The protection that Windows Firewall provides in this situation is redundant and unnecessary. In addition, Windows Firewall can cause perimeter firewalls such as ISA Server to function improperly.
Computers Running Non-Microsoft Host Firewalls
Do not use Windows Firewall on a computer that is running a non-Microsoft host firewall. Although it is possible to run two host firewalls on a single computer, it is not recommended that you do so. Host firewall implementations vary widely and there is no guarantee that a non-Microsoft host firewall and Windows Firewall will work well together.
Computers Acting as Domain Controllers
Do not permanently run Windows Firewall on a domain controller. You can use Windows Firewall on a temporary basis (for example, to protect a domain controller from attack while you install security updates, virus signatures, or security software).
In addition, you might want to disable Windows Firewall if a server requires you to open numerous ports or allow a large number of applications and system services to receive unsolicited traffic. In this case, it might make sense to disable Windows Firewall because a significant volume of network traffic will be allowed to pass through Windows Firewall anyway. By disabling Windows Firewall, you eliminate the operational overhead associated with Windows Firewall configuration and maintenance. However, you should closely evaluate the design of any client or server that requires you to open numerous ports. Servers that are configured for numerous roles or to provide numerous services can be a critical point of failure in your organization and might indicate poor infrastructure design.
Technologies Related to Windows Firewall
Windows Server 2003 provides several network security technologies that are related to and complement Windows Firewall. It is recommended that you use these technologies in conjunction with Windows Firewall to ensure that your security architecture is built on a solid defense-in-depth strategy.
IPsec helps protect networks from active and passive attacks by securing IP packets through the use of packet filtering, cryptographic security services, and the enforcement of trusted communications. IPsec supports network-level data integrity, data confidentiality, data origin authentication, and replay protection. Because IPsec is integrated at the Internet layer (layer 3), it provides security for all IPv4-based traffic, and because IPsec is applied transparently to applications, there is no need to configure separate security for each application that uses TCP/IP. In addition, IPsec helps provide defense-in-depth against:
Network-based attacks from untrusted computers, attacks that can result in the denial-of-service of applications, services, or the network.
Administrative control of servers, other computers, and the network.
IPsec and Windows Firewall are not mutually exclusive security technologies. The use of IPsec in conjunction with Windows Firewall increases the security of the communication on your internal network and reduces the attack surface on each of your clients and servers. For example, on a secured Web server, you can use Windows Firewall to block all unsolicited incoming traffic except Web traffic and you can use IPsec to secure all Web traffic as it travels across the network.
VPN is a network access technology that is part of the Routing and Remote Access service in Windows Server 2003. You can use VPN to securely connect remote clients and remote offices to an organization’s private network. VPN technology provides access to private networks at a lower cost than leased-line connections, which create a physical connection to a port on a remote access server on a private network.
A VPN connection uses authentication and data encryption to help preserve the privacy and, in some cases, integrity of data as it traverses a public network. VPN connections use either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec) over an intermediate network, such as the Internet. By using the Internet as a connection medium, VPN saves the cost of long-distance phone service and hardware associated with the use of dial-up or leased line connections. A VPN solution includes advanced security technologies, such as data encryption, user and computer authentication, authorization, and Network Access Quarantine Control.
VPN clients can use standard tools to access resources. For example, clients can use Windows Explorer to access shared files and folders and connect to printers. Connections are persistent; users do not need to reconnect to network resources during their VPN sessions. Because drive letters and universal naming convention (UNC) names are fully supported by VPN, most commercial and custom applications work without modification.