Appendix E: Windows Firewall and Security Configuration Wizard

Applies To: Windows Server 2003 with SP1

Windows Firewall is a host firewall technology that replaces Internet Connection Firewall in Windows Server 2003 with Service Pack 1 (SP1) and Windows XP with Service Pack 2 (SP2). Windows Firewall is off by default on Windows Server 2003 with SP1, but is easily turned on.

Security Configuration Wizard (SCW) is an attack surface reduction tool for Windows Server 2003 with SP1. When you run it, you can create, edit, apply, or roll back a security policy (stored as an XML file). Any security policy that you create takes effect only when you apply it to a server.

Overview: Windows Firewall and Security Configuration Wizard

Windows Firewall provides stateful inspection of incoming Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) traffic and is designed to help protect you from network attacks that pass through your perimeter network or originate inside your organization, such as Trojan horse attacks, port scanning attacks, and worms. By running Windows Firewall on each of your clients and servers, you can extend your defense-in-depth strategy to the innermost layer of your security architecture.

SCW determines the minimum functionality required for a server's role or roles, and disables functionality that is not required. For example, it can disable unneeded services and block unused ports. SCW guides you through the process of creating, editing, applying, or rolling back a security policy based on the selected roles of the server. The security policies that are created with SCW are XML files that, when applied, configure services, network security, specific registry values, audit policy, and if applicable, Internet Information Services (IIS).

Group Policy Settings that Affect Windows Firewall

Windows Server 2003 with SP1 includes Group Policy settings through which you can configure Windows Firewall. (Windows XP with SP2 also includes these settings.)

To Locate the Group Policy Settings for Windows Firewall

  1. See Appendix B: Resources for Learning About Group Policy for information about using Group Policy. Ensure that your Administrative Templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click Network, click Network Connections, and then click Windows Firewall.

  3. Click either Domain Profile or Standard Profile.

  4. View the Group Policy settings that are available under the selected profile.

For more details about any of the Group Policy settings, use a Group Policy interface to navigate to the setting and then click the Extended tab, or open the setting and then click the Explain tab.

There is a setting through which you can disable Windows Firewall. This setting is located in Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile and is called Windows Firewall: Protect all network connections. If you disable this policy setting, Windows Firewall does not run and cannot be started.

Note

In Computer Configuration\Administrative Templates\Network\Network Connections, the setting called Prohibit use of Internet Connection Firewall on your DNS domain network still exists. This setting has no effect if Windows Firewall: Protect all network connections is enabled or disabled. However, if Windows Firewall: Protect all network connections is set to Not Configured, your servers are in a DNS domain, and you enable Prohibit use of Internet Connection Firewall on your DNS domain network, it will prevent Windows Firewall from running (Internet Connection Firewall is the former name for Windows Firewall).
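The precedence between the two settings described in this note, worked through as an added Python example (not part of the original appendix). The registry value paths the two settings write to are assumptions for illustration; the policy states and the decision rules come from the note.

```python
from enum import Enum

class PolicyState(Enum):
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"

# Registry locations the two Group Policy settings write to (assumed here;
# confirm against each setting's Explain tab on your own servers).
PROTECT_ALL_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\EnableFirewall"
PROHIBIT_ICF_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_PersonalFirewallConfig"

def policy_state(snapshot, key, enabled_value):
    """Map a raw policy DWORD (or its absence) onto the three-way GP state."""
    if key not in snapshot:
        return PolicyState.NOT_CONFIGURED
    return PolicyState.ENABLED if snapshot[key] == enabled_value else PolicyState.DISABLED

def firewall_can_run(protect_all, prohibit_icf, in_dns_domain):
    """Apply the precedence rules from the note: (can_run, reason)."""
    if protect_all is PolicyState.DISABLED:
        return False, "Protect all network connections is Disabled: firewall does not run"
    if protect_all is PolicyState.ENABLED:
        return True, "Protect all network connections is Enabled: legacy ICF setting ignored"
    # Not Configured: the legacy setting decides, but only for servers in a DNS domain.
    if in_dns_domain and prohibit_icf is PolicyState.ENABLED:
        return False, "Not Configured, and Prohibit use of ICF on DNS domain network is Enabled"
    return True, "No Group Policy setting prevents Windows Firewall from running"

def evaluate_host(snapshot, in_dns_domain):
    """Evaluate one host from a registry snapshot {value_path: dword}."""
    protect_all = policy_state(snapshot, PROTECT_ALL_KEY, enabled_value=1)
    # The legacy setting counts as Enabled (prohibit) when its DWORD is 0.
    prohibit_icf = policy_state(snapshot, PROHIBIT_ICF_KEY, enabled_value=0)
    return firewall_can_run(protect_all, prohibit_icf, in_dns_domain)

# Constructed snapshots covering the cases the note distinguishes.
SNAPSHOTS = {
    "legacy_only_in_domain": ({PROHIBIT_ICF_KEY: 0}, True),
    "legacy_only_workgroup": ({PROHIBIT_ICF_KEY: 0}, False),
    "protect_all_enabled_plus_legacy": ({PROTECT_ALL_KEY: 1, PROHIBIT_ICF_KEY: 0}, True),
    "protect_all_disabled": ({PROTECT_ALL_KEY: 0}, True),
}

if __name__ == "__main__":
    for name, (snapshot, in_domain) in SNAPSHOTS.items():
        can_run, reason = evaluate_host(snapshot, in_domain)
        print(f"{name}: {'can run' if can_run else 'blocked'} ({reason})")
```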

Resources for Learning About Windows Firewall and Security Configuration Wizard

The following resources provide detailed information about using Windows Firewall and Security Configuration Wizard: