Appendix G: Windows Firewall in Windows 7 and Windows Server 2008 R2
Updated: December 16, 2009
Applies To: Windows 7, Windows Server 2008 R2
Windows® Firewall helps protect against network attacks for computers on which it is enabled. Windows Firewall does this by checking all communications that cross the connection and selectively blocking communications, according to the configuration settings you specify. Windows Firewall is considered a "stateful" firewall; that is, it monitors all aspects of the communications that cross its path and inspects the source and destination address of each message that it handles.
In Windows 7 and Windows Server® 2008 R2, Windows Firewall includes a variety of enhancements, which are described in Additional references later in this section. Windows Firewall is enabled by default in Windows 7 and Windows Server 2008 R2, and after setup completes, Windows Firewall blocks all inbound traffic until the computer has the latest security updates installed.
Windows 7 and Windows Server 2008 R2 are designed to make it relatively easy to configure Windows Firewall. For example, a variety of features in Windows 7 and Windows Server 2008 R2 are listed in the Exceptions list in Windows Firewall, so that the person configuring the exception does not need to know technical details, only the name of the feature to be used. As another example, the Remote Assistance Wizard can detect whether Windows Firewall is blocking the associated feature, and if so, provide the user with information about unblocking the feature.
You can use Windows Firewall with your organization's firewall to enhance the protection of client computers and servers. You can also use Windows Firewall to protect a small network or single computer that is connected to the Internet.
Another security-related feature in Windows 7 is the Security Center in Control Panel. The Security Center monitors the status of firewalls including Windows Firewall, and the status of automatic updating, virus protection, malware protection, and other security settings. The Security Center notifies the user when the computer might be at risk by providing an icon and balloon message in the notification area.
When the computer running Windows 7 is part of a domain (the usual scenario for a managed environment), by default these notifications are not displayed. For more information, see the explanatory text in the Group Policy setting, Turn on Security Center (domain PCs only). This setting is located in Computer Configuration\Administrative Templates\Windows Components\Security Center.
In Windows Server 2008 R2, you can use a single tool, the Windows Firewall with Advanced Security snap-in, to configure both Windows Firewall and Internet Protocol security (IPsec). The snap-in includes a variety of enhancements, which are described in Additional references later in this section.
In addition, Windows Server 2008 R2 includes a Server Manager console, which features a Security Information area under Server Summary. The information that is displayed under Security Information tells you if Windows Firewall and other security-related features are turned on. From the Security Information area you can also run interfaces such as the Windows Firewall with Advanced Security snap-in.
This section describes a Group Policy setting with which you can disable Windows Firewall. A variety of other Group Policy settings are available for controlling Windows Firewall. The settings are located in Computer Configuration under Policies (if present), in Administrative Templates\Network\Network Connections\Windows Firewall. For more information, see the settings or see Additional references later in this section.
Because the Windows Firewall service applies service hardening rules to standard Windows networking services, do not disable the firewall by stopping the Windows Firewall service. Instead, use the Windows Firewall Group Policy setting. Stopping the Windows Firewall service is not supported by Microsoft®.
The Group Policy setting to disable Windows Firewall in a domain environment is located in Computer Configuration under Policies (if present), in Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. The setting is called Windows Firewall: Protect all network connections. If you disable this policy setting, Windows Firewall does not filter or block any network traffic.
We recommend that you do not disable Windows Firewall unless you replace it with a non-Microsoft firewall that provides equivalent functionality. Disabling the firewall can expose your computer to malicious traffic from the Internet.
In Computer Configuration under Policies (if present), in Administrative Templates\Network\Network Connections, the setting called Prohibit use of Internet Connection Firewall on your DNS domain network still exists. This setting has no effect if Windows Firewall: Protect all network connections is enabled or disabled. However, if Windows Firewall: Protect all network connections is set to Not Configured, you can still prevent Windows Firewall from running by enabling Prohibit use of Internet Connection Firewall on your DNS domain network. (Internet Connection Firewall is the former name for Windows Firewall.)
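The precedence between the two settings described above, together with a check for the unsupported "stopped service" state, as an added PowerShell audit example (not Microsoft's code). The registry paths, the value meanings, and the service name MpsSvc are assumptions that do not appear on this page; confirm them against the policy templates in your environment.

```powershell
# Added example, not Microsoft's code. Registry paths and value meanings are
# assumptions about where these two policies are stored; verify before relying on them.
$fwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$ncKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

function Get-PolicyState {
    param([string]$Key, [string]$Name, [int]$EnabledValue)
    # A missing key or value means the policy is Not Configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$Name -eq $EnabledValue) { return 'Enabled' }
    return 'Disabled'
}

function Resolve-DomainFirewallPolicy {
    param([string]$ProtectAll, [string]$ProhibitIcf)
    # An explicit "Protect all network connections" state always wins. The older
    # "Prohibit use of Internet Connection Firewall..." setting only matters
    # when the former is Not Configured.
    if ($ProtectAll -eq 'Enabled')  { return 'On: enforced by policy' }
    if ($ProtectAll -eq 'Disabled') { return 'Off: disabled by policy, no traffic is filtered' }
    if ($ProhibitIcf -eq 'Enabled') { return 'Off: prevented by the legacy Prohibit setting' }
    return 'No domain policy: local configuration decides'
}

$protect  = Get-PolicyState $fwKey 'EnableFirewall' 1            # assumed: 1 = Enabled
$prohibit = Get-PolicyState $ncKey 'NC_PersonalFirewallConfig' 0 # assumed: 0 = Enabled
$service  = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue

$report = New-Object PSObject -Property @{
    ProtectAllConnections = $protect
    ProhibitIcf           = $prohibit
    PolicyOutcome         = Resolve-DomainFirewallPolicy $protect $prohibit
    ServiceStatus         = $(if ($service) { $service.Status } else { 'NotFound' })
}
$report | Format-List

# Stopping the service is the unsupported way to turn the firewall off:
# the service is what applies the service hardening rules the text mentions.
if ($service -and $service.Status -ne 'Running') {
    Write-Warning 'Windows Firewall service is not running; use the Group Policy setting instead.'
}
# Firewall off by policy is only acceptable with an equivalent replacement firewall.
if ($report.PolicyOutcome -like 'Off:*') {
    Write-Warning 'Firewall is off by policy; confirm a replacement firewall is installed.'
}
```

Run it from an elevated prompt on a domain-joined computer after Group Policy has refreshed, so the registry reflects the policies currently applied.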
Cable Guy Web site (search for information about Windows Firewall)
The following resources related to Windows 7 and Windows Server 2008 R2 are on the Microsoft Web site: