What's New in Windows Firewall with Advanced Security
Updated: October 26, 2009
Applies To: Windows Server 2008, Windows Vista
The following topic summarizes important new features in Windows Firewall with Advanced Security:
New features in Windows 7 and Windows Server 2008 R2
New features in Windows Vista and Windows Server 2008
The following sections describe some of the new features introduced in Windows Firewall with Advanced Security in Windows 7 and Windows Server 2008 R2.
In Windows Vista and Windows Server 2008, only one firewall profile can be active at a time. If a computer is attached to more than one network, then the profile that has the most restrictive rules is applied to all connections on the computer. The Public profile is the most restrictive, followed by the Private profile, and then the Domain profile.
In Windows 7 and Windows Server 2008 R2, each network adapter is assigned the appropriate profile (domain, private, or public), independently of any other network adapters on the computer. Network traffic sent to or arriving from each network is processed by the rules that are appropriate for that network type.
Windows Firewall with Advanced Security consists of a set of services that provide much more than the traditional firewall. IPsec connection security rules, network service hardening, boot time filters, firewall filters, and stealth filters are all services provided by Windows Firewall with Advanced Security in Windows 7 and Windows Server 2008 R2. Because multiple firewall programs can be problematic due to conflicts, if you install a third-party firewall program, you need to turn off the Windows Firewall. In previous versions of Windows, turning off the firewall meant also disabling all of the related services. If the third-party program does not provide all of the same functionality, then you might be unintentionally exposing your computer to threats for which you no longer have protection. In Windows Server 2008 R2 and Windows 7, Windows Firewall with Advanced Security enables more specific disabling of its features through published application program interface (API) calls. When a third-party firewall program is installed, the installer can disable only those portions of Windows Firewall with Advanced Security that conflict with the services that are provided by the third-party program. Other Windows Firewall with Advanced Security services are left enabled, and continue to help protect your computer.
Connection security rules in Windows 7 and Windows Server 2008 R2 can use certificates issued by an intermediate certification authority (CA), in addition to certificates issued by a root CA.
When creating an inbound firewall rule that specifies computers or users that are authorized to access the local computer over the network, Windows 7 and Windows Server 2008 R2 support the ability to specify exceptions to the authorized list. This allows easy creation of an “everyone except a, b, and c” rule. For example, you can identify a group in the authorized list, yet specify a user or a computer in the exception list that is a member of the authorized group. Computers or users that are members of both lists are denied access. Network traffic from the computers or users you specified in the exception list is blocked by the firewall even though traffic from all other members of the authorized list is permitted. You can also create outbound rules that specify both authorized computers and computers that are exceptions to the authorized list.
By using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in in Windows 7 and Windows Server 2008 R2, you can create connection security rules that specify port numbers or protocols. Only network traffic to or from the specified ports, or using the specified protocol, is subject to the IPsec requirements of the connection security rule. In Windows Vista and Windows Server 2008, these rules can be created only by using the netsh command-line tool.
Firewall rules in Windows 7 and Windows Server 2008 R2 can specify ranges of port numbers, such as allowing a program to access the network by using ports 5000 through 5010. You can also do this in connection security rules that specify authentication exemption.
Connection security rules that specify advanced authentication and encryption algorithms that are commonly referred to as the “Suite B” set of algorithms (as specified in RFC 4869), can be created by using the Windows Firewall with Advanced Security MMC snap-in in Windows 7 and Windows Server 2008 R2. In previous versions of Windows, rules that specify Suite B algorithms can be created only by using the netsh command-line tool.
Firewall rules in Windows 7 and Windows Server 2008 R2 support dynamic encryption, simplifying the creation of IPsec connection security rules that require per-port encryption settings. Primarily it prevents an administrator from having to create two or more connection security rules on both the client and server to achieve per-port encryption. Instead, you can create one connection security rule on both the client and server that requires IPsec protection between the server and all clients. You complete the process by creating one new firewall rule on the server that specifies the port number whose traffic is to be encrypted, and that specifies Enable Dynamic Encryption. This rule causes the server to start a quick mode negotiation with the client when a network packet with the specified port is first received.
You can create connection security rules that specify authentication, but no Encapsulating Security Payload (ESP) or Authentication Header (AH) protection on the data packets. This makes authentication protection possible in environments with network equipment that is incompatible with ESP or AH, such as intrusion detection and protection systems, even when traffic is unencrypted. The connection is authenticated before data can be exchanged, but individual packets in the data stream receive no IPsec protection.
You can create tunnel-mode connection security rules that specify an address for only one endpoint of the tunnel.
Applied to an IPsec gateway server in a rule that specifies IP addresses only for the localtunnelendpoint and endpoint1, and specifies any for endpoint2, this option specifies that the gateway can accept an incoming IPsec tunnel from any remote client destined for an IP address in endpoint1.
Applied to a client in a rule that specifies IP addresses only for the remotetunnelendpoint and endpoint2, and specifies any for endpoint1, this option specifies that the client computer is to establish an IPsec tunnel to the IPsec gateway server specified as the remote tunnel endpoint for any traffic destined to IP addresses in endpoint2. This helps simplify policy creation when there can be multiple IPsec gateways and clients on multiple remote networks.
These tunnel rules are bi-directional, so the tunnels described in the previous two paragraphs can also be established by traffic traveling in either direction.
You can specify that only authorized computers and authorized users can establish an inbound tunnel to an IPsec gateway server. Especially when you use dynamic tunnel endpoints, as described in the previous section, you need to ensure that only authorized users can access your enterprise network.
In Windows 7 and Windows Server 2008 R2, you can specify groups of users or computers that are authorized to establish a tunnel to the local computer. You then create tunnel-mode connection security rules that specify that authorization is required for tunnels created by the rule.
The tunnel-mode rule must specify authentication that can identify the remote computer or user, and then pass those credentials to the local computer. The identity of the computer or user is compared to the authorized list, and if there is a match, then the tunnel is established and data can be exchanged. If the computer or user making the connection is not on the authorized list for the local computer, then the connection fails and the tunnel is not established. You can also specify exceptions to the authorized user and computer lists, for easy creation of “everyone except UserA” type rules. Tunnel-mode authorization works only for inbound tunnels terminating at the IPsec gateway; it does not apply to outbound tunnels.
If you create a connection security rule that uses a feature not supported by Internet Key Exchange version 1 (IKEv1), such as requesting user authentication, then Authenticated IP (AuthIP) is used instead of IKE. By default, AuthIP uses the secret generated by the authentication method requested. For example, if you specify Kerberos V5 authentication, then the Kerberos service ticket secret is used instead of the secret generated by a Diffie-Hellman exchange. However, in some environments, regulatory requirements might dictate the use of Diffie-Hellman. Starting with Windows 7 and Windows Server 2008 R2, you can specify that Diffie-Hellman is to be used in all IPsec main mode negotiations, even if AuthIP is used.
In Windows Vista and Windows Server 2008, you can specify only one Diffie-Hellman algorithm that is used in all IPsec proposals. This restricted you to ensuring that all computers in your organization used the same single Diffie-Hellman algorithm for IPsec negotiations. Starting with Windows 7 and Windows Server 2008 R2, you can specify a different Diffie-Hellman algorithm for each main mode proposal that you create.
Windows 7 and Windows Server 2008 R2 include support for an IPv6 transition technology called IP over HTTPS (IPHTTPS). IPHTTPS is a tunneling protocol that embeds IPv6 packets inside an HTTPS datagram inside an IPv4 network packet. IPHTTPS allows IPv6 traffic to successfully traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4. For a Windows Firewall inbound or outbound rule, you can set the TCP port to IPHTTPS instead of a number to have Windows Firewall automatically recognize and handle the connection appropriately.
In addition, Windows 7 and Windows Server 2008 R2 include support for an IPv6 transition technology called Teredo. Teredo is a tunneling protocol that embeds IPv6 packets inside a User Datagram Protocol (UDP) datagram inside an IPv4 network packet. For a Windows Firewall inbound rule, you can set the UDP port to Edge Traversal instead of a specific port number to have Windows Firewall automatically recognize and handle the connection appropriately.
In Windows 7 and Windows Server 2008 R2, you can use the netsh advfirewall set global ipsec defaultexemptions command with the DHCP parameter to exempt all DHCP network traffic from IPsec requirements.
In Windows 7 and Windows Server 2008 R2, you can now specify that an outbound Allow rule can override a block rule when it is secured by an IPsec connection security rule.
In Windows 7 and Windows Server 2008 R2, there are two new options when configuring authentication for an IPsec tunnel-mode rule. You can now specify Do not authenticate and Require inbound and clear outbound to support a wider variety of tunnel-mode scenarios.
If network traffic that is already IPsec protected is sent through an IPsec tunnel, it is wrapped in yet another IPsec and IP header. Instead, Windows 7 and Windows Server 2008 R2 enable you to specify on a tunnel-mode rule that network traffic that is already IPsec protected is exempted from the tunnel, and instead proceeds through the tunnel endpoint without the additional encapsulation.
In Windows Vista and Windows Server 2008, you can specify only one set of main mode proposals that are used for all IPsec connections to or from the computer. Windows 7 and Windows Server 2008 R2 support a new netsh command context called “mainmode” that includes commands that you can use to create main mode proposals for specific origin and destination IP addresses or specific network location profiles. Each main mode configuration can include key exchange, encryption, integrity, and authentication algorithm options. If a network connection matches a main mode rule then it uses the settings in the rule instead of the global defaults or those specified in the connection security rule.
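The following netsh commands are an added example, not taken from the original page, that exercise several of the Windows 7 and Windows Server 2008 R2 features described above (port-range rules, port-specific connection security rules, dynamic encryption, the DHCP exemption, and the new mainmode context with forced Diffie-Hellman). Rule names, the program path and the subnet are placeholders.

```powershell
# Added example, not from the original page. Run from an elevated command
# prompt or PowerShell session on Windows 7 / Windows Server 2008 R2.
# Rule names, "C:\ExampleApp\app.exe" and 10.0.1.0/24 are placeholders.

# Port-range firewall rule: one inbound allow rule for TCP 5000-5010,
# restricted to a single program and to the domain profile.
netsh advfirewall firewall add rule name="ExampleApp 5000-5010" dir=in action=allow program="C:\ExampleApp\app.exe" protocol=TCP localport=5000-5010 profile=domain

# Port-specific connection security rule: only TCP 5000 is subject to the
# IPsec requirement (Windows 7 / 2008 R2 can create this in the MMC snap-in;
# netsh works on all versions). Kerberos computer authentication.
netsh advfirewall consec add rule name="Require auth on TCP 5000" endpoint1=any endpoint2=any protocol=TCP port1=5000 action=requireinrequestout auth1=computerkerb

# Dynamic encryption: a single server-side firewall rule asks for encryption
# on the port (security=authdynenc) instead of a second pair of connection
# security rules on client and server.
netsh advfirewall firewall add rule name="ExampleApp encrypted" dir=in action=allow protocol=TCP localport=5000 security=authdynenc

# Exempt DHCP from IPsec so a client can obtain an address before any
# IPsec negotiation is possible.
netsh advfirewall set global ipsec defaultexemptions dhcp

# New "mainmode" context: Suite B key exchange (ECDH P-384, AES-256,
# SHA-384) for traffic to one subnet, with Diffie-Hellman forced even when
# AuthIP would otherwise reuse the Kerberos ticket secret (mmforcedh=yes).
netsh advfirewall mainmode add rule name="SuiteB to server subnet" mmsecmethods=ecdhp384:aes256-sha384 mmforcedh=yes auth1=computerkerb endpoint1=any endpoint2=10.0.1.0/24 profile=domain

# Verify what was written before relying on it.
netsh advfirewall mainmode show rule name=all
netsh advfirewall firewall show rule name="ExampleApp 5000-5010" verbose
```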
In Windows Vista and Windows Server 2008, all firewall events were considered ‘audit’ events, and were generated only if the appropriate audit category was enabled. In Windows 7 and Windows Server 2008 R2, some of these events are now ‘operational’ events, and appear in the Event Viewer without having to be enabled first. They appear under Applications and Service Logs \ Microsoft \ Windows \ Windows Firewall with Advanced Security.
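As an added example that is not part of the original page, the script below reads the operational log named above and lists recent rule and setting changes, then flags rule additions or modifications made by a process other than the usual management tools. It assumes Windows PowerShell 2.0 or later on Windows 7 / Windows Server 2008 R2 and an administrative session; the event IDs are those of the Windows Firewall operational log, and the allow list of management executables is an assumption to adjust for your environment.

```powershell
# Added example, not from the original page. Requires Windows PowerShell 2.0+
# on Windows 7 / Windows Server 2008 R2 (or later); run as an administrator.
# Operational-log event IDs used: 2003 setting changed, 2004 rule added,
# 2005 rule modified, 2006 rule deleted, 2033 all rules deleted.

$logName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
$labels  = @{ 2003 = 'SETTING CHANGED'; 2004 = 'RULE ADDED'; 2005 = 'RULE MODIFIED';
              2006 = 'RULE DELETED';    2033 = 'ALL RULES DELETED' }
$filter  = @{ LogName = $logName; Id = @($labels.Keys); StartTime = (Get-Date).AddDays(-7) }

# Assumption: only these tools normally change rules here; tune per environment.
$expectedTools = '\\(mmc|netsh|svchost)\.exe$'

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Output 'No firewall rule or setting changes in the last 7 days.'; return }

foreach ($e in $events) {
    # Collect the named <Data> fields of the event into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in @($xml.Event.EventData.Data)) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }

    $line = '{0:u}  {1,-17}' -f $e.TimeCreated, $labels[[int]$e.Id]
    foreach ($field in 'RuleName','Direction','Action','Profiles','ApplicationPath',
                       'LocalPorts','ModifyingUser','ModifyingApplication') {
        # Fields that a given event type does not carry are simply skipped.
        if ($data.ContainsKey($field)) { $line += "  $field=$($data[$field])" }
    }
    Write-Output $line

    # Rule additions or modifications from an unexpected process warrant a
    # closer look: that is how the change would look if made by software
    # rather than by an administrator.
    if (($e.Id -eq 2004 -or $e.Id -eq 2005) -and $data.ContainsKey('ModifyingApplication')) {
        $app = $data['ModifyingApplication']
        if ($app -notmatch $expectedTools) {
            Write-Warning "Rule '$($data['RuleName'])' changed by unexpected process: $app"
        }
    }
}
```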
The following sections describe some of the new features introduced in Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008.
Windows Service Hardening helps prevent critical Windows services from being used for potentially malicious activity in the file system, registry, or network. If the firewall detects abnormal behavior as defined by the Windows Service Hardening network rules, the firewall blocks the behavior. In addition, services can be limited to writing only to specified areas of the file system or registry based on access control lists (ACLs). This helps prevent a compromised service from changing important configuration settings in the file system or registry, or infecting other computers on the network. For example, the Remote Procedure Call (RPC) service can be restricted from replacing system files or modifying the registry.
By default, Windows Firewall is enabled for both inbound and outbound connections. The default policy is to block most inbound connections and allow outbound connections. You can use the Windows Firewall with Advanced Security interface to configure rules for both inbound and outbound connections. Unlike earlier versions of Windows Firewall, which supported the filtering of UDP, TCP, and ICMP only, Windows Firewall with Advanced Security supports the filtering of any protocol number.
Windows Firewall can manage outbound as well as inbound filtering. This helps administrators limit which applications can be used to send traffic onto the network, enforcing corporate policies for compliance.
You can configure different rules and settings for the following firewall profiles:
Domain. Used when a computer is connected to an Active Directory domain of which the computer is a member.
Private. Used when a computer is connected to a private network behind a private gateway or router. Only a user with administrative credentials can designate a network as private.
Public. Used when a computer is connected directly to the Internet or any network that has not been selected as Private or Domain.
With IPsec authentication, you can configure bypass rules for specific computers so that connections from those computers bypass other rules set up in Windows Firewall with Advanced Security. This allows you to block a particular type of traffic, but allow authenticated computers to bypass the block. With Windows Vista and Windows Server 2008, Windows Firewall allows more finely detailed authenticated bypass rules, enabling the administrator to specify which ports or programs have access, as well as which computer or group of computers has access.
You can create firewall rules that filter connections by user, computer, or groups in Active Directory. For these types of rules, the connection must be authenticated by using IPsec with a credential that carries the Active Directory account information, such as Kerberos V5.
Windows Firewall with Advanced Security fully supports an IPv6-only environment.