At first glance, the Vista firewall may appear to be identical to the Windows Firewall in WinXP SP 2. But once you discover the secret of accessing its advanced configuration settings via the MMC snap-in, you'll be able to set up and customize outbound and inbound rules to fit your precise needs.
Microsoft introduced a personal firewall as part of the operating system with Windows XP. In its initial incarnation, it was known as the Internet Connection Firewall (ICF) and provided pretty rudimentary stateful packet filtering firewall protection. Renamed in XP SP2 to simply Windows Firewall, it received a number of improvements (most notably, it extended firewall protection to the startup and shutdown processes) but still provided only one-way protection, blocking inbound traffic. Consequently, many computer users opted for more sophisticated third-party personal firewalls, such as Kerio or ZoneAlarm.
In Windows Vista, Microsoft has taken the Windows Firewall a step further, retaining its SP2 functionality in the Firewall GUI accessible through the Control Panel, but allowing tech savvy users to configure advanced features through an MMC snap-in. In this article, we'll take a look at how to take advantage of the firewall's enhanced functionality.
Two interfaces for the price of one
Why did Microsoft separate the basic and advanced firewall configuration tasks into two completely different interfaces? I suspect the idea was to keep from confusing less tech savvy users and to prevent them from inadvertently making advanced changes that could disrupt their connectivity and/or put them at risk. In any event, looking at the firewall's basic interface, you'd think it was almost identical to the SP2 firewall. (There are minor differences, such as the renaming of the Edit button on the Exceptions tab to Properties.)
As with XP, you can use the General tab to turn the firewall on or off or set it to block all programs with no exceptions, as shown in Figure A.
|Turn the firewall on and off via the General tab in the Basic interface.|
The Block All Programs option is handy if, for example, you need to connect your laptop to a public wi-fi network. This allows you to temporarily disable all the exceptions you've configured and then enable them again when you get back to your secure LAN with a single click.
Exceptions are configured on the Exceptions tab in the same way as with the XP firewall. You can unblock specific programs or services by selecting their check boxes, as shown in Figure B.
|You can unblock specified programs by selecting a check box.|
If the program you want to allow doesn't appear on the list, you can add it via the Add Program button. In the Add Program dialog box, select the program from the Programs list or browse to the path for its executable by clicking the Browse button. You can unblock the program for specific computers only by using the Change Scope option. Here you can select to unblock the program for:
- Any computer, including those on the Internet
- Only computers on your local network (subnet)
- Only computers you specify by entering their IP addresses or subnets
This is also where you can select whether you want Windows to pop up a notification to tell you when the firewall blocks a program.
The Advanced tab allows you to select the network connection(s) you want the firewall to protect, as shown in Figure C.
|On the Advanced tab, you can select which network(s) the firewall will protect.|
Here, you can configure simple logging (of dropped packets and/or successful connections) and set the maximum log size. You can also specify how the computer is to respond to ICMP requests. By default, incoming echo requests are allowed and other ICMP requests are disallowed, as shown in Figure D.
|You can specify which types of ICMP requests to allow or disallow.|
There is also a button on this tab that lets you quickly undo all your configuration settings and restore the defaults.
Now we get to the exciting part: the Vista firewall's advanced configuration settings. To view or change them, you must create a custom MMC. Here's how:
- Click Start | Programs | Accessories and select Run.
- Type mmc.exe in the Run box. You may be required to enter administrative credentials or click to authorize running the program.
- In the blank MMC, click File | Add/Remove Snap-in.
- In the Available Snap-ins list, scroll down and select Windows Firewall With Advanced Security. Double-click on it or highlight it and click the Add button.
- In the Select Computer dialog box, accept the default (Local Computer) and click Finish.
- Click OK in the Add/Remove Snap-ins dialog box.
Now you can expand the items in the left console tree, as shown in Figure E, to see the advanced configuration options.
|Use the Vista Firewall With Advanced Security MMC to configure inbound and outbound rules and more.|
Multiple firewall profiles
Your computer can have multiple profiles, depending on whether it's connected to its corporate domain (such as when your laptop is connected at work and logged onto the domain), connected to a private network (such as your home peer-to-peer network), or connected to a public network (such as a wi-fi network at the airport or hotel). Firewall behavior can be different for each profile. Thus, the Windows firewall might be off when connected to the domain, which is protected by a sophisticated perimeter firewall, but on when connected to a private or public network.
To change these settings, click Windows Firewall Properties. On the Domain, Private, and Public Profile tabs, you can turn the firewall on or off and specify whether to block or allow inbound and outbound connections. By default, outbound connections are allowed and inbound are blocked (with exceptions allowed). You can also select to block all connections, including those with exceptions. The Private Profile tab is shown in Figure F. (Options are the same on each profile tab.)
|You can set firewall behavior separately for each profile.|
You can customize settings for each profile by clicking the Customize button. This allows you to control whether to notify the user when inbound connections are blocked and whether to allow unicast response to multicast or broadcast requests. You can also set the logging options on a per-profile basis. (This is the same simple logging of dropped packets and/or successful connections.)
Using the IPSec Settings tab, you can configure settings for IPSec, including Key Exchange, Data Protection, and Authentication Method. By default, all are set to the Default setting, which means that IPSec settings configured at the Group Policy Object level will be used. You can click Custom to configure these settings yourself:
- Key Exchange: You can select the security methods for integrity and encryption and change the order of precedence for the supported methods, as shown in Figure G. You can also select the Key Exchange Algorithm. Diffie-Hellman Group 2 is the default. For highest security, if you're using all Vista systems, you can use Elliptic Curve Diffie-Hellman P-384. You can also set the lifetime of the keys in minutes and sessions.
|You can configure customized key exchange settings.|
- Data Protection: You can select to require the use of data encryption for all IPSec connections (not enabled by default). You can also select the algorithms to be used for data integrity, and for integrity and encryption, as shown in Figure H.
|You can configure the algorithms to be used for data integrity and encryption.|
- Authentication Methods: You can select from among several authentication methods, as shown in Figure I: authenticate both computer and user via Kerberos, authenticate the computer only with Kerberos, authenticate the user only with Kerberos, authenticate the computer with a certificate from a specified CA, or configure custom settings where you can select to authenticate via NTLMv2 or a preshared key. With custom settings, you can configure both a first and second authentication method (unless you select preshared key for the first method, in which case you can't use a second method).
|You can select from several authentication methods or choose to customize authentication settings.|
Computer connection security
Once you've set up the desired profile and IPSec properties, the next step is to configure computer connection security, which determines how and when secure connections are to be created between computers (or groups of computers). To do so, right-click on Computer Connection Security in the left console pane and select New Rule. This opens the New Connection Security Rule Wizard. On the first screen, shown in Figure J, you select the rule type from among the following:
- Isolation: This restricts connections based on such criteria as domain membership or health status.
- Authentication exemption: Specify computers that are exempt from connection authentication.
- Server to server: This rule authenticates connections between computers you specify.
- Tunnel: This rule is used to authenticate connections between gateway systems.
- Custom: If none of the other rule types is appropriate, you can create a custom rule.
|Create connection security rules to govern when and how a secure connection should be established.|
The next step is to specify requirements for the rule. For example, when creating a custom rule, you specify endpoints--that is, which computers are in Endpoint 1 and which are in Endpoint 2. You can specify all computers or you can select individual computers to be included in each Endpoint by IP address or address range. You can also specify a predefined address as one of the endpoints, such as the default gateway, DNS servers, DHCP servers, or the local subnet.
For some rule types, you'll need to set up requirements. For example:
- You can request authentication for all inbound and outbound connections. This means authentication will be used whenever possible, but it's not required.
- You can require authentication for inbound connections and request authentication for outbound connections. Inbound connections that can't be authenticated won't be allowed. Outbound connections will be authenticated if possible.
- You can require authentication for both inbound and outbound connections. No unauthenticated connections will be allowed.
- You can select not to authenticate any connections.
Next, you may need to choose the authentication method as discussed above in the IPSec properties configuration (depending on the type of rule you're creating).
Finally, you select which firewall profile(s) this rule should apply to and give the rule a name and (optionally) a description. Your rule will appear in the middle pane, as shown in Figure K.
|The rules you create appear in the middle pane when you select Computer Connection Security in the left pane.|
You can filter the rules by profile or by state (enabled/disabled). Thus, you can show only the rules that apply to the private profile, for example, or you can show just the rules that have been disabled. You can also customize the columns shown in the middle pane by selecting the View option, as shown in Figure L.
|You can customize the columns to be displayed in the middle pane.|
You can disable or delete a rule at any time by right-clicking on it in the middle pane and selecting Disable Rule or Delete. Disable the rule if you think you'll want to use it again, so you won't have to re-create it later. You can make changes to the rule by right-clicking on it and selecting Properties.
Actions you can take are displayed in the right pane, and you can access them there instead of right-clicking if you prefer.
Creating inbound and outbound rules
To create rules to block or allow connections for specified programs or ports, you can create inbound and outbound rules. There are a number of preconfigured rules, as shown in Figure M, which you can view by clicking Inbound Rules or Outbound Rules in the left console pane.
|The Vista firewall has a number of preconfigured inbound and outbound rules.|
To disable or delete these preconfigured rules, or the rules you create, right-click on the rule or select the appropriate action in the right pane. You can change the rules by selecting Properties, which opens the rule's properties box as shown in Figure N.
|You can make changes to inbound and outbound rules through their properties dialog boxes.|
To create a new inbound or outbound rule, select New Rule from the context menu or the right console pane. This opens a wizard, as shown in Figure O.
|A wizard walks you through the process of creating a new inbound or outbound rule.|
On the first screen, you select whether the rule will apply to a program running on the computer that's running the firewall, a port on that machine, or a Windows service (predefined). You can also create a custom rule. To create a rule to allow a specific program to make connections, select Program and click Next.
On the next screen, you can choose to apply the rule to all programs or to a specific program. To apply the rule to a specific program, type in the path or browse to locate it.
On the next screen, you select the behavior for the firewall when this program attempts to make a connection (in this case, an inbound connection since we're creating an inbound rule). You can choose from the following:
- Allow all connections, both secure and insecure, for this program.
- Allow secure connections only. If you choose this option, you can also choose to require encryption, so that data sent over the connection will be private. If you don't check this box, the connection will require authentication and data integrity but not data privacy. You can also choose to allow the rule to override Block rules. This would be done in the case of remote administration tools, for example.
- Block all connections. This is the setting you'd use if, for instance, you wanted to prevent all incoming connections from a P2P program.
On the next screen, you can apply the rule to any or all of the firewall profiles you have configured for this computer. Again, you'll need to give the rule a name to identify it in the rules list.
You follow basically the same process to create a rule to block or allow a specific port instead of a program, except that you'll need to know the TCP or UDP port number to which you want to apply the rule.
You can create custom rules to apply to specific protocols on specific ports or within specific applications, and you can also specify that the rule apply only to specified endpoints (computers or groups of computers).
One of the most useful features of the Advanced firewall configuration--and a good reason to create the Firewall With Advanced Security MMC even if you don't need to create additional rules--is the monitoring feature. Here, you can view all of the rules and their properties at a quick glance, as shown in Figure P.
|With the monitoring function, you can view all firewall rules and their properties.|
You can export the list of firewall rules to a text (.txt) or comma-delimited (.csv) file by selecting Export List in the right pane.
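Once exported, the rule list can be reviewed with a short script instead of by eye. The Python below is an added example, not part of the original article or of any Microsoft tool; it flags enabled inbound Allow rules that are open to any computer on the Public profile or are not tied to a specific program. The column names and sample rows are assumptions constructed for illustration, modeled on the snap-in's column headings for an Inbound Rules export.

```python
import csv
import io

# Constructed sample of an Export List .csv taken from the Inbound Rules node.
# Column names are assumed to match the snap-in's column headings.
SAMPLE_EXPORT = """\
Name,Profile,Enabled,Action,Program,Local Port,Remote Address,Protocol
File Sharing (constructed),Private,Yes,Allow,System,445,Local subnet,TCP
Admin Tool (constructed),Public,Yes,Allow,C:\\Tools\\admin.exe,Any,Any,TCP
Old P2P Client (constructed),Any,Yes,Block,C:\\Apps\\p2p.exe,Any,Any,Any
Test Web Server (constructed),"Domain, Public",Yes,Allow,Any,8080,Any,TCP
Legacy FTP (constructed),Public,No,Allow,Any,21,Any,TCP
"""


def applies_to_public(profile):
    """True if the Profile column covers the Public profile (or every profile)."""
    names = {p.strip().lower() for p in profile.split(",")}
    return bool(names & {"public", "any", "all"})


def audit_inbound_rules(csv_text):
    """Return (rule name, [reasons]) for enabled Allow rules worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        enabled = row["Enabled"].strip().lower() == "yes"
        allows = row["Action"].strip().lower() == "allow"
        if not (enabled and allows):
            continue  # disabled rules and Block rules open nothing
        reasons = []
        any_remote = row["Remote Address"].strip().lower() == "any"
        if applies_to_public(row["Profile"]) and any_remote:
            reasons.append("open to any computer while on a public network")
        if row["Program"].strip().lower() == "any":
            reasons.append("not limited to a specific program")
        if reasons:
            findings.append((row["Name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_inbound_rules(SAMPLE_EXPORT):
        print(f"{name}: " + "; ".join(reasons))
```

To use it on a real export, read the .csv file's text and pass it to `audit_inbound_rules`, adjusting the column names if your export's headings differ.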
Although at first glance the Vista firewall may appear to be identical to the Windows Firewall in Windows XP Service Pack 2, once you discover the secret of accessing its advanced configuration settings via the MMC snap-in, you'll find it to be far more configurable and functional. At last, Windows comes with a sophisticated personal firewall that can be used to set up outbound rules as well as inbound, with the ability to customize rules to fit your precise needs.
CA: Certification authority; a trusted third-party that issues digital certificates to verify the identity of users and computers.
Exceptions: In the Windows firewall, programs, services, or ports you unblock so their packets can go through.
Firewall profiles: Different firewall configurations for different situations; for example, one profile might be used when connecting to the corporate LAN, another when connected to a home network, and yet another when connected to a public wi-fi hotspot.
ICMP: The Internet Control Message Protocol, used for error reporting and troubleshooting. ICMP echo request and echo reply messages are used by the popular Ping command.
IPSec: Internet Protocol Security, a standard mechanism for providing authentication, integrity, and confidentiality at the network layer to packets while traveling across an IP network.
Kerberos: An authentication standard that works by having a centralized server grant "tickets" that are recognized by other servers hosting resources on the network. Supported by Windows 2000, XP, Server 2003, Vista, and Longhorn, as well as UNIX operating systems.
MMC: Microsoft Management Console, a standardized interface into which you can plug snap-ins to perform different administrative tasks.
NTLM: NT LAN Manager authentication based on a challenge/response process between the client and server. Supported by Windows NT and later Microsoft operating systems. NTLMv2 is a cryptographically stronger version.
Stateful packet filtering: The process of allowing or blocking data packets based on the contents of a "state table" that is maintained by a firewall.