MCTS 70-680: Windows Firewall with Advanced Security


Uploaded by itfreetraining on 23.10.2011

Transcript:
Welcome back to free Windows 7 training. In the last video we
looked at the basic configuration options for the Windows firewall. The basic configuration
works well until you need to do something more advanced.
To perform more advanced configuration you will need to use the Windows Firewall with Advanced Security tool. In previous versions of Windows such as Windows Vista and Windows XP you could configure port exceptions using the basic firewall tool. In Windows 7 this has been removed from the basic tool; to configure port exceptions you now need to use the advanced tool. In most cases you can get around this by creating exceptions based on the program instead. A program exception has the added bonus that you do not have to know which port or ports the program uses.
Windows Firewall with Advanced Security also gives you more granular control over the rules the firewall uses. For example, you can allow only traffic that comes from a certain IP address. It also gives you control over the outbound rules, not just the inbound rules that the basic tool exposes. Once you have configured the firewall the way you want it, you may want to use the same settings on another computer. With the advanced tool you can export the firewall settings so they can be imported on another computer. These settings can also be imported into Group Policy, which means you can configure one computer the way you want and then deploy those settings to all computers on your network. Let's have a look at how to configure Windows Firewall with Advanced Security.
To access the advanced tool, first I will open the basic tool from the Control Panel by opening System and Security and then Windows Firewall. From here, all I need to do is select Advanced settings from the left-hand side.
First of all I will open the properties for Windows Firewall with Advanced Security. From here you can set the default behaviour for inbound and outbound connections. By default the firewall blocks incoming connections unless a rule has been created to allow the traffic in. If you are connected to an unsecured network such as a wireless hotspot at an airport, you may want to select the option Block all connections; unlike the default, this also ignores any inbound allow rules. By default outbound connections are allowed, however you can change this to block. Doing this on most computers would be pointless, as it would stop the computer from accessing the network unless you also create outbound allow rules for everything it needs, but in some locked-down cases you may want to do this.
The first tab holds the settings for the domain profile. To change the settings for other locations it is just a matter of selecting the Private Profile or Public Profile tab at the top; each profile has its own defaults. The last tab is IPsec Settings. If you select the Customize button you can configure how IPsec will operate.
It is beyond the scope of this course to go into too much detail about the IPsec options, and in most cases the defaults work fine. If you have a non-Microsoft IPsec device on your network you may need to change some options in here, such as the authentication or key exchange methods, to make it interoperate. You may be wondering what IPsec has to do with the Windows firewall. With Windows 7, IPsec has been integrated into the firewall, which makes it a lot easier to configure. To understand why, consider this network.
The problem occurs when you want to use IPsec to encrypt network traffic through a firewall that is not IPsec-aware. Look what happens when you simply open the ports for IPsec in such a firewall: any data traveling over the IPsec connection bypasses the firewall's rules, because the firewall only sees the protected wrapper and not the traffic inside it. That means any malware on the other side of the IPsec connection can use the IPsec connection to reach your computer.
To fix this problem, IPsec and the other connections to your computer are configured inside the Windows firewall interface, and the firewall filters the traffic after IPsec has verified and decrypted it. This means any traffic traveling over an IPsec connection is subject to the same firewall rules as any other network data, so malware attempting to travel over an IPsec connection is stopped by the same inbound rules that would stop it on a plain connection.
If I now go back to Windows Firewall with Advanced Security, the last IPsec option you may want to configure is Exempt ICMP from IPsec. Allowing ICMP outside IPsec lets troubleshooting tools like ping work even while IPsec negotiation is failing, which makes troubleshooting IPsec problems a lot easier.
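The profile defaults from the Properties dialog and the ICMP exemption above can also be set from the command line, which is how you would script them on Windows 7 (netsh advfirewall ships with the OS; the NetSecurity PowerShell module does not). The following is an added example and not part of the video; it assumes an elevated prompt, that the public profile should be hardened for hotspot use while domain and private keep the defaults, and that the combined exemption value for defaultexemptions is accepted as a comma-separated list.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt on Windows 7.

function Invoke-AdvFirewall {
    # Runs one "netsh advfirewall ..." command and throws if netsh rejects it.
    param([string[]]$NetshArgs)
    $out = & netsh advfirewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($NetshArgs -join ' ') failed: $out" }
    $out
}

function Set-ProfileDefaults {
    # Domain and private keep the Windows 7 defaults: block unsolicited inbound, allow outbound.
    foreach ($p in 'domainprofile', 'privateprofile') {
        Invoke-AdvFirewall @('set', $p, 'firewallpolicy', 'blockinbound,allowoutbound') | Out-Null
    }
    # Public: the GUI's "Block all connections" is blockinboundalways, which also ignores
    # inbound allow rules. Outbound stays allowed; blockoutbound would cut the computer off
    # unless every program it needs had its own outbound allow rule.
    Invoke-AdvFirewall @('set', 'publicprofile', 'firewallpolicy', 'blockinboundalways,allowoutbound') | Out-Null
    Invoke-AdvFirewall @('set', 'allprofiles', 'state', 'on') | Out-Null
}

function Set-IcmpExemptFromIpsec {
    # Same effect as ticking "Exempt ICMP from IPsec", so ping works while IPsec is broken.
    # Assumption: the comma-separated value is accepted and the default dhcp and
    # neighbordiscovery exemptions should be kept alongside icmp.
    Invoke-AdvFirewall @('set', 'global', 'ipsec', 'defaultexemptions', 'neighbordiscovery,dhcp,icmp') | Out-Null
}

function Get-ProfilePolicy {
    # Reads the configured default actions back from "show allprofiles" as a hashtable,
    # e.g. Public -> BlockInboundAlways,AllowOutbound.
    $result = @{}; $name = $null
    foreach ($line in (Invoke-AdvFirewall @('show', 'allprofiles'))) {
        if ($line -match '^(\w+) Profile Settings:') { $name = $matches[1] }
        elseif ($name -and $line -match '^Firewall Policy\s+(\S+)') { $result[$name] = $matches[1] }
    }
    $result
}

# Usage:
#   Set-ProfileDefaults; Set-IcmpExemptFromIpsec
#   Get-ProfilePolicy      # verify all three profiles read back as expected
```

Get-ProfilePolicy is the check: after changing defaults, read them back rather than trusting the dialog, because a Group Policy setting can override the local value and the local tool will show the GPO value instead.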
The next area I want to look at is the inbound rules. Any rule that is enabled is shown in green and any that is disabled is shown in grey. If I select the rules for File and Printer Sharing you will notice that there are a lot of them.
In the basic Windows Firewall control panel you only have one option to enable file and printer sharing. Windows Firewall with Advanced Security gives you a lot more granular control over what you want to enable through the firewall.
For example, when you enable file sharing in the basic tool you also enable Echo Request, which means the computer will respond to ping requests. If you just want file and printer sharing and don't want pings responded to, enable all the other rules in the group and leave the Echo Request rules disabled. Notice that there are four entries for Echo Request. Looking closer there are in fact only two rules, one for IP version 4 and one for IP version 6. The entries are duplicated because a copy has been created for each profile, in this case the domain and private profiles.
The same applies if I wanted to enable file sharing but not printer sharing. You would simply enable the file sharing rules and leave the Spooler Service rules disabled, like this.
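Scripting the same selective enabling, as an added example that is not from the video: the rule group is switched on for every profile it exists in, then the copies you do not want (Echo Request, and the Spooler Service rules when printer sharing is not wanted) are switched off again, and a small parser of "show rule" output shows why one rule appears several times in the console. It assumes an elevated prompt and the Windows 7 rule display names quoted in the code.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt on Windows 7.

function Invoke-AdvFirewall {
    # Runs one "netsh advfirewall ..." command and throws if netsh rejects it.
    param([string[]]$NetshArgs)
    $out = & netsh advfirewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($NetshArgs -join ' ') failed: $out" }
    $out
}

function Get-RuleCopies ([string]$Name) {
    # Parses "show rule" output into one object per copy. A rule defined for several
    # profiles is listed once per profile, which is why Echo Request shows up four times
    # (ICMPv4 and ICMPv6, each for the domain and private profiles).
    $copies = @(); $current = $null
    foreach ($line in (Invoke-AdvFirewall @('firewall', 'show', 'rule', "name=$Name"))) {
        if ($line -match '^Rule Name:\s+(.+?)\s*$') {
            $current = New-Object PSObject -Property @{ Name = $matches[1]; Profiles = ''; Enabled = '' }
            $copies += $current
        }
        elseif ($current -and $line -match '^Profiles:\s+(.+?)\s*$') { $current.Profiles = $matches[1] }
        elseif ($current -and $line -match '^Enabled:\s+(\w+)')      { $current.Enabled  = $matches[1] }
    }
    $copies
}

function Enable-FileSharing {
    param([switch]$PrinterSharing, [switch]$AnswerPing)
    # Enable every rule in the group, for every profile it is defined in...
    Invoke-AdvFirewall @('firewall', 'set', 'rule', 'group=File and Printer Sharing', 'new', 'enable=yes') | Out-Null
    # ...then switch off the copies we do not want. "set rule name=" hits every profile copy.
    $off = @()
    if (-not $AnswerPing) {
        $off += 'File and Printer Sharing (Echo Request - ICMPv4-In)',
                'File and Printer Sharing (Echo Request - ICMPv6-In)'
    }
    if (-not $PrinterSharing) {
        $off += 'File and Printer Sharing (Spooler Service - RPC)',
                'File and Printer Sharing (Spooler Service - RPC-EPMAP)'
    }
    foreach ($name in $off) {
        Invoke-AdvFirewall @('firewall', 'set', 'rule', "name=$name", 'new', 'enable=no') | Out-Null
    }
    $off   # the rules that were left disabled
}

# Usage:
#   Enable-FileSharing                      # SMB file sharing only: no ping replies, no spooler
#   Enable-FileSharing -PrinterSharing      # add printer sharing, still no ping replies
#   Get-RuleCopies 'File and Printer Sharing (Echo Request - ICMPv4-In)' | Format-Table Name, Profiles, Enabled
```

Enabling by group first and then disabling by name is deliberate: the group switch is the only operation that reliably covers every rule Windows ships in the group, and disabling by name touches all profile copies at once, so you cannot end up with ping answered on the private profile but not the domain profile by accident.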
You will also notice a section for outbound rules. The Windows 7 firewall is bi-directional, so you can create rules to allow or block outgoing traffic as well as incoming traffic. If I right-click on Inbound Rules I can select the option New Rule.
On the first screen of the New Rule Wizard I can select which type of rule I want to create. The default is a program rule. With a program rule, any inbound connection to that program is allowed through the firewall, on whatever ports the program happens to listen on.
The next option is a port rule. For example, if you wanted to allow all web traffic in you could create a port rule for TCP port 80. This means any software listening on port 80 will be reachable through the firewall. The advantage of a port rule is that if malware attached itself to that software it would only be able to use port 80. With a program rule, malware running as that program can listen on any port it wants, since the Windows firewall considers the program trusted.
If you are not sure which port you need to open, or multiple ports are required, you can try the Predefined option, which covers a lot of the commonly used services. For example, if I wanted to enable traffic for the iSCSI Service I could select it here.
In this case I will select the option Custom as this gives me the most options. On this screen you can select the program the rule will apply to. For example, if I wanted to stop the user browsing the internet I could select the Internet Explorer executable. The problem with this approach is that the user could install another browser such as Firefox and bypass the rule. For this example I will leave it on All programs and move on.
On the next screen you can select the protocol the rule will apply to. In this case I will select TCP, which means the rule applies to TCP traffic regardless of whether it is carried over IP version 4 or IP version 6. The next option allows you to select the local port. Setting a local port is useful if you want to allow a service in or block it from coming in. In this case I want to stop the user reaching port 80 on another computer, so I need to set port 80 in the remote port section.
On the next screen I can set the local and remote IP addresses the rule will apply to. In this case, if I wanted to make sure that users only access the internet by going through my proxy server, I would scope the rule here. One caveat: in Windows Firewall a block rule takes precedence over an allow rule, so you cannot block port 80 to everything and then add an allow rule for the proxy. Either leave the proxy's address out of the block rule's remote addresses, or run the proxy on a port the block rule does not cover.
The next screen determines whether the rule is an allow rule or a block rule. Notice also the option Allow the connection if it is secure. This means traffic will only be allowed if it comes over a connection protected by an IPsec connection security rule. In this example I want to block traffic, so I will select Block the connection.
The next screen determines which profiles this rule applies to. In this case I will configure this rule to apply only to the public profile. This means that when the user is connected to an internal network (domain or private profile) the rule does not apply, so they can still reach my internal web server, or the internet via my proxy server.
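The same outbound block rule, before the final naming step, expressed with netsh advfirewall as an added example that is not from the video. It assumes an elevated prompt, a proxy at 10.0.0.10 listening on TCP 3128 (both made up for the example), and that the rule should cover the public profile only. Because block rules beat allow rules, the proxy is kept out of the rule's remote address scope rather than "allowed back in" with a second rule.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt on Windows 7.
# Assumed proxy: 10.0.0.10 on TCP 3128 (hypothetical values).

function Invoke-AdvFirewall {
    # Runs one "netsh advfirewall ..." command and throws if netsh rejects it.
    param([string[]]$NetshArgs)
    $out = & netsh advfirewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($NetshArgs -join ' ') failed: $out" }
    $out
}

function ConvertTo-IPv4Number ([string]$Address) {
    # Dotted quad -> 32-bit integer, without -shl so it also runs on PowerShell 2.0.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [uint32]([long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3])
}

function ConvertFrom-IPv4Number ([uint32]$Number) {
    '{0}.{1}.{2}.{3}' -f @(
        [math]::Floor($Number / 16777216),
        [math]::Floor(($Number % 16777216) / 65536),
        [math]::Floor(($Number % 65536) / 256),
        ($Number % 256))
}

function Get-ScopeExcluding ([string]$Address) {
    # Builds a remoteip list covering the unicast IPv4 space except $Address, e.g.
    # 1.0.0.0-10.0.0.9,10.0.0.11-223.255.255.255 for 10.0.0.10.
    $n     = ConvertTo-IPv4Number $Address
    $first = ConvertTo-IPv4Number '1.0.0.0'
    $last  = ConvertTo-IPv4Number '223.255.255.255'
    if ($n -le $first -or $n -ge $last) { throw "unsupported proxy address $Address" }
    '{0}-{1},{2}-{3}' -f @('1.0.0.0', (ConvertFrom-IPv4Number ($n - 1)),
                           (ConvertFrom-IPv4Number ($n + 1)), '223.255.255.255')
}

function Add-DirectWebBlockRule {
    param([string]$ProxyAddress = '10.0.0.10',
          [string]$RuleName = 'Block direct web access (public profile)')
    $scope = Get-ScopeExcluding $ProxyAddress
    # dir=out + action=block is the wizard's outbound block rule; remoteport is the
    # "remote port" field; profile=public limits it to untrusted networks.
    # This scope is IPv4 only: on an IPv6 network add a second rule with an IPv6 range.
    Invoke-AdvFirewall @('firewall', 'add', 'rule', "name=$RuleName", 'dir=out', 'action=block',
        'protocol=TCP', 'remoteport=80,443', "remoteip=$scope", 'profile=public', 'enable=yes') | Out-Null
    $scope
}

function Remove-DirectWebBlockRule ([string]$RuleName = 'Block direct web access (public profile)') {
    Invoke-AdvFirewall @('firewall', 'delete', 'rule', "name=$RuleName", 'dir=out') | Out-Null
}

# Usage:
#   Add-DirectWebBlockRule                   # returns the remoteip scope that was applied
#   netsh advfirewall firewall show rule name="Block direct web access (public profile)"
#   Remove-DirectWebBlockRule
```

Scoping by program (iexplore.exe) is left out on purpose: as the video notes, another browser bypasses it, whereas a port and address scope applies to every program on the computer.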
Lastly I can set a name for the rule and press Finish. You can also create connection security rules. To do this, all I need to do is right-click on Connection Security Rules and start the wizard. The first option in the wizard creates an isolation rule.
An isolation rule restricts connections based on whether the other computer meets certain criteria, for example that it is a member of the domain and can authenticate with Kerberos. The name is a little confusing: it is supposed to mean that a computer which does not meet the criteria is isolated. In the real world this is not really the case. It simply means that such a computer cannot communicate with you over the protected connection, but it can still communicate over any other traffic the firewall allows.
The next option creates an authentication exemption. This is the opposite of an isolation rule: the computers you list are exempted from the authentication your other connection security rules require, so traffic to and from them is sent without IPsec. It is normally used for infrastructure such as DHCP or DNS servers that cannot do IPsec. The exemption is matched on IP address only, and IP addresses can be spoofed, so this kind of exception is considered weak and should be kept as small as possible.
The server-to-server option lets you specify the addresses at both ends of the connection. These could, as the name suggests, be servers, but also subnets or groups of computers. The Tunnel option is used when you want IPsec to use tunnel mode instead of transport mode. In transport mode the original IP header is kept and only the payload is protected, so it is used end-to-end between the two computers that are talking. In tunnel mode the whole IP packet is encapsulated inside a new packet addressed to the tunnel endpoint, which must decapsulate it and forward it on, so it is used to send traffic through a gateway rather than to it.
In this case I will select Custom so you can see more options. On this screen you can enter the endpoint or endpoints that the rule applies to, in other words where the traffic can come from and where it can go.
On the next screen you can determine when authentication will be used, if at all. You even have the option of requesting it and falling back to clear communication if the other side does not support it. In this case I will select require authentication for inbound connections but only request it for outbound connections. This means any matching traffic coming into the computer must be authenticated with IPsec, while traffic going out will only be protected if the other computer supports it. Note that authentication is not the same as encryption: by default these rules give you integrity protection only, and the data is encrypted only if the IPsec settings in the firewall properties are configured to require encryption.
On the next screen you can configure which type of authentication to use. By default computer Kerberos authentication is used. If you want to use other methods, such as certificates or a preshared key, you can select Advanced, for example if you need to connect to third-party network devices that are not domain members.
The next screen lets you set the protocol and ports. In this case I will select TCP and port 23. Port 23 is the Telnet port, which is not encrypted, so this rule will attempt to protect Telnet data with IPsec where possible. Lastly I can select the profile, which I will leave on the default, and finally enter a name for the rule.
Now that the rule is created you may want to export the settings. To do this, right-click Windows Firewall with Advanced Security and select Export Policy. Once exported, these settings can be imported on another computer. Be aware that importing replaces that computer's whole firewall policy rather than merging with it. Group Policy uses the same interface, so you can also import the settings into a Group Policy Object and apply them to your domain.
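The connection security rule and the export/import step, scripted with netsh advfirewall as an added example that is not from the video. It assumes an elevated prompt, that endpoint 1 is the side running the Telnet service, the wizard's default of computer Kerberos authentication, and a hypothetical share path for the exported policy file.

```powershell
# Added example, not from the video. Run from an elevated PowerShell prompt on Windows 7.

function Invoke-AdvFirewall {
    # Runs one "netsh advfirewall ..." command and throws if netsh rejects it.
    param([string[]]$NetshArgs)
    $out = & netsh advfirewall @NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh advfirewall $($NetshArgs -join ' ') failed: $out" }
    $out
}

function Add-TelnetIpsecRule ([string]$RuleName = 'Protect Telnet with IPsec') {
    # endpoint1/port1 is the side running the Telnet service (TCP 23); endpoint2 is any client.
    # requireinrequestout: inbound connections to port 23 must authenticate with IPsec,
    # outbound connections request it and fall back to clear text if the peer cannot.
    # auth1=computerkerb is the wizard's default (computer Kerberos v5).
    # This gives integrity protection only; encryption also needs a qmsecmethods value,
    # whose exact format should be taken from "netsh advfirewall consec add rule ?".
    Invoke-AdvFirewall @('consec', 'add', 'rule', "name=$RuleName", 'endpoint1=any', 'endpoint2=any',
        'action=requireinrequestout', 'protocol=tcp', 'port1=23', 'port2=any',
        'auth1=computerkerb', 'profile=any') | Out-Null
    $RuleName
}

function Export-LocalFirewallPolicy ([string]$Path) {
    # Equivalent of right-click > Export Policy; writes a .wfw file and returns $true if it exists.
    Invoke-AdvFirewall @('export', $Path) | Out-Null
    Test-Path $Path
}

function Import-LocalFirewallPolicy ([string]$Path, [string]$BackupPath) {
    # Equivalent of Import Policy. This REPLACES the target's whole policy (rules and
    # profile settings), it does not merge, so the current policy is exported first.
    if (-not (Test-Path $Path)) { throw "policy file $Path not found" }
    if ($BackupPath) { Export-LocalFirewallPolicy $BackupPath | Out-Null }
    Invoke-AdvFirewall @('import', $Path) | Out-Null
}

# Usage (paths are hypothetical):
#   Add-TelnetIpsecRule
#   netsh advfirewall consec show rule name="Protect Telnet with IPsec"
#   Export-LocalFirewallPolicy "$env:TEMP\win7-firewall.wfw"
#   # on the other computer:
#   Import-LocalFirewallPolicy '\\fileserver\policies\win7-firewall.wfw' "$env:TEMP\before-import.wfw"
```

The backup in Import-LocalFirewallPolicy is the check a practitioner wants: because import overwrites rather than merges, any locally created rules on the target disappear, and the exported copy is the only way to get them back.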
That’s it for the Windows firewall. In the next video I will look at how you can configure
remote management to support your Windows 7 computers. If you are after more videos,
exam questions and study guides have a look at our web site. Thanks for watching.