Firewall in Vista

Before you start

Objectives: learn where to find and how to configure Windows Firewall in Vista.

Prerequisites: no prerequisites.

Key terms: firewall, rule, network, settings, profile, traffic, exception, allowed, user, port, advanced


Default Configuration

The default behavior of Windows Firewall in Vista is like XP Firewall. That means that all outbound connections are allowed and the replay traffic is allowed back in. However, all externally initiated traffic coming to the Firewall is blocked.

The difference between the XP version of the Firewall and Windows Firewall in Vista is that in XP there were no outbound rules. There was no way to control outbound traffic. Now, in Windows Firewall we can control outbound traffic. Outbound blocking is off by default, so we need to use the firewall MMC snap-in to configure that.

We can make exceptions to allow certain traffic through the Firewall. For example if we are hosting a Web server or FTP server behind the Firewall, we can allow those exceptions trough the firewall.

To work with Windows firewall with advanced security, we need to use the Windows Firewall MMC snap-in. Here we can get into great detail when customizing the firewall.

Network Location

Great new feature is the ability of blocking the traffic based on the network location type. There are three options for network location type: a domain profile, public profile or a private profile. If we are at work and logged on to an Active Directory domain, we are in the domain profile. In situation like this, it is likely that our Firewall will be turned off to make it easier for administrators at corporate environment to manage our computer. Public profile means that we are connected to a public network and we want to protect ourselves, for example, on the Internet. Private profile is used when we’re not connected to the Internet, perhaps at home or some other small network. Based on the profile we’re in we will have different Windows Firewall settings. We can also configure settings specifically for each profile.

MMC Snap-in

At the Firewall MMC Snap-in we can create very detailed inbound and outbound rules. We can filter our view by profile when we want to work with specific profile, we can enable or disable existing rules, we can require the use of IPsec for certain rules and we can restrict what users and computers are allowed to use. We can also import or export our policy settings from or to other computers. In MMC we also have real-time monitoring capabilities. We can also configure ICMP exceptions. ICMP is a protocol used for common network diagnostic tools such as ping and tracert. By default, incoming ICMP requests are blocked. We can enable Edge Traversal. Edge Traversal allows the application or service to be accessible from outside of a Network Address Translation (NAT) device. We can configure connection-specific rules such as different port exceptions for different interfaces. For example, we can allow Remote Desktop on the wired interface while keeping it blocked on the wireless interface.

Rules

Rules are still based on protocols port numbers and programs. We can specify rules that only apply to certain range of IP addresses. We can also customize them to only apply to certain profiles.

Common Firewall Exceptions

File and Printer Sharing is used to share files stored locally on the computer as well as printers with other users on the network. This exception is useful when we need to share media or other files stored on or printers directly connected to our computer. By default it is disabled, but if we turn on File sharing in Network and Sharing Center, Windows automatically enables this exception in the Firewall.

The Network Discovery exception enables our computer to see and be seen by other computers on the network. This is useful when accessing information on the network on other computers. The enabled status depends on the current network profile. This feature is controlled through the Network and Sharing Center and if modified, it will change the status of this exception in the Firewall.

The Performance Logs and Alerts exception allows non-local computers to view and manage Performance Logs and Alert services, viewable in Windows Firewall with Advanced Security. This is useful for network administrators to remotely troubleshoot performance issues.

The Remote Administration exception allows remote administration tools to work through Windows Firewall, including tools that use Windows Management Instrumentation (WMI), remote procedure calls, and DCOM.

The Windows Remote Management exception allows remote management of the computer by a web-based protocol called WS-Management.

The Remote Assistance exception allows users to view and sometimes control remote desktops. By default this exception is disabled, but is automatically enabled when Remote Assistance is enabled or when a user sends a Remote Assistance request for the first time.

The Remote Desktop exception allows a remote user to log on and access the desktop of a computer, allowing access to all programs and files on the computer. This is disabled by default and must be manually enabled.

The Windows Media Player exception allows users to receive streaming media over an IP network.

The Windows Media Player Network Sharing Service exception allows users to share media on their computer with other network users.

Example Configuration

There are two main areas where we can configure the Windows firewall. The first is the standard view for Windows Firewall. For that we can go to Control Panel > Security > Firewall. Here we can see if our Firewall is turned on or off and change those settings.

Firewall

Image 235.1 – Windows Firewall

We can see that inbound connections that do not have an exception are blocked, which means that any externally initiated traffic coming in is blocked unless we have an exception. Also, by default notification will be displayed when a program is blocked. It would be a good idea to turn that off in corporate environments, so we don’t bother end users with that information. We can also see that our network location is Private network. Firewall will change its settings based on that location type.

Let’s click on ‘Change settings’. On the General tab we can see some common options like to turn Firewall on or off.

Firewall Settings

Image 235.2 – Firewall Settings

We can turn on our Firewall with or without exceptions. We would select ‘Block all incoming traffic connections’ option when we connect to less secure networks. When we select that, all exceptions will be ignored and we will not be notified when Windows Firewall blocks programs. Typical we will leave it to ‘On’. We can see which programs or services are allowed trough a Firewall on the Exceptions tab.

Exceptions Tab

Image 235.3 – Exceptions Tab

On the Exceptions tab we can see a list of programs and ports that are allowed or not allowed trough the firewall (checked programs or ports are allowed). The Exceptions list is initially created based on the services originally installed on our computer. Each time a program attempts Internet access it is added to the list but not allowed unless we grant permission. We can select any entry in the list and click on the Properties button to get more information on what it does, but not in great detail. For example, let’s do that for File and Printer Sharing.

File Sharing Properties

Image 235.4 – File and Printer Sharing Properties

On the Exceptions tab we can also add our own programs or ports which we want to allow trough the Firewall. To add a program click on the ‘Add program…’ button.

Add Program

Image 235.5 – Add Program

If the program is not on the list we can browse for it. Also, Notice the ‘Change scope…’ button.

Scope

Image 235.6 – Scope

In the Change Scope windows we can specify exactly which computers or computers form certain networks are allowed to use particular software. If we select, for instance, the ‘My network (subnet) only’ option, only computers from our local subnet will be allowed to use our software.

On the Exceptions tab we can also add specific port numbers by clicking on the ‘Add port…’ button.

Adding Ports Example

Image 235.7 – Add a Port

We simply enter the application name, enter the port number which the application is using and select the transport layer protocol (TCP or UDP). Here we can also change scope for that particular port.

On the Advanced tab we can see network connections on which we have enabled our Firewall.

Advanced Tab

Image 235.8 – Advanced Tab

Advanced Configuration

All settings mentioned until now are enough for end users. Advanced users should configure Windows Firewall with Advanced Security. We can find those advanced features in the MMC console. Enter mmc in search menu and hit enter. Empty MMC will open up. From the File menu select ‘Add or Remove Snap-ins’, select ‘Windows Firewall with Advanced Security’ and hit OK. We will manage our local computer. The following windows will appear.

Firewall With Advanced Security

Image 235.9 – Firewall With Advanced Security

As we said before, Firewall settings change based on the network location type. Overview window shows us how our firewall will behave in various profiles. Of course, all these settings can be managed trough Group Policies. If we scroll down, we can see that we can set up IPsec connections here.

IPsec

Image 235.10 – IPSec

Here it is referred to as communication authentication or Connection Security Rules, but actually we are configuring IPsec here. IPsec is used to secure IP traffic from one computer to the other.

Notice that on the right-hand side of the Console windows we have Actions. We can import and export all our firewall settings. Also, here we can find the Properties button. We can also go to properties if we right-click on the Windows Firewall with Advanced Security.

Properties

Image 235.11 – Firewall Properties

In the Properties window we can customize settings based on profiles. Notice the Domain, Private and Public Profile tabs. In each profile we can specify the Firewall state (on or off). For example, common settings for Domain Profile could be that the firewall is turned off. This is the case because administrators manage our Firewall from central location. However, in Private and Public profiles we want to have our Firewall turned on. For each profile we can set some customized settings, so let’s click on the Customize button.

Custom Settings

Image 235.13 – Custom Settings

In the Custom Settings windows we can set how notifications are displayed, or how to respond to multicast or broadcast network traffic. Also, we can select how to merge local rules and rules set trough Group Policy. Let’s go back and check out Logging.

Logging

Image 235.14 – Logging

Logging is great for troubleshooting. The default log file is called ‘pfirewall.log’ and we can find it in%windir%\sysstem32\LogFiles\Firewall\pfirewall.log. We can change the default size limit of the file, and what to do with dropped packets and successful connections. In the fourth tab we can see IPsec Settings.

IPsec

Image 235.15 – IPSec Settings Tab

Let’s go back to Domain Profile and turn off our firewall for that profile. When we go back to the Overview window we can see that the Firewall is turned off for Domain Profile.

Firewall Turned Off

Image 235.16 – Firewall Turned Off on Domain Profile

We assume that we have some kind of enterprise firewall protecting our whole network in this case.

On the left-hand size we select to customize our Inbound and Outbound rules. Let’s select Inbound rules.

Inbound Rules

Image 235.17 – Inbound Rules

By default, all externally initiated traffic is blocked unless we have made an inbound rule exception. In contrast, outbound rules are wide opened by default which means that any traffic is allowed out. Now, notice that each rule in Inbound Rules are several times in the list. That’s because settings are set for different profiles. Let’s try and customize some rule. Let’s select Netlogon service, right-click and select Properties.

Netlogon Service

Image 235.18 – NetLogon Service

We can see if it is enabled or not and short description. On the General tab in the Action section we see IPsec related configuration. Also, important tab is Users and Computers.

Computers and Users

Image 235.19 – Users and Computers

This is where we can configure which computers and users are allowed to use this rule. On the Protocols and Ports tab we can see which protocols and which port this rule applies to. On the Scope tab we can set which IP addresses are allowed to use that particular service. On the Advanced tab we can select to which profiles and which interfaces does this rule apply to.

Since there are some settings that we can’t modify because this is a predefined rule, we might want to create our own rule. To do that simply right-click on Inbound Rules and select New Rule, or select New Rule option from the Actions pane. New Inbound Rule Wizard will open.

Rule Wizard

Image 235.20 – Rule Wizard

In the first step we have to select what type of rule we want to create. Our rule can control a program, port, some predefined connections or we can create custom rule. In our case we will select Port and click Next.

Protocol and Ports

Image 235.21 – Protocols and Ports

On the next screen we have to select our protocol, TCP or UDP. We also have to specify port numbers (if our rule doesn’t apply to all ports). We will just enter some example port, choose TCP and click Next. On the next screen we set what to do if the traffic meets specified conditions. In our case we will block the connection and click Next.

Action

Image 235.22 – Action

On the next screen we select which profiles does this rule apply to. We will select all profiles and click Next.

Profiles

Image 235.23 – Profiles

On the next screen we can name our rule and give it short description. In our case we named it Example Block Rule. After that we can click Finish. Notice that in the rule list, our rule has little red icon, which means that it will block the traffic that meets this rule.

Example Block Rule

Image 235.24 – Example Block Rule

Disabled rules are grayed out. Let’s disable our rule now by right-clicking it and selecting Disable Rule.

Disabled Rule

Image 235.25 – Example Block Rule Disabled

Outbound rules function exactly the same way, we just have to set them up.

Remember

Advanced users should configure Windows Firewall with Advanced Security. We can find those advanced features in the MMC console. Firewall settings change based on the network location type. For each network profile we can set customized settings. We can import and export all our Firewall settings. The default log file is called ‘pfirewall.log’. By default, all externally initiated traffic is blocked unless we have made an inbound rule exception. In contrast, outbound rules are wide opened by default which means that any traffic is allowed out. Since there are some settings that we can’t modify because this is a predefined rule, we might want to create our own rule. Rules with red icon are blocking rules. Green icons represent rules which allow traffic. Disabled rules are grayed out.

Paths that are mentioned in this article

  • Control Panel > Security > Firewall – end user application which can be used to configure Firewall
  • %windir%\sysstem32\LogFiles\Firewall\pfirewall.log – default location of the log file called pfirewall.log