Configure Windows Firewall with Advanced Security

Windows Firewall with Advanced Security is a fully integrated and very configurable security solution. In fact, it is two security solutions combined: a host-based firewall and IPsec. Working in conjunction with a perimeter firewall, it provides a layer of security at the OS level. A second advantage of Windows Firewall is protection from attacks from within the network. Because all inbound requests to the server require both a firewall and connection rule, your server is protected from inadvertent attacks from within your organization.

Windows Firewall is a stateful firewall, which means each packet is inspected and allowed or disallowed based on the state of the packet. This is determined by the firewall rules and the connection security rules implemented by Windows Firewall.

Windows Firewall with Advanced Security comes preconfigured, but what if you need to add additional rules for the firewall and for connections to this server? To configure Windows Firewall with Advanced Security, perform the following steps:

1.	From Server Manager, under Security Information, click Go to Windows Firewall. Note Alternatively, you can expand the configuration tree in Server Manager and select Windows Firewall. Or you can select Start, Administrative Tools, Windows Firewall.
2.	On the overview screen that shows the settings for the Domain, Private, and Public profiles (see Figure 1), click Windows Firewall Properties. Figure 11. Overview of Windows Firewall with Advanced Security.
3.	Note that the properties page has four tabs (see Figure 2), where you can set the behavior of Windows Firewall for the three profiles as well as the IPsec settings: Domain Profile: On this tab, you specify the firewall behavior for when a computer is connected to a domain. You can change the firewall state (On or Off) and set how the firewall will handle inbound and outbound connections (Block, Allow, or Block All Connections). You can customize settings for the firewall profile, including displaying notifications, allowing unicast responses, and merging rules. You can also customize logging for the profile, set the name and location of the log, choose the log size, and choose to log dropped and/or successful packets. Private Profile: On this tab, you specify the firewall behavior for when a computer is connected to a private network. You can change the firewall state (On or Off) and set how the firewall will handle inbound and outbound connections (Block, Allow, or Block All Connections). You can customize settings for the firewall profile, including displaying notifications, allowing unicast responses, and merging rules. You can also customize logging for the profile, set the name and location of the log, choose the log size, and choose to log dropped and/or successful packets. Public Profile: On this tab, you specify the firewall behavior for when a computer is connected to a public network. You can change the firewall state (On or Off) and set how the firewall will handle inbound and outbound connections (Block, Allow, or Block All Connections). You can customize settings for the firewall profile, including displaying notifications, allowing unicast responses, and merging rules. You can also customize logging for the profile, set the name and location of the log, choose the log size, and choose to log dropped and/or successful packets. IPsec Settings: In this tab, you can customize the IPsec defaults. You can change and customize the key exchange, data protection, and authentication method. You can also set IPsec exemptions. Figure 2. Connection profiles properties page.

Customize settings here, as needed. (We recommend that you leave the firewall profiles active and use the firewall and connection rules.)

Create Inbound and Outbound Rules

If you expand the Windows Firewall and Advanced Security console tree and highlight Inbound or Outbound Rules, you will notice that Windows Server 2008 has already predefined rules for Windows Firewall. The number of rules defined depends on which roles and features have been installed. From the Action menu, you can filter the results by profile, state, and group. Here’s how you create inbound and outbound rules:

1.	To create a new firewall rule, click New Rule.
2.	When the New Inbound/Outbound Rule Wizard begins, choose which type of rule to create: Program: Rules that control connections for a program Port: Rules that control connections for a TCP or UDP port Predefined: Rules that control connections for a Windows experience Custom: A customized rule based on all or part of the previous three types Choose the custom rule type (this will allow you to see the set up options for all the rule types) and click Next.
3.	On the next screen, apply the rule to all programs, apply the rule to a specific program path (for example, <c:\path\executable>), or apply the rule to a service. You can customize service rules as well, applying them to all programs and services, to services only, or to a specific service. After you choose how you want to apply this rule, click Next.
4.	In the Protocol and Ports screen, choose the protocol type, local port, and remote port. (If you choose ICMP, you can customize ICMP types.) Click Next.
5.	Choose the scope for this rule. You can choose to apply the rule to any IP address, a single IP address, a subnet, or a range of IP addresses. The scope is set for local and remote connections. You can also customize the interface types, choosing to apply the rule to all interfaces or specifying local area network, remote access, or wireless. Choose the scope settings for your rule and click Next.
6.	In the next screen, note that you have the following options: Allow the Connection: Allows connections, regardless of whether they have been protected by IPsec. Allow the Connection if It Is Secure: Allows only connections that have been authenticated and protected with IPsec. In addition, you can choose to require the connection to be encrypted. You can also override block rules (only for inbound rules). Note If you choose the option Allow the Connection if It Is Secure, you also need to specify authorized computers or computer groups for inbound rules. In addition, you need to choose authorized computers if this is selected for an outbound rule. Block the Connection: Does not accept any connection to this port, service, or program. In this case, choose Allow the Connection if It Is Secure and click Next.
7.	Choose the computers and users that will be allowed to connect to this computer using this inbound rule and click Next.
8.	Choose when this rule applies by choosing a profile. Again, the profile types are Domain, Private, and Public. Click Next.
9.	Name this inbound rule and provide an optional description that will help you identify this inbound rule on your network. Click Finish.

After the rule is created, you can change any of the settings you configured by clicking the properties page in the Actions pane. You can also set an option that is not available while you are creating the rule: You can allow edge traversal (see Figure 3). You can also disable this inbound rule from the Action menu.

Figure 3. A rule properties page with advanced settings shown.

Create Connection Security Rules

Along with the Windows Firewall rules, you can set connection security rules. Expand the Windows Firewall and Advanced Security console tree and highlight Connection Security Rules. In the Action menu, you can filter these rules by profile and by state. To create a new connection security rule, follow these steps:

1.	Select Action, New Rule. There are five different connection security rule types to choose from: Isolation: Restrict connections based on authentication prerequisites (for example, health status, domain membership). Authentication Exemption: Do not authenticate connections from specified computers. Server-to-Server: Authenticate connections between specified servers. Tunnel: Authenticate a connection between gateway computers. Custom: Create custom authentication and endpoint criteria for connection security (see Figure 4). Figure 4. The New Connection Security Rule Wizard. Choose Custom to create a custom rule and click Next.
2.	Select the endpoints for a secured connection. These are set as endpoint 1 and endpoint 2. (For tunnel endpoints, you need to provide the IP address for the tunnel computers closest to endpoint 1 and endpoint 2.) You can also customize the interface types, choosing to apply the rule to all interfaces or specifying local area network, remote access, or wireless. Choose the endpoint settings for your rule and click Next.
3.	In the requirements page, select one of the four choices: Request Authentication for Inbound and Outbound Connections: Authenticates whenever possible, but authentication is not required. Require Authentication for Inbound Connections and Request for Outbound Connections: Inbound connections must be authenticated. Outbound connections are authenticated whenever possible, but authentication is not required. Require Authentication for Inbound and Outbound Connections: Both inbound and outbound connections must be authenticated. Do Not Authenticate: No authentication is necessary for connections. Click Next.
4.	On the authentication methods page, choose one of the five choices: Default: Uses the method specified in the profile properties page. Computer and User (Kerberos V5): Restricts communications to connections from domain-joined users and computers. Computer (Kerberos V5): Restricts communications to connections from domain-joined computers. Computer Certificate: Restricts communications to connections from computers that have a certificate from a specified CA. Advanced: Allows you to choose two authentication methods. You also have the option of making either the first or second authentication method optional. Click Next.
5.	Specify when this connection security rule applies by choosing a profile. Again, the profile types are Domain, Private, and Public. Click Next.
6.	In the final step, name this connection security rule and provide an optional description that will help identify this inbound rule on your network. Click Finish.

When the connection security rule is created, you can change any of the settings you configured by clicking the properties page in the Actions pane. You can also disable this connection security rule from the Action menu.

Monitor Windows Firewall and Advanced Security

After you add inbound and outbound rules and set up connection security rules for Windows Firewall, you can then monitor these, along with the predefined rules established by Windows Server 2008. Expand the console tree under Windows Firewall with Advanced Security and click Monitoring.

When you expand the console tree, you see three more monitoring options:

• Firewall: Monitors all active firewall rules for the active profiles. Also monitors firewall rules distributed by GPOs.

• Connection Security Rules: Monitors all enabled connection rules. Also provides detailed information about those connections.

• Security Associations (SA): Monitors communications from senders and receivers, based on the security connections rules defined to create the SA. Monitoring SAs consist of two types: Main Mode and Quick Mode. Both provide a view of the IP address of each endpoint.

Policies that are created using the IPsec Security Policy snap-in cannot be monitored using this tool.