programming4us

Server 2008 : Using the Integrated Windows Firewall with Advanced Security

Windows Server 2008 R2 includes a vastly improved integrated firewall that is turned on by default in all installations of the product. The firewall, administered from an MMC snap-in shown in Figure 1 (Start, All Programs, Administrative Tools, Windows Firewall with Advanced Security), gives unprecedented control and security to a server.

Figure 1. Using the integrated Windows Firewall with Advanced Security.

Understanding Windows Firewall Integration with Server Manager

Windows Firewall with Advanced Security is fully integrated with the Server Manager utility and the Server Roles Wizard. For example, if an administrator runs the Server Roles Wizard and chooses to make the server a file server, only then are the ports and protocols required for file server access opened on the server.

Note

It is instinctual for most administrators to disable software firewalls on servers, as they have caused problems with functionality in the past. This is not recommended in Windows Server 2008 R2, however, as the product itself is tightly integrated with its firewall, and the firewall itself provides for a much greater degree of security than previous versions of Windows Server provided.


Creating Inbound and Outbound Rules on the Windows Firewall

In certain cases, when a third-party application is not integrated with Server Manager, or when specific individual ports need to be opened, it might become necessary to create firewall rules for individual services to run properly. Both inbound rules, addressing traffic to the server, and outbound rules, addressing how the server can communicate out, can be created. Rules can be created based on the following factors:

  • Program— A rule can be created that allows a specific program executable access. For example, you can specify that the c:\Program Files\Custom Program\myprogram.exe file has full outbound access when running. Windows Firewall then allows any type of connection made by that program. This can be useful in scenarios when a specific application server uses multiple varied ports, but the overall security that the firewall provides is still desired.

  • Port— Entering a traditional UDP or TCP port into the Add Rules Wizard is supported. This covers traditional scenarios such as “We need to open Port 8787 on the server.”

  • Predefined— Windows Server also has built-in, predefined rules, such as those that allow AD DS, DFS, BITS, HTTP, and many more. The advantage to using a predefined rule is that Microsoft has done all the legwork in advance, and it becomes much easier to allow a specific service.

  • Custom— The creation of custom rule types not covered in the other categories is also supported.

For example, the following procedure details the creation of an inbound rule to allow a custom application to use TCP Port 8787 for inbound communication:

1. Open the Windows Firewall MMC (Start, All Programs, Administrative Tools, Windows Firewall with Advanced Security).

2. Click on the Inbound Rules node in the node pane.

3. In the Actions pane, click the New Rule link.

4. On the Rule Type page of the New Inbound Rule Wizard, shown in Figure 2, select Port to create a rule based on the port, and click Next to continue.

Figure 2. Creating a rule on the Windows Firewall.

5. On the Protocol and Ports page, shown in Figure 3, select TCP, and enter 8787 in the Specific Local Ports field. Click Next to continue.

Figure 3. Entering port information for the firewall rule.

6. On the Action page, select Allow to enable the connection.

Note

The Action page of the New Inbound Rule Wizard also allows for a rule to be configured that only allows the connection if it is secured using IPSec technologies.

7. On the Profile page, shown in Figure 4, select all three check boxes. The Profile page enables an administrator to specify that a rule applies only when the server is connected to specific networks. Click Next to continue.

Figure 4. Specifying the profile of a firewall rule.

8. Enter a descriptive name for the rule, and click Finish.

Review the rule settings in the Inbound Rules node, shown in Figure 5. This allows for a quick-glance view of the rule settings. You can also include a rule in a rule group, which allows for multiple rules to be tied together for easy on/off application.

Figure 5. Viewing the firewall rules.
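
The procedure above, scripted, as an added example that is not part of the original article: it creates the same TCP 8787 inbound rule with `netsh advfirewall` and reads it back through the `HNetCfg.FwPolicy2` COM object to show which profiles and remote addresses the rule covers. The rule name `CustomApp-TCP8787-In` is a constructed value, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example, not from the original article. Run from an elevated prompt.
# $ruleName is a constructed value standing in for the descriptive name of step 8.
$ruleName = 'CustomApp-TCP8787-In'

# The firewall COM API (HNetCfg.FwPolicy2) exposes the same rule store as the MMC.
$policy = New-Object -ComObject HNetCfg.FwPolicy2

# netsh adds a second rule if a name is reused, so create the rule only when absent.
$existing = @($policy.Rules | Where-Object { $_.Name -eq $ruleName })
if ($existing.Count -eq 0) {
    # Steps 4-7: Port rule, TCP 8787, Allow, all three profiles.
    # Arguments are passed as an array so PowerShell does not split on the commas.
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$ruleName",
                   'dir=in', 'action=allow', 'protocol=TCP', 'localport=8787',
                   'profile=domain,private,public')
    & netsh $netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
}

# Read the rule back, as the Inbound Rules node displays it, and flag the widest
# exposure: reachable on the Public profile from any remote address.
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$report = foreach ($rule in $policy.Rules) {
    if ($rule.Name -ne $ruleName) { continue }
    # Profiles is a bitmask: Domain = 1, Private = 2, Public = 4.
    $profiles = @()
    if ($rule.Profiles -band 1) { $profiles += 'Domain' }
    if ($rule.Profiles -band 2) { $profiles += 'Private' }
    if ($rule.Profiles -band 4) { $profiles += 'Public' }
    $onPublic = (($rule.Profiles -band 4) -ne 0)
    New-Object PSObject -Property @{
        Name       = $rule.Name
        Enabled    = $rule.Enabled
        Inbound    = ($rule.Direction -eq 1)       # 1 = inbound, 2 = outbound
        Allow      = ($rule.Action -eq 1)          # 1 = allow, 0 = block
        Protocol   = $rule.Protocol                # 6 = TCP, 17 = UDP
        LocalPorts = $rule.LocalPorts
        Profiles   = ($profiles -join ',')
        RemoteAddr = $rule.RemoteAddresses         # '*' means any address
        PublicAny  = ($onPublic -and ($rule.RemoteAddresses -eq '*'))
    }
}
$report | Format-List Name, Enabled, Inbound, Allow, Protocol, LocalPorts,
                      Profiles, RemoteAddr, PublicAny

# To narrow the rule afterwards, for example to the Domain profile only:
#   netsh advfirewall firewall set rule name=CustomApp-TCP8787-In new profile=domain
```

A `PublicAny` value of `True` means the port accepts connections from any address while the server is on a network classified as Public.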

Using the integrated Windows Firewall is no longer just a good idea; it’s a vital part of the security of the product. The addition of the ability to define rules based on factors such as scope, profile, IPSec status, and the like further positions the Server OS as one with high levels of integrated security.
