Using Windows Firewall With Advanced Security console

The Windows Firewall control panel is designed to enable administrators and advanced users to manage basic firewall settings. For full access to the Windows Firewall configuration settings, you must use the Windows Firewall With Advanced Security snap-in for the MMC.
To open the console, open Server Manager and, from the Tools menu, select Windows Firewall With Advanced Security. The Windows Firewall With Advanced Security console opens, as shown in Figure 1.


FIGURE 1 The Windows Firewall With Advanced Security console

Configuring profile settings

At the top of the Windows Firewall With Advanced Security console’s middle pane, in the Overview section, there are status displays for the computer’s three network location profiles.
If you connect the computer to a different network (which is admittedly not likely with a server), Windows Firewall can load a different profile and a different set of rules.
The default Windows Firewall configuration calls for the same basic settings for all three profiles, as follows:

  • The firewall is turned on.
  • Incoming traffic is blocked unless it matches a rule.
  • Outgoing traffic is allowed unless it matches a rule.

You can change this default behavior by clicking the Windows Firewall Properties link, which displays the Windows Firewall With Advanced Security On Local Computer dialog box.
In this dialog box, each of the three network location profiles has a tab with identical controls that enable you to modify the default profile settings. You can, for example, configure the firewall to shut down completely when the computer is connected to a domain network, and you can configure the firewall to turn on with its most protective settings when you connect the computer to a public network. You can also configure the firewall’s notification options, its logging behavior, and how it reacts when rules conflict.
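The same profile settings can be applied and verified without the dialog box. The following PowerShell is an added example, not code from the article; it assumes the NetSecurity module (Windows Server 2012 R2 and later), an elevated session, and a log path chosen for illustration.

```powershell
# Added example (not from the article): apply the default profile behaviour the
# article describes to all three profiles, then check that none of them drifted.
$profiles = 'Domain', 'Private', 'Public'

# Firewall on; inbound blocked unless a rule allows it; outbound allowed unless a rule blocks it.
Set-NetFirewallProfile -Profile $profiles `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# Logging and notification options from the profile tabs. The log path is an assumption.
Set-NetFirewallProfile -Profile $profiles `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384 `
    -LogBlocked True `
    -LogAllowed False `
    -NotifyOnListen True

# The article's "most protective" public-network case: ignore every inbound allow
# rule while on a Public network (GUI: Inbound connections = Block all connections).
Set-NetFirewallProfile -Profile Public -AllowInboundRules False

# Check: report any profile whose effective settings differ from the baseline.
$drift = Get-NetFirewallProfile | Where-Object {
    $_.Enabled -ne 'True' -or
    $_.DefaultInboundAction -ne 'Block' -or
    $_.DefaultOutboundAction -ne 'Allow'
}
if ($drift) {
    $drift | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
} else {
    'All three profiles match the default baseline.'
}
```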

Creating rules

The allowed applications that you can configure in the Windows Firewall control panel are a relatively friendly method for working with firewall rules. In the Windows Firewall With Advanced Security console, you can work with the rules in their raw form.
Selecting either Inbound Rules or Outbound Rules in the left pane displays a list of all the rules operating in that direction, as shown in Figure 2. The rules that are currently operational have a check mark in a green circle next to them; the rules not in force are unavailable.


FIGURE 2 The Inbound Rules list in the Windows Firewall With Advanced Security console

Creating new rules by using this interface provides much more flexibility than the Windows Firewall control panel. When you right-click the Inbound Rules (or Outbound Rules) node and select New Rule from the shortcut menu, the New Inbound (or Outbound) Rule Wizard takes you through the process of configuring the following sets of parameters:

  • Rule Type

    Specifies whether you want to create a program rule, a port rule, a variant on one of the predefined rules, or a custom rule. This selection determines which of the following pages the wizard displays.

  • Program

    Specifies whether the rule applies to all programs, to one specific program, or to a specific service. This is the equivalent of defining an allowed application in the Windows Firewall control panel, except that you must specify the exact path to the application.

  • Protocol And Ports

    Specifies the network or transport layer protocol or the local and remote ports to which the rule applies. This enables you to specify the exact types of traffic that the rule should block or allow. To create rules in this way, you must be familiar with the protocols and ports that an application uses to communicate at both ends of the connection.

  • Predefined Rules

    Specifies which predefined rules defining specific network connectivity requirements the wizard should create.

  • Scope

    Specifies the IP addresses of the local and remote systems to which the rule applies. This enables you to block or allow traffic between specific computers.

  • Action

    Specifies the action the firewall should take when a packet matches the rule. You configure the rule to allow traffic that the profile blocks by default, or to block traffic that the profile allows by default. You can also configure the rule to allow traffic only when the connection between the communicating computers is secured using IPsec.

  • Profile

    Specifies the profile(s) to which the rule should apply: domain, private, or public.

  • Name

    Specifies a name and (optionally) a description for the rule.

The rules you can create by using the wizards range from simple program rules, like those you can create in the Windows Firewall control panel, to highly complex and specific rules that block or allow only specific types of traffic between specific computers. The more complicated the rules become, however, the more you have to know about TCP/IP communications in general and the specific behavior of your applications. Modifying the default firewall settings to accommodate some special applications is relatively simple, but creating an entirely new firewall configuration is a formidable task.
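Each wizard page maps to a parameter of the New-NetFirewallRule cmdlet, which makes the resulting rule easy to review and reproduce. This is an added example, not code from the article; the program path, port, management subnet and rule name are assumptions for illustration, and it assumes an elevated session with the NetSecurity module.

```powershell
# Added example (not from the article): the New Inbound Rule Wizard pages expressed
# as New-NetFirewallRule parameters. Path, port, subnet and name are assumptions.
$ruleName = 'Contoso App Server (TCP 8443, management subnet)'

$params = @{
    DisplayName   = $ruleName                                          # Name page
    Description   = 'Inbound TLS to the app service, management subnet only'
    Direction     = 'Inbound'                                          # Inbound Rules node
    Program       = 'C:\Program Files\Contoso\AppServer\appsvc.exe'    # Program page (exact path)
    Protocol      = 'TCP'                                              # Protocol And Ports page
    LocalPort     = 8443
    RemoteAddress = '10.20.30.0/24'                                    # Scope page
    Action        = 'Allow'                                            # Action page
    Profile       = 'Domain'                                           # Profile page
}
New-NetFirewallRule @params

# Variant of the Action page: "Allow the connection if it is secure" means the
# packet must also arrive inside an authenticated IPsec association.
New-NetFirewallRule -DisplayName "$ruleName (IPsec only)" `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -Action Allow -Authentication Required -Profile Domain

# Check: show the filters the firewall actually attached to the new rule,
# so the scope you intended is the scope that is enforced.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter     | Select-Object RemoteAddress
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
```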

Importing and exporting rules

The process of creating and modifying rules in the Windows Firewall With Advanced Security console can be time-consuming, and repeating the process on multiple computers even more so. Therefore, the console makes it possible for you to save the rules and settings you have created by exporting them to a policy file.
A policy file is a file with a .wfw extension that contains all the property settings in a Windows Firewall installation and all its rules, including the preconfigured rules and those you have created or modified. To create a policy file, select Export Policy from the Action menu in the Windows Firewall With Advanced Security console, and then specify a name and location for the file.
You can then duplicate the rules and settings on another computer by copying the file and using the Import Policy function to read in the contents.

NOTE: IMPORTING POLICIES
When you import policies from a file, the console warns you that all existing rules and settings will be overwritten. You must therefore be careful not to create custom rules on a computer and then expect to import other rules by using a policy file.
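Because Import Policy replaces everything, a practitioner exports the current policy first. The following PowerShell is an added example, not code from the article; it uses netsh advfirewall, the command-line counterpart of the console's Export Policy and Import Policy actions, and the file paths are assumptions.

```powershell
# Added example (not from the article): snapshot the current policy before an import,
# because the import overwrites every existing rule and setting. Paths are assumptions.
$backupDir = 'C:\FirewallBackups'
$newPolicy = 'C:\Deploy\server-baseline.wfw'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $backupDir "$env:COMPUTERNAME-$stamp.wfw"

# Export what is about to be overwritten, including any local custom rules.
netsh advfirewall export "$backup"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
    throw 'Export failed; not importing over an unsaved configuration.'
}

$before = (Get-NetFirewallRule).Count
netsh advfirewall import "$newPolicy"
if ($LASTEXITCODE -ne 0) { throw "Import of $newPolicy failed." }
$after = (Get-NetFirewallRule).Count

"Rules before import: $before; after import: $after. Local custom rules survive only if they were in the file."
```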

Creating rules by using Group Policy

The Windows Firewall With Advanced Security console makes it possible to create complex firewall configurations, but Windows Firewall is still an application designed to protect a single computer from intrusion. If you have a large number of servers running Windows Server 2012 R2, manually creating a complex firewall configuration on each one can be a lengthy process. Therefore, as with most Windows configuration tasks, administrators can distribute firewall settings to computers throughout the network by using Group Policy.
When you edit a GPO and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security node, you see an interface that is nearly identical to the Windows Firewall With Advanced Security console.
You can configure Windows Firewall properties and create inbound, outbound, and connection security rules, just as you would in the console. The difference is that you can then deploy those settings to computers anywhere on the network by linking the GPO to an AD DS domain, site, or OU object.

When you open a new GPO, the Windows Firewall With Advanced Security node contains no rules. The preconfigured rules that you find on every computer running Windows Server 2012 R2 are not there. You can create new rules from scratch to deploy to the network, or you can import settings from a policy file, just as you can in the Windows Firewall With Advanced Security console.
Group Policy does not overwrite the entire Windows Firewall configuration like importing a policy file does. When you deploy firewall rules and settings by using Group Policy, the rules in the GPO are combined with the existing rules on the target computers. The only exception is when you deploy rules with the identical names as existing rules. In that case, the GPO settings overwrite those found on the target computers.
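The GPO node can also be populated from PowerShell, and a managed server can show how the GPO rules were merged with its local rules. This is an added example, not code from the article; the domain and GPO names and the subnet are assumptions, the GPO is assumed to exist and be linked, and the authoring part assumes a host with Group Policy management access.

```powershell
# Added example (not from the article): author rules in a GPO, then inspect the merged
# result on a managed server. Domain, GPO name and subnet are assumptions.
$gpo = 'contoso.com\Server Firewall Baseline'

# Open a GPO session so several changes are written back in a single save.
$session = Open-NetGPO -PolicyStore $gpo

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Baseline: Allow Remote Event Log (RPC)' `
    -Direction Inbound -Protocol TCP -LocalPort RPC `
    -RemoteAddress '10.20.30.0/24' -Action Allow -Profile Domain

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Baseline: Block outbound SMB to the Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445 `
    -RemoteAddress Internet -Action Block -Profile Domain

Save-NetGPO -GPOSession $session

# On a target server after Group Policy refresh: ActiveStore is the effective,
# merged rule set, and each rule records which store it came from.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Group-Object PolicyStoreSourceType |
    Select-Object Name, Count

# Names defined both locally and in a GPO, the case the article singles out.
$localNames = Get-NetFirewallRule -PolicyStore PersistentStore |
    Select-Object -ExpandProperty DisplayName
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' -and
                   $localNames -contains $_.DisplayName } |
    Select-Object DisplayName, PolicyStoreSource
```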

Creating connection security rules

Windows Server 2012 R2 also includes a feature that incorporates IPsec data protection into the Windows Firewall. The IP Security (IPsec) standards are a collection of documents that define a method for securing data while it is in transit over a TCP/IP network. IPsec includes a connection establishment routine, during which computers authenticate each other before transmitting data, and a technique called tunneling, in which data packets are encapsulated within other packets for their protection.
In addition to inbound and outbound rules, the Windows Firewall With Advanced Security console enables you to create connection security rules by using the New Connection Security Rule Wizard. Connection security rules define the type of protection you want to apply to the communications that conform to Windows Firewall rules.

When you right-click the Connection Security Rules node and select New Rule from the shortcut menu, the New Connection Security Rule Wizard takes you through the process of configuring the following sets of parameters:

  • Rule Type

    Specifies the basic function of the rule, such as to isolate computers based on authentication criteria, to exempt certain computers (such as infrastructure servers) from authentication, to authenticate two specific computers or groups of computers, or to tunnel communications between two computers. You can also create custom rules combining these functions.

  • Endpoints

    Specifies the IP addresses of the computers that will establish a secured connection before transmitting any data.

  • Requirements

    Specifies whether authentication between two computers should be requested or required in each direction.

  • Authentication Method

    Specifies the type of authentication the computers should use when establishing a connection.

  • Profile

    Specifies the profile(s) to which the rule should apply: domain, private, public, or a combination thereof.

  • Name

    Specifies a name and (optionally) a description for the rule.
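The wizard's Endpoints, Requirements and Authentication Method pages correspond to the NetSecurity IPsec cmdlets. The following PowerShell is an added example, not code from the article; the management subnet and display names are assumptions, and it assumes an elevated session on a domain-joined server so that Kerberos computer authentication is available.

```powershell
# Added example (not from the article): an isolation-style connection security rule
# built with New-NetIPsecRule. Subnet and display names are assumptions.

# Authentication Method page: computer (Kerberos) authentication for main mode.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain computer auth (Kerberos)' `
                -Proposal $proposal

# Rule Type (isolation), Endpoints, Requirements and Profile pages.
# Inbound "Request" lets unauthenticated peers still connect; outbound "Require"
# means this server will not send to the management subnet without authentication.
New-NetIPsecRule `
    -DisplayName 'Isolate management traffic (request in, require out)' `
    -Description 'Authenticate peers before data flows to the management subnet' `
    -Mode Transport `
    -LocalAddress Any `
    -RemoteAddress '10.20.30.0/24' `
    -InboundSecurity Request `
    -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain

# Check: the rule, its requirements, and the authentication set it references.
Get-NetIPsecRule -DisplayName 'Isolate management traffic*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Profile
Get-NetIPsecPhase1AuthSet -DisplayName 'Domain computer auth (Kerberos)' |
    Get-NetIPsecAuthProposal
```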

This article is part of the 70-410 Installing and Configuring Windows Server 2012 Prep course.