Using Windows Firewall With Advanced Security console
The Windows Firewall control panel is designed to enable administrators and advanced users to manage basic firewall settings. For full access to the Windows Firewall configuration settings, you must use the Windows Firewall With Advanced Security snap-in for the MMC.
To open the console, open Server Manager and, from the Tools menu, select Windows Firewall With Advanced Security. The Windows Firewall With Advanced Security console opens, as shown in Figure 1.
Configuring profile settings
At the top of the Windows Firewall With Advanced Security console’s middle pane, in the Overview section, there are status displays for the computer’s three network location profiles.
If you connect the computer to a different network (which is admittedly not likely with a server), Windows Firewall can load a different profile and a different set of rules.
The default Windows Firewall configuration calls for the same basic settings for all three profiles, as follows:
- The firewall is turned on.
- Incoming traffic is blocked unless it matches a rule.
- Outgoing traffic is allowed unless it matches a rule.
You can change this default behavior by clicking the Windows Firewall Properties link, which displays the Windows Firewall With Advanced Security On Local Computer dialog box.
In this dialog box, each of the three network location profiles has a tab with identical controls that enable you to modify the default profile settings. You can, for example, configure the firewall to shut down completely when the computer is connected to a domain network, and configure it to turn on with its most protective settings when the computer is connected to a public network. You can also configure the firewall’s notification options, its logging behavior, and how it reacts when rules conflict.
The allowed applications that you can configure in the Windows Firewall control panel are a relatively friendly method for working with firewall rules. In the Windows Firewall With Advanced Security console, you can work with the rules in their raw form.
Selecting either Inbound Rules or Outbound Rules in the left pane displays a list of all the rules operating in that direction, as shown in Figure 2. The rules that are currently operational have a check mark in a green circle next to them; the rules not in force are unavailable.
Creating new rules by using this interface provides much more flexibility than the Windows Firewall control panel. When you right-click the Inbound Rules (or Outbound Rules) node and select New Rule from the shortcut menu, the New Inbound (or Outbound) Rule Wizard takes you through the process of configuring the following sets of parameters:
Rule Type
Specifies whether you want to create a program rule, a port rule, a variant on one of the predefined rules, or a custom rule. This selection determines which of the following pages the wizard displays.
Program
Specifies whether the rule applies to all programs, to one specific program, or to a specific service. This is the equivalent of defining an allowed application in the Windows Firewall control panel, except that you must specify the exact path to the application.
Protocol And Ports
Specifies the network or transport layer protocol or the local and remote ports to which the rule applies. This enables you to specify the exact types of traffic that the rule should block or allow. To create rules in this way, you must be familiar with the protocols and ports that an application uses to communicate at both ends of the connection.
Predefined Rules
Specifies which of the predefined rules defining specific network connectivity requirements the wizard should create.
Scope
Specifies the IP addresses of the local and remote systems to which the rule applies. This enables you to block or allow traffic between specific computers.
Action
Specifies the action the firewall should take when a packet matches the rule. You configure the rule to allow traffic if it is blocked by default or to block traffic if it is allowed by default. You can also configure the rule to allow traffic only when the connection between the communicating computers is secured using IPsec.
Profile
Specifies the profile(s) to which the rule should apply: domain, private, or public.
Name
Specifies a name and (optionally) a description for the rule.
The rules you can create by using the wizards range from simple program rules, like those you can create in the Windows Firewall control panel, to highly complex and specific rules that block or allow only specific types of traffic between specific computers. The more complicated the rules become, however, the more you have to know about TCP/IP communications in general and the specific behavior of your applications. Modifying the default firewall settings to accommodate some special applications is relatively simple, but creating an entirely new firewall configuration is a formidable task.
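The profile defaults and the wizard pages described above map directly onto the NetSecurity cmdlets. The following is an added example, not code from the book, assuming an elevated PowerShell session on Windows Server 2012 R2; the program path, port, subnet and rule names are constructed placeholders.

```powershell
# Added example (not from the book): the default profile settings and a
# wizard-style inbound rule expressed with the NetSecurity cmdlets.
# The program path, port, subnet and rule names are constructed placeholders.

# Profile settings: firewall on, inbound blocked unless a rule matches,
# outbound allowed unless a rule matches, and dropped packets logged.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 16384

# Predefined rule: enable an existing Windows rule group instead of
# writing a new rule (the wizard's "Predefined" rule type).
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'

# Custom rule covering the wizard's pages: program, protocol and ports,
# scope (remote addresses), action, profile, and name.
# -Authentication Required is the wizard's "Allow the connection if it is
# secure" choice: traffic matches only when the connection is IPsec-protected.
New-NetFirewallRule `
    -Name 'Contoso-App-TCP-8443-In' `
    -DisplayName 'Contoso App (TCP 8443, domain, IPsec only)' `
    -Description 'Placeholder line-of-business service' `
    -Direction Inbound `
    -Program 'C:\Program Files\Contoso\App\service.exe' `
    -Protocol TCP -LocalPort 8443 `
    -RemoteAddress 10.20.0.0/16 `
    -Action Allow `
    -Authentication Required `
    -Profile Domain `
    -Enabled True

# Review the result: which inbound rules are in force, on which profile.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Select-Object DisplayName, Profile, Action, Enabled |
    Sort-Object DisplayName
```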
Importing and exporting rules
The process of creating and modifying rules in the Windows Firewall With Advanced Security console can be time-consuming, and repeating the process on multiple computers even more so. Therefore, the console makes it possible for you to save the rules and settings you have created by exporting them to a policy file.
A policy file is a file with a .wfw extension that contains all the property settings in a Windows Firewall installation and all its rules, including the preconfigured rules and those you have created or modified. To create a policy file, select Export Policy from the Action menu in the Windows Firewall With Advanced Security console, and then specify a name and location for the file.
You can then duplicate the rules and settings on another computer by copying the file and using the Import Policy function to read in the contents.
NOTE: IMPORTING POLICIES
When you import policies from a file, the console warns you that all existing rules and settings will be overwritten. You must therefore be careful not to create custom rules on a computer and then expect them to survive an import of other rules from a policy file.
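The export and import steps, together with a check for the overwrite the note warns about, as an added example that is not from the book. It assumes an elevated session and the netsh advfirewall and NetSecurity tooling present on Windows Server 2012 R2; the folder and file names are constructed placeholders.

```powershell
# Added example (not from the book): export the local policy to a .wfw file
# and, before importing one elsewhere, record what the import will overwrite.
# The folder and file names are constructed placeholders.
$policyDir  = 'C:\FirewallPolicy'
$policyFile = Join-Path $policyDir 'baseline.wfw'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

# Export Policy: profile properties plus every rule, built in or custom.
netsh advfirewall export "$policyFile"

# --- On the destination computer ---
# Import replaces the whole configuration, so first list locally created
# rules (those without a Windows rule group) and keep a copy of the current
# policy so they can be recovered or re-created after the import.
$custom = Get-NetFirewallRule -PolicyStore PersistentStore |
    Where-Object { [string]::IsNullOrEmpty($_.Group) }
if ($custom) {
    Write-Warning ("{0} custom rule(s) will be overwritten by the import:" -f $custom.Count)
    $custom | Select-Object Name, DisplayName, Direction, Action | Format-Table -AutoSize
}
$backup = Join-Path $policyDir ('before-import-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))
netsh advfirewall export "$backup"

# Read in the exported policy; netsh prints Ok. on success.
netsh advfirewall import "$policyFile"
```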
Creating rules by using Group Policy
The Windows Firewall With Advanced Security console makes it possible to create complex firewall configurations, but Windows Firewall is still an application designed to protect a single computer from intrusion. If you have a large number of servers running Windows Server 2012 R2, manually creating a complex firewall configuration on each one can be a lengthy process. Therefore, as with most Windows configuration tasks, administrators can distribute firewall settings to computers throughout the network by using Group Policy.
When you edit a GPO and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security node, you see an interface that is nearly identical to the Windows Firewall With Advanced Security console.
You can configure Windows Firewall properties and create inbound, outbound, and connection security rules, just as you would in the console. The difference is that you can then deploy those settings to computers anywhere on the network by linking the GPO to an AD DS domain, site, or OU object.
When you open a new GPO, the Windows Firewall With Advanced Security node contains no rules. The preconfigured rules that you find on every computer running Windows Server 2012 R2 are not there. You can create new rules from scratch to deploy to the network, or you can import settings from a policy file, just as you can in the Windows Firewall With Advanced Security console.
Group Policy does not overwrite the entire Windows Firewall configuration like importing a policy file does. When you deploy firewall rules and settings by using Group Policy, the rules in the GPO are combined with the existing rules on the target computers. The only exception is when you deploy rules with the identical names as existing rules. In that case, the GPO settings overwrite those found on the target computers.
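The same rules placed in a GPO rather than the local store, followed by the check that shows how GPO and local rules are combined on a target, as an added example that is not from the book. It assumes the GroupPolicy and NetSecurity modules (RSAT on a domain-joined server); the domain, GPO name, OU and subnets are constructed placeholders.

```powershell
# Added example (not from the book): put firewall rules in a GPO instead of
# the local store, then confirm on a target how GPO and local rules merge.
# Domain, GPO name, OU and subnets are constructed placeholders.
Import-Module GroupPolicy, NetSecurity

$domain  = 'corp.example.com'
$gpoName = 'Server Firewall Baseline'

# Create the GPO if needed. Unlike a computer, a new GPO starts with no rules.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Open the GPO's firewall policy store, add rules, then save once.
$gpo = Open-NetGPO -PolicyStore "$domain\$gpoName"
New-NetFirewallRule -GPOSession $gpo -Name 'GPO-WinRM-HTTPS-In' `
    -DisplayName 'WinRM over HTTPS (domain)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -Action Allow -Profile Domain
New-NetFirewallRule -GPOSession $gpo -Name 'GPO-RDP-In' `
    -DisplayName 'Remote Desktop (domain, from admin subnet)' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.250.0/24 `
    -Action Allow -Profile Domain
Save-NetGPO -GPOSession $gpo

# Link the GPO to the OU holding the servers.
New-GPLink -Name $gpoName -Target 'OU=Servers,DC=corp,DC=example,DC=com' `
    -LinkEnabled Yes | Out-Null

# On a target server after gpupdate: the active store lists GPO-delivered and
# local rules side by side. Where a GPO rule has the same Name as a local
# rule, the GPO version is the one in effect.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True |
    Select-Object Name, DisplayName, PolicyStoreSourceType |
    Sort-Object PolicyStoreSourceType, Name
```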
Creating connection security rules
Windows Server 2012 R2 also includes a feature that incorporates IPsec data protection into the Windows Firewall. The IP Security (IPsec) standards are a collection of documents that define a method for securing data while it is in transit over a TCP/IP network. IPsec includes a connection establishment routine, during which computers authenticate each other before transmitting data, and a technique called tunneling, in which data packets are encapsulated within other packets for their protection.
In addition to inbound and outbound rules, the Windows Firewall With Advanced Security console enables you to create connection security rules by using the New Connection Security Rule Wizard. Connection security rules define the type of protection you want to apply to the communications that conform to Windows Firewall rules.
When you right-click the Connection Security Rules node and select New Rule from the shortcut menu, the New Connection Security Rule Wizard takes you through the process of configuring the following sets of parameters:
Rule Type
Specifies the basic function of the rule, such as to isolate computers based on authentication criteria, to exempt certain computers (such as infrastructure servers) from authentication, to authenticate two specific computers or groups of computers, or to tunnel communications between two computers. You can also create custom rules combining these functions.
Endpoints
Specifies the IP addresses of the computers that will establish a secured connection before transmitting any data.
Requirements
Specifies whether authentication between two computers should be requested or required in each direction.
Authentication Method
Specifies the type of authentication the computers should use when establishing a connection.
Profile
Specifies the profile(s) to which the rule should apply: domain, private, public, or a combination thereof.
Name
Specifies a name and (optionally) a description for the rule.
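An isolation rule and an authentication exemption built from the wizard's pages (endpoints, requirements, authentication method, profile, name), as an added example that is not from the book. It assumes domain-joined computers so Kerberos computer authentication is available; the subnets, domain controller addresses and rule names are constructed placeholders.

```powershell
# Added example (not from the book): connection security rules with the
# NetSecurity cmdlets. Subnets, addresses and names are constructed placeholders.

# Authentication method: Kerberos V5 for the computer account, wrapped in a
# phase 1 authentication set that rules reference by name.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
New-NetIPsecPhase1AuthSet -Name 'KerberosMachineAuth' `
    -DisplayName 'Domain computers (Kerberos)' -Proposal $proposal | Out-Null

# Isolation rule. Endpoints: servers in 10.20.1.0/24 talking to anyone.
# Requirements: authentication is required inbound and requested outbound,
# so unauthenticated peers cannot reach the servers but the servers can still
# reach hosts that do not speak IPsec. Profile: domain only.
New-NetIPsecRule `
    -Name 'CSR-Isolate-Servers' `
    -DisplayName 'Server isolation: authenticate before data' `
    -Description 'Placeholder isolation rule' `
    -Mode Transport `
    -LocalAddress 10.20.1.0/24 `
    -RemoteAddress Any `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet 'KerberosMachineAuth' `
    -Profile Domain

# Authentication exemption for infrastructure servers (domain controllers
# here): no authentication in either direction, so Kerberos itself keeps
# working before any IPsec association exists.
New-NetIPsecRule `
    -Name 'CSR-Exempt-DCs' `
    -DisplayName 'Authentication exemption: domain controllers' `
    -LocalAddress Any `
    -RemoteAddress 10.20.0.10,10.20.0.11 `
    -InboundSecurity None `
    -OutboundSecurity None `
    -Profile Domain

# Verify the loaded rules, then watch main mode security associations appear
# once protected traffic flows.
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```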