Using Windows Firewall With Advanced Security console

The Windows Firewall control panel is designed to enable administrators and advanced users to manage basic firewall settings. For full access to the Windows Firewall configuration settings, you must use the Windows Firewall With Advanced Security snap-in for the MMC.
To open the console, open Server Manager and, from the Tools menu, select Windows Firewall With Advanced Security. The Windows Firewall With Advanced Security console opens, as shown in Figure 1.

FIGURE 1 The Windows Firewall With Advanced Security console

Configuring profile settings

At the top of the Windows Firewall With Advanced Security console's middle pane, in the Overview section, there are status displays for the computer's three network location profiles: Domain, Private, and Public.
Windows selects the active profile per network connection, using the domain profile only when a domain controller can be reached over that connection. If you connect the computer to a different network (which is admittedly not likely with a server), Windows Firewall can therefore load a different profile and a different set of rules.
The default Windows Firewall configuration calls for the same basic settings for all three profiles, as follows:

  • The firewall is turned on.
  • Incoming traffic is blocked unless it matches a rule.
  • Outgoing traffic is allowed unless it matches a rule.

You can change this default behavior by clicking the Windows Firewall Properties link, which displays the Windows Firewall With Advanced Security On Local Computer dialog box.
In this dialog box, each of the three network location profiles has a tab with identical controls that enable you to modify the default profile settings. You can, for example, turn the firewall off entirely for the domain profile (rarely advisable, but possible) and configure the firewall to use its most protective settings when you connect the computer to a public network. Each tab also controls the firewall's notification options, its logging behavior (logging is off by default; enabling the logging of dropped packets is the usual first step when troubleshooting a blocked connection), and, under Settings, whether locally defined rules are merged with rules delivered by Group Policy.
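The profile settings described above can also be set and verified from PowerShell with the NetSecurity cmdlets that ship with Windows Server 2012 R2. The following is an added example, not code from the original article: it keeps the documented defaults on all three profiles, turns on logging of dropped packets, and flags any profile that is disabled or allows inbound traffic by default. The log path is the firewall's own default; the maximum log size is an assumed value.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows Server 2012 R2.

# Keep the documented defaults on every profile: firewall on, inbound blocked
# unless a rule allows it, outbound allowed unless a rule blocks it.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# Logging is off by default. Record dropped packets on every profile so that
# blocked connections can be investigated later. The path is the firewall's
# default location; 32767 KB is the largest size the firewall accepts (assumed
# to be acceptable here).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767 `
    -LogBlocked True

# On the public profile, also log allowed connections (noisier, but useful
# on an untrusted network).
Set-NetFirewallProfile -Profile Public -LogAllowed True

# Verify the result and warn if any profile has drifted from the defaults.
$profiles = Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked
$profiles | Format-Table -AutoSize

$weak = $profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block'
}
if ($weak) {
    Write-Warning "Profiles with weak settings: $($weak.Name -join ', ')"
}
```

The same settings appear on the profile tabs of the properties dialog box; running the check periodically catches the case where someone turned a profile off "temporarily" to get an application working.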

Creating rules

The allowed applications that you can configure in the Windows Firewall control panel are a relatively friendly method for working with firewall rules. In the Windows Firewall With Advanced Security console, you work with the rules in their raw form.
Selecting either Inbound Rules or Outbound Rules in the left pane displays a list of all the rules operating in that direction, as shown in Figure 2. The rules that are currently enabled have a check mark in a green circle next to them; disabled rules appear dimmed and have no effect until you enable them.

FIGURE 2 The Inbound Rules list in the Windows Firewall With Advanced Security console

Creating new rules by using this interface provides much more flexibility than the Windows Firewall control panel. When you right-click the Inbound Rules (or Outbound Rules) node and select New Rule from the shortcut menu, the New Inbound (or Outbound) Rule Wizard takes you through the process of configuring the following sets of parameters:

  • Rule Type

    Specifies whether you want to create a program rule, a port rule, a variant on one of the predefined rules, or a custom rule. This selection determines which of the following pages the wizard displays.

  • Program

    Specifies whether the rule applies to all programs, to one specific program, or to a specific service. This is the equivalent of defining an allowed application in the Windows Firewall control panel, except that you must specify the exact path to the application. Because the match is on the path, any executable placed at that path satisfies the rule; combine a program rule with port and scope restrictions rather than relying on the path alone.

  • Protocol And Ports

    Specifies the network or transport layer protocol or the local and remote ports to which the rule applies. This enables you to specify the exact types of traffic that the rule should block or allow. To create rules in this way, you must be familiar with the protocols and ports that an application uses to communicate at both ends of the connection.

  • Predefined Rules

    Specifies which predefined rules defining specific network connectivity requirements the wizard should create.

  • Scope

    Specifies the IP addresses of the local and remote systems to which the rule applies. This enables you to block or allow traffic between specific computers.

  • Action

    Specifies the action the firewall should take when a packet matches the rule. You configure the rule to allow traffic that is blocked by default or to block traffic that is allowed by default. You can also configure the rule to allow traffic only when the connection between the communicating computers is secured using IPsec. Note that rule order in the list does not matter: Windows Firewall evaluates block rules before allow rules, so a block rule always wins over an allow rule that matches the same traffic, and the profile's default action applies only when no rule matches.

  • Profile

    Specifies the profile(s) to which the rule should apply: domain, private, or public.

  • Name

    Specifies a name and (optionally) a description for the rule.

The rules you can create by using the wizards range from simple program rules, like those you can create in the Windows Firewall control panel, to highly complex and specific rules that block or allow only specific types of traffic between specific computers. The more complicated the rules become, however, the more you have to know about TCP/IP communications in general and the specific behavior of your applications. Modifying the default firewall settings to accommodate some special applications is relatively simple, but creating an entirely new firewall configuration is a formidable task.
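Each page of the New Inbound Rule Wizard corresponds to a parameter of New-NetFirewallRule, which makes the same rules reproducible from a script. The following is an added example, not code from the original article; the application path, ports and subnet are assumptions chosen for illustration.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows Server 2012 R2.
$appPath = 'C:\Apps\OrderService\OrderService.exe'   # assumed path

# Program + Protocol And Ports + Scope + Profile in one rule: only the named
# executable, only TCP 8443, only from the assumed application-tier subnet,
# and only while the domain profile is active.
New-NetFirewallRule -DisplayName 'OrderService inbound (app tier only)' `
    -Description 'Allow app-tier clients to reach the order service' `
    -Direction Inbound -Action Allow `
    -Program $appPath `
    -Protocol TCP -LocalPort 8443 `
    -RemoteAddress 10.20.30.0/24 `
    -Profile Domain `
    -Enabled True

# An outbound block rule for the same binary (assumed egress policy: the
# service has no business talking SMB). Block rules are evaluated before
# allow rules, so no later allow rule can override this one.
New-NetFirewallRule -DisplayName 'OrderService outbound (no SMB)' `
    -Direction Outbound -Action Block `
    -Program $appPath `
    -Protocol TCP -RemotePort 445 `
    -Profile Any

# The wizard's "Allow the connection if it is secure" action: traffic is
# admitted only over a connection authenticated by IPsec (see the connection
# security rules section for the rule that provides that authentication).
New-NetFirewallRule -DisplayName 'OrderService admin port (IPsec only)' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 8444 `
    -Authentication Required `
    -Profile Domain

# Review what was created.
Get-NetFirewallRule -DisplayName 'OrderService*' |
    Select-Object DisplayName, Direction, Action, Enabled, Profile |
    Format-Table -AutoSize

# Ports, addresses and the program path live in filter objects attached to the
# rule rather than on the rule object itself.
$rule = Get-NetFirewallRule -DisplayName 'OrderService inbound (app tier only)'
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort, RemotePort
$rule | Get-NetFirewallAddressFilter     | Select-Object LocalAddress, RemoteAddress
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
```

Scripting the rules this way also gives you something to diff against a known-good baseline, which the console does not.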

Importing and exporting rules

The process of creating and modifying rules in the Windows Firewall With Advanced Security console can be time-consuming, and repeating the process on multiple computers even more so. Therefore, the console makes it possible for you to save the rules and settings you have created by exporting them to a policy file.
A policy file is a file with a .wfw extension that contains all the property settings in a Windows Firewall installation and all its rules, including the preconfigured rules and those you have created or modified. To create a policy file, select Export Policy from the Action menu in the Windows Firewall With Advanced Security console, and then specify a name and location for the file.
You can then duplicate the rules and settings on another computer by copying the file and using the Import Policy function to read in the contents.

NOTE: IMPORTING POLICIES
When you import a policy file, the console warns you that all existing rules and settings will be overwritten. The import is a full replacement, not a merge: any custom rules created on the target computer are lost. Export the target's current policy first if you may need it back, and add new rules on the reference computer and re-export rather than creating them locally on each target.
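Because an import replaces everything, it is worth wrapping the two operations so that a backup is always taken first. The following is an added example, not code from the original article. There is no NetSecurity cmdlet for .wfw files, so it calls netsh advfirewall export and import, which produce and consume the same policy file format as the console; the directory and file names are assumptions.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on Windows Server 2012 R2.
$exportPath = 'C:\FirewallPolicy\baseline.wfw'   # assumed location

function Export-FirewallPolicy([string]$Path) {
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Remove-Item $Path -ErrorAction SilentlyContinue
    netsh advfirewall export "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "firewall export failed (exit $LASTEXITCODE)" }
    Get-Item $Path
}

function Import-FirewallPolicy([string]$Path) {
    if (-not (Test-Path $Path)) { throw "policy file not found: $Path" }
    # Preserve whatever is on this computer first; the import overwrites it.
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path (Split-Path $Path) "pre-import-$env:COMPUTERNAME-$stamp.wfw"
    Export-FirewallPolicy $backup | Out-Null
    netsh advfirewall import "$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "firewall import failed (exit $LASTEXITCODE); previous policy saved to $backup"
    }
    Write-Host "Imported $Path; previous policy saved to $backup"
}

# On the reference computer: capture the complete policy (profile settings,
# preconfigured rules, and custom rules) into a single file.
Export-FirewallPolicy $exportPath

# On each target computer, after copying the file to the same path:
# Import-FirewallPolicy $exportPath

# A cheap check that the import took effect on a target: the rule count and the
# custom rule names should match the reference computer.
(Get-NetFirewallRule).Count
Get-NetFirewallRule | Where-Object { $_.Group -eq '' } |
    Select-Object DisplayName, Direction, Action, Enabled
```

The Group filter at the end lists rules with no group name, which is what rules created by hand in the console or wizard look like; the preconfigured rules all belong to a named feature group.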

Creating rules by using Group Policy

The Windows Firewall With Advanced Security console makes it possible to create complex firewall configurations, but Windows Firewall is still an application designed to protect a single computer from intrusion. If you have a large number of servers running Windows Server 2012 R2, manually creating a complex firewall configuration on each one can be a lengthy process. Therefore, as with most Windows configuration tasks, administrators can distribute firewall settings to computers throughout the network by using Group Policy.
When you edit a GPO and browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security node, you see an interface that is nearly identical to the Windows Firewall With Advanced Security console.
You can configure Windows Firewall properties and create inbound, outbound, and connection security rules, just as you would in the console. The difference is that you can then deploy those settings to computers anywhere on the network by linking the GPO to an AD DS domain, site, or OU object.

When you open a new GPO, the Windows Firewall With Advanced Security node contains no rules. The preconfigured rules that you find on every computer running Windows Server 2012 R2 are not there. You can create new rules from scratch to deploy to the network, or you can import settings from a policy file, just as you can in the Windows Firewall With Advanced Security console.
Group Policy does not overwrite the entire Windows Firewall configuration the way importing a policy file does. When you deploy firewall rules and settings by using Group Policy, the rules in the GPO are kept in a separate policy store and merged at run time with the rules defined locally on the target computers. Whether local rules still take effect is controlled by the profile setting Apply Local Firewall Rules (and Apply Local Connection Security Rules), which you can set in the GPO: disabling it makes the GPO the only source of firewall rules on the affected computers, which is the usual choice for servers whose configuration should not drift.
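The NetSecurity cmdlets can target a GPO instead of the local computer, so the rules described above can be written straight into the GPO's policy store and then checked on a target after Group Policy refreshes. The following is an added example, not code from the original article. It assumes a domain-joined management computer with the Group Policy Management tools installed, and that a GPO with the assumed name already exists in the assumed domain; the addresses and ports are also assumptions.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session with the Group Policy Management tools installed.
$gpo = 'corp.example.com\Server Firewall Baseline'   # assumed domain\GPO name

# Open the GPO once, make all changes against the session, then save once.
# Without a session, each cmdlet opens and writes the GPO separately.
$session = Open-NetGPO -PolicyStore $gpo

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'Remote Desktop from jump hosts' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 `
    -RemoteAddress 10.0.0.10,10.0.0.11 `
    -Profile Domain

New-NetFirewallRule -GPOSession $session `
    -DisplayName 'WinRM from management subnet' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5985 `
    -RemoteAddress 10.0.5.0/24 `
    -Profile Domain

# Profile settings can be delivered by the same GPO. Disabling local rules
# makes this GPO the only source of firewall rules on the targets; rules
# created by hand in the console on those servers will no longer apply.
Set-NetFirewallProfile -GPOSession $session -Profile Domain `
    -Enabled True `
    -DefaultInboundAction Block `
    -AllowLocalFirewallRules False

Save-NetGPO -GPOSession $session

# On a target server, after the policy has refreshed (gpupdate /force), the
# ActiveStore shows the merged result, and each rule records where it came from.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object { $_.PolicyStoreSourceType -eq 'GroupPolicy' } |
    Select-Object DisplayName, Direction, Action, Enabled, PolicyStoreSource |
    Format-Table -AutoSize
```

Querying ActiveStore rather than the default persistent store is the only way to see what the firewall is actually enforcing once Group Policy is involved; the local console's rule list shows GPO-delivered rules too, but the source column is easy to miss.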

Creating connection security rules

Windows Server 2012 R2 also includes a feature that incorporates IPsec data protection into Windows Firewall. The IP Security (IPsec) standards are a collection of documents that define a method for securing data while it is in transit over a TCP/IP network. IPsec includes a connection establishment routine, during which the computers authenticate each other before transmitting data, and then protects the packets themselves, either with an integrity check alone (AH, or ESP without encryption) or with integrity plus encryption (ESP). It can operate in transport mode, which protects the payload of each packet between the two endpoints, or in tunnel mode, in which whole packets are encapsulated within new packets for their protection, typically between two gateways.
In addition to inbound and outbound rules, the Windows Firewall With Advanced Security console enables you to create connection security rules by using the New Connection Security Rule Wizard. Connection security rules define the authentication and protection you want to apply to a connection; they do not by themselves allow or block traffic, which is still decided by the inbound and outbound rules (including rules that allow traffic only when the connection is secure).

When you right-click the Connection Security Rules node and select New Rule from the shortcut menu, the New Connection Security Rule Wizard takes you through the process of configuring the following sets of parameters:

  • Rule Type

    Specifies the basic function of the rule, such as to isolate computers based on authentication criteria, to exempt certain computers (such as infrastructure servers) from authentication, to authenticate two specific computers or groups of computers, or to tunnel communications between two computers. You can also create custom rules combining these functions.

  • Endpoints

    Specifies the IP addresses of the computers that will establish a secured connection before transmitting any data.

  • Requirements

    Specifies whether authentication between two computers should be requested or required in each direction. Requesting authentication lets the connection proceed unprotected if the peer cannot authenticate; requiring it drops the connection instead. A common starting point is to require authentication for inbound connections and only request it for outbound ones, so the server can still reach computers that have no IPsec policy.

  • Authentication Method

    Specifies the type of authentication the computers should use when establishing a connection.

  • Profile

    Specifies the profile(s) to which the rule should apply: domain, private, public, or a combination thereof.

  • Name

    Specifies a name and (optionally) a description for the rule.
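The wizard's parameters map onto New-NetIPsecRule and its authentication-set cmdlets, which makes a domain isolation design reproducible. The following is an added example, not code from the original article: an isolation rule that requires Kerberos computer authentication inbound and requests it outbound, an exemption for infrastructure addresses, and a firewall rule that admits a management port only over the resulting authenticated connection. The rule names and addresses are assumptions, and all participating computers are assumed to be members of the same AD DS domain.

```powershell
# Added example (not from the original article). Run in an elevated
# PowerShell session on a domain-joined Windows Server 2012 R2 computer.

# Authentication Method page: computer Kerberos, which domain members can use
# with no extra setup (the wizard's "Computer (Kerberos V5)" choice).
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos' -Proposal $proposal

# Rule Type "Isolation" + Requirements page: require authentication for
# inbound connections, request it for outbound ones.
New-NetIPsecRule -DisplayName 'Domain isolation (inbound required)' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name `
    -Profile Domain

# Rule Type "Authentication exemption": assumed DNS/domain controller addresses
# that must stay reachable before IPsec can be negotiated. A rule with no
# security in either direction exempts matching traffic from the isolation rule.
New-NetIPsecRule -DisplayName 'Exempt infrastructure servers' `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress 10.0.0.5,10.0.0.6 `
    -Profile Domain

# The connection security rule alone allows nothing; pair it with a firewall
# rule whose action is "Allow the connection if it is secure".
New-NetFirewallRule -DisplayName 'WinRM only over IPsec' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 5985 `
    -Authentication Required `
    -Profile Domain

# Verification: list the rules, then, after some traffic has flowed, confirm
# that main mode and quick mode security associations exist for the peers.
Get-NetIPsecRule | Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled |
    Format-Table -AutoSize
Get-NetIPsecMainModeSA  | Format-Table -AutoSize
Get-NetIPsecQuickModeSA | Format-Table -AutoSize
```

Roll the isolation rule out with the outbound side set to Request first and watch the quick mode SAs appear; only once every peer that matters is negotiating successfully is it safe to tighten the outbound requirement.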

This article is part of the 70-410 Installing and Configuring Windows Server 2012 Prep course.