Mastering Windows' New Firewall, Part 1
by Mitch Tulloch
The Windows Firewall has been enhanced in several ways in the upcoming Windows Vista. Some of these enhancements include more granular firewall rules, support for outbound traffic filtering, location-aware profiles, full IPv6 support, a new management console, new Group Policy support, integrated IPsec functionality, and more. In this article I'll focus on the new management interface for Windows Firewall and how network-aware firewall profiles work. In future articles I'll dig deeper into firewall rules (including outbound rules) and also show you how easy it is now to set up a secure IPsec connection between two Vista machines using Windows Firewall.
The New Management Console
While most users will still use the Windows Firewall utility in Control Panel to manage Windows Firewall on their Vista machines, advanced users may want to check out the new Windows Firewall with Advanced Security MMC console (see Figure 1). The simplest way to open this console is to press the WIN+R key combination to open the Run box, type WF.msc and press ENTER. You'll have to respond to a User Account Control (UAC) prompt at that point, which means either clicking Continue (if you're a local admin on the machine) or entering admin credentials (if you're a standard user and can do so).
Understanding Firewall Profiles
The main screen of the console shows the default configuration of the firewall for each profile. A profile is a firewall configuration that is used for a specific networking environment. Windows XP's firewall had only two profiles: Standard and Domain. The Domain profile was the active firewall profile (the firewall profile in use) whenever your computer had a domain DNS suffix (for example, mycomputer.oreilly.com), otherwise the Standard profile was used. Both profiles were identical in terms of which firewall exceptions were allowed out-of-box (OOB), but administrators would usually use Group Policy to configure Standard profiles to be more restrictive than Domain profiles so that users would be better protected when they disconnected their laptop from the corporate network and connected to a public wireless hot spot at a coffee shop.
In Windows Vista however, there are now three different firewall profiles: Domain, Private, and Public. These three profiles match up with the different network categories available in Vista. A network category (or network location type) is the type of network that a Vista computer is currently connected to. There are basically three network categories, though the UI suggests that there are four. When you log on to a Vista computer for the first time, you're presented with a dialog asking you whether your computer will be used at Home, at Work, or at a Public Location. Choosing either Home or Work basically gives the same result--your network category is set to Private. If you choose Public Location, your network category becomes Public. You can manually switch between categories using Network And Sharing Center, or Vista can detect when the network connectivity of your machine changes and switch categories for you. And if you join your computer to a domain, your network category becomes Domain. That means there are three underlying network categories (Domain, Private, and Public) and these correspond one-to-one with the three firewall profiles available and having the same names. (See this article on TechNet for more information about network location types in Vista).
How does Vista decide which firewall profile to make the active one? Remember, the active profile is the one whose firewall rules are currently used to protect the machine. The firewall profile selection process basically works like this:
- If your computer can authenticate with a domain controller using every network interface on the computer, then the active firewall profile is the Domain profile. By network interface I mean LAN interfaces, wireless interfaces, virtual private network (VPN) tunnel interfaces, even Bluetooth interfaces. If any one of these active network interfaces on your machine cannot authenticate to a domain, then the Domain profile cannot be the active one.
- If your computer is configured so that every network interface on it has a network location type of Private, then the Private firewall profile is the active one.
- Under any other circumstance, the active firewall profile is set to Public. So for example, if your LAN connection is set to Private but your wireless connection is Public, the active firewall profile is Public and this is so on all network interfaces on your machine. In other words, the active firewall profile is used by all network interfaces on your machine, regardless of the network location type of any one particular interface.
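The three-step selection process above, modelled as a small Python function so you can see why one Public (or non-domain) interface changes the profile for the whole machine. This is an added illustration, not code from the article or from Windows; the Interface/Category names and the sample interfaces are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Network location types, which share names with the firewall profiles."""
    DOMAIN = "Domain"
    PRIVATE = "Private"
    PUBLIC = "Public"


@dataclass(frozen=True)
class Interface:
    """A constructed model of one active network interface (LAN, wireless, VPN, Bluetooth...)."""
    name: str
    category: Category                 # location type set for this interface
    domain_authenticated: bool = False  # can this interface authenticate to a domain controller?


def active_profile(interfaces):
    """Return the single firewall profile Vista applies to EVERY interface on the machine."""
    ifaces = list(interfaces)
    if not ifaces:
        raise ValueError("no active network interfaces")
    # Step 1: Domain only if every interface can authenticate to a domain controller.
    if all(i.domain_authenticated for i in ifaces):
        return Category.DOMAIN
    # Step 2: Private only if every interface has the Private location type.
    if all(i.category is Category.PRIVATE for i in ifaces):
        return Category.PRIVATE
    # Step 3: anything else (a single Public interface is enough) -> Public for all interfaces.
    return Category.PUBLIC


def interfaces_blocking(wanted, interfaces):
    """Names of the interfaces that prevent `wanted` (Domain or Private) from being active.

    Handy when troubleshooting why a domain-joined laptop is suddenly running Public rules.
    """
    if wanted is Category.DOMAIN:
        return [i.name for i in interfaces if not i.domain_authenticated]
    if wanted is Category.PRIVATE:
        return [i.name for i in interfaces if i.category is not Category.PRIVATE]
    return []  # Public is the fallback; nothing ever blocks it


if __name__ == "__main__":
    # The article's example: LAN set to Private, wireless set to Public.
    lan, wifi = Interface("LAN", Category.PRIVATE), Interface("Wireless", Category.PUBLIC)
    print(active_profile([lan, wifi]).value, interfaces_blocking(Category.PRIVATE, [lan, wifi]))
```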
Another thing that's different with Vista's version of Windows Firewall is that the set of firewall rules that are enabled by default are different for each firewall profile. Vista uses rules instead of exceptions for its firewall (though the Control Panel utility still displays them as exceptions). A rule (or firewall rule) determines what happens to specific types of network traffic passing through the firewall. Rules can be configured to either Allow or Block the type of traffic that matches the conditions of the rule, and a rule can be either Enabled (which means it allows or blocks traffic matching its conditions) or Disabled (in which case the rule is ignored). And rules can either filter inbound traffic (inbound rules) or outbound traffic (outbound rules).
Rules are grouped together into rule groups, with each rule group matching an experience (a feature or program) for Vista. For example, the Windows Meeting Space rule group must be enabled (i.e., all rules in the rule group must be enabled) for the active firewall profile in order for the Windows Meeting Space program to work properly. (See here for an article I wrote about how to use Windows Meeting Space to collaborate with other users.)
We'll dig deeper into firewall rules and rule groups in Part 2 of this article, but for now let me get back to my point earlier that in Vista the particular firewall rules enabled by default now differ for each profile. Here are the specifics (assuming you just installed Vista and haven't used any of the experiences since using an experience for the first time often punches open firewall rules to enable that experience to work):
- For the Domain profile, only the Core Networking rule group has its rules enabled by default. The Core Networking rule group supports basic TCP/IP traffic such as DHCP, DNS, ICMP, Group Policy, and so on (both for IPv4 and IPv6). If the rules in this rule group are disabled, your machine can't talk on the network. Typically the network administrator will use Group Policy to enable additional rules needed to allow specific experiences to work on their machines.
- The Private profile has three rule groups enabled: Core Networking, Network Discovery (so your machine can see other machines on the network), and Remote Assistance (in case you need help from another user on your Home or Work network).
- The Public profile looks almost the same as the Domain profile (i.e., only rules in the Core Networking group are enabled). The difference is that there are a few outbound rules (specifically those for Group Policy and DNS traffic) that only exist in the Domain profile and not the Public profile.
Now that you've got a basic grasp of how firewall profiles work in Vista, what's ahead? In Part 2 of this article, we'll examine firewall rules in detail, examining how they work and also the difference between inbound and outbound rules.