Configuring Windows Firewall


When Windows XP was first released, its built-in firewall component was known as Internet Connection Firewall (ICF). This firewall feature was not enabled for any network or dial-up connections by default, leading to a situation whereby most Windows XP systems were left unprotected. Things changed when Windows XP Service Pack 2 was released: installing it replaced ICF with the new Windows Firewall, which is automatically enabled to protect all network connections by default. Building on the foundation that Windows XP provided, Windows Vista includes a new advanced version of Windows Firewall.

The version of Windows Firewall that was built into Windows XP offered support for inbound traffic filtering only. In other words, the Windows XP version of Windows Firewall lacks the ability to filter or control Internet-bound traffic. Although it does a good job of protecting your PC from connection attempts by Internet users, it does nothing to stop viruses or spyware already installed on your computer from using your Internet connection to infect other computers or send off your personal information to third parties. With the release of Windows Vista, Windows Firewall behaves in the same manner by default, but a new capability, known as Windows Firewall with Advanced Security, now allows advanced users to configure outbound traffic filtering rules if they desire. Unfortunately, configuring outbound traffic filtering with Windows Firewall with Advanced Security is far from a simple task, requiring a comprehensive understanding of how individual programs and related processes communicate on a port/protocol level.

In its default configuration, Windows Firewall is a suitable option only in cases where you're sure that your computer is both 100 percent virus- and spyware-free. This is possible if your system is protected by updated antispyware and antivirus software, assuming that you scan for threats (and remove them, as found) regularly. However, if pests do manage to infect your computer, Windows Firewall will allow them to access the Internet with impunity, putting both your security and privacy at risk.

Having said that, relying on Windows Firewall to protect your PC is still a better option than not using a firewall at all. For this reason, the configuration of Windows Firewall and its settings is explored in more detail throughout this section.

Cross Reference 

You learn more about protecting your computer against viruses in Chapter 9, and about dealing with spyware and related threats in Chapter 10.

Check Windows Firewall Status

Windows Security Center is a Control Panel tool designed to help keep you informed on the current status of your computer's firewall, virus and spyware protection, operating system updates, and more. On the firewall front, Windows Security Center outlines whether Windows Firewall is on, or if another third-party firewall is installed and enabled. In cases where all firewall components are turned off, Windows Security Center displays a warning message in its program window, and also alerts you via a Security Center icon and message box on your taskbar, as shown in Figure 7-1.

Figure 7-1: Notification message from Windows Security Center when no firewall is protecting a Windows Vista system.

Follow these steps to check the status of Windows Firewall in Windows Security Center:

  1. Select Start > Control Panel > Security > Security Center. The current status of your Firewall is listed as shown in Figure 7-2.

    Figure 7-2: Viewing firewall status information in Windows Security Center.

  2. If the status message for your Firewall reads Off (see Figure 7-3), the simple way to remedy the problem is by clicking the Turn On Now button. Alternatively, you can also click the Show Me My Available Options link to search for third-party firewall programs online, or let Windows Vista know that you will be managing and monitoring your own firewall software without the need for Security Center's input. For all but the most experienced users, this second option is not recommended.

    Figure 7-3: Windows Security Center displays information about the current status of your firewall, automatic updating, antivirus, antispyware software, and more.

Note 

Open Security Center regularly to check (and potentially remedy) the status of your firewall, automatic update settings, antivirus programs, and antispyware software.

Enabling or Disabling a Specific Connection

When Windows Firewall is turned on, it is enabled for all network connections present on your Windows Vista system by default. Although leaving all connections protected in this way is your best bet if you plan to stick with Windows Firewall, there may be certain connections that you do not want protected by a firewall, such as one that connects to other computers on your home network only. Windows Firewall can be selectively enabled or disabled for different connections if necessary.

Follow these steps to enable or disable Windows Firewall for a specific connection:

  1. Select Start > Control Panel > Windows Firewall.

  2. Click the Change Settings link.

  3. At the Windows Firewall Settings window, click the Advanced tab. In the Network Connections section (see Figure 7-4), select or clear the check boxes next to specific network or dial-up connections to enable or disable Windows Firewall for those connections. When complete, click OK.

    Figure 7-4: The Windows Firewall Advanced tab.

Caution 

Never completely disable or turn off the firewall you are using to protect your Internet connection. Doing so puts your Windows Vista system at serious risk.

Configuring Exceptions

If you're running Windows Firewall and want to allow incoming connections to a certain program or service on your computer, you need to configure an exception. In simple terms, you can think of individual exceptions as a statement that says, "Block all incoming connections, with the following exceptions." So, to allow a user to connect to your computer for the purpose of offering remote assistance, you need to configure an exception for the incoming Remote Assistance connection. Similarly, to allow Internet users to connect to an FTP server installed on your Windows Vista system, you need to configure an exception for incoming FTP connections.

You can configure exceptions with Windows Firewall by:

  • Specifying the program that external users will connect to. For example, if you have FTP server software installed and want users to connect to it, you can specify an exception for the FTP server program. Windows Firewall then opens the necessary ports to allow incoming connections automatically.

  • Specifying the communication port that a program or service uses. When programs are capable of accepting incoming connections, they are often said to be acting as a server. Any program capable of acting as a server listens for connection attempts on what are known as TCP or UDP ports. A port is simply a unique number that a particular service uses. For example, an FTP server program listens for incoming connection attempts on TCP port 21, whereas a web server listens for connections on TCP port 80 by default. Windows Firewall enables you to open communication ports in order to allow incoming connections to reach your computer correctly. For cases where you need to open ports on your firewall to allow incoming connections (as is often the case with online multi-player games), consult the program's documentation for details on the correct port(s) to open.

Follow these steps to configure an exception for Remote Assistance with Windows Firewall:

  1. Select Start > Control Panel > Windows Firewall > Exceptions. The Windows Firewall Exceptions tab shows a check mark next to the programs and services that it is not blocking from accepting incoming connections, as shown in Figure 7-5.

    Figure 7-5: The Windows Firewall Exceptions tab.

  2. To allow another user to connect to your Windows Vista system for the purpose of providing help via Remote Assistance, select the check box next to Remote Assistance, as shown in Figure 7-6. Note that depending on the configuration of your system, this setting may be checked already.

    Figure 7-6: Configuring an exception for Remote Assistance connections.

  3. Click OK to save your changes and implement the setting that will now allow outside users to connect to your PC for the purpose of offering help via Remote Assistance.

The Windows Firewall Exceptions tab lists a number of commonly configured program and service exceptions by default. This list is far from comprehensive, however, so Windows Firewall provides the capability to add new custom exceptions for programs or services not on this list.

Follow these steps to add an exception for a specific program, like an online multiplayer game:

  1. Select Start > Control Panel > Windows Firewall > Exceptions.

  2. Click the Add Program button, and then click the name of the program in the Programs list (as shown in Figure 7-7), or click the Browse button to specify the path to a program not included on the Programs list.

    Figure 7-7: Adding an exception for a program.

  3. Click the Change scope button to limit users able to connect via this exception, or click OK to enable the exception for all users (scope settings are explained in more detail later in this chapter). When complete, the exception appears selected on the Exceptions tab, as shown in Figure 7-8.

    Figure 7-8: Reviewing the exception created for a new program.

  4. Click OK to close Windows Firewall.

Note 

You can also add Windows Firewall exceptions by specifying the TCP or UDP port number on which a particular program accepts incoming connections. The port numbers that need to be configured are typically listed in the program's user manual. However, you can also find an updated list of common port numbers online at http://www.iana.org/assignments/port-numbers.

Although exceptions are required any time that you want to allow outside users to make an incoming connection to your computer through Windows Firewall, they should also be disabled when they're no longer required (even if only temporarily). By disabling an exception, you stop users from making inbound connections to your PC, which is a more secure option, especially when you no longer use the program or service in question. To disable an exception, simply clear the check box next to its name on the Exceptions tab in Windows Firewall.
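
The status check and the exception review described in this section can also be done from a script. The following is an added example, not code from the book: it assumes PowerShell is installed and uses the HNetCfg.FwPolicy2 COM interface available in Windows Vista and later; the function names are illustrative. It reports whether the firewall is on for each profile, shows the default outbound action, and lists every enabled inbound exception with its scope so that exceptions open to any remote address stand out.

```powershell
# Added example (not from the book): read-only audit of Windows Firewall.
# Assumes PowerShell is installed; uses the HNetCfg.FwPolicy2 COM interface
# that ships with Windows Vista and later. Function names are illustrative.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# Profile bit flags (NET_FW_PROFILE2_*) and IP protocol numbers.
$profileNames  = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
$protocolNames = @{ 6 = 'TCP'; 17 = 'UDP'; 256 = 'Any' }

# Firewall on/off state and default outbound action for each profile.
function Get-FirewallProfileState {
    foreach ($id in ($profileNames.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Profile  = $profileNames[$id]
            Enabled  = $fw.FirewallEnabled($id)
            Active   = [bool]($fw.CurrentProfileTypes -band $id)
            # Default action values: 0 = block, 1 = allow.
            Outbound = $(if ($fw.DefaultOutboundAction($id) -eq 1) { 'Allow' } else { 'Block' })
        }
    }
}

# Enabled inbound "allow" rules, i.e. the exceptions currently in effect.
function Get-InboundException {
    $fw.Rules |
        Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 } |
        ForEach-Object {
            $proto = $protocolNames[[int]$_.Protocol]
            if (-not $proto) { $proto = $_.Protocol }
            New-Object PSObject -Property @{
                Name     = $_.Name
                Program  = $_.ApplicationName
                Protocol = $proto
                Ports    = $_.LocalPorts
                # The GUI's scope setting is stored as the rule's remote addresses.
                Scope    = $_.RemoteAddresses
                AnyScope = ($_.RemoteAddresses -eq '*')
            }
        }
}

Get-FirewallProfileState | Format-Table Profile, Enabled, Active, Outbound -AutoSize
Get-InboundException | Sort-Object Name |
    Format-Table Name, Protocol, Ports, Scope, AnyScope -AutoSize
```

An exception the listing shows you no longer need can be turned off on the Exceptions tab as described above, or from an elevated command prompt with `netsh advfirewall firewall set rule name="<rule name>" new enable=no`.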



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
EAN: 2147483647
Year: 2004
Pages: 135
Authors: Dan DiNicolo
