Using Windows Firewall with Advanced Security


Windows Firewall did much to improve the security of Windows XP systems when it was originally released as part of Service Pack 2, but the knock against it has always been its lack of outbound traffic control features. Although the version of Windows Firewall built into Windows Vista functions in a very similar manner by default, it's now possible to control outbound traffic via a new tool called Windows Firewall with Advanced Security.

Caution 

Windows Firewall with Advanced Security is a very powerful tool that makes it possible to control all network traffic in a very granular fashion. Unfortunately, this tool is not geared toward normal everyday users. The configuration of advanced settings is quite complex, and making changes without understanding their repercussions can easily result in a situation whereby individual programs (or even your entire system) cannot connect to the Internet at all. For that reason, Windows Vista users looking for a more powerful firewall, and one that's relatively easy to configure, are better served by installing one of the third-party personal firewall programs explored later in this chapter.

Windows Firewall with Advanced Security is accessible through the Administrative Tools section of Control Panel. When you first open the tool, the Overview screen displays summary information about the status of your firewall (see Figure 7-9). To account for the fact that some computers (such as laptops) are moved between locations, Windows Firewall with Advanced Security supports three different profiles called Domain, Private, and Public. The basic idea is that you can configure one set of firewall rules that apply at work (Domain), one at home (Private), and one in all other locations (Public). To keep things simple, this explanation will be limited to the configuration of basic settings in the Private profile.

Figure 7-9: The Windows Firewall with Advanced Security Overview screen.

Blocking Inbound and Outbound Connections

Take a closer look at the summary information for the Private Profile in Figure 7-9 and you'll notice that inbound connection attempts that do not match a rule are blocked by default, and outbound connections that do not match a rule are allowed by default. The only exceptions are those that you explicitly configure. In the world of Windows Firewall with Advanced Security, these exceptions take the form of rules designed to allow or deny certain types of traffic in a given direction (inbound or outbound).

The easy way to configure a rule that allows a certain type of inbound connection is by bypassing Windows Firewall with Advanced Security completely and heading to the Exceptions tab in Windows Firewall. Checking a box on the Exceptions list effectively creates the rule for you. However, Windows Firewall doesn't provide a similar interface that enables you to block outbound traffic. It's all allowed to proceed by default, and if there's anything you want to block, you must create rules with Windows Firewall with Advanced Security.

To block certain types of outbound communication, you generally need to either block the program completely, or know a great deal about how it communicates, including details like the protocols and ports being used. If you block a program completely (like Windows Mail), any attempt to connect to the Internet using Windows Mail is blocked. However, if you want to stop users from accessing Usenet newsgroups with Windows Mail while still allowing the program to send and receive e-mail, another approach is required. Windows Firewall with Advanced Security supports both scenarios, but in the second case you must block outbound NNTP traffic (the protocol used to connect to Usenet newsgroups) rather than the entire Windows Mail program. In this particular example, you must create a rule that denies outbound access to TCP port 119. Once implemented, all outbound connections to NNTP servers are blocked, regardless of the program attempting the connection.

The following sections provide an example of how you can implement both of the previous scenarios using Windows Firewall with Advanced Security. In the first set of steps, all users are blocked from accessing the Internet using Windows Mail. In the second, users are blocked from accessing Usenet newsgroups only. Both examples give you a basic idea of how you can implement simple rules using the advanced capabilities of Windows Firewall with Advanced Security.

BLOCKING OUTBOUND CONNECTIONS

Follow these steps to configure Windows Firewall with Advanced Security to stop all users from accessing the Internet using Windows Mail:

  1. Select Start > Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

  2. Select Outbound Rules in the left column, and then click the New Rule link in the right column.

  3. On the Rule Type screen, ensure that Program is selected and click Next.

  4. On the Program screen, click the Browse button and then browse to the location of the program's EXE file. In the case of Windows Mail (see Figure 7-10), this location is C:\Program Files\Windows Mail\WinMail.exe. Click Next.

    Figure 7-10: Specifying the path to a program in the New Outbound Rule Wizard.

  5. On the Action screen, ensure that the Block The Connection option is selected as shown in Figure 7-11, and then click Next.

    Figure 7-11: Configuring a rule's action.

  6. On the Profile screen, select all profiles to which the rule will apply and then click Next.

  7. On the Name screen, give the rule an appropriate name and a description that accurately describes its purpose, as shown in Figure 7-12. Click Finish to begin enforcing the new rule.

    Figure 7-12: Adding a name and description for a rule.

When you enable this particular rule, all attempts to access the Internet via Windows Mail are blocked.

BLOCKING OUTBOUND CONNECTIONS BY PORT

Follow these steps to create a rule that blocks all users from accessing newsgroups via any program:

  1. Select Start > Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

  2. Select Outbound Rules in the left column, and then click the New Rule link in the right column.

  3. On the Rule Type screen, ensure that Port is selected and click Next.

  4. On the Protocols and Ports screen, ensure that the TCP option is selected and enter 119 in the Specific Local Ports box, as shown in Figure 7-13. The NNTP protocol used to access newsgroups uses TCP port 119. Click Next.

    Figure 7-13: Configuring a rule's protocol and port settings.

  5. On the Action screen, ensure that the Block The Connection option is selected and click Next.

  6. On the Profile screen, check the profiles to which this rule should apply and click Next.

  7. On the Name screen, enter an appropriate name and description for the rule as shown in Figure 7-14, and then click Finish.

    Figure 7-14: Naming and describing a rule to block outbound access to newsgroups.

When you enable this rule, users cannot connect to Usenet newsgroups using any program, including Windows Mail. Assuming that you only implement this rule (and not the one blocking Windows Mail completely), users can still use Windows Mail to send and receive e-mail messages.
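Both rules built through the wizard above can also be created from an elevated command prompt with the netsh advfirewall context that ships with Windows Vista. The commands below are an added example and are not part of the book; the rule names and description strings are my own choices. One caveat worth checking on the port rule: for an outbound connection the local port is an ephemeral port picked by the client, so a rule meant to stop traffic to NNTP servers must match the remote (destination) port 119. The wizard page in step 4 asks for local ports, so after finishing the wizard open the rule's Properties, Protocols and Ports tab and confirm that Remote port, not Local port, is set to 119; netsh exposes the same distinction as localport= and remoteport=.

```powershell
# Added example (not from the book). Run from an elevated prompt on Windows Vista.
# The "name=..." quoting style is used so the same lines work from cmd.exe and
# from PowerShell, which both hand netsh the identical argument.

# Scenario 1: block the Windows Mail program completely, in all three profiles.
netsh advfirewall firewall add rule "name=Block Windows Mail (outbound)" dir=out action=block "program=C:\Program Files\Windows Mail\WinMail.exe" profile=any "description=Stops Windows Mail from making any outbound connection"

# Scenario 2: block NNTP for every program. News servers listen on TCP 119, so the
# match is on the REMOTE port; the local port of an outbound connection is ephemeral.
netsh advfirewall firewall add rule "name=Block NNTP (outbound)" dir=out action=block protocol=TCP remoteport=119 profile=any "description=Blocks connections to Usenet news servers from any program"

# Review what was created; verbose shows the direction, port and profile fields.
netsh advfirewall firewall show rule "name=Block NNTP (outbound)" verbose

# Disable a rule without deleting it (same effect as right-click, Disable Rule),
# then re-enable it later.
netsh advfirewall firewall set rule "name=Block NNTP (outbound)" new enable=no
netsh advfirewall firewall set rule "name=Block NNTP (outbound)" new enable=yes

# Remove the program rule entirely once it is no longer wanted.
netsh advfirewall firewall delete rule "name=Block Windows Mail (outbound)"
```

After adding either rule, the quickest functional check is to attempt the blocked action once (for example, opening a newsgroup in Windows Mail) and confirm that the attempt fails while ordinary mail send and receive still works; with logging enabled as described in the next section, the blocked attempt also appears as a DROP entry in pfirewall.log.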

Note 

You can enable or disable rules at any time by opening Windows Firewall with Advanced Security, selecting Inbound Rules or Outbound Rules (as applicable), right-clicking a particular rule, and then selecting Enable Rule or Disable Rule as required.

Setting Logging and Scope Settings

Even if you decide not to make changes to inbound and outbound communication rules via Windows Firewall with Advanced Security (a wise choice if you don't feel comfortable with the process), there are two main configuration settings worth exploring (and potentially changing) if you plan on sticking with Windows Firewall to keep your Windows Vista system protected. The first involves making changes to the firewall's logging settings. By default, Windows Firewall does the job of allowing and blocking connections silently, without keeping any records of its actions. If you're curious to see what types of connection attempts are being made via your firewall, then you should enable logging. The second set of settings worth exploring is the one related to scope, a concept that will be explained shortly.

ENABLING LOGGING SETTINGS

To enable logging settings for Windows Firewall, follow these steps:

  1. Select Start > Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

  2. On the Overview screen, click the Windows Firewall Properties link.

  3. Click the Private Profile tab.

  4. In the Logging section, click the Customize button.

  5. Change the settings in the Log Dropped Packets and Log Successful Connections drop-down menus to Yes as shown in Figure 7-15. Click OK twice to implement your new logging settings.

    Figure 7-15: Configuring logging settings for Windows Firewall.

If you opt to enable Windows Firewall logging, you should review the contents of the log file at least periodically to investigate whether any potential security issues exist. The name of the log file is pfirewall.log, and you can find it in the C:\Windows\system32\logfiles\firewall folder by default.

Note 

The Windows Firewall logs can be difficult to decipher due to the large amount of fairly cryptic information they contain. To make the process of reviewing the Windows Firewall log file easier, use a third-party log reading tool, such as the Windows XP Log Reader (it also works with log files generated by Vista's Windows Firewall), available from http://www.winxpcentral.com/windowsxp/fwlog.php.
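If you would rather not install a third-party reader, the log can be summarised with a short PowerShell script. The following is an added example and is not part of the book or of Windows. pfirewall.log is a plain space-separated text file whose "#Fields:" header names the columns, so the parser reads that header rather than hard-coding positions. The sample log embedded in the script is constructed for the demonstration (the addresses are from documentation ranges); to review a real log, feed the script the file named above instead.

```powershell
# Added example (not from the book): parse a Windows Firewall log and report
# which remote addresses had the most inbound packets dropped, per destination port.

# Constructed sample log. Real logs carry the same "#Fields:" header line.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-03-01 09:15:02 DROP TCP 203.0.113.7 192.168.1.20 40211 445 48 S 1182764 0 8192 - - - RECEIVE
2007-03-01 09:15:02 DROP TCP 203.0.113.7 192.168.1.20 40212 139 48 S 1182765 0 8192 - - - RECEIVE
2007-03-01 09:15:05 DROP TCP 198.51.100.9 192.168.1.20 51000 3389 48 S 9920011 0 65535 - - - RECEIVE
2007-03-01 09:15:08 DROP TCP 203.0.113.7 192.168.1.20 40213 445 48 S 1182766 0 8192 - - - RECEIVE
2007-03-01 09:16:00 ALLOW TCP 192.168.1.20 192.168.1.1 49320 80 0 - 0 0 0 - - - SEND
2007-03-01 09:16:31 DROP UDP 192.168.1.33 192.168.1.255 137 137 78 - - - - - - - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Turns log lines into objects whose property names come from the #Fields header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }   # other headers, blanks
        if (-not $fields) { throw 'Data line found before the #Fields header' }
        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) {
            Write-Warning "Skipping malformed line: $line"
            continue
        }
        $record = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $record
    }
}

function Get-DroppedInboundSummary {
    # Counts dropped inbound packets grouped by source address, protocol and destination port.
    param([object[]]$Records)
    $Records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'src-ip', 'protocol', 'dst-port' |
        Sort-Object -Property Count -Descending |
        Select-Object @{ n = 'Source';   e = { $_.Group[0].'src-ip' } },
                      @{ n = 'Protocol'; e = { $_.Group[0].protocol } },
                      @{ n = 'DstPort';  e = { $_.Group[0].'dst-port' } },
                      Count
}

# Parse the constructed sample. For a real review, replace the first line with:
#   $lines = Get-Content 'C:\Windows\system32\logfiles\firewall\pfirewall.log'
$lines   = $sampleLog -split "`r?`n"
$records = ConvertFrom-FirewallLog -Lines $lines
Get-DroppedInboundSummary -Records $records | Format-Table -AutoSize
```

On the sample data the report lists 203.0.113.7 twice (TCP 445 and TCP 139), then 198.51.100.9 on TCP 3389 and the broadcast NetBIOS name query on UDP 137; the allowed outbound web connection is excluded because only DROP entries on the RECEIVE path are counted. Repeated drops from one address against file-sharing or Remote Desktop ports are exactly the pattern the book suggests looking for when it says to review the log periodically.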

ENABLING SCOPE SETTINGS

When you configure rules with Windows Firewall with Advanced Security, you are effectively implementing those rules for all computers. For example, if you decide to allow incoming connections for the purpose of obtaining Remote Assistance from another user, you simply enable the built-in exception for Remote Assistance, so that incoming connections are allowed from any computer at any address. For added security, however, you can limit who is actually allowed to connect. In the context of Windows Firewall, you limit who can connect by associating a scope with the rule or exception. Scope options that you can apply to rules and exceptions include:

  • Any computer. This option, selected by default, makes the exception accessible to all computers, including all users on the Internet.

  • My network (subnet) only. This option makes the exception accessible to all computers on your private network only. For example, Windows Firewall automatically creates and enables an exception for the File and Printer Sharing service, but limits the scope of this exception with this option. Ultimately, this ensures that other computers on your home network can connect to the protected computer for the purpose of sharing files or printers, but stops Internet users from being able to do so.

  • Custom list. This option enables you to specify the unique IP address (or addresses) of computers that you want to allow to connect via the exception. For example, if you plan to use an exception to play a multiplayer game with only a few friends, you should select this option and enter your friends' IP addresses. By selecting this option, only the addresses listed are able to connect to the exception, stopping all Internet users from connecting through the exception's opening in your firewall.

The version of Windows Firewall included with Windows Vista requires that you configure most scope settings from the Windows Firewall with Advanced Security tool. The following steps explain how to configure scope settings for incoming Remote Assistance connections such that only a user at one IP address (presumably the IP address of a friend or family member who is going to offer you help from a remote location) can connect to your computer. When you configure this scope setting, incoming Remote Assistance connection attempts from all other users are denied.

  1. Click Start > Control Panel > Administrative Tools > Windows Firewall with Advanced Security.

  2. In the left column, click Inbound Rules.

  3. Scroll down until you see the rule named Remote Assistance (TCP-In). Right-click this rule and select Properties.

  4. Click the Scope tab. In the Remote IP Address section click These IP Addresses, and then click the Add button. Enter the IP address from which you want to allow Remote Assistance connections, and then click OK. The example shown in Figure 7-16 allows inbound Remote Assistance connections to your computer from a system with the IP address 24.10.10.10. Click OK to implement your new scope settings.

    Figure 7-16: Limiting the scope of a rule to connections from one remote computer.
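The same scope change can be applied from an elevated command prompt with netsh advfirewall, which also shows how the three scope options listed earlier map onto the firewall's remote-address setting. This is an added example, not from the book. The rule name and the address 24.10.10.10 are the ones used in the steps above; the 192.0.2.0/24 subnet in the comment is a constructed documentation-range value.

```powershell
# Added example (not from the book): restrict the built-in Remote Assistance
# inbound rule to a single remote address, verify it, and later widen it again.

# Custom list: only 24.10.10.10 may reach the Remote Assistance listener.
netsh advfirewall firewall set rule "name=Remote Assistance (TCP-In)" new remoteip=24.10.10.10

# The scope options described in the text correspond to these remoteip values:
#   Any computer             -> remoteip=any
#   My network (subnet) only -> remoteip=localsubnet
#   Custom list              -> remoteip=24.10.10.10,192.0.2.0/24   (addresses, ranges, subnets)

# Confirm the RemoteIP field now shows the single address rather than Any.
netsh advfirewall firewall show rule "name=Remote Assistance (TCP-In)" verbose

# When the help session is over, return the rule to its default scope, or
# disable it outright until it is needed again.
netsh advfirewall firewall set rule "name=Remote Assistance (TCP-In)" new remoteip=any
netsh advfirewall firewall set rule "name=Remote Assistance (TCP-In)" new enable=no
```

Because the Remote Assistance exception opens a listener to whatever the scope allows, narrowing it to the helper's address for the duration of the session and then disabling it is the lower-risk way to use the feature; the verbose listing is the quickest way to confirm that the rule for every enabled profile picked up the change.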



PC Magazine Windows Vista Security Solutions
ISBN: 0470046562
Year: 2004
Pages: 135
Authors: Dan DiNicolo