4. Configuring Advanced Firewall Security
In addition to the basic Windows Firewall, Windows 7
includes Windows Firewall with Advanced Security. At home, you probably
won’t work much with this feature. At the office, however, especially if
you work in a medium or large organization, you may find it critical to
know how the advanced firewall works.
Windows Firewall with Advanced Security allows you to open a
custom management console for use in managing advanced firewall
features. As Figure 4
shows, this console gives you direct control over inbound, outbound, and
connection security rules for the firewall’s domain profile, private
profile, and public profile. One way to open the firewall console is to
click the “Advanced settings” link in the main page for the basic
firewall. Another way to open Windows Firewall with Advanced Security is
to follow these steps:
Click Start and then click Control Panel.
In the Control Panel, click System and Security and then click
Administrative Tools.
In Administrative Tools, double-click Windows Firewall with
Advanced Security.
Windows Firewall with Advanced Security gives you a host of
additional features and management options over the basic Windows
Firewall. You have object classes on the left side of the window, and
their associated properties on the right side of the window. This
follows the classic design of Microsoft products, making management very
intuitive. To configure specific settings, simply click the desired
object from the left and manage it from the right. You also can
right-click a selected object to get context menus with more options.
Table 2 lists the
objects and their associated properties from the Windows Firewall with
Advanced Security management console.
Table 2. Windows Firewall with Advanced Security features

| Feature | Associated properties |
|---|---|
| Windows Firewall with Advanced Security | Provides an overview of the firewall profiles associated with the local computer as well as Getting Started options. |
| Inbound Rules | Provides an at-a-glance listing of the inbound packet filtering rules. Lists the inbound rules created on the computer by rule name, associated program group, profile, enabled status, action, and more. |
| Outbound Rules | Provides an at-a-glance listing of the outbound packet filtering rules. Lists the outbound rules created on the computer by rule name, associated program group, profile, enabled status, action, and more. |
| Connection Security Rules | Provides an at-a-glance listing of the IPSec rules. Lists the connection security rules created on the computer by rule name, enabled status, endpoints, authentication mode, authentication method, and associated program group. |
| Monitoring | Provides a detailed summary of the firewall’s domain profile, private profile, and public profile according to the firewall state, general settings, and logging settings. |
| Monitoring→Firewall | Lists the currently active inbound and outbound rules and their status, giving you one place to look to see which rules the firewall is actually enforcing right now. |
| Monitoring→Connection Security Rules | Lists the status of the connection security rules. |
| Monitoring→Security Associations | Lists the security associations for Main Mode and Quick Mode, as well as their status. |
Windows Firewall with Advanced Security maintains a separate
firewall profile for each type of network to which you can connect. For
each profile, you can manage settings for the firewall state, inbound
connections, outbound connections, notification, unicast response, and
logging. As Table 3
shows, the default configuration for each setting is the same for each
profile.
NOTE
It’s important to note that the standard network profile types
differ slightly in the advanced firewall. The advanced firewall has
domain, private and public network profiles. The private profile is
the same as the home or work (private) profile in the basic
firewall.
Table 3. Default configuration for Windows Firewall with Advanced Security

| Setting | Domain profile | Private profile | Public profile |
|---|---|---|---|
| Firewall state | On | On | On |
| Inbound connections | Block | Block | Block |
| Outbound connections | Allow | Allow | Allow |
| Notification | Yes | Yes | Yes |
| Unicast response | Yes | Yes | Yes |
| Log dropped packets | No | No | No |
| Log successful connections | No | No | No |
You can configure the settings for the domain, public, and private
profiles by completing these steps:
In Windows Firewall with Advanced Security, select the Windows
Firewall with Advanced Security node.
In the main pane, click the Windows Firewall Properties link.
You’ll find this link in the Overview section below the profile
status listings. This opens the management dialog box, shown in
Figure 5.
Select the tab for the profile type you want to manage.
Use the “Firewall state” list to turn the firewall on or off
for the selected profile.
Use the “Inbound connections” list to allow or block inbound
connections when using this profile. Block (the default) drops
unsolicited inbound traffic but still honors your inbound allow rules;
“Block all connections” also ignores every allow rule, which is useful
on a hostile network but will break any program that has to accept
connections.
Use the “Outbound connections” list to allow or block outbound
connections when using this profile.
Under Settings, you may also elect to customize the specific
settings of a profile by selecting the Customize button. Settings
customization allows you to turn notifications on or off, and to
allow or disallow unicast responses to multicast or broadcast
traffic.
Under Logging, you may also elect to customize the logging
options of a profile by selecting the Customize button. Logging
customization allows you to enable or disable logging of dropped
packets and successful connections. When you use logging, you can
also set the location and size of the firewall log.
Click OK to save your settings.
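The same per-profile settings can be applied from the command line, which is what you will end up scripting on more than a handful of computers. The following is an added example written for this section, not code from the original text. It uses netsh advfirewall, the Windows 7 command-line interface to the settings in Table 3 and the dialog above, and must be run from an elevated PowerShell (or cmd) prompt. The 16 MB log size and the stricter public-profile policy are illustrative choices, not defaults.

```powershell
# Added example: the Windows Firewall Properties dialog, as netsh commands.
# Elevated prompt required. Each keyword below also accepts domainprofile,
# privateprofile, publicprofile, currentprofile or allprofiles.

# "Firewall state" tab setting, per profile.
netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile state on

# "Inbound/Outbound connections". blockinbound is the dialog's Block and
# still honours inbound allow rules; blockinboundalways is "Block all
# connections" and ignores them (shown here for the public profile only).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# "Settings > Customize": notifications and unicast replies to
# multicast/broadcast traffic (the latter is worth turning off on public
# networks, where an unsolicited reply reveals the host).
netsh advfirewall set publicprofile settings inboundusernotification enable
netsh advfirewall set publicprofile settings unicastresponsetomulticast disable

# "Logging > Customize": dropped packets on, successful connections off
# (they are noisy), explicit path, and size in KB (16 MB assumed here).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections disable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 16384

# Verify: prints the same fields the dialog shows, for every profile.
netsh advfirewall show allprofiles
```

Because the logging path is stored per profile, setting it with `allprofiles` is what keeps all three profiles writing to the one file that the troubleshooting section relies on.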
You can configure the default IPSec settings by completing these
steps:
In Windows Firewall with Advanced Security, select the Windows
Firewall with Advanced Security node.
In the main pane, click the Windows Firewall Properties link.
You’ll find this link in the Overview section below the profile
status listings. This opens the management dialog box.
On the IPSec tab, click the Customize button. This
displays the Customize IPSec Settings dialog box, shown in Figure 15-19.
In the Customize IPSec Settings dialog box, you can specify
key exchange settings, including the security methods
applied. By default the key exchange list contains SHA1 integrity with
AES-CBC-128 encryption and SHA1 integrity with 3DES encryption, the key
exchange algorithm is Diffie-Hellman Group 2, and authentication uses
Kerberos V5 for the computer.
If you want to add a method for key exchange, do the
following:
Click the Advanced option under “Key exchange” and then
click the related Customize button.
In the Customize Advanced Key Exchange Settings dialog
box, shown in Figure 7, click
Add.
Select the integrity algorithm and the related encryption
algorithm to use. Your options for encryption algorithms are
AES-CBC-256, AES-CBC-192, AES-CBC-128, 3DES, and DES. Your
options for integrity algorithms are SHA1, MD5, SHA-256, and
SHA-384.
Use the “Key exchange algorithm” option to select the
desired key exchange algorithm and then click OK. The default
algorithm is Diffie-Hellman Group 2. Your other options are to
select Elliptic Curve Diffie-Hellman P-384, Elliptic Curve
Diffie-Hellman P-256, Diffie-Hellman Group 14, and
Diffie-Hellman Group 1.
In the “Security methods” list, use the options provided
to set the relative priority of each configured algorithm. The
method listed first is proposed first, so you’ll usually want the
strongest supported combination at the top; the peer must also
support a method for it to be negotiated. DES, MD5, and
Diffie-Hellman Group 1 are offered only for compatibility with older
peers and are cryptographically weak, so remove them unless a peer
requires them. Click OK.
If you want to require encryption for all connection security
rules or add data integrity and encryption algorithms, return to the
Customize IPsec Settings dialog if necessary and do the
following:
Click the Advanced option under “Data protection” and then
click the related Customize button.
In the Customize Data Protection Settings dialog box,
shown in Figure 8, select the
“Require encryption . . .” checkbox if you want to
require encryption for all connection security rules.
By default, IPSec uses ESP with SHA1 and AH with SHA1 for
data integrity. You can also use ESP and AH with MD5, AES-GMAC
128, AES-GMAC 192, and AES-GMAC 256. To do this, click Add under
“Data integrity,” select the desired security protocol and the
desired integrity algorithm, and then click OK.
By default, IPSec uses ESP with SHA1 integrity and
AES-CBC-128 encryption as well as ESP with SHA1 integrity and
3DES encryption. You can add support for the AH security
protocol, various encryption algorithms, and various integrity
checking algorithms if desired. To do this, click Add under
“Data integrity and encryption,” select the desired security
protocol, the desired encryption algorithm, and the
desired integrity algorithm, and then click OK.
In both the Data Integrity Algorithms and the Data
Integrity and Encryption Algorithms lists, use the options
provided to set the relative priority of each configured
algorithm. As the security method listed first is tried first,
you’ll usually want the strongest supported encryption method to
be listed first. Click OK.
If you want to configure the authentication mechanism to use,
return to the Customize IPsec Settings dialog if necessary and do
the following:
Click the Advanced option under Authentication Method and then click the related
Customize button.
In the Customize Authentication Methods dialog box, shown
in Figure 9,
Kerberos V5 is listed as the first authentication method. You
can also use NTLMv2, computer certificates, and preshared keys
for authentication.
To add an authentication method for use in authenticating
your computer, click Add under “First authentication methods,”
select the desired authentication method, provide additional
information as necessary, and then click OK.
To add an authentication method for use in authenticating
your user account, click Add under “Second authentication
methods,” select the desired authentication method, provide
additional information as necessary, and then click OK.
In the Methods lists, use the options provided to set the
relative priority of each configured authentication method. As
the method listed first is tried first, you’ll usually want the
strongest supported authentication method to be listed first.
Click OK.
Be sure to click OK to save your changes, or click Cancel to
avoid changing these options if you are unsure of the
implications.
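The key exchange, data protection, and authentication choices above map onto netsh advfirewall as follows. This is an added example written for this section, not code from the original text; it must be run from an elevated prompt. The rule name, the 10.0.0.0/8 internal subnet, and the decision to require IPSec only for the domain profile are assumptions for illustration. Main mode (key exchange) settings are global on Windows 7, whereas data protection and authentication are attached to each connection security rule, which is why the second half is a `consec add rule` command.

```powershell
# Added example: IPSec defaults from the Customize IPSec Settings dialog,
# expressed with netsh advfirewall on Windows 7 (elevated prompt).

# Key exchange ("Main Mode"): keyexchange:encryption-integrity, first entry
# proposed first. This replaces the Windows 7 default of
# dhgroup2:aes128-sha1,dhgroup2:3des-sha1 with stronger methods and drops
# DES, MD5 and 3DES entirely.
netsh advfirewall set global mainmode mmsecmethods ecdhp384:aes256-sha384,dhgroup14:aes256-sha256

# Optional: shorten the main mode key lifetime (default 480 minutes,
# unlimited sessions) so a compromised key has a bounded window.
netsh advfirewall set global mainmode mmkeylifetime 240min,0sess

# Connection security rule (assumed name and subnet): require
# authentication for traffic with the internal subnet, request it
# outbound, Kerberos for the computer first and for the user second, and
# ESP with SHA1 integrity plus AES-256 encryption for data protection.
netsh advfirewall consec add rule name=RequireIPsec-Internal endpoint1=any endpoint2=10.0.0.0/8 action=requireinrequestout auth1=computerkerb auth2=userkerb qmsecmethods=esp:sha1-aes256 profile=domain

# Verify the global settings and the rule as the console would show them.
netsh advfirewall show global
netsh advfirewall consec show rule name=RequireIPsec-Internal
```

`requireinrequestout` is the safe starting point: inbound connections must authenticate, but outbound connections to peers that do not speak IPSec still work, so enabling the rule does not cut the computer off while you roll the policy out.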
To create inbound or outbound rules, right-click the Inbound Rules or Outbound
Rules node as appropriate and then select New Rule from the context menu
provided. You have the option of choosing a program, port, predefined
selection, or custom rule. You must then determine the action taken by
the rule, the profile with which to associate the rule, and the name you
want to give the rule. Managing existing rules only requires you to
double-click the rule to view the properties and manage the settings
associated with the rule.
Numerous feature sets are available for each rule, allowing you to
configure the associated users or computers, protocols and ports, scope
of the rule, standard enablement, and allow or block action. You may
select which program or service to associate with a rule. You also can
change the profile associations, interface types, and edge traversal
with the advanced feature options. Edge traversal controls whether the
rule accepts unsolicited inbound traffic that has crossed an edge device
such as a NAT router (for example, IPv6 traffic tunneled through Teredo).
It does not exempt the traffic from the firewall or from IPSec; leave it
off unless the program genuinely needs to be reachable from outside the
NAT.
Windows Firewall with Advanced Security also offers you the
ability to filter rules by profiles or state. You can manage the
stopping, starting, and disablement of rules using the options on the
Action menu. You can import and export rules by selecting the desired
operation from the Action menu. This makes managing multiple computers a
snap. You can create the rules you desire for all your computers on a
single computer, export those settings, and then use them in Group
Policy to manage your entire network.
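The New Rule wizard, the rule properties, and the export/import commands all have netsh equivalents, which is the form you will want when the same rules have to exist on many computers. The following is an added example written for this section, not code from the original text; run it from an elevated prompt. The rule names, program paths, port 8443, and the 10.0.0.0/8 subnet are assumptions for illustration.

```powershell
# Added example: firewall rules with netsh advfirewall on Windows 7.
# Elevated prompt required. When a value contains spaces, quote the whole
# token, e.g. "name=My Rule" or "program=C:\Program Files\App\app.exe",
# so PowerShell hands netsh a single argument.

# Port rule: inbound TCP 8443, but only from the internal subnet (the
# "scope" of the rule) and only on the domain and private profiles.
netsh advfirewall firewall add rule name=Allow-8443-Internal-In dir=in action=allow protocol=TCP localport=8443 remoteip=10.0.0.0/8 profile=domain,private enable=yes

# Program rule: allow an agent on any port it listens on, public profile
# only, with edge traversal off so NAT-traversed traffic cannot reach it.
netsh advfirewall firewall add rule name=ExampleAgent-In dir=in action=allow program=C:\Tools\agent.exe profile=public edge=no

# "Allow the connection if it is secure": same port, any source, but only
# over an IPSec-authenticated connection (needs a connection security
# rule in place, otherwise nothing matches).
netsh advfirewall firewall add rule name=Allow-8443-IPsec-In dir=in action=allow protocol=TCP localport=8443 security=authenticate

# Outbound is allowed by default (Table 3), so blocking is how you stop
# something: here, Telnet to anywhere, for every program.
netsh advfirewall firewall add rule name=Block-Telnet-Out dir=out action=block protocol=TCP remoteport=23

# Disable rather than delete a rule you may need again, then list inbound
# rules with just the fields worth scanning.
netsh advfirewall firewall set rule name=ExampleAgent-In new enable=no
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern '^(Rule Name|Enabled|Profiles|Action)'

# Export the whole policy (rules, profile settings, IPSec defaults) to a
# .wfw file. Import it on another computer, or into a Group Policy object
# from the Windows Firewall with Advanced Security node in the GPO editor.
netsh advfirewall export "C:\Temp\workstation-policy.wfw"
netsh advfirewall import "C:\Temp\workstation-policy.wfw"
```

The exported `.wfw` file is the same format the console's Export Policy command produces, so a policy built by hand in the console and one built with these commands can be mixed freely.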
5. Troubleshooting Advanced Firewall Problems
Troubleshooting advanced firewall configurations can
become very complicated in a hurry. This is true especially if you have
created customized authentication methods, applied certificate-based
communications, or edited the standardized listings available within the
management console. You must be methodical and patient when pursuing
these problems in some cases. Don’t become discouraged, because you can
always fall back to the postinstallation configuration by restoring the
default settings.
When you are experiencing problems with advanced firewall
configurations, the first thing to turn on is logging for the active
profile (or for every profile, since each profile has its own logging
settings). Each profile can be given its own logfile, but the default
path is the same for all three, so by default dropped packets and
successful connections from every profile end up in one file:
%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log. Each line records
the date, time, action (DROP or ALLOW), protocol, source and destination
addresses and ports, and direction (RECEIVE or SEND), which is usually
enough to tell you which rule or profile setting is in the way.
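Reading the log by eye works for a few lines, but a busy host produces thousands, and what you actually want to know is which ports and which peers are being dropped. The script below is an added example written for this section, not code from the original text. It runs on Windows PowerShell 2.0 as shipped with Windows 7, parses the `#Fields:` header so the column order never has to be hard-coded, and summarises dropped inbound traffic. The log lines in `$sample` are constructed for illustration; on a real system replace the here-string with `Get-Content` on the log path.

```powershell
# Added example: summarise pfirewall.log (Windows 7 W3C-style format).
# $sample is constructed test data in the real file's layout; replace with:
#   $sample = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2010-03-15 10:22:01 DROP TCP 10.0.0.7 10.0.0.12 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2010-03-15 10:22:03 DROP TCP 10.0.0.7 10.0.0.12 51235 445 52 S 1234568 0 8192 - - - RECEIVE
2010-03-15 10:22:05 DROP UDP 10.0.0.9 10.0.0.12 137 137 78 - - - - - - - RECEIVE
2010-03-15 10:22:07 ALLOW TCP 10.0.0.12 10.0.0.1 49201 443 0 - 0 0 0 - - - SEND
2010-03-15 10:22:09 DROP ICMP 10.0.0.9 10.0.0.12 - - 60 - - - - 8 0 - RECEIVE
'@ -split "`r?`n"

function ConvertFrom-FirewallLog {
    # Turns log lines into objects whose property names come from the
    # "#Fields:" header (date, time, action, protocol, src-ip, dst-ip, ...).
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '') { continue }   # other header/blank lines
        if (-not $fields) { continue }   # no header seen yet, columns unknown
        $values = $line -split '\s+'
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $entry
    }
}

$entries = ConvertFrom-FirewallLog -Lines $sample

# Unsolicited inbound traffic the firewall dropped. path=RECEIVE is the
# inbound direction; SEND lines are this host's own outbound traffic.
$drops = $entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' }

"Dropped inbound by protocol and destination port (a port listed here that should be open needs an inbound allow rule):"
$drops | Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize | Out-Host

"Dropped inbound by source address (repeated hits from one peer are either a misconfigured client or a scan):"
$drops | Group-Object 'src-ip' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize | Out-Host

# Dropped ICMP echo requests: the symptom of IPSec or a missing
# "File and Printer Sharing (Echo Request)" rule when ping fails.
$drops | Where-Object { $_.protocol -eq 'ICMP' -and $_.icmptype -eq '8' } |
    Select-Object date, time, 'src-ip', 'dst-ip' | Format-Table -AutoSize | Out-Host
```

On the constructed sample the first table shows two drops for TCP 445 and one each for UDP 137 and ICMP, all from 10.0.0.7 and 10.0.0.9; on a real log the same grouping is the quickest way to separate a single missing rule from a noisy scanner.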
If you are having problems with inbound or outbound connections,
refer to the profile settings for the active profile. When you select
the Monitoring node in Windows Firewall with Advanced Security, the
active profile is identified as such. Check the state of that
profile. If inbound connections are set to “Block all connections,”
every inbound allow rule is being ignored; change the setting back to
Block, which still honors your allow rules. If outbound connections are
set to Block, change the setting back to Allow unless you have
deliberately created outbound allow rules for everything the computer
needs.
If you have created IPSec policies for specific connection types or you
require IPSec for communications, verify that you have the correct
certificate installed or make sure the certificate has not expired or
become untrusted. You will also want to verify that the remote computer
has the same authentication methods set to allow proper authentication
among them. You may also want to enable IPSec exemptions to allow ICMP
traffic to flow regularly with IPSec. This can save a lot of time when
determining specific network issues without IPSec blocking echo
requests.
If a specific program does not work, make sure that you have not
created a customized rule that denies the desired behavior. Look in the
inbound and outbound rules to make sure the settings are correct for the
port, protocol, and IP address requirements as well as associated
computers or users. Make sure you have enabled or disabled the rule,
depending on your specific situation. You should also try to determine
the correct ports and protocols in use for the program to operate
correctly. Once you have the correct information, ensure that you have
either created the custom rule for inbound and outbound traffic, or
changed the predefined listing to work correctly according to your
information.
Sometimes it helps to restart the Windows Firewall service to make
sure something has not ended up in an unusable state due to
configuration changes. Also, confirm that the desired functionality
works with the firewall disabled. This can help to determine whether you
have a separate issue besides the firewall configuration.
You may also want to check Event Viewer in Computer Management to
determine whether errors are being logged for Windows Firewall. The
firewall writes its operational events to the Microsoft-Windows-Windows
Firewall With Advanced Security/Firewall log under Applications and
Services Logs rather than to the Application log. If you find an error
event, use its event ID and message text to look up the problem on
Microsoft’s Support site.
When all else fails, you may consider restoring the default
settings. To do so, follow these steps:
In Windows Firewall with Advanced Security, select the Windows
Firewall with Advanced Security node.
On the Action menu, select Restore Default Policy.
When prompted to confirm the action, click Yes to change
Windows Firewall back to the default settings when first installed.
Keep in mind that restoring the default policy deletes every
firewall rule and connection security rule you created, not just the
ones that are enabled, so programs that depended on custom exceptions
(networked games are a common example) will stop working until you
re-create those rules. Export the policy from the Action menu before
you reset so that you can import it again once you have confirmed that
your network connections work with the default configuration.
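The checks described in this section can be run as commands, which is faster than clicking through the console and leaves a record of what you tried. The following is an added example written for this section, not code from the original text; run it step by step from an elevated prompt rather than all at once. The port (445) used for the rule lookup, the export path, and the decision to exempt ICMP are illustrative assumptions. The rule lookup uses the HNetCfg.FwPolicy2 COM interface, which is present on Windows 7 and returns rules as objects, so you can filter on port or program instead of scrolling the console.

```powershell
# Added example: the troubleshooting checks from this section as commands
# on Windows 7 (elevated prompt). Run one step at a time.

# 1. Which profile is active, and that profile's state, default actions
#    and logging settings (the Monitoring node, in text form).
netsh advfirewall monitor show currentprofile
netsh advfirewall show currentprofile

# 2. If inbound allow rules are being ignored, the profile may be set to
#    "Block all connections" (blockinboundalways). Put it back to Block.
netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound

# 3. Per-profile state through the COM API, which also exposes the
#    "block all" flag directly. Profile bits: 1 domain, 2 private, 4 public.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$names = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
foreach ($p in 1, 2, 4) {
    if ($fw.CurrentProfileTypes -band $p) {
        "{0}: enabled={1} blockAllInbound={2} defaultInbound={3} (0=block,1=allow)" -f $names[$p],
            $fw.FirewallEnabled($p), $fw.BlockAllInboundTraffic($p), $fw.DefaultInboundAction($p)
    }
}

# 4. Every enabled inbound rule that mentions TCP/UDP port 445 (assumed
#    port): Direction 1 = in, Action 1 = allow / 0 = block, Profiles is a
#    bitmask as above. A block rule here wins over any allow rule.
$fw.Rules | Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.LocalPorts -match '(^|,)445(,|$)' } |
    Select-Object Name, Action, Profiles, RemoteAddresses, ApplicationName | Format-Table -AutoSize

# 5. IPSec: exempt ICMP from IPSec so ping works while you debug, then
#    look at the live main mode and quick mode security associations to
#    see whether negotiation with the peer is succeeding at all.
netsh advfirewall set global ipsec defaultexemptions icmp,neighbordiscovery,dhcp
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# 6. Restart the firewall service after configuration changes, and rule
#    the firewall out entirely by turning it off for the active profile
#    just long enough to retest (then turn it straight back on).
Restart-Service MpsSvc
netsh advfirewall set currentprofile state off
# ... retest the application here ...
netsh advfirewall set currentprofile state on

# 7. Recent firewall events (rule changes, service errors) from the
#    firewall's own operational log rather than the Application log.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -MaxEvents 20 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -AutoSize -Wrap

# 8. Last resort: save the current policy, then restore the installation
#    defaults (the same as Action > Restore Default Policy), which
#    deletes every custom rule. Import the .wfw file to get them back.
netsh advfirewall export "C:\Temp\before-reset.wfw"
netsh advfirewall reset
```

Step 6 is the one to be careful with: turning the firewall off is a diagnostic, not a fix, and on a public network the computer is exposed for as long as it stays off, so keep the retest short and confirm with `netsh advfirewall show currentprofile` that the state is back to ON.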
If the problem persists, you can either
consult with a professional computer repair service, contact your
network administrator, consult with the Microsoft online forum for
specific answers to detailed questions, or use any errors you find in
the Event Viewer to determine whether someone else has this problem by
searching for it online. Microsoft offers an automated network
troubleshooting link in the main page of the basic firewall. Clicking
this link displays a list of network and Internet troubleshooters. Use
the Incoming Connections troubleshooter to help you diagnose
and resolve configuration problems with the Windows Firewall.