The purpose of Windows Firewall is to examine all incoming network data, looking for attempts to connect to your computer. Windows Firewall maintains a list of networking services for which incoming connections should be permitted, within a given range of network addresses. For example, by default, on a private network, Windows Firewall permits file-sharing connections only from computers on the same “subnet” or LAN as your computer. Attempts by users outside your immediate network to contact your computer are rebuffed. This prevents Internet users from examining your shared files. (Outgoing requests, attempts by your computer to connect to others, are not restricted.)
Windows Firewall also monitors application programs and system services that announce their willingness to receive connections through the network. These are compared against a list of authorized programs. If an unexpected program sets itself up to receive incoming network connections, Windows Firewall displays a pop-up message similar to the one shown in Figure 1, giving you the opportunity to either prevent the program from receiving any network traffic (Cancel) or add the program to the authorized list (Allow Access). This gives you a chance to prevent “spyware” and Trojan horses from doing their dirty work. Firewall-aware programs such as Windows Messenger automatically instruct Windows Firewall to unblock their data connections.
Note
You might ask, why don’t the spyware programs do the same thing? Good question. They will certainly try. However, UAC ensures that unless you give them permission, they won’t have the privileges necessary to open up the firewall. Most application setup programs are run with elevated privileges, so they do have the opportunity to configure Windows Firewall as part of the setup process. You will be shown a UAC prompt before such a setup program runs.
If you don’t recognize the program listed in a Windows Firewall pop-up, click Cancel. This is a break from the way Windows programs usually work: Cancel here doesn’t mean “don’t do anything now.” In this case it actually does make an entry in the firewall’s program list, and the entry is set up to block the program.
On Windows 7, Windows Firewall has separate settings for each application based on whether your computer is connected to a public or private network. In most cases, it’s best to allow a program to receive connections on private networks, but not public. This is certainly the case for file and printer sharing and Windows management functions. The exceptions to this principle would be programs that are meant to work with other Internet users, such as chat or telephony programs.
Note
On a corporate network, your network manager might enforce or prevent the use of Windows Firewall, and may restrict your capability to change its settings while your computer is connected to the network.
The remainder of this section discusses the various setup options for Windows Firewall.
Enabling and Disabling Windows Firewall
To configure Windows Firewall, click Start, Control Panel, System and Security, Windows Firewall (or, if you happen to have a Command Prompt window open, just type start firewall.cpl). The current settings are listed in the right pane, as shown in Figure 2.
In Windows 7, it should never be necessary to change the firewall’s default settings. However, if you do have to make a change, click one of the left pane tasks, which are described in turn in the following sections.
Allow a Program or Feature Through Windows Firewall
If you use a program that has to receive incoming network connections, its setup program should configure Windows Firewall to permit incoming connections; or failing that, the first time you run it you should see a pop-up notification like that shown in Figure 1.
If you handle that pop-up incorrectly, or want to change the setting, select the Allow a Program or Feature Through Windows Firewall task to bring up the dialog box shown in Figure 3. Then, click Change Settings.
To disable a program’s connections, find it in the list and uncheck the box to the left of its name.
To enable a program’s connections, find it in the list and check the box to the left of its name. Then, check either or both of the boxes to the right, to permit it to receive connections through a private network and/or public network.
To make a new entry for a specific program, so that it can receive connections, click Allow Another Program. Then, click Browse and locate the program file (.exe file), and click OK. Click Add, then review the Home/Work (Private) and Public check boxes to make sure that they are set correctly.
To open the firewall for a program or service by its network port number, you’ll have to use the Advanced Settings task, which is discussed shortly.
Change Notification Settings, Turn Windows Firewall On or Off
Both of these tasks bring up the same screen, shown in Figure 4. From there, you can turn Windows Firewall on or off. You can also check a box that blocks all incoming connections regardless of any entries in the Allowed Programs and Features list. (This corresponds to the Block All Incoming Connections and Don’t Allow Exceptions check boxes in Windows Vista and XP, respectively.) Finally, you can enable or disable the pop-up that occurs when a new program wants to receive incoming connections. If you disable notification, newly discovered programs will be blocked silently.
In previous versions of Windows, it was necessary to disable all firewall exceptions when you brought your computer to a public location, but on Windows 7, as I mentioned previously, this is no longer necessary.
Restore Defaults
This task restores Windows Firewall to its default settings, and clears out any additions you’ve made to the Exceptions list. This may cause networking applications such as instant messenger programs and remote control programs like VNC to stop working until you reinstall them, but it will re-secure your computer and restore the functioning of standard services like file and print sharing.
Advanced Settings
This task brings up the Windows Firewall with Advanced Security Administrative program, shown in Figure 5.
You will need to use this program if you want to open the firewall for a network service based on its port number, because the basic firewall “Allowed Programs and Features” list does not let you do this on Windows 7. To open an exception for a TCP or UDP network port, follow these steps:
1. In the left pane, click Inbound Rules.
2. In the Actions list to the right, select New Rule.
3. Select Port, and click Next.
4. Select TCP or UDP, and select Specific Local Ports. Enter the port number or a port number range, then click Next. (To open an exception for both TCP and UDP, you must enter two separate rules.)
5. Select Allow the Connection and click Next.
6. Select the types of networks from which the connection should be accepted: Domain (corporate), Private, and/or Public. Click Next.
7. Enter a name and description for the network service, and click Next.
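The same seven steps can be scripted, which is handy when you have to repeat them on several machines. The following is an added example, not code from the book, written against the Windows Firewall COM interfaces (HNetCfg.FwPolicy2 and HNetCfg.FWRule) that exist on Windows 7; the rule name, description and port range are constructed values, and the script must be run from an elevated PowerShell prompt. It also adds a companion check that lists which inbound allow rules are reachable on Public networks, since the chapter’s advice is that most programs should not be.

```powershell
# Added example (not from the book): scripted equivalent of steps 1-7 above.
# Constant values taken from the INetFwRule / INetFwPolicy2 documentation.
$NET_FW_IP_PROTOCOL_TCP  = 6
$NET_FW_IP_PROTOCOL_UDP  = 17
$NET_FW_RULE_DIR_IN      = 1
$NET_FW_ACTION_ALLOW     = 1
$NET_FW_PROFILE2_DOMAIN  = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4

function Add-InboundPortRule {
    param(
        [string]$Name,
        [string]$Description,
        [string]$LocalPorts,   # a single port "5900" or a range "5900-5910" (step 4)
        # Default to Domain + Private only, matching the chapter's advice (step 6).
        [int]$Profiles = ($NET_FW_PROFILE2_DOMAIN -bor $NET_FW_PROFILE2_PRIVATE)
    )
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # Step 4's caveat: one rule per protocol, so TCP and UDP are created separately.
    $protocols = @{ TCP = $NET_FW_IP_PROTOCOL_TCP; UDP = $NET_FW_IP_PROTOCOL_UDP }
    foreach ($proto in $protocols.GetEnumerator()) {
        $rule = New-Object -ComObject HNetCfg.FWRule
        $rule.Name        = "$Name ($($proto.Key))"     # step 7
        $rule.Description = $Description
        $rule.Protocol    = $proto.Value                # must be set before LocalPorts
        $rule.LocalPorts  = $LocalPorts
        $rule.Direction   = $NET_FW_RULE_DIR_IN         # step 1: Inbound Rules
        $rule.Action      = $NET_FW_ACTION_ALLOW        # step 5: Allow the Connection
        $rule.Profiles    = $Profiles
        $rule.Enabled     = $true
        $policy.Rules.Add($rule)
    }
}

# Companion check: enabled inbound allow rules that apply on Public networks.
function Get-PublicInboundAllowRules {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    $policy.Rules | Where-Object {
        $_.Enabled -and
        $_.Direction -eq $NET_FW_RULE_DIR_IN -and
        $_.Action -eq $NET_FW_ACTION_ALLOW -and
        ($_.Profiles -band $NET_FW_PROFILE2_PUBLIC)
    } | Select-Object Name, Protocol, LocalPorts, ApplicationName
}

# Constructed usage: a hypothetical VNC-style service on Domain and Private networks only.
Add-InboundPortRule -Name "Example VNC" -Description "Constructed example rule" -LocalPorts "5900-5901"
Get-PublicInboundAllowRules | Format-Table -AutoSize
```

Review the output of Get-PublicInboundAllowRules the way you would review the Public column in Figure 3: anything listed there accepts connections from any network you plug into.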
Tip
Are you curious to know what programs and services on your computer are listening for incoming network connections? Just follow these convoluted steps:
1. Click Start, and, in the Search box, type cmd.
2. In the search results, right-click cmd.exe and select Run As Administrator. Confirm the UAC prompt.
3. When the command prompt window opens, type the command netstat -ab | more. (This might take quite a long time to run.) A list of open ports is listed along with the names of the programs that are using them.
An even better way to view this information is to download and run the program at http://live.sysinternals.com/tcpview.exe. If you don’t recognize a program’s name, use Google to see if it’s discussed on any web pages; this might help you determine whether it’s a legitimate Windows program or some sort of malware.
You can also use this tool to open an exception for a protocol other than TCP or UDP, and you can filter based on the remote IP address and port number; I won’t describe this other than to suggest that at step 3, select Custom.
When you attempt to send someone a file using Windows Live Messenger, what actually happens is that the other person’s copy of Windows Messenger contacts your computer to pick up the file. If Windows Firewall blocks incoming Windows Messenger data, the other person’s copy of Messenger will not be able to retrieve the file. Check the Windows Firewall configuration dialog box to ensure that Windows Live Messenger is listed and that the boxes are checked in both the Home/Work and Public columns. Also, if you are using a connection-sharing router, enable Universal Plug and Play (UPnP) on the router so that Messenger can tell it how to route incoming file-transfer