Windows Server 2008 R2 includes a vastly improved integrated firewall that is turned on by default in all installations of the product. The firewall, administered from the MMC snap-in shown in Figure 1 (Start, All Programs, Administrative Tools, Windows Firewall with Advanced Security), gives unprecedented control and security to a server.
Understanding Windows Firewall Integration with Server Manager
The firewall with advanced security is fully integrated with the Server Manager utility and the Server Roles Wizard. For example, if an administrator runs the Server Roles Wizard and chooses to make the server a file server, only then are the ports and protocols required for file server access opened on the server.
Note
It is instinctual for most administrators to disable software firewalls on servers, as they have caused problems with functionality in the past. This is not recommended in Windows Server 2008 R2, however, as the product itself is tightly integrated with its firewall, and the firewall itself provides a much greater degree of security than previous versions of Windows Server provided.
Creating Inbound and Outbound Rules on the Windows Firewall
In certain cases, when a third-party application is not integrated with Server Manager, or when specific individual ports need to be opened, it might become necessary to create firewall rules for individual services to run properly. Both inbound rules, addressing traffic to the server, and outbound rules, addressing how the server can communicate out, can be created. Rules can be created based on the following factors:
Program— A rule can be created that grants a specific program executable access. For example, you can specify that the c:\Program Files\Custom Program\myprogram.exe file has full outbound access when running. The Windows Firewall will then allow any connection made by that program. This can be useful when a specific application server uses multiple varied ports, but the overall security that the firewall provides is still desired.
Port— Entering a traditional UDP or TCP port into the Add Rules Wizard is supported. This covers traditional scenarios such as “We need to open Port 8787 on the server.”
Predefined— Windows Server also has built-in, predefined rules, such as those that allow AD DS, DFS, BITS, HTTP, and many more. The advantage of using a predefined rule is that Microsoft has done all the legwork in advance, and it becomes much easier to allow a specific service.
Custom— The creation of custom rule types not covered by the other categories is also supported.
For example, the following procedure details the creation of an inbound rule to allow a custom application to use TCP Port 8787 for inbound communication:
1. Open the Windows Firewall MMC (Start, All Programs, Administrative Tools, Windows Firewall with Advanced Security).
2. Click on the Inbound Rules node in the node pane.
3. In the Actions pane, click the New Rule link.
4. On the Rule Type page of the New Inbound Rule Wizard, shown in Figure 2, select Port to create a rule based on the port, and click Next to continue.
5. On the Protocol and Ports page, shown in Figure 3, select TCP, and enter 8787 in the Specific Local Ports field. Click Next to continue.
6. On the Action page, select Allow to enable the connection.
Note
The Action page of the New Inbound Rule Wizard also allows a rule to be configured that only allows the connection if it is secured using IPSec technologies.
7. On the Profile page, shown in Figure 4, select all three check boxes. The profile check boxes let an administrator specify that a rule applies only when the server is connected to specific types of network. Click Next to continue.
8. Enter a descriptive name for the rule, and click Finish.
Review the rule settings in the Inbound Rules node, shown in Figure 5. This allows for a quick-glance view of the rule settings. You can also include a rule in a rule group, which allows multiple rules to be tied together for easy on/off application.
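The same rule can be created from the command line with netsh advfirewall, the scriptable interface to the Windows Firewall with Advanced Security on Windows Server 2008 R2. The following script is an added example, not from the book; the rule names, the 10.0.0.0/24 management subnet used to scope the rule, and the program path reused from the Program rule type above are assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example: the wizard steps 4-8 (inbound, TCP, local port 8787, Allow, all
# three profiles) as a single netsh command, plus the two variants the text
# mentions: an IPsec-only rule and an outbound program rule.

$ruleName = "CustomApp-TCP-8787-In"    # assumed name, mirrors step 8

# Delete any stale copy first so the script can be re-run (netsh matches by name).
netsh advfirewall firewall delete rule name="$ruleName" | Out-Null

# Inbound TCP 8787, allowed on domain, private and public profiles (profile=any).
# remoteip adds the scope the wizard leaves open: only the assumed management
# subnet may reach the port, which limits exposure if the application is flawed.
netsh advfirewall firewall add rule `
    name="$ruleName" `
    dir=in action=allow enable=yes `
    protocol=TCP localport=8787 `
    profile=any `
    remoteip=10.0.0.0/24 `
    description="Inbound TCP 8787 for the custom application, scoped to 10.0.0.0/24 (assumed subnet)"

# Equivalent of the Action page option "Allow the connection if it is secure":
# security=authenticate accepts the connection only after IPsec authentication.
netsh advfirewall firewall add rule `
    name="$ruleName-IPsecOnly" `
    dir=in action=allow enable=yes `
    protocol=TCP localport=8787 `
    profile=domain `
    security=authenticate

# Program rule type: outbound access for one executable regardless of port.
netsh advfirewall firewall add rule `
    name="CustomProgram-Out" `
    dir=out action=allow enable=yes `
    program="C:\Program Files\Custom Program\myprogram.exe" `
    profile=any

# Review, as Figure 5 does in the MMC: dump the rule and check the port took effect.
$shown = netsh advfirewall firewall show rule name="$ruleName" verbose
if (-not ($shown | Select-String -Pattern '^LocalPort:\s+8787')) {
    throw "Rule '$ruleName' was not created as expected"
}
$shown
```

netsh advfirewall firewall show rule name=all lists every rule, which is a quick way to confirm that a role installation or application setup did not open more than intended.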
Using the integrated Windows Firewall is no longer just a good idea; it’s a vital part of the security of the product. The ability to define rules based on factors such as scope, profile, IPSec status, and the like further positions the Server OS as one with high levels of integrated security.