Windows Vista Firewall Enhanced Interface
The New Windows Firewall in Windows Vista
NOTE: Vista’s firewall is on by default, but only half of the job is being done for you: unsolicited incoming traffic is blocked, while every outgoing connection is allowed unless you create a rule to block it. You will want to learn how Vista’s firewall works and set it up to fit your needs.
For third-party firewalls that work with Vista, see the bottom of the page.
Sphinx Software - Vista Firewall Control 1.0.5
I found an integrated control (free and paid versions) that allows you more control over Vista's Firewall. It sets rules as you go, like the pop-up “Learning Mode” in other firewall programs, asking if you want to allow this or that, and how much control to allow. Settings for both incoming and outgoing rules.
It lets you decide what programs to allow or deny as they are added for usage.
Sphinx Software - Vista Firewall Control
Windows Vista Firewall
Microsoft Windows Vista includes a new and enhanced version of Windows Firewall. Like the current Windows Firewall in Windows XP Service Pack 2 (SP2), the new Windows Firewall is a stateful host-based firewall that allows or blocks network traffic according to its configuration and the applications that are currently running, to provide a level of protection from malicious users and programs on a network. The new Windows Firewall includes enhancements for better protection and more advanced configuration.
New Enhancements in the new Windows Firewall
The Windows Firewall in Windows Vista has the following
enhancements over the current Windows Firewall in Windows XP SP2:
• Supports filtering for both incoming and outgoing traffic
• New Microsoft Management Console (MMC) snap-in for graphical user interface (GUI) configuration
• Firewall filtering and Internet Protocol security (IPsec) protection settings are integrated
• Rules (exceptions) can be configured for Active Directory® directory service accounts and groups, source and destination IP addresses, IP protocol number, source and destination Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports, all or multiple TCP or UDP ports, specific types of interfaces, Internet Control Message Protocol (ICMP) and ICMP for IPv6 (ICMPv6) traffic by Type and Code, and for services.
Supports filtering for both incoming and outgoing traffic
The new Windows Firewall supports firewalling for incoming traffic, dropping all unsolicited incoming traffic that does not correspond either to traffic sent in response to a request from the computer (solicited traffic) or to unsolicited traffic that has been specified as allowed (excepted traffic). This is the most crucial type of firewalling to have running on a computer, as it helps prevent infection by network-level viruses and worms that spread through unsolicited incoming traffic.
The new Windows Firewall also supports firewalling for outgoing traffic. For example, a network administrator can configure it with a set of rules to block all traffic sent to specific ports, such as the well-known ports used by known malware, or to specific addresses hosting either sensitive or undesirable content. Keep in mind that outbound filtering constrains ordinary software; a program already running with administrative rights can change the rules, so it is not a substitute for keeping the machine clean.
The default behavior of the new Windows Firewall is to:
• Block all incoming traffic unless it is solicited or it matches a configured rule.
• Allow all outgoing traffic unless it matches a configured rule.
New MMC snap-in for GUI configuration
For the current Windows Firewall, the GUI for configuration
consists of the Windows Firewall item in Control Panel and a series of
Group Policy settings in the Group Policy editor snap-in.
You can
configure the new Windows Firewall with the Windows Firewall item in
Control Panel, which displays the same set of configuration options as
for the current Windows Firewall. You can configure basic settings for
the new Windows Firewall, but you cannot configure enhanced features.
Because of the number of advanced configuration options and the value of having the same GUI for both local and Active Directory Group Policy-based configuration, the new Windows Firewall can also be configured with an MMC snap-in named Windows Firewall with Advanced Security (wf.msc), which is available in the Administrative Tools folder.
With the new
Windows Firewall with Advanced Security snap-in, network administrators
can configure settings for the new Windows Firewall on remote computers,
which is not possible for the current Windows Firewall without a remote
desktop connection.
For
command-line configuration of advanced settings of the new Windows
Firewall, you can use commands in the netsh advfirewall context.
This context does not exist for computers running Windows XP with SP2 or
Windows Server 2003 with SP1.
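The defaults described above (block unsolicited inbound, allow all outbound) and the per-profile state and logging settings can be inspected and changed from the netsh advfirewall context. The following is an added example, not code from the original page or from Microsoft's documentation; it must be run from an elevated (Run as administrator) prompt, and the log size and the public-profile lockdown in steps 3 and 4 are this example's choices, not Vista defaults.

```powershell
# Added example (not from the original page): inspect and set the firewall
# defaults with the netsh advfirewall context that Vista introduced. Run from
# an elevated PowerShell prompt; the netsh lines are identical in an elevated
# cmd.exe. Log size and the public-profile lockdown are this example's
# choices, not Vista defaults.
#
# PowerShell gotcha: an unquoted comma splits one argument into two, so any
# netsh value containing a comma is quoted below.

# 1. Show state, default inbound/outbound policy and logging for each profile,
#    and which profile is active on the current network.
netsh advfirewall show allprofiles
netsh advfirewall show currentprofile

# 2. Make sure the firewall is on in every profile and restore the shipping
#    default: unsolicited inbound is blocked, all outbound is allowed.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# 3. Log dropped packets so a blocked connection can be traced back to a rule.
#    The path below is the firewall's default log location.
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging filename $log
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Optional lockdown for untrusted networks: also block outbound by default
#    in the public profile. Every program that needs the network then needs an
#    explicit outbound allow rule, so test on the public profile first before
#    considering the same policy for private or domain.
netsh advfirewall set publicprofile firewallpolicy "blockinbound,blockoutbound"

# 5. Confirm the result for the public profile.
netsh advfirewall show publicprofile
```

With outbound blocking on, watch the dropped-packet log while using the machine normally; each DROP line with a local source address tells you which outbound allow rule is still missing.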
For Group
Policy-based configuration of the new Windows Firewall, go to Computer
Configuration\Windows Settings\Security Settings\Windows Firewall with
Advanced Security in the Group Policy Editor snap-in. The new Windows
Firewall will apply Group Policy settings configured for the current
Windows Firewall at Computer Configuration\Administrative
Templates\Network\Network Connections\Windows Firewall. Computers running
Windows XP with SP2 will ignore most of the Group Policy settings for the
new Windows Firewall.
Firewall and IPsec settings are integrated
IPsec is a set of Internet standards to provide cryptographic protection for IP traffic. In Windows XP, Windows Firewall and IPsec are configured separately. Because both a host-based firewall and IPsec in Windows can block or allow incoming traffic, it is possible to create overlapping or contradictory firewall rules and IPsec rules. The new Windows Firewall combines the configuration of both network services in the same GUI and the same command-line commands. Another benefit of the integration of firewall and IPsec settings is that configuration of IPsec settings is greatly simplified.
Rules can be configured for Active Directory accounts and groups
For rules that
specify that incoming or outgoing traffic must be protected with IPsec,
you can specify the list of computer accounts and groups or user accounts
and groups that are authorized to initiate protected communication. For
example, you can specify that traffic to specific servers with sensitive
data must be protected and can only originate from specific users or
computers.
Rules can be configured for source and destination IP addresses
With the
current Windows Firewall, you can specify the scope of excepted incoming
traffic. The scope defines the portion of the network from which the
excepted traffic is allowed to originate, essentially the source IP
addresses of incoming traffic. With the new Windows Firewall, you can
configure both source and destination IP addresses for both incoming and
outgoing traffic, allowing you to more closely define the type of traffic
that is allowed or blocked. For example, if a computer with a specific IP
address is not allowed to originate traffic to a set of servers, you can
create a blocking outbound rule specifying the locally assigned address
as the source address and the addresses of the servers as the destination
addresses.
For destination addresses, you can also specify the following predefined addresses with the new Windows Firewall:
• Default gateway, WINS servers, DHCP servers, DNS servers. These predefined addresses are dynamically mapped to the addresses of the host's currently defined default gateway, WINS servers, DHCP server, and DNS servers.
• Local subnet. This predefined address is dynamically mapped to the set of addresses defined by your IPv4 address and subnet mask or by your IPv6 local subnet prefix.
Rules can be configured for IP protocol number
In the current Windows Firewall, you can create rules based on TCP or UDP traffic, but you cannot specify other types of traffic that do not use TCP or UDP. The new Windows Firewall allows you to either select the protocol by name or manually type the value of the IPv4 Protocol or IPv6 Next Header field for the desired traffic.
Rules can be configured for source and destination TCP and UDP ports
With the
current Windows Firewall, you can specify the destination TCP or UDP port
for incoming traffic. With the new Windows Firewall, you can configure
both source and destination TCP or UDP ports for both incoming and
outgoing traffic, allowing you to more closely define the type of TCP or
UDP traffic that is allowed or blocked. For example, if you want to block
malicious or undesirable traffic that uses a well-known set of TCP ports,
you can create blocking outbound and inbound rules specifying the TCP
source and destination ports of the traffic.
Rules can be configured for all or multiple ports
When
configuring a port-based rule with the current Windows Firewall, you can
only specify a single TCP or UDP port. With the new Windows Firewall, you
can also specify all TCP or UDP ports (for all TCP or all UDP traffic) or
a comma-delimited list of multiple ports. To configure the new Windows
Firewall for a range of ports, you must specify all of the ports in the
range. For example, if you want to configure a rule for the range of
ports 1090-1095, you must configure the following ports:
1090,1091,1092,1093,1094,1095.
Rules can be configured for specific types of interfaces
With the current Windows Firewall, all the enabled rules apply to all the interfaces on which firewalling is enabled. With the new Windows Firewall, you can specify that a rule applies to all interfaces or to specific types of interfaces, which include LAN, remote access, or wireless interfaces. For example, if an application is only used over remote access connections and you do not want the rule to be active for LAN and wireless connections, you can configure the rule to apply only to remote access connections.
Rules can be configured for ICMP and ICMPv6 traffic by Type and Code
With the
current Windows Firewall, you can enable rules for a fixed set of ICMP
(for IPv4) and ICMPv6 messages. With the new Windows Firewall, there is a
predefined set of commonly excepted ICMP and ICMPv6 messages and you can
add new ICMP or ICMPv6 messages by specifying the ICMP or ICMPv6 message
Type and Code field values. For example, if you want to create a rule for
the ICMPv6 Packet Too Big message, you can manually create a rule for
ICMPv6 Type 2 and Code 0.
Rules can be configured for services
With the
current Windows Firewall, you must configure a rule for a service by
specifying the path to the service program file name. With the new
Windows Firewall, you can specify that the rule applies to any process,
only for services, for a specific service by its service name, or you can
type the short name for the service. For example, if you want to
configure a rule to apply only to the Computer Browser service, you can
select the Computer Browser service in the list of services running on
the computer.
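Each of the rule criteria described in the sections above (IP protocol number, source and destination ports, multiple ports, source and destination addresses and the predefined address keywords, interface type, ICMPv6 Type and Code, and service short name) maps onto a parameter of netsh advfirewall firewall add rule. The following is an added example, not code from the original page; rule names, the addresses (RFC 5737 documentation ranges), the 1090-1095 port block and the application path are assumptions for illustration.

```powershell
# Added example (not from the original page): one rule for each of the new
# matching criteria, created with netsh advfirewall from an elevated prompt.
# Rule names, addresses, the 1090-1095 block and the application path are
# assumptions. Values containing commas are quoted because PowerShell would
# otherwise split them into separate arguments.

# IP protocol number: block outbound GRE (protocol 47), which the XP firewall
# could not express because it only understood TCP and UDP. Outbound is
# allowed by default, so this block rule actually changes behaviour.
netsh advfirewall firewall add rule name="Block-Out-GRE" dir=out action=block protocol=47

# Source and destination TCP ports, several ports in one rule. Vista has no
# range syntax, so 1090-1095 is listed port by port. For outbound traffic
# remoteport is the destination port; for inbound traffic localport is.
netsh advfirewall firewall add rule name="Block-Out-TCP-1090-1095" dir=out action=block protocol=TCP "remoteport=1090,1091,1092,1093,1094,1095"
netsh advfirewall firewall add rule name="Block-In-TCP-1090-1095" dir=in action=block protocol=TCP "localport=1090,1091,1092,1093,1094,1095"

# Source and destination addresses: this host (192.0.2.10) may not originate
# traffic to two servers. localip is the local (source) address of outbound
# traffic, remoteip the destination.
netsh advfirewall firewall add rule name="Block-Out-To-Servers" dir=out action=block localip=192.0.2.10 "remoteip=198.51.100.5,198.51.100.6"

# Predefined addresses: dns maps to the currently configured DNS servers,
# localsubnet to the local IPv4 subnet and IPv6 subnet prefix.
netsh advfirewall firewall add rule name="Allow-Out-DNS" dir=out action=allow protocol=UDP remoteport=53 remoteip=dns
netsh advfirewall firewall add rule name="Allow-In-SMB-LocalSubnet" dir=in action=allow protocol=TCP localport=445 remoteip=localsubnet

# Interface type: a rule active only on remote access (VPN/dial-up)
# connections, not on LAN or wireless interfaces.
netsh advfirewall firewall add rule name="Allow-In-App-RAS" dir=in action=allow program="C:\Tools\ExampleApp\app.exe" interfacetype=ras

# ICMPv6 by Type and Code: Packet Too Big is Type 2, Code 0. Blocking it
# breaks IPv6 path MTU discovery, so it is allowed here.
netsh advfirewall firewall add rule name="Allow-In-ICMPv6-PacketTooBig" dir=in action=allow "protocol=icmpv6:2,0"

# Service by short name: the Computer Browser service is "Browser", hosted in
# svchost.exe. Naming the service keeps the rule from applying to every other
# service that shares that executable.
netsh advfirewall firewall add rule name="Allow-In-Browser-Svc" dir=in action=allow protocol=UDP "localport=137,138" program="C:\Windows\System32\svchost.exe" service=Browser remoteip=localsubnet

# Read one rule back with every field shown.
netsh advfirewall firewall show rule name="Allow-In-Browser-Svc" verbose
```

Rule names are kept free of spaces on purpose: a name with spaces is quoted differently by cmd.exe and PowerShell before netsh ever sees it, and the mismatch is a common reason a later show or delete command reports no matching rule.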
Using the Windows Firewall with Advanced Security snap-in
To configure advanced settings for the new Windows Firewall, do the following:
• From the Windows Vista or Windows Server "Longhorn" desktop, click Control Panel, click System and Maintenance, click Administrative Tools, and then double-click Windows Firewall with Advanced Security (or run wf.msc from an elevated prompt).
The following figure shows an example of the display of the Windows Firewall with Advanced Security snap-in.
To modify the
Windows Firewall state, specify additional settings for IPsec, or specify
settings that control Windows Firewall behavior and logging settings for
each profile, right click Windows Firewall with Advanced Security
in the tree, and then click Properties.
The following figure shows an example.
The Domain
Profile, Private Profile, and Public profile settings apply to the
domain, private, and public network category types.
The Windows Firewall with Advanced Security tree has the following nodes:
• Inbound Rules Stores the set of configured rules for incoming traffic.
• Outbound Rules Stores the set of configured rules for outgoing traffic.
• Connection Security Rules Stores the set of rules for protected traffic.
• Monitoring Displays information about current firewall rules, connection security rules, and security associations. The Monitoring node is not displayed when viewing the Windows Firewall with Advanced Security snap-in within the Group Policy Editor snap-in.
When you select the Windows Firewall with Advanced Security node in the tree, the following panes are displayed:
• Overview and Getting Started The Overview section displays the current state of the new Windows Firewall for the domain, private, and public profiles, including which profile is active. The Getting Started section contains links to topics to get you started configuring rules.
• Resources Provides links to documentation topics for the new Windows Firewall.
The Actions
pane displays the context menu commands of the currently selected node in
either the tree or details pane.
The new Windows Firewall configuration consists of the following:
• Inbound rules
• Outbound rules
• Connection security rules
Configuring an Inbound Rule
To create a
new inbound rule, right-click Inbound Rules in the tree, and then
click New Rule. Alternately, click Inbound Rules in the
tree, and then click New Rule in the Actions pane.
The New Inbound Rule wizard starts. The following figure shows an example.
From the Rule Type page of the New Inbound Rule wizard, you can select the following:
• Program To specify a rule for incoming traffic based on a program name (specified by its path and executable name). You must also specify an action (to allow, block, or protect), the profiles to which the rule applies (domain, private, public), and a name for the rule.
• Port To specify a rule for incoming traffic based on TCP or UDP ports. You must also specify an action (to allow, block, or protect), the profiles to which the rule applies (domain, private, public), and a name for the rule.
• Predefined To specify a rule based on one of the predefined services. You must also specify a name for the rule.
• Custom To create a customized rule. You would select this option when you want to manually configure rule behavior, perhaps based on advanced settings that cannot be configured through the pages of the New Inbound Rule wizard. You must specify a name for the rule.
After the New
Inbound Rule wizard has completed, there is a new inbound rule with the
name you specified in the details pane. To configure advanced properties
for the rule, right-click the name of the inbound rule and click Properties.
Alternately, click the name, and then click Properties in the
Actions pane.
Configuring an Outbound Rule
To create a
new outbound rule, right-click Outbound Rules in the tree, and
then click New Rule. Alternately, click Outbound Rules in
the tree, and then click New Rule in the Actions pane.
The New Outbound Rule wizard starts. The following figure shows an example.
From the Rule Type page of the New Outbound Rule wizard, you can select the following:
• Program
• Port
• Predefined
• Custom
These rule
types are the same as for inbound rules, except they are for outgoing
traffic.
After the New
Outbound Rule wizard has completed, there is a new outbound rule with the
name you specified in the details pane. To configure advanced properties
for the rule, right-click the name of the outbound rule, and then click Properties.
Alternately, click the name, and then click Properties in the
Actions pane.
From the properties dialog box for either an inbound or an outbound rule, you can configure settings on the following tabs:
• General The rule's name and the rule's action (allow the connections, allow only secure connections, or block).
• Programs and Services The programs or services to which the rule applies. You can optionally specify both a program and a service. If you specify both, both must match for the connection to match the rule.
• Users and Computers (inbound) or Computers (outbound) If the rule's action is to allow only secure connections, the user or computer accounts that are authorized to make protected connections.
• Protocols and Ports The rule's IP protocol, source and destination TCP or UDP ports, and ICMP or ICMPv6 settings.
• Scope The rule's source and destination addresses.
• Advanced The profiles or types of interfaces to which the rule applies and, for inbound rules, whether you want to allow the traffic for this exception to pass through a router that is performing network address translation (edge traversal) using the Teredo technology. Edge traversal makes the port reachable from the IPv6 Internet through the NAT, so enable it only for programs that must accept unsolicited connections.
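The tabs listed above, together with the earlier section on rules for Active Directory accounts and groups, correspond to the action, program, service, security, group, profile and edge parameters of netsh advfirewall firewall add rule and set rule. The following is an added example, not code from the original page; the application paths, the port, the hypothetical group SID in the SDDL string and the rule names are assumptions, and the "allow only secure connections" rule only admits anything once a connection security rule exists for the peers.

```powershell
# Added example (not from the original page): the settings behind the rule
# property tabs (action, program, authorized computers, ports, profile and
# edge traversal) as netsh advfirewall commands, plus a small existence check.
# Run elevated. Application paths, the port and the group SID are hypothetical.

# General + Programs and Services + Users and Computers + Protocols and Ports,
# in one rule. security=authenticate is the "allow only secure connections"
# action: only IPsec-authenticated peers match. rmtcomputergrp narrows them
# to one AD computer group, written as an SDDL DACL that grants the group's
# SID (hypothetical SID below). Without a matching connection security rule
# no peer can authenticate, and this rule then allows nothing.
netsh advfirewall firewall add rule name="Allow-In-FinanceApp-Secure" dir=in action=allow protocol=TCP localport=8443 program="C:\Tools\FinanceApp\server.exe" security=authenticate rmtcomputergrp="D:(A;;CC;;;S-1-5-21-3623811015-3361044348-30300820-1013)" profile=domain

# Advanced tab: an inbound program rule active only in the private profile
# that may pass through a NAT router via Teredo (edge traversal). Edge
# traversal exposes the listener to the IPv6 Internet, so keep it off unless
# the program genuinely needs unsolicited inbound connections.
netsh advfirewall firewall add rule name="Allow-In-P2P-Client" dir=in action=allow program="C:\Tools\P2P\client.exe" profile=private edge=yes

function Test-FirewallRule([string]$Name) {
    # True when a rule with exactly this name exists. netsh prints
    # "No rules match the specified criteria." otherwise (English locale;
    # localized systems print a translated message). Names without spaces
    # keep the quoting identical in cmd.exe and PowerShell.
    $out = netsh advfirewall firewall show rule name="$Name"
    return (-not ($out -match 'No rules match'))
}

# General tab changes after creation go through "set rule ... new": when
# troubleshooting, disable a rule first instead of deleting it.
if (Test-FirewallRule "Allow-In-P2P-Client") {
    netsh advfirewall firewall set rule name="Allow-In-P2P-Client" new enable=no
}

# Read every field the tabs expose, then remove a rule that is no longer needed.
netsh advfirewall firewall show rule name="Allow-In-FinanceApp-Secure" verbose
netsh advfirewall firewall delete rule name="Allow-In-P2P-Client"
```

The existence check matters because netsh add rule happily creates a second rule with the same name; scripts that re-run on every logon should test before adding, or delete and re-add, to avoid accumulating duplicates.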
Configuring a Connection Security Rule
To create a
new connection security rule, right-click Connection Security Rules
in the tree, and then click New Rule. Alternately, click Connection
Security Rules in the tree, and then click New Rule in the
Actions pane.
The New Connection Security Rule wizard starts. The following figure shows an example.
From the Rule Type page of the New Connection Security Rule wizard, you can select the following:
• Isolation To specify that computers are isolated from other computers based on membership in a common Active Directory infrastructure or because they have an updated and current health status. You must specify when you want authentication to occur (for example, for incoming or outgoing traffic, and whether you want to require or only request protection), the authentication method for protected traffic, and a name for the rule. Isolating computers based on their health status uses the new Network Access Protection platform in Windows Vista and Windows Server "Longhorn".
• Authentication exemption To specify, by their IP addresses, computers that do not have to authenticate or protect traffic.
• Server to server To specify traffic protection between specific computers, typically servers. You must specify the set of endpoints that will exchange protected traffic by IP address, when you want authentication to occur, the authentication method for protected traffic, and a name for the rule.
• Tunnel To specify traffic protection that is tunneled, typically used when sending packets across the Internet between two security gateway computers. You must specify the tunnel endpoints by IP address, the authentication method, and a name for the rule.
• Custom To create a rule that does not specify a protection behavior. You would select this option when you want to manually configure a rule, perhaps based on advanced properties that cannot be configured through the pages of the New Connection Security Rule wizard. You must specify a name for the rule.
After the New
Connection Security Rule wizard has completed, there is a new rule with
the name you specified in the details pane of the Connection Security
Rules node. To configure advanced properties for the rule, right-click
the name of the rule, and then click Properties. Alternately,
click the rule name in the details pane, and then click Properties
in the Actions pane.
From the properties dialog box for a rule, you can configure settings on the following tabs:
• General The rule’s name and description and whether the rule is enabled.
• Computers The set of computers, by IP address, for which traffic is protected.
• Authentication When you want authentication for traffic protection to occur (for example, for incoming or outgoing traffic, and whether you want to require or only request protection) and the authentication method for protected traffic.
• Advanced The profiles and types of interfaces to which the rule applies and IPsec tunneling behavior.
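The Isolation, Authentication exemption, Server to server and Tunnel rule types from the wizard, and the request-versus-require choice on the Authentication tab, are all available from the netsh advfirewall consec context. The following is an added example, not code from the original page; it assumes a domain-joined host, and the addresses (RFC 5737 and RFC 1918 ranges), rule names and CA name are placeholders. It also shows the staged rollout a practitioner would use: exempt the infrastructure first, request authentication, then require it.

```powershell
# Added example (not from the original page): connection security rules of
# the Isolation, Authentication exemption, Server to server and Tunnel types,
# created with netsh advfirewall consec from an elevated prompt on a
# domain-joined host. Addresses, names and the CA name are assumptions.
# Values containing commas are quoted for PowerShell.

# Authentication exemption first: domain controllers and DNS must stay
# reachable without IPsec, or Kerberos authentication itself cannot complete.
netsh advfirewall consec add rule name="Exempt-DCs-DNS" endpoint1=any "endpoint2=192.0.2.1,192.0.2.2" action=noauthentication

# Isolation, phase 1: request authentication in both directions, domain
# profile only, so nothing breaks while you confirm under Monitoring that
# security associations are actually being established.
netsh advfirewall consec add rule name="Isolation-Domain" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb profile=domain

# Isolation, phase 2: once peers authenticate reliably, require it for
# inbound and keep requesting it for outbound. Non-domain machines can then
# no longer reach this host, which is the point of isolation.
netsh advfirewall consec set rule name="Isolation-Domain" new action=requireinrequestout

# Server to server: require authentication both ways between this host and
# one database server. Kerberos (domain membership) is the method here; a
# pre-shared key (auth1=computerpsk) also works but is readable by every
# administrator of both hosts, so prefer Kerberos or certificates.
netsh advfirewall consec add rule name="S2S-DB" endpoint1=192.0.2.10 endpoint2=198.51.100.20 action=requireinrequireout auth1=computerkerb

# Tunnel: protect traffic between two sites through gateway addresses,
# authenticated with computer certificates issued by the named CA.
netsh advfirewall consec add rule name="Tunnel-Branch" mode=tunnel endpoint1=10.1.0.0/16 endpoint2=10.2.0.0/16 localtunnelendpoint=203.0.113.1 remotetunnelendpoint=203.0.113.2 action=requireinrequireout auth1=computercert auth1ca="CN=ExampleRootCA"

# Review what was created.
netsh advfirewall consec show rule name=all
```

Phase 2 is where lockouts happen: if the exemption list misses a server that clients must reach before they can authenticate (DHCP, DNS, a domain controller), requiring inbound authentication on that server cuts it off from every client at once. Keep the request-only rule in place until the Monitoring node shows main mode and quick mode associations for the peers you expect.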
For more information on setting up Vista’s firewall:
http://www.agnitum.com/news/securityinsight/issues/january2007
Third Party Firewalls that work with Vista
With the beta versions, look for the beta section.
Safe Surfing!