Windows Firewall with Advanced Security (Guide for Vista)

[Stem]

Due to requests I have put together a short guide on how to use the Vista "Windows Firewall with Advanced Security"

I was not quite sure as to how to put the info forward, as there is the "Windows Firewall with Advanced Security", but there are 2 other areas that need to be looked at. I decided to jump right in, and first explain the main area:-

Location:-
Start menu- Control panel- System and Maintenance- Administrative Tools- Windows Firewall with Advanced Security.

This brings up an MMC snap in, but I will refer to this as the "Main firewall UI"



By default it will show you the 3 profiles that are used. A profile can be explained as a ruleset for a specific type of location as to where you are connecting

Domain: Connecting to a Domain
Private: This would be used for a trusted LAN, such as an home network where sharing is allowed.
Public: Used if connecting directly to the Internet, or on an untrusted LAN, or simply if you want to keep the PC isolated from other PCs on the LAN

When you first connect to a network, windows will detect what type of connections it is. If a Domain, then that profile will be selected. If not a Domain, then there will be a popup for you to select either "Public" or "Private", so you can then decide what profile(or ruleset) to use. If you change your mind after selecting, you can change this, but you need to go to the "Network and Sharing" to do that. That is one of the other areas we will look at later.

Before we go further. How to enable the outbound control:

If you select "Properties" (as highlighted in above pic), this will bring up the window below:-

[NOTE: I have already changed the default settings, as by default the "outbound connections" are set to "Allow"]



The first 3 tabs show the base settings of each of the profiles, each profile can have different settings for the inbound/outbound, logging etc. So lets look at what the settings are.

Firewall State: Simply to change the firewall to On or Off for that profile
Inbound connections:
Block (Default): This will block all connections that are not specifically allowed. So if you have rules set to allow inbound, maybe for file sharing or a game server etc, then that is the option to use.
Block all connections: This will set the firewall for that profile to "block all without exception". So even if you have inbound allow rules, these will be blocked
Allow: Will allow all connections that have not been specifically blocked. So if you have no inbound blocking rules, then all inbound will be allowed.
Outbound Connections:
Allow(Default): Will allow all outbound for that profile that have not been specifically blocked with rules.
Block: Will block all for that profile that as not been specifically allowed by rules.

Settings: select "Customize" to bring up the popup below:


For an explanation of these settings, just click on the "learn more about these settings" as they are explained

Logging: select "Customize" to bring up the popup below:


Again, for an explanation, just click the "Learn more about logging", it is explain as well as I could put forward.

The "IPsec" tab. That is part of the setup for secure connections. We will go through the basics later when creating rules.

Now lets start to look at the pre-defined rules currently in the firewall. We will look at the current outbound rules.

In the "main firewall UI" select "Outbound"



You will see there are a lot of rules in place, those with a green "tick" show the rule as active, those grayed out are disabled. To get some understanding of what the rules are for, it is better to look at the "Group" column, you will see that various rules are placed together in groups, such as the "File and print sharing" and "Remote assistant". Most users will probably at least know what that is referring to, if not, then it would be advisable to spend a little time online to check. What also should help, is if you look at the "Profile" column,



You will see that each rule is assigned to one or more profiles. So when a rule is active, then it is only active(in use) when that specific profile is in use.

To get an overview of what rules are actually in use, without having to look down the list checking which rule is active and in which profile, go to "monitoring - Firewall". This will show all inbound and outbound rules active for the current profile in use.



Adding outbound rules:

This is what most users want to know. So we will go through a step by step procedure.


First. If for example, a user wants to enable "file and Printer Sharing", then in the "main firewall UI" you have 2 choices. You can go down the list and enable the rules required, or you can simply select "New Rule"



Select "predefined", then select "file and Printer Sharing", press next.



It will show you the rules required, and you can then enable the rules.





This could actually be done easier in the "Network and Sharing" center, which we will look at later.

Adding a rule for a specific application.

There can be 2 parts to adding an application rule, it depends on how tight you want the rule to be.

So lets add a rule for Firefox browser.

In the "main firewall UI" select "outbound" then "New rule"


Select "Program"



Select "This program path" then browse for the application, in this example, Firefox



Select "Allow the connection"



You can then select which profile(s) you want to add the rule to



Then name the rule/ add a description. Then finish



You then have a rule to allow all outbound for Firefox. For some users, that may be sufficiant control for their needs. If you then want to make restrictions you edit the rule.

To add restrictions, double click the rule for FF that you just created, this will bring up the properties for the rule.



Select "Protocols and Ports". For normal HTTP/HTTPs connections, you would set the Protocol as "TCP" then add remote ports 80,443.



If you then wanted to add endpoint restriction as to what IPs can be connected to (if for example this was actually a program that you only wanted it to connect to its update site), then add the IPs to the "Remote IP address"



Adding rules for svchost


There are a number of concerns when adding rules for the services host(svchost). As for example, when adding rules to allow windows updates, there is a need to allow open ended rules for remote ports 80/443. Attempting to make end-point restrictions can be a problem due to the amount of mirror sites used by MS that can constantly change. In the firewall rules, you can add the actual service to the rule, which does add some restriction.

As we did for firefox, you first create an application outbound rule for svchost, during its creation you will get a warning popup:-



Dont concern, just finish the rule, once done, double click the rule you created and bring up the rule properties.

Select the "Programs and Services" tab, then select the "Services- Settings"

In the popup window, select "Apply to this service", then select the "windows update", then OK



You can then go to the "Protocols and Ports" tab, and select protocol TCP and the remote ports.

[Stem]

NOTE:

On a "block all outbound not specifically allowed" policy, a number of user may have problems connecting even after creating correct rules for the application(such as a browser).

You may be getting your DNS lookups blocked if these lookups are made via TCP, as the current DNS rule only allows UDP. If you have the logging of blocked packets enabled and you see blocked packets for TCP remote port 53, then you will need to add a rule for svchost to allow these comms. You can use the current DNS rule as a template to copy, just ensure that if you do create such a rule, that you bind the rule to the DNS client service (as shown with the binding of the windows updates service to its rule)

If you have the windows DNS client disabled, then either an open rule to allow DNS will be required, or the creation of a rule per application for DNS lookups will be required.

[Stem]

Network and Sharing Center.

Location:-
Control Panel- Network and Internet- Network and Sharing Center

This is one of the areas I mentioned earlier. Here you can enable such as "File Sharing" with a simple click, so therefore will effect your policy


The settings in this area are really for use in a private LAN such as an home network as allowing "Network Discovery", "File Sharing" etc in a public location is not advisable.



To enable one of these services, as example "File Sharing" simply press the little down arrow, then select "Turn on File Sharing"



You will notice I have also been given a warning that my current setting of "block all incoming connection" will be disabled if I enable the file sharing. Once this is enabled, then the rules for file sharing in the "main Firewall UI" will be enabled.

A possible problem would be if you where to enable these services within a public network. So if your current policy is "Public" and you select to enable (for example) the File sharing, you will get a further popup to confirm what you want to do:-



If you where already in a Private network, then file sharing would simply be enabled.

Some options, such as "Media Sharing" are not allowed within a "Public" network, and if you attempt to enable while in that public network, you will be denied:-



I think most will understand this area and options, the only other main point I wanted to make was the "Network - Customize":-



Here you can change your network to/from Private/Public.

[Stem]

Windows Firewall

The last main area to look at. This is what most users will already know, as this is the same as from XP. So we will just quickly run through this.

Location:-
Control Panel- Security- Windows Firewall.

This then brings up a windows showing an overview of the current settings



If you then click the "Change Settings" it will bring up the popup that is more familiar. As with XP, you can select to block all inbound (Allow no exceptions) which will over-ride any inbound allowed. If you disable that option, then any rules to allow inbound will then allow that Inbound, and any Inbound to a listening application that does not currently have a rule will cause a popup as we are used to in XP



On the Exceptions tab, again, the same as XP.



The Advanced tab as been cut down, as the options that where here are now within the "main Firewall UI"

[Stem]

ICMP

As you will see from the Windows Firewall Advanced tab above, ICMP is no longer in that tab as it was in XP. To create ICMP rules you will need to go into the "main Firewall UI"

For ICMP first select the direction, then select "New rule" and you will get a popup to create the new rule. In the "Rule Type" select "Custom", then next



Here you can select an application, but I usually just apply ICMP to the system, so I select "All Programs"



For the "Protocol Type" select ICMPv4, then click on the "Customize" button at the bottom of the window



This then brings up the various ICMP settings that can be used, such as allowing an "Echo Request". If the ICMP that you want is not there, then at the bottom of the window you can select the ICMP Type and Code, then select "add" and that type of ICMP will be added to the list and can be then be enabled or disabled.



==========================================================



The thread is still "work in progress" but have opened the thread for questions.


- Stem

[Sully]

Which takes precedence, ipsec or wfw? Suppose you have wfw rulesets in place for browser, to allow 80,8080,443. Simple. But you have no rule for DNS port 53 on either protocol. Then you have wfw set to block all that are not specified (if that is option, I believe it is).

Here then no DNS, because no rule is made.

Now, I use ipsec to limit my machines to only port 53 traffic to only my 3 DNS servers. As a global rule, ipsec filters this. In XP, you have not advanced fw features like vista. So then, if you have wfw set like I describe above, and you also have ipsec rule in place for this filtering, what happens?

Does the DNS get through because ipsec is at a lower level? Or does wfw block it first? I understand that one could deny a program access to port 53 traffic. I am more interested in global rules that apply without having to explicitly state it in wfw, so that no matter the state of wfw, the global ipsec rule still exists.

I apologize, I normally test these myself, but have not yet, nor will be for a few weeks yet.

Sul.

[Stem]

Quote:

Originally Posted by Sully

Then you have wfw set to block all that are not specified (if that is option, I believe it is).

Yes

Quote:

Originally Posted by Sully

Now, I use ipsec to limit my machines to only port 53 traffic to only my 3 DNS servers. As a global rule, ipsec filters this. In XP, you have not advanced fw features like vista. So then, if you have wfw set like I describe above, and you also have ipsec rule in place for this filtering, what happens?

If I understand correctly?

The IPsec is embedded into the firewall rules, rules need to be set up in the firewall to allow the comms, then IPsec rules are then made to control that rule (there is the option in the firewall rule to enable the "allow only secure connections" which need to be enabled, with the extra option of it needing encryption.


- Stem

[Sully]

Knowledge for now is then in hierarchy

WFW >
IPSec
IPSec w/ IKE/Kerberos/CA

In theory then, having generic DNS rule in WFW to allow all, then passes inspection to IPSec, where custom filters would apply.

Meaning, IPSec is no negated to not using advanced firewall (like XP) or if using advanced firewall, IPSec really is tertiary and probably usage only for secure connections. As now wfw has ability to do what XP did not, so no need for IPSec filters.

Interesting.

Sul.

[Stem]

Hi sul,

This is from the firewall help file:-



This also brings up questions concerning IPsec use in 3rd party firewalls, due to the binding of IPsec with the windows firewall rules. But that would be another thread/topic that would need some interaction with 3rd party firewall Vendors.




- Stem

[fblais]

Great stuff, Stem, but is it specific to Vista?
I see none of this in my XPPro FW setup screens.

Regards,
François

[Trespasser]

Alright! I've been waiting for you to do a write up on this subject. I've been using Advanced Security for quite some time but I'm sure I'll learn something from you.

Thanks for this, Stem.

And now to read it....

[Stem]

Quote:

Originally Posted by fblais

but is it specific to Vista?

Yes, it is the addition in Vista of the outbound control and system hardening.


- Stem

[Stem]

Quote:

Originally Posted by Trespasser

I've been using Advanced Security for quite some time

Please let me know if you see any errors.
I still have to add info, which will be added to the top posts on thread.


- Stem

[fblais]

Quote:

Originally Posted by Stem

Yes, it is the addition in Vista of the outbound control and system hardening.


- Stem

Might be a good idea to edit the thread title and add "Vista".
At least it was not obvious to me to begin with.

Best regards,
François

I would like to use vista firewal with advanced security but, that sure seems like a lot of work for all of your apps and services. I can see myself screwing it up and having a lot of trouble with it and taking a long time to get it straightened out. Has microsoft published a user manual for this? I suppose not by evidence of this thread.

[Stem]

Quote:

Originally Posted by JohnnyDollar

.......but, that sure seems like a lot of work for all of your apps

If you have a lot of applications that require Internet access then yes, it could take a little time to fully set up. But on a policy of block all outbound the first steps could just be to allow those applications full outbound access, then if required, you can go back and place restrictions for Protocol/ port etc. If there is inbound for an application, then there will be a popup as with XP(unless that option is disabled)

Quote:

Originally Posted by JohnnyDollar

and services.

A number of services which users would need for an home LAN setup, such as Discovery, file and printer sharing can be enabled with just a couple of mouse clicks, this is done in the "Network and Sharing center". I will be posting info on that a little later.(adding to top posts)

Quote:

Originally Posted by JohnnyDollar

I can see myself screwing it up and having a lot of trouble with it and taking a long time to get it straightened out.

As you will see above, adding a rule for a specific application is quite straight forward. A starting point is to add a rule for the browser, then block all outbound. Most updaters only require HTTP access, so it would just be a case of creating the same rule as the browser but adding the specific application.

Quote:

Originally Posted by JohnnyDollar

Has microsoft published a user manual for this? I suppose not by evidence of this thread.

There is info about, and the help files in Vista may help. I am just making the thread due to requests. I personally thought users where either simply using the firewall or not interested, not that there was any confusion with understanding, as the first request I had for this was only about a week or so ago.

- Stem

[Sully]

Have you found, is it possible to setup a default ruleset comprising all normal activity you would want system owned threads to use, such as svchost. Also perhaps dns and filesharing services. But then, also use in conjunction the basic firewall interface in vista that is like the xp look. This one is much more basic in nature, a program wants to be a server type thing. Can the advanced features work, then also when locked to deny unless matched, the basic interface can also take over? Hard to explain that I think.

Sul.

Thank you for the replies STEM

[Stem]

Hi Sul,

File sharing / Discovery etc can be activated in the "Network and Sharing Center" I have just added some info post 3

The interface that we see in XP for allowing Inbound is still there, and can still be used to allow unsolicted inbound. I will be adding info for that next.

For svchost, there are current default rules for DHCP/ DNS. You would need to add rules for windows updates which I have shown above. If you require other system rules that you do not know how to set up, then just ask and I will post details.


- Stem

[Stem]

Quote:

Originally Posted by fblais

Might be a good idea to edit the thread title and add "Vista".

Done,


- Stem

[tonyseeking]

Quote:

Originally Posted by Stem

ICMP

As you will see from the Windows Firewall Advanced...

Stem, you are a legend, and a very kind person for investing so much time in writing this for everyone else.

Thank you so very much, it is very much appreciated :-)

I am going to read and study now what you wrote.

[zig]

Thank you Stem this is what I have been looking for. I hope you continue to add to this guide.

[Stem]

Hi Zig, Welcome to Wilders,

Quote:

Originally Posted by zig

Thank you Stem this is what I have been looking for. I hope you continue to add to this guide.

Yes, I will be adding more info. If you find you have questions then just ask, I can then always add info based on the questions.


- Stem

[Rain_Train]

Thanks a lot for typing up this guide, Stem . I do have a question, however (and this is a question open to anybody).

Do you think that the Vista Firewall with Advanced Security is adequate protection for a laptop? I'm concerned because I do connect to public hotspots such as airports and hotels, so will the Vista firewall give solid protection against network-attacks? I apologize in advance if I'm not specific; I don't know much of the firewall & network lingo. Maybe an example will help; would I be as protected with this as if I used a third party firewall (firewall component only, no HIPS)?

[Stem]

Hi,

Quote:

Originally Posted by Rain_Train

Do you think that the Vista Firewall with Advanced Security is adequate protection for a laptop?

On its own, I would say no. I would say (which may be obvious to some) there is a need to add extra protection, such as a real time AV and/or some form of sandbox on the browser.

Quote:

Originally Posted by Rain_Train

I'm concerned because I do connect to public hotspots such as airports and hotels, so will the Vista firewall give solid protection against network-attacks? I apologize in advance if I'm not specific;

Without specifics it is difficult to say. My main concerns have always been with windows services and protocols and stopping anything from actually getting on the PC rather than attempting what could be a futile attempt of stopping it destroying your security after it has taken a foothold. I have put forward a number of times my concerns of the filtering of such protocols as DHCP and ARP, but many simply argue that this protection is not actually needed, now I have never been sure that such argument is based on the fact that attacks/spoofs on these protocols no longer happen (doubtful), or the fact that their own favorite security suite/ setup does not protect against such attacks.
With Vista firewall, there is a lot more than simple packet filtering to consider, as we see the integration of services hardening and base control/limitation of communications within specific locations, also the integration of the firewall with IPsec. So personally, as I have put forward when a user is replacing the XP firewall, considerations need to be made as to if the 3rd party application is adding more security, and as important to me, if that 3rd party application is actually removing any security.

Quote:

Originally Posted by Rain_Train

I don't know much of the firewall & network lingo. Maybe an example will help; would I be as protected with this as if I used a third party firewall (firewall component only, no HIPS)?

As mentioned above concerning integration of the firewall/IPsec/services hardening, then I would have to be personally convinced that their implementation was as good if not better than what was already there for me to replace the current vista firewall and the security it is integrated with, and with a number of 3rd party Vendors, I am not yet convinced, although I do still need to sit down and make many more checks on the various implementations currently made by 3rd party vendors, which are changing quite frequently.

At one time I would go out and plug an XP box into an hot spot and monitor all comms to see exactly what was happening, unfortunately the laptop I have would struggle with vista, so that is not an option with Vista at the moment.

Base line for me. I personally would be looking at adding security, rather than attempting to replace it all.



- Stem