The built-in Windows Firewall with Advanced Security gives you a strong rule-based security mechanism. It is designed to operate on the deny-before-allow principle, as all good security software should. Using it, you can block or allow traffic to your servers by IP address, port and program, and base the decision on the originating system as well.
Often, when there is a need for more security than just opening or closing a couple of ports on a computer, people spend a lot of money on third-party firewall software or hardware without realizing how much capability is already built into the operating system. True, it may not serve very complicated needs, but it can serve many typical ones. Let’s see how.
Installing and Enabling the Windows Firewall with Advanced Security
Windows Firewall with Advanced Security is a critical security component of the Windows operating system and is tightly integrated into it. For this reason, it is installed and enabled by default. Out of the box, it comes with several pre-written rules that block most incoming traffic to the system. There is therefore nothing to install or enable, just settings to tighten.
New Rules Get Installed with Software
When you install software that uses networking features (say Microsoft SQL Server, or even IIS), it may automatically create new firewall rules and open new ports on your system. The prompt asking whether you want to allow or deny some software from opening a firewall port is exactly this happening. You should be aware of what these programs are and what they are doing.
Note: Firewall ports typically need to be opened only for incoming traffic (when something outside your computer wants to communicate with something inside it). Very rarely would you create rules for outgoing traffic; in fact, you may create rules to prevent outgoing traffic. You should review any rules that are set to Allow traffic (inbound or outbound) and decide whether each is really required.
Launch the Windows Firewall with Advanced Security
You can launch it from the Administrative Tools folder of your Start Menu or from Control Panel. You can also open the Windows Firewall settings from the Network and Sharing window and then click “Advanced settings”. You need to be an Administrator user to make changes.
Currently Applied Policies
Once you have opened the window, expand the “Monitoring” item and look in “Firewall” for the list of currently applied policies. Regardless of any other policies defined on the system, these are the firewall rules that are currently active and affecting traffic to your system. The icon in the left-most column (a check mark or a blocked icon) indicates whether the rule is an Allow or a Deny rule; the same is written in text under the “Action” column.
Creating a Firewall Rule
Let’s understand firewall rules by creating a simple one: a rule that blocks all outgoing traffic on port 80 (the port your web browser uses to browse the Internet, and the port you need if you are reading this web page). Once you do this, you will lose Internet connectivity for a while (until you disable or delete the rule), so tread carefully. We choose port 80 because it is one port where you can instantly see the effect of your change. To test it, all you need to do is fire up the installed web browser and go to your favorite website.
- In the tree view pane on the left, right-click “Outbound Rules” and select “New Rule”. A wizard will pop up that lets you select the common options. After creating the rule with the wizard, you can open it and set up more advanced settings.
- On the first screen, select “port” since we are going to restrict traffic by a specific port number and are not really worried about the program behind it. Click Next.
- Since web traffic happens over TCP and on a specific remote port (80), select TCP and “Specific remote ports”. Type 80 (without quotes) in the text box. Click Next.
- Select “Block the connection” on the next screen and click Next again.
- You will get a set of check boxes reading Domain, Public and Private. Ensure all of them are checked and click Next.
- You will be prompted for a name. Enter “Block all Outgoing Port 80 Traffic” and click Finish.
Now fire up your web browser (or use an existing window, but not this window or tab, otherwise you will not be able to undo your action!) and go to any website on the Internet that normally works for you on this computer. The browser will spin for a while and report that it cannot resolve the DNS name (or, if you have an internal DNS server that is able to resolve it, that it cannot find the site).
To undo your change, simply right-click on the rule you created and select Disable Rule. You can find the rule either under Monitoring > Firewall pane or under Outbound Rules.
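The same rule, built from PowerShell instead of the wizard, as an added example that is not part of the original article. It creates the outbound block for TCP remote port 80 on all three profiles, shows what the rule matches on, tests the effect with Test-NetConnection, and then disables the rule again just as the undo step above does. Run it from an elevated PowerShell; the test host (example.com) is an assumption you can swap for any site you normally reach.

```powershell
# Added example, not the article's own code. Requires an elevated prompt
# (the NetSecurity cmdlets ship with Windows 8 / Server 2012 and later).

$ruleName = 'Block all Outgoing Port 80 Traffic'   # same name as in the article
$testHost = 'example.com'                          # assumption: any reachable web site

# Wizard steps in one call: outbound, TCP, remote port 80, action Block,
# applied to the Domain, Private and Public profiles.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Protocol TCP -RemotePort 80 `
    -Action Block -Profile Domain,Private,Public | Out-Null

# Confirm the rule is active and see exactly what it matches on.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort, RemotePort

# Test: a TCP connect to port 80 should now fail (TcpTestSucceeded = False).
# Name resolution (UDP 53) is untouched by this rule; only the TCP
# connection to port 80 is blocked.
Test-NetConnection -ComputerName $testHost -Port 80 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Undo, exactly as in the GUI: disable the rule (it stays defined for later use)
Disable-NetFirewallRule -DisplayName $ruleName
Test-NetConnection -ComputerName $testHost -Port 80 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# ... or remove it entirely once you are done experimenting.
# Remove-NetFirewallRule -DisplayName $ruleName
```

Running the Test-NetConnection line before and after the Disable-NetFirewallRule call gives you a repeatable check that does not depend on which error page a particular browser shows.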
Restricting Traffic by Program
This is a very powerful feature of the software. When you do this, the inbound or outbound traffic is allowed or denied only for the specified program; all other programs on your computer are unaffected. For instance, in the example above, if you denied port 80 traffic only to the Internet Explorer browser, you would still be able to use any other web browser or application (say Mozilla or Google Chrome) to browse the Internet. As another example, with the Block Outgoing Port 80 rule above in place, if you create an Allow rule for the same port 80 for only one particular program, that one program will be allowed outgoing port 80 traffic, but everything else will be denied.
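The program-scoped variant, as an added example that is not part of the original article: it builds the “deny port 80 only to Internet Explorer” rule with the -Program parameter of New-NetFirewallRule, then lists every enabled outbound rule that is tied to a specific executable so you can see which rules are program-scoped and which apply to every process. The iexplore.exe path is the default install location and is an assumption. One caveat for the second scenario in the paragraph: Windows evaluates explicit Block rules ahead of Allow rules, so a per-program Allow rule only takes effect when the other traffic is being denied by the profile’s default outbound action, not by an explicit Block rule for the same port.

```powershell
# Added example, not the article's own code. Run from an elevated prompt.

$programRule = 'Block Outgoing Port 80 for Internet Explorer only'
$iePath      = 'C:\Program Files\Internet Explorer\iexplore.exe'   # assumption: default path

# Same port/direction as the earlier rule, but limited to one executable.
New-NetFirewallRule -DisplayName $programRule `
    -Direction Outbound -Protocol TCP -RemotePort 80 `
    -Program $iePath -Action Block -Profile Any | Out-Null

# Show the application filter that restricts the rule to that program.
Get-NetFirewallRule -DisplayName $programRule |
    Get-NetFirewallApplicationFilter |
    Select-Object Program

# Review: which enabled outbound rules are scoped to a program at all?
# A Program value of 'Any' means the rule applies to every process.
Get-NetFirewallRule -Direction Outbound -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name    = $_.DisplayName
            Action  = $_.Action
            Program = $app.Program
        }
    } |
    Where-Object { $_.Program -ne 'Any' } |
    Sort-Object Name |
    Format-Table -AutoSize

# Clean up when finished.
Disable-NetFirewallRule -DisplayName $programRule
```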
Firewall Rule Groups
There is no way to create a Firewall Rule Group from the GUI, but you can see that other programs that installed rules did so by creating a rule group. You can create your own rule groups using advanced commands in either the NETSH shell or PowerShell. Both of these are beyond the scope of this particular article — do search to check whether we have covered it in a later article.
Enable/Disable Rules
You can enable or disable a rule by opening it (double-click), checking or unchecking the “Enabled” check box and clicking Apply. The change is effective immediately. If you have more than one rule to change, select all of them in the view pane, right-click the selection and select “Disable Rule”. Also, sort your rules on the “Enabled” column to manage them better. For instance, if you want to disable all WMI inbound ports on your system, simply sort your view so that they appear together, select the bunch of them and disable.
Tip: When an ALLOW rule is disabled, traffic will be denied. When a DENY rule is disabled, traffic will be allowed. This is because you created the rule to perform the opposite!
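The review-and-bulk-disable workflow from the two sections above, as an added example that is not part of the original article. It lists what is currently in force (the equivalent of the Monitoring > Firewall view), disables every enabled inbound rule in the WMI group, verifies the result, and then shows the profile default actions that take over once a matching rule is gone, which is the reason behind the tip. The WMI group is matched with a wildcard on DisplayGroup because the exact display name varies between Windows versions (assumption); the same pattern works for any other group name.

```powershell
# Added example, not the article's own code. Run from an elevated prompt.

# 1. What is actually enforced right now, grouped the way the GUI groups it.
Get-NetFirewallRule -Enabled True |
    Sort-Object Direction, DisplayGroup, DisplayName |
    Select-Object DisplayName, DisplayGroup, Direction, Action, Profile |
    Format-Table -AutoSize

# 2. Bulk-disable: every enabled inbound rule whose group mentions WMI.
$wmiInbound = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -like '*WMI*' }

$wmiInbound | Select-Object DisplayName, Action, Profile
$wmiInbound | Disable-NetFirewallRule

# Verify: no WMI-related inbound rule should remain enabled.
$remaining = Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -like '*WMI*' }
"WMI inbound rules still enabled: $(@($remaining).Count)"

# 3. Why disabling an Allow rule denies traffic: with no rule left to match,
# the profile's default action applies. 'NotConfigured' here means the
# built-in default, which is Block for inbound and Allow for outbound.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# To put the WMI rules back later:
# $wmiInbound | Enable-NetFirewallRule
```

Keeping the disabled rules in the `$wmiInbound` variable (or exporting their names to a file) is what makes the change reversible; disabling by hand in the GUI leaves no such record.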
Rules by Network Profile
There are three types of network profile: Domain, Public and Private. The Domain profile is applied when the computer detects that you have logged onto an Active Directory domain network. For the other two, network detection is based on whether you are connected to the Internet and on the choice you make in the prompt (GUI) when you connect the computer to any network for the first time. If you are never going to connect to a domain network, then all the Domain profile rules in your firewall are completely useless and can be disabled or deleted.
Core Networking Rules
Typically, you should not have to play with the Core Networking group rules. Only change these rules if you have reason to allow or block these ports and traffic differently.
Network Scope (IP address selection)
On the Scope tab of a rule’s properties, you can select which local and remote IP addresses participate in the rule. Similarly, you can make the rule apply to only some of the network adapters on the computer by selecting the particular adapter types under Advanced > Interface Types (click the Customize button).
For instance, if you have a system that you want to be able to remote-desktop into only from a particular IP address, and only via a particular one of the IP addresses available on the computer, you can use this to tighten the configuration. Let us assume the server IP address on which you want to allow the RDP connection is 192.168.0.55 and the remote IP address is 192.181.100.55. You would click the “These IP addresses” option in the Local IP addresses area, click the Add button and enter the local server IP address (192.168.0.55). Then you would click “These IP addresses” in the Remote IP addresses area, click Add and enter the remote machine’s IP (192.181.100.55). Of course, for this rule to take hold you will need to ensure that there are no other rules or settings elsewhere in the firewall that allow RDP connections with “Any” settings.
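The scoped RDP rule from the paragraph above, as an added example that is not part of the original article, using the same two addresses (local 192.168.0.55, remote 192.181.100.55), followed by the check the last sentence asks for: a function that lists every other enabled inbound Allow rule covering the same port and shows whether its remote-address scope is still “Any”. RDP listens on TCP 3389; the rule name and the choice of Domain and Private profiles are assumptions.

```powershell
# Added example, not the article's own code. Run from an elevated prompt.

$localIP  = '192.168.0.55'     # server address the rule listens on (from the article)
$remoteIP = '192.181.100.55'   # only this remote address may connect (from the article)
$rdpPort  = '3389'             # Remote Desktop (TCP)

New-NetFirewallRule -DisplayName 'RDP from management host only' `
    -Direction Inbound -Protocol TCP -LocalPort $rdpPort `
    -LocalAddress $localIP -RemoteAddress $remoteIP `
    -Action Allow -Profile Domain,Private | Out-Null

# Audit helper: every enabled inbound Allow rule that covers the given port,
# with the address scope each one actually applies. Anything listed with
# RemoteAddress 'Any' widens access beyond the rule just created.
# (Port ranges such as '3000-4000' are shown but not expanded.)
function Get-WideOpenRules {
    param([string]$Port)
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $pf    = $_ | Get-NetFirewallPortFilter
            $af    = $_ | Get-NetFirewallAddressFilter
            $ports = @($pf.LocalPort)          # 'Any', one port, or an array
            if ($ports -contains $Port -or $ports -contains 'Any') {
                [pscustomobject]@{
                    Name          = $_.DisplayName
                    Profile       = $_.Profile
                    Protocol      = $pf.Protocol
                    LocalPort     = ($pf.LocalPort -join ',')
                    LocalAddress  = ($af.LocalAddress -join ',')
                    RemoteAddress = ($af.RemoteAddress -join ',')
                }
            }
        }
}

$open = Get-WideOpenRules -Port $rdpPort
$open | Format-Table -AutoSize

# Flag the rules that undo the tightening: same port, any remote address.
$open | Where-Object { $_.RemoteAddress -eq 'Any' } |
    ForEach-Object { "Review: '$($_.Name)' allows port $($_.LocalPort) from any remote address" }
```

On a system where Remote Desktop was enabled through the System Properties dialog, the built-in “Remote Desktop” group rules will show up in this list with a remote scope of Any; those are the rules the paragraph tells you to find and narrow or disable.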
Secure Connection Rules
It is possible to require that a connection be secured even before it is attempted. To do this, check the “Allow the connection if it is secure” option on the General tab and use the Customize button to select one of the options. Note that if you select an option that requires authentication, both systems (the server you are configuring and the system from which you will connect) need to be part of the same Active Directory domain, since this requires the two computers to verify each other through Active Directory. Once you enable connection security, you can use the “Authorized Computers” tab to allow connections only from specific computers; note that this accepts only computer names, not IP addresses. You can also use the “Local Principals” tab to specify particular users on the local system (“connect to”) who would be able to connect. For the principals, you can select a user from the local system or your Active Directory, or an application principal (application principals are a topic in themselves, which we will cover in a future dedicated article). The Remote Users tab is similar to Local Principals, except that it specifies the users and principals on the remote system (“connect from”) who can connect. You cannot specify application principals on the Remote Users tab, since the local system cannot authenticate remote principals.
IMPORTANT: It is vital that you set up and check Secure Connection rules using user accounts and system IP addresses of someone other than yourself before you apply them. Otherwise, you will lock yourself out of the server with no way to get back in and rectify it!
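The “allow the connection if it is secure” rule from the section above, as an added example that is not part of the original article. It restricts inbound RDP to one remote computer account and one user account, and it follows the warning above by creating the rule disabled so the security filter can be reviewed, and the access tested by someone else, before it is switched on. The domain, host and user names are assumptions. Two points the paragraph implies but does not spell out: the cmdlet stores authorized computers and users as SDDL strings built from their SIDs rather than as names, and a rule with Authentication Required only admits connections that a matching IPsec connection security rule on both machines has already authenticated.

```powershell
# Added example, not the article's own code. Run from an elevated prompt
# on a domain-joined server.

$domain    = 'CORP'            # assumption
$adminHost = 'MGMT01$'         # assumption: computer account of the machine you connect from
$adminUser = 'CORP\fw-admin'   # assumption: account that will be allowed to connect

# The rule stores principals as SIDs inside an SDDL string, not as names.
function Get-Sid([string]$Account) {
    ([System.Security.Principal.NTAccount]$Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
$hostSid = Get-Sid "$domain\$adminHost"
$userSid = Get-Sid $adminUser

# "O:LSD:(A;;CC;;;<SID>)" grants the listed SID the right to connect.
$remoteMachineSddl = "O:LSD:(A;;CC;;;$hostSid)"
$remoteUserSddl    = "O:LSD:(A;;CC;;;$userSid)"

# Created disabled on purpose: review and test first, enable last.
New-NetFirewallRule -DisplayName 'RDP - authenticated admins only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -Action Allow -Authentication Required `
    -RemoteMachine $remoteMachineSddl -RemoteUser $remoteUserSddl `
    -Profile Domain -Enabled False | Out-Null

# Review before enabling: what the rule requires and whom it admits.
$rule = Get-NetFirewallRule -DisplayName 'RDP - authenticated admins only'
$rule | Select-Object DisplayName, Enabled, Action, Profile
$rule | Get-NetFirewallSecurityFilter |
    Select-Object Authentication, Encryption, RemoteMachine, RemoteUser

# Enable only after the host and user above (someone other than you) have
# confirmed they can still connect with the rule in place:
# $rule | Enable-NetFirewallRule
```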
Typical Ports That You Need to Block
This really depends on where your server sits and what is in front of it controlling traffic to it. If you have a really good firewall, NAT or router system that already routes only specific traffic to your system, you can afford to leave all your ports open; a single Allow Everything rule is enough. However, if your system is exposed to the Internet or is part of the edge network of your network, then you need to ensure the right rules are in place. The Windows GUI provides really powerful check boxes on its Network Connections and Sharing > Windows Firewall screen that behind the scenes work with a whole bunch of sub-rules. For instance, just turning on “Enable File and Print Sharing” on your Network Connections and Sharing screen can open up all kinds of ports and protocols you may not want open. After any such front-end action, which is all too easy, do go into the Advanced Settings application and fine-tune the access.
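A way to see what such a front-end check box actually opened, and to tighten it without switching the feature off, as an added example that is not part of the original article. It lists every enabled inbound rule in the built-in “File and Printer Sharing” group with the protocol and port each one opens, disables the ones that apply to the Public profile, and limits what remains to the local subnet. Substitute any other DisplayGroup name to audit a different feature.

```powershell
# Added example, not the article's own code. Run from an elevated prompt.

$group = 'File and Printer Sharing'   # built-in DisplayGroup name

# Every enabled inbound rule in the group and the port/protocol it opens.
# InstanceID is the rule's internal Name, which ties each filter to its rule.
Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize

# Tightening step 1: never offer file sharing on the Public profile.
# A rule that spans both Private and Public is disabled as a whole; re-create
# it for Private alone if that profile still needs it.
Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True |
    Where-Object { "$($_.Profile)" -match 'Public' } |
    Disable-NetFirewallRule

# Tightening step 2: whatever stays enabled accepts connections only from
# the local subnet instead of from any address.
Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True |
    Set-NetFirewallRule -RemoteAddress LocalSubnet

# Confirm the resulting scope of each remaining rule.
Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object InstanceID, RemoteAddress |
    Format-Table -AutoSize
```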