Microsoft Press Windows Vista Administrator's Pocket Consultant ebook

Page 56


  Windows Firewall With Advanced Security extends the features found in Windows Firewall. These extensions allow you to perform the following tasks:

  Create and manage separate firewall profiles for domain networks, private networks, and public networks.

  Configure both inbound and outbound exceptions.

  Use both firewall filtering and IPSec.

  The sections that follow discuss how to manage a computer's firewall configuration using Windows Firewall With Advanced Security.

  Using Windows Firewall With Advanced Security

  You can work with Windows Firewall With Advanced Security, shown in Figure 15-7, in several different ways. You can use:

  Group Policy For Group Policy–based configurations, you can use the policy settings under Computer Configuration/Windows Settings/Security Settings/Windows Firewall With Advanced Security. Computers running Windows XP with Service Pack 2 (SP2) or Windows Server 2003 with Service Pack 1 (SP1) will ignore the Group Policy settings for Windows Firewall With Advanced Security. The advantage of using Group Policy is that the configuration applies to all computers that process the related Group Policy Object (GPO).

  A preconfigured management console The preconfigured tool can be found on the Administrative Tools menu. Click Start, All Programs, Administrative Tools, and then Windows Firewall With Advanced Security. If the Administrative Tools menu isn't accessible, you can access the preconfigured tool by clicking Start and then clicking Control Panel. In Control Panel, click System And Maintenance, Administrative Tools. Then scroll down and click Windows Firewall With Advanced Security. The disadvantage of using the preconfigured tool is that you can only manage firewall settings for the local computer.

  An MMC snap-in You can add the snap-in to any updateable Microsoft Management Console (MMC) by following these steps:

  In an updateable MMC, click File, select Add/Remove Snap-In, and then double-click Windows Firewall With Advanced Security.

  When you are prompted to select a computer to work with, select either Local Computer or Another Computer. If you select Another Computer, type the name or IP address of the computer with which you want to work.

  Click Finish and then click OK.

  The advantage of using the snap-in is that you can use it to configure firewall settings on remote computers without having to use a remote desktop connection.

  Command-line For command-line configuration, you can use the commands in the netsh advfirewall context to configure all basic and advanced firewall settings. This context is not available for computers running Windows XP with SP2 or Windows Server 2003 with SP1.

  Figure 15-7: Use Windows Firewall With Advanced Security to configure advanced firewall settings.

  With Windows Vista, each network category has a different firewall profile. When you select the Windows Firewall With Advanced Security node in the console tree, you'll see an overview of the current state of the firewall for each profile. You'll also find links to information for working with this tool under Getting Started and Resources. The other nodes in the console tree are as follows:

  Inbound Rules Lists the rules for incoming traffic and provides a summary overview of how those rules are configured. Inbound rules either explicitly allow or explicitly block incoming traffic that matches the rule criteria.

  Outbound Rules Lists the rules for outgoing traffic and provides a summary overview of how those rules are configured. Outbound rules either explicitly allow or explicitly block outgoing traffic that matches the rule criteria.

  Connection Security Rules Lists the rules for protected traffic and provides a summary overview of how those rules are configured.

  Monitoring Provides a summary of each firewall profile. By default, the panel for the active (current) profile is expanded and the profile name is modified to include the text "is Active."

  Configuring Windows Firewall With Advanced Security requires much more forethought and planning than configuring the basic firewall. When you configure Windows Firewall With Advanced Security, you'll need to set firewall profile properties, specify any necessary inbound or outbound exceptions, and define any necessary connection security rules. Each of these tasks is discussed in the sections that follow.

  Configuring Firewall Profile Properties

  When working with Windows Firewall With Advanced Security, you can view and manage each firewall profile separately. The Domain Profile is used when the firewall is enabled and the computer is connected to a network with a domain. The Private Profile is used when the firewall is enabled and the computer is connected to a private network. The Public Profile is used when the firewall is enabled and the computer is connected to a public network.

  Each profile has separate settings for the firewall state, blocking or allowing of connections, notification and response behavior, and logging. You can configure profile settings by following these steps:

  In Windows Firewall With Advanced Security, select the Windows Firewall With Advanced Security node.

  Scroll down in the main pane and then click Windows Firewall Properties.

  In the Windows Firewall With Advanced Security On … dialog box, select the profile with which you want to work. (See Figure 15-8.)

  Figure 15-8: Manage the settings for each profile separately.

  To enable the firewall for the profile, select On (Recommended) and then configure the global default setting for inbound and outbound connections. For inbound connections, select Block, Block All, or Allow as appropriate. For outbound connections, select Block or Allow as appropriate.

  Note

  The difference between Block and Block All is important. Use Block to block all programs not specifically listed as allow exceptions. Use Block All to block all programs, including those specifically listed as allow exceptions.

  Behavior settings determine notification on blocking, response types, and rule merging. To configure profile behavior, click Customize on the Settings panel and then use the options provided to configure the desired behavior. If you are working with Group Policy, you'll be able to specify whether local computer rules should be merged with rules set in Group Policy.

  Logging settings determine whether logging is used, which might be necessary for troubleshooting firewall issues. To enable logging, click Customize on the Logging panel and then set Log Dropped Packets to Yes and Log Successful Connections to Yes. The default path for the log file is %SystemRoot%\System32\LogFiles\Firewall\Pfirewall.log. Click OK.

  IP Security (IPSec) settings determine how secure connections are established. The same settings are used for all profiles. To configure IPSec settings, click Customize on the Internet Protocol Security (IPSec) panel; use the options provided to manage integrity, privacy, and authentication settings for IPSec; and then click OK.
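Once logging is enabled as described above, the log itself is the evidence of what the profile's Block default rejected. The following PowerShell script is an added example, not code from the book: it parses the log's W3C-style header and records and summarises dropped inbound traffic per source, using a constructed sample log so that it runs offline; the function names, the 5-port threshold and the sample addresses are assumptions of this example.

```powershell
# Added example (not from the book): read and summarise the Pfirewall.log that the
# Logging panel writes, to spot unsolicited inbound traffic the firewall dropped.
# The sample log below is constructed in the same format as the real file.

function Get-FirewallLogEntries {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            $fields = $Matches[1] -split '\s+'   # column names come from the header
            continue
        }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $entry
    }
}

function Get-DroppedInboundSummary {
    param([object[]]$Entries, [int]$PortThreshold = 5)
    # Unsolicited inbound traffic the firewall rejected: action DROP on path RECEIVE.
    $dropped = $Entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' }
    $dropped | Group-Object 'src-ip' | ForEach-Object {
        $ports = @($_.Group | Select-Object -ExpandProperty 'dst-port' -Unique)
        New-Object PSObject -Property @{
            SourceIP      = $_.Name
            Drops         = $_.Count
            DistinctPorts = $ports.Count
            # One source probing many ports looks like a scan, not a misconfigured client.
            LooksLikeScan = ($ports.Count -ge $PortThreshold)
        }
    } | Sort-Object Drops -Descending
}

# Constructed sample: the log header and a handful of records.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2007-03-01 09:15:02 DROP TCP 192.0.2.10 10.0.0.5 40311 135 48 S 1001 0 8192 - - - RECEIVE
2007-03-01 09:15:02 DROP TCP 192.0.2.10 10.0.0.5 40312 139 48 S 1002 0 8192 - - - RECEIVE
2007-03-01 09:15:03 DROP TCP 192.0.2.10 10.0.0.5 40313 445 48 S 1003 0 8192 - - - RECEIVE
2007-03-01 09:15:03 DROP TCP 192.0.2.10 10.0.0.5 40314 3389 48 S 1004 0 8192 - - - RECEIVE
2007-03-01 09:15:04 DROP TCP 192.0.2.10 10.0.0.5 40315 5900 48 S 1005 0 8192 - - - RECEIVE
2007-03-01 09:15:30 DROP UDP 10.0.0.23 10.0.0.5 137 137 78 - - - - - - - RECEIVE
2007-03-01 09:16:00 DROP ICMP 198.51.100.7 10.0.0.5 - - 60 - - - - 8 0 - RECEIVE
2007-03-01 09:16:10 ALLOW TCP 10.0.0.5 10.0.0.1 49152 445 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

$entries = Get-FirewallLogEntries -Lines $sampleLog
Get-DroppedInboundSummary -Entries $entries |
    Format-Table SourceIP, Drops, DistinctPorts, LooksLikeScan -AutoSize
```

On a computer you administer, replace $sampleLog with Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" from an elevated prompt; the sample's 192.0.2.10 is the only source that trips the scan heuristic.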

  Creating and Managing Inbound Rules

  The default configuration for all firewall profiles is to block all inbound connections to a computer unless there are specific inbound rules that allow incoming connections. You can view currently defined inbound rules by selecting the Inbound Rules node in Windows Firewall With Advanced Security.

  Although many inbound rules are defined by default, only a few are enabled. You can quickly determine which rules are enabled by clicking the Enabled column twice so that the Enabled-Yes rules are listed first. You can create and enable a new inbound rule by following these steps:

  In Windows Firewall With Advanced Security, select the Inbound Rules node.

  Under Actions, click New Rule to start the New Inbound Rule Wizard.

  Follow the prompts to define the inbound rule. Click Finish to close the wizard.

  If you want the inbound rule to be enabled, right-click it and then select Enable Rule.

  You can modify and enable an existing inbound rule by following these steps:

  In Windows Firewall With Advanced Security, select the Inbound Rules node.

  Double-click the inbound rule you want to configure.

  Change settings as necessary using the tabs and options provided.

  If you want the inbound rule to be enabled, right-click it and then select Enable Rule.

  Creating and Managing Outbound Rules

  The default configuration for all firewall profiles is to allow all outbound connections from a computer unless there are specific outbound rules that block outgoing connections. You can view currently defined outbound rules by selecting the Outbound Rules node in Windows Firewall With Advanced Security.

  By default, many outbound rules are defined. However, only a few outbound rules are enabled. You can quickly determine which rules are enabled by clicking the Enabled column twice so that the Enabled-Yes rules are listed first. To create and enable a new outbound rule, follow these steps:

  In Windows Firewall With Advanced Security, select the Outbound Rules node.

  Under Actions, click New Rule to start the New Outbound Rule Wizard.

  Follow the prompts to define the outbound rule. Click Finish to close the wizard.

  If you want the outbound rule to be enabled, right-click it and then select Enable Rule.

  You can modify and enable an existing outbound rule by following these steps:

  In Windows Firewall With Advanced Security, select the Outbound Rules node.

  Double-click the outbound rule you want to configure.

  Change settings as necessary using the tabs and options provided.

  If you want the outbound rule to be enabled, right-click it and then select Enable Rule.

  Creating and Managing Connection Security Rules

  IPSec provides rules for securing IP traffic. Windows Firewall With Advanced Security uses connection security rules to define IPSec policies. No connection security rules are defined by default. You can create a new connection security rule by following these steps:

  In Windows Firewall With Advanced Security, select and then right-click the Connection Security Rules node in the console tree and then click New Rule. This starts the New Connection Security Rule Wizard.

  On the Rule Type page, shown in Figure 15-9, you can specify the type of connection security rule to create and then click Next. The types of rules that can be created are as follows:

  Isolation Isolates the computer by restricting connections based on domain membership or health status. With this type of rule, you must specify whether authentication should occur for incoming or outgoing traffic, whether you want to require or only request secure connections, the authentication method for protected traffic, and a name for the rule. Isolating computers based on their health status uses Network Access Protection (NAP) policy.

  Real World

  NAP is designed to help safeguard the enterprise network from client computers in potentially unhealthy states. NAP uses protection policies configured by enterprise administrators to determine whether a particular local or remote client can connect to the enterprise network. If a client computer running Windows Vista or later isn't deemed "healthy" as defined in the enterprise protection policy, the client computer is either prevented from accessing the network, provided with instructions on how to get updates, or granted limited access to the network.

  Administrators can define NAP policy using the NAP Server Configuration tool and then can use the NAP Client Configuration tool to enforce policy. NAP can be applied to both locally connected and remotely connected computers. The health of a computer is determined by the service packs, updates, and other security configurations currently in place.

  Authentication Exemption Defines an authentication exemption for computers that do not have to authenticate themselves or secure their traffic. With this type of rule, you must specify a name for the rule and the computers to exempt according to their IP addresses.

  Server To Server Designates how authentication should be used for communications between specific computers, typically servers. With this type of rule, you must specify the endpoint IP addresses, when authentication should occur, the authentication method for protected traffic, and a name for the rule.

  Tunnel Creates a secure, tunneled connection between computers. Typically, you'll use this type of rule between two secure gateway computers that send packets over the Internet. You must specify the tunnel endpoints by IP address, the authentication method, and a name for the rule.

  Custom Creates a rule with a custom authentication behavior. Use this option when you want to manually configure a rule. You must specify a name for the rule.

  Figure 15-9: Specify the type of connection security rule to create.

  Once you've configured the rule, click Finish to create and enable the rule.

  You can modify the settings of a rule by right-clicking the name of the rule, clicking Properties, and then using the properties dialog box provided to modify the rule settings as necessary. If you want to disable a rule, right-click the rule and then select Disable Rule.
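The console procedures above (profile properties, inbound and outbound rules, and an Isolation connection security rule) have command-line equivalents in the netsh advfirewall context mentioned earlier. The following is an added example, not the book's own text: it runs the netsh commands from an elevated PowerShell prompt on the local computer, and the rule names, ports, the 10.0.0.0/24 subnet and the Kerberos authentication choice are illustrative assumptions.

```powershell
# Added example (not from the book): netsh advfirewall equivalents of the console
# procedures, run from an elevated PowerShell prompt on the local computer.
# Rule names, ports and the 10.0.0.0/24 subnet are illustrative placeholders.

# --- Profile properties (Windows Firewall Properties dialog) ---
netsh advfirewall set allprofiles state on

# Default actions. "Block" is blockinbound; "Block All" is blockinboundalways,
# which also ignores allow exceptions. Values are quoted so PowerShell does not
# split the comma-separated pair into two arguments.
netsh advfirewall set domainprofile  firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set privateprofile firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set publicprofile  firewallpolicy "blockinboundalways,allowoutbound"

# Logging panel: log dropped packets and successful connections at the default path.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# --- Inbound rule (New Inbound Rule Wizard) ---
# Allow Remote Desktop on the Domain profile only, and only from one subnet.
netsh advfirewall firewall add rule name="Example Allow RDP domain" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.0.0/24 profile=domain enable=yes

# --- Outbound rule (New Outbound Rule Wizard) ---
# Block outbound SMB on Public networks. Created disabled, then enabled,
# which is what Enable Rule does in the console.
netsh advfirewall firewall add rule name="Example Block outbound SMB public" dir=out action=block protocol=TCP remoteport=445 profile=public enable=no
netsh advfirewall firewall set rule name="Example Block outbound SMB public" new enable=yes

# --- Connection security rule (Isolation type) ---
# Require authentication for inbound traffic and request it for outbound,
# using Kerberos computer authentication, the same choices the wizard asks for.
netsh advfirewall consec add rule name="Example Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb

# --- Verify what was applied ---
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Example Allow RDP domain"
netsh advfirewall consec show rule name="Example Domain isolation"
```

Windows XP SP2 and Windows Server 2003 SP1 lack the advfirewall context, as the text notes, so these commands apply only to Windows Vista and later.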

  Managing Windows Defender

  Windows Defender is the anti-spyware program included with Windows Vista. It protects a computer from harmful and unwanted software in real time by stopping malicious programs from installing themselves and by detecting and blocking the activities of any malicious programs that might have slipped by its defenses. Windows Defender detects spyware programs according to:

  How they try to install themselves

  How they try to manipulate a computer's files and settings

  The types of data they create, record, or send

  Collectively, these characteristics are referred to as a spyware program's signature. Like antivirus software, Windows Defender maintains definition files with information on spyware signatures. To protect the computer from an ever-evolving array of spyware, Windows Defender must be updated periodically to the newest definition files regarding spyware signatures. Windows Defender includes an automatic update feature that checks for updates periodically. You can manually check for updates as well. As discussed in Chapter 5, a key component of Windows Defender is Software Explorer, which can be used to terminate a program, block incoming connections to a program, and disable or remove a program. Windows Defender uses Software Explorer to help detect the activities of malicious programs.

  Working with Windows Defender

  You can open Windows Defender by clicking the Windows Defender link in Windows Security Center. If Windows Defender is turned off, you'll need to turn it on, when prompted, by clicking Enable Now To Turn On Windows Defender and then clicking OK. As shown in Figure 15-10, the Windows Defender home page provides an overview of the current status. You'll see a normal status if Windows Defender's definitions are up-to-date and no known unwanted or harmful software is installed on the computer. You'll see a warning status if Windows Defender's definitions are out of date or known unwanted or harmful software is installed on the computer. You can then retrieve updates over the Internet from the Microsoft Web site and install them automatically by clicking the Check Now button provided as part of the warning.

  Figure 15-10: Use Windows Defender to protect a computer from spyware.

  When working with Windows Defender, you can use the Status area in the lower portion of the home page to determine the general status according to the following information:

  Last Scan The date and time of the last scan as well as the type of scan that was performed

  Scan Schedule The schedule for automatic scans, such as Daily at 2:00 A.M.

  Real-Time Protection The status of real-time protection, as either On or Off

  Spyware Signatures The version, time, and date of the most recent definitions file

  The general settings of Windows Defender enable you to choose how you want the program to run. You can configure general settings by following these steps:

  In Windows Defender, click Tools and then click Options.

  On the Options page, the following options panels are provided to configure the way Windows Defender works:

  Automatic Scanning Used to set automatic scanning and automatic updating options. For automatic scanning, select Automatically Scan My Computer (Recommended) and then set the scan frequency, time of day, and type of scan. To have Windows Defender check for updates before scanning, select Check For Updated Definitions Before Scanning. To apply default actions to detected or suspected spyware programs, select Apply Default Actions To Items Detected During A Scan.

  Default Actions Used to set the default action to take based on the alert level of a detected or suspected spyware program. Spyware with a high alert level is considered the most dangerous and has the highest probability of doing damage to a computer. The default action is to apply the recommended action according to the current definition file, which is either to ignore the program or to remove it. If you don't want to use Definition Recommended Action, you can specifically designate that programs should be ignored or removed.

  Real-Time Protection Used to turn on and configure real-time protection. Real-time protection uses individual security agents to determine which areas of the operating system and which components receive real-time protection. Each of these security agents can be enabled or disabled using the check boxes provided. If you want to receive alerts related to real-time protection, you can enable the notification options provided.

  Advanced Options Used to configure advanced techniques for detecting spyware. These options allow you to scan inside archives and use rule-based (heuristic) detection. Enabling these options is particularly important for detecting new spyware, hidden spyware, and software performing possibly malicious actions.

  Administrator Options Used to specify whether Windows Defender is turned on or off, and to specify whether normal users can perform scans and choose actions to apply to potentially unwanted software. If you want to enable Windows Defender, Use Windows Defender must be selected. By default, users who do not have administrator rights can perform scans and specify actions to apply to potentially unwanted software. This is the recommended configuration.

  Click Save to save any changes you've made to the configuration.

  Scanning the Computer for Spyware

  To enhance a computer's security, Windows Defender can and should be used in both real-time protection mode and automatic scan mode. If the computer isn't on when the automated scan should have run, or you suspect spyware installed itself on the computer, you can scan the computer manually using a quick scan, a full scan, or a custom scan:
