Windows 7 Resource Kit- P27 - Pdf 68

Understanding Windows Firewall with Advanced Security CHAPTER 26
attempts. For example, a back-end database server might be configured to accept only authenticated connections from a front-end Web application server. For more information on how server isolation works and how to implement it, see the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at /en-us/library/cc732400.aspx, which walks through a basic server isolation scenario.
• Domain isolation Domain isolation involves configuring connection security rules on both clients and servers so that domain members accept only authenticated (and optionally, encrypted) connection attempts from other domain members. By default, connection attempts from non-domain members are not accepted, but you can configure exception rules that allow unauthenticated connections from specific non-domain members. For more information on how domain isolation works and how to implement it, see the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies, which walks through a basic domain isolation scenario.
• Network Access Protection Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that enforces health requirements by monitoring and assessing the health of client computers when they try to connect or communicate on a network. Client computers that are found to be out of compliance with the health policy can then be provided with restricted network access until their configuration has been updated and brought into compliance with policy. Windows Firewall with Advanced Security can be used as part of a NAP implementation by creating connection security rules that require computer certificates for authentication. Specifically, client computers that are determined to be in compliance with health policy are provisioned with the computer certificate

uses the Allow The Connection If It Is Secure action. This enables the Users and
Computers tabs, where you can identify the user and computer accounts that are
authorized to connect to the isolated server. No further configuration on the client
computers is required; the user and computer credentials used for authentication
for Domain Isolation are also used for the authorization on the isolated server.
Server Isolation is an important defense-in-depth layer that helps to protect your
sensitive servers, such as Payroll, Personnel, and other servers that must be carefully
guarded.
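The server isolation configuration described above can be scripted with netsh advfirewall, which is what the snap-in writes on your behalf. The following PowerShell script is an added example and is not from the Resource Kit; the domain name CONTOSO, the group Payroll Servers, the rule names and TCP port 1433 are assumptions chosen for illustration. It creates the domain isolation connection security rule (require inbound authentication, request outbound) and then an inbound firewall rule on the isolated server that uses the Allow The Connection If It Is Secure action and is limited to members of one domain computer group, which netsh takes as an SDDL string.

```powershell
# Added example (not from the Resource Kit). Run from an elevated PowerShell
# prompt on a Windows 7 / Server 2008 R2 domain member. All names below are
# assumptions for illustration: change domain, group, rule names and port.
$domain        = 'CONTOSO'                 # assumed NetBIOS domain name
$allowedGroup  = 'Payroll Servers'         # assumed domain group of authorized computers
$isolationRule = 'Domain Isolation (Require In, Request Out)'
$serverRule    = 'Payroll SQL (Isolated, Authenticated)'
$servicePort   = 1433                      # assumed port of the isolated service

# Resolve the domain group to its SID and wrap it in the SDDL form netsh
# expects for rmtcomputergrp: one ACE granting CC (connect) to that SID.
function Get-ComputerGroupSddl([string]$Domain, [string]$Group) {
    $account = New-Object System.Security.Principal.NTAccount($Domain, $Group)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}

# 1. Isolation rule: every inbound connection must be authenticated with
#    Kerberos computer credentials; outbound authentication is only requested,
#    so the machine can still reach hosts that do not use IPsec.
& netsh advfirewall consec add rule "name=$isolationRule" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain

# 2. Server isolation: the firewall rule admits the port only over an
#    authenticated connection (security=authenticate) and only when the
#    remote computer is a member of the authorized group (rmtcomputergrp).
$sddl = Get-ComputerGroupSddl $domain $allowedGroup
& netsh advfirewall firewall add rule "name=$serverRule" dir=in action=allow `
    protocol=TCP "localport=$servicePort" security=authenticate `
    "rmtcomputergrp=$sddl" profile=domain

# 3. Read back what was written; the verbose rule listing shows the
#    Security setting and the remote computer group SDDL.
& netsh advfirewall consec show rule "name=$isolationRule"
& netsh advfirewall firewall show rule "name=$serverRule" verbose
```

The user and computer credentials that the isolation rule negotiates are the same ones the firewall rule authorizes against, so nothing extra is configured on the clients; only the group membership of the connecting computer decides whether the port opens.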
TYPES OF CONNECTION SECURITY RULES
Depending on the scenario you want to implement or the business need you are trying to
meet, different types of connection security rules may be needed for your environment.
Windows Firewall with Advanced Security allows you to create the following types of
connection security rules:
• Isolation rules These rules are used to isolate computers by restricting inbound connections based on credentials such as domain membership. Isolation rules are typically used when implementing a server or domain isolation strategy for your network.
• Authentication exemption rules These rules are used to identify computers that do not require authentication when attempting to connect to a domain member when implementing a domain isolation strategy.
• Server-to-server rules These rules are used to protect communications between specific computers. This is basically the same as an isolation rule except that you can specify the endpoints.
• Tunnel rules These rules are used to protect communications between gateways on

(Table of supported key exchange algorithms, continued)

KEY EXCHANGE ALGORITHM                  NOTES
--------------------------------------  ------------------------------------------------------------
(row continued)                         Compatible only with Windows Vista and later versions.
Elliptic Curve Diffie-Hellman P-384     Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions.
TABLE 26-3 Supported Data Integrity Algorithms for IPsec Communications in Windows 7

DATA INTEGRITY ALGORITHM                          NOTES
------------------------------------------------  ------------------------------------------------------------
Message-Digest algorithm 5 (MD5)                  Not recommended. Provided for backward compatibility only.
Secure Hash Algorithm 1 (SHA-1)                   Stronger than MD5 but uses more resources.
SHA 256-bit (SHA-256)                             Main mode only. Supported on Windows Vista SP1 and later versions.
SHA-384                                           Main mode only. Supported on Windows Vista SP1 and later versions.
Advanced Encryption Standard-Galois Message       Quick mode only. Supported on Windows Vista SP1 and later versions.
Authentication Code 128 bit (AES-GMAC 128)        Equivalent to AES-GCM 128 for integrity.
AES-GMAC 192                                      Quick mode only. Supported on Windows Vista SP1 and later

(Table of supported data encryption algorithms, continued)

DATA ENCRYPTION ALGORITHM   NOTES
--------------------------  ------------------------------------------------------------
(row continued)             Supported on Windows Vista and later versions.
AES-CBC 192                 Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions.
AES-CBC 256                 Strongest security. Highest resource usage. Supported on Windows Vista and later versions.
AES-GCM 128                 Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 192                 Quick mode only. Medium resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 256                 Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
TABLE 26-5 Supported First Authentication Methods for IPsec Communications in Windows 7

FIRST AUTHENTICATION METHOD   NOTES
----------------------------  ------------------------------------------------------------
Computer (Kerberos V5)        Compatible with Microsoft Windows 2000 or later versions.

(row continued)               addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
SECOND AUTHENTICATION METHOD   NOTES
-----------------------------  ------------------------------------------------------------
Computer health certificate    The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
DEFAULT IPSEC SETTINGS FOR CONNECTION SECURITY RULES
The default IPsec settings for Windows Firewall with Advanced Security are as follows:
• Default key exchange settings (main mode):
    Key exchange algorithm: DH Group 2
    Data integrity algorithm: SHA-1
    Primary data encryption algorithm: AES-CBC 128
    Secondary data encryption algorithm: 3DES

By default, these settings are used when creating new connection security rules unless
you select different settings when using the New Connection Security Rule Wizard. For more
information, see the section titled “Creating and Configuring Connection Security Rules” later
in this chapter.
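The defaults listed above (DH Group 2, a 1024-bit MODP group; SHA-1; 3DES as the fallback cipher) are what every new rule inherits unless you change them, and none of them is what a practitioner would choose today. The following PowerShell script is an added example, not part of the Resource Kit, showing how the netsh advfirewall context raises the bar: main mode is a global, netsh-only setting, while quick mode proposals are set per connection security rule. The rule name is an assumption, and the qmsecmethods syntax is as given by netsh advfirewall consec set rule ? and should be confirmed on your build.

```powershell
# Added example (not from the Resource Kit). Elevated prompt required.
# Replaces the weak defaults listed above (DH Group 2, SHA-1, 3DES fallback)
# with stronger proposals. Peers must support the same algorithms, which the
# tables above restrict to Windows Vista SP1 and later.

# Main mode is global (not per rule) and configurable only through netsh.
# First proposal: ECDH P-384 with AES-256 and SHA-384; second: ECDH P-256
# with AES-256 and SHA-256. Lifetime 480 minutes, 0 sessions (no session limit).
& netsh advfirewall set global mainmode `
    mmsecmethods=ecdhp384:aes256-sha384,ecdhp256:aes256-sha256 `
    mmkeylifetime=480min,0sess

# Quick mode is set per connection security rule. AES-GCM must be named for
# both integrity and encryption with the same key size (see the encryption
# table above). The rule name is an assumption; 'new' introduces the fields
# being changed.
$rule = 'Domain Isolation (Require In, Request Out)'   # assumed existing rule
& netsh advfirewall consec set rule "name=$rule" new `
    qmsecmethods=esp:aesgcm256-aesgcm256+60min+100000kb

# Read back the effective settings.
& netsh advfirewall show global
& netsh advfirewall consec show rule "name=$rule" verbose
```

Because main mode proposals are negotiated in the order listed, keep the strongest first and remove anything you are no longer willing to accept; a peer that only offers DH Group 2 and SHA-1 will then fail to negotiate, which is the point.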
Windows Firewall and Windows PE
Beginning with Windows 7 and Windows Server 2008 R2, you can now configure IPsec in Windows Preinstallation Environment (Windows PE) for added security during desktop and server deployment. While Windows PE 3.0 now supports IPsec by default, the computer you want to connect to may require additional configuration to allow a connection. The default IPsec settings for Windows PE 3.0 are as follows:
• MM Security Offer: AES128-SHA1-ECDHP256, where MM is main mode.
• MM Authentication Method: Anonymous
• QM Policy: 3DES-SHA1; AES128-SHA1, where QM is quick mode.
• QM Authentication Method: NTLMv2
Understanding Default Rules
Default rules specify the default behavior of Windows Firewall with Advanced Security when
traffic does not match any other type of rule. Default rules can be configured on a per-profile
basis. The possible default rules for inbound traffic are:
• Block (the default for all profiles)
• Block all connections

3. Authenticated bypass rules
4. Block rules
5. Allow rules
6. Default rules
When a packet is being examined by Windows Firewall with Advanced Security, the packet
is compared to each of these types of rules in the order they are listed. If the packet matches
a particular rule, that rule is applied, and rule processing stops. In addition, if two rules in the
same group match, then the rule that is more specific (that is, has more matching criteria)
is the one that is applied. For example, if rule A matches traffic to 192.168.0.1 and rule B
matches traffic to 192.168.0.1 TCP port 80, then traffic to port 80 on that server matches rule
B, and its action is the one taken.
By default, the rule processing described previously includes both local rules (firewall and/
or connection security rules configured by the local administrator of the computer) and rules
applied to the computer by Group Policy. If more than one Group Policy object (GPO) applies
to a particular computer, the default rules come from the GPO with the highest precedence.
Merging of local rules can be enabled or disabled using Group Policy. For more information,
see the section titled “Considerations When Managing Windows Firewall Using Group Policy”
later in this chapter.
Managing Windows Firewall with Advanced Security
Windows 7 and Windows Server 2008 R2 include tools for configuring and managing
Windows Firewall with Advanced Security in both stand-alone and domain environments.
These tools can be used to perform common tasks such as creating firewall rules to block
or allow traffic, creating connection security rules to protect network traffic using IPsec,

ticular firewall profile (see Figure 26-7)
n
Restoring the default settings for Windows Firewall
Note that most actions involving Windows Firewall require local administrator credentials
on the computer.
FIGURE 26-7
Viewing which firewall profiles allow Remote Assistance to communicate through Windows
Firewall
Managing Windows Firewall Using the Windows Firewall with Advanced
Security Snap-in
The Windows Firewall with Advanced Security MMC snap-in exposes most of the functionality
of Windows Firewall for advanced users and administrators of the local computer (main mode
rules and some advanced global IPsec settings are configurable only by Netsh). To start this
snap-in, do any of the following:
• From the Start menu, select Control Panel, System And Security, Windows Firewall, Advanced Settings.
• Type fire in the Start menu Search box, and then click Windows Firewall With Advanced Security in the Programs group.
• Type wf.msc in the Start menu Search box and press Enter.
• Type mmc in the Start menu Search box and press Enter to open a new MMC console, and then add the Windows Firewall with Advanced Security snap-in to the console in the usual way.
The first three methods listed here can be used only to manage Windows Firewall on the

• Monitoring the state of the firewall and its configuration
• Monitoring active firewall rules
• Monitoring active connection security rules
• Monitoring security associations for both main mode and quick mode
• Monitoring event logs associated with Windows Firewall
Many of these management tasks are described in more detail in the section titled “Com-
mon Management Tasks” later in this chapter.
To make it easier to manage large numbers of rules on a computer, the Windows Firewall
with Advanced Security snap-in lets you filter firewall and connection security rules by profile
(domain, private or public) and/or by state (enabled or disabled). In addition, firewall rules
(but not connection rules) can also be filtered by rule group. Figure 26-8 shows all inbound
rules that match the following filtering criteria:
• Profile: domain
• State: enabled
• Group: Remote Assistance
To remove applied filters, select Clear All Filters from the shortcut menu.
FIGURE 26-8
You can filter firewall rules by profile, state, and group to make it easier to manage large
numbers of rules.

• The state of each firewall profile in the firewall policy of a GPO is initially Not Configured. This means that the GPO does not change whether Windows Firewall is turned on or off on targeted computers. For example, if the domain profile of Windows Firewall on a targeted
computer is enabled, it will remain enabled after Group Policy processing has occurred.
Similarly, if the domain profile of Windows Firewall on a targeted computer is disabled,
it will remain disabled after Group Policy processing has taken place on the computer.
So if a local administrator on the targeted computer turns off Windows Firewall on his
computer, it will remain turned off even after Group Policy processing has taken place
on the computer. Therefore, if you want to ensure that the firewall policy in the GPO
applies to targeted computers, you must enable the firewall profiles in the policy. To
do this, right-click the following policy node in the GPO:
Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
Select Properties from the context menu, and on each profile tab (Domain Profile,
Private Profile, and Public Profile), change the Firewall State policy setting from Not
Configured to On (Recommended).
• The default inbound and outbound rules for each firewall profile in the firewall policy
of a GPO are also initially Not Configured. Therefore, if you want to ensure that firewall
rules are processed as expected when the GPO is processed by targeted computers,
you should configure the desired default inbound and outbound rules in the policy.
To do this, right-click on the policy node described above and select Properties from
the context menu. Then on each profile tab (Domain Profile, Private Profile, and Public
Profile), change the Inbound Connections and Outbound Connections policy settings
to the values you want to use, which are typically the following.
Note that if multiple GPOs for firewall policy target the same computer and each GPO

command.
MORE INFO See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies for a walkthrough of how to deploy firewall and connection security rules using Group Policy.
NOTE For faster processing of GPOs that are used only for applying firewall policy to targeted computers, disable the User portion of the GPO using the GPMC.
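The same Not Configured to On change, and the default inbound and outbound actions, can be written into the GPO from the command line, since netsh advfirewall can be pointed at a GPO store instead of the local policy. The following PowerShell script is an added example and not from the Resource Kit; the GPO name and domain are assumptions, and the GPO must already exist. It also turns off merging of locally created rules for the domain profile, which is what the LocalFirewallRules and LocalConSecRules lines in the show domainprofile output reflect.

```powershell
# Added example (not from the Resource Kit). Points netsh at a GPO store so
# the settings below are written into the GPO rather than the local policy.
# Run from an elevated prompt on a domain member with GPMC installed.
$gpo = 'contoso.com\Workstation Firewall Policy'   # assumed: domain\GPO display name

# Select the GPO store (form as shown by 'netsh advfirewall set store ?').
& netsh advfirewall set store "gpo=$gpo"

# Before: every profile is Not Configured, so a locally disabled firewall stays
# disabled after Group Policy processing. After: state On, default inbound
# Block, default outbound Allow, for all three profiles.
foreach ($profile in 'domain', 'private', 'public') {
    & netsh advfirewall set "${profile}profile" state on
    & netsh advfirewall set "${profile}profile" firewallpolicy blockinbound,allowoutbound
}

# Stop local administrators from widening the domain profile with their own
# firewall or connection security rules; merging stays on for the other
# profiles so users can still run local tools when off the corporate network.
& netsh advfirewall set domainprofile settings localfirewallrules disable
& netsh advfirewall set domainprofile settings localconsecrules disable

# Read the result back from the GPO store, then return netsh to the local store
# so later commands in this session do not modify the GPO by accident.
& netsh advfirewall show allprofiles
& netsh advfirewall set store local
```

After the GPO is refreshed, a client's own netsh advfirewall show domainprofile reports the LocalFirewallRules and LocalConSecRules lines as N/A (GPO-store only), which is the quickest way to confirm that the policy, not the local settings, is in control.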
Managing Windows Firewall Using the Netsh Command
The Netsh command can be used to manage Windows Firewall either interactively from the command line or by using scripts. The Netsh command also has been enhanced in Windows 7 to expose almost all aspects of Windows Firewall to viewing and configuration (some settings, such as global quick mode, can only be configured using the Windows Firewall with Advanced Security snap-in). By using the netsh advfirewall context of this command, you can display the status and configuration of Windows Firewall, configure firewall and IPsec settings, create and configure both firewall and connection security rules, monitor active connections, and perform other management tasks.
NOTE You must run the netsh advfirewall command from an elevated command prompt to set (configure) Windows Firewall settings. You do not need to run it from an elevated command prompt if you only want to show (view) Windows Firewall settings.
To enter the netsh advfirewall context from the command line, type netsh and press Enter,
then type advfirewall and press Enter.
C:\Windows\System32>netsh
netsh>advfirewall
netsh advfirewall>
The prompt indicates the current context of the command. Typing help at the netsh

netsh advfirewall>show domainprofile

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

To view the global firewall and IPsec settings on the local computer, use the show global command as follows.

netsh advfirewall>show global

Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None
StatefulFTP                           Enable
StatefulPPTP                          Enable

Main Mode:

Program: C:\Windows\system32\msra.exe
InterfaceTypes: Any
Security: NotRequired
Rule source: Local Setting
Action: Allow
You can also pipe Netsh to Findstr to display the names of all inbound rules belonging to
a specific rule group. For example, to display all inbound rules for the Remote Assistance rule
group, use this command.
C:\Windows\system32>netsh advfirewall firewall show rule name=all dir=in | findstr /I /C:"remote assistance"
Rule Name: Remote Assistance (PNRP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (SSDP TCP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (SSDP UDP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (TCP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (DCOM-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (RA Server TCP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (PNRP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (TCP-In)
Grouping: Remote Assistance
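Piping netsh to findstr, as above, is fine for a quick look, but the same text output can be parsed into objects and checked against a baseline, which is what you want when auditing many machines. The following PowerShell script is an added example and not from the Resource Kit: it parses the show domainprofile listing and the firewall show rule listing shown earlier, flags the settings an auditor would question (firewall off, default inbound not Block, dropped-packet logging disabled, remote management enabled) and groups enabled inbound Allow rules that do not require IPsec by rule group. The sample output embedded in the script is constructed from the listings on this page so that it runs without touching the firewall; -Live reads the real configuration instead.

```powershell
# Added example (not from the Resource Kit). Windows 7 has no firewall cmdlets,
# so this parses the plain-text output of 'netsh advfirewall' into objects and
# flags what an auditor would question. The $sample* strings are constructed
# from the listings above so the script also runs without touching the firewall.

# Parse "Key      Value" lines (as in 'show domainprofile'). Key and value are
# separated by two or more spaces; headers such as "Logging:" and the dashed
# separator line do not match and are skipped.
function ConvertFrom-NetshSettings([string[]]$Lines) {
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?)\s{2,}(.+?)\s*$') { $settings[$Matches[1]] = $Matches[2] }
    }
    return $settings
}

# Parse 'firewall show rule' output. A record starts at "Rule Name:" and
# consists of "Field: value" lines until the next record.
function ConvertFrom-NetshRules([string[]]$Lines) {
    $rules = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s*(.*)$') {
            if ($current) { $rules += $current }
            $current = @{ 'Rule Name' = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^([^:]+):\s*(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

# Baseline checks against one parsed profile; returns one string per finding.
function Test-FirewallProfile([hashtable]$Settings, [string]$Name) {
    $findings = @()
    if ($Settings['State'] -ne 'ON') { $findings += "${Name}: firewall is off" }
    if ($Settings['Firewall Policy'] -notmatch '^BlockInbound') { $findings += "${Name}: default inbound action is not Block" }
    if ($Settings['LogDroppedConnections'] -ne 'Enable') { $findings += "${Name}: dropped-packet logging is disabled" }
    if ($Settings['RemoteManagement'] -eq 'Enable') { $findings += "${Name}: remote firewall management is enabled" }
    return $findings
}

# Enabled inbound Allow rules that do not require IPsec, grouped like the
# snap-in's Group filter. The Security field appears only in verbose listings.
function Get-UnauthenticatedInboundGroups($Rules) {
    $Rules |
        Where-Object { $_['Enabled'] -eq 'Yes' -and $_['Direction'] -eq 'In' -and
                       $_['Action'] -eq 'Allow' -and $_['Security'] -eq 'NotRequired' } |
        Group-Object { $_['Grouping'] } |
        ForEach-Object { "$($_.Count) unauthenticated inbound allow rule(s) in group '$($_.Name)'" }
}

# Constructed sample output, modelled on the listings above.
$sampleProfile = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
RemoteManagement                      Disable
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
'@ -split "`r?`n"

$sampleRules = @'
Rule Name:                            Remote Assistance (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Assistance
Program:                              C:\Windows\system32\msra.exe
Security:                             NotRequired
Action:                               Allow

Rule Name:                            Remote Assistance (PNRP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Grouping:                             Remote Assistance
Security:                             NotRequired
Action:                               Allow
'@ -split "`r?`n"

# -Live reads the real configuration ('show' does not need elevation).
function Invoke-FirewallAudit([switch]$Live) {
    if ($Live) {
        $profileText = & netsh advfirewall show domainprofile
        $ruleText    = & netsh advfirewall firewall show rule name=all dir=in verbose
    } else {
        $profileText = $sampleProfile
        $ruleText    = $sampleRules
    }
    $findings  = @(Test-FirewallProfile (ConvertFrom-NetshSettings $profileText) 'Domain')
    $findings += @(Get-UnauthenticatedInboundGroups (ConvertFrom-NetshRules $ruleText))
    return $findings
}

Invoke-FirewallAudit   # sample data: one logging finding, one Remote Assistance group
```

The dropped-connection log is disabled in the default profile shown above; since it is the only local record of what the firewall refused, turning it on (netsh advfirewall set allprofiles logging droppedconnections enable) is the first remediation most incident responders will ask for.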
To show all connection security rules configured on the local computer, type consec to

usage, see “Netsh Commands for Windows Firewall with Advanced Security”.
Common Management Tasks
The sections that follow briefly describe some common management tasks for administering
Windows Firewall with Advanced Security on Windows 7 and Windows Server 2008 R2. For
additional information concerning managing Windows Firewall with Advanced Security, see
the references in the section titled “Related Information” at the end of this chapter.