When Microsoft created Windows Vista, one of its primary focuses was on creating an operating system that would be far more secure than its predecessors. In doing so, Microsoft completely revamped many Windows security features, including Windows Firewall. For years security experts have bashed Windows Firewall because it does not filter outbound traffic. Without outbound packet filtering, it is possible for malware to steal sensitive information off of a computer and transmit it across the Internet.
If you want to enable the filtering of outbound packets, or if you want to access any of the firewall's other advanced features, you will have to use the Windows Firewall snap-in for Microsoft Management Console. You can access this snap-in by opening a Command Prompt window and entering the MMC command at the command prompt. Upon doing so, Windows will open an empty Microsoft Management Console. When the console opens, select the Add / Remove Snap-In command from the console's File menu. Windows will now open the Add or Remove Snap-Ins dialog box, which displays a list of all of the available snap-ins. Choose the Windows Firewall option from the list and click the Add button. When you do, Windows will ask you if you want the snap-in to manage the local computer or another computer. Verify that the Local Computer option is selected, and click Finish followed by OK. The snap-in should now be loaded.
Before I show you how to configure outbound packet filtering, I want to quickly mention that you can't just create a blanket rule that prevents any traffic from leaving the computer. Doing so would serve the same purpose as unplugging the network cable from the computer. There are a number of internal Windows functions that must be able to send outbound packets in order to perform even the most basic networking functions. Therefore, you will have to be careful about how you filter outbound packets.
With that said, expand the console's Windows Firewall With Advanced Security node and select the Outbound Rules node. When you do, you will see that a number of outbound rules already exist, as shown in Figure A. These rules ensure that the various Windows services are able to communicate through the Windows firewall, and should therefore not be deleted or disabled.
The existing outbound rules ensure that built-in Windows services are able to pass traffic through Windows Firewall.
To create an outbound rule, click the New Rule link found in the Actions pane. When you do, Windows will launch the New Outbound Rule Wizard. As you can see in Figure B, the wizard gives you a choice of creating a rule related to a program or a port. You can also work with any of the predefined rules or create a custom rule.
There are several different types of rules that you can create.
Obviously, the choices that the wizard presents you with from here on out will vary depending on the type of rule that you choose to create. For the purposes of this article, though, I will show you how to create a custom rule since custom rules give you the greatest amount of control over the system.
Select the Custom option, and click Next. At this point, you will see the screen that's shown in Figure C. As you can see in the figure, you have the option of applying the rule to specific applications (based on the path in which the application is installed) or you can apply the rule to a specific service. You also have the option of applying the rule to all programs.
You have the option of creating a rule that applies to a specific path, service or to all programs.
The next screen that you will see asks you which protocols and ports you want to apply the rule to. In Figure D, I chose TCP port 80, which is of course used for HTTP traffic. However, you can choose whichever protocols or ports meet your needs.
The rule will apply to the protocols and ports that you select.
After completing the Protocols and Ports screen, click Next and you will see the Scope screen, shown in Figure E. This screen allows you to choose the local and remote IP addresses that the rule applies to. The local scope is used in situations in which a computer contains multiple network interface cards (the computer is multi-homed) and you only want to apply the rule to specific network interface cards. Likewise, the rule can be applied to all external IP addresses or to specific addresses. For example, earlier I mentioned that I was creating a rule to regulate outbound traffic on TCP port 80. I could prevent users on the PC from browsing the Web by applying the rule to all external addresses, or I could prevent users from visiting specific Web sites by entering the IP addresses associated with those sites.
The Scope screen restricts the rule to the local and external IP addresses that you specify.
The next screen is the Action screen. This screen allows you to decide what should happen if the computer attempts to establish a connection that falls within the parameters of the rule that you are creating. You have three choices: allow the connection; allow the connection if it is secure; or block the connection, as shown in Figure F.
You can choose what happens when the computer attempts to establish a connection that falls within the scope of the rule.
Click Next and you will be taken to the Profile screen. The Profile screen allows you to control the types of situations in which you want the rule to apply. For example, you might not want a rule to apply if a computer is connected to a domain. You can select the profiles for which the rule applies by selecting the check boxes associated with the various profiles, as shown in Figure G.
You must choose the situations in which the rule will apply.
The last screen you encounter asks you to enter a name and an optional description for the new rule. You can enter anything you want, but I recommend using a name that describes what the rule does. You can then use the Description field to enter a more detailed explanation of how the rule behaves. When you are done, click Finish and your new rule will be created.
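The same custom outbound rule that the wizard walks through above (program, protocol and port, scope, action, profile, name and description) can also be created from the command line with netsh advfirewall, which ships with Vista. This is an added example, not part of the original article; the rule name, the program path and the remote address 203.0.113.10 are assumed values chosen for illustration, and the commands must be run from an elevated prompt.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell
# or Command Prompt. Rule name, program path and remote address are assumed values.

# One netsh command covers every wizard screen:
#   program=     -> the "specific application" choice on the Program screen
#   protocol=/remoteport= -> Protocols and Ports screen (TCP 80, as in Figure D)
#   remoteip=    -> the remote side of the Scope screen (a single Web site address)
#   action=block -> the Action screen ("allow", "block"; "security=authenticate"
#                   adds the "allow only if secure" variant)
#   profile=     -> the Profile screen check boxes (private and public, not domain)
netsh advfirewall firewall add rule `
    name="Block outbound HTTP from example browser" `
    description="Custom outbound rule: blocks TCP 80 from one program to 203.0.113.10" `
    dir=out `
    action=block `
    program="C:\Program Files\Example\browser.exe" `
    protocol=TCP `
    remoteport=80 `
    remoteip=203.0.113.10 `
    profile=private,public `
    enable=yes

# A rule bound to a service instead of a program path uses service= (service short name).
# Example only, not created here:
#   netsh advfirewall firewall add rule name="Block svc" dir=out action=block service=spooler protocol=any

# Confirm the rule and its parameters; this is what the Outbound Rules node displays.
netsh advfirewall firewall show rule name="Block outbound HTTP from example browser" verbose

# Show each profile's default outbound policy. An explicit block rule is enforced
# regardless, but outbound traffic that matches no rule follows this default.
netsh advfirewall show allprofiles

# Clean up once testing is finished (uncomment to run):
# netsh advfirewall firewall delete rule name="Block outbound HTTP from example browser"
```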
About the author: Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. He has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, TechTarget, CNET, ZDNet, MSD2D, Relevant Technologies and other technology companies. You can visit his personal Web site at www.brienposey.com.
This was first published in March 2007