Table of contents
Microsoft network access protection with NAP and NAQC
Microsoft network endpoint security tips and tactics
Remote access security measures for Windows users
VPN security testing and maintenance
Microsoft Windows Firewall security
Microsoft Windows Firewall security
Windows Firewall, introduced in Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, is Microsoft's replacement for its earlier host firewall, Internet Connection Firewall (ICF). In general, according to Windows security expert Mark Minasi, a "firewall refers to any of a number of ways to shield a computer network from other networks." When one of those "other networks" is the internet itself, a host firewall becomes a necessary security tool for any Windows network.
Locking up the ports: Windows Firewall
This upgrade to best-selling author Mark Minasi's Mastering Windows Server 2003 covers the undocumented updates and new features for Windows Firewall in Service Pack 1 and Windows Server 2003 R2. With clear, easy instruction, this book update tells you all about SP1 and R2, including security enhancements and management and administration tools. If you work with or depend on Windows Server 2003, this book is for you.
Windows Firewall basics
Writing that batch file might be impressive, but, again, it'd be a lot of work. Fortunately, you needn't, because Windows Firewall already does that work for you. Put briefly, here's an overview of the kind of firewall services it offers and what else might be appealing about it.
- Basically, WF is a stateful packet filter: by default, every packet arriving at a system with WF enabled is discarded unless it is a response to traffic that system itself initiated. Unsolicited inbound packets are dropped inside the TCP/IP stack, before any listening service ever sees them.
- WF lets you create exceptions (port openings or program exceptions) and restrict each exception's scope to particular source addresses; for example, it's possible to say, "Accept unsolicited packets on TCP port 25, but only from the 192.168.0.0/24 subnet." Scope is expressed as a list of addresses and subnets (or "LocalSubnet"), not as an arbitrary first-to-last address range. When paired with IPsec on Server 2003 SP1 and R2, WF can also do something called IPsec bypass: traffic from computers that have authenticated with IPsec is passed regardless of the port exceptions.
- Windows lets its firewall behave in two different ways, called profiles: the domain profile, used when the computer can reach a domain controller for its own domain (that is, it is inside the corporate network), and the standard profile, used everywhere else. (Having two behaviors is of more interest to XP users, since XP SP2 introduced WF, than to server administrators; most of us don't carry our servers outside the building.)
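The three points above, as an added PowerShell example that is not from the book or the page: it drives the era-appropriate `netsh firewall` context (XP SP2, Server 2003 SP1 and R2) to turn stateful filtering on in both profiles, open TCP 25 in the domain profile only and scope that exception to a single subnet, and leave the standard profile with no exceptions honoured at all. The subnet 192.168.0.0/24, the exception name SMTP-internal and the `Invoke-Netsh` helper are assumptions for illustration; run it from an elevated prompt on the target host.

```powershell
# Added example (not from the book or the page): configure Windows Firewall on
# XP SP2 / Server 2003 SP1 / R2 through the legacy "netsh firewall" context.
# Assumed: the internal mail relays live in 192.168.0.0/24 (a constructed
# value) and the script runs in an elevated prompt on the host being configured.

$InternalSubnet = '192.168.0.0/24'   # assumption: source scope for the SMTP exception

function Invoke-Netsh {
    # Run one netsh command and fail loudly if netsh rejects it, so a typo
    # cannot silently leave the firewall off or an exception wide open.
    param([string[]]$NetshArgs)
    $output = & netsh.exe $NetshArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($NetshArgs -join ' ') failed: $output"
    }
    $output
}

# 1. Stateful filtering on. With mode=ENABLE every unsolicited inbound packet
#    is dropped; only replies to traffic this host started are let in.
Invoke-Netsh 'firewall','set','opmode','mode=ENABLE','exceptions=ENABLE','profile=DOMAIN'

# 2. One exception, scoped to one subnet, in the domain profile only: accept
#    unsolicited TCP/25 from $InternalSubnet and from nowhere else. scope=CUSTOM
#    takes a comma-separated list of addresses and subnets (or LocalSubnet),
#    not an arbitrary first-to-last range.
$smtpRule = @('firewall','add','portopening','protocol=TCP','port=25',
              'name=SMTP-internal','mode=ENABLE','scope=CUSTOM',
              "addresses=$InternalSubnet",'profile=DOMAIN')
Invoke-Netsh $smtpRule

# Inbound echo request (ICMP type 8) so the monitoring host can ping this
# server while it is on the corporate network. ICMP settings are per profile
# and have no address scope of their own.
Invoke-Netsh 'firewall','set','icmpsetting','type=8','mode=ENABLE','profile=DOMAIN'

# 3. Second profile, second behaviour: when the machine cannot reach its domain
#    (a laptop on hotel Wi-Fi), the standard profile applies, and here it keeps
#    the firewall on with no exceptions honoured at all.
Invoke-Netsh 'firewall','set','opmode','mode=ENABLE','exceptions=DISABLE','profile=STANDARD'

# Review what actually took effect, per profile, rather than trusting the script.
Invoke-Netsh 'firewall','show','opmode'
Invoke-Netsh 'firewall','show','portopening'
Invoke-Netsh 'firewall','show','icmpsetting'
```

Group Policy overrides anything set locally with `netsh`, so on a domain member check the "Windows Firewall: Define inbound port exceptions" and related settings under Computer Configuration before concluding that a rule did not stick.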
The Specific WF "Firewall Rules"
Still wondering if WF is worth looking at? Then let's get very specific about what it blocks and what it can't block, why Microsoft took the time to create this newer WF, and whether you should enable Windows Firewall on your 2003 or R2 systems (it's disabled by default) or disable it on your XP boxes (it's enabled by default). First, let's answer more exactly the question, "How does WF decide whether to block or pass information?" It takes just a few rules.
WF Must Be Enabled to Do Anything
First, of course, it's got to be enabled before it'll monitor packets. It is, again, off by default on Server 2003 SP1 and R2 and on by default on XP SP2.
WF Never Blocks Outgoing Traffic
If your computer wants to send an IP packet of any kind to any system on the Internet, WF couldn't give a hoot. This turned out to be a fairly controversial issue at Microsoft, and an early version of WF in XP SP2 could block outgoing traffic. The idea was that if the buffer overflow worm du jour entered your system via port 515 (a made-up example) and, after infecting your system, tried to reach other systems on port 515, it might be nice to write a group policy that blocked any outgoing messages destined for port 515, caging the worm until all of the infected systems could be found and disinfected. It didn't seem like a bad idea at the time, but some folks argued against it, and so this generation of WF always passes outgoing packets. (In an interesting Part 2 to the story, Vista's Windows Firewall with Advanced Security does add outbound rules, although outbound traffic is still allowed unless a rule explicitly blocks it.)
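The two rules just stated, checked against what the host actually recorded, as an added PowerShell example that is not from the book or the page. It parses Windows Firewall's `pfirewall.log` (the W3C-style "Version 1.5" layout XP SP2 and Server 2003 SP1 write, with dropped-packet logging turned on), confirms that no DROP entry has an outbound path (which this generation of WF cannot produce), and tallies what the stateful filter discarded by protocol and destination port. The log lines, the addresses in them and the function names are constructed for the example; one of the sample drops is a TCP/25 connection from outside an assumed 192.168.0.0/24 scope, to show what a scoped exception looks like in the log.

```powershell
# Added example (not from the book or the page): read Windows Firewall's
# pfirewall.log and check the "enabled" and "never blocks outgoing" rules
# against the host's own record. Dropped-packet logging must be on first:
#   netsh firewall set logging droppedpackets=ENABLE
# The lines below are constructed sample data in the file's Version 1.5 layout;
# the field names come from the "#Fields:" header of that file.

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2007-07-10 09:15:02 DROP TCP 10.1.2.3 192.168.0.10 51234 445 48 S 123456 0 65535 - - - RECEIVE
2007-07-10 09:15:03 DROP TCP 10.1.2.3 192.168.0.10 51235 139 48 S 123457 0 65535 - - - RECEIVE
2007-07-10 09:15:04 DROP UDP 10.1.2.9 192.168.0.10 1024 137 78 - - - - - - - RECEIVE
2007-07-10 09:15:05 DROP TCP 172.16.5.5 192.168.0.10 40001 25 48 S 123458 0 65535 - - - RECEIVE
2007-07-10 09:15:06 OPEN TCP 192.168.0.10 10.0.0.5 1100 25 - - - - - - - - -
'@

function ConvertFrom-PfirewallLog {
    # Turn raw log lines into objects whose property names come from the
    # #Fields header, so later filters can say $_.action and $_.path.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1] -split '\s+'; continue }
        if ($line -match '^\s*(#|$)' -or -not $fields) { continue }   # comments, blanks, pre-header noise
        $values = $line.Trim() -split '\s+'
        $entry = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $values.Length; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $entry
    }
}

function Test-OutboundNeverBlocked {
    # This generation of WF has no outbound filtering, so a DROP with path=SEND
    # should never appear. If one does, something other than WF (an IPsec
    # policy, a third-party filter driver) is doing the blocking.
    param([object[]]$Entries)
    $outboundDrops = @($Entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'SEND' })
    return ($outboundDrops.Count -eq 0)
}

function Get-InboundDropSummary {
    # Unsolicited inbound traffic the stateful filter discarded, by protocol and
    # destination port: the quickest way to see what a worm or scanner is
    # hammering, and whether a scoped exception (TCP/25 from the wrong subnet
    # in the sample) is doing its job.
    param([object[]]$Entries)
    $Entries |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'protocol','dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Offline run on the constructed sample; swap in the live file with
#   $entries = @(ConvertFrom-PfirewallLog (Get-Content "$env:SystemRoot\pfirewall.log"))
$entries = @(ConvertFrom-PfirewallLog ($SampleLog -split "`r?`n"))
"Firewall logged $($entries.Count) entries; outbound never blocked: $(Test-OutboundNeverBlocked $entries)"
Get-InboundDropSummary $entries | Format-Table -AutoSize
```

An empty log after a day on a busy network usually means the firewall is off or logging was never enabled, which is exactly rule one above; check `netsh firewall show opmode` and `netsh firewall show logging` before trusting a clean result.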
SearchWindowsSecurity.com also features excerpts from this book covering topics such as when you should (or should not) use Windows Firewall, making server apps work with Windows Firewall, IPsec Bypass and permitting Ping.
Managing Microsoft's Windows Firewall
Microsoft's Windows Firewall can give network admins a headache. When can you shut down Windows Firewall? What is the best firewall configuration for your network? Where is the line between security and functionality when it comes to firewall settings for remote users? The list of questions goes on. Check out the advice of our Windows security experts to find out when to use Windows Firewall, how to configure it for remote users and what can cause Windows Firewall to automatically shut down.
Can I disable Windows Firewall?
You might choose to run a firewall other than WF and therefore want to disable Windows Firewall entirely. According to Windows security expert Jonathan Hassell:
You can't uninstall any Microsoft Firewall solution as they're built into the respective products: the Internet Connection Firewall for Windows XP Service Pack 1 and the Windows Firewall for XP SP 2. To disable the Windows Firewall, go to Control Panel, Security Center, and then disable the firewall under the appropriate section. If you are still running Service Pack 1, and you have any sort of choice in the matter, install Service Pack 2 immediately.
There are no real risks in using a third-party firewall, although I must question why you'd want to do that. The third-party firewalls have more features, sure, but the Windows Firewall in XP SP 2 does a fantastic job at its core mission and is really all you need if you have an anti-virus program, another firewall on your router or other edge protection, and so on.
Additional information on Windows Firewall:
- Security without firewalls: Sensible or silly?
The San Diego Supercomputer Center has had only one compromise in nearly six years, without using a firewall. The SDSC's security manager explains how.
- Does making Windows SP2 my primary source of virus protection disable the Windows firewall?
When I installed Windows SP2, McAfee asked if I wanted it to be the primary source of virus detection. Since I do not have a McAfee firewall but only a virus scanner, is this disabling the new Windows firewall? Where in Windows is the priority for McAfee over Windows set? How is this priority reversed if required?
- Featured Topic: Windows Firewall
If you aren't currently running a local firewall on your company's computers, the new Windows Firewall is a great way to secure your computers for free. But, if you've already deployed a third-party firewall, Redmond's offering is not for you.
This was first published in July 2007