If you access the Internet using a broadband -- cable modem or DSL -- service, chances are that you have an always-on connection, which means there's a much greater chance that a malicious hacker could find your computer and have his way with it. You might think that with millions of people connected to the Internet at any given moment, there would be little chance of a "script kiddy" finding you in the herd. Unfortunately, one of the most common weapons in a black-hat hacker's arsenal is a program that runs through millions of IP addresses automatically, looking for live connections. The fact that many cable systems and some DSL systems use IP addresses in a narrow range compounds the problem by making it easier to find always-on connections.
When a cracker finds your address, he has many avenues from which to access your computer. Specifically, your connection uses many different ports for sending and receiving data. For example, the File Transfer Protocol (FTP) uses ports 20 and 21, web data and commands typically use port 80, email uses ports 25 and 110, the domain name system (DNS) uses port 53, and so on. In all, there are dozens of these ports, and each one is an opening through which a clever cracker can gain access to your computer.
As if that weren't enough, attackers can check your system for the installation of some kind of Trojan horse or virus. (Malicious email attachments sometimes install these programs on your machine.) If the hacker finds one, he can effectively take control of your machine (turning it into a zombie computer) and either wreck its contents or use your computer to attack other systems.
Again, if you think your computer is too obscure or worthless for someone else to bother with, think again. For a typical computer connected to the Internet all day long, hackers probe for vulnerable ports or installed Trojan horses at least a few times every day.
Make sure Windows Firewall is up to par
If you want to see just how vulnerable your computer is, several good sites on the Web will test your security:
The good news is that Windows includes the Windows Firewall tool, which is a personal firewall that can lock down your ports and prevent unauthorized access to your machine. In effect, your computer becomes invisible to the Internet (although you can still surf the Web and work with email normally). Other firewall programs exist out there, but Windows Firewall does a good job. For example, Figure 14.5 shows the output of the Shields Up tool from Gibson Research after probing a typical Windows 7 computer. As you can see, Windows Firewall held its own.
Create a Windows Firewall exception
I just told you how important a firewall is for a secure computer, so it may seem more than a little strange that I'm now going to show you how to poke holes in that firewall. Actually, this kind of thing is fairly routine, at least behind the scenes, where programs such as Microsoft Office Outlook and iTunes often configure Windows Firewall to allow them to access the Internet. That's fine, but why would you want to do something like this? There are many reasons, but they mostly boil down to needing some sort of data to get through the firewall. For example, if you want to perform administrative duties on a computer on your network, that computer's firewall needs to be configured to allow the Remote Assistance service through. Similarly, if you activate Windows 7's built-in web server, you need to configure that PC to allow data through port 80.
These are examples of firewall exceptions, and there are actually three types of exceptions you can set up:
- Enable an existing exception. Windows maintains a list of programs and services that are often used as exceptions and you can toggle these on and off.
- Add a program as a new exception. If the program you want to use isn't in the list, you can add it yourself.
- Add a port as a new exception. You can also configure a port as an exception, and the firewall will allow data to pass back and forth through the port.
The next three sections show you how to create the three types of firewall exceptions.
Activate an existing exception
Windows Firewall maintains a list of programs, services, and sometimes ports that are currently enabled as exceptions, or that are commonly enabled but currently are not. This is the easiest way to set up an exception because all you have to do is activate a check box or two:
- Select Start, type firewall, and then click Allow a Program Through Windows Firewall in the search results. The Allowed Programs window appears.
- Click Change Settings. Windows Firewall enables the exceptions, as shown in Figure 14.6.
- Activate the Home/Work (Private) check box beside the exception you want to enable.
- If you also connect to public networks (such as wireless hotspots) and you also want the exception enabled on those networks, activate the Public check box beside the exception you want to enable.
- Click OK to put the exception into effect.
Add a program as a new exception
If you don't see the program or port you want to work with, you can add it by hand. Here's how:
- Select Start, type firewall and then click Allow a Program Through Windows Firewall in the search results. The Allowed Programs window appears.
- Click Change Settings. Windows Firewall enables the exceptions.
- Click Allow Another Program. The Add a Program dialog box appears.
- If you see your program in the list, click it. Otherwise, click Browse, use the Browse dialog box to select the program's executable file, and then click Open.
- Click Add. Windows Firewall adds the program to the list.
- Activate the Home/Work (Private) check box.
- If you also connect to public networks (such as wireless hot spots) and you want the program allowed through on those networks, activate the Public check box.
- Click OK to put the exception into effect.
You can prevent computers on your network from adding program exceptions if you're worried about security. On the other computer, log on as an administrator, open the Group Policy Editor (see Chapter 9, "Policing Windows 7 with Group Policies"), and open the following branch: Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Standard Profile. Enable the Windows Firewall: Do Not Allow Exceptions policy and the Windows Firewall: Protect All Network Connections policies.
Add a port as a new exception
If you need to open a port on your computer, you can't do it via the Allowed Programs window. Instead, you need to work with a Microsoft Management Console snap-in called Windows Firewall with Advanced Security (WFAS). To load it, select Start, type wf.msc, press Enter, and then enter your User Account Control credentials. Figure 14.7 shows the WFAS snap-in.
The home page of the snap-in presents an overview of the current firewall settings, as well as a number of links to configure and learn about WFAS. This snap-in configures the firewall by setting policies and storing them in three profiles. The domain profile is used when your computer is connected to a network domain, the private profile is used when your computer is connected to a private network, and the public profile is used when your computer is connected to a public network. To change the settings for the profiles, click the Windows Firewall Properties link, and then use the Domain Profile, Private Profile, and Public Profile tabs to modify the settings (although the defaults should be fine for most people).
The scope pane contains four main sub-branches:
- Inbound Rules. This branch presents a list of defined rules for inbound connections. In most cases, the rules aren't enabled. To enable a rule, you right-click it and then click Enable Rule (or you can click the rule and then click Enable Rule in the Action pane). You can create your own rule (as you'll soon see) by right-clicking Inbound Rules and then clicking New Rule (or clicking New Rule in the Action pane). This launches the New Inbound Rule Wizard.
- Outbound Rules. This branch presents a list of defined rules for outbound connections. As with inbound connections, you can enable the rules you want to use and create your own rules. Note, too, that you can customize any rule by double-clicking it to display its property sheet. With this property sheet, you can change the program executable to which the exception is applied, allow or block a connection, set the computer and user authorization, change the ports and protocols, and specify the interface types and services.
- Connection Security Rules. This branch is where you create and manage authentication rules, which determine the restrictions and requirements that apply to connections with remote computers. Right-click Computer Connection Security and then click New Rule (or click New Rule in the Action pane) to launch the New Connection Security Rule Wizard.
- Monitoring. This branch shows the enabled firewall settings. For example, the Firewall sub-branch shows the enabled inbound and outbound firewall rules, and the Connection Security Rules sub-branch shows the enabled authentication rules.
Here are the steps to follow to use WFAS to create a port exception:
- Click Inbound Rules.
- In the Actions pane, click New Rule to launch the New Inbound Rule Wizard.
- Click Port and then click Next. The Protocol and Ports dialog box appears.
- Click the data protocol you want the exception to use: TCP or UDP. (If you're not sure, choose TCP.)
- Activate the Specific Local Ports option and use the text box to type the port you want to set up as an exception.
- Click Next. The Action dialog box appears.
- Click Allow the Connection and then click Next. The Profile dialog box appears.
- Activate the check box beside each profile you use (Domain, Private, or Public), and then click Next. The Name dialog box appears.
- Use the Name text box to make up a name for this exception. This is the name that appears in the Exceptions tab, so make it reasonably descriptive (for example, Port 80 for Web Server).
- Click Finish to put the exception into effect.
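The same two exceptions (the program exception from the Allowed Programs steps and the port exception from the WFAS wizard) can be created from an elevated PowerShell prompt with the netsh advfirewall command that ships with Windows 7. This is an added example, not code from the book; the rule names and the C:\Tools\MyApp.exe path are placeholders, and it narrows the port rule's scope to the local subnet, which the wizard leaves at "any address" by default.

```powershell
# Added example (not from the book). netsh advfirewall is used because the
# New-NetFirewallRule cmdlet only exists on Windows 8 / Server 2012 and later.
# Run from an elevated PowerShell prompt; Mandatory=$true keeps PowerShell 2.0 happy.

function Add-ProgramException {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [string] $ExePath,
        [string] $Profile = 'private'   # private|public|domain|any, comma-separated
    )
    if (-not (Test-Path -LiteralPath $ExePath)) { throw "Executable not found: $ExePath" }
    # Equivalent of Allowed Programs > Allow Another Program with only the
    # Home/Work (Private) check box activated.
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        program="$ExePath" profile=$Profile enable=yes | Out-Null
}

function Add-PortException {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [int] $Port,
        [ValidateSet('TCP','UDP')] [string] $Protocol = 'TCP',
        [string] $Profile = 'private',
        # The wizard's default scope is any remote address. Restricting the rule
        # to the local subnet is the "scope" that is easy to forget to change.
        [string] $RemoteIp = 'localsubnet'
    )
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port out of range: $Port" }
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=$Protocol localport=$Port remoteip=$RemoteIp `
        profile=$Profile enable=yes | Out-Null
}

function Show-Exception {
    param([Parameter(Mandatory=$true)] [string] $Name)
    # Print the rule back so direction, profile and remote scope can be confirmed.
    netsh advfirewall firewall show rule name="$Name" verbose
}

# Same exception as the wizard walk-through: TCP port 80 for the built-in web
# server, but reachable only from the local subnet rather than from anywhere.
Add-PortException -Name 'Port 80 for Web Server' -Port 80 -Protocol TCP
Show-Exception    -Name 'Port 80 for Web Server'

# Program exception; set the placeholder path to a real executable first.
# Add-ProgramException -Name 'MyApp (placeholder)' -ExePath 'C:\Tools\MyApp.exe'
```

Run `netsh advfirewall firewall delete rule name="Port 80 for Web Server"` to remove the rule again when you are done testing.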
If you're worried about someone on your network adding a port as an exception and possibly opening up a security hole (for example, by forgetting to change the scope to something local), you can disable new port exceptions on that computer. Log on as an administrator, open the Group Policy Editor, and open the following branch: Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Standard Profile. Disable the Windows Firewall: Allow Local Port Exceptions policy.
How to secure Microsoft Windows 7