Which of the following tools cannot enable and disable the network discovery firewall rules?

Network Profile Information

Windows Firewall displays basic status information for each network profile. You will be able to see which network profile is currently in use (displayed as Connected vs. Not Connected). You will also see the following information:

Windows Firewall state: This option will let you know if Windows Firewall is on or off for the given network type.

Incoming connections: This option will tell you the current policy in place for connections. You might see Block all connections to apps that are not on the list of allowed apps or Block all connections including apps on the list of allowed apps.

Active <profile type> networks: This option shows the network(s) that you are currently connected to.

Notification state: This option details what notifications have been configured for Windows Firewall.

Note: If you have multiple physical adapters or using virtualization, you may show as being connected to multiple networks simultaneously.

Windows Firewall

Windows Firewall is a stateful firewall that comes installed with most modern versions of Windows by default. On Windows 2008 Server machines, the firewall is enabled by default, blocking many of the ports that cause so much trouble in otherwise unprotected Windows systems. On virtual servers, the Windows Firewall ensures that only the services necessary for the chosen function are exposed (the firewall will automatically configure itself for new server roles, for instance, and when certain server applications are installed). As members of your domain, the Windows Firewall of your virtual servers can be managed remotely, or through Group Policy.

Windows Firewall

The Windows Firewall is used to protect your Windows system from network-based threats. You can control who has access to your system and what access is granted. The Windows Firewall applet allows you to configure these firewall settings. In the Windows Firewall section of the Control Panel, you have two options: Check firewall status and Allow a program through Windows Firewall.

Check firewall status: This option brings up the Windows Firewall window, as seen in Figure 3.17. This option will allow you to see if Windows Firewall is enabled or disabled on your system. You can also see Windows Firewall settings for incoming connections and notifications.

Allow a program through Windows Firewall: This option brings up the Allowed Programs window, as seen in Figure 3.18. Here, you can see what programs are allowed by Windows Firewall. If you want to change these settings, you must choose the Change settings option. You can now select a program to allow access to and what networks the program is allowed to communicate on. The Details option will show you the path to the executable for the application being allowed. If you want to allow a program not listed, you can choose the Allow another program option. You can then specify the location of another program you want to allow through the firewall.

Windows Firewall with Advanced Security Node in Group Policy

Managing the Windows Firewall through Group Policies isn’t that different from managing it via the Windows Firewall with Advanced Security tool, with the exception of the monitoring node and its subnodes missing in Group Policies. To pull up the Group Policies just select Start | Run and type gpedit.exe. In the Group Policy Object Editor, select Computer Configuration | Windows Settings | Security Settings | Windows Firewall with Advanced Security and you will see the same settings you saw with the Windows Firewall with Advanced Security console. Figure 8.9 shows the Group Policy Object Editor highlighting the Windows Firewall with Advanced Security settings.

Basic Firewall Settings

The basic Windows Firewall settings may be accessed and configured straight from the Control Panel console for the Windows Firewall. On the left panel are links to:

Allow a program or feature through Windows Firewall – This configures the rules for applications and features to go through the Windows Firewall depending on the network location.

Change notification settings – This turns the Windows Firewall on or off, can block all incoming connections, and can be set to notify the user when something is blocked.

Turn Windows Firewall on or off – Same as above.

Restore defaults – This restores the Windows Firewall rules and settings to default.

Advanced Settings – This will be referenced in the next section.

To turn the Windows Firewall on or off and change notification settings, do the following:

Open Windows Firewall from the Control Panel

Click Change notification settings or Turn Windows Firewall on or off from the left panel.

Select settings for each network location:

Turn on Windows Firewall – This is recommended if no other firewall is installed.

Block all incoming connections, including those in the list of allowed programs.

Notify me when Windows Firewall blocks a new program.

Turn off Windows Firewall – This is not recommended, ever.

Click OK.

Once Windows Firewall is on, an administrator may need to configure certain applications to be allowed access through the firewall. Carefully evaluate the application that will be allowed access as any traffic it sends or receives will not be blocked. To allow incoming connections through the firewall, do the following:

Open Windows Firewall from the Control Panel.

Click Allow a program or feature through Windows Firewall from the left pane.

Check or uncheck the program or feature that may communicate through the Windows Firewall.

If the program is not in the list, click Allow another program…, select it from that list and click Add. If the program is still not in the Add a Program list, you may click Browse to find the executable for it.

Check or uncheck the program or feature under the network location as shown in Figure 8.26. A check will allow the communication.

Click OK.

In the event that Windows Firewall configurations and settings are misconfigured, the Windows Firewall may be reset to default state. Restoring the Windows Firewall to its default state will remove all the custom settings and even cause some programs that require networking to not work correctly. Most programs that require a Windows Firewall rule will automatically create the rule. Therefore, restoring defaults will remove that rule and may require reinstalling the program or manually adding the rule.

To restore defaults:

Open Windows Firewall from the Control Panel

Click Restore defaults from the left pane.

Click Restore defaults.

Click OK.

Windows Firewall

The Windows Firewall was introduced in Windows XP as an inbound only firewall. Windows 7 now configures the Windows Firewall to block both inbound and outbound traffic. Additionally, it is much more flexible to configure custom firewall settings. These settings may be saved as profiles, another new feature that requires user education. The profile chosen is based on the prompt to Choose a Network when the Windows 7 machine detects a connection to a new network. Depending on the end user's choice of Home, Work, or Public, the proper Windows Firewall profile is set. Public network settings block incoming traffic by default, a setting that may be too high for a Home or Work network. Windows 7 will automatically recognize when the machine is connected to a network it was on before, such as a Work or Home network, and apply the correct profile.

The Windows Firewall can be configured from the Control Panel under the Windows Firewall or Systems and Security consoles as shown in Figure 1.78. The Windows Firewall and other Windows 7 security features and configurations will be discussed in Chapter 8, “Securing Windows 7.”

Configuring Windows Firewall

The Windows Firewall is turned on by default on a Windows Server 2008 machine. You can turn it off with the command netsh firewall set opmode mode=disable. However, this should only be done in a test environment, not in a production environment. If you want to enable the Windows Firewall, use the same syntax but substitute mode=disable with mode=enable. If you install a particular role on a Server Core machine, then the required ports to fulfill the role service will be opened. To enable Remote Administration in Windows Firewall, use the command netsh advfirewall firewall set rule group=”Remote Administration” new enable=yes. This will enable remote management for any MMC snap-in. In some situations, it may be more appropriate to limit the number of MMCs that can connect. This is where Rule Groups come in. Windows Firewall has some default Rule Groups that correspond to MMCs. If you enable a particular Rule Group, then the corresponding firewall rule will be added to the firewall configuration. Table 7.3 shows the Rule Groups defined within Server 2008.

Table 7.3. MMC Snap-ins and the Corresponding Firewall Rule Groups

If you want to allow only specific MMC snap-ins to connect, type netsh advfirewall firewall set rule group=“<rulegroup>” new enable=yes at the command prompt. Replace <rulegroup> with one of the values mentioned in Table 7.3. If you, for example, want to allow other computers or servers to connect to a Server Core machine with eventviewer execute, type in the following command at the command prompt: netsh advfirewall firewall set rule group=“ Remote Event Log Management” new enable=yes.

Configuring Windows Firewall through the command line can prove quite complex in some situations. It's much easier to use the Windows Firewall snap-in from a computer running Windows Vista or Windows Server 2008, and then remotely manage the firewall on a server running a Server Core installation. To accomplish this, first execute the command netsh advfirewall set currentprofile settings remotemanagement enable. After executing this command, you're allowed to connect to the Server Core machine with the Windows Firewall MMC. In Figure 7.11, you can see a regular Windows 2008 server connected to a Server Core machine with IP address 10.0.0.1.

Network Location and Network Discovery

As stated in Chapter 1, “Introduction to Windows 7,” when a Windows 7 computer first connects to a network, it will scan and attempt to determine what network it is connected to. If the computer cannot identify the network, it will prompt the user to select what kind of network the computer is connected to as shown in Figure 6.1. Network discovery settings work with the Windows Firewall settings and depend on the type of network that the computer connects to. It is critical for end users to be educated to select the correct network. If a Home or Work network is selected in a public network, then the Windows Firewall will be configured incorrectly and might allow a potential malicious user access to the system.

The Windows Firewall and networking settings are dependent on the location chosen by the user. There are four categories of network locations:

Home – Computers that are connected to a home network. This enables HomeGroup and easy configuration of a home network.

Work – Computers that are connected to a workgroup where some sharing may occur.

Public – This is for any location that is not trusted. This location has the most secure firewall settings.

Domain – This is for computers connected to a domain infrastructure. The user is not prompted to connect to these as the computer uses the domain relationship to auto discover.

Depending on the location chosen by the user, network discovery may be on. To toggle network discovery, ensure the location is set for Home or Work:

Click Change advanced sharing settings on the left panel of the Network and Sharing Center.

Expand Home or Work settings by clicking the down arrow.

Click the radio button to Turn on network discovery.

Warning

It is not recommended to enable network discovery in a public network. A public network is any network that is not trusted. As an added security measure, it is not recommended to enable any of the advanced settings in a public network: network discovery, file and print sharing, public folder sharing, media streaming, or password protected sharing.

Inbound/Outbound Filters

Windows Server 2008 features a variety of inbound and outbound features that you will need to be able to implement. The old version of Windows Firewall has been upgraded and is now called Windows Firewall with Advanced Security (WFAS).

This new version of WFAS has a number of advanced components that will help with you security needs.

New GUI Interface MMC is a snap-in that is available to help configure the advanced firewall.

Bi-directional Filters Unlike past versions of Windows Firewall, WFAS filters both outbound traffic as well as inbound traffic.

Better IPSec Compatibility WFAS rules and IPSec encryption configurations are both integrated into the same singular interface.

Enhanced Rules Generation Using WFAS, you can create firewall rules for Windows Active Directory service accounts and groups. This includes source/destination IP addresses, protocol numbers, source and destination TCP/User Datagram Protocol (UDP) ports, Internet Control Message Protocol (ICMP), IPv6 traffic, and interface all on the Windows Server.

With the addition to having inbound and outbound filters, the WFAS has advanced rules configuration.

The first concern of any server administrator in using a host-based firewall is “What if it prevents critical server infrastructure applications from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic.

By using the advanced windows firewall, you can better secure your servers from attack and secure your servers from attacking others, and really nail down what traffic is going in and out of your servers.