Creating a custom rule involves configuring options on the
Endpoints, Requirements, Authentication Method, Protocol And Ports,
and Profile And Name pages. The only new page here is the Protocol
And Ports page shown in Figure 8. You can use
this page to specify the protocol and the port or ports that a
network packet must use in order to match this connection security rule.
Once you have done this, only network traffic that matches the
criteria on both this page and the Endpoints page matches the rule and is
subject to its authentication requirements.
Creating connection security rules using Windows PowerShell
You can also use Windows PowerShell to view, create,
configure, and remove connection security rules either in the policy
store on the local computer, a remote computer, or a GPO. You can do
this using the cmdlets from the NetSecurity module of Windows
PowerShell.
For example, you can use the New-NetIPsecRule to create a new
server isolation rule in the persistent store on the local machine
that requires both inbound and outbound authentication:
PS C:\> New-NetIPsecRule -DisplayName "Server Isolation Rule"`
-InboundSecurity Require -OutboundSecurity Require
IPsecRuleName : {8215b76f-e6f2-42da-a8b9-1f8416b9a358}
DisplayName : Server Isolation Rule
Description :
DisplayGroup :
Group :
Enabled : True
Profile : Any
Platform : {}
Mode : Transport
InboundSecurity : Require
OutboundSecurity : Require
QuickModeCryptoSet : Default
Phase1AuthSet : Default
Phase2AuthSet : Default
KeyModule : Default
AllowWatchKey : False
AllowSetKey : False
LocalTunnelEndpoint :
RemoteTunnelEndpoint :
RemoteTunnelHostname :
ForwardPathLifetime : 0
EncryptedTunnelBypass : False
RequireAuthorization : False
User : Any
Machine : Any
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus : NotApplicable
PolicyStoreSource : PersistentStore
PolicyStoreSourceType : Local
If you open the Windows Firewall with Advanced Security
snap-in at this point and select the Connection Security Rules node,
you will see the new rule that you created.
You can also use the Get-NetIPsecRule cmdlet to view
connection security rules, Set-NetIPsecRule to modify them, or
Remove-NetIPsecRule to delete them. For more help concerning any of
these cmdlets, use the Get-Help cmdlet.
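The following is an added example, not code from the book: it builds with New-NetIPsecRule the same kind of custom rule that the Endpoints and Protocol And Ports wizard pages describe, then walks through the view, modify and remove cycle with Get-NetIPsecRule, Set-NetIPsecRule and Remove-NetIPsecRule. The rule name, the addresses, the port and the GPO name are assumptions; run it in an elevated Windows PowerShell session on a computer that has the NetSecurity module.

```powershell
# Added example (not from the book). Names, addresses, port and GPO name are
# assumptions chosen for illustration.

# Create the rule in the local persistent store. Only TCP traffic to port 445
# between the assumed local subnet and the two assumed file servers matches,
# so only that traffic is subject to the Require/Require authentication rule.
New-NetIPsecRule -DisplayName "Require Auth - File Servers SMB" `
    -Description "Server isolation for SMB to file servers (assumed addresses)" `
    -Protocol TCP -RemotePort 445 `
    -LocalAddress 10.0.1.0/24 `
    -RemoteAddress 10.0.1.10, 10.0.1.11 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Profile Domain `
    -PolicyStore PersistentStore

# View the rule and the endpoint and port filters that correspond to the
# Endpoints and Protocol And Ports wizard pages.
$rule = Get-NetIPsecRule -DisplayName "Require Auth - File Servers SMB"
$rule | Format-List DisplayName, InboundSecurity, OutboundSecurity, Profile, PolicyStoreSource
$rule | Get-NetFirewallAddressFilter | Format-List LocalAddress, RemoteAddress
$rule | Get-NetFirewallPortFilter    | Format-List Protocol, LocalPort, RemotePort

# Modify: relax the outbound side to Request while the rollout is staged,
# then disable the rule without deleting it.
Set-NetIPsecRule -DisplayName "Require Auth - File Servers SMB" -OutboundSecurity Request
Set-NetIPsecRule -DisplayName "Require Auth - File Servers SMB" -Enabled False

# The same rule written into a GPO rather than the local store. The GPO name
# is an assumption; the -PolicyStore value takes the form "<domain>\<GPO name>".
# New-NetIPsecRule -DisplayName "Require Auth - File Servers SMB" `
#     -Protocol TCP -RemotePort 445 `
#     -InboundSecurity Require -OutboundSecurity Require `
#     -PolicyStore "contoso.com\Server Isolation Policy"

# Remove the local rule when it is no longer needed.
Remove-NetIPsecRule -DisplayName "Require Auth - File Servers SMB"
```

Restricting the rule to a protocol, port and address range keeps the Require/Require setting from breaking traffic to hosts that cannot authenticate, which is the usual reason a broad server isolation rule is staged as Request first.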
Configuring authenticated bypass
One of the
configuration options in that wizard was deferred until later
because it had to do with how firewall rules interact with IPsec.
That setting is the Allow The Connection If It Is Secure option on
the Action page. (See Figure 9.)
Selecting this option specifies that only connections
protected by IPsec will be allowed by the new firewall rule. Such
IPsec protection is implemented separately using connection security
rules.
As Figure 9
shows, selecting the Allow The Connection If It Is Secure option
also adds two new wizard pages named Users and Computers to the New
Inbound (or Outbound) Rules Wizard. You can use these two new pages
to specify trusted users, computers, or both that are allowed to
connect to the local computer.
The default behavior of a firewall rule that has the Allow The
Connection If It Is Secure option selected is for network traffic
matching the firewall rule to be allowed if the traffic is both
authenticated and integrity-protected by IPsec. This default option
is supported on computers running Windows Vista, Windows Server
2008, or later.
By clicking Customize on the Action page, you can change this
behavior by selecting a different option on the Customize Allow If
Secure Settings dialog box shown in Figure 10. Specifically,
you can select from the following options:
- Require The Connections To Be Encrypted. Choosing this option adds
  the requirement of data encryption to the default requirements of
  authentication and data integrity. If you are creating an inbound
  rule, you can also select Allow The Computers To Dynamically
  Negotiate Encryption to allow the network connection to send and
  receive unencrypted traffic while an IPsec encryption algorithm is
  being negotiated after IPsec authentication has been achieved.
- Allow The Connection To Use Null Encapsulation. Choosing this
  option requires that matching network traffic use IPsec
  authentication, but it does not require either integrity or
  encryption protection. You should select this option only if you
  have network equipment or software that is not compatible with
  either the ESP or AH integrity protocols.
- Override Block Rules. Choosing this option allows matching network
  traffic to override any firewall rules that would block such
  traffic. In general, firewall rules that explicitly block a
  connection take priority over firewall rules that explicitly allow
  the connection. But if you select the Override Block Rules option,
  the connection will be allowed even if a different rule is
  configured to block it.
Important
Security warning
If you select the Allow The Computers To Dynamically
Negotiate Encryption check box shown in Figure 10, network
traffic will be sent in clear text while an encryption algorithm
is being negotiated.
Selecting the Override Block Rules option when creating a new
firewall rule is called authenticated bypass,
because it means that matching network traffic is allowed because it
has been authenticated as coming from an authorized and trusted user
or computer. As Figure 11 shows, you
must specify at least one trusted computer when configuring
authenticated bypass for a firewall rule.
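The following is an added example, not code from the book: it expresses the Allow The Connection If It Is Secure setting and its three customizations (encryption required, null encapsulation, override block rules) with New-NetFirewallRule, and finishes with an audit that lists the rules on a computer that carry authenticated bypass, null encapsulation or dynamic encryption negotiation. The domain group name, the ports and the rule names are assumptions; the SDDL string format "D:(A;;CC;;;<SID>)" is the one the Windows Firewall accepts for the RemoteMachine and RemoteUser parameters.

```powershell
# Added example (not from the book). Group name, ports and rule names are
# assumptions. Run in an elevated Windows PowerShell session.

# Resolve the assumed trusted computer group to a SID and wrap it in the SDDL
# form the firewall expects. Replace the group with one from your own domain.
$account = [System.Security.Principal.NTAccount]"CONTOSO\Trusted Admin Computers"
$sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$trustedComputers = "D:(A;;CC;;;$sid)"

# Default "Allow the connection if it is secure": traffic must be
# authenticated and integrity-protected by IPsec (Authentication Required,
# Encryption NotRequired), and only from the trusted computers.
New-NetFirewallRule -DisplayName "RDP - allow if secure" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 `
    -Authentication Required -Encryption NotRequired `
    -RemoteMachine $trustedComputers

# "Require the connections to be encrypted": the strict form. No cleartext is
# sent at any point, because Encryption Required is used rather than Dynamic.
New-NetFirewallRule -DisplayName "RDP - require encryption" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 3389 `
    -Authentication Required -Encryption Required `
    -RemoteMachine $trustedComputers

# The same rule with "Allow the computers to dynamically negotiate
# encryption" would use -Encryption Dynamic instead; matching traffic may
# then flow in clear text while the algorithm is negotiated, so Required is
# the safer choice unless that window is acceptable.

# "Allow the connection to use null encapsulation": authentication only, no
# integrity or encryption, for equipment that cannot handle ESP or AH.
New-NetFirewallRule -DisplayName "Legacy app - null encapsulation" -Direction Inbound `
    -Action Allow -Protocol TCP -LocalPort 8080 `
    -Authentication NoEncap -RemoteMachine $trustedComputers

# "Override block rules" (authenticated bypass): the rule wins over any block
# rule for matching traffic, so a trusted computer group is mandatory here.
New-NetFirewallRule -DisplayName "Management server - authenticated bypass" `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 5985 `
    -Authentication Required -Encryption Required `
    -OverrideBlockRules $true -RemoteMachine $trustedComputers

# Audit: these three settings each weaken a default guarantee (block-rule
# precedence, integrity, or encryption), so list every rule that uses one.
# The security filter carries these properties; piping it to
# Get-NetFirewallRule returns the owning rule.
Get-NetFirewallSecurityFilter |
    Where-Object {
        $_.OverrideBlockRules -or
        $_.Authentication -eq "NoEncap" -or
        $_.Encryption -eq "Dynamic"
    } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Enabled, PolicyStoreSource
```

Because the firewall rule only states that the connection must be secure, each of these rules still depends on a connection security rule (such as the server isolation rule created earlier) to perform the IPsec authentication; without one, no traffic matches and the rule silently allows nothing.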
Note
Cannot override blocking all connections
If you configured Windows Firewall with Advanced Security to
block all connections, the Override Block Rules option will not
override such behavior.