
Securing the Workstation : Applying the Castle Defense System (part 6) - Working with external access - Working with the Windows Firewall with Advanced Security

7/11/2013 6:48:10 PM

5. Layer 5: Working with external access

The final layer of defense involves external access. In PC terms, this means working with the way PCs access your resources when outside your network. As such, this means working with the following items:

  • Windows Firewall with Advanced Security

  • Virtual Private Network (VPN) Connections

  • Public Key Infrastructures

  • Network Access Protection

Each of these is discussed here as they apply to PCs.

5.1 Working with the Windows Firewall with Advanced Security

Vista includes a host-based firewall that helps protect each individual PC running it. In fact, the same firewall engine is exposed through two different management interfaces. The first is the basic Windows Firewall control panel, which focuses on whether protection is turned on and which programs are allowed through. The second, Windows Firewall with Advanced Security, is a much more comprehensive tool that is once again managed through Group Policy.

Like Windows Defender, the Basic Firewall is accessed through the Security Center (Control Panel => Security => Security Center); click the Windows Firewall link in the left pane to launch it. You'll also remember that the firewall is already turned on immediately after you install Windows Vista, as part of the initial security configuration of your PC. Of course, you need administrative credentials to view or modify its settings.

As shown in Figure 10, the basic firewall has two main settings: On or Off. You should keep it on at all times. There are also two additional tabs for basic firewall configuration. The Exceptions tab lists the programs and ports that are allowed to receive inbound connections. A firewall basically controls which of the 65,535 TCP and UDP ports accept inbound connections on your machine. You can manage the firewall at the port level if you want (just click the Add port button), but it is much easier and safer to manage it at the application level: a program exception is only open while that program is running and listening, whereas a port exception stays open regardless of what is behind it. For example, if you want to be able to make Remote Assistance connections to a PC, allow the Remote Assistance program in the Exceptions tab rather than opening its ports by hand.

Figure 10. Working with the Windows Firewall

Many applications are Windows Firewall aware (in fact, you should make sure that each application you choose is Firewall aware) and will automatically register the appropriate exceptions when installed. Being Firewall aware is part of the Windows Logo compliance requirements Microsoft publishes for independent software vendors so that they can make their applications as compatible with Vista as possible. Keep in mind that each such installation adds an inbound exception that outlives the installer; review the Exceptions tab periodically so that the list reflects only programs you still need.

The last tab is the Advanced tab. This tab lets you configure different Firewall settings for different network connections if they exist. You need to make sure the Basic Firewall is turned on at all times.

The best way to ensure your firewall is turned on at all times is to use the Windows Firewall with Advanced Security (WFAS). This firewall control center is accessed through Group Policy (Computer Configuration => Policies => Windows Settings => Security Settings => Windows Firewall with Advanced Security). As shown in Figure 11, WFAS provides much more comprehensive control over firewall behavior.

Figure 11. Working with the Windows Firewall with Advanced Security

The first thing you will notice is the network profiles associated with the firewall. Each time Windows Vista connects to a new network, it asks what kind of network you are connecting to. Three choices are offered to the end user: Home, Work, and Public. Home and Work both map to the firewall's Private profile; Public maps to the Public profile.

Vista configures the firewall settings for the network depending on the choice made by the user. Home and Work (Private) networks allow network discovery and some inbound connections. Public networks are very restrictive and block all unsolicited inbound connections. For this reason, you should instruct your users to always select Public network when they connect to an unknown network. When they do so, Vista applies the most restrictive profile, protecting their PC from potentially malicious hosts sharing the same network.

WFAS, however, exposes one additional network profile, the Domain profile, which the user never selects: Vista applies it automatically when the PC can authenticate to a domain controller for the domain it is a member of. The Domain profile therefore controls firewall behavior when the system is connected to your own network. This feature is what makes WFAS so much more comprehensive than the Basic Firewall: being able to control the behavior of the Firewall based on the type of network the PC is currently connected to.

As shown in Figure 11, the Firewall state is Not configured by default in a new GPO. You should configure these settings for each of the three profiles even if they are not currently in use; a portable PC that is on the Domain profile in the office today will be on the Public profile in an airport tomorrow. By taking this step, you ensure that your PCs are protected no matter where they connect. The three profiles include:

  • Domain: This profile applies when the computer is connected to a network containing an Active Directory domain controller for the domain that holds the computer's account, normally your own network.

  • Private: This profile applies when the computer connects to a network that does not contain its account, for example a home network that runs through a Workgroup.

  • Public: This profile applies when the computer connects to an unknown network such as one in airports or coffee shops.

The configurations you should apply in WFAS should become more and more restrictive as you work through the profiles. To configure the settings for each profile, follow these steps:

  1. Launch the Group Policy Management Console by choosing Start Menu => Search => gpmc.msc.

  2. Locate a GPO that applies to all PCs (it should be linked to the PCs OU), right-click it, and select Edit.

  3. Navigate to WFAS by choosing Computer Configuration => Policies => Windows Settings => Security Settings => Windows Firewall with Advanced Security, expand its contents, and click the Windows Firewall with Advanced Security subnode.

  4. In the Details pane, click Windows Firewall Properties under the list of profiles.

  5. Begin with the Domain Profile. At the very least, use the Recommended and Default settings, as shown in Figure 12. The Firewall should be turned on, Inbound connections should be Blocked unless explicitly allowed, and Outbound connections should be Allowed.

    Figure 12. Working with the Firewall Profile Settings
  6. Click the Customize button under Settings to open a second dialog box that displays several settings. Once again, select the Defaults at the very least.

    • It is a good idea to display notifications, so that users will know when a program is attempting a connection that is blocked.

    • Allow unicast responses to multicast or broadcast traffic, because this option lets the system accept unicast replies for up to three seconds after it sends a multicast or broadcast request (a name resolution query, for example). After three seconds, further replies are blocked. Note that this does not affect DHCP responses, which are always allowed.

    • Allow local firewall rules only if you want rules defined locally on the PC (not through a GPO) to apply as well. The default is to allow them.

    • Allow local connection security rules only if you want IPsec connection security rules defined locally on the PC (not through a GPO) to apply as well. The default is to allow them.

    • In most cases, you should set only GPO rules. Although allowing local rules can be convenient when you configure a new application on a PC, it becomes quite cumbersome when you are troubleshooting a PC whose connections are not working, because you must then check two rule sets instead of one. Note that when local rules are not applied, the exceptions that Firewall-aware installers create locally are ignored as well, so every required application must have a corresponding rule in the GPO. If you want to test new applications, do it in a test environment, not in your production network.

  7. Repeat the operation for the Private and Public tabs.

    The last tab focuses on IPsec Settings. Click the Customize button to modify these settings. They deal with how secure (IPsec-protected) connections from the PC to other systems are negotiated: the key exchange, data protection, and authentication methods. Each of the settings in this dialog box is set to Default. Note that these defaults only define which algorithms and authentication methods are used when a connection security rule calls for IPsec; no traffic is protected by IPsec until you create such a rule. To view the default values, click the What are the default values? link at the bottom of the dialog box. You can change each setting by selecting Advanced and then clicking the Customize button. Click OK when done.

    NOTE

    Make sure you verify with your server administrators to coordinate these settings with them. IPsec will be configured on the server as well as on the PC and settings must match for the connection to occur properly.

    If you do modify the IPsec settings, you can also exempt ICMP from IPsec. This means you could use the PING utility to check whether a computer is reachable without first negotiating IPsec. While this might be useful inside your network, it is not a good idea for portable systems that travel outside your network, since it lets any host on an untrusted network probe the PC unauthenticated. The best bet is to leave it off.

  8. Click OK to apply the changes to the profiles.
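To verify that the profile settings from steps 5 through 8 actually reached a PC, you can read them back with netsh advfirewall, the command-line interface to WFAS that ships with Vista. The following PowerShell script is an added example, not part of the original article: it parses the output of `netsh advfirewall show allprofiles` and reports every profile whose state or inbound/outbound policy deviates from the recommended baseline. The function names and the $Baseline table are this example's own choices; run it from an elevated prompt on an English-language system, since netsh labels are localized.

```powershell
# Added example (not from the original article): audit the three WFAS profiles
# on a Vista PC against the baseline recommended in steps 5-8 (firewall ON,
# inbound blocked, outbound allowed). Uses only netsh advfirewall, which is
# built into Vista. The function names and $Baseline are this example's choices.

$Baseline = @{
    'State'           = 'ON'
    'Firewall Policy' = 'BlockInbound,AllowOutbound'
}

function Get-FirewallProfileSettings {
    # Parse "netsh advfirewall show allprofiles" into a hashtable keyed by
    # profile name (Domain, Private, Public); each value maps setting -> value.
    $profiles = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $matches[1]
            $profiles[$current] = @{}
            continue
        }
        # Setting lines look like "Name<two or more spaces>Value"; rulers,
        # blank lines and sub-headings such as "Logging:" do not match.
        if ($current -and $line -match '^(\S.*?)\s{2,}(\S.*)$') {
            $profiles[$current][$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $profiles
}

function Test-FirewallBaseline {
    # Returns one string per deviation; an empty result means the PC matches.
    param([hashtable]$Profiles = (Get-FirewallProfileSettings))
    $findings = @()
    foreach ($name in 'Domain','Private','Public') {
        if (-not $Profiles.ContainsKey($name)) {
            $findings += "$name profile: not reported by netsh"
            continue
        }
        foreach ($setting in $Baseline.Keys) {
            $actual = $Profiles[$name][$setting]
            if ($actual -ne $Baseline[$setting]) {
                $findings += "$name profile: $setting is '$actual', expected '$($Baseline[$setting])'"
            }
        }
    }
    return ,$findings
}

function Set-FirewallBaseline {
    # Enforce the same baseline locally on every profile. On a domain-joined PC
    # the GPO from steps 1-8 should already do this; use this on unmanaged PCs.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
}

$deviations = Test-FirewallBaseline
if ($deviations.Count -eq 0) {
    Write-Output 'All three profiles match the recommended baseline.'
} else {
    $deviations | ForEach-Object { Write-Output "DEVIATION: $_" }
}
```

If the script reports a deviation on a domain-joined PC, run gpupdate /force and check again before suspecting the GPO itself. The LocalFirewallRules and LocalConSecRules settings from step 6 are reported as N/A when read from the local store, because they only exist in the GPO store; verify those two in the Group Policy editor rather than here.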

You can also create Inbound, Outbound, and Connection Security Rules for your systems. Each node uses a wizard to generate the rule, as shown in Figure 13. Once again, it is easiest to base rules on programs rather than ports. You can also rely on the Predefined rules that come with the Firewall, which cover Windows features such as Remote Desktop and File and Printer Sharing. Use custom rules only for the specific cases that program and predefined rules cannot express.

Figure 13. Creating Inbound, Outbound, or Connection Security Rules in WFAS

The best way to create Inbound, Outbound, or Connection Security Rules is to work with both firewall interfaces. Do this through the following steps:

  1. Set up a PC using a typical configuration.

  2. Enable all of the applications you deem necessary for this PC. This may include items such as Remote Assistance, Remote Desktop, and Windows Remote Management among others.

  3. Open the Windows Firewall through Control Panel and move to the Exceptions tab.

  4. Go to your GPO and add a rule for each exception enabled on the Exceptions tab of the Basic Firewall to your Group Policy.

  5. Test the policy before deploying it.

This approach will let you more easily configure the Group Policy and it will ensure your systems are working as they should while protecting them from malicious connections.
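Rather than transcribing the Exceptions tab by hand in step 4, you can export the reference PC's complete firewall policy and import it into the GPO (in the Group Policy editor, right-click the Windows Firewall with Advanced Security node and choose Import Policy). The following PowerShell script is an added example, not part of the original article: it exports the local firewall store to a .wfw file and lists the inbound rules that are currently enabled, so you can review exactly what you are about to push to every PC. The export path and the function names are assumptions of this example; run it elevated on the reference PC.

```powershell
# Added example (not from the original article): export the reference PC's
# firewall policy for import into the GPO, and list the enabled inbound rules
# so the result can be reviewed first. Uses netsh advfirewall, built into
# Vista; run elevated. The path and function names are this example's choices.

function Export-ReferenceFirewallPolicy {
    param([string]$Path = "$env:USERPROFILE\Desktop\reference-firewall.wfw")
    # The .wfw file holds every rule, profile setting and IPsec setting of the
    # local store; the Group Policy editor's Import Policy action reads it.
    if (Test-Path $Path) { Remove-Item $Path -Force }
    netsh advfirewall export "$Path" | Out-Null
    if (-not (Test-Path $Path)) { throw "Export failed: $Path was not created" }
    return $Path
}

function Get-EnabledInboundRules {
    # netsh prints each rule as a block of "Label:   value" lines separated by
    # a blank line; collect the fields of interest and keep the enabled rules.
    $rules = @()
    $rule = @{}
    $wanted = '^(Rule Name|Enabled|Profiles|Grouping|Program|Protocol|LocalPort):\s*(.*)$'
    foreach ($line in (netsh advfirewall firewall show rule name=all dir=in verbose)) {
        if ($line -match $wanted) {
            $rule[$matches[1]] = $matches[2].Trim()
        } elseif ($line -match '^\s*$' -and $rule.Count -gt 0) {
            if ($rule['Enabled'] -eq 'Yes') { $rules += $rule }
            $rule = @{}
        }
    }
    return ,$rules
}

$file = Export-ReferenceFirewallPolicy
Write-Output "Policy exported to $file (import it into the GPO's WFAS node)."
Write-Output ''
Write-Output ("{0,-45} {1,-16} {2}" -f 'Enabled inbound rule', 'Profiles', 'Program or port')
foreach ($r in Get-EnabledInboundRules) {
    # Program-based rules show the executable; port-based rules show protocol/port.
    if ($r['Program'] -and $r['Program'] -ne 'Any') {
        $target = $r['Program']
    } else {
        $target = "$($r['Protocol']) $($r['LocalPort'])"
    }
    Write-Output ("{0,-45} {1,-16} {2}" -f $r['Rule Name'], $r['Profiles'], $target)
}
```

Review the listing before importing: a reference PC that has had software installed and removed often still carries enabled exceptions for programs that no longer exist, and Import Policy replaces the GPO's existing firewall settings and rules wholesale.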

NOTE

Virtual Private Network connections that use L2TP/IPsec rely on IPsec to protect the tunnel (PPTP connections do not). WFAS allows you to configure both the Firewall and IPsec in the same integrated environment. If you are relying on Windows Server to create the VPN connections, then work with your server team to properly configure these settings. If you are using a third-party VPN tool, then look up the appropriate client from the list found at http://support.microsoft.com/kb/929490.
