What's New With Windows Firewall?

The Windows Firewall was first introduced with Windows XP Service Pack 2 (SP2), was later added to Windows Server 2003 as part of Service Pack 1 (SP1), and is now part of Windows Vista. The Windows Firewall was a big improvement over its predecessor, which had no built-in, host-based firewall at all.

This initial release was very basic and included only the most fundamental functionality. With the advent of Windows Vista and Windows Server 2008, the Windows Firewall has been given a substantial makeover and is now known as Windows Firewall with Advanced Security (WFAS). Keep reading for a description of the new features in WFAS as well as a step-by-step configuration example.

Here is a list of some of the most important new features in WFAS:

  • WFAS is enabled by default in Windows Server 2008
  • The firewall now supports both incoming and outgoing rules
  • There is a new Microsoft Management Console (MMC) snap-in for WFAS, and in this new interface the firewall configuration has been merged with Internet Protocol Security (IPSec) configuration
  • Command line interface changes
  • Configuration of rules/exceptions is much more powerful
  • New profile options

When Microsoft added the Windows Firewall to Windows XP SP2, the new feature was enabled by default. This was an amazing leap forward in desktop security. In Windows Server 2003 SP1, it was enabled when users first set up a server, but disabled once they ran Windows Update to patch the server. Now, with Windows Server 2008, the firewall is fully enabled by default. This is a great step forward in locking down the server OS, and Microsoft makes life easy by automatically adding firewall exceptions when new roles (e.g. DNS) are added through the Server Manager interface. Vista, of course, also enables the firewall by default.

A powerful new feature of WFAS is the ability to create outbound firewall rules. The most common use of a firewall is to keep the bad guys out, but administrators can also keep the good guys in. An example of this would be blocking outbound destination ports 80 and 443 so no one can browse the Web from a server. Of course, be careful: you don't want to block your server from getting its monthly dose of patches. NOTE: By default, all outbound connections are allowed.

In addition to managing firewall configuration, the new WFAS MMC snap-in replaces both the IP Security Policies and IP Security Monitor MMC snap-ins that were previously used to manage IPSec. They are, however, both still included in Windows Server 2008 and Vista. The older snap-ins can be used to manage down-level clients (e.g. Windows 2000, Windows XP, and Windows Server 2003). See figure 1 for a screen shot of the new interface.

NOTE: The fastest way to open the WFAS interface is by clicking Start, typing "firewall" into the search area, and pressing Enter. You can also get to the new WFAS MMC snap-in through Server Manager in Windows Server 2008.

To manage the new features of WFAS from the command line, you will need to use the new advfirewall context with netsh. You can get to this command line interface by typing netsh advfirewall at a command prompt (see figure 2). If you are using the new Server Core installation of Windows Server 2008 (this is the command line only version of Windows Server 2008) and you want to use the WFAS MMC snap-in, then you will need to run the following command so you can manage WFAS remotely from a Vista workstation or regular installation of Windows Server 2008:

Perhaps the most important update to WFAS is the ability to create much more detailed and powerful exceptions. Here is a list of the new types of exceptions allowed by WFAS:

  • rules based on IP protocol number
  • rules for source and destination TCP and UDP ports
  • rules for all ports, or for multiple ports in a single rule
  • rules for specific types of interfaces (LAN, remote access, or wireless)
  • rules for ICMP and ICMPv6 traffic by type and code
  • rules for individual services

Before WFAS it was nearly impossible to allow all types of traffic from a particular IP address. You would have had to add an exception for every single port individually, all 65,536 of them! The finer granularity of exception rules is a very welcome addition to WFAS.
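The outbound rule described earlier and each of the new exception types listed above can be created from the netsh advfirewall context. The script below is an added example, not taken from the article; the rule names, the 192.0.2.10 management host, the port numbers and the choice of services are constructed for the demonstration, and it must be run from an elevated prompt on Vista or Windows Server 2008 or later.

```powershell
# Added example (not from the original article): the WFAS rule types the text
# describes, as "netsh advfirewall firewall" commands. Run elevated.
# Rule names, addresses and ports below are placeholders chosen for the demo.

# 1. Outbound rule: stop processes on this server browsing the Web (TCP 80/443).
#    Caveat from the text: a block like this also stops Windows Update unless
#    its traffic is excepted, so test before deploying on production servers.
netsh advfirewall firewall add rule name="Demo block outbound Web" dir=out action=block protocol=TCP remoteport=80,443

# 2. Allow every protocol and port from one management host in a single rule
#    (protocol=any), instead of one exception per port as the old firewall needed.
netsh advfirewall firewall add rule name="Demo allow all from mgmt host" dir=in action=allow protocol=any remoteip=192.0.2.10

# 3. Multiple ports and a port range in one rule (RDP plus a constructed app range).
netsh advfirewall firewall add rule name="Demo allow RDP and app ports" dir=in action=allow protocol=TCP localport=3389,8000-8010

# 4. ICMP by type and code: ICMPv4 echo request (type 8, any code) from the local subnet only.
netsh advfirewall firewall add rule name="Demo allow ping from LAN" dir=in action=allow protocol=icmpv4:8,any remoteip=localsubnet

# 5. Per-service and per-interface-type: the DNS Server service (short name "dns"),
#    UDP 53, reachable on wired LAN interfaces but not wireless or remote access.
netsh advfirewall firewall add rule name="Demo DNS on LAN only" dir=in action=allow protocol=UDP localport=53 service=dns interfacetype=lan

# 6. Raw IP protocol number: 47 is GRE, which a PPTP VPN server has to accept.
netsh advfirewall firewall add rule name="Demo allow GRE" dir=in action=allow protocol=47

if ($LASTEXITCODE -ne 0) { Write-Warning "netsh returned an error; make sure this prompt is elevated" }

# Verify what was created (netsh prints every property of each matching rule).
$demoRules = 'Demo block outbound Web', 'Demo allow all from mgmt host', 'Demo allow RDP and app ports',
             'Demo allow ping from LAN', 'Demo DNS on LAN only', 'Demo allow GRE'
foreach ($r in $demoRules) { netsh advfirewall firewall show rule name="$r" }

# Clean-up so the demonstration leaves no rules behind; drop this loop to keep them.
foreach ($r in $demoRules) { netsh advfirewall firewall delete rule name="$r" }
```

Rules 2 and 5 are the ones that were impractical before WFAS: one rule covers every port from the management host, and the service and interface-type filters let the DNS exception be scoped to the service that actually needs it rather than to every process listening on port 53.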

The way that profiles operate in WFAS is a bit different from the previous version. With the old Windows Firewall there are two profiles: Domain and Standard. If your machine is joined to a domain and Windows determines that you are operating on the network associated with the Windows domain, then the Domain profile is used. Otherwise the Standard profile is used. This allows for different firewall rules depending on which network you are connected to. The idea is that you may want stricter firewall rules if you are away from the home office, at a coffee shop, etc.

With WFAS there are now three profiles: Domain, Private, and Public. The Domain profile operates as it did before. The Public and Private profiles are used when you are connected to a non-domain network, similar to the legacy Standard profile. The difference is that you can designate a particular network as Public or Private. Public is used by default and has more restrictive rules, but you can switch to the Private profile for a particular network from the Network Sharing Center, accessible from the Control Panel. To switch between the Public and Private profiles, open the Network Sharing Center and click on "Customize".
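The profile behaviour described above can be inspected and tightened from the same netsh context. This is an added example and not from the article: it shows which profile is active, applies the default inbound-block/outbound-allow policy to all three profiles, gives the Public profile the stricter "block inbound always" policy, and turns on logging of dropped connections. The log path is the firewall's default location; the policy choices are assumptions made for the demonstration. Run it from an elevated prompt.

```powershell
# Added example (not from the original article): per-profile WFAS settings.
# Run elevated on Vista / Windows Server 2008 or later.

# Show which profile (Domain, Private or Public) is active now and its settings.
netsh advfirewall show currentprofile

# Make sure the firewall is on for every profile and set the baseline policy:
# block unsolicited inbound traffic, allow outbound (the WFAS default the text describes).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# The Public profile is what an unknown network gets by default, so give it the
# stricter policy: drop all inbound traffic, even traffic an allow rule would admit.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

# Log dropped connections for every profile so blocked traffic can be reviewed
# later (the path below is the firewall's default log location).
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename $logPath

if ($LASTEXITCODE -ne 0) { Write-Warning "netsh returned an error; make sure this prompt is elevated" }

# Review the result for all three profiles side by side.
netsh advfirewall show allprofiles
```

Because the three profiles are configured independently, a rule or policy applied with "allprofiles" is the safe way to make sure a server is protected no matter which network type Windows decides it is connected to.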

March 22, 2008
By Ryan Bass
