Since its inception, the Windows Server 2003 SP1 firewall has been a basic, inbound-only, host-based, stateful firewall. With Windows Server 2008, the built-in firewall has been dramatically improved. Let's find out how the new advanced firewall can help you and how to configure it using the MMC snap-in.
Why use the Windows host-based firewall?
Many companies today secure their network using the "hard outer shell / gooey center" approach. What this means is that they create a strong perimeter around their network with firewalls and IPS systems, protecting themselves from malicious attackers on the Internet. However, if an attacker could penetrate the outer perimeter and gain access to the internal network, there would only be Windows authentication security to stop them from gaining access to the company's most valuable assets -- their data.
This is because most IT pros don't secure their servers with host-based firewalls. Why is that? We see host-based firewalls as being "more trouble than they are worth."
After reading this article, I hope that many of you will take a second look at the Windows host-based firewall. With Windows Server 2008, the host-based firewall is built in to Windows. It is already installed, now has more features, and is now easier to configure. Plus, it is really one of the best ways to secure a crucial infrastructure server. So, what can the Windows Server Advanced firewall do for you, and how do you configure it? Let's find out.
What does the new advanced firewall offer, and how can it help you?
New with Windows Server 2008, the built-in firewall is now "advanced." And it isn't just me saying that: Microsoft now calls it the "Windows Firewall with Advanced Security" (let's abbreviate that as WFAS).
Here are the new features that help justify that new name:
- New GUI interface: An MMC snap-in is now available to configure the advanced firewall.
- Bi-directional: Filters outbound traffic as well as inbound traffic.
- Works better with IPsec: Now the firewall rules and IPsec encryption configurations are integrated into one interface.
- Advanced rules configuration: You can create firewall rules (exceptions) for Windows Active Directory (AD) service accounts and groups, source/destination IP addresses, protocol numbers, source and destination TCP/UDP ports, ICMP, IPv6 traffic and interfaces on the Windows Server.
With the addition of being a bi-directional firewall, a better GUI and advanced rules configuration, the Windows Advanced firewall is bordering on being as good as traditional host-based firewalls (like ZoneAlarm Pro, for example).
I know that the first concern of any server admin in using a host-based firewall is: what if it prevents critical server infrastructure apps from functioning? While that is always a possibility with any security measure, WFAS will automatically configure new rules for any new server roles that are added to the server. However, if you run any non-Microsoft applications on your server that need inbound network connectivity, you will have to create a new rule for that type of traffic.
By using the advanced windows firewall, you can better secure your servers from attack, your servers from attacking others, and really nail down what traffic is going in and out of your servers. Let's see how it is done.
What are the options for configuring Windows Firewall with Advanced Security?
Previously, with Windows Server, you could configure the Windows firewall when you went to configure your network adaptor, or you could configure it from the control panel. The configuration was very basic.
With Windows Firewall with Advanced Security (WFAS), most admins will configure the firewall either from Windows Server Manager or the MMC with only the WFAS snap-in. Here is what they both look like:
Figure 1: Windows 2008 Server Manager
Figure 2: Windows 2008 Firewall with Advanced Security MMC only
What I have found is that the quickest and easiest way to start the WFAS MMC is to just type firewall in the Start menu search box, like this:
Figure 3: Windows 2008 Firewall with Advanced Security MMC only
There is also a new netsh advfirewall CLI option for configuring WFAS.
What can I configure using the new WFAS MMC snap-in?
Because there are so many possible features you can configure with the new WFAS MMC snap-in, I can't possibly cover them all. If you have ever seen the configuration GUI for Windows 2003 built-in firewall, you will quickly notice how many more options there appear to be with WFAS. However, let me hit on a few of the most frequently used.
When you first go into the WFAS MMC snap-in, by default, you will see that WFAS is ON and blocking inbound connections that don't have a matching outbound rule. In addition, the new outbound firewall is turned off.
Something else you will notice is that there are also different profiles for WFAS (see Figure 4 below).
Figure 4: Profiles now available in Windows 2008 Firewall with Advanced Security
There are a domain profile, private profile and public profile for WFAS. What these different profiles allow you to do is take the many inbound and outbound rules you may have and apply that group of firewall rules to your computer based on where your computer is connected to the network (say the corporate LAN vs. the local coffee shop).
Out of all the improvements we have talked about with WFAS, in my opinion, the most significant improvement is the addition of more sophisticated firewall rules. Take a look at the Windows 2003 Server Firewall option to add an exception (a rule), in Figure 5.
Figure 5: Windows 2003 Server Firewall Exception window
Now, let's compare that to Windows 2008 Server:
Figure 6: Windows 2008 Server Advanced Firewall Exception window
Notice how the Protocols and Ports tab is just a small part of the multi-tabbed window. You can also configure rules to apply to Users and Computers, Programs and Services, and IP address scopes. With this type of sophisticated firewall rules configuration, Microsoft has pushed WFAS more toward Microsoft's IAS server.
The number of default rules offered by WFAS is truly amazing. In Windows 2003 Server, there were the three default exceptions (rules). Not so in Windows Server. WFAS offers about 90 default inbound firewall rules and at least 40 default outbound rules -- Wow!
Figure 7: Windows 2008 Server Advanced Firewall Default Inbound Rules
How to create an inbound custom firewall rule
So, how do you create a rule using the new Windows Advanced Firewall? Let's step through it.
Say that you have installed Apache Web server for Windows on your Windows 2008 Server. If you had used IIS, built-in with Windows, the port would have been automatically opened for you. However, as you are using a third-party Web server and you have the inbound firewall enabled, you must manually open the port.
Here are the steps to follow:
- Identify the protocol you want to filter: In our case, it is going to be TCP/IP (as opposed to UDP/IP or ICMP)
- Identify the source IP address, source port number, destination IP address and destination port number: Our Web traffic will be coming from any IP address and any port number, going to this server, on port 80. (Note that you could also create a rule for a certain program, such as the apache HTTP Server).
- Open the Windows Firewall with Advanced Security MMC
- Add the rule: Click on the New Rule button in Windows Firewall with Advanced Security MMC to bring up the New Inbound Rule Wizard.
Figure 8: Windows 2008 Server Advanced Firewall MMC – new rule button
- Select that you want to create a rule for a port.
- Configure protocol & port number: Take the default of TCP, enter the port number as 80, and click "Next."
- Take the default of "allow this connection," and click "Next."
- Take the default of applying this rule to all profiles, and click "Next."
- Give the rule a name and click "Finish."
At this point, you should have a rule that looks like this:
Figure 9: Windows 2008 Server Advanced Firewall MMC – after rule was created
I tested that my newly installed Apache Web server would not work when just installed with the firewall enabled. However, after the rule, it works great!
With firewall profiles, sophisticated rule configuration, and 30 times more default rules than it predecessor, the Windows 2008 Server firewall truly lives up to its name, showing that it really is the "advanced" firewall that Microsoft claims it to be. I believe that this built-in, free, advanced host-based firewall will make sure that the Windows servers of tomorrow are much more secure. However, it cannot help to secure your server unless it is used. So, I hope you will try out the new Windows Advanced Firewall