In-Depth

The Windows Firewall: You Can Turn It on Now

Too intimidated to enable your Windows XP and Windows Vista Firewall? Be afraid no more.

Some consider it one of Microsoft's greatest blunders. With the release of Windows XP Service Pack 2 (SP2), Microsoft made the conscious decision to turn on the Internet Connection Firewall (ICF) for all connections. Administrators not used to the idea of network security at the desktop scrambled to figure out what to do. Whether due to lack of time, planning or understanding of how that firewall actually worked, many elected to simply turn it off. In one fell swoop, Microsoft's decision put a black eye on the idea of host-based firewalls for a generation of systems administrators.

The problem with Microsoft's decision was not that forcing it on was a bad idea. In many ways, it wasn't. A fully developed, host-based firewall with centralized control is an excellent tool to help secure the otherwise unsecured insides of a corporate network. The problem was in getting it fully developed. Enabling it for computers attached to a domain required a Herculean effort of application testing and configuration tuning. Because of this concerning level of up-front work, the ICF in many environments went disabled with SP2. For many it remains that way today.

On When Off
It's time to turn that firewall back on. But before you snicker and turn the page, this time we're only going to do it when computers aren't connected to your domain. Why this "on when off" policy? Because doing it this way improves the protection of your machines when they're connected to the least protected of networks, while at the same time eliminating firewall-management headaches when they return home.

The Windows firewall in both XP and Vista comes equipped with multiple profiles. You can use these profiles to protect different types of networks. With XP, the firewall includes two profiles. The "Domain Profile" enables protection when the computer is connected to its Active Directory domain. If the computer is connected to the network that contains the domain controllers for its domain and has authenticated to that domain, the Domain Profile is used. The other profile, called the "Standard Profile" protects networks when that computer connects to any other network.

Enabling the firewall for the Domain Profile can be challenging. LAN-based applications expect certain levels of connectivity between client and server. Enabling the ICF without the proper tuning while on the domain can impact that connectivity. Because of this, if your corporate network includes dozens or hundreds of applications, all of which rely on LAN communication for their operation, enabling the ICF's Domain Profile can require a substantial effort in testing and application conflict evaluation.

The Standard Profile is another matter entirely. As the Standard Profile is used when computers are away from the domain, this protects company notebooks that are connected in coffee shops, airports and other unprotected networks. These networks arguably have a greater potential for infecting notebooks than those within your secured internal LAN. Even better, since applications off the network don't have the same expectations for network connectivity, you can take an all-or-nothing approach.

Figure 1
[Click on image for larger view.]
Figure 1. The Windows XP Firewall's 14 possible Group Policy settings.

IneXPensive Firewall
The easiest way to manage your XP firewalls is through Group Policy. If you haven't yet created a Group Policy Central Store, XP's ICF is managed in the Microsoft Management Console's Group Policy Editor through Computer Configuration \ Administrative Templates \ Network \ Network Connections \ Windows Firewall. If you have, you must add the WindowsFirewall.admx policy definition file to your SYSVOL to see this path.

Once there, look directly beneath this location. You'll see configurations for both the Domain and Standard profiles. Clicking on either of these will show you the 14 available firewall configurations shown in Figure 1.

As mentioned ealier, configuring the Domain Profile can be administratively challenging, partially due to the needs of applications on the LAN. These applications can require ports to be opened in the firewall and program exceptions, any of which require testing and evaluation on your part. Conversely, when machines are not connected to your internal LAN, giving them the best protection means going "shields up." This prevents any external traffic from reaching the machine. You can do this by enabling only four settings:

  • Protect all network connections. Setting this to "Enabled" turns on the Windows Firewall for this profile.
  • Do not allow exceptions. Enabling this blocks all external traffic and overrides any other policy settings. This, however, does not block the notebook from initiating connections. Users will still be able to use the Internet and other machine-initiated applications.
  • Allow ICMP exceptions. Enabling this optional setting and all sub-settings allows the notebook to respond to external ICMP ping packets. Though this does open a hole in the firewall, lacking the ability to ping a notebook makes the troubleshooting process challenging.
  • Prohibit notifications. Many firewalls notify the user when a connection is blocked. These notifications can be distracting for non-technical users. As you're blocking everything, user training may be a better solution than showing them a notification. Consider this another optional setting.
  • Additionally, 10 other options are available to further configure the firewall for this profile. In some cases, you may want to incorporate an exception for management servers, remote administration or Remote Desktop. Any of these can be done through the other configurations.

    Once you've completed creating the policy, apply it to a test Organizational Unit and take a look at how the policy applies. You'll see that when the test machine is connected to the network and the Active Directory domain, the firewall is turned off. Once that test machine is disconnected or otherwise can't access the domain, the firewall automatically becomes enabled without any further action by the user.

    Vistas of Improvement
    You'll notice that using Group Policy to manage XP firewalls can be a management headache. Configuring the firewall is a text-based exercise. The process of creating port and program exceptions involves creating sets of text-based lists that grow more difficult to manage as they increase in number.

    Figure 2
    [Click on image for larger view.]
    Figure 2. Vista's firewall configuration using Group Policy is much easier.

    Vista changes all that with a set of improvements to its Group Policy management interface. Specifically, managing Vista firewalls involves a new graphical interface. If you navigate to Computer Configuration \ Windows Settings \ Security Settings \ Windows Firewall with Advanced Security and click on the link for "Windows Firewall Properties," you'll see a screen similar to Figure 2. There, you can enable the firewall and configure the default behavior for inbound and outbound connections through an easy-to-understand GUI.

    You'll also notice that the Standard Profile and Domain Profile from XP have been updated a bit. The Domain Profile remains and behaves in the same way, but the Standard Profile is no more. Replacing it are the "Private Profile" and "Public Profile." This separation was done to provide for a third class of networks we'll think of as semi-trusted environments. Remember that Vista also changes the process by which networks are identified. As the Vista client connects to a new network, the user is prompted to select the type of network. Those labeled "Public Location" are intended for coffee shops, airports and other non-trusted environments. These refer to the Public Profile.

    "At Home" networks are used when the user is in a semi-trusted environment such as a partner network or their home network. These relate to the Private Profile. By default, users are given the choice to select the type of network they're connecting to.

    Breaking apart the Standard Profile allows you, the administrator, to set firewall policy based on the "truthiness" of the network. For networks in the Public Profile, you'll want to retain the same shields-up approach as with the Standard Profile. But now with the Private Profile you can optionally configure the firewall with a few specific exceptions such as file and printer sharing. If users then need to make use of those firewall exclusions from their home or other semi-trusted networks, they can.

    Similar to how we set up our network with XP, here's a way you can minimally configure the firewall in Vista. First, from the Windows Firewall with Advanced Security node, click on "Windows Firewall Properties." For the Domain Profile, set the Firewall State to "Off." Set it to "On" for the Private and Public Profile. For the Public Profile, set Inbound Connections to "Block All Connections." For the Private Profile, set it to "Block (Default)."

    For all three profiles, under the Settings tab, set Display a Notification to "No." Just as with XP, this prevents notifications from distracting users. Under Rule Merging, set both to "No." This prevents users from changing firewall settings locally and overriding your configuration. Lastly, under the IPsec Settings tab, set Exempt ICMP from IPsec to "Yes" to allow the machine to process ICMP ping packets.

    One of the major benefits with the move to Vista involves an improvement to how exclusions are created within Group Policy. Specifically, several pre-defined rules are now available that make easier the process of creating exclusions for inbound or outbound traffic.

    If you right-click on the Inbound Rules node and select "New Rule," you'll be greeted with a wizard for the creation of a new rule. Let's assume that you trust your users to select the Private Profile when they're in their home or business partner networks. In these networks, you want them to be able to do file and printer sharing.

    In this wizard, if you click the radio button for "Predefined Rules," you'll see an entry for File and Printer Sharing. Selecting this button and choosing "Next" configures and shows you the correct inbound rules for doing this. Clicking "Next" again, select "Allow the Connection." The result of doing this enables file and printer sharing across all profiles. By selecting the properties of each resulting rule and navigating to the Advanced tab, it's possible to restrict the rule to just the Private Profile alone.

    This is just one example of how the procedure for creating firewall exemptions has improved in Vista. As you begin working with Vista's firewall you'll discover that its ability to be tuned specifically for your network needs is much enhanced from XP.

    How About Now?
    Forcing the firewall on four years ago might have been an overly bold move on the part of Microsoft. But we've shown here that with just a little bit of work it can be a useful addition to some parts of your network's security. Using easy-to-set up configurations, the Windows firewall in both Vista and XP can help protect your users' equipment when they're on the least secure of networks.

    Obviously, there's still a lot of testing to be done with any of these changes, but it's easy to see that with a couple of keystrokes, the no-cost Windows firewall can be another effective tool you can utilize in protecting your network.

    Now it's up to you to turn it on.

    comments powered by Disqus

    Reader Comments:

    Tue, Apr 29, 2008 M gardler Wisconsin

    Wow, sounds like the security through obscurity rule has and is fully in place. Sure all the malicious users are thanking you for this. Learn the tool, use the tool and protect the many. If configured correctly, could be used as an ultimate security tool, but as I've seen for years in enterprise organizations, easier to just push it aside because it seems to difficult.

    Tue, Apr 8, 2008 M McAll Anonymous

    Actually the problem with the firewall is that it doesn't ask for permission for programs going out to the internet or network.........it only asks permission for incoming connections.......

    Mon, Mar 3, 2008 Greg Shields Anonymous

    You make an excellent point. But the gist of this piece is directed towards those administrators who already have turned off the firewall -- hence the name. Many of those people have already turned it off because they fear the problems it can cause. This piece is designed to help them slowly gain familiarity with it so they feel comfortable with enabling it again. Thanks for the comment!

    Sun, Mar 2, 2008 Peter Anonymous

    I would strongly disagree with turning the host-based firewall off just because it might be difficult to configure.

    Running in LUA mode is difficult too, but that's not a reason to not do it. Since moving to an LUA model and turning on the XP firewall we have seen the number of virus and malware incidents drop to zero.

    If a host-based firewall provides good protection when away from the domain network, it also provides good protection when the machine is connected to a domain network and is an important part of a defense in depth strategy.

    Add Your Comment Now:

    Your Name:(optional)
    Your Email:(optional)
    Your Location:(optional)
    Comment:
    Please type the letters/numbers you see above

    Redmond Tech Watch

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.