- By Greg Shields
This is the fourth installment of a five-part series by contributing editor
Greg Shields, which has been taking a hard look at Microsoft's upcoming Windows
Server 2008 operating system, also commonly known as "Longhorn."
The series has been evaluating the product's new technical features in order
to weigh their usefulness to IT admins, as well as how it might affect a range
of other core Microsoft server and desktop products. This month takes a look
at the advantages of Longhorn's updated firewall technology.
There's a lot to be excited about with the Windows Firewall with Advanced Security
in Windows Server 2008. While much of the technology's core functionality is
actually part of the Windows Vista release, Server 2008 adds some much-needed
features that improve its centralized management. Specifically, Server 2008's
Group Policy editor gains a dedicated firewall node and a set of rule wizards
that make configuring host firewalls all around your network far easier.
Not Exactly New
Let's take a look at what's not exactly new. Server 2008's firewall carries over
all of the features Vista introduced for hardening a host, and brings those same
protections to the servers in the data center.
First up is the addition of outbound filtering to the types of traffic the
firewall can manage. The XP firewall only inspected inbound connections; the new
one can control traffic both into and out of the host. Outbound rules are designed
to keep the local computer from connecting to others over particular ports,
protocols or programs. If you're concerned about a particular application or
service communicating with other computers, such as BitTorrent or peer-to-peer
file-sharing apps, outbound filtering lets you specifically prevent that traffic
from exiting your servers. One caveat: the default outbound action in every
profile is Allow (inbound defaults to Block), so outbound filtering only bites
where you create explicit block rules or change the profile's default outbound
action to Block.
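The following is an added example, not code from the article or from Microsoft, showing how the outbound-filtering scenario just described is configured from the command line. It uses netsh advfirewall, the command-line front end to Windows Firewall with Advanced Security that ships with Vista and Server 2008 (the NetSecurity PowerShell cmdlets did not exist yet). The program path and rule name are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example (not from the article). Block a peer-to-peer client's
# outbound traffic on a Windows Server 2008 host, then verify the result.
# The executable path below is a hypothetical one; substitute your own.

# 1. Add an outbound block rule tied to the executable, in all three
#    profiles (Domain, Private, Public). Rules are evaluated before the
#    profile's default action, so this takes effect immediately.
netsh advfirewall firewall add rule `
    name="Block outbound - uTorrent" `
    dir=out action=block enable=yes profile=any `
    program="C:\Program Files\uTorrent\uTorrent.exe" `
    description="Prevent a peer-to-peer client from leaving this server"

# 2. Caveat: the default OUTBOUND action is Allow, so any program without
#    a block rule still gets out. To turn outbound filtering into a true
#    allow-list, flip the default to Block (inbound stays Block). Only do
#    this after allow rules exist for what the server legitimately needs
#    (DNS, Kerberos/LDAP to domain controllers, WSUS, monitoring agents).
#    The line is left commented because it is disruptive if run untested.
# netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 3. Verify: show each profile's state and default actions, then the rule.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="Block outbound - uTorrent" verbose

# 4. Watch for the block: once logging of dropped packets is on, the
#    attempts show up in the firewall log as DROP entries with dir=SEND.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
```

The same netsh lines work unchanged in cmd.exe; the backtick is only PowerShell's line-continuation character. Note that step 2 is the part most admins skip, which is why an outbound "block the bad program" rule gives a false sense of coverage: anything you did not name is still allowed out.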
Another feature Server 2008 shares with Windows Vista is the addition of a
third firewall profile. Windows XP provided only two firewall profiles: the
Domain profile when connected to an Active Directory domain, and the Standard
profile when not. Vista and Server 2008 rename one of the profiles, while adding
a third one to the mix. The Domain profile stays the same, while the Standard
profile is renamed to the Public profile.
The Private profile is new. This profile is intended to provide a configuration
for situations that aren't within the protected domain and yet aren't fully
unprotected, either. If you think of the Public profile as for unprotected "coffee
shop" environments, think of the Private profile for semi-protected environments
like in partner company networks or home networks.
Because most servers rarely move between network environments, these new profiles
will likely be of limited use. Bear in mind, too, that Vista and Server 2008
activate only one profile at a time: a machine with several network connections
uses the most restrictive profile among them, so a server with one adapter on an
undomained network drops to the Private or Public rule set for all of its
traffic. On the plus side, the firewall settings are identical between Vista and
Server 2008, so the same Group Policy settings you build for the desktops can be
applied to servers as well.
Great Group Policy
Where all of this truly shines is in Server 2008's new configuration screens
for Group Policy. With earlier operating systems, the Group Policy settings
for configuring the Windows Firewall were difficult to understand and use. Configured
as Administrative Templates, individual program and port exceptions were typed
into the Group Policy Object by hand in a colon-delimited syntax such as
3389:TCP:*:enabled:Remote Desktop for a port, or a full executable path followed
by scope, status and name for a program, and a single mistyped field silently
broke the exception. Due to this steep learning curve, many admins elected to
simply disable the firewall rather than learn its complexities.
Server 2008 flattens that learning curve by moving the firewall's Group Policy
configuration out of Administrative Templates and into Security Settings (under
Computer Configuration, Windows Settings, Security Settings, Windows Firewall with
Advanced Security). There, under its own node, firewall settings are configured
through the same graphical interface used on the local machine. Each of the three
profiles, as well as connection security rules and firewall rules, gets its own
wizard. When creating new inbound or outbound rules, the wizard also offers a set
of predefined rules that quickly cover common needs like File and Printer Sharing
or Remote Administration, so you no longer have to look up which ports those
services use.
Combining Windows Vista clients with Server 2008 also improves the configuration and
management of server and domain isolation environments. Both are built on the
firewall's connection security rules, which use IPsec to authenticate computers to
each other before traffic is allowed. Domain isolation requires that authentication
for inbound connections, so that computers outside the domain (which cannot
authenticate) are kept away from the inside of the business network. Server
isolation goes a step further: because connections are now authenticated, firewall
rules on highly sensitive servers can be scoped to specific computer or user
groups, protecting the data on those hosts from access by unauthorized personnel.
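The following is an added example, not code from the article or from Microsoft, that builds the domain-isolation and server-isolation configuration just described from the command line and writes it into a Group Policy Object instead of the local store. The domain name, GPO name, the CORP\Finance Servers group and the SQL port are all assumptions for illustration; run it from an elevated prompt on a domain-joined machine.

```powershell
# Added example (not from the article). Domain isolation plus server
# isolation via netsh advfirewall, written to a GPO. Names are hypothetical.

# 1. Point netsh at the GPO rather than this machine's local policy. Every
#    rule that follows is stored in the GPO and reaches member servers once
#    the GPO is linked and Group Policy refreshes. "set store local" undoes it.
netsh advfirewall set store gpo="corp.example.com\Server Firewall Baseline"

# 2. Domain isolation: a connection security rule that REQUIRES IPsec with
#    Kerberos computer authentication for inbound connections and only
#    REQUESTS it for outbound. Domain members can authenticate; computers
#    outside the domain cannot, so they are refused. Outbound only requests,
#    so member servers can still reach unauthenticated peers such as
#    printers or the Internet.
#    Roll-out tip: start with action=requestinrequestout, confirm in the
#    monitor output (step 5) that every legitimate peer negotiates IPsec,
#    and only then switch to requireinrequestout. Going straight to
#    "require" cuts off any non-domain client you forgot about.
netsh advfirewall consec add rule `
    name="Domain isolation - require inbound, request outbound" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb `
    profile=domain enable=yes

# 3. Server isolation: with authenticated connections, an inbound firewall
#    rule can be scoped to a computer group. Resolve the group to its SID
#    (netsh wants an SDDL string, not a name) using .NET, which is available
#    in the PowerShell that ships with Server 2008.
$sid = ([System.Security.Principal.NTAccount]'CORP\Finance Servers').Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 4. Allow SQL Server's port only from members of that group; security=
#    authenticate is mandatory when a remote computer group is specified.
netsh advfirewall firewall add rule `
    name="SQL Server - finance tier only" `
    dir=in action=allow enable=yes profile=domain `
    protocol=TCP localport=1433 `
    security=authenticate `
    rmtcomputergrp="D:(A;;CC;;;$sid)"

# 5. Verification, run ON a member server after Group Policy applies, so
#    switch back to the local store first. The consec rule should list, and
#    once peers connect, main-mode security associations appear with the
#    Kerberos identity of each authenticated computer.
netsh advfirewall set store local
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

The two halves depend on each other: the firewall rule in step 4 is only meaningful because step 2 forces the peer to prove its identity first, which is exactly why the article treats domain isolation as the foundation and server isolation as the layer on top of it.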
[This article is based on pre-release information, which may change prior
to the full release -Ed.]
Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.