In this video, we’ll take a look at Windows Firewall and the many ways to configure it. First, let me show you the various ways to access the Firewall. The simplest one is from the Control Panel: go to Control Panel, then System and Security, then Windows Firewall. You can also reach Windows Firewall through Network and Internet, then Network and Sharing Center. Back here in Windows Firewall, we can see what type of network we are connected to; in my case, I’m only connected to the Domain network. You cannot do much in this interface, though, aside from turning the firewall on or off and setting Firewall exceptions for apps. You also can’t open or close specific ports here.
Generally, we want to keep the Firewall on to protect our computers. If you run netstat -a in the Command Line or PowerShell, it will list all the ports on the server and show which ones are listening and which connections are established.
You might want to lock down the other ports that aren’t supposed to be open, so it’s worth getting to know these ports. If we turn off the firewall, our computers become vulnerable to hackers. The general idea is that they would use the open ports, such as port 80 or any other port that is open, to perform attacks that gain access and at the same time make the service that was running on that port unavailable. Without the Firewall on, it’s like leaving the front door unlocked for unwelcome guests, unless of course you have a third-party firewall turned on. But even with a third-party firewall, you are still susceptible to offline threats like viruses and malware from thumb drives, which could send confidential data to outside hosts.
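The netstat -a check above answers "what is listening?", but the question a defender really wants answered is "which listening ports are not supposed to be there, and which firewall rule lets them in?". The script below is an added example, not code from the video; it uses the Get-NetTCPConnection and NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later, and the allow-list of expected ports is constructed for illustration.

```powershell
# Added example (not from the video): list listening TCP ports with their owning process,
# flag any that are not on an allow-list, and find the enabled inbound allow rule that exposes them.
# Assumption: Windows 8 / Server 2012 or later (Get-NetTCPConnection and Get-NetFirewall* exist).
$expectedPorts = @(80, 135, 445, 3389)   # constructed: the ports this server is supposed to expose

# One row per listening port, with the process that owns the socket.
$listeners = Get-NetTCPConnection -State Listen |
    Sort-Object -Property LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessName  = if ($proc) { $proc.ProcessName } else { 'unknown' }
            PID          = $_.OwningProcess
            Expected     = $expectedPorts -contains $_.LocalPort
        }
    }

$listeners | Format-Table -AutoSize

# Anything listening that is not on the allow-list deserves either a firewall rule or a stopped service.
$unexpected = $listeners | Where-Object { -not $_.Expected }
if ($unexpected) {
    Write-Warning ("Unexpected listening ports: " + (($unexpected.LocalPort | Sort-Object -Unique) -join ', '))
}

# Cross-check each unexpected port against the firewall: which enabled inbound allow rule matches it?
foreach ($u in $unexpected) {
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -eq "$($u.LocalPort)" } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    if ($allowRules) {
        "Port {0} ({1}) is allowed in by: {2}" -f $u.LocalPort, $u.ProcessName, ($allowRules.DisplayName -join '; ')
    } else {
        "Port {0} ({1}) is listening but no enabled inbound allow rule matches it (firewall blocks it)" -f $u.LocalPort, $u.ProcessName
    }
}
```

A port that is listening but has no matching allow rule is exactly the case the firewall protects you from; a port that is listening and has an allow rule you did not expect is the one to investigate, either by disabling the rule or by stopping the service that owns the socket.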
Notice that there are some check boxes underneath each type of network here. One says “Notify me when Windows Firewall blocks a new app”. This feature was already present in older versions of Windows, but the problem is that when it is turned on and you open something like an email client, which might check a POP mailbox on TCP port 110, it prompts you to allow or block, and if you allow it, it opens that port. That is not good, especially for an average user.
Here you may also block all incoming connections. But that’s a little absurd, because there’s no point in adding the computer to the network if you won’t allow it to connect to anything at all. There are also Domain, Private, and Public settings, which correspond to these: Home, Work and Public network.
Public – you choose this setting when connecting to a network like a hotel lobby. This setting won’t allow sharing to happen, will not allow any unsolicited inbound connections, and adds other protections to make sure that no one can hack into your computer from outside.
Home is the equivalent of Private. Only an administrator account can select this; a user that is not an administrator cannot. Generally speaking, you select this if you have a firewall configured.
Work is actually Domain. I guess they called it Work to make it more user friendly. It has the same settings as Private; the only difference is that if you are authenticated by the Domain Controller, this setting is selected automatically. You should also note that it’s best to set up different Firewall rules for each connection profile, and, by the way, when you install Windows features the system automatically opens certain ports, as you can see here when I click “Allow an app or feature through Windows Firewall”. You might want to disable some of these features for Public networks. You can also allow certain apps through the Firewall here.
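Because features open ports automatically and every rule carries a profile, the practical check is: which enabled inbound allow rules would still apply if this machine were plugged into a Public network? The following is an added example, not code from the video; it assumes Windows 8 / Server 2012 or later, and the “File and Printer Sharing” display group is a built-in group used here only to illustrate trimming a feature back to the trusted profiles.

```powershell
# Added example (not from the video): see which profile each adapter is on, list the inbound
# allow rules reachable from the Public profile, then restrict one feature to Domain/Private.
# Assumption: Windows 8 / Server 2012 or later; changing profiles or rules needs an elevated session.

# Which profile is each network adapter currently using? (Only an administrator can change it.)
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Rules whose Profile is 'Any' or includes 'Public' are reachable on an untrusted network.
$publicExposed = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -eq 'Any' -or $_.Profile -match 'Public' }

$publicExposed |
    Select-Object DisplayName, DisplayGroup, Profile |
    Sort-Object DisplayGroup, DisplayName |
    Format-Table -AutoSize

# Keep a feature working on the Domain and Private profiles only, so it is no longer
# exposed when the machine lands on a Public network. -WhatIf previews the change;
# remove it to apply. ('File and Printer Sharing' is a built-in display group, used as the example.)
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Profile Domain,Private -WhatIf
```

Working on the display group rather than a single rule matters here: a feature such as file sharing is made of several rules (SMB, NetBIOS, echo requests), and narrowing only one of them leaves the others open.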
Another way to set up the Firewall is through Windows Firewall with Advanced Security, or WFAS, which you can access here by clicking Advanced Settings. Here you’ll see more specific, preset rules which pretty much explain themselves. You’ll also see the same enabled rules from earlier, but in more detail, by clicking one of them, for example World Wide Web Services, which is on port 80, by the way. You can also customize these specific rules by deselecting “Enabled” over here, but make sure that you enable it again after you’re done editing.
Also, here you might notice “Allow the connection if it is secure”, which works in tandem with the “Connection Security Rules” over here. If you click Customize, you can choose the settings that work best for your needs, but for now I’ll just choose Allow the connection. Then, if you go to Remote Computers, you can allow connections only from certain computers. You can only do this if you chose “Allow only secure connections” earlier, because obviously you need an authentication method if you want only authenticated users to be allowed to make connections. Also, here in the Scope tab, you can specify or customize the IP addresses that you want to allow connections from, or you can just choose Any if you want to be available to everyone on the web, for example.
And if you’re in a huge organization that has multiple servers, the best way to set up a Firewall rule is through a Group Policy Object linked to the Organizational Unit where the servers are. It is not really recommended to edit the firewall policy on the domain controller, but for demonstration purposes I’ll just edit this one. And if we go down to:
- Windows Settings
- then Security Settings
- then down to Windows Firewall with Advanced Security
it will show you the same UI as on the local computer, which makes things easier to understand. If you right click on it and choose Properties, you can configure the connection profiles.
But if you want to make a new rule, for example an Inbound Rule: now, if you do this, it overrides the default rules. Here you can choose which program is allowed to open a port, or just specify a port and not a program, or you could use a predefined rule, but for now I’ll use Custom because it’s more flexible. As you click Next, you can choose which programs you want to work with. Then here you choose the protocol type; I’ll use TCP on this one, and I just want a specific local port, which is port 80. For remote ports, I’ll allow all ports. As you click Next, you can specify the IP addresses this rule applies to. For local IP, I’ll allow any. But for remote IP, my goal here is to allow only one IP address to access this, so for example I just want to allow this IP address, which is 192.168.3.100. You can also choose from a predefined set of computers over here. Over here, I’ll just allow the connection, then click Next. These won’t really matter at the moment, so I’ll just leave them at that. Then I’ll name this “Allow HTTP only to 192.168.3.88”.
For this to work, I first need to disable the existing policy for the Web Services in WFAS and then run GPUPDATE. Now, if you try to open this IP address in your browser from a computer with an IP other than 192.168.3.88, you won’t be able to view it.
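The same rule the wizard builds above can be written into the GPO from PowerShell, which is easier to review and repeat across OUs. This is an added example, not code from the video. The domain name contoso.local, the GPO name “Web Servers Firewall” and the predefined rule’s display name are placeholders; 192.168.3.88 is the single remote address the rule in the video is named after. The example goes one step beyond the video in using the profile’s rule-merging setting rather than disabling the predefined rule by hand, because with merging left on, the server’s own World Wide Web Services rule would still allow port 80 from anywhere.

```powershell
# Added example (not from the video): the video's custom inbound rule, created in a GPO with the
# NetSecurity cmdlets. Placeholders (not from the video): the domain contoso.local and the GPO
# "Web Servers Firewall" linked to the servers' OU. Run from a domain-joined admin session.
$gpo = 'contoso.local\Web Servers Firewall'

# 1. Stop the servers' local rules from merging with this GPO for the Domain profile. Otherwise the
#    predefined "World Wide Web Services" allow rule that IIS installed locally still lets port 80 in
#    from any address, and the narrower GPO rule changes nothing. (The video instead disables that
#    rule by hand; the equivalent on the server itself would be
#    Disable-NetFirewallRule -DisplayName 'World Wide Web Services (HTTP Traffic-In)'  -- assumed name.)
Set-NetFirewallProfile -PolicyStore $gpo -Profile Domain -AllowLocalFirewallRules False

# 2. Custom inbound rule: TCP local port 80, any remote port, any local address, one remote address.
New-NetFirewallRule -PolicyStore $gpo `
    -DisplayName 'Allow HTTP only to 192.168.3.88' `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 80 -RemotePort Any `
    -LocalAddress Any -RemoteAddress 192.168.3.88 `
    -Profile Domain

# 3. On an affected server: pull the policy, then confirm the rule is in the active store
#    and that its address filter really is limited to the one remote host.
gpupdate /force
Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Allow HTTP only to 192.168.3.88' |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```

The check in step 3 is the one worth keeping: ActiveStore shows what the firewall is actually enforcing after local and GPO policy are combined, so if the predefined rule is still allowing port 80 from everywhere, it shows up there too.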
One important thing, though, is IPsec. You can configure it through the IP Security Policies. In the default settings there is “Client (Respond Only)”, which means that no security is enabled unless a server negotiates security with one of the policies here; then there is “Secure Server (Require Security)”, which won’t allow communication unless the client responds to IPsec using Kerberos for identification; and the last one, “Server (Request Security)”, allows secure connections to clients that are able to respond to IPsec data and authentication, and otherwise falls back to an unsecured connection. The best way to put this is that you enable Client (Respond Only) on client computers and Secure Server (Require Security) on servers, for security purposes.
Now here in the Connection Security Rules, if you right click and click on New Rule, it will show some basic connection security rule types. Isolation is one of the most useful, because it will only allow members of the domain to communicate with the server, although you might want to make an authentication exemption for some clients that you want to allow connections from. Then there’s Server-to-Server, if you want to protect the connection between two servers. Then Tunnel, which works similarly to Server-to-Server except that it is applied between endpoints or between local area networks.
In Isolation, you request or require authentication for inbound or outbound connections, then choose the authentication method to be used: Kerberos for computer and user, just for computers, or Advanced. Then you choose which connection profiles to apply it to; generally speaking, it should be applied only to the Domain connection, so other devices outside the domain won’t be able to access the server. Type in the name, and then Finish. You can also Import/Export these WFAS policies by right-clicking from the Group Policy Management Editor.
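The Isolation wizard above, plus the authentication exemption mentioned in the previous paragraph, map onto two connection security rules. The block below is an added example, not code from the video: it assumes a GPO named “Server Isolation” in the placeholder domain contoso.local, and 192.168.3.50 is a constructed address for a non-domain device (a monitoring appliance, say) that cannot do Kerberos and so must be exempted. Treating the exemption as an IPsec rule with inbound and outbound security set to None is my reading of the cmdlet’s options, not something the video states.

```powershell
# Added example (not from the video): domain-isolation connection security rule in a GPO, with an
# authentication exemption for one non-domain host. Placeholders: contoso.local, the GPO name,
# and 192.168.3.50 (constructed).
$gpo = 'contoso.local\Server Isolation'

# Authentication method = Kerberos with the computer (machine) identity, the wizard's first option.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -PolicyStore $gpo -DisplayName 'Computer Kerberos' -Proposal $proposal

# Isolation: require authentication on inbound, request it on outbound, Domain profile only,
# so machines that cannot authenticate to the domain cannot reach the server at all.
New-NetIPsecRule -PolicyStore $gpo -DisplayName 'Domain isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -Profile Domain

# Authentication exemption (assumed mapping): no security requested in either direction for
# traffic to or from this one address, so the appliance keeps working without Kerberos.
New-NetIPsecRule -PolicyStore $gpo -DisplayName 'Exempt monitoring appliance' `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress 192.168.3.50 -Profile Domain

# Review what the GPO now carries.
Get-NetIPsecRule -PolicyStore $gpo |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile

# On a server after gpupdate: which peers actually negotiated IPsec main-mode security associations?
# A domain client that does not appear here while talking to the server is a sign the rule is not applying.
Get-NetIPsecMainModeSA | Format-List LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

Keep exemptions as narrow as the one above (a single address, Domain profile only); every exempted address is a host that can reach the server without proving its identity, which is exactly what the isolation rule exists to prevent. For a local (non-GPO) policy, the same Import/Export the video does from the editor is available as netsh advfirewall export and netsh advfirewall import on a .wfw file.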
And that’s the end of this video, thank you for watching and tune in for more Windows Server 2012 Tutorials.