Managing Windows Firewall Policy

When you access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall in Group Policy, you’ll find separate policy sections for the Domain Profile and the Standard Profile. Both policy sections contain the same policies and settings. The only difference is that one set of policies is used to configure Windows Firewall on the corporate network while the other is used to configure Windows Firewall off the corporate network. There is one global policy setting as well, which is found at the same level as these two profile nodes. This global policy setting controls the way Windows Firewall works with IPSec.

When you work with Windows Firewall policy, you should generally determine whether IPSec bypass should be allowed, and if so, configure the computers that should be allowed to use IPSec bypass, and then you should determine whether Windows Firewall should be enabled or disabled in the Domain Profile and the Standard Profile. You should then configure permitted exceptions, notification, and logging for when Windows Firewall is enabled in a profile.

Configuring IPSec Bypass

You can use the Windows Firewall: Allow Authenticated IPSec Bypass policy to configure Windows Firewall to allow IPSec-secured communications to bypass the firewall. If you enable this policy, computers using IPSec to communicate with a computer processing this policy will not be subject to firewall restrictions. If you disable or do not configure this policy, no exceptions will be granted for computers using IPSec and they will be subject to the same firewall restrictions as other computers.

To allow IPSec-secured communications to bypass the Windows Firewall, follow these steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. In the rightmost pane, double-click Windows Firewall: Allow Authenticated IPSec Bypass.

  3. Select Enabled, and then specify the IPSec computers to be exempted from the firewall policy by entering a Security Descriptor Definition Language (SDDL) string in the box provided. For more information on SDDL, see Chapter 15.

    Note

    The SDDL string provides the Security Identifiers (SIDs) of the computers in your organization that should be able to bypass the firewall when using IPSec-secured communications. Typically, you enter the security descriptors for your domain’s Domain Computers and Domain Controllers global security groups. If you have created other domain or OU-specific groups for computers, you enter these instead if you want to limit bypass of IPSec-secured communications to computers within the domain or OU.

  4. Click OK.
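The SDDL string for this policy is easy to get wrong by hand, because one mistyped SID or a deny ACE where an allow ACE was intended silently changes which computers can bypass the firewall. The following helper is an added example, not code from the book: it builds the string from the SIDs of the groups the note above recommends (Domain Computers, RID 515, and Domain Controllers, RID 516) and parses a string back so it can be checked before it goes into the policy. The domain SID is a constructed placeholder, and the exact shape used, O:DAG:DAD: followed by one (A;;RCGW;;;SID) ACE per group, is the form given in the policy’s own Explain text as I know it; compare it with the Explain tab on your own domain before relying on it.

```python
"""Build and check the SDDL string for Windows Firewall: Allow Authenticated IPSec Bypass.

Added example, not the book's own code. The O:DAG:DAD:(A;;RCGW;;;SID) shape is an
assumption taken from the policy's Explain text; verify it against your own copy.
"""
import re
from typing import Iterable, List

# Well-known RIDs of the two domain groups the chapter suggests using.
DOMAIN_COMPUTERS_RID = 515
DOMAIN_CONTROLLERS_RID = 516

# Constructed placeholder: substitute your own domain's SID.
EXAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

PREFIX = "O:DAG:DAD:"
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")
GROUP_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
ALLOW_ACE_RE = re.compile(r"\(A;;RCGW;;;(S-1-5-21-\d+-\d+-\d+-\d+)\)")


def group_sid(domain_sid: str, rid: int) -> str:
    """Append a RID to a domain SID: Domain Computers is <domain SID>-515."""
    if not DOMAIN_SID_RE.fullmatch(domain_sid):
        raise ValueError(f"not a domain SID: {domain_sid!r}")
    return f"{domain_sid}-{rid}"


def bypass_sddl(sids: Iterable[str]) -> str:
    """Return the SDDL string granting IPSec bypass to each group SID, in order."""
    aces = []
    for sid in sids:
        if not GROUP_SID_RE.fullmatch(sid):
            raise ValueError(f"not a domain group SID: {sid!r}")
        aces.append(f"(A;;RCGW;;;{sid})")
    if not aces:
        raise ValueError("at least one SID is required")
    return PREFIX + "".join(aces)


def bypass_sids(sddl: str) -> List[str]:
    """Parse a bypass string back into its SIDs.

    Rejects anything other than a run of allow ACEs with the expected rights,
    so a deny ACE or a stray rights mask is caught rather than deployed.
    """
    if not sddl.startswith(PREFIX):
        raise ValueError(f"expected the string to start with {PREFIX}")
    body = sddl[len(PREFIX):]
    sids = ALLOW_ACE_RE.findall(body)
    if "".join(f"(A;;RCGW;;;{s})" for s in sids) != body:
        raise ValueError(f"unexpected ACE content in {body!r}")
    return sids


if __name__ == "__main__":
    groups = [group_sid(EXAMPLE_DOMAIN_SID, DOMAIN_COMPUTERS_RID),
              group_sid(EXAMPLE_DOMAIN_SID, DOMAIN_CONTROLLERS_RID)]
    sddl = bypass_sddl(groups)
    print(sddl)
    print("grants bypass to:", bypass_sids(sddl))
```

Because `bypass_sids` rebuilds the ACE list and compares it with the original text, any string that round-trips is guaranteed to contain only allow ACEs for domain group SIDs, which is the one property you want to be sure of before enabling the policy.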

Enabling and Disabling Windows Firewall with Group Policy

Through Group Policy, you can enforce whether Windows Firewall is turned on or turned off across your servers and workstations. For example, you might want servers to have Windows Firewall turned on for the Standard Profile and turned off for the Domain Profile. If you have specific groups of computers that should use Windows Firewall when connected to the corporate network, you might want to create a separate Windows Firewall GPO and apply this GPO selectively using security filtering or WMI filters.

Tip

In some environments, such as a small office with limited hardware firewall protection, you might want Windows Firewall to be enabled in the Domain Profile. In this case, you should also consider configuring the firewall so that computers can be remotely managed. For details, see "Allowing Remote Desktop Exceptions" in this chapter.

In policy, you can control whether Windows Firewall is enabled or disabled by using the Windows Firewall: Protect All Network Connections policy. Keep the following in mind when working with this policy:

  • If this policy is enabled, Windows Firewall will be enabled for all network connections on all computers that process the GPO containing this policy setting (according to the profile in which it is enabled).

  • If this policy is disabled, Windows Firewall will be disabled for all network connections on all computers that process the GPO containing this policy setting (according to the profile in which it is enabled).

  • Whether this policy is set as Enabled or Disabled, a user on the computer where the policy has been applied will be unable to change the setting. The option to change it will be grayed out.

Note

Although you can use the Advanced tab of the Windows Firewall dialog box on the local computer to specify per-network connection firewall protection, this functionality is not exposed through Group Policy. With Group Policy, you can only enable or disable Windows Firewall for all network connections on a given computer. Group Policy also does not allow you to configure the advanced per-connection settings for services and ICMP configuration.

Managing Firewall Exceptions with Group Policy

Another option related to enabling and disabling Windows Firewall functionality is allowing exceptions. You can use exceptions to allow programs to access certain well-known ports on the computer even when Windows Firewall is enabled. By default, a user who is working on a computer that has Windows Firewall enabled receives security alerts when an application attempts to open a port for listening on the computer. Through Group Policy, you can control which applications and ports are allowed to pass through the firewall so the user does not have to make those decisions.

On servers, which typically have no logged-on users, the ability to predefine exceptions through Group Policy can be valuable. A number of predefined policies are available for allowing exceptions to known applications. You can also define your own exceptions, based on the application or port that is needed. For most exceptions, you can set the scope of allowed communications by entering any combination of the following identifiers in a comma-separated list:

  • IPAddress. An actual IP address, such as 192.168.1.10. Allows file and print traffic from this IP address to be accepted by computers that process this GPO.

  • SubnetAddress. An actual IP subnet address, such as 192.168.1.0/24. Allows file and print traffic from any computers on this IP subnet to be accepted by computers that process this GPO.

  • localsubnet. Allows file and print traffic from any computers on the local subnet to be accepted by computers that process this GPO.

For example, to allow exceptions for the local subnet, a computer with an IP address of 192.168.1.10, and the subnet 192.168.1.0/24, you would type:

localsubnet, 192.168.1.10, 192.168.1.0/24

Tip

You can also use an asterisk (*) to specify that all networks can communicate with a particular application. A good resource for learning about IP subnets and how to specify them is Windows Server 2003 Inside Out.

Disabling the Use of Exceptions

You can completely control the use of exceptions by using the Windows Firewall: Do Not Allow Exceptions policy. Keep the following in mind:

  • If you enable this policy, no exceptions will be allowed and any exceptions defined in the Windows Firewall configuration will be ignored. Further, in the Windows Firewall dialog box, the Don’t Allow Exceptions check box will be selected and both users and local administrators will be unable to clear this setting.

  • If you disable this policy, exceptions defined in policy will be allowed and any exceptions defined in the local Windows Firewall configuration will also be accepted. Further, in the Windows Firewall dialog box, the Don’t Allow Exceptions check box will be cleared and both users and local administrators will be unable to change this setting.

Administrators who log on locally can work around this policy setting by turning off Windows Firewall.

Allowing File and Printer Sharing Exceptions

You can use file and printer sharing exceptions to accept or block file and print traffic to and from specific computers. File and printer sharing exceptions manage traffic on these ports:

  • TCP 139

  • TCP 445

  • UDP 137

  • UDP 138

These ports are used during file and printer sharing. You can manage their use by enabling or disabling the Windows Firewall: Allow File And Printer Sharing Exceptions policy. When working with this policy, keep the following in mind:

  • If you need to be able to map server shares and printers to a computer (usually a server), you can enable this policy. In the Windows Firewall dialog box, the File And Printer Sharing check box will be selected and both users and local administrators will be unable to clear this setting.

  • If you want to prevent computers from mapping server shares and printers, you can disable this policy. In the Windows Firewall dialog box, the File And Printer Sharing check box will be cleared and both users and local administrators will be unable to change this setting.

To enable and configure file and printer sharing exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Allow File And Printer Sharing Exceptions.

  3. Select Enabled.

  4. Use the Allow Unsolicited Incoming Message From text box to specify the scope of allowed communications. As shown in Figure 11-20, you can type any combination of the following identifiers in a comma-separated list:

    • IPAddress. An actual IP address, such as 192.168.1.10. Allows file and print traffic from this IP address to be accepted by computers that process this GPO.

    • SubnetAddress. An actual IP subnet address, such as 192.168.1.0/24. Allows file and print traffic from any computers on this IP subnet to be accepted by computers that process this GPO.

    • localsubnet. Allows file and print traffic from any computers on the local subnet to be accepted by computers that process this GPO.

    Figure 11-20. Configuring the scope of the exception

  5. Click OK.

Allowing Remote Administration Exceptions

Remote administration exceptions open a set of ports that allow remote administrative operations to be performed on computers that allow these exceptions. A good example of a remote administrative function that will fail if this exception is not enabled is the Group Policy Results Wizard. You cannot perform remote RSoP logging on a system that does not have the remote administration exceptions enabled.

You control remote administration exceptions using Windows Firewall: Allow Remote Administration Exception. When you enable this policy, TCP ports 135 (for the RPC port mapper) and 445 (for SMB) are enabled for listening, which allows use of remote procedure calls (RPCs) and Distributed Component Object Model (DCOM). This policy setting also allows Svchost.exe and Lsass.exe to receive incoming messages and allows hosted services to open TCP ports in the 1024 to 1034 range to facilitate RPC communications. If you have any administrative applications that require RPC or SMB, you should enable this exception. If this policy is disabled or not configured, the following MMC snap-in tools cannot remotely access a computer protected by Windows Firewall:

  • Certificates

  • Computer Management

  • Device Management

  • Disk Management

  • Event Viewer

  • Group Policy

  • Indexing Service

  • IPSec Monitor

  • Local Users and Groups

  • Removable Storage Management

  • Resultant Set of Policy

  • Services

  • Shared Folders

  • WMI Control

Note

Because malicious users often try to attack computers through RPC and DCOM, you should enable remote administration exceptions only when you are certain they are needed. Also, note that if you allow remote administration exceptions, Windows Firewall allows incoming ICMP echo request (ping) messages on TCP port 445 even if the Windows Firewall: Allow ICMP Exceptions policy would otherwise block them.

To enable and configure remote administration exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Allow Remote Administration Exceptions.

  3. Select Enabled, and then use the Allow Unsolicited Incoming Message From text box to specify the scope of allowed communications, as described previously.

  4. Click OK.

Allowing Remote Desktop Exceptions

Remote Desktop exceptions allow users to connect to a remote computer using the Remote Desktop feature. This means TCP port 3389 is excepted, which is the default port that Terminal Services listens on. Keep the following in mind:

  • If you enable this policy, computers that process this policy can receive Remote Desktop requests from specifically allowed computers. In the Windows Firewall dialog box, the Remote Desktop check box will be selected and both users and administrators will be unable to clear this setting.

  • If you disable this policy, Windows Firewall will block Remote Desktop requests for all computers that process this policy. In the Windows Firewall dialog box, the Remote Desktop check box will be cleared and both users and administrators will be unable to change this setting.

To enable and configure Remote Desktop exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Allow Remote Desktop Exceptions.

  3. Select Enabled, and then use the Allow Unsolicited Incoming Message From text box to specify the scope of allowed communications, as described previously.

  4. Click OK.

Allowing UPnP Framework Exceptions

UPnP Framework exceptions permit Universal Plug and Play (UPnP) messages to be received by a computer. UPnP messages are used by services such as built-in firewall software to communicate with a Windows computer. When you permit UPnP Framework exceptions, TCP port 2869 and UDP port 1900 are allowed for use by the UPnP Framework services. Keep the following in mind:

  • If you enable this policy, computers that process this policy can receive UPnP Framework requests from specifically allowed computers. In the Windows Firewall dialog box, the UPnP Framework check box will be selected and both users and administrators will be unable to clear this setting.

  • If you disable this policy, UPnP Framework requests will be blocked by Windows firewall for all computers that process this policy. In the Windows Firewall dialog box, the UPnP Framework check box will be cleared and both users and administrators will be unable to change this setting.

To enable and configure UPnP Framework exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Allow UPnP Framework Exceptions.

  3. Select Enabled, and then use the Allow Unsolicited Incoming Message From text box to specify the scope of allowed communications, as described previously.

  4. Click OK.

Defining Program Exceptions

In addition to configuring various exceptions for services, you can define exceptions for programs, ICMP messages, and specific ports. When you configure program exceptions, you specify applications for which you want to allow communications rather than services.

Program exceptions are useful if you don’t know the particular port that an application requires. You can simply select the executable name and Windows Firewall will detect the port that the application needs to communicate on. Keep in mind that program exceptions imply that the application is running on the computers for which you are defining the exception. If the application is not running, the ports are not excepted.

Windows Firewall allows you to define program exception lists in Group Policy and through the Windows Firewall utility in Control Panel. To define program exceptions in Group Policy, you enable and configure the Windows Firewall: Define Program Exceptions policy.

Program exceptions take the form of a free text string that contains a set of parameters in the following format:

PathToProgram:Scope:Status:Name

These parameters are used as follows:

  • PathToProgram. The path to the executable for which you want to allow exceptions.

  • Scope. A comma-separated list of IP addresses or IP subnets, or the entire local subnet for which you are configuring the exception. Any computers that process the related GPO are either allowed to communicate or blocked from communicating with the defined program on the designated IP addresses.

  • Status. Specifies whether communications are allowed or blocked (enabled or disabled).

  • Name. Sets the name of the exception as displayed on the Exceptions tab in the Windows Firewall dialog box.

To see how this works, consider the following example: Suppose we have a server application that provides stock quotes to client computers on the network. It is located at C:\Program files\Quotes\Quotes.exe. We want to allow all clients on the subnet at 192.168.3.0/24 to be able to communicate with this application on this server, and we also want to allow another server at IP address 192.168.1.5, which provides the quotes from the Internet, to be able to communicate with this application. In this case, the program exception looks like this:

%ProgramFiles%\quotes\quotes.exe:192.168.3.0/24,192.168.1.5:enabled:Program Exception for the Quotes Application

We use the environment variable %ProgramFiles% because this policy might need to run on multiple computers and we don’t necessarily know which disk volume the Program Files folder is on. The scope of 192.168.3.0/24 indicates that we want this exception to apply to all devices on the 192.168.3.0 subnet; /24 indicates a 24-bit subnet mask. If we want to allow all computers on the local subnet to talk with this application, we can use the localsubnet string within the scope portion in addition to any IP subnet or IP addresses that are specified:

192.168.3.0/24,localsubnet,192.168.1.5

Tip

You can also use an asterisk (*) to specify that all networks can communicate with a particular application.

To enable and configure program exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Define Program Exceptions.

  3. Select Enabled, and then click Show. The Show Contents dialog box lists any currently defined program exceptions (Figure 11-21).

    Figure 11-21. Viewing and managing program exceptions

  4. To add a new program exception, click Add. In the Add Item dialog box, type the exception string. Exception strings take the form of a free text string that contains a set of parameters in the following format:

    PathToProgram:Scope:Status:Name

    Note

    Do not use quotation marks when specifying any elements of the program exception, including the localsubnet string within the scope option. Even the name string should be entered without quotation marks.

  5. To remove an existing program exception, select the exception and then click Remove.

  6. Click OK twice.

Once a program exception is applied to the target computer, it appears on the Exceptions tab of the Windows Firewall configuration but is grayed out so that it cannot be changed. You will also notice that the Group Policy column shows Yes, indicating that the exception is being delivered via Group Policy.

If you define a program exception via Group Policy, users cannot manually define other program exceptions. If you want to allow users to define additional program exceptions, you must also enable Windows Firewall: Allow Local Program Exceptions. If you have not defined any program exceptions through policy, you can disable Windows Firewall: Allow Local Program Exceptions to prevent users from defining any program exceptions themselves.

Defining ICMP Exceptions

ICMP exceptions allow you to specify whether the computer will respond to ICMP messages. ICMP is used most commonly by the ping command but can be used by other applications as well to determine whether a computer is available. ICMP is normally completely disabled when Windows Firewall is active, but you can enable certain types of responses that might be needed by your applications.

To enable and configure ICMP exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Allow ICMP Exceptions.

  3. Select Enabled, and then use the options provided to allow specific types of ICMP communications (Figure 11-22). For example, if you want to enable a computer to respond to ping requests, you select the Allow Inbound Echo Request check box.

    Figure 11-22. Configuring ICMP exceptions using Group Policy

  4. Click OK.

Tip

You can set this policy for outgoing ICMP messages as well as incoming ones. This allows you to allow or block a computer from sending ICMP messages as well as receiving them.

If you disable Windows Firewall: Allow ICMP Exceptions, no ICMP communications are allowed and an administrator cannot set any exceptions. However, if you enabled remote administrative exceptions or the file and printer sharing exceptions as described previously, Allow Inbound Echo Request is allowed for the related ports regardless.

Defining Port Exceptions

Port exceptions policy works much like program exceptions policy, except that you specify a particular port to allow communications to instead of an application. If you enable this policy, you can add a series of exceptions using the following format:

Port:Transport:Scope:Status:Name

These parameters are used as follows:

  • Port. Specifies a particular port number.

  • Transport. Specifies whether the port is UDP or TCP.

  • Scope. A comma-separated list of IP addresses or IP subnets, or the entire local subnet, for which you are configuring the exception. Any computers that process the related GPO are either allowed to communicate or blocked from communicating with the defined port on the designated IP addresses.

  • Status. Specifies whether communications are allowed or blocked (enabled or disabled).

  • Name. Text that can describe anything about the exception.

To see how this works, consider the following example: Suppose we want to allow TCP port 80 (HTTP) access to a server from the 192.168.1.0/24 subnet. We define the port exception as follows:

80:TCP:192.168.1.0/24:enabled:Allow HTTP Access
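The three free-text formats this chapter relies on, the scope list (localsubnet, an IP address, a subnet, or *), the PathToProgram:Scope:Status:Name program exception, and the Port:Transport:Scope:Status:Name port exception, have no syntax checking in the Show Contents dialog box, and a mistyped entry fails quietly once the GPO applies. The parser and checker below is an added example, not code from the book; it validates strings in all three forms before they go into a GPO, enforces the notes about quotation marks, and warns when an enabled exception is scoped to * or a program path is tied to one drive letter (the chapter’s reason for using %ProgramFiles%). The sample strings are the chapter’s own; the decision to split a program exception from the right, so that a drive-letter colon in the path survives, is my assumption about how to parse such strings, not something the chapter specifies.

```python
"""Parse and sanity-check Windows Firewall Group Policy exception strings.

Added example, not the book's own code. Handles the chapter's three formats:
    scope list:         localsubnet, 192.168.1.10, 192.168.1.0/24, *
    program exception:  PathToProgram:Scope:Status:Name
    port exception:     Port:Transport:Scope:Status:Name
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

KEYWORDS = {"localsubnet", "*"}
STATUSES = {"enabled", "disabled"}
TRANSPORTS = {"TCP", "UDP"}


def parse_scope(scope: str) -> List[str]:
    """Split a scope list and normalise each entry.

    Accepts any comma-separated mix of 'localsubnet', '*', single IP addresses
    and subnets in prefix or netmask form; whitespace after the commas is
    ignored. Anything else raises ValueError, so a typo is caught before the
    GPO is applied instead of after the exception silently fails.
    """
    entries = []
    for raw in scope.split(","):
        token = raw.strip()
        if not token:
            raise ValueError(f"empty entry in scope list {scope!r}")
        if token.lower() in KEYWORDS:
            entries.append(token.lower())
        elif "/" in token:
            # strict=True rejects 192.168.1.5/24 (host bits set), which is
            # almost always a typo for a host address or a different prefix.
            entries.append(str(ipaddress.ip_network(token, strict=True)))
        else:
            entries.append(str(ipaddress.ip_address(token)))
    return entries


@dataclass
class FirewallException:
    kind: str          # "program" or "port"
    target: str        # program path, or "port/TRANSPORT"
    scope: List[str]
    status: str        # "enabled" or "disabled"
    name: str
    warnings: List[str] = field(default_factory=list)


def _build(kind: str, target: str, scope: str, status: str, name: str) -> FirewallException:
    # The chapter's note: no quotation marks anywhere in the string.
    for label, value in (("target", target), ("scope", scope), ("status", status), ("name", name)):
        if '"' in value:
            raise ValueError(f"quotation marks are not allowed in the {label} field")
    if status.lower() not in STATUSES:
        raise ValueError(f"status must be enabled or disabled, got {status!r}")
    if not name:
        raise ValueError("the exception needs a name")
    exc = FirewallException(kind, target, parse_scope(scope), status.lower(), name)
    exc.warnings = audit(exc)
    return exc


def parse_program_exception(text: str) -> FirewallException:
    """Parse PathToProgram:Scope:Status:Name.

    A path such as C:\\Program Files\\... carries its own colon, so the string is
    split from the right: the last three colons delimit Scope, Status and Name
    (assumption: under this approach the name itself cannot contain a colon).
    """
    parts = text.rsplit(":", 3)
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields in {text!r}")
    path, scope, status, name = (p.strip() for p in parts)
    if not path:
        raise ValueError("program path is empty")
    return _build("program", path, scope, status, name)


def parse_port_exception(text: str) -> FirewallException:
    """Parse Port:Transport:Scope:Status:Name (here the name may contain colons)."""
    parts = text.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected 5 colon-separated fields in {text!r}")
    port, transport, scope, status, name = (p.strip() for p in parts)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"port must be 1-65535, got {port!r}")
    if transport.upper() not in TRANSPORTS:
        raise ValueError(f"transport must be TCP or UDP, got {transport!r}")
    return _build("port", f"{int(port)}/{transport.upper()}", scope, status, name)


def audit(exc: FirewallException) -> List[str]:
    """Flag entries that open the firewall wider, or less portably, than intended."""
    warnings = []
    if exc.status == "enabled" and "*" in exc.scope:
        warnings.append(f"{exc.name}: scope * accepts traffic from every network; "
                        "prefer localsubnet or explicit addresses")
    if exc.kind == "program" and re.match(r"[A-Za-z]:\\", exc.target):
        warnings.append(f"{exc.name}: path is tied to one drive letter; an environment "
                        "variable such as %ProgramFiles% works across volumes")
    return warnings
```

Run `parse_program_exception(...)` or `parse_port_exception(...)` on each string you intend to paste into the Add Item dialog box and act on any `warnings` before deploying the GPO; a `ValueError` means the string would not have done what you meant.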

To enable and configure port exceptions, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Define Port Exceptions.

  3. Select Enabled, and then click Show.

  4. The Show Contents dialog box lists any currently defined port exceptions.

  5. To add a new port exception, click Add. In the Add Item dialog box, type the exception string. Exception strings take the form of a free text string that contains a set of parameters in the following format:

    Port:Transport:Scope:Status:Name

    Note

    Do not use quotation marks when specifying any elements of the port exception, including the localsubnet string within the scope option. Even the name string should be entered without quotation marks.

  6. To remove an existing port exception, select the exception and then click Remove.

  7. Click OK twice.

Once a port exception is applied to the target computer, it appears on the Exceptions tab of the Windows Firewall configuration but is grayed out so it cannot be changed. You will also notice that the Group Policy column shows Yes, indicating that the exception is being delivered via Group Policy.

If you define a port exception via Group Policy, users cannot manually define other port exceptions. If you want to allow users to define additional port exceptions, you must also enable Windows Firewall: Allow Local Port Exceptions. If you have not defined any port exceptions through policy, you can disable Windows Firewall: Allow Local Port Exceptions to prevent users from defining any port exceptions themselves.

Configuring Firewall Notification, Logging, and Response Requests

Group Policy also allows you to configure some other settings related to Windows Firewall, as described in the following sections.

Prohibiting Notifications

The Windows Firewall: Prohibit Notifications policy allows you to prevent the security alert messages that appear when a remote computer is trying to talk to an application on a computer that is blocking communications to that application. This policy is most often enabled on servers because there are typically no users logged on to see these messages.

Allowing Logging

The Windows Firewall: Allow Logging policy allows you to enforce logging of Windows Firewall activity. You’ll typically want to enable Windows Firewall logging only when you need to troubleshoot a problem. If you disable this policy, users and administrators cannot configure logging locally on computers that process the policy.

To enable and configure logging, complete the following steps:

  1. Access Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

  2. Access Domain Profile or Standard Profile as appropriate, and then double-click Windows Firewall: Allow Logging.

  3. Select Enabled, and then use the following options to configure logging:

    • Log Dropped Packets. Configures logging of any incoming packets that are blocked due to the firewall. You can use this information to troubleshoot applications that are unable to communicate with a computer.

    • Log Successful Connections. Configures logging on all incoming and outgoing connections that succeed. This can obviously result in a lot of data, but you can see all traffic going to and from the computer.

    • Log File Path And Name. Select this option to specify the folder path and filename for the Windows Firewall log. The default location for logging is %SystemRoot%\pfirewall.log.

      Tip

      You can specify a different path and filename, including a remote UNC path (as long as the computer logging the data has permissions to that remote path). If you log to a UNC path, you should include the %ComputerName% environment variable in the filename or path to create a unique log for each computer. Keep in mind, however, that this can generate a lot of network traffic on the remote computer.

    • Size Limit. Select this option to specify the maximum log file size in kilobytes. When a log file reaches this maximum size, it overwrites older records as needed. Therefore, you must judge the size based on how busy your computers are and what information you are logging. A log file set too small can be overwritten before you have a chance to view the entries, especially on a busy server.

  4. Click OK.
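The Log Dropped Packets option is described above as the tool for troubleshooting an application that cannot reach a computer, but a raw pfirewall.log is hard to read by eye on a busy server. The script below is an added example, not code from the book: it parses the log into records by reading the column names from the file’s own #Fields header, counts dropped inbound packets per source, protocol and destination port, and then splits those drops into sources inside the scope you intend to grant an exception to (a candidate for a scoped exception, for instance file and printer sharing on TCP 445) and sources outside it (the firewall doing its job, which should stay blocked). The log lines in SAMPLE_LOG are constructed, the header layout is the W3C-style format I know Windows Firewall to write, and the 192.168.1.0/24 scope is an assumed example value.

```python
"""Summarise dropped inbound traffic from a Windows Firewall log.

Added example, not the book's own code. SAMPLE_LOG is constructed; its header
follows the W3C-style layout of pfirewall.log, and because the column order is
read from the '#Fields:' line the parser works on a real log that has one.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-04-11 08:05:57 DROP TCP 192.168.1.5 192.168.1.10 1234 445 48 S 1234567 0 65535 - - - RECEIVE
2005-04-11 08:05:58 DROP TCP 192.168.1.5 192.168.1.10 1235 445 48 S 1234568 0 65535 - - - RECEIVE
2005-04-11 08:06:01 OPEN TCP 192.168.1.10 192.168.1.20 3000 80 - - - - - - - - -
2005-04-11 08:06:02 DROP UDP 192.168.1.7 192.168.1.10 137 137 78 - - - - - - - RECEIVE
2005-04-11 08:06:05 DROP ICMP 192.168.1.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
2005-04-11 08:06:07 DROP TCP 10.0.0.4 192.168.1.10 4444 445 48 S 99 0 8192 - - - RECEIVE
2005-04-11 08:06:09 OPEN-INBOUND TCP 192.168.1.5 192.168.1.10 1240 3389 - - - - - - - - -
"""

Key = Tuple[str, str, str]   # (src-ip, protocol, dst-port)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the column names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before the #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound(records: Iterable[Dict[str, str]]) -> Counter:
    """Count DROP records on the receive path per (source, protocol, destination port)."""
    counts: Counter = Counter()
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            counts[(r["src-ip"], r["protocol"], r["dst-port"])] += 1
    return counts


def classify_drops(counts: Counter, allowed_scope: Iterable[str]) -> Tuple[Counter, Counter]:
    """Split drops by whether the source lies inside the scope you intend to allow.

    Inside-scope drops point at a missing or mis-scoped exception; outside-scope
    drops are traffic the firewall is correctly refusing.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_scope]
    inside: Counter = Counter()
    outside: Counter = Counter()
    for key, n in counts.items():
        src = ipaddress.ip_address(key[0])
        (inside if any(src in net for net in nets) else outside)[key] += n
    return inside, outside


if __name__ == "__main__":
    drops = dropped_inbound(parse_log(SAMPLE_LOG))
    inside, outside = classify_drops(drops, ["192.168.1.0/24"])   # assumed scope
    for title, bucket in (("Inside scope (candidate exceptions)", inside),
                          ("Outside scope (keep blocked)", outside)):
        print(title)
        for (src, proto, port), n in bucket.most_common():
            print(f"  {src:<15} {proto:<5} dst-port {port:<6} dropped {n}")
```

Point `parse_log` at the contents of the file configured under Log File Path And Name, and pass the same scope string you plan to put in the exception so the two buckets line up with the policy you are about to deploy.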

Prohibiting Unicast Responses to Multicast or Broadcast Requests

Windows Firewall: Prohibit Unicast Response To Multicast Or Broadcast Requests prevents certain types of network attacks when an infected computer sends a broadcast or multicast message and looks to receive unicast responses from target computers. If this policy is enabled on the infected computer, the unicast responses to broadcasts or multicasts are simply dropped. If this policy is disabled, the computer accepts all unicast responses for the first 3 seconds and then blocks subsequent responses.

Note

If you enable Windows Firewall: Prohibit Unicast Response To Multicast Or Broadcast Requests, DHCP requests from the computer, which typically take the form of a broadcast request followed by a unicast response from the DHCP server, will not be affected.
