Understanding Windows Firewall Policy

Most organizations have firewalls and proxies in place to help protect the internal network from intruders. When users or computers connect indirectly to the Internet through these firewalls and proxies, you can be reasonably sure the computers are protected from attacks and malicious users. When users or computers connect directly to the Internet, however, these protections might not apply. For example, if a user takes a portable computer to an offsite meeting or uses a portable computer on a coffee shop wireless network while at lunch, the computer isn't automatically protected from attack or intrusion. If such a computer becomes infected and is then reconnected to the internal network, it can infect other computers, bypassing the protection of the firewall or proxy. To help prevent these infection scenarios, you must run a firewall on each computer, not just rely on the firewall or proxy that separates the internal network from the Internet. This is where Windows Firewall and Windows Firewall Group Policy settings enter the picture.

How Windows Firewall Works

Windows Firewall, the successor to the Internet Connection Firewall (ICF), was released with Windows XP SP2 and Windows Server 2003 SP1. Like ICF, Windows Firewall provides stateful IP port filtering on a per-host basis to protect computers that are running Windows from unauthorized access.

Stateful port filtering means that Windows Firewall keeps track of connections coming into and going out of your Windows computers and lets you dynamically control the flow of traffic. Windows Firewall also allows for exception-based firewall protection. When traffic that does not pass the firewall rules arrives at a Windows Firewall–protected computer, the user has the option to allow or deny that traffic through a pop-up dialog box called a Security Alert.

Windows Firewall differs from ICF in that it is completely manageable and configurable via Group Policy. The default configuration also differs between Windows workstations and servers. The default configuration of Windows Firewall is more secure than that of ICF; for example, when Windows Firewall is enabled, it protects all network connections by default. Keep the following in mind:

  • On computers running Windows XP SP2 or later, Windows Firewall is installed and enabled by default. The Windows Firewall/Internet Connection Sharing (ICS) service, which provides the underlying firewall protection service, is configured to start automatically with the operating system. Enabling or disabling Windows Firewall doesn’t change the state of the underlying firewall service.

  • On computers running Windows Server 2003 SP1 or later, Windows Firewall is installed but disabled by default. The Windows Firewall/Internet Connection Sharing (ICS) service does not start automatically with the operating system and is disabled by default.

You start, stop, and configure Windows Firewall by using the Windows Firewall utility in Control Panel. When you access the utility and the Windows Firewall/Internet Connection Sharing (ICS) service is not running, you are given the opportunity to start the service (Figure 11-17). Click Yes to start the service. Keep in mind that if you later configure exceptions for applications or services that were running before the service was started, you should restart the computer to ensure that these applications and services run properly.

Figure 11-17. Start the Windows Firewall/Internet Connection Sharing (ICS) service if you plan to use Windows Firewall.

When Windows Firewall is enabled, it is also enabled by default on all network connections on a computer. This means that all LAN, wireless, and remote access connections are protected by the firewall when it is enabled. You can, of course, disable Windows Firewall on specific network connections.

How Windows Firewall Policy Is Used

Windows Firewall policies are found under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Windows Firewall policy has two modes of operation. The Domain Profile lets you configure Windows Firewall behavior when a computer is connected to the corporate network. The Standard Profile lets you configure firewall settings that apply when the user is disconnected from the corporate network, such as when a laptop user takes his computer home. The Standard Profile is useful to ensure that even when your computers are not connected to the corporate network, they are protected.

To determine whether a computer is connected to the corporate network, Windows first compares the DNS suffix of the currently active network connection or connections to the DNS suffix that was found during the last Group Policy processing cycle. Specifically, it looks at the following registry value to determine the DNS suffix the last time Group Policy was processed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkName

If the DNS suffix listed in this registry value is the same as the current active network connection (a network connection that has an IP address assigned to it and is enabled), the computer is assumed to be on the corporate network and the Domain Profile policy is applied. Looking at the DNS suffix of the computer is only one part of the detection algorithm, however.

A computer is assumed to be off the corporate network and the Standard Profile policy is applied when any of the following conditions are true:

  • If the DNS suffix of the computer's current active network connection(s) does not match the DNS suffix of the NetworkName registry value, the computer is considered off the corporate network and the Standard Profile applies.

  • If the computer is not part of an Active Directory domain, it is considered to be off the corporate network and the Standard Profile applies.

  • If the only active network connection for a computer is a dial-up or VPN connection, the computer is considered off the corporate network and the Standard Profile applies.

Windows checks for these conditions at computer startup or when a network connection changes (such as when a new connection becomes active or a change is made to an existing connection).

Note

Technically, computers process both the Domain Profile and Standard Profile policy settings and set those policy values in the registry, but they apply the settings (based on the current profile) only at computer startup or a network configuration change. This makes sense: if computers are no longer on the corporate network, they cannot process Group Policy to receive the Standard Profile policy settings. By processing both profiles, computers ensure that the settings are available and are applied whenever and wherever the computer’s network state changes.

To view the current profile that is being applied to a computer, follow these steps:

  1. Access the Windows Firewall utility by double-clicking Windows Firewall in Control Panel or right-clicking a currently active network connection icon in the system notification area and choosing Change Windows Firewall Settings.

  2. If the Windows Firewall/Internet Connection Sharing (ICS) service is turned off or disabled, you are given the opportunity to start the service:

    • Click Yes to start the service if you want to run Windows Firewall on this computer. The service is started and configured for automatic startup. Windows Firewall is enabled in its default state: off for servers and on for workstations.

    • Click No to exit the Windows Firewall utility. The status of the Windows Firewall/Internet Connection Sharing (ICS) service will not change and Windows Firewall will not be available for use on this computer.

  3. The options on the General tab specify the state of Windows Firewall and the profile being used (Figure 11-18). In the lower left corner you’ll see one of the following statements:

    • Windows Firewall Is Using Your Domain Settings. Indicates that the Domain Profile is currently in effect

    • Windows Firewall Is Using Your Non-Domain Settings. Indicates that the Standard Profile is currently in effect

Figure 11-18. The state of Windows Firewall

One limitation of the profile determination process is that it assumes that DNS suffixes are assigned dynamically as network connections change. For example, if you are using DHCP to assign IP configurations to your corporate computers, you might also specify a DNS suffix option. Similarly, when your users roam to external networks, those networks will most likely provide their own DNS suffix.

However, if you have computers whose DNS suffix is hard-coded within the DNS properties for a connection, as shown in Figure 11-19, this can short-circuit the profile determination process. Why? Because if that connection is in use on both the corporate and noncorporate networks, it will have the same DNS suffix for each area and will always use the Domain Profile. For this reason, if you plan to implement a different Domain Profile and Standard Profile, you must ensure that DNS suffixes are provided dynamically via DHCP and are not hard-coded.

Figure 11-19. Viewing a hard-coded DNS suffix on a network connection
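The following PowerShell script is an added diagnostic for this section, not code from the book or from Microsoft. It walks through the profile determination rules described above (NetworkName in the Group Policy History key, domain membership, dial-up/VPN-only connections) and then flags connections whose DNS suffix is hard-coded rather than supplied by DHCP, which is the condition that pins a computer to the Domain Profile. The registry locations (Group Policy\History\NetworkName and the per-interface Domain and DhcpDomain values under Tcpip\Parameters\Interfaces) and the SharedAccess service name are real; the decision logic, the "WAN Miniport" pattern used to recognize dial-up and VPN adapters, and the handling of multiple active connections are the script's own assumptions about how the text's rules combine, not Windows' internal implementation. It assumes it is run with administrative rights and WMI access.

```powershell
# Added diagnostic: predicts which Windows Firewall profile the text's rules
# would select and reports hard-coded DNS suffixes. Not part of the original
# book or of Windows; the decision logic is a reconstruction of the text.

# 1. The firewall enforces nothing unless the Windows Firewall/ICS service
#    (service name SharedAccess) is actually running.
$svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
if ($null -eq $svc -or $svc.Status -ne 'Running') {
    Write-Warning "Windows Firewall/ICS service (SharedAccess) is not running; no profile is being enforced."
}

# 2. DNS suffix recorded the last time Group Policy was processed.
$historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
$lastSuffix = (Get-ItemProperty -Path $historyKey -ErrorAction SilentlyContinue).NetworkName

# 3. Domain membership.
$inDomain = [bool](Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

# 4. Active connections: enabled adapters that have an IP address assigned.
$active = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.IPAddress }

$report = foreach ($cfg in $active) {
    # SettingID is the interface GUID used as the key name under Tcpip\Parameters\Interfaces.
    $ifKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($cfg.SettingID)"
    $ifProps = Get-ItemProperty -Path $ifKey -ErrorAction SilentlyContinue
    # 'Domain' holds a suffix typed into the connection's DNS properties (Figure 11-19);
    # 'DhcpDomain' holds one handed out by the DHCP server.
    $staticSuffix = [string]$ifProps.Domain
    $dhcpSuffix   = [string]$ifProps.DhcpDomain
    New-Object PSObject -Property @{
        Description = $cfg.Description
        Suffix      = [string]$cfg.DNSDomain
        DhcpEnabled = [bool]$cfg.DHCPEnabled
        HardCoded   = ($staticSuffix -ne '')
        DhcpSuffix  = $dhcpSuffix
        MatchesLast = ($cfg.DNSDomain -and $lastSuffix -and ($cfg.DNSDomain -ieq $lastSuffix))
        # Assumption: dial-up and VPN connections surface as WAN Miniport / PPP adapters.
        IsRemote    = ($cfg.Description -match 'WAN Miniport|PPP|SLIP')
    }
}

# 5. Apply the rules from the text in the order a defender would check them.
#    Assumption: with several LAN connections, any one matching suffix selects Domain.
$lanConnections = @($report | Where-Object { -not $_.IsRemote })
if (-not $inDomain) {
    $profile = 'Standard'; $reason = 'computer is not a member of an Active Directory domain'
} elseif ($lanConnections.Count -eq 0) {
    $profile = 'Standard'; $reason = 'only dial-up or VPN connections are active'
} elseif (@($lanConnections | Where-Object { $_.MatchesLast }).Count -gt 0) {
    $profile = 'Domain';   $reason = "an active connection's DNS suffix matches NetworkName ($lastSuffix)"
} else {
    $profile = 'Standard'; $reason = "no active connection's DNS suffix matches NetworkName ($lastSuffix)"
}

Write-Output "Last Group Policy DNS suffix (NetworkName): $lastSuffix"
Write-Output "Expected profile: $profile ($reason)"
$report | Format-Table Description, Suffix, DhcpEnabled, HardCoded, DhcpSuffix, MatchesLast, IsRemote -AutoSize

# 6. Hard-coded suffixes defeat profile switching: the connection carries the
#    corporate suffix off-site and keeps selecting the Domain Profile.
foreach ($c in $report | Where-Object { $_.HardCoded }) {
    Write-Warning ("Connection '{0}' has a hard-coded DNS suffix '{1}'; it will keep matching " +
                   "the Domain Profile off the corporate network. Supply the suffix via DHCP instead.") -f $c.Description, $c.Suffix
}

# 7. Compare the prediction with what Windows itself reports (same information
#    as the General tab statement in Figure 11-18).
netsh firewall show state
```

Run it on a laptop once while on the corporate network and once from an outside network; if the expected profile stays "Domain" off-site and the table shows HardCoded = True for the LAN connection, the configuration problem described for Figure 11-19 is present, and the `netsh firewall show state` output at the end will confirm which profile Windows is actually applying.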
