Since the introduction of the first firewall built into the operating system (Internet Connection Firewall) of Windows XP, Microsoft has steadily improved the firewall in each subsequent incarnation of Windows. While the Windows Firewall included in the newest client OS, Windows 7 is more evolutionary than revolutionary, it does provide some nice tweaks to make it more user-friendly and at least one big change that makes a difference to mobile users. In this article, we will take a look at the Windows Firewall in Windows 7 and show you how to configure it with multiple active firewall policies.
The Evolution of the Windows Firewall
The firewall software in Windows XP was simple and rudimentary and protected incoming traffic only, blocking any inbound connections that had not been initiated by your computer - and it was turned off by default. Service Pack 2 turned it on by default and made it possible for administrators to enable it via Group Policy. The Vista firewall was built on a new Windows Filtering Platform (WFP) and added the ability to filter outbound traffic via the Advanced Security MMC snap-in. With Windows 7, Microsoft has tweaked the firewall further and made it much more useable, especially on mobile computers, by adding support for multiple active firewall policies.
Introducing the Windows 7 Firewall
As with Vista, the basic settings for the Windows 7 firewall are accessed via the Control Panel applet. Unlike Vista, you can also access the advanced settings (including configuration of filtering for outbound connections) through the Control Panel instead of having to create an empty MMC and add a snap-in. Just click the Advanced Settings link in the left panel, as shown in Figure 1.
Figure 1: In Windows 7, you can get to the advanced firewall settings through the Control Panel applet
More Network Options
The Vista firewall allows you to choose whether you are on a public or private network. With Windows 7, you have three choices - public network, home network or work network. The two latter options are treated as private networks.
If you select the "home network" option, you can set up a Homegroup. In this case, network discovery is automatically turned on so you will be able to see the other computers and devices on the network and they will be able to see your computer. Computers that belong to the Homegroup can share picture, music, video and document libraries and can share hardware devices such as printers. If there are folders in your libraries that you do not want to share, you can exclude them.
If you select "work network," network discovery is on by default but you would not be able to create or join a Homegroup. If you join the computer to a Windows domain (via Control Panel | System | Advanced System Settings | Computer Name tab) and are authenticated to the domain controller, the firewall will automatically recognize the network as a domain network.
"Public network" is the appropriate selection when you are connected to a public wi-fi network at an airport, hotel or coffee shop or using a mobile broadband network. Network discovery will be turned off by default so that other computers on the network can not see yours and you cannot create or belong to a Homegroup.
With all network types, by default the Windows 7 firewall blocks connections to programs that are not on the list of allowed programs. Windows 7 allows you to configure the settings for each network type separately, as shown in Figure 2.
Figure 2: Windows 7 allows you to configure settings separately for each network type
Multiple Active Profiles
With Vista, even though you had profiles for both public and private networks, only one of them was allowed to be active at a given time. If your computer happened to be connected to two different networks, you were out of luck. The most restrictive profile got applied to all connections, which meant you might not be able to do everything you needed to do on your local (private) network because you were operating under the rules for the public network. With Windows 7 (and Server 2008 R2), a different profiles can be active for each network adapter. The connection to the private network is subject to the private network rules while traffic coming to or from the public has those rules applied.
The Little Things That Count
In many cases, greater usability hinges on small changes and Microsoft has been listening to users and incorporated some of those "little things that count" into the Windows 7 firewall. For example, in Vista when you created firewall rules, you had to list port numbers and IP addresses individually. Now you can specify ranges, which shaves time off of the performance of this common administrative task.
You can also create connection security rules that specify which ports or protocols are subject to IPsec requirements right there in the firewall console, instead of having to use the netsh command. For those who prefer the GUI, this is a handy improvement.
The connection security rules also support dynamic encryption. That means that if a server gets an unencrypted (but authenticated) message from a client computer, a security association can be negotiated "on the fly" to require encryption, making for more secure communications.
Configuring Profiles with Advanced Settings
Using the Advanced Settings console, you can configure the options for each of network type profiles, as shown in Figure 3.
Figure 3: You can configure options for each profile using the Advanced Settings console
For each profile, you can configure the following
On/off status of the Windows firewall
Inbound connections (block, block all connections, or allow)
Outbound connections (allow or block)
Display notifications (whether or not to notify you when a program is blocked)
Allow unicast response to multicast or broadcast traffic
Apply local firewall rules created by the local administrator in addition to Group Policy firewall rules
Allow local connection security rules created by local administrators in addition to Group Policy connection security rules
The Vista firewall can be configured to log events to a file (by default, Windows\System32\LogFiles\Firewall\pfirewall.log). In Windows 7, the events are also logged in the Event Viewer's Applications and Services section, making it easier to access. To access this log, open the Event Viewer and in the left pane, click Applications and Services Log | Microsoft | Windows | Windows Firewall with Advanced Security, as shown in Figure 4.
Figure 4: Windows 7 logs firewall events in the Event Viewer as well as a file
In the Event Viewer log, you can create a custom view, filter the log, search the log or enable verbose logging.
The Netsh Command
Windows 7 contains the netsh firewall context for backward compatibility, but if you run it, you will get a message that says "IMPORTANT "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. You can find out more about the new command here.
The Windows 7 Firewall refines the much-improved firewall that was included in Windows Vista, and brings its "hidden" advanced features out into the open. Many users, including some IT professionals, were unaware that you could filter outbound traffic, monitor and otherwise perform advanced configuration tasks for the Vista firewall, because none of that was apparent from the Firewall applet in Control Panel. With Windows 7, Microsoft has created a built-in host firewall that is much more functional than its predecessors and now poses a viable alternative to third party host firewall products.