Overview of the Windows Server 2008 Firewall with Advanced Security Part 1: Setting the Firewall and IPsec Connection Security Defaults

by [Published on 28 May 2008 / Last Updated on 28 May 2008]

The general settings to configure the Windows Firewall with Advanced Security.

If you would like to read the other parts in this article series please go to:

If you would like to be notified when Thomas Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

Windows Server 2003 included a basic host based firewall that protected the machine from external connections that you did not want to make to the server. While this was very helpful in protecting the Windows Server 2003 machine, it was relatively unsophisticated and did not allow for granular control of both inbound and outbound access to and from the Windows Server 2003 computer. In addition, the firewall included with Windows Server 2003 was not tightly integrated with installed services, so you had to manually configure the firewall whenever you added a new server or service to the machine.

Windows Server 2008 introduces a new and improved firewall; the Windows Firewall with Advanced Security. The new Windows firewall introduces many improvements and is very similar to the firewall that was included with Windows Vista. Features included with the new Windows Firewall with Advanced Security include:

  • Granular inbound access control
  • Granular outbound access control
  • Tight integration with the Windows Server 2008 Server Manager, with automatic configuration of the firewall when services are installed using the Server Manager
  • Highly improved IPsec policy configuration and management, and a name change. IPsec policies are now referred to as Connection Security Rules
  • Improved monitoring of firewall policy
  • Improved monitoring of IPsec policies (now called Connection Security Rules)
  • Improved centralized monitoring of Main and Quick Mode Security Associations

There are many configuration options included with the Windows Firewall, so this article will be split into three parts, this first part is about basic general configuration options for the firewall and for IPsec policies. The second part will focus on how to create inbound and outbound rules, and the third part will hone in how to create connection security rules.

The Windows Firewall with Advanced Security console can be opened from the Administrative Tools menu. When you open the console, you’ll see the left pane as seen in the figure below.


Figure 1

The middle pane of the console will provide information about the Domain, Private and Public profiles. The default values for each profile are:

  • Windows Firewall is on
  • Inbound connection that do not match a rule are blocked
  • Outbound connection that do not match a rule are allowed

For firewall admins, the last one might sound a bit confusing, since on network firewalls, if there isn’t a rule allowing a connection, a default “clean up” rule is triggered and the connection is blocked. However, in the context of the host-based Windows Firewall with Advanced Security, the Outbound connection that do not match a rule are allowed means that there are no outbound access control in place by default.


Figure 2

In the left pane of the Windows Firewall with Advanced Security console, right click on the Windows Firewall with Advanced Security node at the top of the left pane of the console and click Properties. This brings up the Windows Firewall with Advanced Security Properties dialog box.

The Domain Profile tab is the first one to appear in the Windows Firewall with Advanced Security Properties dialog box. The Domain Profile is the one that applies when the machine is connected to the corporate network and can contact the domain. Since servers don’t typically move around from network to network, only the domain profile is going to apply in the major of cases. The exception will be when the server is not a member of a domain, in which case the Private Profile will apply to it.

In the State frame you configure the following:

  • Firewall state. This can be either off or on. It’s on by default and should stay that way.
  • Inbound connections. The default setting is to Block (default). This means that connections that do not have an allow rule will be blocked. There are two other options: Allow, which allows all inbound connections and Block all connections, which blocks all inbound connections. Be careful with both of these alternate settings, because the Allow one could get your server p0wnD and the other can block all inbound connectivity, which will make it hard to manage the machine from over the network
  • Outbound connections. The default setting is to Allow (default) connection outbound. The other option is to block outbound connections. I suggest you leave the default, or else the machine won’t be able to connection to other machines. There are exceptions, such as Internet connected devices that should only be responding to inbound connections and should not be establishing new outbound connections.

In the Settings frame you configure settings that control some general firewall behavior. Click the Customize button now.


Figure 3

This brings up the Customize Settings for the Domain Profile dialog box. In the Firewall settings frame, you configure whether or not you want have notification displayed when an inbound connection is blocked. The default setting is No and you should leave it that way. Otherwise you’ll go insane by all the notifications for unsolicited connections to the server.

In the Unicast response frame, you configure how you want the machine to respond to multicast and broadcast network traffic. The default value is Yes (default), which enables the server to provide unicast responses to the multicast requests. If you’re in an environment where you don’t depend on multicast or broadcast messages (you don’t have multicast applications on the server and the server doesn’t depend on broadcast based protocols such as NetBIOS over TCP/IP), then you can turn this to No.

The last frame isn’t configurable through the console and has to be configured through Group Policy. The Rule Merging frame shows how the clients should deal with rules that come from the local firewall rule set and firewall rules that are configured via Group Policy. The default settings in Group Policy is to apply both local firewall rules and local connection security rules. As with other Group Policy settings, order of precedence is determined by LSDOU.


Figure 4

On the Windows Firewall with Advanced Security Properties dialog box, in the Logging frame you can configure some logging options for the Windows Firewall. Click Customize.


Figure 5

This brings up the Customize Logging Settings for the Domain Profile dialog box. The name of the log file is pfireall.log by default, and is stored in a default location on the local hard disk. You can change this location if you like by typing a new path in the Name text box or by clicking the Browse button.

The default Size limit (KB) value for the log file size is 4 MB (4096 KB). You can reduce or increase this if you like. After the log fills up, the old entries will be deleted and new entries will be added.

By default, the Log dropped packets and Log successful connections are set to No (default). Note that if you configure both of these to not log, then there won’t be anything to record in the log file. J


Figure 6

On the Private Profile tab you configure the same firewall settings you did on the Domain Profile tab, but these settings only take effect when the computer is connected to a private network location that isn’t connected to the domain. These settings are never applied when a domain member server is a member of the domain, since it wouldn’t be moved on and off the network, so it would always be domain connected, otherwise it wouldn’t function at all.


Figure 7

On the Public Profile tab, you configure settings that apply when the computer is connected to a public network. This would never apply to servers, since these settings are used when the computer is connected to a public network.


Figure 8

On the IPsec Settings tab, there are two frames:

  • IPsec defaults. These are the default IPsec settings that are applied when you create Connection Security rules (the new name for IPsec policies). Note that when you create Connection Security Rules that you will have the option to change the settings on each rule from the defaults.
  • IPsec exemptions. By default, IPsec exemptions are disabled. However, you might find network troubleshooting using Ping, tracert and other ICMP dependent tools a lot easier if you change it from the default No (default) to Yes.

Click the Customize button in the IPsec defaults frame.


Figure 9

On the Customize IPsec Settings dialog box, you can configure the following:

  • Key Exchange (Main Mode)
  • Data Protection (Quick Mode)
  • Authentication Method

Each of these options is configured with a set of default values that Microsoft considered to be preferred. However, for each of these, you can customize the values. For Key exchange (Main Mode) and Data Protection (Quick Mode) you need to select the Advanced option. For the Authentication Method options, you can choose another option or use the Advanced option to get finer tuned control over the authentication methods.

In the Key exchange (Main Mode) frame, click the Advanced option and then click the Customize button.


Figure 10

This bring up the Customize Advanced Key Exchange Settings dialog box. The default settings are shown here. As you can see, AES-128 is the preferred method used for key exchange, and if not available on the other end, it will fall back to 3DES. The key lifetimes are also configured on this page. The Key exchange algorithm is set to Diffie-Hellman Group 2 by default. Group 1 is 768 bits, Group 2 is 1024 bits and Group 14 is 2048 bits.

Note that Elliptic Curve algorithms and Group 14 will not work with previous versions of Windows. They will only work with Windows Vista and Windows Server 2008 machines.

Click Cancel on the Customize Advanced Key Exchange Settings page.


Figure 11

This takes us back to the Customize IPsec Settings page. In the Data Protection frame, select the Advanced option and click Customize.


Figure 12

On the Customize Data Protection Settings page, you configure the Data Integrity and encryption options. By default, ESP is used for data integrity and ESP with AES-128 encryption is used for data encryption. Note that AES-128 is not supported in previous versions of Windows, so the configuration settings enable fallback to triple DES (3DES).


Figure 13

On any of the integrity and encryption protocols, you can click the Edit button after selecting the protocol to see the protocol settings. When you double click on the ESP integrity protocol, you can see that ESP is selected and is the recommend protocol The reason why it’s recommended is that ESP can pass through NAT devices when IPsec NAT traversal is enabled on both devices. The SHA1 hash algorithm is used by default because it’s more secure than MD5.


Figure 14

If you double click on the ESP encryption entry, you’ll see the configuration dialog box for that option. Here you can see that ESP only is selected by default, because of AH’s inability to pass through NAT devices. However, note that if you don’t have NAT devices in the path between the IPsec connected peers, then you can add to the security of your connection rules by enabling AH. However, this is probably something you should do as a customization when you’re creating connection rules.

The default is set to use AES-128, but as you saw in the data integrity and encryption frame, there is a fallback to triple DES if you need to connect to downlevel Windows clients and servers.


Figure 15

The last option you can configure the defaults for is the Authentication Method. To see the details of the authentication methods available, click the Advanced option and then click Customize.


Figure 16

Here you see the Customize Advanced Authentication Methods dialog box. You can see the default setting is to enable Computer (Kerberos V5) authentication only. This is referred to here as the First Authentication. You also have the option of enable User Authentication for a Second Authentication. As you’ll see later when we create Connection Security Policies, you can set authentication to be for the computer, for the user, or for both the user and computer.


Figure 17

Summary

In this article we took a look at the general settings you can make for the Windows Firewall with Advanced Security. We covered the default firewall settings for the Domain, the Public and the Private Profiles, and then we took a closer look at the default settings you can create for IPsec policies. Again, these are the default settings. We will see in part 3 of the article series how to create a connection security policy. See you then! –Tom.

If you would like to read the other parts in this article series please go to:

If you would like to be notified when Thomas Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

Featured Links