Microsoft has provided a Firewall for nearly a decade now. The firewall is designed to help protect the local computer against attacks, plus to limit the inbound and outbound communications to that computer. Needless to say, up until now most companies have ignored the local firewall in lieu of a perimeter firewall. If there has been a local firewall put in place and configured for Windows computers, it was a third party firewall. Well, in a radical change of events, Microsoft has not only upgraded the firewall for Windows Server 2008/R2, but they have enabled it and configured it for their Windows Server 2008/R2 domain controllers. The best thing is that it actually works! Here, I will give you a bit of info on the firewall, what the defaults are, and what additional options are available.
Where can I Find the Windows Firewall in Windows Server 2008 R2?
There have been a few changes in Windows Server 2008/R2 as to where to find things. The Windows Firewall is no different. Here, I will show you the best way to view the firewall settings, based on my experience.
In order to view the Windows Firewall, you will want to get into the Server Manager. Server Manager is one of the default Administrative Tools for all Windows Server 2008/R2 computers, including domain controllers. You will find the Server Manager fastest if you go to the Start button, then select Administrative Tools, then Server Manager. When Server Manager starts, it will look like Figure 1.
Figure 1: Server Manager for Windows Server 2008/R2.
Now that you are in Server Manager, you can find the Windows Firewall by opening the Configuration node, then selecting the Windows Firewall with Advanced Security node. After selecting these nodes, you should see a window similar to that in Figure 2.
Figure 2: Windows Firewall with Advanced Security interface.
How Windows Firewall is Better for Windows Server 2008/R2
One of the biggest changes that Microsoft has made to the Windows Firewall over the years is to integrate the firewall settings with IP Security settings. IP Security is one of the most powerful technologies that is around to help protect local computers. IP Security provides options for specifying which computers or networks can communicate with other computers or networks. The options are very granular and IP Security also includes the ability to encrypt the data communications.
For Windows Server 2008/R2 the inclusion of "with Advanced Security" is just this... the inclusion of IP Security with the Windows Firewall.
In addition to IP Security being integrated with the firewall, there is a new summary interface and wizard to help create your firewall rules. You can create Inbound rules, Outbound rules, and Connection Security rules. Inbound and outbound rules seem pretty obvious. Connection security rules are those rules that specify how and when authentication occurs. Connection security rules don't allow or deny connections, that is, where you use inbound or outbound rules.
Default Firewall Configuration
As was stated early in this article, Windows Server 2008/R2 domain controllers come with pre-configured firewall rules. Not only are there inbound rules, but there are outbound rules as well. This is a major step in the right direction with regard to protecting the computer by using the local firewall.
If we take a look at the firewall rules for a standard domain controller, we will see that there are firewall rules as follows:
- Active Directory domain controller
- Core Networking
- File and Printer Sharing
- File Replication
- Kerberos Key Distribution Center
- Remote Desktop
- Windows Management Instrumentation
Of course, there are more details around each of these areas, which a portion of the details can be seen in Figure 3.
Figure 3: List of default firewall rules for a Windows Server 2008/R2 domain controller.
Configuring Windows Firewall with Advanced Security
There are two options for configuring the Windows Firewall settings. Both have advantages, but as an auditor, you will appreciate one over the other. The first is to use the local computer configuration option, which means that each computer will need to be configured individually. The second is to use Group Policy, which allows for a single instance of configuration, which will then target many computers.
To use the local configuration option, you will use the Server Manager interface that we discussed earlier on in this article. From the Windows Firewall with Advanced Security node within Server Manager, you can just right-click on the Inbound, Outbound, or Connection Security node and create a new rule. You will need to know what you want to control, as the wizard will not automatically generate rules. So, for example, you will need to know one or more of the following to create your rules: the program, port, allow or deny action, encryption requirements, and scope of the connection. You can see the wizard in Figure 4.
Figure 4: Windows Firewall rule wizard.
The other option, to use Group Policy, has a very similar wizard to that of the local option. The big difference is that Group Policy can have a single instance for the configuration, but that single instance can affect many computers. To access the Windows Firewall configuration within a Group Policy, you will need to first access the Group Policy Management Console (GPMC), which is one of the Administrative Tools. Once in the GPMC, you can use an existing Group Policy Object, or create a new one. I suggest you create a new GPO by right-clicking on the Group Policy Objects node and selecting New.
After creating your new GPO, you will edit it by right-clicking on it and selecting Edit. This will open up the GPO in the Group Policy Management Editor. From here, you will expand the following nodes to get to the Windows Firewall configuration: Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security, which can be seen in Figure 5.
Figure 5: Windows Firewall with Advanced Security in a GPO.
There is another Windows Firewall with Advanced Security node under the original one, but once you expand past this node, you will see the standard Inbound, Outbound, and Connection Security rules. Each of these has a wizard associated with it, just like the local version. Once these rules are established and saved in the GPO, you then only need to link the GPO to an Active Directory node, such as the domain or an Organizational Unit. (The Domain Admin will need to do this and should know the details on how the GPO application works.)
The Windows Firewall has been an under-utilized tool for many years. The interface has been unfriendly, the configurations confusing, and the overall capabilities less than impressive. Now, with the new integration of IP Security and the Windows Firewall, the capabilities and overall usefulness of the firewall in Windows Server 2008/R2 is not only a benefit, but a default, enabled service. The firewall for your Windows Server 2008/R2 domain controllers come with pre-defined rules, which control both inbound and outbound traffic. In the end, your Windows Server 2008/R2 domain controllers will be more secure from outbound attacks than with any other domain controller before.