Improvements in the Windows Server 2008 Windows Firewall

Better Management Interface
The most significant improvement is a new graphical interface for managing the Windows Firewall locally and through Active Directory domain-based group policies. The old Control Panel item, Windows Firewall, still provides access to basic controls. The new user interface is a Microsoft Management Console (MMC) snap-in. For controlling local settings, you open the Windows Firewall with Advanced Security console from the Administrative Tools folder. The same snap-in is also part of the Group Policy editor console for managing the firewall via Active Directory domain group policies. Improvements have also been made to netsh.exe, the command-line tool for managing the firewall and IPsec. The netsh command now has a new context, advfirewall, which you can use to script configuration of the firewall or to manage it on a Server Core installation.
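As an added example (not code from the Resource Kit), the following PowerShell script drives the advfirewall context the way you would on a Server Core installation: it backs up the current policy, applies a baseline from a netsh script file with `netsh -f`, and prints the result. The backup path, log size and the choice of per-profile defaults are assumptions for illustration.

```powershell
# Added example, not code from the Resource Kit. Run from an elevated prompt.
# On Server Core the same lines can be typed into cmd.exe or kept in the
# script file written below. Backup directory and log size are assumptions.

$backup = "C:\FirewallBackup\policy-before.wfw"   # assumed path
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null

# Export the current policy first so the change can be rolled back with
# "netsh advfirewall import <file>".
netsh advfirewall export "$backup"

# A netsh script: one command per line without the leading "netsh";
# lines starting with "#" are comments (the same format "netsh dump" emits).
$baseline = @"
# Firewall enabled for all three location profiles (Domain, Private, Public)
advfirewall set allprofiles state on
# Default actions: drop unsolicited inbound, allow outbound
advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
# Log dropped packets so that blocked traffic can be reviewed afterwards
advfirewall set allprofiles logging droppedconnections enable
advfirewall set allprofiles logging maxfilesize 4096
# The Public profile is the most exposed: block inbound there even when an
# allow rule exists (blockinboundalways)
advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
"@

$scriptFile = Join-Path $env:TEMP "wfas-baseline.txt"
Set-Content -Path $scriptFile -Value $baseline -Encoding ASCII

# Run every line in one netsh session, then exit netsh.
netsh -f "$scriptFile"

# Confirm what is now in effect for each profile.
netsh advfirewall show allprofiles
```

Keeping the baseline in a script file rather than typing commands one at a time makes the configuration reviewable and repeatable across servers, and the exported `.wfw` file gives you a known-good state to import if a later change locks you out.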

Windows Service Hardening
While many steps have been taken to protect the services themselves, an attacker can possibly still find a way to exploit a Windows system service. If a service is compromised, Windows Service Hardening will help to reduce the impact in several ways. For example, the firewall blocks abnormal behavior, such as a service that has no need to access the network attempting to send out HTTP traffic.

Outbound Filtering
After many years observing hand-wringing, hyperventilation, and multi-page walls of text from vendors, pundits, and security experts (both genuine and self-proclaimed), I concluded that in most cases, outbound filtering of network traffic on host firewalls is wasted effort. The key words in that sentence are most cases; I will address what I believe are legitimate uses of outbound filtering in a moment. Outbound filtering is typically nothing more than “security theater.” Inbound filtering is what will stop malicious network traffic such as Nimda, Slammer, Sasser, Blaster, or anything else that sends unwanted network traffic to your server.

A whole lot of bloviating was directed at Microsoft when it released the much-improved firewall in Service Pack 2 for Windows XP because it did not do outbound filtering. I am here to tell you that most of those complaints came from people who do not have a good grasp (to say it politely) of what is feasible in computer security or from organizations marketing their own client firewall products. If an attacker (or a piece of malware) has taken control of your computer, what will stop them from reconfiguring the firewall to allow traffic from whatever applications they want to run? The attacker probably does not even have to reconfigure the firewall: they could simply use whatever ports are already allowed, or take control of an application that can already send out traffic. Another really bad aspect of most client firewall solutions that do outbound filtering is the miserable user experience: After you install the cursed thing you are barraged by hundreds of pop-up dialog boxes asking if you really want to let Internet Explorer open a connection to or if you are absolutely certain it is a good idea for MSN Web Messenger to send traffic to After a week of seeing several score of these dialog boxes, users (including paranoid systems administrators and security experts) tend to either disable the thing completely or become trained to click Yes or Accept immediately so they can get on with whatever it was they were hoping to accomplish on the computer!

Microsoft’s newest server operating system makes intelligent use of outbound filtering by blocking system services from initiating network connections except for what they require to function properly. If a service is exploited, it is not going to be able to reconfigure the firewall without alerting the user because it is blocked from modifying the firewall settings. By default, the new firewall allows all other outbound network packets. You could change the default behavior to block all outbound traffic, but I do not recommend it because you will spend many hours, days, and perhaps even weeks trying to figure out every exception you need to make to allow your server to do everything you need it to do.
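The same service-level restriction can be applied to your own services. The following PowerShell script is an added example, not the Resource Kit's own code: it uses the documented Windows Service Hardening COM interface (INetFwServiceRestriction, reached through the HNetCfg.FwPolicy2 object) to restrict one service so that it can reach only its database tier, while the profile's default outbound action stays "allow" for everything else on the server. The service name ContosoInventorySvc, its program path, the database subnet and the port are assumptions.

```powershell
# Added example, not from the Resource Kit. Requires an elevated prompt.
# Assumed values: service name, executable path, database subnet and port.
$svcName = "ContosoInventorySvc"
$svcExe  = "C:\Program Files\Contoso\InventorySvc.exe"
$dbNet   = "10.10.20.0/255.255.255.0"
$dbPort  = "1433"

# 1. Give the service a restricted service SID so the firewall can tell its
#    traffic apart from other code running under the same account. "sc" is a
#    PowerShell alias for Set-Content, so call the executable explicitly.
#    The new SID type takes effect when the service is restarted.
sc.exe sidtype $svcName restricted

# 2. Turn on service restriction: from now on the firewall drops all traffic
#    for this service unless a service-restriction rule allows it. The
#    per-profile default (allow outbound) is unchanged for everything else.
$policy = New-Object -ComObject HNetCfg.FwPolicy2
$policy.ServiceRestriction.RestrictService($svcName, $svcExe, $true, $true)

# 3. The one exception the service legitimately needs: TCP to the database
#    servers on the SQL port. Any other outbound attempt (an unexpected HTTP
#    connection, for instance) is dropped and, with dropped-packet logging
#    enabled for the profile, written to pfirewall.log for review.
$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name            = "$svcName - outbound SQL only"
$rule.Description     = "Added example: service restriction exception"
$rule.ApplicationName = $svcExe
$rule.ServiceName     = $svcName
$rule.Direction       = 2        # NET_FW_RULE_DIR_OUT
$rule.Protocol        = 6        # TCP
$rule.RemotePorts     = $dbPort
$rule.RemoteAddresses = $dbNet
$rule.Action          = 1        # NET_FW_ACTION_ALLOW
$rule.Enabled         = $true
$policy.ServiceRestriction.Rules.Add($rule)

# 4. Verify the restriction is registered, then restart the service so it
#    starts with the restricted SID.
$policy.ServiceRestriction.ServiceRestricted($svcName, $svcExe)   # expect True
Restart-Service -Name $svcName
```

This is the mechanism the text describes: the restriction follows the service's own SID, so a compromised service cannot widen its reach by using ports that other programs on the server are allowed to use, and the server's general outbound traffic is not subjected to the blanket "block all outbound" policy the author advises against.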

Granular Rules
In Windows Server 2008 and Windows Vista the firewall is enabled for both inbound and outbound connections. The default policies block most inbound traffic and allow most outbound traffic. The firewall supports filtering any IP protocol number, unlike the Windows XP firewall that could only filter Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) traffic. You can configure specific rules for blocking or allowing traffic by using IP addresses, IP protocol numbers, Active Directory directory service accounts and groups, system services, UDP and TCP source and destination ports, specific types of interfaces, and ICMP by type and code.
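To show what those match criteria look like in practice, here is an added example (not from the Resource Kit) of inbound rules written with the netsh advfirewall firewall context: ICMP by type and code, a raw IP protocol number, port lists and ranges tied to an interface type and to specific profiles, and a system service limited to the local subnet. The management subnet, the rule-name prefix and the application port range are assumptions.

```powershell
# Added example, not from the Resource Kit. Requires an elevated prompt.
# Assumed values: the management subnet, the "Example-" rule prefix and the
# application port range.
$mgmtNet = "10.0.5.0/24"      # assumed admin workstation subnet
$prefix  = "Example-"         # common prefix so the set is easy to list and remove

# ICMP by type and code: answer Echo Request (type 8, any code) only from
# the management subnet; other ICMPv4 stays subject to the inbound default.
netsh advfirewall firewall add rule name="${prefix}ICMPv4-Echo-Mgmt" dir=in action=allow `
    protocol=icmpv4:8,any remoteip=$mgmtNet

# Arbitrary IP protocol numbers, which the XP firewall could not filter:
# GRE (47) and ESP (50) carry tunnel traffic and have no port numbers at all.
netsh advfirewall firewall add rule name="${prefix}GRE-In" dir=in action=allow protocol=47 remoteip=$mgmtNet
netsh advfirewall firewall add rule name="${prefix}ESP-In" dir=in action=allow protocol=50

# Port list plus range, restricted to wired interfaces and to the Domain and
# Private profiles, so the same ports remain closed on a Public network.
netsh advfirewall firewall add rule name="${prefix}App-TCP-Ports" dir=in action=allow `
    protocol=TCP localport=8080,9000-9010 interfacetype=lan profile=domain,private

# A system service matched by its short name inside its host process,
# limited to the local subnet: the Windows Time service has no reason to
# accept NTP from beyond it.
netsh advfirewall firewall add rule name="${prefix}W32Time-UDP123-LocalSubnet" dir=in action=allow `
    program="$env:SystemRoot\system32\svchost.exe" service=w32time protocol=UDP localport=123 remoteip=localsubnet

# Inspect the result. "verbose" prints every field, including those that
# were defaulted (edge traversal, interface types, profiles).
netsh advfirewall firewall show rule name=all verbose | Select-String "^Rule Name:\s+$prefix"

# Removal is by name, so the shared prefix makes cleanup straightforward:
# netsh advfirewall firewall delete rule name="${prefix}GRE-In"
```

Two points worth keeping in mind when writing rules this way: the remote address, interface type and profile constraints compound, so a rule only matches when all of them hold, and "show rule ... verbose" is the quickest way to confirm that a field you left out was defaulted to the value you expected.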

Location-Aware Profiles
Windows Firewall takes advantage of the new TCP/IP stack’s ability to automatically track what network it is connected to. You can configure rules and settings for each of the three profiles: Domain, Private, and Public. The Domain profile applies when all of the computer’s networks include Active Directory domain controllers for the domain that the computer belongs to. The Private profile is used when all active network connections have been designated by an administrator as private ones protected by a firewall. The Public profile is used when the computer is connected directly to the Internet, or the network has not been defined as Private or Domain.

Authenticated Bypass
You can configure rules that allow specific computers or groups of computers to bypass other firewall rules by using IPsec authentication in those rules. This means that you can block a particular type of traffic from all other hosts, but allow a select few systems to bypass that restriction and access the blocked service. The rules can be even more specific, detailing which ports or programs can receive the traffic.

Active Directory User, Computer, and Groups Support
Rules can include users, computers, and groups defined in Active Directory, but you must secure connections affected by these types of rules with IPsec using an Active Directory account credential.
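The two preceding sections (authenticated bypass, and rules that name Active Directory computers or groups) go together, so one added example covers both. It is not the Resource Kit's own code: it creates the connection security rule that supplies the IPsec authentication, a block rule for a port, and a bypass rule that lets only members of an Active Directory computer group through that block. The domain name CONTOSO and the group name "Admin Workstations" are assumptions; the group's SID is looked up from the domain rather than typed in.

```powershell
# Added example, not from the Resource Kit. Requires an elevated prompt on a
# domain-joined server. Domain and group names are assumptions.

# 1. Resolve the AD group to its SID and wrap it in the SDDL form that netsh
#    expects for rmtcomputergrp / rmtusrgrp: D:(A;;CC;;;<SID>)
$group = New-Object System.Security.Principal.NTAccount("CONTOSO", "Admin Workstations")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "D:(A;;CC;;;$sid)"

# 2. Connection security rule (the IPsec half, set in the same netsh context):
#    request authentication in both directions using the computer's Kerberos
#    credential. Peers that cannot authenticate still connect as before; they
#    just cannot satisfy the bypass rule below.
netsh advfirewall consec add rule name="Example-Request-Kerberos" endpoint1=any endpoint2=any `
    action=requestinrequestout auth1=computerkerb

# 3. Block the port from everyone ...
netsh advfirewall firewall add rule name="Example-RDP-Block-All" dir=in action=block protocol=TCP localport=3389

# 4. ... then let only the group through. Authenticated bypass rules are
#    evaluated ahead of block rules, which is what makes this pairing work.
#    The rule matches only if the connection is IPsec-authenticated
#    (security=authenticate) and the peer's computer account is in the group.
netsh advfirewall firewall add rule name="Example-RDP-Bypass-AdminWS" dir=in action=bypass protocol=TCP localport=3389 `
    security=authenticate rmtcomputergrp="$sddl"

# 5. Check that the group's SDDL is attached to the bypass rule.
netsh advfirewall firewall show rule name="Example-RDP-Bypass-AdminWS" verbose
```

Because the block and bypass rules name the same port, anyone reviewing the policy later can see at a glance that the port is closed except to the listed group, and the connection security rule is the piece that makes the group membership verifiable rather than a claim in a packet header.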

IPv6 Support
Windows Firewall with Advanced Security fully supports IPv6.

IPsec Integration
In Windows XP and Windows Server 2003, rules for the Windows Firewall and IPsec are configured separately. Because both can block or allow inbound traffic, you could accidentally create redundant or even contradictory rules. These types of configuration errors can be difficult to troubleshoot. The new Windows Firewall combines the configuration of both the firewall and IPsec into the same graphical and command-line tools, which both simplifies management and reduces the risk of misconfiguration.

Source of information: Microsoft Press Windows Server 2008 Security Resource Kit.
