Help: Windows Firewall overview
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows Firewall overview
To protect your network from the growing number of malicious network attacks, you need to adopt a defense-in-depth strategy. A defense-in-depth strategy incorporates a variety of network security technologies into your security architecture and implements those technologies in a layered structure that extends from your perimeter network (outer layer) to every computer in your organization (inner layer). By providing host firewall protection on the innermost layer of your network, Windows Firewall, a new security component in Windows XP with Service Pack 2 and Windows Server 2003 with Service Pack 1, can be an effective part of your defense-in-depth security strategy.
What is Windows Firewall?
Windows Firewall is a host firewall technology, so it runs on each of your clients and servers, providing protection from network attacks that pass through your perimeter network or originate inside your organization, such as Trojan horse attacks, port scanning attacks, and worms. Like many firewall technologies, Windows Firewall is a stateful firewall, so it inspects and filters all TCP/IP version 4 (IPv4) and TCP/IP version 6 (IPv6) traffic. Unsolicited incoming traffic is dropped unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, has been added to the exceptions list). You can specify traffic to be added to the exceptions list according to port number, application name, or service name by configuring Windows Firewall settings. With the exception of some Internet Control Message Protocol (ICMP) messages, Windows Firewall allows all outgoing traffic.
You cannot use Windows Firewall as a perimeter firewall solution and you should not use it as a substitute for other network security technologies. Windows Firewall is designed to be a supplemental security solution; it should be part of a security architecture that implements a variety of security technologies, such as border routers, perimeter firewalls, virtual private networking (VPN), and Internet Protocol security (IPSec).
How does Windows Firewall work?
When an incoming packet reaches your computer, Windows Firewall inspects the packet and determines whether it meets criteria specified on the exceptions list. If the packet matches an entry in the list, Windows Firewall passes the packet to the TCP/IP protocol for further processing. If the packet does not match an entry in the list, Windows Firewall silently discards the packet and creates an entry in the Windows Firewall logging file (if the logging file is enabled). The entries in the exceptions list can consist of program names, system service names, TCP ports, and UDP ports. There is no way to create an entry in the exceptions list based on the IP Protocol field in the IP header.
There are only two conditions under which traffic can pass through Windows Firewall:
When the incoming traffic corresponds to a recent outgoing request, in which case the response traffic is then considered incoming solicited traffic.
An example of this occurs when a Domain Name System (DNS) Name Query Request message is sent to a DNS server. Windows Firewall adds an entry to the state filter table so that the corresponding DNS Name Query Response message sent by the DNS server can be passed to the TCP/IP protocol for further processing.
When you configure Windows Firewall for exceptions, in which case you allow a computer using Windows Firewall to accept unsolicited incoming traffic when acting as a server, a listener, or a peer.
An example of this occurs when your computer is acting as a Web server. In this case, you must configure Windows Firewall to allow Web traffic so that the computer can respond to requests from Web clients. You can configure exceptions based on programs, in which case the ports opened by the program are added to the exceptions list automatically, or on TCP or UDP ports, in which case the ports are opened whether the application or services using them is active or not.
Common Windows Firewall scenarios
With a few exceptions, Windows Firewall can be enabled on all configurations of Windows XP with SP2 or Windows Server 2003 with SP1. Therefore, it is recommended that you enable Windows Firewall on every client and server in your organization, including bastion hosts and other servers in your perimeter network, mobile and remote clients that connect to your network, and all clients and servers in your internal network. In addition, Windows Firewall can be enabled for any network architecture. Therefore, it is also recommended that you enable Windows Firewall regardless of how you have designed and implemented your perimeter network or your internal network.
There are a few circumstances that might require you to disable Windows Firewall.
Servers that are running Routing and Remote Access
You should not enable Windows Firewall on a server that is running Routing and Remote Access. Routing and Remote Access has its own firewall, which makes Windows Firewall redundant and unnecessary, and Routing and Remote Access might not run if you have Windows Firewall enabled.
Servers that are running perimeter firewalls
You should not run Windows Firewall on a server that is running a perimeter firewall, such as Microsoft Internet Security and Acceleration (ISA) Server 2004. The protection that Windows Firewall provides in this situation is redundant and unnecessary. In addition, Windows Firewall can cause perimeter firewalls such as ISA Server to function improperly.
Computers that are running non-Microsoft host firewalls
You should disable Windows Firewall on a computer that is running a non-Microsoft host firewall. Although it is possible to run two host firewalls on a single computer, it is not recommended that you do so. Host firewall implementations vary widely and there is no guarantee that a non-Microsoft host firewall and Windows Firewall will work well together. Also, using multiple host firewalls on a single computer does not necessarily decrease your attack surface because the configuration settings (traffic rules) for each firewall would likely be the same and therefore redundant. Also, the use of multiple host firewalls on a single computer increases your operational overhead without any substantial gain in security.
In addition, you might want to disable Windows Firewall if a client or server requires you to open numerous ports or allow a large number of applications and services to receive unsolicited traffic. Because a significant volume of network traffic will be allowed to pass through Windows Firewall anyway, by disabling Windows Firewall, you eliminate the operational overhead associated with Windows Firewall configuration and maintenance. You also avoid any performance impact related to Windows Firewall. However, you should closely evaluate the design of any client or server that requires you to open numerous ports. Clients and servers that are configured for numerous roles or are configured to provide numerous services can be a critical point of failure in your organization and usually indicate poor infrastructure design.
Windows Firewall impacts
When it is enabled in its default configuration, Windows Firewall blocks all unsolicited incoming network traffic on all network connections. While blocking unsolicited incoming traffic reduces your attack surface and increases your level of security, it can cause some applications and services to stop working properly. For this reason, you might need to configure Windows Firewall so that unsolicited incoming traffic is allowed on certain ports or for certain applications and services. Configuration changes are usually not required on clients that are running Windows XP because the applications and services that run on a client do not often need to receive unsolicited incoming traffic. However, configuration changes are usually required on servers that are running Windows Server 2003 because many of the applications and services that run on servers, by their nature, need to receive and process unsolicited incoming traffic.
Impacts on Windows XP
Windows Firewall affects only the applications and services that listen for and respond to unsolicited incoming network traffic. There are not many applications and services that do this on clients because clients are typically configured as service consumers, not service providers. In other words, most of the network traffic that passes through a client computer is initiated by the client in the form of an outgoing request to another computer. Therefore, on clients, you usually do not need to configure Windows Firewall settings. There are, however, some scenarios for which you might have to create Windows Firewall exceptions:
File and Printer Sharing
If you want to share files, folders, or printers so that other computers can access these resources on a client computer, you need to configure Windows Firewall on the client computer so that unsolicited incoming traffic is allowed on TCP ports 139 and 445, and UDP ports 137 and 138.
Remote Assistance
If you want administrators and help desk technicians to use Remote Assistance to administer clients, you need to configure Windows Firewall on your clients so that the Remote Assistance application is allowed to process unsolicited incoming traffic.
Remote Desktop
If you want administrators and help desk technicians to use Remote Desktop to administer clients, you need to configure Windows Firewall on your clients so that unsolicited incoming traffic is allowed on TCP port 3389.
UPnP
If your clients need to process UPnP requests from other computers, you need to configure Windows Firewall on your clients so that unsolicited incoming traffic is allowed on TCP port 2869 and UDP port 1900.
In addition, you might have to configure Windows Firewall settings on clients that run certain types of e-mail and antivirus programs. E-mail programs that connect to an Exchange server typically receive unsolicited incoming traffic when the Exchange server sends a message to the client informing the client that new mail has arrived. Centrally-managed antivirus programs typically receive unsolicited traffic when new virus signatures are pushed down to clients from a server.
Impacts on Windows Server 2003
Unlike clients, servers typically run numerous applications and services that listen for and respond to unsolicited incoming network traffic. Therefore, on servers, you usually need to configure some Windows Firewall settings so that unsolicited traffic is not blocked by Windows Firewall. The configuration changes that you need to make to Windows Firewall vary according to the server role and the applications and services that are running on the server. The following are some common server roles that require you to configure Windows Firewall settings:
| Server role | Configuration required |
|---|---|
DHCP server |
Allow unsolicited traffic through TCP port 67. |
DNS server |
Allow unsolicited traffic through TCP port 53. |
POP3 server |
Allow unsolicited traffic through TCP port 110. If you are securing POP3 traffic with Secure Sockets Layer (SSL), allow unsolicited traffic through TCP port 995. |
Telnet server |
Allow unsolicited traffic through TCP port 23. |
In addition to configuring Windows Firewall for various server roles, applications, and services, you need to configure Windows Firewall settings on every server that you intend to manage remotely. If you are managing the server by using the Administration Tools Pack on a client running Windows XP, then you need to configure Windows Firewall settings on the server to ensure that Windows Firewall allows the unsolicited traffic from the remote computer to reach the applications and services that are running on the server.
Notes
Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.
Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.
See Also
Concepts
Help: Windows Firewall How To...
Help: Understanding Windows Firewall
Help: Administering Windows Firewall