Network Location-Aware Host Firewall

Updated: December 1, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Many applications connect to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can automatically adapt to changing network conditions has been difficult for developers. Windows 7, Windows Vista, Windows Server 2008 R2 and Windows Server 2008 alert applications to changes in the detected network connectivity, and applications can then operate differently to provide a seamless experience.

Windows identifies and remembers each of the networks to which it connects. Network Awareness application programming interfaces (APIs) then allow applications to query for characteristics of each of these networks, including:

  • Connectivity.  A network might be disconnected, it might provide access to the local network, the Internet, a corporate network, or any combination of the three.

  • Connections.  The computer might be connected to a network through one or more connections. Network Awareness APIs enable applications to determine which connections the computer is currently using to access a given network.

  • Location.  Each network is assigned a location that identifies its type. Some of the operating system settings change based on the location of the networks to which it is connected. For example, Windows Firewall with Advanced Security can enforce different policies based on the locations of the networks to which the computer is currently connected.

    There are three categories of network locations in Windows:

    • Domain.  The Windows operating system automatically identifies networks on which the computer can authenticate access to a domain controller for the domain to which the computer is joined. You cannot manually assign a network to this location.

    • Public.  With the exception of domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or that are in public places, such as airports and coffee shops, should be left public.

    • Private.  A network will be categorized as private only if a user or application designates it as private. Only networks located behind a private gateway device should be designated as private networks. Users will likely want to designate home or small business networks as private.

When a user connects to a network that is not identifiable as a Domain location, Windows asks the user to designate the network as either Public or Private. The user must be a local administrator of the computer to designate the network as Private. When the type of network to which the computer is connected is identified, Windows can optimize some of its configuration, especially its firewall configuration, for the specified network location.

Windows Firewall with Advanced Security is an example of a network-aware application. The administrator can associate a profile to each network location, with each profile containing different firewall policies. For example, Windows Firewall can automatically allow incoming traffic for a specified desktop management tool when the computer is on a domain network but block that same traffic when the computer is connected to a public or private network. In this way, Network location awareness can provide flexibility on your internal network without sacrificing security when mobile users travel. The Network Location Awareness APIs complement the robust and flexible filtering built into Windows Firewall with Advanced Security, which lets you filter programs, services, or ports for IP address scopes, interface types, users, groups, computers, and levels of protection – all based on which network locations to which the computer is connected. A public network profile should have stricter firewall policies to protect against unauthorized access. A private network profile, on the other hand, might have less restrictive firewall policies to allow file and printer sharing, peer-to-peer discovery, and connectivity with Windows Connect Now devices. Domain profiles typically have the least restrictive rules, because the computers on that network are trusted.

  • Windows Vista and Windows Server 2008 support only a single profile on the computer at a time. If the computer is connected to more than one network, then the network location that requires the most protection is the one applied to all connections on the computer. If a public network is detected, then all connections to the computer are protected by the rules associated with the public profile. If a private network is detected and there are no public networks detected, then the private profile is applied to the computer. Only if a domain network is detected and there are no public or private networks detected is the domain profile applied.

  • Starting with Windows 7 and Windows Server 2008 R2, Windows supports a separate profile for each network connection. If a connection to a public network is detected, then that connection is protected by the rules associated with the public profile. A connection to a domain network on the same computer is protected by the domain profile. All of the profiles can be active at the same time, each protecting the connections according to its network location type.

By default, unsolicited incoming traffic is blocked. You must create rules to allow other authorized traffic to pass through the firewall into the computer. The default settings allow all outgoing traffic. You must specifically block programs or types of traffic that should not be allowed.

You will learn how to configure these profiles and create rules in the section Managing Windows Firewall with Advanced Security.