Designing a Windows Firewall with Advanced Security Strategy
Updated: January 27, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the computers on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the computers.
The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.
What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs?
What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs?
What traffic on the network cannot be protected by IPsec because the computers or devices sending or receiving the traffic do not support IPsec?
For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required?
Do you have an Active Directory domain (or forest of trusted domains) to which all your computers are joined? If you do not, then you cannot use Group Policy for easy mass deployment of your firewall and connection security rules. You also cannot easily take advantage of Kerberos V5 authentication that all domain clients can use.
Which computers must be able to accept unsolicited inbound connections from computers that are not part of the domain?
Which computers contain data that must be encrypted when exchanged with another computer?
Which computers contain sensitive data to which access must be restricted to specifically authorized users and computers?
Does your organization have specific network troubleshooting devices or computers (such as protocol analyzers) that must be granted unlimited access to the computers on the network, essentially bypassing the firewall?
If you already have firewall or IPsec rules deployed
Windows Firewall with Advanced Security in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 has many new capabilities that are not available in earlier versions of Windows. The IPsec and Windows Firewall policies that you create for computers that are running Windows XP and Windows Server 2003 can still be applied to computers that are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2. However, doing this prevents you from taking advantage of all the new features and performance improvements included in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2.
If you already have a domain and/or server isolation deployment in your organization then you must evaluate and choose between two options:
Option 1: Use the existing GPOs already in place and apply them to computers that are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2. If you choose to do this then you must use the Windows Firewall and IPsec guidance applicable to Windows XP and Windows Server 2003. Design and deployment guidance for those technologies is available on the Web at "Server and Domain Isolation Using IPsec and Group Policy" (http://go.microsoft.com/fwlink/?linkid=110400). It is also available in downloadable form at http://go.microsoft.com/fwlink/?linkid=110401.
Option 2: Create new GPOs for computers that are running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2, and use WMI and group filters to ensure that the correct GPOs apply to your computers. This is the technique discussed in this guide and its accompanying deployment guide.
If you choose this technique, you must ensure that the IPsec policies you apply to your computers that are running different operating systems are compatible with each other. For example, a server that is running Windows Server 2008 R2 can use a broader set of authentication and encryption settings than are available on Windows XP and Windows Server 2003. To ensure that client computers that are running both older and newer operating systems can access the resources on a server, the server must include in its IKE negotiation offers at least one algorithm that each client can use. You can choose to use the newer, more advanced settings to help secure traffic to a client that is running Windows 7, but if the server must also be accessed by computers that are running previous versions of Windows, then the server must also offer authentication methods that those computers can use.
This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section Planning Group Policy Deployment for Your Isolation Zones later in this guide.