Single Computer Management
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
Using the Windows Firewall with Advanced Security snap-in
You can navigate to Windows Firewall with Advanced Security by using either of the following procedures.
To open the Windows Firewall with Advanced Security in Control Panel
Click the Start button, and then click Control Panel.
In Control Panel, click System and Security (in Windows 7 or Windows Server 2008 R2), or System and Maintenance (in Windows Vista or Windows Server 2008.
Click Administrative Tools at the bottom of the screen.
Double-click Windows Firewall with Advanced Security.
If you are running Windows 7 or Windows Server 2008 R2, you can also open the Windows Firewall Control Panel program, and then click the Advanced settings link in the left-hand pane.
To add the Windows Firewall with Advanced Security snap-in to MMC
Click Start, and then in the Start Search box, type mmc, and then press ENTER.
If a User Account Control prompt appears, verify the information presented, and then provide the requested permission or credentials.
On the File menu, click Add/Remove Snap-in.
In the Available snap-ins list box, click Windows Firewall with Advanced Security, and then click Add.
If you are running Windows 7 or Windows Server 2008 R2, select either Local computer, or else select Another computer and then type the name of the computer you want to manage. Click Finish when you are done.
Repeat steps 1 through 6 to add Group Policy Management Console or other snap-ins that you want to use. You might also want to add Event Viewer to view audit log files.
Before you close the snap-in, save and name the custom console for future use.
Configuring firewall properties
To configure firewall properties, in the Overview pane, click Windows Firewall Properties. The Windows Firewall with Advanced Security on Local Computer property sheet displays a tab for each of the three available profiles (Domain Profile, Private Profile, and Public Profile) and a tab for IPsec Settings.
Configuring a profile
The tabs for each profile contain identical options. The options on each tab control how Windows Firewall with Advanced Security behaves on a connection that is attached to the specified type of network.
The options that you can configure for each of the three profiles are as follows:
Firewall State. You can turn Windows Firewall with Advanced Security on or off independently for each profile.
Inbound Connections. You can configure inbound connections to follow one of these rules:
Block (default) - Windows Firewall with Advanced Security blocks connections that do not match any active firewall rules.
Block all connections - Windows Firewall with Advanced Security ignores all inbound rules, effectively blocking all inbound connections.
Allow - Windows Firewall with Advanced Security allows inbound connections that do not match an active firewall rule.
Outbound Connections - You can configure outbound connections to follow one of these rules:
Allow (default) - Windows Firewall with Advanced Security allows connections that do not match any active firewall rules.
Block - Windows Firewall with Advanced Security blocks outbound connections that do not match an active firewall rule.
Settings - Click the Customize button in the Settings area to configure the following settings:
Display notifications. This setting determines whether a message is displayed to the user when a program is blocked from receiving inbound communications. This setting controls whether Windows displays a notification letting a user know that an inbound connection has been blocked. If local overrides are permitted, a prompt will appear asking whether to unblock the application or not.
Allow unicast response to multicast or broadcast network traffic. This setting allows the computer to receive unicast responses to its outgoing multicast or broadcast requests.
Apply local firewall rules. Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to create firewall rules on this computer. When you clear this option, administrators can still create rules, but the rules will not be applied. This setting is available only when configuring the policy through Group Policy.
Allow local connection security rules. Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create connection security rules on this computer. When this option is cleared, administrators can still create rules, but the rules will not be applied.
Logging. Click the Customize button in the Logging area to configure the following logging options:
Name. By default, the file is stored in %windir%\system32\LogFiles\Firewall\pfirewall.log.
Size limit. By default, the size limit is 4096 KB.
Log dropped packets. By default, dropped packets are not logged.
Log successful connections. By default, successful connections are not logged.
In Windows 7 and Windows Server 2008 R2, Windows Firewall with Advanced Security also logs events in the Event Viewer program, under Applications and Services Logs\Microsoft\Windows\Windows Firewall with Advanced Security. Information about both firewall and IPsec (connection security) events is presented here.
If you are configuring the firewall by using Group Policy, you need to make sure the Windows Firewall service has explicit write access by its service security identifier (SID) to the location that you specify. For more information about setting permissions for the log folder, see Customize Logging Settings for a Firewall Profile (http://go.microsoft.com/fwlink/?linkid=147899).
Configuring IPsec settings
The Customize IPsec Settings dialog box opens when you click the Customize button on the IPsec Settings tab of the Windows Firewall with Advanced Security on Local Computer property sheet. These settings are used when you create computer connection security rules. You can specify the following:
Key Exchange. To enable secure communication, two computers must be able to access the same shared key without transferring that key across the network. Selecting Advanced and then clicking Customize allows you to configure security methods, key exchange algorithms, and key lifetimes.
Data Protection. IPsec data protection defines the algorithms used to provide data integrity and encryption. Data integrity helps to ensure that data is not modified during transit. Windows Firewall with Advanced Security uses the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocol to provide data protection. Data encryption protects data by concealing the information. Windows Firewall with Advanced Security uses the ESP protocol for data encryption.
Authentication Method. This setting lets you configure the default authentication method for IPsec connections on the local computer. The out-of-box authentication method is Kerberos V5, which allows you to restrict connections to domain-joined computers. You can also restrict connections to only those computers that have a certificate from a specified certification authority (CA).
Create firewall rules
Windows Firewall with Advanced Security allows you to create the following types of inbound or outbound firewall rules:
Program. This type of rule allows traffic for a particular program or service. You can identify the program by program path and executable name.
Port. This type of rule allows traffic on a particular TCP or UDP port number or range of port numbers.
Predefined. Windows includes a number of rules that permit common Windows functions that you can enable, such as File and Printer Sharing, Remote Assistance, and Windows Collaboration. Creating a predefined rule actually enables a group of rules that allows the specified Windows functionality to access the network.
Custom. A custom rule allows you to create a rule that you might not be able to create using the other types of rules.
Create connection security rules
A connection security rule describes how two peer computers authenticate before they establish a connection and how they secure information transmitted between the two computers. Windows Firewall with Advanced Security uses IPsec to enforce these rules. You can create the following connection security rule types:
Isolation. An isolation rule isolates computers by restricting connections based on credentials such as domain membership or health status. Isolation rules allow you to implement a server or domain isolation strategy.
Authentication exemption. You can use an authentication exemption rule to designate computers from which network traffic is permitted without authentication. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group such as gateway.
Server-to-server. A server-to-server rule protects connections between specific computers identified by IP address. This type of rule usually protects connections between servers. When you create the rule, you specify the network endpoints between which communications are protected. You then designate requirements and the authentication you want to use.
Tunnel. A tunnel rule allows you to protect connections between gateway computers and is typically used when connecting across the Internet between two security gateways that each have a private network connected. Network traffic from one private network sent to a computer on the other private network is routed to one end of the tunnel, encapsulated in IPsec for traversing the public network to the other end of the tunnel, and then extracted and routed to the destination. You must specify the tunnel endpoints by IP address and specify the authentication method.
Custom. Use a custom rule to authenticate connections between two endpoints when you cannot set up authentication rules you need by using the other types of rules available.
For more information about configuring profiles and IPsec settings, viewing and creating new rules, and creating connection security rules, see Introduction to Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?LinkId=74581) on the Microsoft Web site.