
Microsoft Virtual Labs

Managing Network Security Using Windows Firewall with Advanced Security

Table of Contents
Managing Network Security Using Windows Firewall with Advanced Security ... 1
Exercise 1 Implementing an Isolation Policy Using Windows Firewall with Advanced Security ... 2
Exercise 2 Creating a Communications Security Policy for Roaming Users ... 7
Exercise 3 Customizing Windows Firewall with Advanced Security Settings ... 11



Objectives
After completing this lab, you will be better able to:
- Use Windows Firewall with Advanced Security to configure domain isolation with IPsec
- Configure connection security rules and firewall rules
- Make advanced configuration changes to IPsec settings to increase network security
- Perform common Windows Firewall with Advanced Security configuration changes

Scenario
In this lab you will learn to use Windows Firewall with Advanced Security (WFAS) to implement communication security policies in a domain environment. You will first learn to use WFAS to configure domain isolation. You will then learn to configure firewall rules to meet the needs of specific business requirements. Finally, you will explore various parts of the WFAS user interface and perform advanced configuration tasks.

Note: During the course of this lab you may encounter one or more User Account Control prompts. These prompts will ask you to confirm an action you have just taken. When you encounter a User Account Control prompt, select the option which confirms the action you have taken and you will be able to proceed with the next step in the exercise. A shield icon appears after each instruction which invokes a User Account Control dialog box.

Note: The steps in this lab are intended to provide an overview of the technology presented. They are not intended to, and may not, follow Microsoft best practices or guidance on the technology presented.

Note: This lab uses pre-release software. While every effort has been taken to ensure the functionality of the steps documented, some steps may still not function as intended at all times.

Prerequisites
Before working on this lab, you must have:
- An understanding of network protocols and communication, including IPsec.
- An understanding of firewalls.
- An understanding of the Active Directory service.
- An understanding of Group Policy.

Estimated Time to Complete This Lab
60 Minutes

Computers used in this Lab
NYC-DC-1
NYC-SRV-1
The password for the Woodgrovebank\Administrator account on these computers is: pass@word1.

Page 1 of 13


Exercise 1 Implementing an Isolation Policy Using Windows Firewall with Advanced Security
Scenario
In this exercise you will create an isolation policy and deploy it to all computers which are members of your domain. The security policy requires that only members of the Woodgrovebank domain be able to communicate with servers which are also members of the domain. You must ensure that this restriction is not enforced when users are not connected to the corporate network, allowing them to communicate with other servers and resources. To accomplish these goals you will configure a domain-level Windows Firewall with Advanced Security connection security rule. The rule will require that all domain members request IPsec authentication before establishing connections. Once you have verified that this rule is in effect on all domain members, you will elevate the rule to ensure that IPsec security is required for all inbound and outbound connections to domain members and that encryption is required for all connections. You will configure these rules to apply only to the Domain profile.

Note: This exercise requires the following computers: NYC-DC-1 and NYC-SRV-1

Tasks
Complete the following 2 tasks on: NYC-DC-1

1. Configure Domain Isolation using WFAS

Note: In this task you will configure a Windows Firewall with Advanced Security (WFAS) policy in the Default Domain Policy. By default, when WFAS is enabled it prevents most inbound connections from functioning. This means that when WFAS is enabled on a computer such as a domain controller, rules to allow inbound connections have to be created manually. To accomplish domain isolation you must enable WFAS so that connection security rules can be created and applied. In this task you will first enable WFAS and create an allow-all-traffic rule. This will allow WFAS to function, providing additional security, while still allowing all inbound connections to complete. You will then add a connection security rule which will require that all inbound connections be authenticated using a Kerberos credential, ensuring that only domain members can establish connections with other domain members. It is important to note that both a firewall rule and a connection security rule are required to implement domain isolation with IPsec. If only one of the two is configured, the connection will fail.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, in Start Search, type GPMC.MSC and then press ENTER.
b. In Group Policy Management, navigate to Default Domain Policy by expanding Forest: woodgrovebank.com, expanding Domains, and then expanding woodgrovebank.com.
c. Select Default Domain Policy, in the Group Policy Management Console dialog box click OK, and then on the Action menu, click Edit.
d. In Group Policy Object Editor, navigate to Computer Configuration/Windows Settings/Security Settings, and then expand Windows Firewall with Advanced Security.
e. Select Windows Firewall with Advanced Security LDAP://<DN>, and then under Overview, click Windows Firewall Properties.
f. In the Windows Firewall with Advanced Security dialog box, on the Domain Profile tab, make the following configuration changes and then under Settings click Customize.

   Setting                 Value
   Firewall State          On (recommended)
   Inbound connections     Block (default)
   Outbound connections    Allow (default)

g. In the Customize Settings for the Domain Profile dialog box, under Rule Merging, in Apply local firewall rules select No, in Apply local connection security rules select No, and then click OK.
h. Click OK to close the Windows Firewall with Advanced Security LDAP://<DN> dialog box.
i. In Group Policy Object Editor, expand Windows Firewall with Advanced Security LDAP://<DN> and then click Inbound Rules.
j. On the Action menu, click New Rule.
k. Create a new Inbound Rule with the following parameters.

   Setting               Value
   Rule Type             Custom
   Program               All programs
   Protocol and Ports    Any
   Scope                 Any
   Action                Allow the connection
   Profile               Domain only
   Name                  Allow all traffic

l. In Group Policy Object Editor, navigate to Windows Firewall with Advanced Security LDAP://<DN> and then click Connection Security Rules.
m. On the Action menu, click New Rule.
n. Create a new Connection Security Rule with the following parameters.

   Setting                 Value
   Rule Type               Isolation
   Requirements            Request authentication for inbound and outbound connections
   Authentication Method   Default
   Profile                 Domain only
   Name                    Request connection security

Note: You are using Request connection security so that computers which have not yet refreshed Group Policy will still be able to connect to NYC-DC-1. Once you have verified that all computers have received the Request connection security policy, you can optionally change the requirement to require authentication.

o. Close Group Policy Object Editor.
p. Close Group Policy Management Console.

2. Apply the New Group Policy Settings

Note: In this task you will manually refresh Group Policy on the server computer.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, click Command Prompt.
b. At the command prompt, type the following command and then press ENTER.
Gpupdate /force

Complete the following task on: NYC-SRV-1

3. Test the Domain Isolation Policy

Note: In this task you will manually refresh Group Policy on the client computer. You will then use the built-in monitoring functions of the WFAS management console to verify that IPsec security associations are being created between NYC-SRV-1 and NYC-DC-1. The presence of security associations indicates that the connection security rule is in effect.
Note: Perform this task on the NYC-SRV-1 computer as Woodgrovebank\Administrator

a. On the Start menu, click Command Prompt.
b. At the command prompt, type the following command and then press ENTER.
Gpupdate /force

c. On the Start menu, in Start Search, type WF.msc and then press ENTER.
d. In Windows Firewall with Advanced Security, click Inbound Rules. Verify that Allow all traffic is the first rule listed.
e. In Windows Firewall with Advanced Security, click Connection Security Rules. Verify that Request connection security is the only rule listed.
f. On NYC-DC-1, browse to C:\Windows\SYSVOL\. Right-click the SYSVOL folder and click Share. In the SYSVOL Properties window, on the Sharing tab, click Advanced Sharing. Check the Share this folder check box and click Permissions. In the Permissions for SYSVOL dialog box, click Add. In the Object names to select box, type Administrators, click Check Names, and then click OK. Under Permissions for Administrators, check Full Control. Click OK, click OK, and then click Close.
g. Switch back to NYC-SRV-1. On the Start menu, in Start Search, type \\NYC-DC-1\sysvol and then press ENTER. After a brief delay, the contents of the sysvol share will be displayed.
h. In Windows Firewall with Advanced Security, navigate to Monitoring\Security Associations and then click Quick Mode.
i. Review the contents of the Quick Mode pane. Double-click the displayed Quick Mode security association to review its details.

Complete the following 4 tasks on: NYC-DC-1
4. Configure the Connection Security Rule to Encrypt IPsec Connections

Note: In this task you will reconfigure the connection security rule you just created to require encryption in addition to authentication. This will ensure that IPsec provides ESP privacy, integrity, and authentication between computers. Encryption is configured globally for WFAS. Once encryption is required, all computers that establish secure connections, regardless of the connection security rule they match, will encrypt IPsec traffic.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, click Run, type GPMC.MSC and then click OK.
b. In Group Policy Management, navigate to Default Domain Policy by expanding Forest: woodgrovebank.com, expanding Domains, and then expanding woodgrovebank.com.
c. Select Default Domain Policy, and then on the Action menu, click Edit.
d. In Group Policy Object Editor, navigate to Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security, and then select Windows Firewall with Advanced Security LDAP://<DN>.
e. On the Action menu, click Properties.
f. In the Windows Firewall with Advanced Security LDAP://<DN> dialog box, on the IPsec Settings tab, click Customize.
g. In the IPsec Defaults Settings dialog box, click Customize; in Data protection (Quick Mode), select Advanced and then click Customize.
h. In the Customize Data Protection Settings dialog box, check Require encryption for all connection security rules that use these settings and then click OK.
i. Click OK to close the Customize IPsec Settings dialog box.
j. Click OK to close the Windows Firewall with Advanced Security LDAP://<DN> dialog box.
5. Configure WFAS to Require Secure Encrypted Connections

Note: In this task you will reconfigure your inbound firewall rule to require encrypted IPsec connections. It is important to note that configuring this setting on the firewall will not ensure that computers encrypt connections, but rather will prevent connections that are not encrypted with IPsec. The previous task, in which you configured WFAS to encrypt connections, ensures that computers perform the encryption operation.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In Group Policy Object Editor, navigate to Computer Configuration/Windows Settings/Security Settings, and then expand Windows Firewall with Advanced Security.
b. Select Inbound Rules, and then in the contents pane, double-click Allow all traffic.
c. In the Allow all traffic Properties dialog box, under Action, select Allow only secure connections, check Require encryption, and then click OK.

6. Clear all WFAS Settings

Note: In this task you will remove the WFAS settings in the Default Domain Policy. This is to ensure that future exercises function as expected.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In Group Policy Object Editor, select Windows Firewall with Advanced Security LDAP://<DN>.
b. On the Action menu, click Clear Policy, and then in the Windows Firewall with Advanced Security dialog box, click Yes. In the next Windows Firewall with Advanced Security dialog box, click OK. Close Group Policy Object Editor, and then close Group Policy Management.

7. Refresh WFAS on the NYC-DC-1 Computer

Note: In this task you will manually refresh Group Policy on the server computer.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, click Command Prompt.
b. At the command prompt, type the following command and then press ENTER.
Gpupdate /force

Complete the following task on: NYC-SRV-1

8. Refresh WFAS on the NYC-SRV-1 Computer

Note: In this task you will manually refresh Group Policy on the client computer.
Note: Perform this task on the NYC-SRV-1 computer as Woodgrovebank\Administrator

a. On the Start menu, in Start Search, type CMD and then press ENTER.
b. At the command prompt, type the following command and then press ENTER.
Gpupdate /force
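The Exercise 1 procedure expressed as a script, added here as an example and not taken from the lab manual: it uses the NetSecurity module cmdlets, which ship with Windows 8 / Windows Server 2012 and later (the lab's pre-release Longhorn Server exposes only the GUI and netsh). The domain, GPO and rule names are the lab's; the -Enforce switch, the Test-IsolationInEffect helper and the two-stage rollout are this script's own, and Task 4's global "Require encryption" IPsec default is not reproduced (only the rule-level requirement of Task 5 is).

```powershell
# Added example, not part of the lab manual: Exercise 1 isolation policy via
# the NetSecurity module (Windows 8 / Server 2012 and later). Domain, GPO and
# rule names are the lab's; -Enforce and Test-IsolationInEffect are assumed.
#Requires -Modules NetSecurity, GroupPolicy
param(
    [string]$Domain  = 'woodgrovebank.com',
    [string]$GpoName = 'Default Domain Policy',
    # Stage 2 (Task 5 and the "require" option of Task 1's note): only after
    # every member has refreshed Group Policy and shows Quick Mode SAs,
    # otherwise peers that have not refreshed yet are cut off.
    [switch]$Enforce
)

# All edits are batched into one GPO session and written once at Save-NetGPO.
$gpo = Open-NetGPO -PolicyStore "$Domain\$GpoName"

# Task 1, steps f-g: firewall on, inbound blocked by default, outbound allowed,
# local rules ignored so that only GPO-delivered rules apply to domain members.
Set-NetFirewallProfile -GPOSession $gpo -Name Domain `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -AllowLocalFirewallRules False -AllowLocalIPsecRules False

# Task 1, step k: the "Allow all traffic" inbound rule (all programs, any
# protocol and any scope are the cmdlet defaults). Isolation needs BOTH this
# firewall rule and the connection security rule below; with only one of
# the two, inbound connections fail.
$rule = @{
    GPOSession  = $gpo
    DisplayName = 'Allow all traffic'
    Direction   = 'Inbound'
    Action      = 'Allow'
    Profile     = 'Domain'
}
if ($Enforce) {
    # Task 5: "Allow only secure connections" + "Require encryption". The
    # firewall rule rejects unprotected traffic; it does not by itself make
    # peers encrypt, which is the job of the IPsec defaults (Task 4).
    New-NetFirewallRule @rule -Authentication Required -Encryption Required
} else {
    New-NetFirewallRule @rule
}

# Task 1, step n: isolation rule. Request (not Require) in stage 1, so that
# computers that have not yet refreshed Group Policy can still reach NYC-DC-1.
# The default Phase 1 authentication is Kerberos computer credentials, which
# only domain members can present.
$level = if ($Enforce) { 'Require' } else { 'Request' }
New-NetIPsecRule -GPOSession $gpo -DisplayName 'Request connection security' `
    -InboundSecurity $level -OutboundSecurity $level -Profile Domain

Save-NetGPO -GPOSession $gpo
gpupdate /force    # Task 2: apply on this host; clients run the same (Task 3)

# Task 3, steps h-i, to run on a client such as NYC-SRV-1 after gpupdate and
# after opening \\NYC-DC-1\sysvol: the rule is in effect only if Quick Mode
# security associations exist. An empty result means IPsec was not negotiated.
function Test-IsolationInEffect {
    $sa = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue)
    if ($sa.Count -eq 0) {
        Write-Warning 'No Quick Mode SAs: the connection security rule is not in effect'
        return $false
    }
    $sa | Format-Table -AutoSize | Out-String | Write-Verbose
    return $true
}
```

Run it once without -Enforce, confirm Test-IsolationInEffect returns $true on every client, and only then run it again with -Enforce; reversing that order reproduces the lockout the lab's note warns about.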



Exercise 2 Creating a Communications Security Policy for Roaming Users


Scenario
In this exercise you will use Windows Firewall with Advanced Security to enforce a communication security policy for users who roam between your corporate network and client sites. Your company uses a management application which connects to port 3432 on each client computer. You must ensure that the management application functions when users are on the corporate network, that only management servers can connect to the port, and that the port is protected when users are at a client site. You must also ensure that while they are on the corporate network, computers which are considered trusted computers can connect to any port on the client computers. Trusted computers are members of the global group WOODGROVEBANK\Secure_Workstations. You have instructed all users to select the Public profile when they are at any location other than your corporate network.

Note: This exercise requires the following computers: NYC-DC-1 and NYC-SRV-1

Tasks
Complete the following 5 tasks on: NYC-DC-1

1. Create a Policy for Roaming Users

Note: In this task you will create a new organizational unit and Group Policy object for roaming users.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, click Run, type GPMC.MSC and then click OK.
b. In Group Policy Management Console, navigate to Woodgrovebank.com.
c. Select Woodgrovebank.com, and then on the Action menu, click New Organizational Unit.
d. Create a new organizational unit named Roaming Computers.
e. Select the Roaming Computers organizational unit, and then on the Action menu, click Create a GPO in this domain, and Link it here.
f. Create a new GPO named Roaming Computers WFAS Policy, and then click OK.
g. Select Roaming Computers WFAS Policy, and then on the Action menu, click Edit.
2. Configure Windows Firewall with Advanced Security

Note: In this task you will configure WFAS settings for all three profiles. By configuring Block (default) on both the Domain and Private profiles, you are ensuring that only network infrastructure protocols such as ICMP will be accepted by these computers. This, however, means that all other applications will be unable to connect. By configuring Block all connections on the Public profile, you are ensuring that no connections, including infrastructure protocols such as ICMP, will be accepted by these computers. It is still up to the user to select the correct profile.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In Group Policy Object Editor, navigate to Computer Configuration/Windows Settings/Security Settings, and then expand Windows Firewall with Advanced Security.
b. Select Windows Firewall with Advanced Security LDAP://<DN>, and then under Overview, click Windows Firewall Properties.
c. In the Windows Firewall with Advanced Security dialog box, on the Domain Profile tab, make the following configuration changes.

   Setting                 Value
   Firewall State          On (recommended)
   Inbound connections     Block (default)
   Outbound connections    Allow (default)

d. In the Windows Firewall with Advanced Security dialog box, on the Private Profile tab, make the following configuration changes.

   Setting                 Value
   Firewall State          On (recommended)
   Inbound connections     Block (default)
   Outbound connections    Allow (default)

e. In the Windows Firewall with Advanced Security dialog box, on the Public Profile tab, make the following configuration changes and then click OK.

   Setting                 Value
   Firewall State          On (recommended)
   Inbound connections     Block all connections
   Outbound connections    Allow (default)

3. Create Inbound Rule for Management Application in Domain Profile

Note: In this task you will create an inbound rule to allow the management application to connect to computers. This rule is applied only to the Domain profile, ensuring that the management application is protected when the computer is connected to a private or a public network.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In Group Policy Object Editor, navigate to Computer Configuration\Windows Settings\Windows Firewall with Advanced Security LDAP://<DN> and then click Inbound Rules.
b. On the Action menu, click New Rule.
c. Create a new Inbound Rule with the following parameters.

   Setting               Value
   Rule Type             Port
   Protocol and Ports    TCP 3432
   Action                Allow the connection if it is secure
   Users and Computers   Only allow connections from these computers: WOODGROVEBANK\Management_Servers
   Profile               Domain only
   Name                  Allow Management Application (Secure)

4. Create Firewall Exemption for Domain Administrators

Note: In this task you will create a firewall exemption for domain administrators. This exemption will ensure that all connections from a specific group of computers are allowed, regardless of inbound firewall rules. This rule must be used with care, as it is processed before any block or deny rules. In addition, for this rule to function, a connection security rule which uses Kerberos computer authentication must be in effect. You will also notice that when you select the Override block rules check box, you are required to provide a group name for the computers which are permitted to use this rule.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In Group Policy Object Editor, navigate to Windows Firewall with Advanced Security LDAP://<DN> and then click Inbound Rules.
b. On the Action menu, click New Rule.
c. Create a new Inbound Rule with the following parameters.

   Setting               Value
   Rule Type             Custom
   Program               All programs
   Protocol and Ports    Any
   Scope                 Any
   Action                Allow the connection if it is secure: Override block rules
   Users and Computers   WOODGROVEBANK\Secure_Workstations
   Profile               Domain only
   Name                  Secure Workstation Override

5. Verify that the Roaming User Policy is Applied

Note: In this task you will move the NYC-SRV-1 computer account to the Roaming Computers organizational unit to test the application of the policy.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. Click Start, navigate to All Programs/Administrative Tools, and then click Active Directory Users and Computers.
b. In Active Directory Users and Computers, navigate to Woodgrovebank.com/Computers.
c. Move the NYC-SRV-1 computer account to the Roaming Computers organizational unit: right-click NYC-SRV-1, click Move, and in the Move window select Roaming Computers and then click OK.

Note: Perform the following steps on the NYC-SRV-1 computer as Woodgrovebank\Administrator

d. On the Start menu, in Start Search, type CMD and then press ENTER.
e. At the command prompt, type the following command and then press ENTER.
Gpupdate /force

f. On the Start menu, navigate to All Programs/Administrative Tools, and then click Windows Firewall with Advanced Security.
g. In Windows Firewall with Advanced Security, click Monitoring.
h. Verify that Domain Profile is Active is displayed at the top of the Monitoring pane.
i. Click View active firewall rules.
j. Verify that the Allow Management Application (Secure) and Secure Workstation Override rules are listed.
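The Exercise 2 roaming-computer policy as a script, added here as an example and not taken from the lab manual: it uses the NetSecurity module cmdlets (Windows 8 / Windows Server 2012 and later), writing into the Roaming Computers WFAS Policy GPO. GPO, group and rule names, the port and the profile settings are the lab's; the ConvertTo-MachineSddl and Test-RoamingPolicyApplied helpers are this script's own, and the SID lookup assumes the ActiveDirectory module is installed.

```powershell
# Added example, not part of the lab manual: Exercise 2 roaming policy via the
# NetSecurity module (Windows 8 / Server 2012 and later). Names, port and
# profiles are the lab's; the two helper functions are assumed.
#Requires -Modules NetSecurity, GroupPolicy, ActiveDirectory

$gpo = Open-NetGPO -PolicyStore 'woodgrovebank.com\Roaming Computers WFAS Policy'

# Task 2: Domain and Private block inbound by default but still evaluate allow
# rules; Public uses "Block all connections", which also ignores every inbound
# allow rule, so nothing (not even ICMP) is accepted at a client site.
foreach ($name in 'Domain', 'Private') {
    Set-NetFirewallProfile -GPOSession $gpo -Name $name -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}
Set-NetFirewallProfile -GPOSession $gpo -Name Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -AllowInboundRules False

# "Users and Computers" restrictions are stored as an SDDL string of allow ACEs
# keyed by the computer groups' SIDs; this helper builds it from group names.
function ConvertTo-MachineSddl {
    param([Parameter(Mandatory)][string[]]$GroupName)
    $aces = foreach ($g in $GroupName) {
        $sid = (Get-ADGroup -Identity $g).SID.Value
        "(A;;CC;;;$sid)"
    }
    return 'D:' + ($aces -join '')
}

# Task 3: TCP 3432 for the management application, Domain profile only, and
# "Allow the connection if it is secure" restricted to Management_Servers. At a
# client site the active profile is Private or Public, so the rule is inert.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow Management Application (Secure)' `
    -Direction Inbound -Protocol TCP -LocalPort 3432 -Profile Domain `
    -Action Allow -Authentication Required `
    -RemoteMachine (ConvertTo-MachineSddl 'Management_Servers')

# Task 4: Secure_Workstations may reach any port. Override block rules is
# evaluated before every block rule, so it is scoped to one computer group and
# to the Domain profile, and it only matches when an IPsec rule with Kerberos
# computer authentication is in effect (without authentication there is no
# SID to compare against the ACL).
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Secure Workstation Override' `
    -Direction Inbound -Profile Domain -Action Allow -Authentication Required `
    -OverrideBlockRules $true -RemoteMachine (ConvertTo-MachineSddl 'Secure_Workstations')

Save-NetGPO -GPOSession $gpo

# Task 5, steps h-j: run on NYC-SRV-1 after moving its account into the Roaming
# Computers OU and running gpupdate /force. Reports whether the Domain profile
# is active and which of the two rules, if any, failed to reach the active store.
function Test-RoamingPolicyApplied {
    $categories = (Get-NetConnectionProfile).NetworkCategory
    $expected   = 'Allow Management Application (Secure)', 'Secure Workstation Override'
    $present    = @(Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName $expected `
                      -ErrorAction SilentlyContinue).DisplayName
    [pscustomobject]@{
        DomainProfileActive = [bool]($categories -contains 'DomainAuthenticated')
        MissingRules        = @($expected | Where-Object { $_ -notin $present })
    }
}
```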



Exercise 3 Customizing Windows Firewall with Advanced Security Settings


Scenario
In this exercise you will make a series of configuration changes to WFAS to meet various security and configuration requirements. These configuration changes are performed in the context of a scenario or a set of business requirements; they are intended to familiarize you with various parts of the WFAS interface and the purpose of making configuration changes in those areas. You will make the following types of configuration changes:
- IPsec settings, which control the methods that IPsec uses to negotiate authentication
- Firewall logging, which is used for troubleshooting
- Firewall behavior, which manages the way rules are applied and the user experience
- Clearing all WFAS Group Policy settings

Note: This exercise requires the following computers: NYC-DC-1

Tasks
Complete the following 4 tasks on: NYC-DC-1

1. Configure IPsec Settings to Increase Connection Security

Note: In this task you will use the WFAS interface to increase the security and encryption requirements of connection security rules. Windows Vista and Windows Longhorn Server support integrity and encryption algorithms that Windows XP and Windows Server 2003 do not support. You can ensure that only Windows Vista and Windows Longhorn Server can meet the requirements of a connection security rule by configuring the rules to use stronger encryption and authentication.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. On the Start menu, click Run, type GPMC.MSC and then click OK.
b. In Group Policy Management, navigate to Roaming Computers WFAS Policy.
c. Select Roaming Computers WFAS Policy, in the dialog box click OK, and then on the Action menu, click Edit.
d. In Group Policy Object Editor, navigate to Computer Configuration/Windows Settings/Security Settings, and then expand Windows Firewall with Advanced Security.
e. Select Windows Firewall with Advanced Security LDAP://<DN> and then on the Action menu, click Properties.
f. In the Windows Firewall with Advanced Security LDAP://<DN> dialog box, click the IPsec Settings tab.
g. On the IPsec Settings tab, in Exempt ICMP from IPsec, select Yes.
   Note: By exempting ICMP from IPsec, you can simplify some troubleshooting tasks.
h. On the IPsec Settings tab, click Customize.
i. In the Customize IPsec Settings dialog box, in Key exchange (Main Mode), select Advanced, and then click Customize.
j. In the Customize Advanced Key Exchange Settings dialog box, in Key exchange algorithm, select Elliptic Curve Diffie-Hellman P-384.
k. In Security Methods, click Add.
l. In the Security Method dialog box, under Encryption algorithm, select AES-256 and then click OK.
m. Under Security Methods, select SHA1:AES-256 and then click the Up arrow twice.
n. Click OK to close the Customize Advanced Key Exchange Settings dialog box.
o. In the IPsec Defaults Settings dialog box, click Customize; in Data protection (Quick Mode), select Advanced and then click Customize.
p. In the Customize Data Protection Settings dialog box, check Require encryption for all connection security rules that use these settings.
q. In the Customize Data Protection Settings dialog box, in Data integrity and encryption, click Add.
r. In the Integrity and Encryption Algorithms dialog box, in Encryption Algorithm, select AES-256 and then click OK.
s. In the Customize Data Protection Settings dialog box, in Data integrity and encryption, remove the following two entries and then click OK.

   Entry              Action
   ESP:SHA1:AES128    Remove
   ESP:SHA1:3DES      Remove

Note: By removing these settings, you are preventing versions of Windows earlier than Windows Vista or 2008 from meeting the requirements of the connection security rule. This will prevent those computers from establishing inbound connections.
2. Configure WFAS Logging

Note: WFAS does not enable logging by default, to enhance system performance. You can configure logging to assist you in performing troubleshooting tasks or to verify the operation of WFAS. Logging allows you to configure what is logged, as well as the size and location of the log file. In this task you will configure a WFAS logging policy for roaming computers.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In the Windows Firewall with Advanced Security dialog box, on the Domain Profile tab, under Logging, click Customize.
b. In the Customize Logging Settings for the Domain Profile dialog box, under Name, uncheck Not Configured, and then in Name, type C:\Firewall.log.
c. In Log dropped packets, click Yes.
d. In Log successful connections, click No (default) and then click OK.

3. Configure WFAS Settings

Note: In this task you will configure how WFAS applies local firewall rules and local connection security rules. Computer administrators can create local rules on both Windows Vista and Windows Longhorn Server. By configuring WFAS in a Group Policy object, you can ensure that only Group Policy based rules are applied, simplifying the implementation of WFAS.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In the Windows Firewall with Advanced Security dialog box, on the Domain Profile tab, under Settings, click Customize.
b. In the Customize Settings for the Domain Profile dialog box, in Firewall settings, in Display a notification, select Yes (default).
c. In Rule Merging, make the following configuration changes, and then click OK.

   Setting                                   New Value
   Apply local firewall rules                No
   Apply local connection security rules     No

d. Click OK to close the Windows Firewall with Advanced Security LDAP://<DN> dialog box.
4. Clear all WFAS Settings

Note: In this task you will clear all WFAS settings for remote computers.
Note: Perform this task on the NYC-DC-1 computer as Woodgrovebank\Administrator

a. In Group Policy Object Editor, select Windows Firewall with Advanced Security LDAP://<DN>.
b. On the Action menu, click Clear Policy, and then in the Windows Firewall with Advanced Security dialog box, click Yes. If a further dialog box appears, click OK.
c. In the Policy has been cleared dialog box, click OK.
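Exercise 3 Tasks 1 to 3 as a script, added here as an example and not taken from the lab manual, using the NetSecurity module cmdlets (Windows 8 / Windows Server 2012 and later), followed by a parser for the log file that Task 2 enables. The GPO name, log path, algorithms and rule-merging values are the lab's; the crypto set names, the Get-DroppedInboundSummary function and its sample log lines are this script's own.

```powershell
# Added example, not part of the lab manual: Exercise 3 Tasks 1-3 via the
# NetSecurity module (Windows 8 / Server 2012 and later). GPO name, log path
# and algorithms are the lab's; set names, parser and sample lines are assumed.
#Requires -Modules NetSecurity, GroupPolicy

$gpo = Open-NetGPO -PolicyStore 'woodgrovebank.com\Roaming Computers WFAS Policy'

# Task 1, steps i-n (Main Mode): DH group 20 is the 384-bit elliptic-curve
# group, i.e. the GUI's "Elliptic Curve Diffie-Hellman P-384". Listing only
# AES-256 is what excludes Windows XP / Server 2003 peers.
$mm = New-NetIPsecMainModeCryptoProposal -KeyExchange DH20 -Encryption AES256 -Hash SHA1
New-NetIPsecMainModeCryptoSet -GPOSession $gpo -DisplayName 'Roaming Main Mode' `
    -Proposal $mm -Default

# Task 1, steps o-s (Quick Mode): only ESP with AES-256 is offered, the same
# end state as adding AES-256 and removing ESP:SHA1:AES128 and ESP:SHA1:3DES
# in the GUI. With no AH or null-encryption proposal in the set, every SA
# negotiated under it is encrypted.
$qm = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES256
New-NetIPsecQuickModeCryptoSet -GPOSession $gpo -DisplayName 'Roaming Quick Mode' `
    -Proposal $qm -Default

# Task 1, step g: exempt ICMP from IPsec so ping works while troubleshooting.
Set-NetFirewallSetting -GPOSession $gpo -Exemptions Icmp

# Task 2 (log dropped packets only, to C:\Firewall.log) and Task 3
# (notification on; local firewall and IPsec rules ignored, so only the GPO
# decides what this profile enforces).
Set-NetFirewallProfile -GPOSession $gpo -Name Domain `
    -LogFileName 'C:\Firewall.log' -LogBlocked True -LogAllowed False `
    -NotifyOnListen True -AllowLocalFirewallRules False -AllowLocalIPsecRules False

Save-NetGPO -GPOSession $gpo

# The log is W3C extended format: a "#Fields:" header names the columns. This
# counts inbound DROP records per protocol/port, the first thing to check when
# an application stops working after a policy change like the one above.
function Get-DroppedInboundSummary {
    param([Parameter(Mandatory)][string[]]$LogLine)
    $fields = $null
    $counts = @{}
    foreach ($line in $LogLine) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ($rec['action'] -eq 'DROP' -and $rec['path'] -eq 'RECEIVE') {
            $key = '{0}/{1}' -f $rec['protocol'], $rec['dst-port']
            $counts[$key] = 1 + [int]$counts[$key]
        }
    }
    return $counts
}

# Constructed sample lines in the pfirewall.log layout (not a real capture).
$sample = @(
    '#Version: 1.5'
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2024-05-01 10:15:22 DROP TCP 10.0.0.5 10.0.0.20 51234 3432 52 S 1234567 0 8192 - - - RECEIVE'
    '2024-05-01 10:15:23 DROP TCP 10.0.0.5 10.0.0.20 51235 3432 52 S 1234568 0 8192 - - - RECEIVE'
    '2024-05-01 10:15:24 DROP UDP 10.0.0.9 10.0.0.20 60001 137 78 - - - - - - - RECEIVE'
    '2024-05-01 10:15:25 ALLOW TCP 10.0.0.20 10.0.0.1 49152 445 0 - 0 0 0 - - - SEND'
)
Get-DroppedInboundSummary -LogLine $sample | Format-Table -AutoSize
```

On a roaming computer that has applied the policy, the same summary over the real file is Get-DroppedInboundSummary -LogLine (Get-Content C:\Firewall.log); drops on TCP/3432 from a management server indicate the connection was not IPsec-protected or came from a computer outside Management_Servers.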

