Page 1 of 115
Overview of Windows Firewall with Advanced Security
Understanding Firewall Rules
Understanding Connection Security Rules
Understanding Firewall Profiles
Monitoring Windows Firewall with Advanced Security
Default Settings for Windows Firewall with Advanced Security
Configuring Firewall Rules
Resources for Windows Firewall with Advanced Security
User Interface: Windows Firewall with Advanced Security
Overview of Windows Firewall with Advanced Security

What is Windows Firewall with Advanced Security?
file://C:\Users\Malli\AppData\Local\Temp\~hhADBE.htm 9/29/2011
Windows Firewall with Advanced Security combines a host firewall and Internet Protocol security (IPsec). Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.

Important
Windows Firewall with Advanced Security is designed for use by IT administrators who need to manage network security in an enterprise environment. It is not intended for use in home networks. Home users should consider using the Windows Firewall program available in Control Panel instead.

Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all packets for IP version 4 (IPv4) and IP version 6 (IPv6) traffic. In this context, filter means to allow or block network traffic by processing it through administrator-defined rules. By default, incoming traffic is blocked unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can configure Windows Firewall with Advanced Security to explicitly allow traffic by specifying a port number, application name, service name, or other criteria.

Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating, and to require the use of data integrity or data encryption when communicating.

For more information, see Overview of Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=137800) in the TechNet Library.
Allow the connection.
Allow a connection only if it is secured through the use of Internet Protocol security (IPsec).
Block the connection.
Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the computers or users, program, service, or port and protocol. You can specify which type of network adapter the rule will be applied to: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used. As your IT environment changes, you might have to change, create, disable, or delete rules.
Additional references
the computer is connected to a public network where the security cannot be controlled. Each network adapter is assigned the firewall profile that matches the detected network type. For example, if a network adapter is connected to a public network, then all traffic going to or from that network is filtered by the firewall rules associated with the public profile.

Important
Windows Server 2008 R2 and Windows 7 provide support for multiple active per-network adapter profiles. In Windows Vista and Windows Server 2008, only one profile can be active on the computer at a time. If there are multiple network adapters connected to different networks, then the profile with the most restrictive profile settings is applied to all adapters on the computer. The public profile is considered to be the most restrictive, followed by the private profile; the domain profile is considered to be the least restrictive.

If you do not alter the settings for a profile, then its default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security for all three profiles.

To configure these profiles, in the Windows Firewall with Advanced Security MMC snap-in, right-click Windows Firewall with Advanced Security, and then click Properties. You can also access the properties from the Action menu, the Action pane, or the center pane, when Windows Firewall with Advanced Security is highlighted.
Additional references
Key exchange
Setting                          Value
Key lifetimes                    480 minutes/0 sessions*
Key exchange algorithm           Diffie-Hellman Group 2
Security methods (integrity)     SHA1
Security methods (encryption)    AES-128 (primary)/3-DES (secondary)

*A session limit of zero (0) causes rekeys to be determined only by the Key lifetime (minutes) setting.
Data integrity
Setting           Value
Protocol          ESP (primary)/AH (secondary)
Data integrity    SHA1
Key lifetimes     60 minutes/100,000 kilobytes (KB)
Data encryption
Setting           Value
Protocol          ESP
Data integrity    SHA1
Data encryption   AES-128 (primary)/3-DES (secondary)
Key lifetimes     60 minutes/100,000 KB
Authentication method
Computer (Kerberos version 5) authentication is the default authentication method.
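As an added example that is not part of the original topic, the following netsh advfirewall commands display the current IPsec defaults and set the main mode (key exchange) values to the ones listed in the tables above; the quick mode values are set per connection security rule and are not shown here.

```batch
rem Added example (not from the original topic): inspect and set the IPsec
rem main mode defaults described in the Key exchange table. Run from an
rem elevated command prompt on Windows 7 or Windows Server 2008 R2.

rem Show the current global IPsec settings; the MainMode section lists the
rem key lifetime and security methods. Compare it with the table above.
netsh advfirewall show global

rem Key lifetimes: 480 minutes and 0 sessions, so rekeying is time-based only.
netsh advfirewall set global mainmode mmkeylifetime 480min,0sess

rem Diffie-Hellman Group 2 with SHA1 integrity; AES-128 is the primary
rem encryption method and 3DES the secondary (listed in preference order).
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha1,3des-sha1

rem Verify that the new values are in effect.
netsh advfirewall show global mainmode
```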
2. Locally defined policy settings.
3. Service defaults, as shown in the tables in this topic.
Additional references
Windows Firewall with Advanced Security and IPsec (http://go.microsoft.com/fwlink/?linkid=96525)
Windows Firewall with Advanced Security Deployment Guide (http://go.microsoft.com/fwlink/?linkid=98308)
Server and Domain Isolation (http://go.microsoft.com/fwlink/?linkid=95395)
IPsec (http://go.microsoft.com/fwlink/?linkid=95394)
Windows Firewall (http://go.microsoft.com/fwlink/?linkid=95393)
Windows Firewall Errors and Events for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?linkid=137360)
Windows Firewall with Advanced Security Properties Page
Connection Security Rule Wizard
Connection Security Rule Properties Page
Firewall Rule Wizard
Firewall Rule Properties Page
Monitored Firewall Rules Properties Page
Monitored Connection Security Rules Properties Page
Monitored Main Mode Security Associations
Monitored Quick Mode Security Associations
Dialog Boxes
Use this dialog box to configure the basic firewall properties for each of the network profiles. You can also use the IPsec Settings tab to configure the default values for several IPsec configuration options.

To get to this dialog box
In the Windows Firewall with Advanced Security MMC snap-in, perform one of the following steps:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.
Select the top node in the navigation pane, and then in the center pane, in the Overview section, click Windows Firewall Properties.
Select the top node in the navigation pane, and in the Actions pane, click Properties.
State
State selections determine whether Windows Firewall with Advanced Security uses the profile settings and how the profile handles inbound and outbound network messages.

Firewall state
Select On (recommended) to have Windows Firewall use the settings for this profile to filter network traffic. If you select Off, Windows Firewall will not use any of the firewall rules or connection security rules for this profile.

Important
If you use Group Policy to disable Windows Firewall, or configure Windows Firewall with a rule that allows all inbound network traffic, then Windows Security Center will alert the user that there are security issues that the user should correct. If the user tries to correct the reported problem by clicking Turn on in Windows Security Center, then an error will be displayed because Windows Security Center cannot enable Windows Firewall. This can generate unwanted support calls to your help desk. If you are managing the security of the computers in your organization and do not want Windows Security Center to alert the user about security issues, then you can disable the Windows Security Center by using the Turn on Security Center (Domain PCs only) Group Policy setting found in Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Security Center.

Inbound connections
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. You can choose the following behavior for inbound connections:

Selection               Description
Block (default)         Blocks all connections that do not have firewall rules that explicitly allow the connection.
Block all connections   Blocks all connections, regardless of any firewall rules that explicitly allow the connection.
Allow                   Allows the connection unless there is a firewall rule that explicitly blocks the connection.
Outbound connections
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules to block the connection. You can choose the following behavior for outbound connections:

Selection         Description
Block             Blocks all connections that do not have firewall rules that explicitly allow the connection.
Allow (default)   Allows the connection unless there is a firewall rule that explicitly blocks the connection.

Caution
If you set Outbound connections to Block and then deploy the firewall policy by using a Group Policy object (GPO), computers that receive it will not receive subsequent Group Policy updates unless you first create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying the policy.

Protected network connections
Use these settings to specify which network adapters are subject to the configuration of this profile. Click Customize to display the Customize Protected Network Connections for a Firewall Profile dialog box.
Settings
Use these settings to configure settings for notifications, unicast response to multicast or broadcast traffic, and Group Policy rule merging. Click Customize to display the Customize Settings for a Firewall Profile dialog box.
Logging
Use these settings to configure how Windows Firewall with Advanced Security logs events, how big the log file can grow, and where the log file is located. Click Customize to display the Customize Logging Settings for a Firewall Profile dialog box.
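The State, Inbound connections, Outbound connections and Logging settings described in this section can also be applied from the command line. The block below is an added example, not part of the original topic; the 16 MB log size is a chosen value, and the log path shown is the default one.

```batch
rem Added example (not from the original topic): netsh advfirewall equivalents
rem of the profile State, default connection behavior and Logging settings.
rem Requires an elevated command prompt.

rem Firewall state: On for all three profiles (the recommended setting).
netsh advfirewall set allprofiles state on

rem Inbound connections: Block (default). Outbound connections: Allow (default).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem Before changing any profile to block outbound traffic, confirm that the
rem predefined Core Networking outbound rules exist and are enabled, as the
rem Caution above requires; otherwise a GPO-deployed policy can cut the
rem computer off from later Group Policy updates.
netsh advfirewall firewall show rule name=all dir=out | findstr /i /c:"Core Networking"
netsh advfirewall firewall set rule group="Core Networking" new enable=yes

rem Logging: record dropped packets and allowed connections, let the log grow
rem to 16 MB (the value is in KB; the default is 4096), and write it to the
rem default location. Applies to all profiles.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 16384
netsh advfirewall set allprofiles logging filename %systemroot%\system32\LogFiles\Firewall\pfirewall.log

rem Review the effective settings for each profile.
netsh advfirewall show allprofiles
```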
IPsec defaults
Use these settings to configure the key exchange, data protection, and authentication methods used by IPsec to help protect network traffic. Click Customize to display the Customize IPsec Settings dialog box.
IPsec exemptions
Use this option to determine whether network traffic containing Internet Control Message Protocol (ICMP) messages is protected by IPsec. ICMP is commonly used by network troubleshooting tools and procedures. Many network administrators exempt ICMP packets from IPsec protection to ensure that these messages are not blocked.

Important
This setting exempts ICMP from the IPsec portion of Windows Firewall with Advanced Security only. To ensure that ICMP packets are allowed through Windows Firewall, you must create and enable an inbound rule.

Note
If you enable file and printer sharing in the Network and Sharing Center, Windows Firewall with Advanced Security automatically enables firewall rules that allow commonly used ICMP packet types. However, this will also enable network features that are not related to ICMP. If you want to enable ICMP only, then create and enable a rule in Windows Firewall to allow inbound ICMP network packets.
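The two separate steps the Important note calls for, the IPsec exemption and a matching inbound firewall rule, look like this with netsh advfirewall. This is an added example, not part of the original topic; the rule names and the choice of domain and private profiles are assumptions.

```batch
rem Added example (not from the original topic): exempt ICMP from IPsec and
rem allow it through the firewall, as the Important note above requires.
rem Requires an elevated command prompt.

rem IPsec exemptions: exempt ICMP from the IPsec portion only. Other accepted
rem values are none, neighbordiscovery, dhcp and notconfigured; combine them
rem with commas.
netsh advfirewall set global ipsec defaultexemptions icmp

rem The exemption does not let ICMP through the firewall. Create and enable
rem inbound rules for just the packet types you need (ICMPv4 Echo Request,
rem type 8, and ICMPv6 Echo Request, type 128, any code) instead of turning on
rem File and Printer Sharing, which also enables unrelated network features.
netsh advfirewall firewall add rule name="ICMPv4 Echo Request (inbound)" dir=in action=allow protocol=icmpv4:8,any profile=domain,private
netsh advfirewall firewall add rule name="ICMPv6 Echo Request (inbound)" dir=in action=allow protocol=icmpv6:128,any profile=domain,private

rem Confirm that both rules exist and are enabled.
netsh advfirewall firewall show rule name="ICMPv4 Echo Request (inbound)"
netsh advfirewall firewall show rule name="ICMPv6 Echo Request (inbound)"

rem Confirm the exemption in the IPsec section of the global settings.
netsh advfirewall show global ipsec
```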
Rule Type
Endpoints
Requirements
Authentication Method
Protocols and Ports
Exempt Computers
Tunnel Type
Tunnel Endpoints Custom Configuration
Tunnel Endpoints Client-to-Gateway
Tunnel Endpoints Gateway-to-Client
Profile
Isolation
An isolation rule restricts connections based on authentication criteria that you define. For example, you can use this rule type to isolate computers that are joined to your domain from computers that are outside your domain, such as computers on the Internet. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:
Authentication exemption
Use this option to create a rule that exempts specified computers from being required to authenticate, regardless of other connection security rules. This rule type is typically used to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, that this computer must communicate with before authentication can be performed. It is also used for computers that cannot use the form of authentication you configured for this policy and profile. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:
Note Although the computers are exempt from authentication, network traffic from them might still be blocked by Windows Firewall unless a firewall rule allows them to connect.
Server-to-server
Use this rule type to authenticate the communications between two specified computers, between two groups of computers, between two subnets, or between a specified computer and a group of computers or a subnet. You might use this rule to authenticate the traffic between a database server and a business-layer computer, or between an infrastructure computer and another server. This rule is similar to the isolation rule type, but the Endpoints page will be displayed so that you can identify the computers that are affected by this rule. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:
Tunnel
Use this rule type to secure communications between two computers by using tunnel mode, instead of transport mode, in IPsec. Tunnel mode embeds the entire network packet in a network packet that is routed between two defined endpoints. For each endpoint, you can specify a single computer that receives and consumes the network traffic sent through the tunnel, or you can specify a gateway computer that connects to a private network onto which the received traffic is routed after the receiving tunnel endpoint extracts it from the tunnel. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:
Custom
Use this rule type to create a rule that requires special settings. This option enables all of the wizard pages except those that are used only to create tunnel rules.
Additional references
included in one of the endpoint definitions, then it can send and receive network packets through this connection to computers that are listed in the other endpoint. An endpoint can be a single computer or a group of computers, defined by an IP address, an IP subnet address, an IP address range, or a predefined set of computers identified by role: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select either Server-to-server or Custom, and then click Next.
Any IP address
Select this option to specify that Endpoint 1 consists of any computer that needs to communicate with a computer in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.
These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Addresses dialog box to create or modify your entries.
Any IP address
Select this option to specify that Endpoint 2 consists of any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and
These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Addresses dialog box to create or modify your entries.
Additional references
connection is allowed if authentication fails. This option is typically used in either a low-security environment or an environment with computers that must be able to connect, but cannot perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for computers that are in the boundary zone.
Require authentication for inbound connections and request authentication for outbound connections
Select this option to require that all inbound traffic is authenticated. If inbound traffic fails authentication, then the connection is blocked. Outbound traffic is authenticated if possible, but the traffic is allowed if authentication fails. This option is used most in IT environments in which the computers that must be able to connect can perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for client computers that are part of the main isolation zone in the domain.
Require authentication for inbound connections. Do not establish tunnels for outbound connections
Use this option when creating a tunnel mode rule on a computer that serves as a tunnel endpoint for remote clients, to specify that the tunnel only applies to inbound network traffic from the clients. The server can make outbound connections that are not affected by this rule.

Note
This option appears only when you select Tunnel on the Rule Type page and either Custom configuration or Gateway-to-client on the Tunnel Type page.
Do not authenticate
Use this option to create an authentication exemption rule for connections to computers that do not require Internet Protocol security (IPsec) protection.

Note
This option appears when you select Custom on the Rule Type page or when you select Tunnel on the Rule Type page, and then select either Custom or Client-to-gateway on the Tunnel Type page.
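The Requirements options above correspond one-to-one to the action= values of netsh advfirewall consec. The block below is an added example, not part of the original topic, showing an isolation rule for the main isolation zone, a boundary-zone rule and an authentication exemption; the rule names and the choice of the domain profile are assumptions.

```batch
rem Added example (not from the original topic): connection security rules
rem created with netsh advfirewall consec. Requires an elevated command prompt.

rem Requirements page option                                         -> action=
rem   Request authentication for inbound and outbound connections    -> requestinrequestout
rem   Require authentication for inbound and request for outbound    -> requireinrequestout
rem   Require authentication for inbound and outbound connections    -> requireinrequireout
rem   Require inbound; do not establish tunnels for outbound         -> requireinclearout (tunnel rules)
rem   Do not authenticate                                            -> noauthentication

rem Main isolation zone: require inbound, request outbound, authenticate with
rem computer Kerberos v5 (the default method), domain profile only.
netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain

rem Boundary zone: request on both sides, so peers that cannot authenticate
rem still connect (the lower-security option described above).
netsh advfirewall consec add rule name="Boundary Zone" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb profile=domain

rem Authentication exemption for infrastructure this computer must reach
rem before it can authenticate. The predefined endpoint keyword dhcp matches
rem the "DHCP servers" predefined set in the wizard; dns, wins, defaultgateway
rem and localsubnet are the other keywords.
netsh advfirewall consec add rule name="Exempt DHCP servers" endpoint1=any endpoint2=dhcp action=noauthentication

rem Exempt computers are still subject to firewall rules: unsolicited inbound
rem traffic from them needs an inbound firewall rule as well. Review the result.
netsh advfirewall consec show rule name=all
```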
Additional references
Default
This option is available only when you specify an Isolation or Custom rule type. Select this option to use the authentication method currently displayed on the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under Authentication Method.
For more information about customizing the default options, see Dialog Box: Customize IPsec Settings.
Computer certificate
This option is available only when you specify a Server-to-server or Tunnel rule type. Select this option to use computer authentication based on a computer certificate. It is equivalent to selecting Advanced, adding Computer certificate for first authentication, and then selecting Second authentication is optional.
Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)
Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256
Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.

ECDSA-P384
Select this option if the certificate is signed by using ECDSA with 384-bit key strength.
Root CA (default)
Select this option if the certificate was issued by a root certification authority (CA) and is stored in the local computer's Trusted Root Certification Authorities certificate store.

Intermediate CA
Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.
Advanced
This option is available when you specify any rule type. Select this option to configure any available authentication method. You must then click Customize and specify a list of methods for both first authentication and second authentication. For more information, see Dialog Box: Customize Advanced Authentication Methods, Dialog Box: Add or Edit First Authentication Method, and Dialog Box: Add or Edit Second Authentication Method.
Additional references
Use this wizard page to specify which protocol and which port or ports specified in a network packet match this connection security rule. Only network traffic that matches the criteria on this page and the Endpoints page match the rule and are subject to its authentication requirements.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Custom.
3. In Steps, click Protocol and Ports.
Protocol type
Select the protocol whose network traffic you want protected by this connection security rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number. If you choose TCP or UDP from the list, then you can type the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.
Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for protocol type, then you must type the protocol identification number in Protocol number.
Endpoint 1 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 1. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas. Notes
If the Do not authenticate option on the Requirements page has been selected for this rule, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010
Endpoint 2 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 2. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Notes
If the Do not authenticate option on the Requirements page has been selected for this rule, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010
Additional references
Exempt Computers
On this wizard page, you add one or more computers or computer groups to the list to exempt them from authentication requirements. Click Add to specify computers by Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address, subnet, IP address range, or by using one of the predefined IP addresses: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses. When you click Add or Edit, the IP Address dialog box is displayed.

Note
Although the computers listed on this page are exempt from authentication, they might still be blocked by Windows Firewall unless a firewall rule allows them to connect.
Additional references
is required because the client and server VPN components of this version of Windows create the rules to secure L2TP traffic automatically.

Use this wizard page to configure the type of IPsec tunnel that you want to create. An IPsec tunnel is typically used to connect a private network behind a gateway to either a remote client or a remote gateway with another private network. IPsec tunnel mode protects a data packet by encapsulating the entire data packet inside an IPsec-protected packet and then routing the IPsec-protected packet between the tunnel endpoints. When it arrives at the destination endpoint, the data packet is extracted and then routed to its final destination.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, select Tunnel Type.
Custom configuration
Select this option to enable all of the endpoint configuration options on the Tunnel Endpoints Custom Configuration page. You can specify the IP addresses of the computers that serve as the tunnel endpoints and the computers that are located on private networks behind each tunnel endpoint. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration.
Client-to-gateway
Select this option if you want to create a rule for a client computer that must connect to a remote gateway and the computers behind the gateway on a private network. When the client sends a network packet to a computer on the remote private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the remote gateway address. The gateway extracts the packet and then routes it on the private network to the destination computer. If you select this option, then only the public IP address of the gateway computer and the IP addresses of the computers on the private network can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway.
Gateway-to-client
Select this option if you want to create a rule for a gateway computer that is attached to both a private network and a public network from which it receives network traffic from remote clients. When the client sends a network packet to a computer on the private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the public IP address of this gateway computer. When the gateway computer receives the packet, it extracts the packet and then routes it on the private network to the destination computer. When a computer on the remote private network needs to reply to the client computer, the data packet is routed to the gateway computer. The gateway computer embeds the data packet inside an IPsec packet that is addressed to the remote client computer, and then routes the IPsec packet over the public network to the remote client computer. If you select this option, then only the addresses of computers on the private network and the public IP address of the gateway computer can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Gateway-to-Client.
Yes
Select this option if the connection is already protected by another connection security rule and you do not want the network packet to go through the IPsec tunnel. Any network traffic that is protected by the Encapsulating Security Payload (ESP) protocol, including ESP Null, is prevented from traversing the tunnel.
No
Select this option if you want all network packets that match the tunnel rule to go through the tunnel even when they are protected by another connection security rule.
Additional references
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, click Tunnel Type, and then select Custom configuration.
4. Click Next until you reach the Tunnel Endpoints page.
What is the local tunnel endpoint (closest to the computers in Endpoint 1)?
The local tunnel endpoint is the gateway to which a computer in Endpoint 1 sends network packets that are addressed to a computer in Endpoint 2. The local tunnel endpoint accepts a network packet from a computer in Endpoint 1, and then encapsulates it in a new network packet that is addressed and routed to the remote tunnel endpoint. The remote tunnel endpoint extracts the encapsulated original packet, places it on the network connected to the computers in Endpoint 2, and then routes the packet to its final destination. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both. To add an address, click Edit, and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important
If you specify Any, then the computer in Endpoint 1 is also the local tunnel endpoint for the connection. The Endpoint 1 computer encapsulates and routes its own network packets to the remote tunnel endpoint, which extracts and routes the data to the destination computer in Endpoint 2.

Note
The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.
What is the remote tunnel endpoint (closest to the computers in Endpoint 2)?
The remote tunnel endpoint is the gateway to which the local tunnel endpoint sends network packets that are addressed to a computer in Endpoint 2. The remote tunnel endpoint receives a network packet from the local tunnel computer, extracts the encapsulated original packet, and then routes it to the destination computer in Endpoint 2. You can specify an IPv4 address, an IPv6 address, or both. To add an address, click Edit and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important
If you specify Any, then the computer in Endpoint 2 that is receiving the data also serves as the remote tunnel endpoint. The Endpoint 2 computer then extracts and processes the original packet.

Note
The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.
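The custom-configuration tunnel described on this page, with Endpoint 1 and Endpoint 2 networks and their local and remote tunnel endpoints, can be expressed as one netsh advfirewall consec rule. The block below is an added example, not part of the original topic; all addresses are documentation-range placeholders, and both gateways are assumed to be domain-joined so that computer Kerberos v5 authentication can be used.

```batch
rem Added example (not from the original topic): gateway-to-gateway IPsec tunnel
rem rule matching the Tunnel Endpoints page with Custom configuration.
rem Placeholder addresses from documentation ranges:
rem   Endpoint 1 network 192.0.2.0/24   behind local tunnel endpoint  198.51.100.1
rem   Endpoint 2 network 203.0.113.0/24 behind remote tunnel endpoint 198.51.100.2
rem Both tunnel endpoints are IPv4, as the Note above requires (versions must match).
rem Requires an elevated command prompt on the Site A gateway.
netsh advfirewall consec add rule name="Site A to Site B tunnel" mode=tunnel endpoint1=192.0.2.0/24 endpoint2=203.0.113.0/24 localtunnelendpoint=198.51.100.1 remotetunnelendpoint=198.51.100.2 action=requireinrequireout auth1=computerkerb exemptipsecprotectedconnections=yes

rem exemptipsecprotectedconnections=yes is the Yes option on the wizard page
rem that asks whether traffic already protected by another connection security
rem rule (ESP, including ESP Null) should bypass the tunnel.

rem The Site B gateway needs the mirror rule: endpoints and tunnel endpoints
rem swapped. Shown as a comment because it runs on the other computer.
rem netsh advfirewall consec add rule name="Site B to Site A tunnel" mode=tunnel endpoint1=203.0.113.0/24 endpoint2=192.0.2.0/24 localtunnelendpoint=198.51.100.2 remotetunnelendpoint=198.51.100.1 action=requireinrequireout auth1=computerkerb exemptipsecprotectedconnections=yes

rem Inspect the rule, then, once traffic crosses the tunnel, the main mode and
rem quick mode security associations it negotiated.
netsh advfirewall consec show rule name="Site A to Site B tunnel"
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```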
Additional references
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, click Tunnel Type, and then select Client-to-gateway.
4. Click Next until you reach the Tunnel Endpoints page.
Client
This option is set to My IP address and cannot be changed. Note In this scenario, the client computer is serving as the only computer in Endpoint 1 and is also the local tunnel endpoint.
Gateway
The gateway is the computer to which the client sends packets that are addressed to a computer in the remote endpoint. The gateway receives a network packet from the client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 2. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both. Notes
The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway. The gateway computer is referred to as the remote tunnel endpoint in the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.
Additional references
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, click Tunnel Type, and then select Gateway-to-client.
4. Click Next until you reach the Tunnel Endpoints page.
Gateway
The local tunnel endpoint is the computer to which the remote client sends packets that are addressed to a computer in Endpoint 1. The local tunnel computer receives a network packet from the remote client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 1. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both. Note The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway.
Client
This option is set to Any IP address and cannot be changed. The client computer in this scenario is both the remote tunnel endpoint and the only computer in Endpoint 2.
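The IP version constraints repeated in the tunnel endpoint descriptions above (matching versions at both ends of the tunnel, one IPv4 and/or one IPv6 host address per tunnel endpoint, and the gateway using the same IP version as the computers behind it) can be checked before a rule is deployed. The following is an added example in Python, not code from the original documentation; the function names are my own, and applying the gateway-versus-hosts check to the local side as well as the remote side is my generalization.

```python
import ipaddress

ANY = "Any"  # the Any keyword on the Tunnel Endpoints page


def ip_version(entry):
    """Return 4 or 6 for an address, a subnet, or a low-high address range.

    The Any keyword has no version and returns None. A range whose bounds
    differ in version, or whose low bound is above its high bound, is rejected.
    """
    entry = entry.strip()
    if entry.lower() == ANY.lower():
        return None
    if "-" in entry:
        low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError("invalid address range: %s" % entry)
        return low.version
    # ip_network accepts a plain host address as well as CIDR notation
    return ipaddress.ip_network(entry, strict=False).version


def versions(entries):
    """Set of IP versions used by a list of entries (keywords contribute nothing)."""
    return {v for v in (ip_version(e) for e in entries) if v is not None}


def check_tunnel_rule(local_tunnel, endpoint1, remote_tunnel, endpoint2):
    """Validate the endpoints of an IPsec tunnel mode rule.

    local_tunnel / remote_tunnel: tunnel endpoint addresses, one IPv4 and/or
    one IPv6 host address, or [ANY]. endpoint1 / endpoint2: the computers
    behind each tunnel endpoint (addresses, subnets, ranges, or [ANY]).
    Returns a list of problems; an empty list means the rule is consistent.
    """
    problems = []
    sides = (("local tunnel endpoint", local_tunnel, "Endpoint 1", endpoint1),
             ("remote tunnel endpoint", remote_tunnel, "Endpoint 2", endpoint2))
    for name, ends, hosts_name, hosts in sides:
        if not ends:
            problems.append("%s: no address specified" % name)
        seen = set()
        for e in ends:
            if e.strip().lower() == ANY.lower():
                continue
            # a tunnel endpoint is a single gateway host, never a subnet or range
            if "-" in e or ipaddress.ip_network(e, strict=False).num_addresses != 1:
                problems.append("%s: %r is not a single host address" % (name, e))
                continue
            v = ip_version(e)
            if v in seen:
                problems.append("%s: more than one IPv%d address" % (name, v))
            seen.add(v)
        # The gateway must use the same IP version(s) as the computers behind it.
        # The page states this for the remote side; it is applied to both here.
        tv, hv = versions(ends), versions(hosts)
        if tv and hv and not hv <= tv:
            missing = ",".join(str(v) for v in sorted(hv - tv))
            problems.append("%s uses IPv%s but the %s does not" % (hosts_name, missing, name))
    # The IP version(s) at each end of the tunnel must match. With Any at one
    # end (client-to-gateway or gateway-to-client) there is nothing to compare.
    lv, rv = versions(local_tunnel), versions(remote_tunnel)
    if lv and rv and lv != rv:
        problems.append("tunnel ends use different IP versions: local %s, remote %s"
                        % (sorted(lv), sorted(rv)))
    return problems


if __name__ == "__main__":
    # constructed sample: IPv4 gateway-to-gateway tunnel with IPv6 hosts behind the remote side
    for p in check_tunnel_rule(["10.0.0.1"], ["192.168.10.0/24"],
                               ["203.0.113.5"], ["2001:db8:2::/64"]):
        print(p)
```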
Additional references
Domain
The domain profile applies to a network when a domain controller for the local computer's domain is detected. If you select this box, then the rule applies to network traffic passing through the network adapter connected to this network.
Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.
Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as it is in an IT environment.
Additional references
Name
Each rule must have a unique name. Do not use the name all because that name conflicts with the all keyword used by the Netsh command-line tool.
Description
We recommend that you provide a comprehensive description for your connection security rule. Include logical names of affected computers because the rule properties contain IP addresses only.
Enabled
Select this option to activate the rule. If you clear this option, then the rule is disabled, but not deleted.
Additional references
To get to this tab 1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules. 2. Right-click the rule you want to modify, and then click Properties.
Endpoint 1
Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove. If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 1 is set to Any IP address. If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 1 consists of the IP addresses of the computers on the private network behind the local tunnel endpoint (the gateway).
Any IP address
Select this option to specify that Endpoint 1 includes any computer that needs to communicate with a computer that is in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.
These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.
Endpoint 2
Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove. If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 2 consists of the IP addresses of the computers on the private network behind the remote tunnel endpoint (the gateway). If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 2 is set to Any IP address.
Any IP address
Select this option to specify that Endpoint 2 includes any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and is subject to its authentication requirements.
These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.
Additional references
Protocol type
Select the protocol whose network traffic will be protected by this connection security rule. If the protocol you want is not in the list, select Custom, and type the protocol number in Protocol number. If you choose TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.
Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.
Endpoint 1 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 1. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas. Notes
If this rule has Do not authenticate on the Authentication tab, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010
Endpoint 2 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 2. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas. Notes
If this rule has Do not authenticate on the Authentication tab, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010
Additional references
Requirements
Under Authentication mode, select one of the following options to indicate whether authentication of network traffic is required or requested.
Do not authenticate
Select this option to make the rule an authentication exemption rule. Network traffic that matches this rule is not authenticated by Internet Protocol security (IPsec) on this computer. The option is also valid on tunnel mode rules that are created by using the Custom Configuration or Client-to-Gateway options.
Request inbound and outbound
Connections are authenticated if possible, but the connections are allowed if authentication fails.
Require inbound and request outbound
All inbound network connections must be authenticated or they fail. Outbound connections are authenticated if possible, but are allowed if authentication fails.
Require inbound and outbound
Only connections that are authenticated are allowed.
Require inbound and clear outbound
All inbound network connections must be authenticated or they fail. Outbound connections are not authenticated. Security Note We recommend that you use this setting only when required on an IPsec gateway that must be able to initiate communications with computers that cannot use IPsec on the Internet.
Method
Use these settings to configure the type of authentication used by this connection security rule. For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230). If you choose Advanced, then you must click Customize and add the authentication methods by using the Customize Advanced Authentication Methods dialog box.
Additional references
Rules.
2. Right-click the rule that you want to modify, and then click Properties.
3. Click the Advanced tab.
Profile
Use these options to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals. This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.
Domain
The domain profile applies to a network when a domain controller for the local computer's domain is detected. If you select this check box, then the rule applies to network traffic passing through the network adapter connected to this network.
Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.
Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.
Interface types
You can use this setting to specify to which interface type this rule applies. You can create rules that apply to certain interface types only. For example, if you specify only the wireless interface type for this rule, then Windows Firewall with Advanced Security will take the action specified by the rule for wireless traffic. The default setting is All interface types. Click Customize to select either all interface types or specific interface types.
IPsec tunneling
You can use this setting to create a rule that uses IPsec tunnel mode to establish a connection between two tunnel endpoints. Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which Layer Two Tunneling Protocol (L2TP) cannot be used. If you are using L2TP for remote communications, no tunnel configuration is required because the client and server virtual private network (VPN) components of this version of Windows create the rules to secure L2TP traffic automatically. To configure the tunnel endpoints, click Customize, and then provide the required information in the Customize IPsec Tunneling Settings dialog box.
Additional references
Rule Type
Program
Protocol and Ports (Port Rule)
Protocol and Ports (Custom Rule)
Predefined Rules
Scope
Action
Users
Computers
Profile
through Windows Firewall. The same wizard and property pages are used to create both inbound and outbound rules. The choice you make on this page determines which pages are displayed by the Firewall Rule Wizard. You can change the settings for any firewall rule after you create it. To make these changes, right-click the firewall rule in the results pane, and then select Properties.
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New Rule.
2. The Rule Type page is displayed.
Program
Use this type of firewall rule to allow a connection based on the program that is trying to connect. This is an easy way to allow connections for Microsoft Outlook or other programs. It is also useful if you are not sure of the port or other settings required to allow access. You only need to specify the path to the program executable (.exe) file. By default, the program is allowed to accept connections on any port. To restrict a program rule to allow traffic on specified port numbers only, after you create the rule, use the Protocols and Ports tab to change the rule properties.
Port
Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You can specify the protocol (either TCP or UDP) and the local ports. You can specify more than one port number. By default, any program currently running on the computer can accept network traffic on a port opened with this type of rule. To restrict the open port to a specified program only, after you create the rule, use the Programs and Services tab to change the rule properties.
Predefined
Use this type of firewall rule to allow a connection by selecting one of the programs or services from the list. Most of the well-known services and programs available on computers running this version of Windows appear in this list. Network programs that you install typically add their own entries to this list so that you can enable and disable them as a group.
Custom
Use this type of firewall rule when you need to allow a connection based on criteria not covered by the other types of firewall rules; you configure all of the matching criteria yourself.
Additional references
All programs
Use this option to match network packets sent or received by any program running on the local computer.
Type the complete path to the program. You can include environment variables, where appropriate. Important We recommend that you do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results. Click Browse and find the program in the directory.
Note To specify a service in a firewall rule, use the All programs option, and then select the Programs and Services tab on the Firewall Rule Properties dialog box.
Additional references
Firewall Rule Wizard: Protocol and Ports Page Port Rule Type
Use this wizard page to specify which protocol and which port or ports specified in a network packet match this firewall rule. Only network traffic that matches the criteria on this page matches the rule and is subject to its action setting.
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select Port.
3. Click Next through the wizard until you reach the Protocol and Ports page.
Inbound rules: Does this rule apply to all local ports or specific local ports?
All local ports
Use this option to apply the rule to inbound network traffic that matches any local port number.
Outbound rules: Does this rule apply to all remote ports or specific remote ports?
All remote ports
Use this option to apply the rule to outbound network traffic that matches any destination port number.
Additional references
Firewall Rule Wizard: Protocol and Ports Page Custom Rule Type
Use this wizard page to specify which protocols and ports specified in a network packet match this firewall rule.
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select either Port or Custom.
3. Click Next through the wizard until you reach the Protocol and Ports page.
Protocol type
Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number. If you specify TCP or UDP, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port. For a list of the protocols, their protocol numbers, and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (http://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.
Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.
Local port
If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied. The following options are available for inbound rules:
All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.
Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.
RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming remote procedure call (RPC) requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send future network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.
RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.
Important Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC Dynamic Ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program. When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.
IPHTTPS. Available for TCP only. Available under Local port for inbound rules only. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports embedding Internet Protocol version 6 (IPv6) packets in Internet Protocol version 4 (IPv4) HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.
Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets.
Remote port
If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied. The following options are available for inbound rules:
All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.
Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.
IPHTTPS. Available for TCP only. Available under Remote port for outbound rules only. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.
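The Specific Ports syntax described for the Local port and Remote port options above (comma-separated port numbers, ranges written as low-high) is the same one used by the Endpoint 1 port and Endpoint 2 port options of a connection security rule, where the notes state that ranges are accepted only when the rule uses Do not authenticate. The following parser is an added example in Python, not code from the original documentation; the function names and the 0-65535 bound are my assumptions.

```python
import re

MAX_PORT = 65535  # assumption: TCP/UDP port numbers are validated against 0-65535

# one entry: a port number, optionally followed by a hyphen and a second number
_ENTRY = re.compile(r"^\s*(\d+)\s*(?:-\s*(\d+))?\s*$")


def parse_port_spec(spec, ranges_allowed=True):
    """Parse a Specific Ports string such as "80, 445, 5000-5010".

    Returns a sorted list of (low, high) tuples with overlapping and adjacent
    entries merged, so "80,81,80-82" becomes [(80, 82)]. With ranges_allowed
    set to False (a connection security rule that authenticates) a low-high
    entry raises ValueError, mirroring the restriction noted on the page.
    """
    ranges = []
    for item in spec.split(","):
        text = item.strip()
        if not text:
            raise ValueError("empty entry in port list: %r" % spec)
        m = _ENTRY.match(item)
        if not m:
            raise ValueError("invalid port entry: %r" % text)
        low = int(m.group(1))
        is_range = m.group(2) is not None
        high = int(m.group(2)) if is_range else low
        if is_range and not ranges_allowed:
            raise ValueError("port ranges require Do not authenticate: %r" % text)
        if low > high:
            raise ValueError("range low value is above its high value: %r" % text)
        if high > MAX_PORT:
            raise ValueError("port number out of range: %r" % text)
        ranges.append((low, high))
    ranges.sort()
    merged = []
    for low, high in ranges:
        if merged and low <= merged[-1][1] + 1:   # overlaps or touches the previous entry
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def port_matches(ranges, port):
    """True if a port number falls within any (low, high) entry from parse_port_spec."""
    return any(low <= port <= high for low, high in ranges)


def format_port_spec(ranges):
    """Render merged entries back into the comma-separated form the UI accepts."""
    return ", ".join(str(low) if low == high else "%d-%d" % (low, high)
                     for low, high in ranges)


if __name__ == "__main__":
    # constructed sample from the page's own example string
    entries = parse_port_spec("80, 445, 5000-5010")
    print(entries, port_matches(entries, 5005), format_port_spec(entries))
```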
After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, use the Protocols and Ports tab.
Additional references
Any IP address
Select this option to specify that the rule matches a network packet with any address specified as the local IP address. The local computer always matches the rule when this option is selected.
These IP addresses
Select this option to specify that the rule matches only network traffic that has one of the specified addresses in the local IP address field. If the local computer does not have a network adapter configured with one of the specified IP addresses, then the rule does not apply. On the IP Address dialog box, click Add to create a new entry in the list, or Edit to change an existing entry in the list.
Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.
Any IP address
Select this option to specify that the rule matches network packets that are addressed from (for inbound rules) or addressed to (for outbound rules) any IP address included in the list.
These IP addresses
Select this option to specify that the rule only matches network traffic that has one of the addresses specified in the Remote IP address field. On the IP Address dialog box, click Add to create a new entry in the list, or Edit to modify an existing entry in the list.
Additional references
Use this option to specify that only connections that are protected by Internet Protocol security (IPsec) are allowed. IPsec settings are defined in separate connection security rules. By default, this setting requires both authentication and integrity protection. To configure the requirements, click Customize. When you choose this option, the Users and Computers pages are automatically added to the wizard. You can use these pages to specify the users or computers to whom you want to grant or deny access, or leave the page blank to allow access to all users and computers. If you choose to specify users or computers, you must use an authentication method that includes user or computer information, as appropriate, because Windows Firewall with Advanced Security will use the authentication method from the connection security rule to match the users and computers you specify. For example, for computers, you can use Computer (Kerberos V5) or Computer Certificate with certificate-to-account mapping enabled. If you do not specify users or computers, you can use any authentication method. For more information about how to customize the IPsec requirements for this option, see the Customize Allow If Secure Settings dialog box. For more information about restricting access to users or computers, see the Users and Computers pages in the wizard.
Additional references
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules, and then click New rule.
Note This page is displayed for inbound rules only; it is not available for outbound rules.
2. Click Next through the wizard until you reach the Action page.
3. On the Action page, select Allow the connection if it is secure.
4. Click Next through the wizard until you reach the Users page.
Authorized users
Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.
Exceptions
Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user who is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.
After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules. To change these settings, select the Users tab.
Additional references
Authorized computers
Use this section to identify the computer or group accounts that are allowed to make the connection specified by the rule.
For inbound rules, select Only allow connections from these computers to specify which computers can connect to this computer. Network traffic that is not authenticated as coming from a computer on this list is blocked by Windows Firewall. For outbound rules, select Only allow connections to these computers to specify the computers to which this computer is allowed to connect. Outbound network traffic sent to computers that cannot be authenticated as a computer on the list is blocked by Windows Firewall.
If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers and Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
Exceptions
Use this section to identify computer or group accounts that might be listed in Authorized computers, possibly because the computer or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, Computer A is a member of Group B. Group B is included in Authorized computers, so network traffic authenticated as coming from a computer in the group is allowed. By placing Computer A in the Exceptions list, network traffic authenticated as coming from Computer A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.
For inbound rules, select Skip this rule for connections from these computers to specify which remote computers are exceptions to this rule. For outbound rules, select Skip this rule for connections to these computers to specify the remote computers that are exceptions to this rule.
If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers and Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
Additional references
depending on which network adapter receives the traffic.
To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New Rule.
2. Click Next through the wizard until you reach the Profile page.
Domain
The domain profile applies to a network when a domain controller is detected for the domain to which the local computer is joined. If you select this box, then the rule applies to network traffic passing through a network adapter connected to this network.
Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.
Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.
Additional references
This section describes the tabs on the Firewall Rule Properties page in Windows Firewall with Advanced Security.
General
Programs and Services
Protocols and Ports
Scope
Advanced
Computers
Users
In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the General tab.
General section
This section contains identifying information about the rule and gives you the ability to enable or disable the rule.
Name
This is the name of the firewall rule. As a best practice, give the firewall rule a unique name. If two rules have the same name, then you cannot easily manage them by using the netsh commands. Do not use the name all for a firewall rule because that is the name of a Netsh command-line tool keyword.
Description (optional)
This is a description of the rule. Use this to provide information about the rule, such as the rule owner, the rule requester, the purpose of the rule, a version number, or the date of creation.
Enabled
Select this check box to enable the rule. Enabling a rule causes Windows Firewall with Advanced Security to compare all network packets to the criteria in this rule and to perform the action specified in Action when a match is found. Disabling the rule does not delete it, but instead causes Windows Firewall with Advanced Security to stop comparing network packets to the rule.
Action section
Select the action that Windows Firewall with Advanced Security will take for network packets that match the firewall rule criteria. When you have multiple firewall rules defined, the order in which they are evaluated for a match depends on the action specified in the rule. Firewall rules are evaluated in the following order:
1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.
2. Block the connection.
3. Allow the connection.
4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).
Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria. As soon as a network packet matches a rule, its action is triggered, and it is not compared to any additional rules. In other words, even if a network packet matches more than one rule, only the matching rule that is evaluated against the packet first is applied to the packet.
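A runnable model of this precedence, added here as an example; it is not Microsoft's code and does not call the Windows Firewall engine. The rule names, program path and 192.0.2.0/24 addresses are constructed, and the model reduces a rule to five criteria (profile, program, protocol, local port, remote address) so the category-then-specificity ordering can be observed.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Action categories in the order Windows Firewall evaluates them
# (lower number = evaluated first). Category 3, the profile default,
# applies when no rule matches and is not represented by a Rule.
ALLOW_SECURE_OVERRIDE = 0  # "Allow if secure" with "Override block rules"
BLOCK = 1                  # "Block the connection"
ALLOW = 2                  # "Allow the connection"

@dataclass
class Packet:
    """One packet as seen by the host firewall (constructed input)."""
    profile: str                 # "domain", "private" or "public"
    program: str                 # full path of the program owning the socket
    protocol: str                # "TCP" or "UDP"
    local_port: int
    remote_ip: str
    authenticated: bool = False  # True when IPsec has authenticated the peer

@dataclass
class Rule:
    """A firewall rule. A criterion left as None means 'any' and does not
    count toward the rule's specificity."""
    name: str
    action: int
    profiles: Optional[Set[str]] = None
    programs: Optional[Set[str]] = None
    protocols: Optional[Set[str]] = None
    local_ports: Optional[Set[int]] = None
    remote_ips: Optional[Set[str]] = None
    enabled: bool = True

    def _criteria(self):
        return (self.profiles, self.programs, self.protocols,
                self.local_ports, self.remote_ips)

    def specificity(self) -> int:
        """Number of criteria the rule specifies (four beats three)."""
        return sum(c is not None for c in self._criteria())

    def matches(self, p: Packet) -> bool:
        if not self.enabled:          # a disabled rule is never compared
            return False
        values = (p.profile, p.program, p.protocol, p.local_port, p.remote_ip)
        for want, got in zip(self._criteria(), values):
            if want is not None and got not in want:
                return False
        # "Allow if secure" only matches traffic that IPsec has authenticated.
        return p.authenticated or self.action != ALLOW_SECURE_OVERRIDE

def evaluate(rules, packet: Packet, profile_default: str = "block"):
    """Return (decision, rule_name) for the packet. Matching rules are
    ordered by category (allow-if-secure/override, block, allow) and, within
    a category, by decreasing specificity; the first one decides and the
    rest are never consulted. With no match the profile default applies."""
    candidates = sorted((r for r in rules if r.matches(packet)),
                        key=lambda r: (r.action, -r.specificity()))
    if not candidates:
        return profile_default, None
    winner = candidates[0]
    return ("block" if winner.action == BLOCK else "allow"), winner.name

# Constructed sample rule set: names and paths are made up, and
# 192.0.2.0/24 is a documentation address range.
SVCHOST = r"C:\Windows\System32\svchost.exe"
SAMPLE_RULES = [
    Rule("Allow RDP from admin hosts", ALLOW, protocols={"TCP"},   # 4 criteria
         local_ports={3389}, remote_ips={"192.0.2.10", "192.0.2.11"},
         programs={SVCHOST}),
    Rule("Block RDP", BLOCK, protocols={"TCP"}, local_ports={3389}),  # 2 criteria
    Rule("Allow RDP from IPsec peers", ALLOW_SECURE_OVERRIDE,
         protocols={"TCP"}, local_ports={3389}),
    Rule("Allow web", ALLOW, protocols={"TCP"}, local_ports={80, 443}),
    Rule("Allow HTTPS on domain", ALLOW, profiles={"domain"},       # 3 criteria
         protocols={"TCP"}, local_ports={443}),
]

def sample_decisions() -> dict:
    """Run constructed packets through SAMPLE_RULES."""
    rdp = Packet("domain", SVCHOST, "TCP", 3389, "192.0.2.10")
    rdp_ipsec = Packet("domain", SVCHOST, "TCP", 3389, "192.0.2.10",
                       authenticated=True)
    https = Packet("domain", SVCHOST, "TCP", 443, "192.0.2.50")
    dns = Packet("private", SVCHOST, "UDP", 53, "192.0.2.50")
    return {
        # Block beats Allow even though the Allow rule is more specific.
        "rdp": evaluate(SAMPLE_RULES, rdp),
        # Allow-if-secure with override beats Block once IPsec authenticated.
        "rdp_ipsec": evaluate(SAMPLE_RULES, rdp_ipsec),
        # Two Allow rules match; the one with more criteria is selected.
        "https_domain": evaluate(SAMPLE_RULES, https),
        # Nothing matches, so the profile default (block) applies.
        "dns": evaluate(SAMPLE_RULES, dns),
    }
```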
Additional references
In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Programs and Services tab.
Programs
This section contains information about how network packets from a program will be matched.
This program
Use this option to match network packets going to or from a specified program. If the program is not running, then no packets match the rule. You can select the program in one of two ways:
Type the complete path to the program. You can include environment variables, where appropriate.
Important
Do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results.
Click Browse and find the program in the directory.
Services
Click Settings to match packets from all programs and services on the computer (the default), services only, or a specified service.
Additional references
In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Protocols and Ports tab.
Protocol type
Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, then select Custom, and type the protocol number in Protocol number. You can use any protocol number listed by the Internet Assigned Numbers Authority (IANA). If you specify TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port. For a list of the protocols, their protocol numbers and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (http://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.
Local port
If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied. The following options are available for inbound rules:
All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.
Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.
RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming RPC requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send further network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.
RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.
Important
Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC dynamic ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program. When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.
IPHTTPS. Available for TCP only. Available under Local port for inbound rules. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports the embedding of Internet Protocol version 6 (IPv6) packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.
Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets. Teredo is an IPv4-to-IPv6 transition protocol.
Remote port
If you are using the TCP or UDP protocol type, you can specify the remote port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied. The following options are available for inbound rules:
All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.
Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.
IPHTTPS. Available for TCP only. Available under Remote port for outbound rules. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.
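A parser and validator for the Specific Ports syntax used under both Local port and Remote port (comma-separated numbers, ranges written as low-high), added here as example code written for this page, not Microsoft's; the sample strings are constructed, and the range check against 0-65535 is an assumption about what a reasonable validator should reject.

```python
MAX_PORT = 65535

def parse_port_list(spec: str) -> frozenset:
    """Expand a Specific Ports string such as "80,443,1024-1030" into the
    set of port numbers it covers. Raises ValueError for anything that is
    not a port number or a low-high range within 0-65535."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:                      # "80,,443" or a trailing comma
            raise ValueError(f"empty entry in port list {spec!r}")
        low, dash, high = item.partition("-")
        if not low.isdigit() or (dash and not high.isdigit()):
            raise ValueError(f"not a port or port range: {item!r}")
        lo = int(low)
        hi = int(high) if dash else lo
        if hi > MAX_PORT or lo > hi:      # "70000" or "1030-1024"
            raise ValueError(f"invalid port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)

def format_port_list(ports) -> str:
    """Inverse of parse_port_list: emit the ports in the same comma/hyphen
    syntax, collapsing consecutive numbers into low-high ranges."""
    runs = []                             # list of [low, high]
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in runs)

def validate_port_list(spec: str) -> str:
    """Return an error message for spec, or "" when it is acceptable."""
    try:
        parse_port_list(spec)
    except ValueError as err:
        return str(err)
    return ""
```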
ICMP Settings
Click Customize to configure settings for Internet Control Message Protocol (ICMP). The Customize button is enabled only when you choose the ICMPv4 or ICMPv6 protocol types. For more information, see Dialog Box: Customize ICMP Settings.
Additional references
In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Scope tab.
Local IP address
The local IP address is used by the local computer to determine if the rule applies. The rule applies only to network traffic that goes through a network adapter that is configured to use one of the specified local IP addresses.
Any IP address
Select this option to specify that the rule matches a network packet with any address specified as the local IP address. The local computer always matches the rule when this option is selected.
These IP addresses
Select this option to specify that the rule matches network traffic that has one of the addresses specified in Local IP address. If the local computer does not have a network adapter configured with one of the specified IP addresses, then the rule does not apply. On the IP Address dialog box, click Add to create a new entry in the list or Edit to change an existing entry in the list. You can also delete an entry from the list by selecting the item and then clicking Remove.
Remote IP address
Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.
Any IP address
Select this option to specify that the rule matches network packets that are addressed from (for inbound rules) or addressed to (for outbound rules) any IP address included in the list.
These IP addresses
Select this option to specify that the rule matches only network traffic that has one of the addresses specified in Remote IP address. On the IP Address dialog box, click Add to create a new entry in the list or Edit to change an existing entry in the list. You can also delete an entry from the list by selecting the item and then clicking Remove.
Additional references
In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Advanced tab.
Profiles
A profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected. Windows determines a network location type for each network adapter, and then applies the corresponding profile to that network adapter. On computers running this version of Windows, there are three profiles recognized by Windows Firewall with Advanced Security.
Profile: Domain
Description: Applies when a computer is connected to a network that contains an Active Directory domain controller in which the computer's domain account resides.
Profile: Private
Description: Applies when a computer is connected to a network in which the computer's domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. A network is assigned the private type by a local administrator.
Profile: Public
Description: Applies when a computer is connected to a domain through a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment. By default, newly discovered networks are assigned the public type.
Notes
Computers running Windows Server 2008 and Windows Vista support only a single profile at a time. If the computer is connected to more than one network, the most restrictive profile is applied to all network adapters.
Computers running Windows XP and Windows Server 2003 support only two profiles: standard, which maps to both public and private, and domain. If the computer is connected to more than one network, the profile that is most restrictive is applied to all network adapters. For this purpose, the public profile is considered the most restrictive, followed by the private profile, and then the domain profile.
Interface types
Click Customize to specify the interface types to which the connection security rule applies. The Customize Interface Types dialog box allows you to select All interface types or any combination of Local area network, Remote access, or Wireless types.
Edge traversal
Edge traversal allows the computer to accept unsolicited inbound packets that have passed through an edge device, such as a network address translation (NAT) router or firewall.
Notes
This option cannot be configured by using the New Inbound Firewall Rule wizard. To configure this setting, you must create the rule by using the wizard and then change it by using this tab.
This option applies to inbound rules only; it does not appear on the Advanced tab for an outbound rule.
Defer to user
Let the user decide whether to allow unsolicited traffic from the Internet through a NAT edge device when an application requests it.
Defer to application
Let each application determine whether to allow unsolicited traffic from the Internet through a NAT edge device.
Additional references
information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.
To get to this tab
In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, right-click the firewall rule you want to modify, and then click the Computers tab.
Authorized computers
Use this section to identify the computer or group accounts that are allowed to make the connection specified by the rule.
For inbound rules, select Only allow connections from these computers to specify which computers can connect to this computer. Network traffic that is not authenticated as coming from a computer on this list is blocked by Windows Firewall. For outbound rules, select Only allow connections to these computers to specify the computers to which this computer is allowed to connect. Outbound network traffic sent to computers that cannot be authenticated as a computer on the list is blocked by Windows Firewall.
If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers, or Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
Exceptions
Use this section to identify computer or group accounts that might be listed in Authorized computers, possibly because the computer or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, Computer A is a member of Group B. Group B is included in Authorized computers, so network traffic authenticated as coming from a computer in the group is allowed. By placing Computer A in the Exceptions list, network traffic authenticated as being from Computer A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.
For inbound rules, select Skip this rule for connections from these computers to specify the remote computers that are exceptions to this rule. For outbound rules, select Skip this rule for connections to these computers to specify the remote computers that are exceptions to this rule.
If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers, or Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
Additional references
In the Windows Firewall with Advanced Security MMC snap-in, in Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Users tab.
Authorized users
Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.
Exceptions
Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user that is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.
Additional references
Local IP address
This lists the local IP address, range of addresses, or subnet to which the rule applies, as configured on the Scope tab of the Firewall Rule Properties page.
Remote IP address
This lists the remote IP address, range of addresses, or subnet to which the rule applies, as configured on the Scope tab of the Firewall Rule Properties page.
Direction
This indicates whether the rule is an Inbound or Outbound rule.
Profile
This lists the network location profiles, Domain, Private, Public or All, to which the rule applies, as configured on the Advanced tab of the Firewall Rule Properties page.
Additional references
To get to this tab
1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.
2. Double-click the firewall rule you want to examine, and then click the Programs and Ports tab.
Protocol
This indicates the IP protocol type to which the rule applies, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.
Local port
If you are using the UDP or TCP protocol type, this indicates the UDP or TCP port to which the rule applies, on the computer where the firewall rule is applied, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.
Remote port
If the rule applies to the UDP or TCP protocol, this indicates the UDP or TCP port to which the rule applies, on the remote computer that is attempting to communicate with the computer where the firewall rule is applied, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.
ICMP settings
If the rule applies to the Internet Control Message Protocol (ICMP) version 4 or ICMP version 6 protocol, this indicates the ICMP types and codes that are included, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.
Program
This indicates the program file name and path of the application to which the rule applies, as configured on the Programs and Services tab of the Firewall Rule Properties page.
Service
If the program item is a service container, this indicates the service within the container to which the rule applies, as configured on the Programs and Services tab of the Firewall Rule Properties page.
Additional references
Interface types
This is a list of the network interface types to which this rule applies (Local area network, Remote access, Wireless, or All interface types), as configured on the Advanced tab of the Firewall Rule Properties dialog box.
Edge traversal
This indicates whether edge traversal is enabled (Allow edge traversal) or disabled (Block edge traversal). The Defer to user and Defer to application options are used to indicate that the user or application must make the decision to allow unsolicited traffic from the Internet through a network address translation (NAT) edge device. When edge traversal is enabled, the application, service, or port to which the rule applies is globally addressable and accessible from outside a NAT edge device. This setting is configured on the Advanced tab of the Firewall Rule Properties dialog box.
Additional references
Endpoint 1 IP Address
This is the IP address or range of IP addresses of the first endpoint as configured on the Computers tab of the Connection Security Rule Properties page. If no endpoint is specified, Any is displayed.
Endpoint 1 port
This is the TCP or UDP port number of the first endpoint computer or group of computers as configured on the Protocols and Ports tab of the Connection Security Rule Properties page. If no port is specified, Any is displayed.
Endpoint 2 IP Address
This is the IP address or range of IP addresses of the second endpoint as configured on the Computers tab of the Connection Security Rule Properties page. If no endpoint is specified, Any is displayed.
Endpoint 2 port
This is the TCP or UDP port number of the second endpoint computer or group of computers as configured on the Protocols and Ports tab of the Connection Security Rule Properties page. If no port is specified, Any is displayed.
Protocol
This is the protocol as configured by using the Protocol type option on the Protocols and Ports tab of the Connection Security Rule Properties page. If no protocol is specified, Any is displayed.
Profile
This lists the network location profiles, domain, private or public, to which the rule applies, as configured on the Advanced tab of the Connection Security Rule Properties page.
Additional references
Requirements
This refers to the authentication requirement on connections matching the rule criteria.
First authentication
The first and second authentication methods are used during the main mode phase of Internet Protocol security (IPsec) negotiations. For first authentication, you can view the way the two peer computers authenticate, such as through Kerberos version 5, NTLMv2, computer certificates, or another method. The Details column displays information for certificates and preshared keys only. For certificates, it displays the issuer details, whether the certificate was issued by a root or intermediate certification authority (CA), and the certificate signing algorithm. For a preshared key, it displays the key in plain text. The authentication information displayed can be configured on the Authentication tab of the Connection Security Rules Properties dialog box.
Second authentication
For second authentication, you can view the user authentication method, such as Kerberos version 5, NTLMv2, user certificates, or a computer health certificate. The Details column displays information for certificates only. It displays the issuer details, whether the certificate was issued by a root or intermediate CA, and the certificate signing algorithm. The authentication information that is displayed can be configured on the Authentication tab of the Connection Security Rules Properties dialog box.
Additional references
Interface types
This indicates the network interface types to which the rule applies, as configured on the Advanced tab of the Connection Security Rule Properties page.
Apply authorization
This indicates whether the use of the tunnel is restricted to only authorized users and computers, as configured on the Customize IPsec Tunneling Settings dialog box. The list of authorized users and computers is configured on the Customize IPsec Tunnel Authorizations dialog box.
Additional references
In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Main Mode.
The following information is available in the table view of all main mode SAs. To see the information for a single main mode SA, double-click the SA in the list.
Local Address: The local computer IP address.
Remote Address: The remote computer or peer IP address.
1st Authentication Method: The authentication method used to create the SA.
1st Authentication Local ID: The authenticated identity of the local computer used in first authentication.
1st Authentication Remote ID: The authenticated identity of the remote computer used in first authentication.
2nd Authentication Method: The authentication method used in the SA.
2nd Authentication Local ID: The authenticated identity of the local computer used in second authentication.
2nd Authentication Remote ID: The authenticated identity of the remote computer used in second authentication.
Encryption: The encryption method used by the SA to secure quick mode key exchanges.
Integrity: The data integrity method used by the SA to secure quick mode key exchanges.
Key Exchange: The Diffie-Hellman group used to create the main mode SA.
Any user account can be used to complete this procedure.
To add, remove, or reorder a column
1. Right-click in a blank area in the Results pane for the Main Mode folder, select View, and then click Add/Remove Columns.
2. In the Add/Remove Columns dialog box, from the Available columns list, select the column you want to view, and then click Add. You can select only one column name at a time.
3. You can also select columns that you do not want to view. From the Displayed columns list, click Remove. You can select only one column name at a time.
4. To reorder the columns, from left to right, select a column in the Displayed columns list, and then click Move Up or Move Down. You can select only one column name at a time.
5. When you are finished, click OK. The view will change to reflect your preferences.
Additional references
Local IP address: The local IP address.
Local port: The TCP or UDP port of the local computer used in the filter.
Remote IP address: The IP address of the remote computer or peer.
Remote port: The TCP or UDP port of the remote computer used in the filter.
Protocol: The protocol specified in the filter.
AH integrity: The AH protocol-specific data integrity method used for peer communications.
ESP integrity: The ESP protocol-specific encryption method used for peer communications.
ESP confidentiality: The ESP protocol-specific encryption method used for peer communications.
Any user account can be used to complete this procedure.
To add, remove, or reorder a column
1. Right-click in a blank area in the Results pane for the Quick Mode folder, select View, and then click Add/Remove Columns.
2. In the Add/Remove Columns dialog box, from the Available columns list, select the column you want to view, and then click Add. You can select only one column name at a time.
3. You can also select columns that you do not want to view. From the Displayed columns list, click Remove. You can select only one column name at a time.
4. To reorder the columns, from left to right, select a column in the Displayed columns list, and then click Move Up or Move Down. You can select only one column name at a time.
5. When you are finished, click OK. The view will change to reflect your preferences.
Additional references
Dialog Boxes
This section describes the user interface options on the Windows Firewall with Advanced Security dialog boxes. Instructions for locating the dialog box are included in each topic.
Dialog Box: Add or Edit Integrity Algorithms
Dialog Box: Add or Edit Integrity and Encryption Algorithms
Dialog Box: Add or Edit IP Addresses
Dialog Box: Add Security Method
Dialog Box: Customize Advanced Authentication Methods
Dialog Box: Customize Advanced Key Exchange Settings
Dialog Box: Customize Allow If Secure Settings
Dialog Box: Customize Data Protection Settings
Dialog Box: Customize ICMP Settings
Dialog Box: Customize Interface Types
Dialog Box: Customize IPsec Settings
Dialog Box: Customize IPsec Tunnel Authorization
Dialog Box: Customize IPsec Tunneling Settings
Dialog Box: Customize Logging Settings for a Firewall Profile
Dialog Box: Customize Protected Network Connections for a Firewall Profile
Dialog Box: Customize Service Settings
Dialog Box: Customize Settings for a Firewall Profile
Dialog Box: Add or Edit First Authentication Method
Dialog Box: Add or Edit Second Authentication Method
4. Under Data protection (Quick Mode), select Advanced, and then click Customize.
5. Under Data integrity, select an algorithm combination from the list, and click Edit or Add.
Protocol
The following protocols are used to embed the integrity information into an IP packet.
ESP (recommended)
ESP provides authentication, integrity, and anti-replay protection for the IP payload. ESP used in transport mode does not sign the entire packet. Only the IP payload, not the IP header, is protected. ESP can be used alone or in combination with AH. With ESP, the hash calculation includes the ESP header, trailer, and payload only. ESP can optionally provide data confidentiality services by encrypting the ESP payload with one of several supported encryption algorithms. Packet replay services are provided through the inclusion of a sequence number for each packet.
AH
AH provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data. The data is readable, but protected from modification. Some fields that are allowed to change in transit are excluded from the hash calculation. Packet replay services are provided through the inclusion of a sequence number for each packet.

Important: The AH protocol is not compatible with network address translation (NAT) because NAT devices change information in some of the packet headers that are included in the integrity hash. To allow IPsec-based traffic to pass through a NAT device, you must use ESP and ensure that NAT Traversal (NAT-T) is enabled on the IPsec peer computers.
Null encapsulation
Null encapsulation specifies that you do not want to use any integrity or encryption protection on your network traffic. Authentication is still performed as required by the connection security rules, but no other protection is provided to the network packets that are exchanged through this security association.

Security Note: Because this option provides no integrity or confidentiality protection of any kind, we recommend that you use it only if you must support software or network devices that are not compatible with ESP or AH.
Algorithms
The following integrity algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running other versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version.
For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).
AES-GMAC 256
AES-GMAC 192
AES-GMAC 128
SHA-1
MD5

Caution: MD5 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is provided for backward compatibility only.
Key lifetimes
Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified amount of data has been transmitted. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised.

Note: This key regeneration is for quick mode data integrity only. These settings do not affect the key lifetime settings for main mode key exchange.
Minutes
Use this setting to configure how long the key used in the quick mode security association lasts, in minutes. After this interval, a new key will be generated. Subsequent communications will use the new key. The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 5 minutes. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
KB
Use this setting to configure how many kilobytes (KB) of data are sent using the key. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,147,483,647 KB. The minimum lifetime is 20,480 KB. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
See Also
Protocol
The following protocols are used to embed the integrity and encryption information into an IP packet.
ESP (recommended)
Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload. ESP in transport mode does not sign the entire packet. Only the IP data payload, not the IP header, is protected. ESP can be used alone or in combination with Authentication Header (AH). With ESP, the hash calculation includes the ESP header, trailer, and payload only. ESP provides data confidentiality services by encrypting the ESP payload with one of the supported encryption algorithms. Packet replay services are provided through the inclusion of a sequence number for each packet.
ESP and AH
This option combines the security of the ESP protocol with the AH protocol. AH provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet).

Important: The AH protocol is not compatible with network address translation (NAT) because NAT devices need to change information in the packet headers. To allow IPsec-based traffic to pass through a NAT device, you must ensure that NAT Traversal (NAT-T) is supported on your IPsec peer computers.
Algorithms
Encryption algorithm
The following encryption algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running earlier versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version. For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).
AES-GCM 256
AES-GCM 192
AES-GCM 128
AES-CBC 256
AES-CBC 192
AES-CBC 128
3DES
DES

Security Note: We recommend that you do not use DES. It is provided for backward compatibility only.

Note: If you specify an AES-GCM algorithm for encryption, then you must specify the same algorithm for integrity.
Integrity algorithm
The following integrity algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running other versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version. For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).
AES-GCM 256
AES-GCM 192
AES-GCM 128
AES-GMAC 256
AES-GMAC 192
AES-GMAC 128
SHA-1
MD5

Security Note: We recommend that you do not use MD5. It is provided for backward compatibility only.

Note: If you specify an AES-GCM algorithm for integrity, then you must specify the same algorithm for encryption.
Key lifetimes
Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified amount of data has been transmitted. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised.
Note: This key regeneration is for quick mode data integrity and encryption and does not affect the key lifetime settings for main mode key exchange.
Minutes
Use this setting to configure how long the key used in the quick mode security association lasts, in minutes. After this interval, the key will be regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 5 minutes. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
KB
Use this setting to configure how many kilobytes (KB) of data are sent using the key. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,147,483,647 KB. The minimum lifetime is 20,480 KB. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
See Also
When creating a firewall rule by using the New Firewall Rule wizard, on the Scope page, select These IP addresses, and then click Add.
When modifying an existing firewall rule, on the Scope tab, select These IP addresses, and then click Add.
When creating a connection security rule by using the Connection Security Rule wizard, on the Endpoints page, select These IP addresses, and then click Add.
When modifying an existing connection security rule, on the Computers tab, select These IP addresses, and then click Add.
The number following the forward slash (/) represents the number of bits in the subnet mask. 32 bits are possible. In this example, 24 means that the first three octets are the subnet address and the last octet is the host ID within the subnet. The bits representing the host ID must be 0. The example corresponds to a subnet mask of 255.255.255.0. For an IPv6 address, use the same syntax. The number after the forward slash represents the number of bits in the subnet mask. 128 bits are possible. The bits representing the host ID must be 0. For example:
2001:8e6c:6456:1c99::/64
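As an added example that is not part of the original help topic, the following Python function applies the same rules the dialog box enforces to an address/prefix entry: the number after the slash may not exceed 32 bits (IPv4) or 128 bits (IPv6), and the bits that represent the host ID must be 0. The IPv4 entries and the over-long IPv6 prefix are constructed samples; the IPv6 /64 is the one shown above.

```python
import ipaddress

# Constructed sample entries (not from the original page), plus the IPv6 example
# shown above: a valid IPv4 /24, an IPv4 entry whose host bits are not 0, a valid
# IPv6 /64, and a prefix longer than the 128 bits an IPv6 address has.
SAMPLE_ENTRIES = [
    "192.0.2.0/24",
    "192.0.2.17/24",
    "2001:8e6c:6456:1c99::/64",
    "2001:db8::/129",
]


def check_subnet_entry(entry):
    """Validate one 'address/prefix-length' entry as the dialog box requires.

    Returns a dict with the normalized network, its subnet mask and IP version,
    or raises ValueError naming the rule the entry breaks:
      * the number after the slash may not exceed 32 (IPv4) or 128 (IPv6) bits;
      * the bits that represent the host ID must all be 0.
    """
    if "/" not in entry:
        raise ValueError(f"{entry!r}: expected address/prefix-length")
    address_text, prefix_text = entry.split("/", 1)
    address = ipaddress.ip_address(address_text)   # rejects malformed addresses
    prefix = int(prefix_text)
    if not 0 <= prefix <= address.max_prefixlen:
        raise ValueError(
            f"{entry!r}: prefix {prefix} exceeds the {address.max_prefixlen} bits "
            f"of an IPv{address.version} address"
        )
    # strict=True makes ip_network reject an address with host bits set, which is
    # exactly the dialog's "bits representing the host ID must be 0" rule.
    try:
        network = ipaddress.ip_network(entry, strict=True)
    except ValueError:
        canonical = ipaddress.ip_network(entry, strict=False)
        raise ValueError(
            f"{entry!r}: host ID bits are not 0; did you mean {canonical}?"
        ) from None
    return {
        "network": str(network),
        "mask": str(network.netmask),
        "version": network.version,
    }


def check_entries(entries):
    """Map each entry to its parsed result or to the error text the dialog would show."""
    results = {}
    for entry in entries:
        try:
            results[entry] = check_subnet_entry(entry)
        except ValueError as err:
            results[entry] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for entry, result in check_entries(SAMPLE_ENTRIES).items():
        print(f"{entry:28} -> {result}")
```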
Default gateway. Uses the IP address currently set as the default gateway of the local computer.
WINS servers. Uses the IP addresses for the computers currently configured to provide WINS services to the local computer.
DHCP servers. Uses the IP addresses for the computers currently configured to provide DHCP services to the local computer.
DNS servers. Uses the IP addresses for the computers currently configured to provide DNS services to the local computer.
Local subnet. Uses the IP address and subnet mask of the local computer to dynamically determine addresses that are part of the computer's local subnet.
See Also
Integrity algorithm
Select one of the following integrity algorithms from the list.
SHA-384
SHA-256
SHA-1
MD5

Caution: MD5 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.
Encryption algorithm
Select one of the following encryption algorithms from the list.
DES

Caution: DES is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.
Elliptic Curve Diffie-Hellman P-384
Elliptic Curve Diffie-Hellman P-256
Diffie-Hellman Group 14
Diffie-Hellman Group 2
Diffie-Hellman Group 1

Caution: DH1 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.
For more information about any of these algorithms, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).
See Also
To get to this dialog box to configure the default settings for the computer, perform the following steps. These settings apply to any connection security rule in which Default is selected as the authentication method.
1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Authentication method, select Advanced, and then click Customize.
To get to this dialog box when creating a new connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.
1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, right-click Connection Security Rules, and then click New Rule.
2. Select any rule type except Authentication exemption.
3. Click Next through the wizard until you reach the Authentication Method page.
4. Select Advanced, and then click Customize.
To get to this dialog box to configure the settings for an existing connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.
1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, click Connection Security Rules.
2. Double-click the rule that you want to modify.
3. Click the Authentication tab.
4. Under Method, select Advanced, and then click Customize.
First authentication
The first authentication method is performed during the main mode phase of Internet Protocol security (IPsec) negotiations. In this authentication, you can specify the way in which the peer computer is authenticated. You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify; the first successful method is used.
To add a method to the list, click Add. To modify a method already in the list, select the method, and then click Edit. To remove a method from the list, select the method, and then click Remove. To reorder the list, select a method, and then click the up and down arrows.
For more information about the available first authentication methods, see Dialog Box: Add or Edit First Authentication Method.
Second authentication
With second authentication, you can specify the way in which the user logged on to the peer computer is authenticated. You can also specify a computer health certificate from a specified certification authority (CA). The methods are attempted in the order you specify; the first successful method is used. You can specify multiple methods to use for this authentication.
To add a method to the list, click Add. To modify a method already in the list, select the method, and then click Edit. To remove a method from the list, select the method, and then click Remove. To reorder the list, select a method and then click the up and down arrows. You must use either all user-based authentication methods or all computer-based authentication methods. No matter where it appears in the list, you cannot use the second authentication method if you are using a preshared key for the first authentication method.
Notes
For more information about the available second authentication methods, see Dialog Box: Add or Edit Second Authentication Method.
optional, but preferred, when both peers support it. For example, if you want to require computer-based Kerberos version 5 authentication and you would like to use user-based Kerberos version 5 authentication when possible, you can select Computer (Kerberos V5) as the first authentication, and then select User (Kerberos V5) as the second authentication with Second authentication is optional selected.

Caution: Do not configure both the first authentication and second authentication to be optional. This is equivalent to turning authentication off.

Important: In a tunnel mode rule, if you select Second authentication is optional, then the resulting IPsec policy is implemented as IKE only and does not use Authenticated Internet Protocol (AuthIP). Any authentication methods specified in Second authentication are ignored. In a transport mode rule, the second authentication methods are still used, as expected.
See Also
Security methods
Security methods are combinations of integrity algorithms and encryption algorithms that protect the key exchange. You can have as many combinations as you need and you can arrange them in preferred order in the list. The combinations are attempted in the order in which they are displayed. The first set to be agreed upon by both peer computers is used. If the peer computer cannot use any of the combinations you define, the connection attempt fails. Some algorithms are supported only by computers running this version of Windows. For more information, see IPsec Algorithms and Protocols Supported by Windows (http://go.microsoft.com/fwlink/?LinkID=129230). To add a combination to the list, click Add to use the Add or Edit Security Method dialog box. To reorder the list, select a combination, and then click the up or down arrows.

Note: As a best practice, order the combinations from highest security at the top of the list to lowest security at the bottom. This ensures that the most secure method that both peers can support is used.
Key lifetimes
Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified number of sessions have been protected by using the current key. Using multiple keys ensures that if an attacker manages to gain access to one key, only a small amount of information is exposed before a new key is generated and the network traffic is protected once again. You can specify the lifetime in both minutes and number of sessions. The first threshold reached is used and the key is regenerated.

Note: This key regeneration is for main mode key exchange only. These settings do not affect the key lifetime settings for quick mode data protection.
Minutes
Use this setting to configure how long the key used in main mode security association lasts, in minutes. After this interval, a new key is generated. Subsequent main mode sessions use the new key. The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 1 minute. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
Sessions
A session is a distinct message or set of messages protected by a quick mode SA. This setting specifies how many quick mode key generating sessions can be protected using the same main mode key information. After this threshold is reached, the counter is reset, and a new key is generated. Subsequent communications will use the new key. The maximum value is 2,147,483,647 sessions. The minimum value is 0 sessions. A session limit of zero (0) causes the generation of a new key to be determined only by the Key lifetime (in minutes) setting. Use caution when setting very different key lifetimes for main mode and quick mode keys. For example, setting a main mode key lifetime of 8 hours and a quick mode key lifetime of 2 hours might leave a quick mode SA in place for almost 2 hours after the main mode SA has expired. This occurs when the quick mode SA is generated shortly before main mode SA expiration.

Important: The higher the number of sessions allowed per main mode key, the greater the chance of the main mode key being discovered. If you want to limit the number of times this reuse occurs, you can specify a quick mode key limit.

Security Note: To configure main mode perfect forward secrecy (PFS), set Key lifetime in sessions to 1. Although this configuration provides significant additional protection, it also carries a significant computational and network performance penalty. Every new quick mode session regenerates the main mode keying material, which in turn causes the two computers to reauthenticate. We recommend that you enable PFS only in environments where IPsec traffic might be exposed to sophisticated attackers who might try to compromise the strong cryptographic protection provided by IPsec.
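The two main mode thresholds above, as an added Python example that is not part of the original help topic: it replays a constructed list of quick mode session start times against a main mode key lifetime given in minutes and in sessions, regenerating the key at whichever threshold is reached first (0 sessions means time only, 1 session means PFS), and it computes how long a quick mode SA created just before main mode expiry outlives it, using the 8 hour / 2 hour figures from the text. The session times and function names are assumptions.

```python
MAX_MINUTES = 2879            # 48 hours, the dialog's maximum lifetime in minutes
MAX_SESSIONS = 2147483647     # the dialog's maximum lifetime in sessions


def main_mode_rekey_times(session_times, lifetime_minutes, session_limit):
    """Return the minutes at which the main mode key is regenerated.

    session_times:    ascending minutes at which quick mode key-generating sessions start
    lifetime_minutes: Key lifetime (in minutes), 1..2879
    session_limit:    Key lifetime (in sessions); 0 = decide by time only, 1 = PFS
    The first threshold reached wins, and both counters reset on every regeneration.
    """
    if not 1 <= lifetime_minutes <= MAX_MINUTES:
        raise ValueError("minutes must be 1..2879")
    if not 0 <= session_limit <= MAX_SESSIONS:
        raise ValueError("sessions must be 0..2147483647")
    rekeys = []
    key_start = 0
    sessions_on_key = 0
    for t in session_times:
        # Time threshold: a key that aged past its lifetime was already replaced,
        # possibly more than once if sessions were sparse.
        while t - key_start >= lifetime_minutes:
            key_start += lifetime_minutes
            rekeys.append(key_start)
            sessions_on_key = 0
        sessions_on_key += 1
        # Session threshold (ignored when 0): rekey once this key has protected
        # the allowed number of quick mode sessions.
        if session_limit and sessions_on_key >= session_limit:
            rekeys.append(t)
            key_start = t
            sessions_on_key = 0
    return rekeys


def quick_mode_overhang(main_lifetime_minutes, quick_lifetime_minutes, quick_sa_start):
    """Minutes a quick mode SA stays valid after the main mode SA that created it expires."""
    if quick_sa_start >= main_lifetime_minutes:
        raise ValueError("a quick mode SA must be negotiated while the main mode SA is live")
    return max(0, quick_sa_start + quick_lifetime_minutes - main_lifetime_minutes)


# Constructed sample (not from the page): a quick mode session every 10 minutes for 100 minutes.
SESSIONS = list(range(10, 101, 10))

if __name__ == "__main__":
    print("time only (0 sessions):", main_mode_rekey_times(SESSIONS, 60, 0))
    print("3 sessions per key:    ", main_mode_rekey_times(SESSIONS, 60, 3))
    print("PFS (1 session):       ", main_mode_rekey_times(SESSIONS, 60, 1))
    # The text's 8 h / 2 h example: a quick mode SA created 1 minute before main mode expiry
    print("quick mode SA outlives main mode SA by (minutes):", quick_mode_overhang(480, 120, 479))
```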
See Also
You must select one of the first three options described below. The last option, Override block rules, can be selected independently of the other options.

To get to this dialog box
When creating a firewall rule by using the New Firewall Rule wizard, on the Action page, click Allow the connection if it is secure, and then click Customize. When modifying an existing firewall rule, on the General tab, select Allow the connection if it is secure, and then click Customize.
Authentication Header (AH) integrity protocols.

Note: This setting is supported when applied to computers running Windows 7 or Windows Server 2008 R2. It does not apply to computers running earlier versions of Windows.
See Also
Note: A best practice is to list the algorithms in order of greatest security at the top to least security at the bottom. This way, the most secure algorithm in common between the two negotiating computers is used. The less secure algorithms can be used for backward compatibility.

How to get to this dialog box
1. On the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Data protection (Quick Mode), select Advanced, and then click Customize.
Require encryption for all connection security rules that use these settings
Select this check box to require all connection security rules to require encryption. If you select this check box, the Data integrity section is disabled, and you can only specify algorithm combinations in the Data integrity and encryption section.
Data integrity
This list shows the currently configured data integrity algorithms. When negotiating the details of the quick mode SA with another computer, the algorithms are proposed in the order shown. Use the up and down arrows to arrange the algorithms into the preferred order. You should place the algorithms with stronger protection at the top of the list, and those with weaker protection at the bottom of the list. Include weaker algorithms only if required to support computers that cannot use the stronger algorithms. If you select Require encryption for all connection security rules that use these settings, then this section is disabled.
To add an algorithm to the list, click Add. To modify an algorithm that is already in the list, select the algorithm, and then click Edit. To remove an algorithm from the list, select the algorithm, and then click Remove.
Additional references
User Interface: Windows Firewall with Advanced Security Dialog Box: Add or Edit Integrity Algorithms
When creating a new firewall rule using the wizard, follow these steps:
1. On the Rule Type page, select Custom.
2. On the Protocol and Ports page, in Protocol type, select either ICMPv4 or ICMPv6.
3. Click Customize.
When modifying an existing firewall rule using the Firewall Rule Properties dialog box, follow these steps:
1. Click the Protocols and Ports tab.
Type
This is a number that correlates to an ICMP message type. For example, 3 is the number for the "Destination Unreachable" message. The message type is an integer from 0 to 255.
Code
This is a number that correlates to a code for an ICMP message type. These codes are details that are useful for troubleshooting and understanding the circumstances that prompted the sending of the message. The same code number can mean different things for different message types. For example, 3 is the code for "Port Unreachable" for the "Destination Unreachable" message, but it is also the code for "Redirect Datagram for the Type of Service and Host" for the "Redirect" message type. The code can be an integer from 0 to 255, or the value Any. By combining the message type and code, you can specify very detailed criteria for the exception. This can be useful when you need to make sure specified ICMP messages pass through Windows Firewall with Advanced Security for remote troubleshooting, while other ICMP messages are blocked.
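As an added example that is not part of the original help topic, the following Python code decodes the type and code from an ICMP header and evaluates them against a constructed allow list of type/code pairs (a hypothetical rule set, not a Windows API), including the Any code; it shows that code 3 is matched under type 3 but not under type 5, so a Destination Unreachable exception does not let Redirect messages through. The sample packets and checksums are constructed.

```python
import struct

ANY = "Any"   # the Code box value that matches every code of the selected type

# Constructed allow list (hypothetical, not from the original page): the messages
# a remote-troubleshooting exception typically needs. Each entry is (type, code).
ALLOWED_ICMPV4 = [
    (3, ANY),   # Destination Unreachable, every code
    (0, 0),     # Echo Reply
    (11, 0),    # Time Exceeded, TTL expired in transit
]

# The two meanings of code 3 that the text uses as its example.
ICMPV4_NAMES = {
    (3, 3): "Destination Unreachable: Port Unreachable",
    (5, 3): "Redirect: Redirect Datagram for the Type of Service and Host",
}


def validate_rule(rule):
    """Reject a (type, code) entry outside the ranges the dialog box accepts."""
    icmp_type, icmp_code = rule
    if not 0 <= icmp_type <= 255:
        raise ValueError(f"type {icmp_type} is not in 0..255")
    if icmp_code != ANY and not 0 <= icmp_code <= 255:
        raise ValueError(f"code {icmp_code} is not in 0..255 or Any")
    return rule


def parse_icmp_header(packet):
    """Return (type, code) from the first two bytes of an ICMP message."""
    if len(packet) < 4:
        raise ValueError("an ICMP header is at least 4 bytes")
    return struct.unpack("!BB", packet[:2])


def rule_matches(rule, icmp_type, icmp_code):
    """True when the packet's type equals the rule's type and the code matches or the rule says Any."""
    rule_type, rule_code = validate_rule(rule)
    return rule_type == icmp_type and rule_code in (ANY, icmp_code)


def icmp_decision(packet, allow_rules=ALLOWED_ICMPV4):
    """Return ('allow', rule) for the first matching rule, else ('block', None),
    mirroring the default of blocking unsolicited inbound traffic."""
    icmp_type, icmp_code = parse_icmp_header(packet)
    for rule in allow_rules:
        if rule_matches(rule, icmp_type, icmp_code):
            return "allow", rule
    return "block", None


def describe(icmp_type, icmp_code):
    """Human-readable name for the pairs the text discusses, else a generic label."""
    return ICMPV4_NAMES.get((icmp_type, icmp_code), f"type {icmp_type} code {icmp_code}")


# Constructed ICMPv4 headers (type, code, checksum, rest of header); the checksum
# bytes are placeholders because only type and code matter for the rule match.
PORT_UNREACHABLE = bytes([3, 3, 0, 0, 0, 0, 0, 0])
REDIRECT_TOS_HOST = bytes([5, 3, 0, 0, 0, 0, 0, 0])
ECHO_REQUEST = bytes([8, 0, 0, 0, 0, 0, 0, 0])

if __name__ == "__main__":
    for pkt in (PORT_UNREACHABLE, REDIRECT_TOS_HOST, ECHO_REQUEST):
        t, c = parse_icmp_header(pkt)
        print(f"{describe(t, c):62} -> {icmp_decision(pkt)[0]}")
```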
See Also
Use this dialog box to specify to which interface types the rule is applied. You can specify the local area network (that is, wired network adapters), wireless network adapters, remote access connections, or all network connection types.

To get to this dialog box
1. In the Windows Firewall with Advanced Security MMC snap-in, double-click the firewall rule you want to modify, and then click the Advanced tab.
2. Under Interface types, click Customize.
Remote access
The rule applies only to communications sent through remote access, such as a virtual private network (VPN) connection or dial-up connection that you have configured on the computer.
Wireless
The rule applies only to communications sent through wireless network adapters that you have configured on the computer.
See Also
authentication settings used whenever a connection security rule uses the Default settings.

Important: If you are configuring Windows Firewall with Advanced Security on the local computer and you select Default for any of the settings, any Group Policy objects (GPOs) that apply to this computer can specify the settings. If you are configuring a GPO and you select Default for any of the settings, any GPOs of higher precedence that apply to this computer can specify the settings.

To get to this dialog box
1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
Default
Select this option to use the key exchange settings that are installed by default or configured as defaults through Group Policy. This setting is used for all key exchanges. For more information, see Default Settings for Windows Firewall with Advanced Security.
Advanced
Select this option to specify the key exchange settings that are applied to all key exchanges. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Advanced Key Exchange Settings dialog box to select the settings to use.
context. For more information, see Netsh Commands for Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=111237).
Default
Select this option to use the data integrity and encryption settings that are installed by default or configured as defaults through Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.
Advanced
Use this option to specify data integrity and encryption settings that are available for negotiating the quick mode SA. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Data Protection Settings dialog box to select the data protection settings to use.
Authentication method
Authentication method settings you select here apply only to connection security rules that have Default selected as the authentication method.
Default
Select this option to use the authentication settings that are installed by default or configured as defaults by using Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.
Advanced
You can use this option to create a method that is specific to your needs. If you select this option, you must click Customize to use the Customize Advanced Authentication Methods dialog box to specify the authentication methods to use.
See Also
Computers tab
Use this tab to identify computers or computer groups that are authorized to create tunnel mode connections to the local computer.
Authorized computers
Only allow connections from these computers
Select this option to specify which computers can create a tunnel mode connection to the local computer. If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Active Directory Object Picker dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
Exceptions
Use this section to identify computer or group accounts that are denied permissions to create tunnel mode connections to the local computer. If a computer attempting a connection is listed in both the Authorized computers and Exceptions boxes, either directly or as a member of a group, the exception takes priority and the connection is blocked.
Deny connections from these computers
Select this option to specify which computers are prohibited from creating a tunnel mode connection to this computer. If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Active Directory Object Picker dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
Users tab
Use this tab to identify users or user groups that are authorized to create tunnel mode connections to the local computer.
Authorized users
Only allow connections from these users
Select this option to specify which users can create a tunnel mode connection to this computer. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Active Directory Object Picker dialog box. To remove a user or group from the list, select the user or group, and then click Remove.
Exceptions
Use this section to identify user or group accounts that are denied permissions to create tunnel mode connections to the local computer. If a user attempting a connection is listed in both the Authorized users and Exceptions boxes, either directly or as a member of a group, the exception takes priority and the connection is blocked.
Deny connections from these computers
Select this option to specify which users are prohibited from creating a tunnel mode connection to this computer. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Active Directory Object Picker dialog box. To remove a user or group from the list, select the user or group, and then click Remove.
See Also
Apply authorization
Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps:

To specify users and computers authorized to send network traffic through the tunnel
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.
2. In Overview, click Windows Firewall Properties.
3. Select the IPsec Settings tab.
4. In IPsec tunnel authorization, click Advanced, and then click Customize.
5. Add users and computers to the lists according to your design. For more information, see Dialog Box: Customize IPsec Tunnel Authorization.
Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule. Select the option to specify that network traffic that matches another IPsec connection security rule does not go through the IPsec tunnel.
To get to this dialog box
1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.
2. Select the tab that corresponds to the firewall profile for which you want to configure logging.
3. In Logging, click Customize.
Name
Enter the path and name of the file in which you want Windows Firewall to write its log information. If you are configuring a Group Policy object (GPO) for deployment to multiple computers, use the available environment variables, such as %windir%, to ensure that the location is correct for each computer on your network. Specifying a file location by itself does not start logging. You must also select one of the two check boxes to log dropped packets or successful connections.
Important
If you are configuring the setting for a computer that is running Windows Vista or a later version of Windows, and you specify a location other than the default, you must ensure that the Windows Firewall service has permissions to write to that location.
To grant write permissions for the log folder to the Windows Firewall service
1. Locate the folder that you specified for the logging file, right-click it, and then click Properties.
2. Click the Security tab, and then click Edit.
3. Click Add, in Enter object names to select, type NT SERVICE\mpssvc, and then click OK.
4. In the Permissions dialog box, verify that MpsSvc has Write access, and then click OK.
Size limit
Specify the maximum size to which the file is permitted to grow. The value must be between 1 and 32,767 kilobytes (KB). When the specified size limit is reached, Windows Firewall with Advanced Security closes the log file and renames it by adding ".old" to the end of the file name. It then creates and uses a new log file that has the original log file name. Only two files are kept at a time. If the second file reaches the maximum size, then it is renamed by adding .old, and the original .old file is discarded.
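The logging settings above, scripted end to end, as an added example that is not part of the help file: it creates a custom log folder, grants the Windows Firewall service (NT SERVICE\mpssvc) the access it needs, sets the file name and size limit for every profile, and verifies both. It assumes the NetSecurity PowerShell cmdlets (Windows 8 / Windows Server 2012 or later), an elevated prompt, and the folder path C:\FirewallLogs, which is a constructed placeholder.

```powershell
# Added example, not from the help file. Assumes Windows 8 / Server 2012+ and an
# elevated PowerShell session. C:\FirewallLogs is a constructed placeholder path.

$LogDir  = 'C:\FirewallLogs'
$LogFile = Join-Path $LogDir 'pfirewall.log'
$MaxKB   = 16384   # the dialog accepts 1..32767 KB; two files are kept (current and .old)

if ($MaxKB -lt 1 -or $MaxKB -gt 32767) {
    throw "Size limit must be between 1 and 32767 KB"
}

# 1. Create the folder and grant the service SID Modify (M). Modify includes the
#    delete right the service needs when it renames a full log to pfirewall.log.old.
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
icacls $LogDir /grant "NT SERVICE\mpssvc:(OI)(CI)M" | Out-Null

# 2. Point all three profiles at the file and cap its size. A path alone does not
#    start logging, so also turn on dropped packets and successful connections.
#    For a GPO, add -PolicyStore '<domain>\<GPO name>' and use a literal
#    '%SystemRoot%\...' path so it resolves correctly on every target computer.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName $LogFile -LogMaxSizeKilobytes $MaxKB `
    -LogBlocked True -LogAllowed True

# 3. Verify the per-profile settings and the ACL actually granted.
Get-NetFirewallProfile |
    Select-Object Name, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed

(Get-Acl $LogDir).Access |
    Where-Object { $_.IdentityReference -like 'NT SERVICE\mpssvc' } |
    Select-Object IdentityReference, FileSystemRights, InheritanceFlags
```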
Event log
The Windows Firewall with Advanced Security operational event log is another resource you can use to view Windows Firewall policy changes. The operational log is always on and contains events for both firewall rules and connection security rules.
To view the Windows Firewall with Advanced Security event log
1. Open Event Viewer. Click Start, click Administrative Tools, and then click Event Viewer.
2. In the navigation pane, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.
3. Click either ConnectionSecurity, ConnectionSecurityVerbose, Firewall, or FirewallVerbose. The logs marked verbose are not enabled by default. To enable them, in Actions, click Enable Log.
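The same operational log queried from PowerShell, as an added example that is not part of the help file: it pulls the last day of rule add/modify/delete events from the Firewall channel, enables the two verbose channels that are off by default, and reports the state of all four. It assumes Get-WinEvent (Windows 7 / Windows Server 2008 R2 or later) and an elevated session; the event IDs 2004, 2005 and 2006 are the rule added/modified/deleted events as I know them and are not listed on this page.

```powershell
# Added example, not from the help file. Assumes Windows 7 / Server 2008 R2+ and
# an elevated session. The channel names below are the four logs the dialog lists.
$Base = 'Microsoft-Windows-Windows Firewall With Advanced Security'

# Policy-change events from the always-on Firewall channel. IDs 2004/2005/2006
# (rule added / modified / deleted) are my assumption, not from this page.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = "$Base/Firewall"
        Id        = 2004, 2005, 2006
        StartTime = $Since
    } |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Enable the two verbose channels (same effect as Actions > Enable Log).
foreach ($Channel in "$Base/FirewallVerbose", "$Base/ConnectionSecurityVerbose") {
    $log = Get-WinEvent -ListLog $Channel
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }
}

# Confirm which of the four channels are enabled and how many records each holds.
foreach ($Name in 'Firewall', 'FirewallVerbose', 'ConnectionSecurity', 'ConnectionSecurityVerbose') {
    Get-WinEvent -ListLog "$Base/$Name" | Select-Object LogName, IsEnabled, RecordCount
}
```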
The list contains the network connections that are currently configured on the computer. By default, all network connections are selected and therefore protected. You typically see one connection for each wired network adapter, each wireless network adapter, and each configured remote network connection (such as a VPN). Select the box next to the entry for each connection that you want protected by the rules that are assigned to the currently selected profile (the currently selected tab). Each entry is shown by its descriptive name. If you clear the check box, then that network connection is not subject to the rules in the current profile when that network connection is connected to a network that matches the profile. For more information about a particular network connection, use the Network and Sharing Center. To open the Network and Sharing Center, click Start, click Control Panel, click Network and Internet, and then click Network and Sharing Center. To rename a network connection, click Change adapter settings, right-click the adapter, click Rename, and then type a descriptive name for the network connection. The Network and Sharing Center also allows you to reclassify a public network to private, and vice versa. You cannot reclassify a network to or from the domain type.
When creating a firewall rule by using the New Firewall Rule wizard, follow these steps.
1. On the Rule Type page, click Custom.
2. On the Program page, next to Services, click Customize.
When modifying an existing firewall rule, on the Programs and Services tab, click Customize.
You can specify both a program and a service in the same firewall rule. Both conditions must be met for the rule to apply to the requested connection. When you select the Apply to services only option, any service running as the LocalSystem or NetworkService account has the appropriate access. When you select an option where you specify one or more services, the security identifier (SID) of each specified service is given access.
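An inbound rule scoped to both a program and a service, as an added example that is not part of the help file: the firewall matches the service by its SID, so the rule only applies to connections owned by that service when it runs from that executable. ExampleSvc, its path and TCP port 8443 are constructed placeholders; it assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later) and an elevated session.

```powershell
# Added example, not from the help file. Assumes Windows 8 / Server 2012+ and an
# elevated session. Service name, path and port are constructed placeholders.
$ServiceName = 'ExampleSvc'
$ProgramPath = 'C:\Program Files\Example\ExampleSvc.exe'
$RuleName    = "Allow $ServiceName inbound (TCP 8443)"

# The rule is keyed on the service SID, not the display name. sc.exe can derive
# the SID from the short name even before the service is installed.
sc.exe showsid $ServiceName

# Both conditions must hold: the listening process must be this executable AND
# must be running as this service. Another process started from the same binary
# (for example, a user launching it interactively) is not matched.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Profile Domain `
    -Program $ProgramPath -Service $ServiceName `
    -Protocol TCP -LocalPort 8443 -RemoteAddress LocalSubnet | Out-Null

# Verify the service and program filters that were attached to the rule.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$rule | Get-NetFirewallServiceFilter     | Select-Object Service
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallPortFilter        | Select-Object Protocol, LocalPort
```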
Select this option to have Windows Firewall with Advanced Security display a notification to the user when a program is blocked from receiving inbound connections. The notification appears when all of the following conditions are true:
This option is selected.
There is no existing block or allow rule for this program. If a block rule exists, then the program is blocked without displaying the notification to the user.
The program is blocked by the default behavior of Windows Firewall.
The user is given the option to unblock the program, as long as the user has network operator or administrator permissions. Selecting the option to unblock the program automatically creates an inbound program rule for the program that was blocked.
Rule merging
Use these options when using Group Policy to configure firewall and connection security rules on the local computer. Disabling the options prevents a local user with network operator or administrator permissions from creating firewall or connection security rules that might conflict with the rules deployed by Group Policy.
When modifying the system-wide default settings:
1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab, and then under IPsec defaults, click Customize.
3. Under Authentication Method, select Advanced, and then click Customize.
4. Under First authentication, select a method, and then click Edit or Add.
When creating a new connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select any type except Authentication exemption.
3. On the Authentication Method page, select Advanced, and then click Customize.
4. Under First authentication, select a method, and then click Edit or Add.
When modifying an existing connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.
2. Double-click the connection security rule that you want to modify.
3. Click the Authentication tab.
4. Under Method, click Advanced, and then click Customize.
5. Under First authentication, select a method, and then click Edit or Add.
Computer (NTLMv2)
NTLMv2 is an alternative way to authenticate peer computers that have computer accounts in the same domain or in separate domains that have a trust relationship.
Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.
RSA (default)
Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.
ECDSA-P256
Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.
ECDSA-P384
Select this option if the certificate is signed by using ECDSA with 384-bit key strength.
Specify the type of certificate by identifying the store in which the certificate is located.
Root CA (default)
Select this option if the certificate was issued by a root CA and is stored in the local computer's Trusted Root Certification Authorities certificate store.
Intermediate CA
Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.
You can use preshared keys for authentication. This is a shared, secret key that is previously agreed on by two users. Both parties must manually configure IPsec to use this preshared key. During security negotiation, information is encrypted by using the shared key before transmission and decrypted by using the same key on the receiving end. If the receiver can decrypt the information, identities are considered to be authenticated.
Caution
Preshared key methodology is provided for interoperability purposes and to adhere to IPsec standards. You should use the preshared key for testing purposes only. Regular use of preshared key authentication is not recommended because the authentication key is stored in an unprotected state in the IPsec policy. If a preshared key is used for the main mode authentication, second authentication cannot be used.
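The two choices side by side, as an added example that is not part of the help file: a connection security rule whose main mode authentication is a preshared key, with the read-back that shows why the key counts as unprotected, followed by the recommended form using computer Kerberos V5 plus a second (user Kerberos V5) authentication, which a preshared key rule cannot carry. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 or later), a domain-joined computer, an elevated session, and constructed rule and key names.

```powershell
# Added example, not from the help file. Assumes Windows 8 / Server 2012+, domain
# membership and an elevated session. All names and the key are constructed.

# --- Test-only: preshared key as the main mode (first) authentication.
$pskProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey 'TestOnly-ChangeMe'
$pskAuthSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Phase1 PSK (test only)' `
                   -Proposal $pskProposal
New-NetIPsecRule -DisplayName 'Example PSK rule' -Phase1AuthSet $pskAuthSet.Name `
    -InboundSecurity Require -OutboundSecurity Request | Out-Null

# The key is stored in the policy as entered: anyone who can read the IPsec
# policy can read it back, which is the "unprotected state" the caution refers to.
Get-NetIPsecAuthProposal -AssociatedNetIPsecPhase1AuthSet $pskAuthSet |
    Select-Object AuthenticationMethod, PreSharedKey

# --- Recommended: computer Kerberos V5 first, user Kerberos V5 second. No secret
# lives in the policy, and a second authentication is possible (PSK forbids it).
$kerbMachine = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1      = New-NetIPsecPhase1AuthSet -DisplayName 'Phase1 Computer Kerberos' `
                   -Proposal $kerbMachine
$kerbUser    = New-NetIPsecAuthProposal -User -Kerberos
$phase2      = New-NetIPsecPhase2AuthSet -DisplayName 'Phase2 User Kerberos' `
                   -Proposal $kerbUser
New-NetIPsecRule -DisplayName 'Example Kerberos rule' `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -InboundSecurity Require -OutboundSecurity Request | Out-Null

# Remove the test-only PSK rule and its authentication set once you have seen it.
Remove-NetIPsecRule -DisplayName 'Example PSK rule'
Remove-NetIPsecPhase1AuthSet -DisplayName 'Phase1 PSK (test only)'
```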
When modifying the system-wide default settings:
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab, and then under IPsec defaults, click Customize.
3. Under Authentication Method, select Advanced, and then click Customize.
4. Under Second authentication, select a method, and then click Edit or Add.
When creating a new connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select any type except Authentication exemption.
3. On the Authentication Method page, select Advanced, and then click Customize.
4. Under Second authentication, select a method, and then click Edit or Add.
When modifying an existing connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Connection Security Rules.
2. Double-click the connection security rule that you want to modify.
3. Click the Authentication tab.
4. Under Method, click Advanced, and then click Customize.
5. Under Second authentication, select a method, and then click Edit or Add.
User (KerberosV5)
You can use this method to authenticate a user logged on to a remote computer that is part of the same domain or in separate domains that have a trust relationship. The logged-on user must have a domain account and the computer must be joined to a domain in the same forest.
User (NTLMv2)
NTLMv2 is an alternative way to authenticate a user logged on to a remote computer that is part of the same domain or in a domain that has a trust relationship to the domain of the local computer. The user account and the computer must be joined to domains that are part of the same forest.
User certificate
Use a public key certificate in situations that include external business partner communications or computers that do not run the Kerberos version 5 authentication protocol. This requires that at least one trusted root certification authority (CA) is configured on or accessible through your network and that client computers have an associated computer certificate. This method is useful when the users are not in the same domain or are in separate domains without a two-way trust relationship, and Kerberos version 5 cannot be used.
Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.
RSA (default)
Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.
ECDSA-P256
Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.
ECDSA-P384
Select this option if the certificate is signed by using ECDSA with 384-bit key strength.
If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.
Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.
RSA (default)
Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.
ECDSA-P256
Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.
ECDSA-P384
Select this option if the certificate is signed by using ECDSA with 384-bit key strength.
by the IPsec peer corresponds to an active computer or user account in the domain, and that the certificate is one that should be used by that account. Certificate-to-account mapping can only be used for accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to accounts that are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted account is being allowed IPsec access.
Certificate-to-account mapping is especially useful if the certificates come from a PKI that is not integrated with your AD DS deployment, such as when business partners obtain their certificates from non-Microsoft certificate providers. You can configure the IPsec policy authentication method to map certificates to a domain account for a specific root CA. You can also map all certificates from an issuing CA to one computer or user account. This allows IKE certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA.
If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.