All these options require
administrative privileges. We don’t go into great detail on what the
various options mean because we assume you are working to comply with
an existing policy.
Caution
If you’re not a professional
administrator, it’s best to stay out of this area altogether. You
certainly don’t want to guess and hack your way through things just to
see what happens. Doing so could alter the Windows Firewall
configuration such that it is wrong, causing you not to be able to
connect to the Internet at all, or leaving you exposed to outside
attacks by hackers.
Open Windows Firewall With Advanced Security
To get to the advanced configuration
options for Windows Firewall, first open Windows Firewall from the
System And Security item in the Control Panel. Then click the Advanced
Settings link in the left pane. The firewall console, shown in Figure 1, opens.
As you can see in the figure, you have three independently configurable profiles to work with:
- Domain Profile: This is active when the computer is connected to the network domain it belongs to, such as in a corporate or business setting.
- Private Profile: This applies to computers within a local, private network.
- Public Profile: This protects your computer from the public Internet.
Changing firewall profile properties
Clicking the Windows Firewall
Properties link near the bottom of the console (or the Properties item
in the Actions pane) takes you to the dialog box shown in Figure 2.
Notice that you can use tabs at the top of the dialog box to configure
the Domain, Private, and Public settings. The fourth option applies to
IPsec (IP Security), commonly used with VPNs (Virtual Private
Networks), which are described a little later in this section. By
default, Inbound Connections are set to Block and Outbound Connections
are set to Allow. You can change either setting by clicking the
appropriate button.
Firewall alerts, unicast responses, local administrator control
Each profile tab has a Customize button
in its Settings section. Clicking that button provides an option to
turn off firewall notifications for that profile. Administrators can
also use options on that tab to allow or prevent unicast responses to
multicast and broadcast traffic. There’s also an option to merge local
administrator rules with rules defined through group policy.
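The per-profile settings described above (the default inbound and outbound actions, notifications, unicast responses and the local-rule merge option) can be reviewed and set from PowerShell as well as from the dialog box. The following is an added example, not code from the book; it assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example (not from the book): review and set the per-profile defaults
# with the NetSecurity cmdlets. Run from an elevated PowerShell session.

# Show the current settings for all three profiles before changing anything.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                  NotifyOnListen, AllowUnicastResponseToMulticast,
                  AllowLocalFirewallRules |
    Format-Table -AutoSize

# Restore the documented defaults on every profile: firewall on,
# inbound connections blocked, outbound connections allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# Public profile (the "Customize" options): keep notifications on when a
# program is blocked from listening, and do not answer multicast/broadcast
# traffic with unicast responses on networks you do not control.
Set-NetFirewallProfile -Profile Public `
    -NotifyOnListen True `
    -AllowUnicastResponseToMulticast False

# The merge option (AllowLocalFirewallRules) decides whether rules created by
# a local administrator are combined with rules delivered through Group
# Policy. It is normally managed in the GPO itself; here we only read it.
(Get-NetFirewallProfile -Profile Domain).AllowLocalFirewallRules
```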
Security logging
Each profile tab also offers a Logging
section with a Customize button. Click the Customize button to set a
name and location for the log file and a maximum size, and to choose
whether you want to log dropped packets, successful connections, or
both. You can use that log file to review firewall activity and to
troubleshoot connection problems caused by the firewall configuration.
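Turning on logging is only useful if someone reads the log. The following added example (not from the book) enables dropped-packet logging on every profile and then summarizes DROP entries by destination port; the log path is the Windows default, the sample log lines are constructed, and `Get-FirewallDrops` is a helper written for this example.

```powershell
# Added example (not from the book): configure the firewall log, then parse it.
# Assumption: the default log location used by Windows Firewall.
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName $logPath `
    -LogMaxSizeKilobytes 16384 `
    -LogBlocked True `
    -LogAllowed False

# The log is W3C extended format: a "#Fields:" header names the columns and
# each later line is one packet. This helper returns only DROP records.
function Get-FirewallDrops {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($null -eq $fields -or $line.StartsWith('#') -or
            [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $record[$fields[$i]] = $values[$i]
        }
        if ($record['action'] -eq 'DROP') { [pscustomobject]$record }
    }
}

# Constructed sample lines in the real log's layout (documentation addresses).
$sample = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path'
    '2024-01-15 09:12:01 DROP TCP 203.0.113.5 192.168.1.10 51234 3389 52 S 123456 0 8192 - - - RECEIVE'
    '2024-01-15 09:12:02 DROP TCP 203.0.113.5 192.168.1.10 51235 445 52 S 123457 0 8192 - - - RECEIVE'
    '2024-01-15 09:12:03 DROP TCP 203.0.113.9 192.168.1.10 40001 3389 52 S 223457 0 8192 - - - RECEIVE'
    '2024-01-15 09:12:04 ALLOW TCP 192.168.1.10 192.168.1.1 49152 443 0 - 0 0 0 - - - SEND'
)

# Which destination ports are being probed most? (3389 twice, 445 once here.)
Get-FirewallDrops -Lines $sample |
    Group-Object -Property 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'DstPort'; e = { $_.Name } }

# Same report over the live log once it has collected data:
# Get-FirewallDrops -Lines (Get-Content $logPath) | Group-Object 'dst-port'
```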
Customizing IPsec settings
The IPsec Settings tab in the firewall
properties provides a way to configure IPsec (IP Security). Clicking
the Customize button under IPsec Defaults reveals the options shown in Figure 3.
Leaving each setting at Default means it is inherited from Group Policy (a
higher-level GPO) rather than set on this computer. To override the GPO, choose
whichever options you want to apply to the current Windows Firewall
instance. When you override the default, you can choose key exchange
and data integrity algorithms. You can also fine-tune Kerberos V5
authentication through those settings.
Why Outbound Connections Are Set to Allow
Contrary to some common marketing hype
and urban myths, having outbound connections set to Allow by default
does not make your computer more susceptible to security threats.
Firewalls are really about controlling traffic between trusted and
untrusted networks. The Internet is always considered untrusted because
it’s open to the public and anything goes. It’s necessary to block
inbound connections by default so that you can control exactly what
does, and doesn’t, come in from the Internet.
Things that are already inside your
computer (or local network) are generally considered “trusted.” That’s
because, unlike the Internet, you do have control over what’s inside
your own PC or network. Your firewall and anti-malware programs also
help to keep bad stuff out. Therefore, you shouldn’t need to block
outbound connections by default.
There are exceptions, of course. In a
secure setting in which highly sensitive data is confined to secure
workstations in a subnet, it certainly makes sense to block outgoing
connections by default. That way, you can limit outbound connections to
specific hosts, programs, security groups, and so forth. You can also
enforce encryption on outbound connections.
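The secure-subnet exception above translates into a small set of explicit rules: block outbound by default, then allow only the programs, hosts and ports that are needed, optionally requiring IPsec protection. The following is an added example, not from the book; the program path, addresses and rule names are placeholders, and it assumes the Domain profile and an elevated session.

```powershell
# Added example (not from the book): outbound default-deny for a locked-down
# workstation, with narrow allow rules. All names and addresses are placeholders.

# 1. Flip the Domain profile to block outbound connections by default.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# 2. Keep the basics working: name resolution to the site's DNS server only.
New-NetFirewallRule -DisplayName 'Outbound DNS to site resolver' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Protocol UDP -RemoteAddress 10.0.5.1 -RemotePort 53

# 3. Allow one specific program to reach one specific host and port.
New-NetFirewallRule -DisplayName 'Records client to records server' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Program 'C:\Program Files\ExampleApp\client.exe' `
    -Protocol TCP -RemoteAddress 10.0.5.20 -RemotePort 8443

# 4. Enforce encryption: file-share traffic to the server subnet is allowed
#    only when the connection is authenticated and encrypted with IPsec.
#    A matching connection security rule must exist for this to be satisfied.
New-NetFirewallRule -DisplayName 'Outbound SMB, IPsec-encrypted only' `
    -Direction Outbound -Action Allow -Profile Domain `
    -Protocol TCP -RemoteAddress 10.0.5.0/24 -RemotePort 445 `
    -Authentication Required -Encryption Required

# 5. Confirm what is now permitted to leave the machine on this profile.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

Scope such rules by security group with the -RemoteUser or -RemoteMachine parameters (SDDL strings) when membership rather than address should decide who may connect.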
Clicking OK or Cancel in the Customize IPsec
Defaults dialog box takes you back to the IPsec Settings tab. There you
can use the IPsec Exemptions section to exempt ICMP from IPsec, which
may help with connection problems caused by ICMP rules.
Note
IPsec is a set of cryptographic
protocols for securing communications across untrusted networks. It is
commonly associated with tunneling and virtual private networks (VPNs).
That covers the main firewall properties. You can
configure plenty more outside the Properties dialog box. Again, most of
these go far beyond anything the average home user needs to be
concerned with, so we’re being brief here. Advanced users needing more
information can find plenty of information in the Help section for the
firewall.
Inbound and outbound rules
In the left column of the main Windows Firewall With Advanced Security window shown back in Figure 1,
you see Inbound Rules and Outbound Rules links. These provide very
granular control over Windows Firewall rules for incoming and outgoing
connections. Figure 4 shows a small portion of the possibilities there. Use the scrollbars to see them all.
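Scrolling through the rule list in the console does not show, in one view, which ports and programs each rule actually opens. The following added example (not from the book) joins each enabled inbound Allow rule with its port, address and application filters so exposed listeners can be reviewed in a table; `Get-InboundAllowSummary` is a helper written for this example.

```powershell
# Added example (not from the book): summarize every enabled inbound Allow rule
# together with the filters that define what it lets in.
function Get-InboundAllowSummary {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow `
                        -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Each rule's port, address and program constraints live in
            # separate filter objects; fetch them per rule.
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name          = $_.DisplayName
                Profile       = $_.Profile
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
                Program       = $app.Program
            }
        }
}

# Rules reachable from anywhere on the Public profile deserve a second look:
# each one is a service exposed to the untrusted network.
Get-InboundAllowSummary |
    Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Profile -match 'Public|Any' } |
    Sort-Object Name |
    Format-Table -AutoSize

# Keep a copy for change tracking or a later comparison.
Get-InboundAllowSummary | Export-Csv -NoTypeInformation -Path "$env:TEMP\inbound-allow-rules.csv"
```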