Windows 7 multiple active firewall profiles

By Michael Pietroforte (MVP) - Tue, March 10, 2009 - 10 comments

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

[Screenshot: Windows 7 Firewall, multiple firewall profiles]

Windows Firewall was introduced with XP, but only the version that shipped with Windows Vista was powerful enough to replace third-party desktop firewalls. Actually, Vista's firewall is better than many of the personal firewalls I have ever seen. Compared to those enhancements, Windows 7 has only a tiny improvement to offer. In some environments, however, it might turn out to be very useful.

You probably know that Windows distinguishes between Public, Home, and Work networks. Whenever you connect to a new network, Windows asks what type of network it is. Each network type maps to a firewall profile, which allows you to configure different firewall rules depending on the security requirements of the user's location. In the Windows Firewall with Advanced Security snap-in you can filter the rule list by profile to display only the rules for a specific location. The mapping between locations and profiles is: Public uses the Public profile, Home and Work both use the Private profile, and the Domain profile is selected automatically when a domain-joined workstation detects a domain controller of its own domain (see William's comment below).

This works fine as long as you are connected to only one network at a time. More and more users, however, now have their own networks at home. The problem is that once such a computer connects to the corpnet, the Domain rule set becomes active for the whole machine, which breaks HomeGroup connections. Working with multiple NICs seems like the obvious solution. However, in Windows Vista only one profile can be active on the computer at a time. Windows Server 2008 machines that are connected to multiple networks suffer from the same problem: the profile with the most restrictive settings is applied to all adapters on the computer.
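The following script is an added example and not part of the original article. It uses the Windows Firewall COM interface INetFwPolicy2 (ProgID HNetCfg.FwPolicy2, present on Vista and later) to show which firewall profiles are active right now and to list the enabled rules that belong to a given profile, which is what the snap-in's profile filter does interactively. The profile bit values, direction, action and protocol codes are the documented NET_FW_* constants.

```powershell
# Added example, not from the original post: inspect active firewall profiles and
# the rules of one profile through INetFwPolicy2 (ProgID HNetCfg.FwPolicy2).

# NET_FW_PROFILE_TYPE2 bit values used by CurrentProfileTypes and INetFwRule.Profiles
$ProfileBits = @{ Domain = 1; Private = 2; Public = 4 }

function Get-ActiveFirewallProfiles {
    # CurrentProfileTypes is a bitmask. On Vista exactly one bit is set; on
    # Windows 7 several bits can be set when NICs sit on different network types.
    $fw   = New-Object -ComObject HNetCfg.FwPolicy2
    $mask = $fw.CurrentProfileTypes
    foreach ($name in 'Domain', 'Private', 'Public') {
        $bit = $ProfileBits[$name]
        if (($mask -band $bit) -ne 0) {
            New-Object PSObject -Property @{
                Profile         = $name
                FirewallEnabled = $fw.FirewallEnabled($bit)
                DefaultInbound  = if ($fw.DefaultInboundAction($bit) -eq 1) { 'Allow' } else { 'Block' }
            }
        }
    }
}

function Get-FirewallRulesForProfile {
    # Equivalent of the snap-in's "Filter by Profile": enabled rules whose Profiles
    # bitmask includes the requested profile (2147483647 means "all profiles").
    param([ValidateSet('Domain', 'Private', 'Public')][string]$Profile)
    $bit = $ProfileBits[$Profile]
    $fw  = New-Object -ComObject HNetCfg.FwPolicy2
    $fw.Rules | Where-Object { $_.Enabled -and (($_.Profiles -band $bit) -ne 0) } |
        Select-Object Name,
            @{ n = 'Direction'; e = { if ($_.Direction -eq 1) { 'In' } else { 'Out' } } },
            @{ n = 'Action';    e = { if ($_.Action -eq 1) { 'Allow' } else { 'Block' } } },
            @{ n = 'Protocol';  e = { switch ($_.Protocol) { 6 { 'TCP' } 17 { 'UDP' } 256 { 'Any' } default { $_ } } } },
            LocalPorts
}

# Usage: which profiles are enforced right now, then the Private rule set
Get-ActiveFirewallProfiles | Format-Table Profile, FirewallEnabled, DefaultInbound -AutoSize
Get-FirewallRulesForProfile -Profile Private | Sort-Object Name | Format-Table -AutoSize
```

On a Vista machine with a wired Private connection and a wireless Public connection, Get-ActiveFirewallProfiles returns only Public; on Windows 7 it returns both rows, which is the whole point of the feature described below.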

[Screenshot: Windows 7 Firewall, protected connections]

Windows 7's multiple active firewall profiles are the solution to this problem. If the computer is connected to multiple networks at the same time, Windows Firewall now enforces a different profile on each NIC: every interface gets the rule set of the profile that matches its own network, instead of all interfaces falling back to the most restrictive one. This happens automatically; the profile an interface receives is still determined by the network it is connected to. What you can configure manually is the dialog shown here, found in the Windows Firewall properties (right-click the root node of the Windows Firewall with Advanced Security snap-in, open the Domain, Private or Public Profile tab, and click Customize under Protected network connections). Unchecking a NIC there excludes it from that profile, i.e. the firewall is not enforced on that interface while it is in that profile, so you can, for example, leave the home-network NIC unprotected under the Private profile while the Domain profile still protects the corpnet NIC (see the comment by Anon below for the distinction between the two features).
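The script below is an added example, not code from the original article. It reads and changes the per-profile "Protected network connections" list from the dialog above through the ExcludedInterfaces property of INetFwPolicy2 (ProgID HNetCfg.FwPolicy2). Interfaces are identified by their connection friendly name; the name "Local Area Connection 2" used at the bottom is a placeholder for the home-network adapter. Assigning an indexed COM property has no PowerShell syntax, so the write goes through InvokeMember with SetProperty; that call, like the dialog, needs an elevated session.

```powershell
# Added example, not from the original post: view and edit the per-profile
# "Protected network connections" exclusions via INetFwPolicy2.ExcludedInterfaces.

$ProfileBits = @{ Domain = 1; Private = 2; Public = 4 }
$fw = New-Object -ComObject HNetCfg.FwPolicy2

function Get-UnprotectedInterfaces {
    # One row per profile listing the NICs on which that profile is NOT enforced
    # (the unchecked boxes in the dialog). Empty means every NIC is protected.
    foreach ($name in 'Domain', 'Private', 'Public') {
        $excluded = @($fw.ExcludedInterfaces($ProfileBits[$name]) | Where-Object { $_ })
        New-Object PSObject -Property @{
            Profile     = $name
            Unprotected = ($excluded -join ', ')
        }
    }
}

function Set-InterfaceProtection {
    # Remove a NIC from (default) or add it to (-Unprotect) a profile's exclusion list.
    # Requires an elevated PowerShell session, like the dialog itself.
    param(
        [ValidateSet('Domain', 'Private', 'Public')][string]$Profile,
        [string]$InterfaceName,
        [switch]$Unprotect
    )
    $bit     = $ProfileBits[$Profile]
    $current = @($fw.ExcludedInterfaces($bit) | Where-Object { $_ })
    if ($Unprotect) {
        $new = @(($current + $InterfaceName) | Select-Object -Unique)
    } else {
        $new = @($current | Where-Object { $_ -ne $InterfaceName })
    }
    # PowerShell cannot assign $fw.ExcludedInterfaces($bit) directly; use reflection.
    [System.__ComObject].InvokeMember('ExcludedInterfaces',
        [System.Reflection.BindingFlags]::SetProperty, $null, $fw,
        [object[]]@($bit, [string[]]$new))
}

# Usage (placeholder adapter name): keep the Private profile's firewall off the
# home-network NIC, show the result, then put the NIC back under protection.
Get-UnprotectedInterfaces | Format-Table Profile, Unprotected -AutoSize
Set-InterfaceProtection -Profile Private -InterfaceName 'Local Area Connection 2' -Unprotect
Get-UnprotectedInterfaces | Format-Table Profile, Unprotected -AutoSize
Set-InterfaceProtection -Profile Private -InterfaceName 'Local Area Connection 2'
```

Note what the exclusion does not do: it does not move the NIC into another profile. A NIC unchecked under Private and still checked under Domain and Public simply has no firewall while it is on a Private network and is protected as usual whenever NLA classifies its network as Domain or Public.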

Note that the Protected network connections setting can't be configured via Group Policy; at least the Group Policy settings of Windows Server 2008 R2 Beta don't offer a corresponding option. The likely reason is that you can't know in advance, for all external computers, which NIC is connected to the home network and which to the domain network, so you will have to configure this manually on each computer.


10 Comments

  1. [...] networks at one time and enforce the proper firewall settings on each. See the original post at: 4sysops – Windows 7 multiple active firewall profiles Tags: Firewall Categories: WebLinks Views: 1 views Posted By: Joe Last Edit: 11 Mar 2009 [...]

  2. [...] Read more here: 4sysops – Windows 7 binary astir firewall profiles [...]

  3. Samantha says:

    If you have a small company and need an all-in-one solution, then I would look at something like unified threat management, also known as a UTM. Cyberoam firewall is the only UTM firewall that embeds user identity in firewall rule matching criteria, enabling enterprises to configure policies and identify users directly by the username rather than through IP addresses. Cyberoam's powerful hardware firewall provides stateful and deep packet inspection, access control, user authentication, network and application-level protection.

    The ICSA-certified Cyberoam firewall is available along with VPN, gateway anti-virus and anti-spyware, gateway anti-spam, intrusion prevention system, content filtering, bandwidth management and multiple link management, providing comprehensive security to small, medium and large enterprises, including remote and branch offices. Cyberoam is a Check Mark Level 5 certified UTM solution.

    Key Features

    1. Stateful Inspection Firewall
    2. Centralized management for multiple security features
    3. Embeds user identity in rule-matching criteria
    4. Multiple zone security
    5. Granular IM, P2P controls
    6. ICSA certified

  4. William says:

    AFAIK, public = public; private = home+work; domain is applied automatically when a domain controller of the domain the workstation belongs to is detected on the network.

  5. Samantha, thanks!

    William, thanks! I was unsure when I wrote the article, but I didn’t find a clarifying description on the web. I corrected the article now.

  6. Anon says:

    This is a definitely an interesting topic to cover, but I think that the Multiple Active Firewall Profiles feature has been misunderstood.

    It seems that this article is demonstrating the “Windows Firewall with Advanced Security” feature that allows users to configure (per-profile) whether or not each network interface should be protected by Windows Firewall. This is useful in situations where you only want Firewall to be active if your interface is connected to a certain type of network (e.g. protect my wireless interface when I am connected to a Public network, but not when I am connected to a Domain network). This is useful, but it is not the same as Multiple Active Firewall Profiles.

    In Windows Vista only one firewall profile could be active at any time. This meant that even if you were connected to a “private” network and a “public” network on the same machine, the overall firewall policy being enforced on the machine was “public” (public is selected because it is meant to be the more secure profile of the two).

    For example, say my computer has:

    A Wired interface connected to Private network
    and
    A Wireless interface connected to Public network

    On both interfaces the “public” firewall rules would be applied. This isn’t ideal because it means that to get things working correctly on my wired (private) network I might need to add firewall rules to the “public” profile…but then those rules will also apply to the wireless (public) network too…which I may not want!

    In Windows 7 this behavior has been much improved due to a new feature called “Multiple Active Firewall Profiles”. With the new behavior you will see that Firewall is now capable of enforcing different profile policies on each interface!

    If you take the same example as above, the behavior in Windows 7 will be to enforce the “Private” profile firewall policy on the wired interface, and it will enforce the “Public” profile firewall policy on the wireless interface. This is a really great improvement because it means that you can keep your Public networks secured with a restrictive firewall policy while at the same time applying a less-restrictive policy to your private network.

  7. Searching for this for some time now, Thank you.

  8. purk says:

    Hi

    I would like to know how the behaviour (network-aware profiles) would be when the system starts up, and what level of permissions is required on the box to set the network profile on a NIC.

  9. Simon Drains says:

    The reason why Vista and 7’s firewall is so good, is because it’s based on Windows Server 2003; you’re actually using a firewall whose core was initially designed for use by SysAdmins.

  10. Jeff says:

    I was wondering. I see how you can change which Profiles belong to which NICs, but what if a NIC is checked in two different profiles? Which one will it go with? Say I unchecked “Public” but “Private” and “Domain” are still checked. Which one will it go to?
