Windows Server 2008: Windows Firewall with Advanced Security

By Michael Pietroforte - Fri, May 25, 2007

Michael Pietroforte is the founder and editor of 4sysops. He is a Microsoft Most Valuable Professional (MVP) with more than 30 years of experience in system administration.

Today, I played a little with the new features of Windows Firewall. If you are familiar with the desktop firewall in Windows Vista, you already know the most important new features. There are, however, some server-related peculiarities.

First of all, you might ask why a server needs a personal firewall if all your servers are behind a gateway firewall anyway. It seems superfluous to have another firewall running on the servers.

It is interesting to note that the firewall in Windows Server 2008 is activated by default. Only an upgraded Windows Server 2003 will maintain its operational state. It seems that Microsoft’s software engineers think that Windows Firewall brings some extra security on servers, too.

I fully agree! Think of it as another line of defense. The more barriers you have, the more secure your network is. This corresponds to the general trend to enforce security inside the perimeter network. See an earlier discussion on 4sysops about the pros and cons of personal firewalls.

One disadvantage is that an application can fail to work because of an incorrectly configured Windows Firewall. However, this applies to all security measures: they make your network more complicated and therefore more prone to errors.

The Windows Server 2008 firewall has a nice feature that alleviates this problem. Whenever you add a new role to your server, the firewall is automatically configured accordingly. For instance, if you configure your Windows server as a domain controller, the corresponding ports are opened automatically.

If you run third-party applications on your servers, you have to configure the firewall yourself. For this, you have to use the “Windows Firewall with Advanced Security” MMC snap-in. You can launch it by typing “firewall” on the Start search prompt. You’ll also see the “simple” Windows Firewall tool from the Control Panel. This tool can only be used to disable the firewall and to enable exceptions for Windows programs.

It is also possible to remotely manage the firewall settings using the MMC snap-in on a Vista machine. But if you try to connect remotely to change the firewall settings, you’ll get the message “The Windows Firewall with advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer that you are managing. Error code: 0X6D9”. Well, restarting the firewall service won’t help. What you really have to do is enable remote management.

Open a command prompt with admin privileges and enter:

    netsh advfirewall set allprofiles settings remotemanagement enable

This should also work on a Server Core system. Managing the firewall remotely through the snap-in is much more comfortable than doing it on the command shell.

Like in Vista, the Windows Server 2008 firewall offers three different profiles: Domain, Private and Public. If a computer is a domain member, the location type is set automatically to Domain. It is not possible to change this setting. Only the firewall rules for the Domain profile apply then. If a computer is not in any domain, you can choose between the Private and the Public location types. You can change the location type in the Network and Sharing Center if you click on “Customize” beside the network connection.

The default setting for a Windows 2008 domain controller is “Public” and domain members can only use the Domain location type. Thus, on the domain controller, you will usually configure Public rules for third party applications and on domain members you will work with Domain rules. The difference between Private and Public doesn’t matter for servers in my view. I doubt that you will grab one of your servers and connect it at Starbucks to download some patches during your coffee break. You’ll find more information about the differences between the location types in the help file of Windows Firewall.

To disable or change other general settings of the firewall for a certain profile, you have to right click on “Windows Firewall with Advanced Security on Local Computer” and then choose “Properties”. Of course, you also can use Group Policy to configure Windows Firewall.

Like Vista, Windows Server 2008 also supports outbound filtering. By default, outbound connections are allowed, though. It probably is too much hassle to configure outbound filtering manually on server systems. Another change compared to the firewall in Windows Server 2003 SP1 is that IPsec rules can now be configured with the same snap-in. This certainly makes sense because it reduces the risk of conflicting settings.
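
An added example, not part of the original article: a batch script for an elevated command prompt that opens the firewall for a third-party application as narrowly as possible (one program, one port, one source range, one profile) and saves the policy first so a bad change can be rolled back. The application name, path, port, source range and backup file are constructed placeholders, and profile=domain assumes a domain member.

```bat
@echo off
rem Added example. Run from an elevated command prompt on the server.
rem APP_NAME, APP_PATH, APP_PORT, MGMT_NET and BACKUP are constructed placeholders.
setlocal
set "APP_NAME=ExampleApp agent (TCP-In)"
set "APP_PATH=C:\Program Files\ExampleApp\agent.exe"
set "APP_PORT=8443"
set "MGMT_NET=192.0.2.0/24"
set "BACKUP=%SystemDrive%\fw-before-exampleapp.wfw"

rem 1. Save the current policy so a broken rule set can be restored later
rem    with "netsh advfirewall import".
if exist "%BACKUP%" del "%BACKUP%"
netsh advfirewall export "%BACKUP%" || goto :fail

rem 2. Show which profiles are on and their default inbound/outbound policy.
netsh advfirewall show allprofiles state
netsh advfirewall show allprofiles firewallpolicy

rem 3. Remove any earlier copy of the rule so the script can be re-run.
netsh advfirewall firewall delete rule name="%APP_NAME%" >nul 2>&1

rem 4. Allow inbound traffic only for this program, on this port, from this
rem    source range, and only on the Domain profile. Change profile= to the
rem    location type the server actually uses.
netsh advfirewall firewall add rule name="%APP_NAME%" dir=in action=allow ^
    program="%APP_PATH%" protocol=TCP localport=%APP_PORT% ^
    remoteip=%MGMT_NET% profile=domain || goto :fail

rem 5. Log dropped packets so a misconfigured rule shows up in the firewall log.
netsh advfirewall set allprofiles logging droppedconnections enable || goto :fail

rem 6. Print the rule as stored, for review.
netsh advfirewall firewall show rule name="%APP_NAME%" verbose
endlocal
exit /b 0

:fail
echo Firewall change failed. Restore with: netsh advfirewall import "%BACKUP%"
endlocal
exit /b 1
```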


11 Comments

  1. Nikola says:

    ok when I try that to do with my server it sends me same message: An error occurred contacting the firewall. Make sure that the Windows Firewall service is running and try your request again.
    I even can't start services for firewall. please help me!!!

  2. [...] with the GUI-less Server Core  A few commands to get started with Windows Server Core  Windows Server 2008: Windows Firewall with Advanced Security Posted: Thursday, April 03, 2008 11:32 AM by Sander Berkouwer Filed under: System Administration, [...]

  3. Rotaluclac says:

    Call it paranoia – I set up the firewall to block all outbound traffic by default, and to allow traffic only if it meets a rule.

    I experimented with ping and tracert from the command prompt.

    Normally, they both don’t work. When I create a rule to allow outbound ICMP traffic, they do work. That’s what I expect.

    Now I change the rule. Instead of allowing ICMP for any program, I change the program to C:\Windows\System32\PING.EXE , and I leave the ICMP part as it was. I expect that ping still works, but tracert doesn’t.

    However, neither ping nor tracert works. WHY? To state my question differently: is there a way to allow outbound ICMP for ping, but to disallow it for tracert (or the other way round)?

  4. Michael Pietroforte says:

    Rotaluclac, yes I think it is possible. To allow ping and disallow traceroute you have to block the ICMP type 30. You can configure ICMP types if you click on “customize” when you specify the protocol type (ICMPv4). Check out Wikipedia for the other ICMP types.

  5. Rotaluclac says:

    Michael, thanks for your quick response. I understand what you mean, but you do not address the underlying problem (which is probably my fault for not expressing myself clearly enough).

    Let’s say there are two programs that send out ICMP Echo Requests. One is ping.exe ; let’s call the other pong.exe . I do trust ping.exe but I don’t trust pong.exe . Can I allow ping.exe to send out ICMP packets, but forbid pong.exe to do the same?

    The interface of Vista’s firewall rules suggests that this is possible. The firewall’s behaviour is different. It seems that you may specify a program (first page of the New Rule Wizard), but this program path+filename is only taken into account when the rest of the rule is about TCP or UDP traffic. The specified program seems to be ignored when the rest of the rule is about ICMP traffic.

  6. Michael Pietroforte says:

    I understand what you mean now, but I have never tried this. However, I think it should work. It would be very strange if one could configure it, but this doesn’t show an effect. Maybe it has something to do with the programs you used in your test. Maybe they behave differently than you think.

  7. Anushka says:

    I have come across a problem where I have configured a rule in the DC to allow incoming traffic for third party program (port 45580) which is installed in the DC.

    The problem is that the communication to this program clients stops after around 40 minutes of server uptime. Any clues from the firewall's point of view? Thanks in advance.

  8. Anushka, this doesn’t sound like a firewall problem because there are no time related settings. You can use a packet sniffer to see if the packets come through for this port.

  9. Sherwin Bidania says:

    What was the resolution on the first comment? I'm having the same issue right now with my server 2008 DC – firewall won't start.

    thanks,

  10. Smith McKenzie says:

    If I stop the Windows firewall on my W2K8 R2 server I can no longer RDP to the server or ping the server. Is this by design? An extra security feature?

  11. sreeju says:

    how i dwld firewall full
