Configuring Windows 7 (Training Kit) - Part 43

Lesson 1: Managing Windows Firewall CHAPTER 7 393
3. If you want to limit the remote IP address that the rule applies to (for example, when
you want the rule to only apply to inbound traffic from a specific subnet), select
the These IP Addresses option under Remote IP Addresses and click Add to specify the
individual IP addresses, network address, or IP address range.
You can use the Advanced options of a rule’s properties to specify which network interfaces
the rule applies to. This is similar to limiting the local IP addresses that the rule applies to,
except it is done by selecting a particular device, not the address attached to that device.
On the Advanced tab, you can also configure how a rule responds to traffic that has passed
through an edge device such as a Network Address Translation (NAT) router. The options are:
• Block edge traversal: When selected, the target of the rule is blocked from receiving
unsolicited traffic from the Internet through a NAT device.
• Allow edge traversal: When selected, the target of the rule will process unsolicited
traffic directly from the Internet through a NAT device.
• Defer to user: When selected, the user receives a message informing them of
incoming traffic from a NAT device. If the user has sufficient privileges, they can block
or allow communication manually.
• Defer to application: When selected, application settings determine whether
incoming traffic from a NAT device is accepted or rejected.
Connection Security Rules
Connection security rules are a special type of rule that deals with authenticated and encrypted
traffic. You can use connection security rules to manage how communication occurs between
different hosts on the network. You use the New Connection Security Rule Wizard, shown in
Figure 7-10, to create connection security rules. Connections can be authenticated using the
Kerberos V5 protocol, which requires either a domain computer account together with a domain
user account, or a domain computer account alone. If you select advanced properties, connections
can instead be authenticated using NTLMv2, computer certificates from a particular certificate
authority (CA), or a pre-shared key.


394 CHAPTER 7 Windows Firewall and Remote Management
FIGURE 7-10 New connection security rule
The different connection security rules work in the following ways:
• Isolation: Isolation rules allow you to limit communication to hosts that are able to
authenticate using specific credentials. For example, you can use an isolation rule to
stop computers communicating with any hosts that are not members of an AD DS
domain. You can configure an isolation rule to request authentication for inbound
and outbound communication, require authentication for inbound communication
and request it for outbound communication, or require authentication for all
communication.
• Authentication exemption: These rules allow you to configure exemptions to
isolation rules. You can configure authentication exemptions to allow a computer
to connect to infrastructure servers, such as DHCP servers and DNS servers, without
having to authenticate.
• Server-to-server: These rules allow you to protect connections between specific
computers. They differ from isolation rules in that instead of applying to all
connections, they apply to connections between hosts at specific addresses.
• Tunnel: These rules are similar to server-to-server rules, except that they apply to
connections through tunnels to remote sites, such as site-to-site links.
NOTE CONNECTION SECURITY RULES AND IPSEC POLICIES
The relationship between connection security rules and IPSec policies is similar to the
relationship between AppLocker and Software Restriction Policies. Both sets of rules do
similar things, but the ones that you use depend on the operating systems used by the
client computers in your organization. All editions of Windows 7 and Windows Vista
support connection security rules, but Windows XP does not.
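The isolation rule and authentication exemption described above, expressed as netsh commands in the advfirewall consec context. This is an added example, not code from the Training Kit; the rule names, the choice of the DNS servers as the exempted endpoint, and the use of Windows PowerShell to drive Netsh.exe are assumptions.

```powershell
# Added example, not from the Training Kit: an isolation rule and an
# authentication exemption of the kinds described above, created with netsh
# in the 'advfirewall consec' context from an elevated prompt on Windows 7.
# Rule names and the choice of exempted endpoint are assumptions.

function Add-ConsecRule {
    param([string[]]$Arguments)
    $output = & netsh.exe advfirewall consec add rule @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh consec add rule failed: $output" }
    return $output
}

# Isolation: require authentication for inbound, request it for outbound
# (the middle one of the three isolation modes listed above). Kerberos V5
# for both the computer and the user account means only AD DS members can
# complete the negotiation; non-members cannot open inbound connections.
Add-ConsecRule @(
    'name=DomainIsolation',
    'endpoint1=any', 'endpoint2=any',
    'action=requireinrequestout',
    'auth1=computerkerb',
    'auth2=userkerb',
    'profile=domain,private'
)

# Exemption: the DNS servers the client is configured to use are reachable
# without authentication. Without this the client could not resolve the
# domain controllers it needs in order to obtain Kerberos tickets at all.
Add-ConsecRule @(
    'name=ExemptDnsServers',
    'endpoint1=any', 'endpoint2=dns',
    'action=noauthentication'
)

# Read both rules back; 'show rule ... verbose' lists the action, endpoints
# and authentication methods so the result can be checked before rollout.
netsh.exe advfirewall consec show rule name=DomainIsolation verbose
netsh.exe advfirewall consec show rule name=ExemptDnsServers verbose
```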
Importing and Exporting Firewall Configuration

Most organizations that use clients running Windows 7 apply firewall rules through Group
Policy. In the event that you need to support a number of stand-alone clients running
Windows 7, you can replicate complex firewall configurations using the WFAS Import Policy
and Export Policy options. Importing and exporting policy also allows you to save the current
firewall configuration state before you make changes to it. Exported policy files use the .wfw
extension. Exported policies use a binary format, not Extensible Markup Language (XML)
format like many other Windows 7 configuration files. You can also export and import firewall
policies in the same .wfw format using the netsh advfirewall export or netsh advfirewall import
commands.
Managing WFAS with Netsh
You can use the Netsh.exe command-line utility from an elevated command prompt to
manage WFAS rules. The advantage of this is that you can combine it with Windows Remote
Shell (WinRS), which you will learn about in the next lesson, to manage WFAS rules on
other computers running Windows 7 on your network. You can also use Netsh.exe to script
the creation of firewall rules on stand-alone computers that are not members of an AD DS
domain and hence are not subject to domain-applied Group Policy.
To use Netsh.exe to create WFAS firewall rules, you need to be in the advfirewall firewall
context. The following are some examples of using Netsh.exe to create WFAS firewall rules:
• To create a rule named WebServerRule that applies in the domain profile and allows
inbound traffic on TCP port 80, issue the command netsh advfirewall firewall add
rule name="WebServerRule" profile=domain protocol=TCP dir=in localport=80
action=allow.
• To create a rule named AllowCalc that allows inbound traffic to the Calc.exe application
in all network profiles, issue the command netsh advfirewall firewall add rule
name="AllowCalc" dir=in program="c:\windows\system32\calc.exe" action=allow.
• To create a rule named BlockFTP that blocks outbound traffic from the Ftp.exe
application, issue the command netsh advfirewall firewall add rule
name="BlockFTP" dir=out program="c:\windows\system32\ftp.exe"
action=block.
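The three netsh rules above, scripted for a stand-alone client together with the export-before-change workflow from the Importing and Exporting Firewall Configuration section. This is an added example, not code from the Training Kit; the backup file path, the elevation check, and the use of Windows PowerShell to drive Netsh.exe are assumptions.

```powershell
# Added example, not from the Training Kit: scripting the three rules listed
# above on a stand-alone Windows 7 client, after snapshotting the current WFAS
# policy with 'netsh advfirewall export' so that 'netsh advfirewall import'
# can roll the change back. The backup path is an assumption.

$BackupFile = Join-Path $env:TEMP 'wfas-before-change.wfw'

function Test-IsElevated {
    # netsh advfirewall changes need an elevated prompt, as the lesson states
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Netsh {
    param([string[]]$Arguments)
    $output = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh $($Arguments -join ' ') failed: $output"
    }
    return $output
}

if (-not (Test-IsElevated)) {
    throw 'Run this script from an elevated Windows PowerShell prompt.'
}

# 1. Save the current policy first. The .wfw file is binary, not XML, so treat
#    it as an opaque blob and restore it only through netsh or the WFAS console.
Invoke-Netsh @('advfirewall', 'export', $BackupFile)

# 2. The lesson's three rules. Names must be unique, so an existing rule with
#    the same name is skipped (netsh exits non-zero when no rule matches).
$Rules = @(
    @('name=WebServerRule', 'profile=domain', 'protocol=TCP', 'dir=in',
      'localport=80', 'action=allow'),
    @('name=AllowCalc', 'dir=in', 'program=c:\windows\system32\calc.exe',
      'action=allow'),
    @('name=BlockFTP', 'dir=out', 'program=c:\windows\system32\ftp.exe',
      'action=block')
)
foreach ($rule in $Rules) {
    $null = & netsh.exe advfirewall firewall show rule $rule[0] 2>&1
    if ($LASTEXITCODE -eq 0) { Write-Warning "$($rule[0]) exists, skipping"; continue }
    Invoke-Netsh (@('advfirewall', 'firewall', 'add', 'rule') + $rule)
    # 3. Read it back: 'show rule' prints direction, action and profiles.
    Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', $rule[0])
}

# To undo everything above: Invoke-Netsh @('advfirewall', 'import', $BackupFile)
```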
EXAM TIP
Know when you need to use WFAS to create a rule and when you can use Windows
Firewall.
Practice Configuring Windows Firewall
In this practice, you use Windows Firewall and WFAS to configure two different firewall
rules. By interacting with the interface, you learn more about the types of rules that you can
configure with each tool.
EXERCISE 1 Configuring Firewall Rules with Windows Firewall
In this exercise, you configure a rule that allows incoming traffic to the Internet Backgammon
application. To complete this exercise, perform the following steps:
1. Log on to Canberra with the Kim_Akers user account.
2. Click Start, Control Panel, and System And Security.
3. Under Windows Firewall, click Allow A Program Through Windows Firewall.
4. In the Allow Programs To Communicate Through Windows Firewall dialog box, shown
in Figure 7-11, click Change Settings.
FIGURE 7-11 Allow programs through Windows Firewall
5. Click Allow Another Program. This opens the Add A Program dialog box. Click Browse
and navigate to the Program Files\Microsoft Games\Multiplayer\Backgammon folder.
Select Bckgzm.exe and click Open.
6. Click Network Location Types and verify that the settings match those shown in
Figure 7-12. Click OK and then click Add.
FIGURE 7-12 Choose Network Location Types
7. Verify that a rule for Internet Backgammon now appears in the list of Allowed
Programs And Features for the Home/Work (Private) profile, but not the Public profile
and then click OK.

EXERCISE 2 Configuring WFAS Rules
In this exercise, you configure a WFAS rule for a hypothetical Internet Relay Chat (IRC) server
hosted on a client running Windows 7. You configure the rule to accept only authenticated
connections from hosts on a specific subnet.
1. If you have not already done so, log on to the computer named Canberra with the
Kim_Akers user account.
2. Click Start. In the Search Programs And Files text box, type Windows Firewall with
Advanced Security, and click Windows Firewall with Advanced Security. This opens
the Windows Firewall With Advanced Security console.
3. Select the Inbound Rules node. In the Actions pane, click New Rule.
4. On the Rule Type page, select Port and then click Next.
5. On the Protocols And Ports page, type 6667 in the Specific Local Ports box, as shown
in Figure 7-13, and then click Next.
FIGURE 7-13 Specify TCP port 6667
6. On the Action page, select Allow The Connection If It Is Secure and then click Customize.
7. In the Customize Allow If Secure Settings dialog box, select the Require The Connections
To Be Encrypted option and then select the Allow The Computers To Dynamically
Negotiate Encryption check box, as shown in Figure 7-14, and click OK.
FIGURE 7-14 Customize secure connection settings
8. Click Next. On the Users page of the New Inbound Rule Wizard, click Next.
9. On the Computers page of the New Inbound Rule Wizard, click Next.
10. On the When Does This Rule Apply page, configure the rule to apply only in the
Domain and Private profiles, and then click Next.
11. On the Name page, enter the name IRC Server Rule and then click Finish.
12. In the list of Inbound Rules, right-click the IRC Server Rule and then choose Properties.
13. Click the Scope tab. In the Remote IP Address section, select These IP Addresses and
then click Add.
14. In the This IP Address Or Subnet text box, enter 10.0.10.0/24 and then click OK.
15. Verify that the IRC Server Rule Properties dialog box matches Figure 7-15, and then
click OK.
FIGURE 7-15 Configuring rule scope
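The rule that Exercise 2 builds in the WFAS console, reproduced with netsh so that the same scoped, authenticated rule can be scripted on stand-alone clients. This is an added example, not code from the Training Kit; the rule name without spaces and the use of Windows PowerShell to drive Netsh.exe are assumptions, while the port, profiles, and 10.0.10.0/24 scope come from the exercise steps.

```powershell
# Added example, not from the Training Kit: the rule that Exercise 2 builds in
# the WFAS console, reproduced with netsh so it can be scripted on stand-alone
# clients. The name has no spaces (an assumption, to keep the netsh arguments
# simple); the port, profiles and the 10.0.10.0/24 scope come from the steps.

function Add-SecureScopedRule {
    param(
        [string]$Name,
        [int]$Port,
        [string]$RemoteSubnet,
        [string[]]$Profiles = @('domain', 'private')
    )
    # security=authdynenc is the netsh form of 'Allow the connection if it is
    # secure' with 'Require the connections to be encrypted' and 'Allow the
    # computers to dynamically negotiate encryption' (Figure 7-14). remoteip
    # is the Scope tab setting from step 14. Such a rule only ever matches
    # traffic that a connection security rule has already authenticated, so
    # without one the port stays closed even though the rule says 'allow'.
    $netshArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name", 'dir=in', 'action=allow',
        'protocol=TCP', "localport=$Port",
        "remoteip=$RemoteSubnet",
        "profile=$($Profiles -join ',')",
        'security=authdynenc'
    )
    $output = & netsh.exe @netshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed: $output" }
    # Read the rule back; verbose output includes RemoteIP, Profiles and Security
    return & netsh.exe advfirewall firewall show rule "name=$Name" verbose
}

Add-SecureScopedRule -Name 'IRCServerRule' -Port 6667 -RemoteSubnet '10.0.10.0/24'
```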
Lesson Summary
• Windows Firewall and WFAS work together on a client running Windows 7.
• Windows Firewall allows for the creation of basic rules that apply to programs and
Windows 7 features. You cannot configure rule scope or authentication settings for
Windows Firewall rules.
• Network profiles allow different sets of firewall rules to apply depending on the
properties of the network connection. The three network profiles are Domain, Public,
and Home Or Work (Private).
• Windows Firewall rules can apply selectively to network profiles. Different network
profiles can apply to different network interfaces at the same time.
• WFAS allows you to configure inbound and outbound firewall rules for ports,
programs, and services.
• WFAS allows you to configure rule scope and authentication.
Lesson Review
You can use the following questions to test your knowledge of the information in Lesson 1,
“Managing Windows Firewall.” The questions are also available on the companion DVD if you
prefer to review them in electronic form.
NOTE ANSWERS
Answers to these questions and explanations of why each answer choice is correct
or incorrect are located in the “Answers” section at the end of the book.

1. You are responsible for managing student laptops that have Windows 7 installed at
a small community college. You want to prevent students from uploading files using
FTP to FTP sites on the Internet but allow them to send outbound e-mail using the
Simple Mail Transfer Protocol (SMTP). Which of the following rules would you configure
to accomplish that goal?
A. Inbound rules
B. Outbound rules
C. Isolation rules
D. Authentication exemption rules
2. You want to create a firewall rule that allows inbound communications on port 80
when your laptop computer with Windows 7 installed is connected to your office
network, but blocks inbound communication on TCP port 80 when you are connected
to your home network. Which of the following tools could you use to create this rule?
(Choose all that apply.)
A. Windows Firewall
B. WFAS
C. Netsh
D. Netstat
3. What does the command netsh advfirewall firewall add rule name="CustomRule"
profile=domain protocol=TCP dir=in localport=80 action=allow do when executed from
an elevated command prompt?
A. Creates an inbound rule that applies only in the Domain profile that blocks traffic
on port 80
B. Creates an outbound rule that applies only in the Domain profile that blocks traffic
on port 80
C. Creates an inbound rule that applies only in the Domain profile that allows traffic
on port 80
D. Creates an outbound rule that applies only in the Domain profile that allows traffic
on port 80

4. You are configuring firewall rules on a client running Windows 7. You want to allow
incoming traffic to the application named Application.exe, but only if it is authenticated.
Which of the following steps should you perform to accomplish this goal?
A. Use Windows Firewall to create a rule
B. Use WFAS to create a rule
C. Use the Credential Manager to create a rule
D. Use the Authorization Manager to create a rule
5. You want Windows 7 to send you a message when the firewall blocks a new program
when you are connected to your organization’s domain network. Windows 7 should
not send you a message when the firewall blocks a new program when you are
connected to a public network. Which of the following settings should you configure?
(Choose all that apply; each answer forms part of a complete solution.)
A. In the Home Or Work (Private) Network Location Settings area, select Turn On
Windows Firewall and enable Notify Me When Windows Firewall Blocks A New
Program.
B. In the Home Or Work (Private) Network Location Settings area, select Turn On
Windows Firewall and disable Notify Me When Windows Firewall Blocks A New
Program.
C. In the Public Network Location Settings area, select Turn On Windows Firewall and
enable Notify Me When Windows Firewall Blocks A New Program.
D. In the Public Network Location Settings area, select Turn On Windows Firewall and
disable Notify Me When Windows Firewall Blocks A New Program.
Lesson 2: Windows 7 Remote Management
Remote management allows a user in one location to perform management tasks on
a computer in another location. Through remote management, you can perform almost every
task remotely that you can perform when you are sitting directly in front of the computer.
In this lesson, you learn about the remote management technologies that can be used
with Windows 7 including Remote Desktop, Remote Assistance, Windows PowerShell, and
Windows Remote Shell (WinRS).

After this lesson, you will be able to:
• Use Windows PowerShell for remote management.
• Use WinRS for remote management.
• Configure Remote Assistance.
• Configure Remote Desktop.
Estimated lesson time: 40 minutes
Remote Desktop
Remote Desktop allows you to log on remotely to a computer running Windows 7 and to
interact with that computer in the same manner as you would if you were sitting in front of
it. Remote Desktop allows you to print using printers connected to the remote computer, or to
print to a local printer from an application running on the remote computer. Remote Desktop
functions well as a management tool because it allows employees responsible for managing,
maintaining, and configuring client operating systems to perform many of those tasks remotely.
NOTE REMOTE MANAGEMENT TERMINOLOGY
For the purposes of clarity, when discussing remote management throughout this
lesson, the management computer is the computer that the user is logged on to directly.
The remote computer is the computer to which the user is making a remote desktop
connection. All remote management technologies require that there be network
connectivity between the management computer and the remote computer.
You can perform a logon using Remote Desktop if no one is currently logged on to the
remote computer, though the remote computer does need to be switched on. If Wake On
LAN is configured for the physical network interface, it is possible for the computer to wake
from sleep or hibernate mode when an incoming remote desktop session is detected, though
configuring Windows 7 to support this functionality is beyond the scope of the 70-680 exam.
If a user locks the screen on their client running Windows 7, it is possible for that user to
