Windows 7 Resource Kit- P27


Understanding Windows Firewall with Advanced Security CHAPTER 26
1253
attempts. For example, a back-end database server might be configured to accept
only authenticated connections from a front-end Web application server. For more
information on how server isolation works and how to implement it, see the Microsoft
documentation for server isolation. See also the Step-by-Step Guide: Deploying Windows
Firewall and IPsec Policies at /en-us/library/cc732400.aspx for a walkthrough of how to
implement a basic server isolation scenario.
• Domain isolation   Domain isolation involves configuring connection security rules
on both clients and servers so that domain members accept only authenticated (and
optionally, encrypted) connection attempts from other domain members. By default,
connection attempts from non-domain members are not accepted, but you can configure
exception rules that allow unauthenticated connections from specific non-domain
members. For more information on how domain isolation works and how to implement it,
see the Microsoft documentation for domain isolation. See also the Step-by-Step Guide:
Deploying Windows Firewall and IPsec Policies for a walkthrough of how to implement a
basic domain isolation scenario.
• Network Access Protection   Network Access Protection (NAP) is a technology available
in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that
enforces health requirements by monitoring and assessing the health of client computers
when they try to connect or communicate on a network. Client computers that are found
to be out of compliance with the health policy can then be provided with restricted
network access until their configuration has been updated and brought into compliance
with policy. Windows Firewall with Advanced Security can be used as part of a NAP
implementation by creating connection security rules that require computer certificates
for authentication. Specifically, client computers that are determined to be in
compliance with health policy are provisioned with the computer certificate needed to
authenticate. For more information on how NAP works and how to implement it, see the
Microsoft documentation for NAP.
• DirectAccess   DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2
that provides users with the experience of being seamlessly connected to their corporate
network any time they have Internet access. Using DirectAccess, users can securely access
internal resources such as e-mail servers and intranet sites without the need of first
establishing a VPN connection with their corporate network. DirectAccess uses IPv6
together with IPsec tunnels to establish secure, bidirectional communications between
the client computer and the corporate network over the public Internet. DirectAccess also
seamlessly integrates with server and domain isolation scenarios and NAP implementations,
enabling enterprises to create comprehensive end-to-end security, access, and health
requirement solutions. For more information on how DirectAccess works and how to
implement it, see the Microsoft documentation for DirectAccess.
DIRECT FROM THE SOURCE
Combining Domain Isolation with Server Isolation
Dave Bishop, Senior Technical Writer
WSUA Networking
You can easily combine both Domain Isolation and Server Isolation on the same
network. The Domain Isolation rules that configure your computers to authen-
ticate before connecting can also serve as the basis for identifying computers and
users to restrict access to sensitive servers. By default, only computer authentica-
tion is performed, but on computers that are running Windows 7, Windows Vista,
Windows Server 2008, or Windows Server 2008 R2, you can configure the rules to
also require user authentication.
The client rules that support Domain Isolation support Server Isolation as well. To
isolate a server, you configure the server to permit connections from authorized
users and computers only. To do this, add a firewall rule to the isolated server that
uses the Allow The Connection If It Is Secure action. This enables the Users and
Computers tabs, where you can identify the user and computer accounts that are
authorized to connect to the isolated server. No further configuration on the client
computers is required; the user and computer credentials used for authentication
for Domain Isolation are also used for the authorization on the isolated server.
Server Isolation is an important defense-in-depth layer that helps to protect your
sensitive servers, such as Payroll, Personnel, and other servers that must be carefully
guarded.
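One way to script the Domain Isolation plus Server Isolation combination described above with netsh advfirewall, added here as an example (it is not code from the book or from Microsoft). The rule names, the port 1433, the infrastructure addresses and the group SIDs are placeholders I chose; the SDDL form of the group strings is my assumption of the documented `rmtcomputergrp`/`rmtusrgrp` format.

```powershell
# Added example, not from the book: Domain Isolation on every domain member,
# Server Isolation on the sensitive server, using netsh advfirewall on
# Windows 7 / Windows Server 2008 R2. Run from an elevated PowerShell prompt.
# All names, addresses and SIDs below are placeholders.

$payrollClientsSid = 'S-1-5-21-0-0-0-1101'   # placeholder: "Payroll Workstations" computer group
$payrollUsersSid   = 'S-1-5-21-0-0-0-1102'   # placeholder: "Payroll Staff" user group

# --- Every domain member (clients and servers): Domain Isolation ---------------
# Require authentication for inbound connections and request it for outbound
# ones. First authentication is computer Kerberos; second authentication is
# user Kerberos, which is what Server Isolation authorizes on below.
netsh advfirewall consec add rule name="Domain Isolation" `
    endpoint1=any endpoint2=any `
    action=requireinrequestout `
    auth1=computerkerb auth2=userkerb `
    profile=domain

# Authentication exemption for hosts that cannot authenticate (placeholder DHCP
# and DNS server addresses). Without it, domain members refuse their
# unauthenticated inbound traffic once the rule above is in force.
netsh advfirewall consec add rule name="Exempt infrastructure servers" `
    endpoint1=any endpoint2=192.0.2.10,192.0.2.11 `
    action=noauthentication `
    profile=domain

# --- Isolated server only: Server Isolation ------------------------------------
# "Allow the connection if it is secure" is security=authenticate. The Users and
# Computers tabs of the snap-in correspond to rmtusrgrp and rmtcomputergrp,
# which take SDDL strings granting the CC (connect) right to a group SID
# (format assumed from the netsh documentation).
netsh advfirewall firewall add rule name="Payroll SQL (authorized only)" `
    dir=in action=allow protocol=TCP localport=1433 `
    security=authenticate `
    rmtcomputergrp="D:(A;;CC;;;$payrollClientsSid)" `
    rmtusrgrp="D:(A;;CC;;;$payrollUsersSid)" `
    profile=domain

# --- Verification --------------------------------------------------------------
# Show the rules as stored, then look for main mode security associations once
# an authorized client connects (the monitor context is described later in
# this chapter).
netsh advfirewall consec show rule name=all
netsh advfirewall firewall show rule name="Payroll SQL (authorized only)" verbose
netsh advfirewall monitor show mmsa
```

In a real deployment the two consec rules go into the domain-wide GPO and only the firewall rule into the GPO linked to the isolated servers' OU.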
TYPES OF CONNECTION SECURITY RULES
Depending on the scenario you want to implement or the business need you are trying to
meet, different types of connection security rules may be needed for your environment.
Windows Firewall with Advanced Security allows you to create the following types of
connection security rules:
• Isolation rules   These rules are used to isolate computers by restricting inbound
connections based on credentials such as domain membership. Isolation rules are typically
used when implementing a server or domain isolation strategy for your network.
• Authentication exemption rules   These rules are used to identify computers that
do not require authentication when attempting to connect to a domain member when
implementing a domain isolation strategy.
• Server-to-server rules   These rules are used to protect communications between
specific computers. This is basically the same as an isolation rule except that you can
specify the endpoints.
• Tunnel rules   These rules are used to protect communications between gateways on
the public Internet. In Windows 7, you can create dynamic tunnel endpoint rules that
enable Client-to-Gateway and Gateway-to-Client tunnel configurations.
• Custom rules   These rules can be created when the other types of connection security
rules don't meet the needs of your environment.
SUPPORTED IPSEC SETTINGS FOR CONNECTION SECURITY RULES
Connection security rules use IPsec to protect traffic between the local computer and other
computers on the network. IPsec is an industry-standard set of protocols for protecting
communications over IP networks using cryptographic security services. IPsec can
provide network-level peer authentication, data origin authentication, data integrity, data
confidentiality (encryption), and replay protection to ensure the security of traffic as it passes
across a network. For general information concerning IPsec concepts and how IPsec can be
used to protect a network, see the IPsec resources available from Microsoft.
The range of IPsec features supported in the Windows Vista RTM has been expanded, first
in Windows Vista SP1 and then further in Windows 7, to include new security methods,
data integrity algorithms, data encryption algorithms, and authentication protocols.
Tables 26-2 through 26-6 summarize the key exchange algorithms, data protection (integrity
or encryption) algorithms, and authentication methods now supported for IPsec communica-
tions in Windows 7. Note that some algorithms are supported only for main mode or quick
mode, and different authentication methods are supported for first and second authentica-
tion. For more information on how to configure IPsec settings in Windows 7, see the section
titled “Creating and Configuring Connection Security Rules” later in this chapter.
TABLE 26-2 Supported Key Exchange Algorithms for IPsec Communications in Windows 7

| KEY EXCHANGE ALGORITHM | NOTES |
| --- | --- |
| Diffie-Hellman Group 1 (DH Group 1) | Not recommended. Provided for backward compatibility only. |
| DH Group 2 | Stronger than DH Group 1. |
| DH Group 14 | Stronger than DH Group 2. |
| Elliptic Curve Diffie-Hellman P-256 | Stronger than DH Group 2. Medium resource usage. Compatible only with Windows Vista and later versions. |
| Elliptic Curve Diffie-Hellman P-384 | Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions. |
TABLE 26-3 Supported Data Integrity Algorithms for IPsec Communications in Windows 7

| DATA INTEGRITY ALGORITHM | NOTES |
| --- | --- |
| Message-Digest algorithm 5 (MD5) | Not recommended. Provided for backward compatibility only. |
| Secure Hash Algorithm 1 (SHA-1) | Stronger than MD5 but uses more resources. |
| SHA 256-bit (SHA-256) | Main mode only. Supported on Windows Vista SP1 and later versions. |
| SHA-384 | Main mode only. Supported on Windows Vista SP1 and later versions. |
| Advanced Encryption Standard-Galois Message Authentication Code 128 bit (AES-GMAC 128) | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 128 for integrity. |
| AES-GMAC 192 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 192 for integrity. |
| AES-GMAC 256 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 256 for integrity. |
| AES-GCM 128 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 128 for integrity. |
| AES-GCM 192 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 192 for integrity. |
| AES-GCM 256 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 256 for integrity. |
TABLE 26-4 Supported Data Encryption Algorithms for IPsec Communications in Windows 7

| DATA ENCRYPTION ALGORITHM | NOTES |
| --- | --- |
| Data Encryption Standard (DES) | Not recommended. Provided for backward compatibility only. |
| Triple-DES (3DES) | Higher resource usage than DES. |
| Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128) | Faster and stronger than DES. Supported on Windows Vista and later versions. |
| AES-CBC 192 | Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions. |
| AES-CBC 256 | Strongest security. Highest resource usage. Supported on Windows Vista and later versions. |
| AES-GCM 128 | Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption. |
| AES-GCM 192 | Quick mode only. Medium resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption. |
| AES-GCM 256 | Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption. |
TABLE 26-5 Supported First Authentication Methods for IPsec Communications in Windows 7

| FIRST AUTHENTICATION METHOD | NOTES |
| --- | --- |
| Computer (Kerberos V5) | Compatible with Microsoft Windows 2000 or later versions. |
| Computer (NTLMv2) | Use on networks that include systems running an earlier version of Windows and on stand-alone systems. |
| Computer certificate | The default signing algorithm is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. First authentication can also be configured to accept only health certificates when using a NAP infrastructure. |
| Pre-shared key | Not recommended. |
TABLE 26-6 Supported Second Authentication Methods for IPsec Communications in Windows 7

| SECOND AUTHENTICATION METHOD | NOTES |
| --- | --- |
| User (Kerberos V5) | Compatible with Windows 2000 or later versions. |
| User (NTLMv2) | Use on networks that include systems running an earlier version of Windows and on stand-alone systems. |
| User certificate | The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. |
| Computer health certificate | The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. |
DEFAULT IPSEC SETTINGS FOR CONNECTION SECURITY RULES
The default IPsec settings for Windows Firewall with Advanced Security are as follows:
• Default key exchange settings (main mode):
  - Key exchange algorithm: DH Group 2
  - Data integrity algorithm: SHA-1
  - Primary data encryption algorithm: AES-CBC 128
  - Secondary data encryption algorithm: 3DES
  - Key lifetime: 480 minutes/0 sessions
• Default data integrity settings (quick mode):
  - Primary protocol: Encapsulating Security Payload (ESP)
  - Secondary protocol: Authentication Header (AH)
  - Data integrity algorithm: SHA-1
  - Key lifetime: 60 minutes/100,000 KB
• Default data encryption settings (quick mode):
  - Primary protocol: ESP
  - Secondary protocol: ESP
  - Data integrity algorithm: SHA-1
  - Primary data encryption algorithm: AES-CBC 128
  - Secondary data encryption algorithm: 3DES
  - Key lifetime: 60 minutes/100,000 KB
The default authentication method used for first authentication of IPsec connections is
Computer (Kerberos V5). By default, no second authentication method is configured for IPsec
connections.
By default, these settings are used when creating new connection security rules unless
you select different settings when using the New Connection Security Rule Wizard. For more
information, see the section titled “Creating and Configuring Connection Security Rules” later
in this chapter.
Windows Firewall and Windows PE
Beginning with Windows 7 and Windows Server 2008 R2, you can now configure
IPsec in Windows Preinstallation Environment (Windows PE) for added security
during desktop and server deployment. While Windows PE 3.0 now supports IPsec
by default, the computer you want to connect to may require additional
configuration to allow a connection. The default IPsec settings for Windows PE 3.0
are as follows:
• MM Security Offer: AES128-SHA1-ECDHP256, where MM is main mode.
• MM Authentication Method: Anonymous
• QM Policy: 3DES-SHA1; AES128-SHA1, where QM is quick mode.
• QM Authentication Method: NTLMv2
Understanding Default Rules
Default rules specify the default behavior of Windows Firewall with Advanced Security when
traffic does not match any other type of rule. Default rules can be configured on a per-profile
basis. The possible default rules for inbound traffic are:
• Block (the default for all profiles)
• Block all connections
• Allow
The possible default rules for outbound traffic are:
• Allow (the default for all profiles)
• Block
From a practical standpoint, the block all connections default rule for inbound traffic can
be interpreted as “shields up” or “ignore all allow and allow-bypass rules.” For information on
configuring default rules, see the section titled “Configuring Firewall Profiles and IPsec Set-
tings by Using Group Policy” later in this chapter.
Understanding WSH Rules
WSH rules are built-in rules that protect Windows services (and thereby also the applications
that use these services) by restricting services from establishing connections in ways other
than they were designed. WSH rules are not exposed to management using the Windows
Firewall with Advanced Security MMC snap-in, the Netsh command, or Group Policy.
Third-party ISVs who create services for Windows can also create WSH rules to protect
those services. For more information on this, see /aa365491.aspx.
Understanding Rules Processing
If more than one rule matches a particular packet being examined, Windows Firewall with
Advanced Security must decide which of these rules to apply to the packet so as to decide
what action to take. The order in which Windows Firewall with Advanced Security processes
rules is as follows:
1. WSH rules (this is not configurable by the user)
2. Connection security rules
3. Authenticated bypass rules
4. Block rules
5. Allow rules
6. Default rules
When a packet is being examined by Windows Firewall with Advanced Security, the packet
is compared to each of these types of rules in the order they are listed. If the packet matches
a particular rule, that rule is applied, and rule processing stops. In addition, if two rules in the
same group match, then the rule that is more specific (that is, has more matching criteria)
is the one that is applied. For example, if rule A matches traffic to 192.168.0.1 and rule B
matches traffic to 192.168.0.1 TCP port 80, then traffic to port 80 on that server matches rule
B, and its action is the one taken.
By default, the rule processing described previously includes both local rules (firewall and/
or connection security rules configured by the local administrator of the computer) and rules
applied to the computer by Group Policy. If more than one Group Policy object (GPO) applies
to a particular computer, the default rules come from the GPO with the highest precedence.
Merging of local rules can be enabled or disabled using Group Policy. For more information,
see the section titled “Considerations When Managing Windows Firewall Using Group Policy”
later in this chapter.
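A small model of the rule-processing order described above, added here as an example (not code from the book), so the consequences can be tried out before touching a real policy. It reproduces the chapter's rule A / rule B case and adds the case practitioners most often get wrong: a block rule beats a more specific allow rule because types are processed in order before specificity is considered. All function and rule names are mine; only remote address, protocol and port are modelled as criteria.

```powershell
# Added example, not from the book: the chapter's rule-processing order as a
# model. Types are tried in order; within a type the rule with the most
# matching criteria wins and processing stops.

$RuleTypeOrder = 'WSH', 'ConnectionSecurity', 'AuthenticatedBypass', 'Block', 'Allow', 'Default'

function New-FwRule {
    param([string]$Name, [string]$Type, [string]$Action,
          [string]$RemoteIP = 'any', [string]$Protocol = 'any', [int]$Port = 0)
    # 'any' (or port 0) means the rule does not specify that criterion.
    New-Object PSObject -Property @{
        Name = $Name; Type = $Type; Action = $Action
        RemoteIP = $RemoteIP; Protocol = $Protocol; Port = $Port
    }
}

function Test-FwRuleMatch($Rule, $Packet) {
    # A rule matches when every criterion it specifies agrees with the packet.
    if ($Rule.RemoteIP -ne 'any' -and $Rule.RemoteIP -ne $Packet.RemoteIP) { return $false }
    if ($Rule.Protocol -ne 'any' -and $Rule.Protocol -ne $Packet.Protocol) { return $false }
    if ($Rule.Port -ne 0 -and $Rule.Port -ne $Packet.Port) { return $false }
    return $true
}

function Get-FwRuleSpecificity($Rule) {
    # Number of criteria the rule specifies ("more matching criteria").
    $n = 0
    if ($Rule.RemoteIP -ne 'any') { $n++ }
    if ($Rule.Protocol -ne 'any') { $n++ }
    if ($Rule.Port -ne 0) { $n++ }
    return $n
}

function Resolve-FwAction([object[]]$Rules, $Packet) {
    foreach ($type in $RuleTypeOrder) {
        $matching = @($Rules | Where-Object { $_.Type -eq $type -and (Test-FwRuleMatch $_ $Packet) })
        if ($matching.Count -eq 0) { continue }
        # The first type with a match decides; its most specific rule is applied.
        $winner = $matching | Sort-Object { Get-FwRuleSpecificity $_ } -Descending | Select-Object -First 1
        return "$($winner.Action) by $type rule '$($winner.Name)'"
    }
    return 'no rule matched'
}

# Constructed rules: the chapter's rule A and rule B, a block rule for the same
# address, and the per-profile default inbound rule.
$ruleA   = New-FwRule -Name 'Rule A' -Type Allow -Action Allow -RemoteIP '192.168.0.1'
$ruleB   = New-FwRule -Name 'Rule B' -Type Allow -Action Allow -RemoteIP '192.168.0.1' -Protocol TCP -Port 80
$blockIP = New-FwRule -Name 'Block 192.168.0.1' -Type Block -Action Block -RemoteIP '192.168.0.1'
$default = New-FwRule -Name 'Profile default (inbound)' -Type Default -Action Block

# Constructed packets.
$web = New-Object PSObject -Property @{ RemoteIP = '192.168.0.1'; Protocol = 'TCP'; Port = 80 }
$ssh = New-Object PSObject -Property @{ RemoteIP = '10.0.0.5';    Protocol = 'TCP'; Port = 22 }

# Same type: the more specific rule B is chosen over rule A.
Resolve-FwAction @($ruleA, $ruleB, $default) $web
# Different types: the block rule is chosen over the more specific rule B,
# because block rules are processed before allow rules.
Resolve-FwAction @($ruleA, $ruleB, $blockIP, $default) $web
# Nothing explicit matches: the profile's default inbound rule decides.
Resolve-FwAction @($ruleA, $ruleB, $blockIP, $default) $ssh
```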
Managing Windows Firewall with Advanced Security
Windows 7 and Windows Server 2008 R2 include tools for configuring and managing
Windows Firewall with Advanced Security in both stand-alone and domain environments.
These tools can be used to perform common tasks such as creating firewall rules to block
or allow traffic, creating connection security rules to protect network traffic using IPsec,
monitoring firewall and connection security activity, and more. The sections that follow
examine the tools that you can use to manage Windows Firewall with Advanced Security and
describe some common management tasks.
Tools for Managing Windows Firewall with Advanced Security
The following tools can be used for managing Windows Firewall with Advanced Security:
• Windows Firewall Control Panel item
• Windows Firewall with Advanced Security MMC snap-in
• Windows Firewall with Advanced Security Group Policy node
• Netsh advfirewall command context
The sections that follow summarize the differences in functionality between using these
various tools.
Managing Windows Firewall Using Control Panel
The Windows Firewall utility in Control Panel exposes only a small subset of Windows Firewall
with Advanced Security functionality and is primarily intended for consumers and for users
working in SOHO environments. Using this utility, a user on the local computer can perform
the following tasks:
• Turning Windows Firewall on or off for each type of network location (domain, private,
or public)
• Enabling or disabling firewall notifications for each type of network location
• Verifying which firewall profiles apply to which network connections on the computer
• Allowing a program or feature to communicate through Windows Firewall for a particular
firewall profile (see Figure 26-7)
• Restoring the default settings for Windows Firewall
Note that most actions involving Windows Firewall require local administrator credentials
on the computer.
FIGURE 26-7 Viewing which firewall profiles allow Remote Assistance to communicate through Windows Firewall
Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in
The Windows Firewall with Advanced Security MMC snap-in exposes most of the functionality
of Windows Firewall for advanced users and administrators of the local computer (main mode
rules and some advanced global IPsec settings are configurable only by Netsh). To start this
snap-in, do any of the following:
• From the Start menu, select Control Panel, System And Security, Windows Firewall,
Advanced Settings.
• Type fire in the Start menu Search box, and then click Windows Firewall With Advanced
Security in the Programs group.
• Type wf.msc in the Start menu Search box and press Enter.
• Type mmc in the Start menu Search box and press Enter to open a new MMC console,
and then add the Windows Firewall with Advanced Security snap-in to the console in
the usual way.
The first three methods listed here can be used only to manage Windows Firewall on the
local computer. The last method can be used to manage Windows Firewall on either the local
computer or a specified remote computer. You must have local administrator credentials on
the computer on which you want to manage Windows Firewall when using this snap-in.
NOTE The Windows 7 version of the Windows Firewall with Advanced Security snap-in
can be used to manage Windows Firewall on Windows 7, Windows Vista, Windows Server
2008, and Windows Server 2008 R2.
Using the Windows Firewall with Advanced Security snap-in, you can perform a wide
variety of administrative tasks, including the following:
• Configuring default settings for each firewall profile
• Enabling and disabling firewall rules
• Creating and configuring firewall rules
• Configuring default IPsec settings
• Enabling and disabling connection security rules
• Creating and configuring connection security rules
• Exporting and importing firewall policy for the computer
• Restoring the default firewall settings for the computer
• Configuring firewall logging settings
• Monitoring the state of the firewall and its configuration
• Monitoring active firewall rules
• Monitoring active connection security rules
• Monitoring security associations for both main mode and quick mode
• Monitoring event logs associated with Windows Firewall
Many of these management tasks are described in more detail in the section titled “Com-
mon Management Tasks” later in this chapter.
To make it easier to manage large numbers of rules on a computer, the Windows Firewall
with Advanced Security snap-in lets you filter firewall and connection security rules by profile
(domain, private or public) and/or by state (enabled or disabled). In addition, firewall rules
(but not connection rules) can also be filtered by rule group. Figure 26-8 shows all inbound
rules that match the following filtering criteria:
• Profile: domain
• State: enabled
• Group: Remote Assistance
To remove applied filters, select Clear All Filters from the shortcut menu.
FIGURE 26-8 You can filter firewall rules by profile, state, and group to make it easier to manage large numbers of rules.

Managing Windows Firewall Using Group Policy
In enterprise environments, the primary method for managing Windows Firewall on remote
computers (both clients and servers) is to use Group Policy. To manage Windows Firewall on a
collection of computers on your network using Group Policy, do the following:
1. Create a new GPO and link the GPO to the organizational unit (OU) where the computer
accounts for these computers reside.
2. Open the GPO using the Group Policy Management Editor from the Group Policy
Management Console (GPMC) and navigate to the following location:
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall
With Advanced Security\
3. Select the policy node under this location, which should look like this:
Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
Here GUID is the globally unique identifier for the Group Policy Container (GPC)
associated with the GPO you have opened.
Once you have selected this node, you can configure Group Policy settings for Windows
Firewall using the same graphical user interface for the Windows Firewall with Advanced
Security snap-in described previously (see Figure 26-9).
FIGURE 26-9 Using Group Policy to configure Windows Firewall with Advanced Security on targeted computers
CONSIDERATIONS WHEN MANAGING WINDOWS FIREWALL USING GROUP POLICY
The following considerations should be kept in mind when managing Windows Firewall using
Group Policy:

• The state of each firewall profile in the firewall policy of a GPO is initially Not
Configured. This means that firewall policy applied to computers targeted by the GPO will
have no effect. For example, if the domain profile of Windows Firewall on a targeted
computer is enabled, it will remain enabled after Group Policy processing has occurred.
Similarly, if the domain profile of Windows Firewall on a targeted computer is disabled,
it will remain disabled after Group Policy processing has taken place on the computer.
So if a local administrator on the targeted computer turns off Windows Firewall on his
computer, it will remain turned off even after Group Policy processing has taken place
on the computer. Therefore, if you want to ensure that the firewall policy in the GPO
applies to targeted computers, you must enable the firewall profiles in the policy. To
do this, right-click the following policy node in the GPO:
Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
Select Properties from the context menu, and on each profile tab (Domain Profile,
Private Profile, and Public Profile), change the Firewall State policy setting from Not
Configured to On (Recommended).
• The default inbound and outbound rules for each firewall profile in the firewall policy
of a GPO are also initially Not Configured. Therefore, if you want to ensure that firewall
rules are processed as expected when the GPO is processed by targeted computers,
you should configure the desired default inbound and outbound rules in the policy.
To do this, right-click on the policy node described above and select Properties from
the context menu. Then on each profile tab (Domain Profile, Private Profile, and Public
Profile), change the Inbound Connections and Outbound Connections policy settings
to the values you want to use, which are typically the following.
Note that if multiple GPOs for firewall policy target the same computer and each GPO
has different default rules configured, the default rules for the GPO that has the highest
precedence apply. Note also that if you set outbound connections to Block and then
deploy the firewall policy by using a GPO, computers that receive it will not receive
subsequent Group Policy updates unless you first create and deploy an outbound
rule that enables Group Policy to work. Predefined rules for Core Networking include
outbound rules that enable Group Policy to work. Ensure that these outbound rules are
active, and thoroughly test firewall profiles before deploying the policy.
• By default, rule merging is enabled between local firewall policy on Windows 7
computers and firewall policy specified in GPOs that target those computers. This means
that local administrators can create their own firewall and connection security rules
on their computers, and these rules will be merged with the rules obtained through
Group Policy targeting the computers. Rule merging can be enabled or disabled on a
per-GPO, per-profile basis by opening the Properties of the policy node described
previously, selecting a firewall profile, and clicking Customize under Settings. Then under
Rule Merging in the Customize Settings For The firewall_profile dialog box, change the
Apply Local Firewall Rules and/or Apply Local Connection Security Rules policy settings
from Not Configured to Yes (Default) or No, as shown here.
To ensure that only GPO-supplied rules are applied to computers targeted by the GPO
and that locally defined rules on the computers are ignored, change these two policy
settings from Not Configured to No. If you decide to leave rule merging enabled in the
firewall policy of a GPO by configuring these two policy settings as either Yes (Default)
or Not Configured, you should explicitly configure all firewall policy settings that may
be needed by the targeted computers including firewall and IPsec settings, firewall
rules, and connection security rules. Otherwise, any policy settings that you leave
unconfigured in the GPO can be overridden by the local administrator on the targeted
computer by using the Windows Firewall with Advanced Security snap-in or the Netsh
command.
MORE INFO See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec
Policies for a walkthrough of how to deploy firewall and connection security rules using
Group Policy.
NOTE For faster processing of GPOs that are used only for applying firewall policy to
targeted computers, disable the User portion of the GPO using the GPMC.
Managing Windows Firewall Using the Netsh Command
The Netsh command can be used to manage Windows Firewall either interactively from the
command line or by using scripts. The Netsh command also has been enhanced in Windows 7
to expose almost all aspects of Windows Firewall to viewing and configuration (some settings,
such as global quick mode, can only be configured using the Windows Firewall with Advanced
Security snap-in). By using the netsh advfirewall context of this command, you can display the
status and configuration of Windows Firewall, configure firewall and IPsec settings, create
and configure both firewall and connection security rules, monitor active connections, and
perform other management tasks.
NOTE You must run the netsh advfirewall command from an elevated command prompt
to set (configure) Windows Firewall settings. You do not need to run it from an elevated
command prompt if you only want to show (view) Windows Firewall settings.
To enter the netsh advfirewall context from the command line, type netsh and press Enter,
then type advfirewall and press Enter.
C:\Windows\System32>netsh
netsh>advfirewall
netsh advfirewall>
The prompt indicates the current context of the command. Typing help at the netsh

advfirewall prompt displays the following additional commands available for this context:
• consec  Changes to the netsh advfirewall consec context, which lets you view and
  configure connection security rules.
• export  Exports the current firewall policy to a .wfw file.
• firewall  Changes to the netsh advfirewall firewall context, which lets you view and
  configure firewall rules.
• import  Imports a .wfw policy file into the current policy store.
• mainmode  New in Windows 7, this changes to the netsh advfirewall mainmode
  context, which lets you view and configure main mode configuration rules.
• monitor  Enhanced with added functionality in Windows 7, this changes to the netsh
  advfirewall monitor context, which lets you view the current IPsec, firewall, and main
  mode states, and the current quick mode and main mode security associations
  established on the local computer.
• reset  Resets the firewall policy to the default out-of-box policy.
• set  Sets per-firewall-profile and global firewall settings.
• show  Displays firewall profiles and global firewall settings.
For example, you can use the show domainprofile command to view the firewall settings
for the domain profile as follows.
netsh advfirewall>show domainprofile
Domain Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
To view the global firewall and IPsec settings on the local computer, use the show global
command as follows.
netsh advfirewall>show global
Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck 0:Disabled
SAIdleTimeMin 5min
DefaultExemptions NeighborDiscovery,DHCP
IPsecThroughNAT Never
AuthzUserGrp None
AuthzComputerGrp None
StatefulFTP Enable
StatefulPPTP Enable
Main Mode:
KeyLifetime 480min,0sess
SecMethods DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH No
Categories:
BootTimeRuleCategory Windows Firewall
FirewallRuleCategory Windows Firewall
StealthRuleCategory Windows Firewall
ConSecRuleRuleCategory Windows Firewall
To view full details concerning a particular firewall rule such as the Remote Assistance
(TCP-In) rule, first type firewall and press Enter to change to the netsh advfirewall firewall
context, then use the show rule command as follows.
netsh advfirewall firewall>show rule name="Remote Assistance (TCP-In)" profile=domain,private verbose
Rule Name: Remote Assistance (TCP-In)
----------------------------------------------------------------------
Description: Inbound rule for Remote Assistance traffic. [TCP]
Enabled: Yes
Direction: In
Profiles: Domain,Private
Grouping: Remote Assistance
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: Any
RemotePort: Any
Edge traversal: Defer to application
Program: C:\Windows\system32\msra.exe
InterfaceTypes: Any
Security: NotRequired
Rule source: Local Setting
Action: Allow
You can also pipe Netsh output to Findstr to list the inbound rules that belong to a specific
rule group. Findstr matches both the Rule Name and the Grouping lines, and a rule name can
appear more than once because the built-in groups contain separate rules with the same name
for different profiles; use show rule with the verbose parameter to see which profiles each
rule applies to. For example, to display all inbound rules for the Remote Assistance rule
group, use this command.
C:\Windows\system32>netsh advfirewall firewall show rule name=all dir=in | findstr /I /C:"remote assistance"
Rule Name: Remote Assistance (PNRP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (SSDP TCP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (SSDP UDP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (TCP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (DCOM-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (RA Server TCP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (PNRP-In)
Grouping: Remote Assistance
Rule Name: Remote Assistance (TCP-In)
Grouping: Remote Assistance
To show all connection security rules configured on the local computer, type consec to
change to the netsh advfirewall consec context. Then use the show rule command as follows.
Note that the output includes any preshared key (Auth1PSK) in clear text, so anyone who can
read the policy can read the key; preshared keys are suitable for lab testing such as the rule
shown here, not for production, where certificate or Kerberos authentication should be used.
netsh advfirewall consec>show rule name=all
Rule Name: Lab Server
----------------------------------------------------------------------
Enabled: Yes
Profiles: Domain
Type: Static
Mode: Transport
Endpoint1: 172.16.11.131/32
Endpoint2: 172.16.11.163/32
Protocol: Any
Action: RequestInRequestOut
Auth1: ComputerPSK
Auth1PSK: test
MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods: ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
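The firewall show rule and consec show rule listings above share one record layout (a Rule Name: line, a separator, then Key: value lines), which makes them easy to audit in bulk. The following script is an added example, not code from the book: it parses both kinds of listing into dictionaries and flags what a reviewer would look at first in the two rules shown, namely an enabled inbound allow rule that requires no authentication from any remote address on any local port, and a connection security rule that uses a preshared key, only requests rather than requires IPsec, and offers integrity-only quick mode proposals. The sample records are constructed from the book's listings (with the wrapped lines rejoined as netsh prints them); the finding texts and thresholds are this example's own.

```python
"""Parse 'netsh advfirewall firewall show rule ... verbose' and
'netsh advfirewall consec show rule name=all' output and flag weak rules.
Added example, not from the Windows 7 Resource Kit."""
import re

# Constructed samples, taken from the listings above (one record each).
FIREWALL_SAMPLE = r"""
Rule Name:                            Remote Assistance (TCP-In)
----------------------------------------------------------------------
Description:                          Inbound rule for Remote Assistance traffic. [TCP]
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Assistance
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       Defer to application
Program:                              C:\Windows\system32\msra.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow
"""

CONSEC_SAMPLE = r"""
Rule Name:                            Lab Server
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain
Type:                                 Static
Mode:                                 Transport
Endpoint1:                            172.16.11.131/32
Endpoint2:                            172.16.11.163/32
Protocol:                             Any
Action:                               RequestInRequestOut
Auth1:                                ComputerPSK
Auth1PSK:                             test
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb
"""

# "Key: value"; the lazy key stops at the first colon, so values such as
# "ESP:SHA1-None+..." keep their own colons. Separator and blank lines do not match.
KV_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9 ]*?):\s*(?P<val>.*)$")


def parse_rules(text):
    """Return a list of {key: value} dicts, one per rule. Both the firewall and
    consec contexts start each record at 'Rule Name:', so one parser serves both."""
    rules, current = [], None
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if key == "Rule Name":
            current = {}
            rules.append(current)
        if current is not None:
            current[key] = val
    return rules


def audit_firewall(rule):
    """Findings for one firewall rule; only enabled inbound allow rules matter here."""
    findings = []
    if (rule.get("Enabled"), rule.get("Direction"), rule.get("Action")) != ("Yes", "In", "Allow"):
        return findings
    if rule.get("Security") == "NotRequired" and rule.get("RemoteIP") == "Any" \
            and rule.get("LocalPort") == "Any":
        program = rule.get("Program", "Any")
        scope = "program %s" % program if program != "Any" else "no program (any listener)"
        findings.append("unauthenticated inbound allow from any remote address on any local port; scope: " + scope)
    if rule.get("Edge traversal") == "Yes":
        findings.append("edge traversal enabled: unsolicited traffic can arrive through NAT")
    return findings


def audit_consec(rule):
    """Findings for one connection security rule."""
    findings = []
    if rule.get("Enabled") != "Yes":
        return findings
    for slot in ("Auth1", "Auth2"):
        if "PSK" in rule.get(slot, ""):
            findings.append("%s uses a preshared key (shown in clear text by show rule)" % slot)
    if "Request" in rule.get("Action", ""):
        findings.append("action %s only requests IPsec; plaintext is accepted when the peer "
                        "does not negotiate" % rule["Action"])
    methods = rule.get("QuickModeSecMethods", "")
    if "-None" in methods or "AH:" in methods:
        findings.append("quick mode offers integrity-only proposals (no confidentiality)")
    return findings


def audit(text, context):
    """context is 'firewall' or 'consec'. Returns {rule name: [findings]} for rules with findings."""
    check = audit_firewall if context == "firewall" else audit_consec
    report = {}
    for rule in parse_rules(text):
        found = check(rule)
        if found:
            report[rule["Rule Name"]] = found
    return report


if __name__ == "__main__":
    # On a real host, feed in the captured output of
    #   netsh advfirewall firewall show rule name=all verbose
    #   netsh advfirewall consec show rule name=all
    for context, sample in (("firewall", FIREWALL_SAMPLE), ("consec", CONSEC_SAMPLE)):
        for name, found in audit(sample, context).items():
            for f in found:
                print("%s | %s | %s" % (context, name, f))
```

The Remote Assistance rule is reported once (it is program-scoped to msra.exe but open to any address and port without authentication), and the Lab Server rule three times. Feeding the full name=all listings through the same functions gives the group-wide view that the Findstr pipeline above only approximates.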
NOTE To view all firewall settings including global settings, per-firewall profile settings,
and all active firewall rules on the computer, type netsh advfirewall monitor show firewall
verbose at a command prompt.
Also new in Windows 7 are the following two Netsh contexts:
• netsh trace  Enables ETW tracing and/or Network Diagnostics Framework (NDF)
  diagnostics for various features and scenarios including Windows Firewall and IPsec.
• netsh wfp  Enables WFP and Internet Key Exchange (IKE)/AuthIP tracing.
MORE INFO For more information concerning Netsh syntax and examples of usage, see
“Netsh Commands for Windows Firewall with Advanced Security”.
Common Management Tasks
The sections that follow briefly describe some common management tasks for administering
Windows Firewall with Advanced Security on Windows 7 and Windows Server 2008 R2. For
additional information concerning managing Windows Firewall with Advanced Security, see
the references in the section titled “Related Information” at the end of this chapter.