Windows Firewall also lets you restrict an exception according to the source of the traffic. So, for example, you can permit other company computers, and only those computers, to access a particular computer. Windows Firewall lets you define source IP addresses as Any computer, My network (subnet) only, or Custom list. The My network (subnet) only option covers the network segment to which the client's adapter is connected. If you want to allow file sharing between computers within your company, you can define discrete port rules (such as allowing TCP ports 135 to 139 and port 445), and you can define rules based on source address (such as all computers on the corporate LAN). The Custom list option lets you specify a comma-separated series of IP addresses or IP address ranges with subnet masks (e.g., 192.168.0.0/255.255.255.0, 192.168.0.10). Support for multiple subnets and subnetted networks is a boon to midsized and large organizations that use custom subnetting.
Installing and Configuring the Windows Firewall Client
Installing XP SP2 automatically installs the Windows Firewall client and enables the firewall on all network adapters. Later, I show you how to turn off Windows Firewall before you install SP2, which is useful if you already run a third-party host-based firewall.
You locally manage Windows Firewall for all adapters by using the new Control Panel Windows Firewall applet, which Figure 1 shows. You must be a member of the local administrators group to manage the Windows Firewall settings for a computer.
Windows Firewall has three operating states: On (the default), Don't allow exceptions, and Off. As you can guess, Off disables the firewall entirely. Windows Firewall introduces the concept of exceptions, which are simply another name for ACL entries. When you use the firewall in the On state, the firewall protects your computer by using the rules that you define on the Windows Firewall applet's Exceptions tab. However, you can also set the firewall to Don't allow exceptions. In this mode the firewall is still on, but the computer blocks all unsolicited inbound communications, with no exceptions. Outbound connections and the replies to connections the computer itself initiated (solicited traffic) are still permitted.
Configuring Windows Firewall consists primarily of defining the firewall exceptions. To locally manage the exceptions, open the Windows Firewall applet and go to the Exceptions tab, which Figure 2 shows. The Exceptions tab lets you define which applications or ports will be allowed through the firewall.
Windows Firewall manages all network connections for the computer on which it's installed; however, you can disable the firewall for specific adapters by using the Advanced tab. The other configuration options on the Advanced tab let you configure logging and specify rules for allowing Internet Control Message Protocol (ICMP) traffic.
Using Group Policy to Manage Windows Firewall
One of Windows Firewall's most powerful enhancements is the ability to use Group Policy to manage client configurations. You can use Group Policy to configure all your firewall exceptions from one location and apply them to all target computers. You can also configure different firewall configurations for specific groups of users. For example, you might create an organizational unit (OU) named Sales_Laptops that contains all your Sales department laptops. Then you can create a new Group Policy Object (GPO) that enables Windows Firewall on only these computers. The settings are activated when the computers in this OU refresh the GPO. This method lets you specify standard Windows Firewall settings for any domain, site, or OU. A Windows Firewall GPO applies only to XP SP2 computers covered by that GPO.
You can access the new Windows Firewall GPO elements by creating a GPO from an XP SP2 computer. In Group Policy Editor, the Windows Firewall GPO elements are located under Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall. If you elect to use Group Policy to manage Windows Firewall, you can effectively block a user from making any local changes--even if the user is a local administrator. The Allow Local Port Exceptions GPO lets you specify whether you want to let local administrators make Windows Firewall port changes on a local computer. Web Figure 1 lists the new Windows Firewall GPOs.
Managing Windows Firewall from the Command Line
You can also manage Windows Firewall clients via the Netsh command-line tool. You can use Netsh to configure network settings through a batch file or directly from the command line. For example, the command
netsh firewall show config
displays the current settings of the Windows Firewall client, as Figure 3 shows. Netsh lets you configure most Windows Firewall settings--good news for scripters, who can now use a logon script to configure and verify Windows Firewall operation.
For example, the following Netsh command will create a local firewall rule to allow certain addresses to telnet into a Windows Firewall-protected computer:
netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = ENABLE scope = CUSTOM addresses = 192.168.0.0/255.255.255.0,10.0.0.0/255.255.240.0
You can also shorten the command by dropping the attribute names, as the following example shows:
netsh firewall add portopening TCP 23 Telnet ENABLE CUSTOM 192.168.0.0/255.255.255.0,10.0.0.0/255.255.240.0
You can view the results of the above command by using the command
netsh firewall show portopening
For more information about using Netsh, see Related Reading.
Domain Profiles vs. Standard Profiles
Another useful Windows Firewall feature is its ability to choose from two security states--standard and domain--depending on which network the computer is connected to. You can configure unique exceptions for each state. For example, you might permit file sharing only while the computer is connected to the domain. Windows Firewall compares the currently connected AD domain name (if one exists) with the IP configuration DNS suffix to determine whether to use the domain or standard profile. To configure the domain and standard profiles, go to the Windows Firewall GPO and select the one you want to configure.
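The decision the firewall makes for an unsolicited inbound packet follows from three things described above: the operating state (On, Don't allow exceptions, Off), the exception list of the active profile (domain or standard, chosen by comparing the AD domain name with the adapter's DNS suffix), and each exception's scope (Any computer, My network (subnet) only, or a Custom list of addresses and masks). The following Python model, added here as an illustration and not code from Microsoft or from the article, walks through that evaluation with the Telnet rule from the Netsh section plus a constructed SMB rule; the profile names, the sample subnet 192.168.0.0/24, the domain name corp.example and the packets are all assumptions made for the example.

```python
"""Model of how Windows Firewall (XP SP2) decides whether to accept an
unsolicited inbound packet: operating state first, then the active
profile's exception list, then each exception's scope.
Added illustration, not Microsoft's code; rule data is constructed from
the article's Telnet example plus an assumed SMB rule."""
import ipaddress
from dataclasses import dataclass

# Operating states as shown in the Windows Firewall applet.
ON, ON_NO_EXCEPTIONS, OFF = "On", "Don't allow exceptions", "Off"


@dataclass
class PortException:
    protocol: str          # "TCP" or "UDP"
    port: int
    name: str
    enabled: bool = True
    scope: str = "ALL"     # ALL (Any computer), SUBNET (My network only) or CUSTOM
    addresses: str = ""    # netsh-style list, used only when scope == "CUSTOM"


def parse_custom_list(addresses: str) -> list:
    """Turn '192.168.0.0/255.255.255.0,192.168.0.10' into network objects.
    A bare address becomes a /32; a network/mask pair is kept as given."""
    nets = []
    for item in addresses.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_scope(exc: PortException, src_ip: str, local_subnet: str) -> bool:
    """Does the packet's source address fall inside the exception's scope?"""
    src = ipaddress.ip_address(src_ip)
    if exc.scope == "ALL":
        return True
    if exc.scope == "SUBNET":
        return src in ipaddress.ip_network(local_subnet, strict=False)
    if exc.scope == "CUSTOM":
        return any(src in net for net in parse_custom_list(exc.addresses))
    raise ValueError(f"unknown scope {exc.scope}")


def select_profile(ad_domain, dns_suffix) -> str:
    """Domain profile only when the connected AD domain matches the DNS suffix."""
    if ad_domain and dns_suffix and ad_domain.lower() == dns_suffix.lower():
        return "DOMAIN"
    return "STANDARD"


def allows_inbound(state, exceptions, protocol, dst_port, src_ip, local_subnet) -> bool:
    """True if an unsolicited inbound packet is accepted under this state and rule set."""
    if state == OFF:                  # firewall disabled: everything passes
        return True
    if state == ON_NO_EXCEPTIONS:     # exceptions ignored: nothing unsolicited passes
        return False
    for exc in exceptions:
        if (exc.enabled and exc.protocol == protocol.upper()
                and exc.port == dst_port and in_scope(exc, src_ip, local_subnet)):
            return True
    return False


# Constructed sample configuration (assumption, not a real deployment).
PROFILES = {
    "DOMAIN": [
        PortException("TCP", 23, "Telnet", scope="CUSTOM",
                      addresses="192.168.0.0/255.255.255.0,10.0.0.0/255.255.240.0"),
        PortException("TCP", 445, "SMB", scope="SUBNET"),
    ],
    "STANDARD": [],   # nothing allowed in while away from the domain
}
LOCAL_SUBNET = "192.168.0.0/24"   # assumed subnet of the client's adapter


def decide(state, ad_domain, dns_suffix, protocol, dst_port, src_ip):
    """Pick the profile, then evaluate the packet; returns (profile, allowed)."""
    profile = select_profile(ad_domain, dns_suffix)
    allowed = allows_inbound(state, PROFILES[profile], protocol, dst_port, src_ip, LOCAL_SUBNET)
    return profile, allowed


if __name__ == "__main__":
    samples = [
        (ON, "corp.example", "corp.example", "TCP", 23, "10.0.15.7"),    # inside 10.0.0.0/20
        (ON, "corp.example", "corp.example", "TCP", 23, "10.0.16.1"),    # just outside it
        (ON, "corp.example", "home.lan", "TCP", 445, "192.168.0.5"),     # standard profile
        (ON_NO_EXCEPTIONS, "corp.example", "corp.example", "TCP", 23, "10.0.15.7"),
    ]
    for args in samples:
        print(args, "->", decide(*args))
```

The 255.255.240.0 mask in the article's rule is a /20, so 10.0.15.7 is inside the Telnet scope while 10.0.16.1 is not; the same address list typed into the applet's Custom list would behave identically. The model also makes the profile switch visible: with a non-matching DNS suffix the standard profile is selected and its empty exception list drops the SMB packet that the domain profile would have accepted.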