Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security
Microsoft Corporation
Published: October 2007
Author: Dave Bishop
Editor: Scott Somohano
Technical Reviewers: Sarah Wahlert, Tom Baxter, Siddharth Patil, L. Joan Devraun
MVP Reviewers: Michael Gotch, Rodrigo Immaginario, Robert Stuczynski
Abstract
This guide shows you how to centrally configure and distribute commonly used settings and rules for Windows Firewall with Advanced Security by describing typical tasks in a common scenario. You get hands-on experience in a lab environment using Group Policy management tools to create and edit GPOs to implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios and see the effects of those settings.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This Step-by-Step Guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2007 Microsoft Corporation. All rights reserved.
Microsoft Windows Server, Windows Vista, and Windows XP are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Contents
Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security
  Scenario Overview
  Technology Review for Deploying Windows Firewall with Advanced Security
    Network Location Awareness
    Host Firewall
    Connection Security and IPsec
    Group Policy
  Requirements for Performing the Scenarios
  Examining Default Settings on Clients and Servers
    Step 1: Starting Windows Firewall in Control Panel
    Step 2: Examining the Basic Options Available by Using the Control Panel Interface
    Step 3: Examining the Basic Options by Using the Netsh Command-Line Tool
    Step 4: Examining the Basic Options Available When Using the Windows Firewall with Advanced Security MMC snap-in
  Deploying Basic Settings by Using Group Policy
    Step 1: Creating OUs and Placing Computer Accounts in Them
    Step 2: Creating the GPOs to Store Settings
    Step 3: Adding the GPO Setting to Enable the Firewall on Member Client Computers
    Step 4: Deploying the Initial GPO with Test Firewall Settings
    Step 5: Adding the Setting that Prevents Local Administrators from Applying Conflicting Rules
    Step 6: Configuring the Rest of Your Client Computer Firewall Settings
    Step 7: Creating WMI and Group Filters
    Step 8: Enabling Firewall Logging
  Creating Rules that Allow Required Inbound Network Traffic
    Step 1: Configuring Predefined Rules by Using Group Policy
    Step 2: Allowing Unsolicited Inbound Network Traffic for a Specific Program
    Step 3: Allowing Inbound Traffic to a Specific TCP or UDP Port
    Step 4: Allowing Inbound Network Traffic that Uses Dynamic RPC
    Step 5: Viewing the Firewall Log
  Creating Rules that Block Unwanted Outbound Network Traffic
    Step 1: Blocking Network Traffic for a Program by Using an Outbound Rule
    Step 2: Deploying and Testing Your Outbound Rule
  Deploying a Basic Domain Isolation Policy
    Step 1: Creating a Connection Security Rule that Requests Authentication
    Step 2: Deploying and Testing Your Connection Security Rules
    Step 3: Changing the Isolation Rule to Require Authentication
    Step 4: Testing Isolation with a Computer That Does Not Have the Domain Isolation Rule
    Step 5: Creating Exemption Rules for Computers that are Not Domain Members
  Isolating a Server by Requiring Encryption and Group Membership
    Step 1: Creating the Security Group
    Step 2: Modifying a Firewall Rule to Require Group Membership and Encryption
    Step 3: Creating a Firewall Rule on the Client to Support Encryption
    Step 4: Testing the Rule When CLIENT1 Is Not a Member of the Group
    Step 5: Adding CLIENT1 to the Group and Testing Again
  Creating Rules that Allow Specific Computers or Users to Bypass Firewall Block Rules
    Step 1: Adding and Testing a Firewall Rule that Blocks All Telnet Traffic
    Step 2: Modifying Your Telnet Allow Rule to Override Block Rules
  Summary
  Additional References
Step-by-Step Guide to Deploying Policies for Windows Firewall with Advanced Security
This step-by-step guide illustrates how to deploy Active Directory® Group Policy objects (GPOs) to configure Windows Firewall with Advanced Security in Windows Vista® and Windows Server® 2008. Although you can configure a single server locally by using Group Policy Management tools directly on the server, that method is not consistent or efficient when you have many computers to configure. When you have multiple computers to manage, create and edit GPOs, and then apply those GPOs to the computers in your organization.
The goal of a Windows Firewall with Advanced Security configuration in your organization is to improve the security of each computer by blocking unwanted network traffic from entering the computer. Network traffic that does not match the rule set of Windows Firewall with Advanced Security is dropped. You can also require that the network traffic which is allowed must be protected by using authentication or encryption. The ability to manage Windows Firewall with Advanced Security by using Group Policy allows an administrator to apply consistent settings across the organization in a way that is not easily circumvented by the user.
In this guide, you get hands-on experience in a lab environment using Group Policy management tools to create and edit GPOs to implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios and see the effects of those settings.
Scenario Overview
In this guide, you learn how to create and deploy settings for Windows Firewall with Advanced Security by stepping through procedures that illustrate the common tasks you have to perform in a typical scenario.
Specifically, you configure settings in GPOs to control the following Windows Firewall with Advanced Security options:
∙ Enable or disable the Windows Firewall, and configure its basic behavior.
∙ Determine which programs and network ports are allowed to receive inbound network traffic.
∙ Determine which outbound network traffic is allowed or blocked.
∙ Support network traffic that uses multiple or dynamic ports, such as those that use Remote Procedure Call (RPC), or the File Transfer Protocol (FTP).
∙ Require that all network traffic entering specific servers be protected by Internet Protocol security (IPsec) authentication and optionally encrypted.
You work with several computers that perform common roles found in a typical network environment. These include a domain controller, a member server, and a client computer, as shown in the following illustration.
The scenario described in this guide includes viewing and configuring firewall settings, and configuring a domain isolation environment. It also includes server isolation, which requires group membership to access a server and can optionally require that all traffic to the server is encrypted. Finally, it includes a mechanism to allow trusted network devices to bypass firewall rules for troubleshooting.
Each of the scenario steps is described in the following sections.
Examining default settings on clients and servers
In this section, you use Windows Firewall settings in Control Panel, the netsh command-line tool, and the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in to examine the default Windows Firewall with Advanced Security settings on both the CLIENT1 and MBRSVR1 computers. Using the tools directly on a local computer is useful to see the current configuration and the firewall and connection security rules that are active on the computer.
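The netsh part of this examination, as an added PowerShell example that is not part of the Microsoft guide: it parses the output of "netsh advfirewall show allprofiles" and reports any profile whose firewall is off, that does not apply the block-inbound/allow-outbound policy the guide relies on, or that is not logging dropped connections. It assumes PowerShell 3.0 or later and English-language netsh output; the embedded sample output is constructed and is only used when netsh is not available.

```powershell
# Added example, not part of the Microsoft guide. Assumes English-language netsh output.
function ConvertFrom-NetshProfiles {
    # Turn the text of "netsh advfirewall show allprofiles" into one object per profile.
    param([string[]]$Lines)
    $profiles = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+) Profile Settings:') {
            $current = [pscustomobject]@{ Profile = $Matches[1]; State = $null; Policy = $null; LogDropped = $null }
            $profiles += $current
        }
        elseif ($null -ne $current) {
            if     ($line -match '^State\s+(\S+)')                 { $current.State      = $Matches[1] }
            elseif ($line -match '^Firewall Policy\s+(\S+)')       { $current.Policy     = $Matches[1] }
            elseif ($line -match '^LogDroppedConnections\s+(\S+)') { $current.LogDropped = $Matches[1] }
        }
    }
    return ,$profiles
}

function Test-ProfileBaseline {
    # Compare one profile with the defaults the guide relies on: firewall on, unmatched
    # inbound traffic dropped, and dropped connections written to the firewall log.
    param($Profile)
    $issues = @()
    if ($Profile.State -ne 'ON')                          { $issues += 'firewall is off' }
    if ($Profile.Policy -ne 'BlockInbound,AllowOutbound') { $issues += "policy is $($Profile.Policy)" }
    if ($Profile.LogDropped -ne 'Enable')                 { $issues += 'dropped connections are not logged' }
    return ,$issues
}

# Constructed sample in the shape of real netsh output, used when netsh is not available.
$sampleText = @'
Domain Profile Settings:
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LogDroppedConnections                 Disable

Public Profile Settings:
State                                 OFF
Firewall Policy                       AllowInbound,AllowOutbound
LogDroppedConnections                 Disable
'@
$lines = if (Get-Command netsh -ErrorAction SilentlyContinue) { netsh advfirewall show allprofiles } else { $sampleText -split "`r?`n" }
foreach ($p in ConvertFrom-NetshProfiles -Lines $lines) {
    $issues = Test-ProfileBaseline -Profile $p
    if ($issues.Count -eq 0) { "$($p.Profile): matches baseline" } else { "$($p.Profile): $($issues -join '; ')" }
}
```

On a localized Windows installation the netsh labels are translated, so the regular expressions need to be adjusted before the parser will match anything.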
Deploying basic settings by using Group Policy
In this section, you create a Group Policy object (GPO) that contains basic firewall settings, and then assign that GPO to the organizational unit (OU) that contains the client computer. To ensure that only the correct computers can apply the GPO settings, you use Windows Management Instrumentation (WMI) and security group filtering to restrict applying the GPO to computers that are running the correct version of Windows.
The GPO that you configure includes some of the basic Windows Firewall with Advanced Security settings that are part of a typic