Network Security

In the preceding lesson you learned the basics about the Windows Firewall and how to use it. This time we will go deeper into the detailed rules and exceptions that govern the Windows Firewall.

Most users might never need to dig into these settings, but there may be that one time when you need to allow an application to have access. You will learn about Windows Firewall with Advanced Security, what this special management snap-in is, and how you can use it to truly control everything that the Windows Firewall does.

Before you do that, however, you will have to have a clear understanding of the types of rules existing in the Windows Firewall and their properties. You will also learn what you can monitor using Windows Firewall with Advanced Security.

After that you will finally learn how to manage existing rules in the Windows Firewall and how to create your own outbound and inbound rules.

In case you have played too much with the settings of the Windows Firewall and things are starting to malfunction, you will need to learn how to reset its settings to their defaults. Have no fear, this lesson has you covered and will also share how to reset all the Windows Firewall settings.

Once you’ve completed this lesson, you should have a pretty thorough knowledge of the Windows Firewall.

What is the Windows Firewall with Advanced Security?

Put simply, Windows Firewall with Advanced Security is a management snap-in for the Windows Firewall from which you can control, in a very detailed way, all the rules and exceptions that govern how the Windows Firewall works.

In order to access it, you need to open the Windows Firewall as shown in the previous lesson and then click or tap the “Advanced settings” link on the column on the left.

“Windows Firewall with Advanced Security” is now open. This snap-in looks big and scary at first, and for good reason. This is where Windows Firewall stores all its rules at a very detailed level. What we have seen in the previous lesson is only a limited but user-friendly view of the rules that govern its functioning. This is where you get dirty and edit any parameter, no matter how small, for any rule and exception.

Understanding Inbound, Outbound & Connection Security Rules

In Windows Firewall with Advanced Security you will encounter three important types of rules:

  • Inbound rules – they apply to traffic that is coming from the network or the Internet to your Windows computer or device. For example, if you are downloading a file through BitTorrent, the download of that file is filtered through an inbound rule.
  • Outbound rules – these rules apply to traffic that is originating from your computer and going to the network and the Internet. For example, your request to load the How-To Geek website in your web browser is outbound traffic and it is filtered through an outbound rule. When the website is downloaded and loaded by your browser, this is inbound traffic.
  • Connection security rules – less common rules that are used to secure the traffic between two specific computers while it crosses the network. This type of rule is used in very controlled environments with special security requirements. Unlike inbound and outbound rules, which are applied only to your computer or device, connection security rules require both computers involved in the communication to have the same rules applied.

All the rules can be configured so that they are specific to certain computers, user accounts, programs, apps, services, ports, protocols, or network adapters.

You can display the rules of a certain type by selecting the appropriate category in the column on the left.

You will see lots of inbound and outbound rules. Some rules will have a green checkmark near their name while others will have a gray one. The rules with the green checkmark are enabled, meaning that they are used by Windows Firewall. Those with a gray checkmark are disabled and they are not used by Windows Firewall.

Windows Firewall rules have the following parameters that can be edited:

  • Name – the name of the rule you are viewing.
  • Group – the group the rule belongs to. Generally, the group describes the app or the Windows feature the rule belongs to. For example, rules that apply to a specific app or program will have the app/program name as the group. Rules that are related to the same networking feature, e.g. File and Printer Sharing, will have as a group name the feature they relate to.
  • Profile – the network location/profile the rule is applied to: private, public, or domain (for business networks with network domains).
  • Enabled – it tells you whether the rule is enabled and applied by Windows Firewall or not.
  • Action – the action can be “Allow” or “Block” based on what the rule is supposed to do.
  • Override – tells you whether that rule overrides an existing block rule. By default, all rules should have the value “No” for this parameter.
  • Program – the desktop program the rule applies to.
  • Local address – tells you whether the rule is applied only when your computer has a specific IP address or not.
  • Remote address – tells you whether the rule is applied only when devices with specific IP addresses are connected or not.
  • Protocol – lists the network protocols to which the rule applies.
  • Local port – tells you whether the rule is applied for connections made on specific local ports or not.
  • Remote port – tells you whether the rule is applied for connections made on specific remote ports or not.
  • Authorized users – the user accounts for which the rule is applied (for inbound rules only).
  • Authorized computers – computers for which the rule is applied.
  • Authorized local principals – the user accounts for which the rule is applied (for outbound rules only).
  • Local user owner – the user account which is set as the owner/creator of the rule.
  • Application package – this applies only to apps from the Windows Store and it gives the package name of the app the rule applies to.
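
The parameters listed above can also be read from PowerShell. This added example (not part of the original lesson) lists the enabled inbound “Allow” rules that apply on the Public profile and flags those reachable from any remote address; the report column names are assumptions.

```powershell
# Added example: audit enabled inbound "Allow" rules that apply on the Public profile.
# Uses the built-in NetSecurity module (Windows 8 / Server 2012 and later).
$report = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    # Profile is a flags value; its text form is e.g. "Any", "Public" or "Domain, Private".
    if ($rule.Profile.ToString() -notmatch 'Any|Public') { continue }

    # The rule object holds name, group, profile and action;
    # program, port and address details live in separate filter objects.
    $app  = $rule | Get-NetFirewallApplicationFilter
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter

    [pscustomobject]@{
        Name          = $rule.DisplayName
        Group         = $rule.DisplayGroup
        Profile       = $rule.Profile
        Program       = $app.Program
        Package       = $app.Package
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort -join ','
        RemoteAddress = $addr.RemoteAddress -join ','
        # Widest exposure: any remote address may use this rule on an untrusted network.
        AnyRemote     = ($addr.RemoteAddress -contains 'Any')
    }
}

# Review the widest rules first.
$report | Sort-Object AnyRemote -Descending | Format-Table -AutoSize -Wrap
```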

What Can Be Monitored from the Windows Firewall with Advanced Security

Beneath the three types of rules mentioned earlier, you will find a section named “Monitoring.” If you expand it, you can view the active firewall rules, the active connection security rules, and the active security associations.

A security association is something that most of us will never use. This is the information maintained about a secure encrypted channel on the local computer or device, so that this information can be used for future network traffic to a specific remote computer or device. Here you can view which peers are currently connected to your computer and which protection suite was used by Windows to form the security association.

How to Manage Existing Windows Firewall Rules

The first thing you should keep in mind when working with the rules that are built into the Windows Firewall is that it is better to disable a rule than delete it. In case you do something ill-advised, then it is very easy to repair everything by re-enabling disabled rules. Rules which get deleted cannot be recovered unless you restore all the Windows Firewall settings to their defaults.

To disable a rule, first select it and then press “Disable Rule” on the column on the right.

Alternatively, you can also right click on a rule and select “Disable Rule.”

If you want to edit a rule and the way it works, you can do so by double-clicking on it, by selecting it and then pressing “Properties” in the column on the right, or by right-clicking on it and selecting “Properties.”

All the parameters we have mentioned earlier in this lesson can be modified in the “Properties” window of that rule.

When you are done making your changes, don’t forget to press “OK,” so that they are applied.

How to Create an Outbound Rule for the Windows Firewall

Creating rules in Windows Firewall with Advanced Security is easier than you would think and it involves using a friendly wizard. To illustrate, let’s create an outbound rule that blocks access to the network and the Internet for Skype, only when you are connected to untrusted public networks.

To do this, go to “Outbound Rules” and press “New Rule” in the column on the right.

This opens the “New Outbound Rule Wizard,” where you will create the new rule in just a couple of steps. First, you are asked to select the type of rule you want to create.

Your choices are:

  • Program – the rule applies to a specific program
  • Port – the rule applies to the network traffic that is performed through a specific port
  • Predefined – rule that controls the connections performed by a specific Windows service or feature
  • Custom – a custom rule that can block both programs and ports or a specific combination of both.

For our example, we have selected “Program” and pressed “Next.”

Depending on what you have chosen at the previous step, you are now asked to select the program or the ports that you want to add to the rule.

For our example, we have selected the executable of the program that we want to block – Skype.exe. When you’ve finished setting things up, press “Next.”

Next, you specify the action that should be taken:

  • Allow the connection – this includes both secure and insecure connections
  • Allow the connection if it is secure – the connection is allowed only if it is made through a secure channel. You can specify the kind of authentication and encryption you want applied by pressing “Customize”
  • Block the connection – blocks the connection, whether it is secure or not

For our example we have selected “Block the connection” and pressed “Next.”

Now you are asked to select when the rule applies, that is, the network location in which the rule is applied:

  • Domain – the rule is applied only when the computer is connected to a network domain
  • Private – the rule is applied only when the computer is connected to trusted private networks
  • Public – the rule is applied only when the computer is connected to untrusted public networks

For our example we have chosen “Public” because we wanted to block access only when the computer is connected to untrusted public networks.

When done making your choice, press “Next.”

You are asked to enter a name and a description for the newly created rule. Please don’t take the easy way out when you do this. Write something that is very descriptive so that you can understand what’s up with this rule later, when you need to edit the Windows Firewall rules.

Press “Finish” and the rule is created and used by the Windows Firewall.

How to Create an Inbound Rule for the Windows Firewall

In Windows Firewall with Advanced Security, go to “Inbound Rules” and press “New Rule” in the column on the right.

The “New Inbound Rule Wizard” is started. The options it displays are almost the same as the “New Outbound Rule Wizard” so we won’t explain everything again. We will provide more detail only where it makes sense.

To illustrate, we have created a rule which blocks all inbound traffic made using the TCP protocol on port 30770. At the first step we selected “Program” and pressed “Next.”

Now we are asked to select the protocol for which the rule applies and the port. The choices for protocols are TCP and UDP. If you want a rule that applies to both, you need to create two rules, one for each protocol.

Then, we had the choice to block all ports or only specific ones. We selected “Specific local ports”, entered “30770,” and pressed “Next.”

Now you are asked to select what action to take when a connection matches the conditions specified earlier. For our example, we have chosen “Block the connection” and pressed “Next.”

Now you have to select the network locations for which the rule applies. Since we wanted to block all TCP traffic on port 30770, we selected all three locations and pressed “Next.”

Finally, enter the name and the description for the newly created rule and press “Finish.”

The rule has been created and it is now used by the Windows Firewall.
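
The two wizard walkthroughs above (blocking Skype on public networks, blocking inbound TCP 30770) can be reproduced and checked from an elevated PowerShell prompt. This is an added example, not part of the original lesson; the rule IDs, display names, helper function and the Skype.exe path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. The rule IDs, display names and Skype path below are assumptions.
$skypeExe = 'C:\Program Files (x86)\Skype\Phone\Skype.exe'   # assumed path; adjust to your install

function Add-RuleIfMissing {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][hashtable]$Settings)
    # -Name is the rule's unique ID, so running the script twice creates no duplicates.
    if (Get-NetFirewallRule -Name $Name -ErrorAction SilentlyContinue) { return }
    New-NetFirewallRule -Name $Name @Settings | Out-Null
}

# Outbound wizard: Program -> Skype.exe -> Block the connection -> Public only.
Add-RuleIfMissing -Name 'Lesson-Out-Block-Skype-Public' -Settings @{
    DisplayName = 'Block Skype on public networks'
    Description = 'Blocks Skype.exe outbound while the active network profile is Public.'
    Direction   = 'Outbound'
    Program     = $skypeExe
    Action      = 'Block'
    Profile     = 'Public'
}

# Inbound wizard: TCP, specific local port 30770 -> Block -> all three locations.
# One rule covers one protocol; add 'UDP' to the list to create the second rule.
foreach ($proto in @('TCP')) {
    Add-RuleIfMissing -Name "Lesson-In-Block-$proto-30770" -Settings @{
        DisplayName = "Block inbound $proto 30770"
        Description = "Blocks inbound $proto connections to local port 30770 on every profile."
        Direction   = 'Inbound'
        Protocol    = $proto
        LocalPort   = '30770'
        Action      = 'Block'
        Profile     = 'Any'      # Domain + Private + Public
    }
}

# Read the rules back to confirm what Windows Firewall actually stored.
Get-NetFirewallRule -Name 'Lesson-*' |
    Select-Object Name, Direction, Action, Profile, Enabled
Get-NetFirewallRule -Name 'Lesson-In-*' | Get-NetFirewallPortFilter
```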

How to Restore Windows Firewall to its Defaults

If you have fiddled too much with the rules in Windows Firewall and things have started to work incorrectly, you can easily undo all your settings and restore Windows Firewall to its defaults. This can be done only from an administrator account.

To do this, open the Windows Firewall and from the left column, click or tap “Restore defaults.”

You are now informed of what this reset will do. When you’re ready, press “Reset defaults.”

You are asked to confirm that you are okay to go ahead with the reset.

You are back to the “Windows Firewall” window. All its settings have been reset to the defaults as if your Windows installation were brand new. You can now reconfigure its settings from scratch and hopefully solve your problems.
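
The advice to disable rather than delete a rule, and the reset described above, can be made safer by exporting the whole policy first so that deleted rules are recoverable. This is an added example, not part of the original lesson; the function names and backup location are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example. The backup location and function names are assumptions.
$backup = Join-Path $env:USERPROFILE ('firewall-policy-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))

function Export-FirewallPolicy {
    # Saves every rule and setting to one file that can be imported again later.
    netsh advfirewall export $backup | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $backup)) {
        throw 'Policy export failed; nothing has been changed.'
    }
    $backup
}

function Disable-RuleKeepingIt {
    param([Parameter(Mandatory)][string]$DisplayName)
    # Disabling keeps the rule in the store; Enable-NetFirewallRule undoes it.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction Stop | Disable-NetFirewallRule
    Get-NetFirewallRule -DisplayName $DisplayName | Select-Object DisplayName, Enabled
}

function Reset-FirewallToDefaults {
    # Restores the default policy, like the "Restore defaults" link; custom rules are removed.
    Export-FirewallPolicy | Out-Null      # always take a backup first
    netsh advfirewall reset
    if ($LASTEXITCODE -ne 0) { throw 'Reset failed.' }
    "Defaults restored. To go back: netsh advfirewall import `"$backup`""
}

# Typical use: take a backup, then make the reversible change.
Export-FirewallPolicy
# Disable-RuleKeepingIt -DisplayName '<rule display name>'   # placeholder name
# Reset-FirewallToDefaults                                   # last resort
```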

Coming up next …

That’s it for this lesson. We hope that you have learned many useful things about the Windows Firewall and that you will now have complete control over the way it works. In the next lesson we will move to another important security feature of Windows: the SmartScreen Filter.