ZEDA.nl

Tips & Tweaks for Windows

Windows Firewall GPO's

I'm comfortable on the couch writing this article. Like anyone else nowadays, I want to be able to work anywhere I want. Securely, of course.

One step in that direction is Active Directory group policy for Windows Firewall with Advanced Security.

This post describes:

  • The network types: Home, Work, Public and Domain
  • The firewall profiles: Private, Public and Domain
  • Defining default firewall group policy settings
  • Creating inbound and outbound rules
  • Do's & Don'ts

Determine the location

The first important task is to determine the type of network location. I trust my company network more than I trust the one at the local burger joint, so it makes sense to tighten the firewall rules there.

The Windows (Vista, 7 and 2008) service NLA - Network Location Awareness - determines the network type by consulting the user. After connecting to a new network, Windows asks the user to classify it. The choices are Work network, Home network and Public network.

If Windows cannot classify the network at all, it chooses Public network automatically. This happens, for example, when no default gateway is available.

Besides these three options there is a fourth network type that is selected automatically when the computer connects to its domain. This option is called Domain network and cannot be chosen or changed by hand.

Different network types in Windows firewall

Windows Firewall with Advanced Security distinguishes three types of network instead of four. Public and Domain are available, but Home and Work network are combined into Private.

Group policy settings

Now that the types of network are clear, let's take a look at the GPO. The Windows Firewall with Advanced Security settings are found under Policies -> Windows Settings -> Security Settings.

You can see the inbound and outbound rules here, but first define what happens when no rule matches. To do this, open the properties of Windows Firewall with Advanced Security.

The tabs show you the policies for the three types of network, each containing the same settings. So the default behaviour is set per network type.

Recommended in the GPO for each type of network is to turn the firewall on, block inbound traffic and allow outbound traffic. Outbound traffic is traffic that you (or your computer) initiate yourself, while inbound traffic is initiated by others, so the recommended settings make sense. Set these and you're halfway there.

I'm slightly more paranoid myself, so in the Public Profile tab I set Outbound connections to Block. To still be able to get anything done at a public place, I have to create some outbound rules.

Inbound Rules

Although it's safe to block all inbound traffic, I want to allow administrators to manage the computers. For the administrators' VLAN 10.10.10.0/24 I create a rule to allow all inbound access:

1. Right-click Inbound Rules and click New Rule. A wizard appears to help you create a new rule.

2. I want to allow full access from a certain IP range, but I don't see any predefined option for that, so I choose Custom.

3. The next question is which program the rule applies to. I choose All programs.

4. I want all traffic allowed so I select Protocol type Any.

5. Next is the part to define the IP-range. I add the network 10.10.10.0/24 to Remote IP addresses.

6. I choose Allow the connection.

7. The administrators are on the domain network only, so I deselect Private and Public.

8. Give the rule a catchy name and description and finish the wizard. It will be visible in your inbound rules list.

Outbound Rules

The same way I created the inbound rule, I create outbound rules for the public profile to allow the computer DNS access and allow the Internet Explorer program to use HTTP and HTTPS traffic.
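The wizard steps above and the outbound rules for the public profile, scripted as an added example (not from the original post) with the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later, run from a domain-joined admin workstation with the Group Policy management tools installed; the Vista/7/2008 systems this post targets have no such cmdlets, and the GPMC wizard is the equivalent there. The domain name and GPO name are placeholders; the administrators' VLAN 10.10.10.0/24 is the one from the post.

```powershell
# Added example, not the post's own configuration. Placeholder "Domain\GPO name":
$Gpo = 'contoso.local\Workstation Firewall'

# Open one session to the GPO store so every cmdlet below edits the same policy;
# nothing is written to the GPO until Save-NetGPO is called.
$Session = Open-NetGPO -PolicyStore $Gpo

# Default behaviour per profile: firewall on, block inbound, allow outbound.
# Domain and Private keep outbound allowed (see the Don'ts: at startup the
# Private profile is active and still needs to reach the domain / gpupdate).
Set-NetFirewallProfile -GPOSession $Session -Profile 'Domain, Private' `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# The stricter Public profile additionally blocks outbound by default.
Set-NetFirewallProfile -GPOSession $Session -Profile Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# Inbound, Domain profile only: all programs, any protocol, from the admin VLAN
# (wizard steps 1-8).
New-NetFirewallRule -GPOSession $Session `
    -DisplayName 'Allow admin VLAN 10.10.10.0/24 (inbound)' `
    -Description 'Remote management from the administrators VLAN' `
    -Direction Inbound -Action Allow -Profile Domain `
    -Program Any -Protocol Any -RemoteAddress 10.10.10.0/24

# Outbound, Public profile: DNS for the computer itself ...
New-NetFirewallRule -GPOSession $Session -DisplayName 'Public: DNS out' `
    -Direction Outbound -Action Allow -Profile Public `
    -Protocol UDP -RemotePort 53

# ... and HTTP/HTTPS for Internet Explorer only, not for every program.
New-NetFirewallRule -GPOSession $Session -DisplayName 'Public: IE HTTP/HTTPS out' `
    -Direction Outbound -Action Allow -Profile Public `
    -Program '%ProgramFiles%\Internet Explorer\iexplore.exe' `
    -Protocol TCP -RemotePort 80, 443

# Commit the whole session to the GPO in one go.
Save-NetGPO -GPOSession $Session

# Test your settings: on a domain member, after gpupdate /force, list the rules
# the firewall actually enforces and confirm the Public rules arrived.
Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object DisplayName -like 'Public:*' |
    Get-NetFirewallPortFilter
```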

Do's and Don'ts

Last, some things to consider.

Don't: never block all outbound traffic for the Domain and Private profiles. At startup the Private profile is used; only once there is a domain connection does the profile change to Domain.

If the Private profile's connection to the domain is blocked, no domain access will be possible, including gpupdate to collect new settings.

Do: start with the recommended settings, supplemented with inbound rules for administrator access.

Do: test your settings!

Do: think about acquiring updates (Windows Update, virus definitions, etc.).

Do: think about the freedom you allow the users. Think about internet access, chatting, printing, streaming media, VPN, etc., especially when they are at home.

Don't: don't get discouraged by these Do's and Don'ts.

This post applies to: Windows 2008, Windows 2008 R2, Windows Vista, Windows 7.
