Multiple Active Firewall Profiles in Windows 7
Want to manage multiple firewalls for different domains at the same time? Microsoft Windows 7 makes that possible.
With Windows Vista, Microsoft introduced the concept of network locations, whereby the Network Location Awareness service monitors your computer for changes in network connectivity. If you establish a new connection, for example, by connecting to a wireless hot spot at a coffee shop, Vista prompts you to identify the type of network you are connecting to as either a Home, Work or Public network. In addition, a connection to an Active Directory-based network automatically has its type of network identified as a Domain network.
In Vista, each of these network types has its own Windows Firewall profile. Public networks are protected by the Public firewall profile, which is the most restrictive profile because public networks are typically insecure. For example, Network Discovery is turned off for this profile so that other computers on the public network can’t see your computer. Home and Work networks are protected by the Private firewall profile, which is less restrictive than the Public profile. Finally, Domain networks are protected by the Domain profile, which is the least restrictive profile to allow enterprise applications and management systems full access to client computers.
But Vista can have only one firewall profile active at a time, even if the computer is connected to multiple networks. Furthermore, the active firewall profile is always the most restrictive profile. This often causes problems, especially in virtual private networking (VPN) scenarios.
For example, let’s say a remote user waiting at an airport terminal uses a wireless hot spot to establish a connection to the Internet. Vista identifies this connection as Public, and the firewall profile as Public. Next, the user establishes a VPN connection to his corporate network via the Interne using is domain credentials. Vista then identifies this VPN connection as a Domain connection, but the Public firewall profile remains active. This means Vista applies the Public firewall profile to a Domain-type network, and the result is that some enterprise applications don’t work properly over the VPN connection because the Public profile is too restrictive. For enterprise applications to work properly over a VPN connection, they need the Domain profile applied to the connection.
Windows 7 solves this problem and similar issues by supporting multiple active firewall profiles, which enables each profile (Public, Private and Domain) to be active on the computer simultaneously. Let’s examine this new feature of Windows 7 at work.
Figure 1 shows Windows 7 connected simultaneously to networks CONTOSO and FABRIKAM. The CONTOSO network is a Work network, and the connection is wired using the local-area connection network adapter inside the computer. The FABRIKAM network is a Public network, with a wireless connection to a nearby hot spot. Both networks are currently active, and the user can access the Internet through either of them.
Figure 1: This Windows 7 computer is simultaneously connected to two different types of networks.
Now let’s examine how Windows Firewall is configured on the computer. Figure 2 shows the Windows Firewall Control Panel, which indicates that two firewall profiles are currently active on the computer: Private and Public. The Private firewall profile protects Home or Work network connections, which in this example is the CONTOSO network. The Public firewall profile protects Public network connections, which here is the FABRIKAM network. Each type of network (the CONTOSO Work network and the FABIRKAM Public network) is protected by the appropriate active firewall profile (Private and Public). This means each network connection on the computer receives the degree of firewall protection appropriate to it — more restrictive for the Public (wireless) network and less restrictive for the Work (wired) network.
Figure 2: Each network connection, using Windows 7’s Windows Firewall, has a different active firewall profile protecting it.
To see how Windows Firewall is protecting each network connection, you can click “Allow a program or feature through Windows Firewall.” This opens the Allowed Programs window shown in Figure 3 below. The two columns of check-boxes indicate which firewall exceptions are enabled for the Private and Public firewall profiles. The Core Networking exception is open for both profiles, indicating that core networking functionality (such as support for the TCP, ICMP, IGPM, DHCP and other standard protocols) is enabled for both profiles.
In other words, this computer can communicate over both the wired and wireless networks to which it’s connected. By contrast, certain firewall exceptions such as the File and Printer Sharing exception are only enabled for the Private profile and are disabled for the Public profile, which confirms that the Public firewall profile is more restrictive than the Private one. For instance, in this example, other users at the public wireless hot spot will be unable to browse to any shared folders on the computer or print to any printers connected to the computer. This makes sense because you don’t want untrusted, anonymous users browsing your computer or using up your toner.
Figure 3: Windows Firewall allows exceptions for a standalone Windows 7 computer.
As shown next in Figure 4, for Windows 7 computers that are domain-joined, the Allowed Programs window displays three columns: one for each firewall profile (Domain, Private and Public). The Domain profile is the least restrictive, meaning it has the most firewall exceptions open; the Public profile is the most restrictive, meaning it has the fewest exceptions open. The Private profile is usually in between; for example, the Remote Assistance exception not shown here is enabled for both the Domain and Private profiles but disabled for the Public profile. And all three firewall profiles are active in Windows 7 so that each network connection receives its appropriate level of protection.
Figure 4: Windows Firewall includes exceptions for a domain-joined Windows 7 computer.
Finally, administrators can selectively enable or disable each of the three firewall profiles by targeting Group Policy to the desired Windows computers. The policy setting for doing this is called Windows Firewall with Advanced Security: ldap://cn={guid},cn=policies,cn=system,cn=<domain>,cn=<tld> where {guid} is the globally unique identifier of the Group Policy Object being edited. This policy setting is found under:
Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security
To selectively enable or disable each firewall profile, right-click on this policy setting in the “Group Policy Management Editor” and select Properties, then select the appropriate tab shown in Figure 5 and configure the profile as desired by enabling or disabling the state of the profile and configuring the default behavior for inbound and outbound connections.
Figure 5: Windows 7 lets you configure firewall profiles using Group Policy.
For more information on managing Windows Firewall using Group Policy, see Chapter 26 of the Windows 7 Resource Kit.