Windows 7 security: the new Windows Firewall with Advanced Security

Neil Roiter

If your company took a pass on Microsoft Vista but expects to migrate from Windows XP to Windows 7, plan on taking advantage of the host-based Windows Firewall with Advanced Security (WFAS) on your client PCs. WFAS is already in Vista and Windows Server 2008, but with Windows 7, you will be able to extend its advanced security features to end-user machines and improve your defense in depth.

As in previous versions of Windows, you will want to create policies -- in this case on a Windows Server 2008 machine -- and push them to computers on the network through Group Policy Objects. Windows Firewall with Advanced Security is administered as a Microsoft Management Console snap-in, which presents a straightforward GUI for policy creation. You can use that snap-in to create GPOs within the Group Policy Management Console.

Using GPOs, you can take advantage of all WFAS features, including profile settings and security connection rules. The clients in a given domain request policy updates, so you can make changes and distribute them automatically.

With Windows 7, WFAS brings a set of granular, highly extensible security settings previously reserved to Windows Server 2008 and those organizations that actually deployed Vista. Let's examine a few of the key security capabilities.

WFAS packs a lot of features that make it a much more powerful security tool than earlier Windows firewalls. Most important, perhaps, is the ability to automatically adapt security to the computer's environment, whether it is connected to the corporate network, at home or on the road.

Ideally, you want the most restrictive security policies when the PC is outside the company firewall. Inside the network, you can set rules and policies that give users full access to the applications and data sources they need while securing them against unknown and potentially malicious connections.

The advanced firewall addresses this with three profile options: Domain, Private and Public. You can configure all three profile types for each group and set different policies for each profile.

The Domain profile is used when the computer is on the corporate network, connecting to an Active Directory domain to which it belongs. The Private profile is generally for home networks, and the Public profile is used when the computer is connected directly to the Internet, or a network it doesn't recognize as trusted. The Public profile is the default, the highest security posture for an uncontrolled environment.

You can configure a wide range of settings for each profile, including inbound and outbound allow/block rules, display notifications, local firewall rules and logging options.

These profile options are possible because WFAS is a network-location-aware application. That is, newer versions of Windows detect the type of network the PC is connecting to and apply the appropriate profile. Compare that to a one-policy-fits-all security scenario, in which the same rules that apply inside the corporate cocoon are still in place when the laptop hits the road.

The firewall is also integrated with IPsec protection, reducing the chances of conflict between the two and adding a number of network options. In practice, through the firewall interface, you use IPsec to configure secure custom communication deployments.

This IPsec integration is the key to WFAS-enabled domain isolation, which allows you to create a logical domain for certain computers, restricting access from other computers, even if they are on the same physical network.

Because IPsec provides secure, authenticated connections, it allows a variety of firewall rule options. For example, you can create firewall rules that filter by Active Directory users or groups. You can configure bypass rules to allow authorized computers to ignore block rules. These bypass rules can be highly granular, controlling which ports, programs, computers and computer groups have access.

A third major enhancement is the ability to filter outbound traffic, limiting the applications clients can use to communicate with the Internet or even with other computers on your network, and so enforcing policy. The defaults are to block most inbound connections and allow most outbound connections.
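The per-profile defaults, logging, outbound filtering and IPsec domain isolation described above can be set on a single Windows 7 pilot machine with the built-in netsh advfirewall context before the same settings are placed in a GPO; the following script is an added example, not from the article, and the program paths, address range, port and rule names in it are assumed values.

```batch
@echo off
REM Added example: local WFAS policy for a Windows 7 pilot machine.
REM Paths, the 10.0.0.0/8 range and rule names are assumptions; in
REM production the same settings are pushed domain-wide through a GPO.

REM 1. Per-profile defaults: inbound blocked everywhere, outbound allowed
REM    on Domain and Private, but denied on Public unless a rule permits it.
netsh advfirewall set domainprofile state on
netsh advfirewall set privateprofile state on
netsh advfirewall set publicprofile state on
netsh advfirewall set domainprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set privateprofile firewallpolicy blockinbound,allowoutbound
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

REM 2. Log dropped packets on every profile for detection and troubleshooting.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096

REM 3. Outbound filtering: allow the browser on Public (where outbound is
REM    denied by default) and block an assumed file-sync client off-network.
netsh advfirewall firewall add rule name="Allow browser (public)" dir=out action=allow program="C:\Program Files\Internet Explorer\iexplore.exe" profile=public enable=yes
netsh advfirewall firewall add rule name="Block sync client off-net" dir=out action=block program="C:\Program Files\ExampleSync\sync.exe" profile=private,public enable=yes

REM 4. Inbound rule scoped to the Domain profile and the assumed internal
REM    address range only: Remote Desktop from the help desk.
netsh advfirewall firewall add rule name="RDP from internal (domain)" dir=in action=allow protocol=TCP localport=3389 remoteip=10.0.0.0/8 profile=domain enable=yes

REM 5. Domain isolation: require IPsec with Kerberos computer authentication
REM    for inbound connections and request it for outbound, Domain profile only.
netsh advfirewall consec add rule name="Domain isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain enable=yes

REM 6. Verify the result and export it; the .wfw file can be imported into
REM    a GPO through the WFAS snap-in for distribution to the domain.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out
netsh advfirewall export "%TEMP%\wfas-pilot.wfw"
```

With outbound traffic blocked on the Public profile, only the enabled default Core Networking rules (DHCP, DNS and similar) and the explicit allow rules you add will get out, so test the pilot machine on an untrusted network before distributing the policy.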