70-410 Chapter 19


Connection Security Rules

By default, this branch does not contain any rules. Right-click it and select New Rule to create connection security rules, which use IPsec to require or request authentication (and optionally encryption) for connections with remote computers before the ordinary inbound and outbound rules are applied.

___enables you to define IPsec policies that apply to all computers in your AD DS domain, site, or OU. You can also define policies that provide authenticated exceptions for IPsec traffic from authorized computers that crosses the server's firewall. As with other Group Policy settings, you can define these policies in a GPO linked to a site, a domain, or an OU as required.

Group Policy

The Windows Firewall Control Panel applet enables you to configure basic firewall settings for different ___. You can enable or disable the Windows Firewall separately for each connection. In doing so, you are able to use Windows Firewall to protect a computer connected to the Internet via one adapter and not use Windows Firewall for the adapter connected to the private network.

network locations

You can configure Windows Firewall with Advanced Security to display notifications when a program is blocked from receiving inbound connections according to the default behavior of Windows Firewall. When you have selected this option and no existing block or allow rule applies to this program, a user is ___ when a program is blocked from receiving inbound connections.

notified

In general, you do not need to create rules for filtering ___ traffic. Windows Server 2012 and Windows Server 2012 R2 include outbound filters for basic networking services such as DHCP or DNS requests, Group Policy communications, and networking protocols such as IPv6 and Internet Group Management Protocol (IGMP).

outbound

By clicking New Rule under Inbound Rules or Outbound Rules in the Windows Firewall with Advanced Security snap-in, you can create rules that determine

programs or ports that are allowed to pass through the firewall.

When a user communicates with an external computer, the stateful firewall ___this conversation and allows the appropriate reply packets to reach the user.

remembers

Windows Firewall reduces the chance that an attacker will compromise your server, resulting in actions such as crashing your computer, modifying or deleting data, copying unwanted files or information to your computer, creating user accounts with elevated privileges, and using these accounts to access other computers or devices on your network.


The Windows Firewall with Advanced Security snap-in enables you to perform a comprehensive set of configuration actions. You can configure rules that affect inbound and outbound communication, and you can configure connection security ___ and the monitoring of firewall actions.

rules

The SDDL string includes the ___ of computer or group accounts for which you want to enable IPsec bypass.

security identifiers (SIDs)

Windows Firewall enables you to specify multiple profiles, each of which is a

series of firewall settings customized according to the environment in which the computer is located.

The Windows Firewall Control Panel applet, found in the System and Security category enables you to

set up firewall rules for each of the same network types introduced earlier in this chapter for configuring network settings.

Windows Firewall is a

stateful host-based firewall that you can configure to allow or block specific network traffic.

Packets from an outside computer that attempt to communicate with a computer on which a stateful firewall is running are dropped unless

the ACL contains rules permitting them.

Outbound rules help prevent

utilities on your computer from performing certain actions, such as accessing network resources or software without your knowledge. They can also help prevent other users of your computer from downloading software or inappropriate files without your knowledge.

Block edge traversal

Blocks the reception of unsolicited Internet traffic through a NAT device

You can use the ___ command-line tool to obtain the SIDs of the required accounts.

Getsid.exe

Windows Firewall includes a packet filter that uses an ___ specifying parameters (such as IP address, port number, and protocol) that are allowed to pass through.

Access Control List (ACL)

The following edge traversal options are available:

...

The following firewall profiles are available:

...

The following three links are available from the bottom of the details pane:

...

The other tabs of a rule's Properties dialog box enable you to configure the following additional functions related to each firewall rule:

...

This can be useful in some situations; for example, if your company has a customized billing application that uses a specific TCP port, any user who connects to the server across this port could otherwise access data that should be available only to authorized users or computers.

...

When the snap-in first opens, it displays a summary of configured firewall settings. From the left pane, you can configure any of the following types of properties:

...

In addition, you can configure IPsec settings from the IPsec Settings tab, including defaults and exemptions.


All the Windows Firewall with Advanced Security settings that have been discussed in this section, including the domain, private, and public profiles, are included in a policy file with the ___ extension.

.wfw

You can allow all authenticated IP traffic from approved computers to bypass Windows Firewall by configuring the Allow authenticated IPsec bypass ___ setting or using a Security Descriptor Definition Language (SDDL) string to describe the computers enabled to bypass Windows Firewall.

Group Policy

You can export a configured policy and import it to a new location. These actions are helpful if you decide to restore Windows Firewall with Advanced Security defaults, which you might want to do should problems arise with

firewall settings.

Protocols and Ports tab

Enables you to specify the protocol type and the local and remote ports covered by the rule. A comprehensive list of available protocols and ports is included in the drop-down lists on this tab. You can add a custom protocol by selecting the Custom option and typing any protocol number designated by the Internet Assigned Numbers Authority (IANA). Note that the local port is the port on the computer for which you are configuring the rule and the remote port is the port on any computer that is sending or receiving communications from the local port.

State

Enables you to turn the firewall on or off for the selected profile and block or allow inbound and outbound connections. For inbound connections, you can either block connections with the configured exceptions or block all connections. Click Customize to specify which connections you want Windows Firewall to help protect.

Isolation

Enables you to limit connections according to authentication criteria you define. For example, you can use this rule to isolate domain-based computers from external computers such as those located across the Internet. Such a rule enables you to implement server or domain isolation strategies, which are discussed later in this chapter. You can request or require authentication and specify the authentication method that must be used.

Tunnel

Enables you to secure communications between two computers by means of IPsec tunnel mode. This encapsulates network packets that are routed between the tunnel endpoints. You would typically use this rule type to secure connections across the Internet between security gateways. You can choose from several types of tunnels; you can also exempt IPsec-protected computers from the defined tunnel.

Advanced tab

Enables you to specify the profiles (domain, private, or public) to which the rule applies. You can also specify the interface types (local area network, remote access, and/or wireless) and whether edge traversal (traffic routed through a Network Address Translation [NAT] device) is allowed or blocked for incoming rules.

Programs and Services tab

Enables you to specify the program or service that is permitted to communicate using this rule. By default, all programs that meet conditions specified elsewhere in the rule's properties are allowed to communicate. To limit the programs being used, select the This program option and either type the complete path to the program's executable file or click Browse to locate the required program. To configure customized application settings that can communicate using this rule, click the Settings command button under Application Packages and select the programs and application packages to which the rule should apply. To limit the services that can communicate using the rule, click the Settings command button under Services and select the appropriate services in the Customize Service Settings dialog box.

Security Associations

Displays IPsec main mode and quick mode associations

Inbound Rules

Displays a series of defined inbound rules. Enabled rules are shown with a green check mark icon. If the icon is dark in appearance, the rule is not enabled. To enable a rule, right-click it and select Enable Rule; to disable an enabled rule, right-click it and select Disable Rule. You can also create a new rule by right-clicking Inbound Rules and selecting New Rule. We discuss creation of new rules later in this chapter.

Outbound Rules

Displays a series of defined outbound rules, also with a green check mark icon for enabled rules. You can enable or disable rules and create new rules in the same manner as with inbound rules.

Connection Security Rules

Displays enabled connection security rules you have created

Firewall

Displays enabled inbound and outbound rules

When allowing additional programs to communicate through the Windows Firewall, by default these programs are allowed to communicate through the ___ or ___ network profiles only. You should retain this default unless you need a program to communicate through the Internet from a public location, which is sometimes true for a client computer but almost never the case for a server.

Domain, Private

Allow edge traversal

Enables applications to receive unsolicited Internet traffic through a NAT device

Defer to application

Enables each application to determine whether Internet traffic will be allowed through a NAT device

Authentication exemption

Enables specified computers, such as DHCP and DNS servers, to be exempted from the need for authentication. Computers listed here do not require authentication to communicate with computers in an isolated domain. You can specify computers by IP address ranges or subnets, or you can include a predefined set of computers.

Server-to-server

Enables you to protect communications between two specified groups of computers (known as endpoints). Specify the endpoints by IP address range or those that are accessible through a specified connection type, such as a wireless connection.
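The Isolation, Authentication exemption and Server-to-server rule types above map directly onto the NetSecurity PowerShell cmdlets. The following is an added example (not the textbook's own code) that builds a minimal domain isolation policy: a Phase 1 authentication set, an isolation rule that requires inbound authentication, and an exemption for the infrastructure hosts a computer must reach before it can authenticate. The addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders for the DHCP and DNS servers, and the rules are written to the local policy store.

```powershell
# Added example (not from the textbook). Assumes a domain-joined server and that
# 192.0.2.10 / 192.0.2.11 are the DHCP and DNS servers to exempt (constructed addresses).

# 1. Phase 1 (main mode) authentication: Kerberos machine authentication, with NTLM as a
#    fallback so a computer that cannot reach a KDC at boot can still authenticate.
$kerb    = New-NetIPsecAuthProposal -Machine -Kerberos
$ntlm    = New-NetIPsecAuthProposal -Machine -NTLM
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Domain machine auth' -Proposal $kerb, $ntlm

# 2. Isolation rule: require authentication inbound, request it outbound. "Request" outbound
#    keeps the server able to talk to hosts that have no IPsec policy yet; change it to
#    Require once every peer is enrolled.
New-NetIPsecRule -DisplayName 'Domain isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.InstanceID -Profile Domain

# 3. Authentication exemption: DHCP (to obtain an address) and DNS (to locate a domain
#    controller) must be reachable without IPsec, so they are exempted by address.
New-NetIPsecRule -DisplayName 'Exempt DHCP and DNS servers' `
    -RemoteAddress 192.0.2.10, 192.0.2.11 `
    -InboundSecurity None -OutboundSecurity None -Profile Domain

# 4. Verify the rules, then watch main mode and quick mode security associations form as
#    peers connect (the same data the Security Associations node of the snap-in displays).
Get-NetIPsecRule | Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint
```

The exemption rule is the part most often forgotten: with "Require" inbound and no exemption for the DHCP and DNS servers, a freshly booted client has no way to obtain an address or find a domain controller, so it can never complete the Kerberos exchange the isolation rule demands.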

Defer to user

Enables the user to decide whether traffic from the Internet will be allowed through a NAT device when requested by an application

Logging

Enables you to configure logging settings. Click Customize to specify the location and size of the log file and whether dropped packets or successful connections are logged (see Figure 19-7).

Figure 19-7 You can customize logging settings for each of the Windows Firewall profiles.
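The Customize dialog shown in Figure 19-7 has a PowerShell equivalent, and the log it produces is plain text that is easy to mine for scanning activity. The following is an added example, not code from the textbook: the first part sets the per-profile logging options with Set-NetFirewallProfile, and the second parses a pfirewall.log and ranks dropped inbound packets by protocol, destination port and source. The log lines in the here-string are constructed for the example; the field order is the one the log's own "#Fields:" header declares.

```powershell
# Added example (not from the textbook). The sample log lines are constructed.

# Part 1: log dropped packets only, on all three profiles, capped at 16 MB. The path below
# is the default location Windows uses.
$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogFileName $logPath -LogMaxSizeKilobytes 16384 `
    -LogBlocked True -LogAllowed False

# Part 2: turn each log line into an object keyed by the W3C field names.
function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin {
        $fields = @('date','time','action','protocol','src-ip','dst-ip','src-port','dst-port',
                    'size','tcpflags','tcpsyn','tcpack','tcpwin','icmptype','icmpcode','info','path')
    }
    process {
        if ($Line -match '^#' -or $Line.Trim() -eq '') { return }   # header and blank lines
        $values = $Line -split '\s+'
        if ($values.Count -lt $fields.Count) { return }             # truncated/malformed line
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Dropped inbound packets (path RECEIVE) grouped by protocol, destination port and source.
# One source hitting many ports, or many sources hitting one port, is the pattern worth
# alerting on; this function only ranks the combinations.
function Get-DroppedInboundSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ConvertFrom-PfirewallLog |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port', 'src-ip' |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Protocol, DstPort, Source'; e = { $_.Name } }
}

# Constructed sample in the layout of a real pfirewall.log, so the parser runs offline.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-03-05 10:22:31 DROP TCP 203.0.113.5 192.0.2.20 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2014-03-05 10:22:32 DROP TCP 203.0.113.5 192.0.2.20 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2014-03-05 10:22:33 DROP TCP 203.0.113.5 192.0.2.20 51236 445 52 S 1234569 0 8192 - - - RECEIVE
2014-03-05 10:22:40 DROP UDP 198.51.100.7 192.0.2.20 40000 161 78 - - - - - - - RECEIVE
2014-03-05 10:22:41 DROP TCP 192.0.2.20 203.0.113.9 49152 80 52 S 7654321 0 8192 - - - SEND
'@ -split "`r?`n"

Get-DroppedInboundSummary -Lines $sample | Format-Table -AutoSize
```

On a live server replace `$sample` with `Get-Content $logPath`. The outbound DROP on the last sample line is excluded deliberately: a SEND drop means a local process was blocked by an outbound rule, which is a different investigation from an inbound scan.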

Custom

Enables you to create a rule that requires special settings not covered explicitly in the other options. All wizard pages except those used to create only tunnel rules are available.

Settings

Enables you to customize firewall settings for the selected profile. Click Customize to specify whether to display notifications to users when programs are blocked from receiving inbound connections or allow unicast responses. You can also view, but not modify, how rules created by local administrators are merged with Group Policy-based rules.

This string is formatted similar to the following example: O:DAG:DAD:(A;;CC;;;SID1) (A;;CC;;;SID2) (A;;CC;;;SID3) ...

In this string, SID1, SID2, and so on are the SIDs of the computer or group accounts you want to authorize. Include as many of the SID specifications as required.

Domain Profile

Specifies firewall settings for use when connected directly to an Active Directory Domain Services (AD DS) domain; more specifically, this profile is applied when a computer is able to access a domain controller in its domain. If the network is protected from unauthorized external access, you can specify additional exceptions that facilitate communication across the LAN to network servers and client computers.

Private Profile

Specifies firewall settings for use when connected to a private network location, such as a home or small office. You can open up connections to network computers and lock down external communications as required. Settings in this profile should be more restrictive than those in the domain profile.

Guest or Public Profile

Specifies firewall settings for use when connected to an insecure public network, such as a Wi-Fi access point at a hotel, a restaurant, an airport, or another location where unknown individuals might attempt to connect to your computer. This profile should contain the most restrictive settings of all three profiles. By default, network discovery and file and printer sharing are turned off, inbound connections are blocked, and outbound connections are allowed. Although mentioned for completeness, it is extremely unlikely that you would ever use this profile on a server computer.

A profile is simply a means of

grouping firewall rules so that they apply to the affected computers dependent on where the computer is connected.

Many PowerShell cmdlets are available for configuring Windows Firewall. Table 19-3 outlines a listing of the more common cmdlets used for configuring basic firewall settings.

Tip: When preparing for the 70-410 exam, you should be familiar with the common cmdlets as outlined in Table 19-3.

http://prntscr.com/dschdb
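The cmdlets Table 19-3 lists, plus the policy export and reset described earlier in this chapter (the .wfw file and the "restore defaults deletes everything" caveat), in one added example that is not the textbook's own code. The program path, the port, the address ranges and the backup location are assumptions made for the example.

```powershell
# Added example (not from the textbook). Paths, port and address ranges are placeholders.

# Profiles: inspect what is in force, then make all three explicit. On, inbound blocked by
# default, outbound allowed is the Windows Server default posture.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# An inbound rule for a custom application: bound to the executable, limited to the domain and
# private profiles (the default for new program exceptions), and scoped to internal ranges so
# that a source on the Internet never matches it even if the adapter lands in the public profile.
New-NetFirewallRule -DisplayName 'Billing service (TCP 8443)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8443 `
    -Program 'C:\Program Files\Contoso\Billing\BillingSvc.exe' `
    -Profile Domain, Private -RemoteAddress 10.0.0.0/8, 192.168.0.0/16 `
    -Description 'Scope limited to RFC 1918 ranges'

# Read the rule back with its port and address filters (the Protocols and Ports / Scope tabs).
Get-NetFirewallRule -DisplayName 'Billing service (TCP 8443)' | ForEach-Object {
    $_ | Get-NetFirewallPortFilter    | Format-List Protocol, LocalPort, RemotePort
    $_ | Get-NetFirewallAddressFilter | Format-List LocalAddress, RemoteAddress
}

# Disable and re-enable without deleting (Enable Rule / Disable Rule in the snap-in).
Disable-NetFirewallRule -DisplayName 'Billing service (TCP 8443)'
Enable-NetFirewallRule  -DisplayName 'Billing service (TCP 8443)'

# Export the entire policy (all profiles, firewall rules and connection security rules) to a
# .wfw file before restoring defaults, because the reset deletes every rule on the computer.
$backup = Join-Path $env:TEMP ('wfas-{0}.wfw' -f (Get-Date -Format 'yyyyMMdd-HHmm'))
netsh advfirewall export "$backup"
netsh advfirewall reset
# Roll back from the export if the reset did not solve the problem:
netsh advfirewall import "$backup"
```

The export and import still go through netsh advfirewall; there is no NetSecurity cmdlet that writes a .wfw file. Keep the exported file somewhere other than the server itself if the reset is part of incident cleanup, since the file documents exactly which ports were open.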

Windows Firewall enables you to limit inbound connections to users who are members of a specific group for which access has been permitted. This enables you to add access control to custom applications without the need to add specific access-control code to the application. If users or computers are not on the authorized lists you've specified, attempted connections will be dropped ___.

immediately

The Remote Users tab is provided for ___ rules only; it is not available for ___ rules.

inbound, outbound

The Scope tab of a rule's Properties dialog box enables you to

limit the scope of connections from your internal network and also block connections from undesired network segments—internal or external. This helps you to limit access to a specific server to users or computers that have the need to access resources on this server, blocking those with no need to access the server. This can include web servers such as those configured for intranet websites only.

Inbound rules help prevent

actions such as unknown access or configuration of your computer, installation of undesired software, and so on.

Windows Firewall enables you to require that remote users or computers be ___ before they can connect to your server.

authorized

When you install a server role, role service, or feature that utilizes incoming or outgoing connections, Windows Server 2012 R2 ___ the appropriate firewall rules. For example, Figure 19-3 shows DHCP firewall rules that were automatically added to Windows Firewall when this role was installed, thereby enabling the DHCP server to function properly on the network.

automatically configures

The purpose of the Skip this rule for connections from these (users or computers) option is to

block traffic from users or computers that would otherwise be allowed by virtue of their group membership. For example, if user1 is a member of a group that has been authorized on the Remote Users tab but you want to block this user's communications, include user1 in the Skip this rule section.
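The SDDL string described earlier (O:DAG:DAD:(A;;CC;;;SID1)...) is the same representation behind the Remote Users and Remote Computers tabs and the Skip this rule list, and it is also what the -RemoteUser / -RemoteMachine parameters of New-NetFirewallRule accept. The following is an added example, not the textbook's code, that resolves account names to SIDs (an alternative to Getsid.exe), assembles the string, checks that it parses, and attaches it to an inbound rule. CONTOSO\Billing Clients and CONTOSO\KIOSK01$ are placeholder names; the use of deny ACEs (D;;CC;;;SID) for the Skip list is my assumption about how the snap-in represents that list, and the DA owner/group alias in the string resolves only on a domain-joined computer. BUILTIN\Administrators resolves on any Windows machine if you want to try the functions outside a domain.

```powershell
# Added example (not from the textbook). Account names are placeholders.

function Get-AccountSid {
    # Resolve a user, group or computer account name to its SID string.
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-FirewallAuthorizationSddl {
    # Allow ACEs (A;;CC;;;SID) authorize the account; deny ACEs (D;;CC;;;SID) are assumed to be
    # how the "Skip this rule for connections from these users/computers" list is stored.
    # Deny ACEs are emitted first, which is the canonical order Windows evaluates.
    param([string[]]$AllowSid, [string[]]$DenySid = @())
    $aces = @()
    foreach ($sid in $DenySid)  { $aces += "(D;;CC;;;$sid)" }
    foreach ($sid in $AllowSid) { $aces += "(A;;CC;;;$sid)" }
    'O:DAG:DAD:' + (-join $aces)      # owner and group DA, as in the textbook's template
}

function Test-FirewallAuthorizationSddl {
    # Parse with the .NET SDDL parser and list the ACEs, so a typo surfaces before the string
    # is pasted into a GPO or a rule. Throws if the string is malformed.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $sd.DiscretionaryAcl | ForEach-Object {
        [pscustomobject]@{ Type = $_.AceType; Sid = $_.SecurityIdentifier.Value; Mask = $_.AccessMask }
    }
}

# Authorize a computer group, and carve one machine out of it (placeholder names).
$allow = Get-AccountSid 'CONTOSO\Billing Clients'
$skip  = Get-AccountSid 'CONTOSO\KIOSK01$'
$sddl  = New-FirewallAuthorizationSddl -AllowSid $allow -DenySid $skip
Test-FirewallAuthorizationSddl $sddl

# Inbound rule for the billing port that only authenticated members of the group may reach.
# -Authentication Required means a connection security rule must also exist; without one the
# identity cannot be established and the connection is dropped.
New-NetFirewallRule -DisplayName 'Billing app (authorized computers only)' `
    -Direction Inbound -Protocol TCP -LocalPort 8443 -Action Allow `
    -Authentication Required -RemoteMachine $sddl -Profile Domain
```

The same `$sddl` value is what you paste into the Allow authenticated IPsec bypass Group Policy setting when the goal is to let those computers bypass the firewall entirely rather than reach one port; the CC access right in each ACE is what the firewall interprets as "may connect".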

IPsec authentication rules enable you to configure bypass rules for specific computers that enable these computers to bypass other Windows Firewall rules. Doing so enables you to block

certain types of traffic while enabling authenticated computers to receive these types of traffic.

Blocking outbound communications can prevent many default Windows features, such as Windows Update, from ___. However, you can block malware such as worms, viruses, and Trojan horses from spreading to other computers by using appropriate outbound traffic filters. If you create outbound filters to help secure your network against malware propagation, be sure to test third-party applications running on your network to ensure that they communicate properly.

communicating properly

Doing so ___all firewall settings, firewall rules, and IPsec connection security rules that have been configured on the computer.

deletes

