The Windows Firewall has been enhanced in several ways in the upcoming Windows Vista. Some of these enhancements include more granular firewall rules, support for outbound traffic filtering, location-aware profiles, full IPv6 support, a new management console, new Group Policy support, integrated IPsec functionality, and more. In this article I'll focus on the new management interface for Windows Firewall and how network-aware firewall profiles work. In future articles I'll dig deeper into firewall rules (including outbound rules) and also show you how easy it is now to set up a secure IPsec connection between two Vista machines using Windows Firewall.
While most users will still use the Windows Firewall utility in Control Panel to manage Windows Firewall on their Vista machines, advanced users may want to check out the new Windows Firewall with Advanced Security MMC console (see Figure 1). The simplest way to open this console is to press the WIN+R key combination to open the Run box, type WF.msc and press ENTER. You'll have to respond to a User Account Countrol (UAC) prompt at that point, which means either clicking Continue (if you're a local admin on the machine) or entering admin credentials (if you're a standard user and can do so).
Figure 1: The new Windows Firewall with Advanced Security MMC console. (Click for full-size image.)
The main screen of the console shows the default configuration of the firewall for each profile. A profile is a firewall configuration that is used for a specific networking environment. Windows XP's firewall had only two profiles: Standard and Domain. The Domain profile was the active firewall profile (the firewall profile in use) whenever your computer had a domain DNS suffix (for example, mycomputer.oreilly.com), otherwise the Standard profile was used. Both profiles were identical in terms of which firewall exceptions were allowed out-of-box (OOB), but administrators would usually use Group Policy to configure Standard profiles to be more restrictive than Domain profiles so that users would be better protected when they disconnected their laptop from the corporate network and connected to a public wireless hot spot at a coffee shop.
In Windows Vista however, there are now three different firewall profiles: Domain, Private, and Public. These three profiles match up with the different network categories available in Vista. A network category (or network location type) is the type of network that a Vista computer is currently connected to. There are basically three network categories, though the UI suggests that there are four. When you log on to a Vista computer for the first time, you're presented with a dialog asking you whether your computer will be used at Home, at Work, or at a Public Location. Choosing either Home or Work basically gives the same result--your network category is set to Private. If you choose Public Location, your network category becomes Public. You can manually switch between categories using Network And Sharing Center, or Vista can detect when the network connectivity of your machine changes and switch categories for you. And if you join your computer to a domain, your network category becomes Domain. That means there are three underlying network categories (Domain, Private, and Public) and these correspond one-to-one with the three firewall profiles available and having the same names. (See this this article on TechNet for more information about network location types in Vista).
How does Vista decide which firewall profile to make the active one? Remember, the active profile is the one whose firewall rules are currently used to protect the machine. The firewall profile selection process basically works like this:
Another thing that's different with Vista's version of Windows Firewall is that the set of firewall rules that are enabled by default are different for each firewall profile. Vista uses rules instead of exceptions for its firewall (though the Control Panel utility still displays them as exceptions). A rule (or firewall rule) determines what happens to specific types of network traffic passing through the firewall. Rules can be configured to either Allow or Block the type of traffic that matches the conditions of the rule, and a rule can be either Enabled (which means it allows or blocks traffic matching its conditions) or Disabled (in which case the rule is ignored). And rules can either filter inbound traffic (inbound rules) or outbound traffic (outbound rules).
Rules are grouped together into rule groups, with each rule group matching an experience (a feature or program) for Vista. For example, the Windows Meeting Space rule group must be enabled (i.e., all rules in the rule group must be enabled) for the active firewall profile in order for the Windows Meeting Space program to work properly. (See here for an article I wrote about how to use Windows Meeting Space to collaborate with other users.)
We'll dig deeper into firewall rules and rule groups in Part 2 of this article, but for now let me get back to my point earlier that in Vista the particular firewall rules enabled by default now differ for each profile. Here are the specifics (assuming you just installed Vista and haven't used any of the experiences since using an experience for the first time often punches open firewall rules to enable that experience to work):
Now that you've got a basic grasp of how firewall profiles work in Vista, what's ahead? In Part 2 of this article, we'll examine firewall rules in detail, examining how they work and also the difference between inbound and outbound rules.
Mitch Tulloch is the author of Windows 2000 Administration in a Nutshell, Windows Server 2003 in a Nutshell, and Windows Server Hacks.
Return to the Windows DevCenter.
Copyright © 2009 O'Reilly Media, Inc.