Overview of the Windows Server 2008 Firewall with Advanced Security Part 2: Inbound and Outbound Firewall Rules

by [Published on 10 June 2008 / Last Updated on 10 June 2008]

The inbound and outbound firewall rules that you can create to control incoming and outgoing connections to and from the Windows Server 2008 computer.

If you missed the first part in this article series please read

If you would like to be notified when Thomas Shinder releases the next part of this article series please sign up to the WindowSecurity.com Real time article update newsletter.

In the first part of this three part series on configuring the Windows Server 2008 Firewall with Advanced Security, we went over some of the global configuration settings that apply to the firewall. In this article, we’ll take a look at the inbound and outbound firewall rules that you can create to control incoming and outgoing connections to and from the Windows Server 2008 computer.

Inbound and Outbound Rules

To get started, open the Windows Firewall with Advanced Security console from the Administrative Tools menu. In the left pane of the console, you’ll see two nodes, the Inbound Rules and the Outbound Rules nodes. The Inbound Rules node lists the rules that control unsolicited, inbound connections to the server. The Outbound Rules node lists the rules that control outbound connections made by the server.


Figure 1

Click on the Inbound Rules node. The rules that you see here will vary depending on what servers and services are installed and enabled on the server. In the figure below you can see that the machine is an Active Directory domain controller, and a number of rules are enabled to support Active Directory operations.

By default, if there is no rule that allows the inbound connection to the server, then the connection attempt is dropped. If there is an Allow rule, then the connection is allowed when the characteristics of the connection match the settings in the rule. We’ll look at those characteristics in a little bit.


Figure 2

When you click on the Outbound Rules node, you’ll see rules created that allow outbound connections from the server to other machines. Now, I find this very interesting, because as I mentioned in the first part of this article series, the default configuration for outbound connections is to allow all traffic for which there is no existing Deny rule. So, if we leave the Windows Firewall with Advanced Security with its default settings, why do we need all of these Allow rules?

Well, it’s because it almost works that way. The Allow (default) setting for outbound connections only determines the behavior for outbound connections that do not match any outbound firewall rule. So, the reason for all of these rules is that if you choose the alternate behavior, which is Block, then any connection that has no matching Allow rule will be blocked. That’s the reason for all of the Allow rules.

Remember, for both inbound and outbound rules, the nature and number of rules is determined by the services and servers installed on the machine. When you install services using the Server Manager, the Server Manager will automatically work with the Windows Firewall with Advanced Security to create the appropriate and most secure firewall rules.


Figure 3

You might have noticed that the rules aren’t numbered, which gives the impression that there is no order of precedence. This isn’t entirely true; rules are evaluated in the following order of precedence:

  • Authenticated bypass rules (rules that override block rules; authentication takes place using IPsec)
  • Block
  • Allow
  • Default profile behavior (that is to say, allow or block a connection, as configured in the Profile tab of the Windows Firewall with Advanced Security Properties dialog box, which you saw in last week’s article)

Another thing to keep in mind regarding how rules are evaluated is that more specific rules are evaluated before more general rules. For example, rules with specific IP addresses included in the source or destination are evaluated before those that allow any source or destination.

In the left pane of the Windows Firewall with Advanced Security console, you can right click on either the Inbound Rules or Outbound Rules node and see that you can quickly filter by Profile, State or Group. Built-in Windows firewall rules are automatically grouped for you, based on the functionality those rules provide. You can see in the picture below that there are a number of groups by which you can filter.


Figure 4

To see the details of a firewall rule configuration, double click on any of the rules in the list. This brings up the Properties dialog box for the rule. On the General tab you’ll see the name of the rule, a description of the rule and also information about whether or not the rule is one of a pre-defined set of rules provided by Windows. For the rules that are part of a pre-defined set, you’ll find that not all elements of the rule are configurable.

The rule is enabled when there is a checkmark in the Enabled checkbox.

In the Actions frame, you have three options:

  • Allow the connections. This indicates that the rule is an Allow rule.
  • Allow only secure connections. When this option is selected, only users or machines that can authenticate with the server will be able to connect. Additionally, if you select this option, you have the opportunity to Require encryption and Override block rules. The Require encryption option requires that the user or machine not only authenticate, but also use an encrypted session with the server. If you select the Override block rules option, this rule can bypass other firewall rules that would otherwise deny the connection. This allows you to create deny rules that block connections from all machines or users who cannot authenticate with the server.
  • Block the connections. This option configures the rule to be a Deny rule.


Figure 5

Click on the Programs and Services tab. Firewall rules can be configured to allow or deny access to services and applications installed on the server. In the example seen in the figure below, you can see that the rule applies to the lsass.exe service. You might be aware that lsass.exe hosts several services. In this case, you could click the Settings button in the Services frame and select the specific service hosted by the lsass.exe executable.


Figure 6

Click on the Users and Computers tab. Here you can configure the rule so that it applies to specific users or computers. In order to support user or computer authentication, the user or computer must be a member of your Active Directory domain, and an IPsec policy must be configured to support IPsec security between the two endpoints. We’ll see how this works later, when we create a firewall rule.


Figure 7

On the Protocols and Ports tab you select which protocols the rule applies to. The options here are:

  • Protocol type. This is the type of protocol, such as UDP, TCP, ICMP, GRE and many other protocols.
  • Protocol number. If you need to support special protocols, you can configure the protocol number. If you use one of the pre-built protocols, then the Protocol number will be filled in for you.
  • Local Port. This sets the local port on the server that the firewall rule applies to. If the rule is an inbound rule, then this is the port that the server is listening on. If the rule is an outbound rule, then this is the source port the server uses to connect to another machine.
  • Remote port. This is the remote port that applies to the rule. In the case of outbound connection rules, this is the port that the server will try to connect to on another computer. In the case of an inbound rule, this is the source port of the computer that is trying to connect to the server.

The Customize button is used to configure the settings for ICMP protocols.


Figure 8

Click on the Scope tab. Here you can set the Local IP address and the Remote IP address for which this rule applies. The Local IP address is the address on the server that is either accepting the connection or the address that is used as the source address for sending outbound connections. The Remote IP address is the IP address of the remote server that the server is either trying to connect to, in an outbound access scenario, or is the source IP address of the machine that is trying to connect to the server, in the case of an inbound access scenario.


Figure 9

Click on the Advanced tab. Here you can set what profiles should use the rule. In the example in the figure below, you can see that the rule is to be provided for all profiles. As I mentioned in the last article, it’s unlikely that you’re going to have anything but a domain profile for a server, with the exception being non-domain member machines that exist in DMZ and untrusted security zones.

In the Interface type frame, you can choose which interfaces will apply this rule. The figure below shows that the rule is applied to all interfaces, which include the Local area network, remote access and wireless interfaces.

The Edge traversal option is an interesting one, because it’s not documented very well. Here’s what the Help file says:

“Edge traversal This indicates whether edge traversal is enabled (Yes) or disabled (No). When edge traversal is enabled, the application, service, or port to which the rule applies is globally addressable and accessible from outside a network address translation (NAT) or edge device.”

What do you think this might mean? We can make services available across a NAT device by using port forwarding on the NAT device in front of the server. Could this have something to do with IPsec? Could it have something to do with NAT-T? Could it be that the Help file writer for this feature didn’t know either, and made something up that represented a tautology?

I don’t know what this does, but if I find out, I’ll make sure to include this information in my blog.


Figure 10

Creating a Firewall Rule

You can create firewall rules to supplement the rules that are automatically configured by Server Manager when you install servers and services on the machine. Start by clicking the New Rule link in the right pane of the Windows Firewall with Advanced Security console. This brings up the New Inbound Rule Wizard.

The first page of the wizard is the Rule Type page. Here you configure the rule to apply to one of the following:

  • Program. This allows you to control access to or from a specific program. Note that when you try to apply firewall rules to programs and services, the program or service has to be written to the Winsock interface, so that the port requirements can be communicated to the Windows firewall.
  • Port. This allows you to configure a rule based on a TCP or UDP port number.
  • Predefined. The Windows firewall can be configured to use a predefined set of protocols or services and apply those to the rule.
  • Custom. This option allows you to fine tune your rule outside the parameters available in the other options.

Let’s select the Custom option so that we can see all the configuration options.


Figure 11

The second page of the wizard gives you three options:

  • All programs. The rule will apply to all programs that match the elements of the rule.
  • The program path. This allows you to configure the rule to use a specific program and have it applied only to connections made to, or made from, that program.
  • Services. Some programs serve as a “container” for multiple programs, such as services.exe and the lsass.exe program we saw earlier. When you select one of these programs, you can limit the service that the rule applies to by clicking the Customize button and selecting the service.


Figure 12

When you click the Customize button, you’ll see the Customize Service Settings dialog box. Here you have the options to:

  • Apply to all programs and services. Use this when you want the rule to apply to all programs and services hosted by the .exe file you selected for the rule.
  • Apply to services only. In this case, the rule will be applied only to the services provided by the .exe file you selected.
  • Apply to this service. When you select this option, you can select the specific service hosted by the .exe file.


Figure 13

On the next page of the wizard, you can set what protocol you want the rule to be applied to. Note that when you select a program, you won’t have to configure the protocol manually, since the Windows firewall will be able to obtain protocol information from the Winsock interface. However, if you don’t select a program, you will need to configure the protocol to which this firewall rule applies.

Your options here are:

  • Protocol type. Here you can set the protocol type that applies to this rule. In the figure below you can see that the Windows firewall supports a great number of protocol types.
  • Protocol number. For advanced protocol control, such as IPsec, you will want to select the protocol number.
  • Local Port. This is the port on the server to which this rule applies. In an inbound scenario, the local port is the port the client computer is trying to connect to; in an outbound scenario, it is the source port of the server’s outbound connection.
  • Remote port. This is the port on the other machine. In an outbound scenario, the remote port is the port the server is trying to connect to; in an inbound scenario, it is the source port of the computer that is trying to connect to the server.
  • Internet Control Message Protocol (ICMP) settings. If you are configuring ICMP protocols, you can set the type and code here.


Figure 14

In the figure below you can see that I have created a protocol to control IMAP4. I selected TCP for the protocol type and the protocol number was entered for me automatically. The local port, which is the port that IMAP4 clients connect to, is 143. The remote port is set to All Ports because IMAP4 servers don’t care what the source port is of the connecting client.


Figure 15

On the Scope page you can set the local and remote IP address that this rule applies to. You can select Any IP address or These IP addresses. This option allows you some measure of control over what machines can connect to the server and what machines the server can connect to when the connection matches the other elements of the rule.

You also have the option to apply this scope to a specific interface, as seen in the figure below. You can see the Customize Interface Types dialog box when you click the Customize button.


Figure 16

On the Action page, you select what should happen when the connection matches the elements of the firewall rule. The options are:

  • Allow the connection. This makes the rule an Allow rule.
  • Allow the connection if it is secure. This allows the connection if there is an IPsec policy that allows the two endpoints to establish a secure connection. You also have the option to encrypt the session between the endpoints by putting a checkmark in the Require the connections to be encrypted checkbox. If you want this rule to override another rule that blocks the connection, you can select the Override block rules option.
  • Block the connection. This makes the rule a Deny rule.


Figure 17

On the Users and Computers page, you can select which users or computers can connect to the machine. In order for this to work, both endpoints need to be members of the same Active Directory domain, and an IPsec policy must be in place to create the IPsec connection between the endpoints. Windows Firewall with Advanced Security refers to IPsec policies as Connection Security Rules. I’ll go over Connection Security Rules in the next article in this series.

Put a checkmark in the Only allow connections from these computers checkbox if you want to allow connections only from specific computers. Put a checkmark in the Only allow connections from these users checkbox if you want to limit access to specific users or groups of users. Remember that these settings will only work if the machines have set up an IPsec connection between them.


Figure 18

On the Profile page, you set which profiles you want the rule to apply to. In most cases, only the domain profile will be applied to a server, so the other profiles are never activated. However, there’s no problem activating the rule for all of them.


Figure 19

On the last page of the wizard you give the rule a name. Click Finish to create the rule.


Figure 20
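The same IMAP4 rule built in the wizard above, together with a block rule and an authenticated bypass rule that illustrate the precedence order from the first section, scripted with the netsh advfirewall command line that ships with Windows Server 2008. This is an added example, not the article’s own steps or a Microsoft sample; the rule names, the 192.0.2.0/24 subnet and the computer-group SDDL string are constructed placeholders.

```powershell
# Added example (not from the article). netsh advfirewall is the command-line
# counterpart of the Windows Firewall with Advanced Security console; each rule
# below maps to the wizard pages described in the text.

$ruleName = "IMAP4 Server"   # constructed rule name

# Show the profile defaults the wizard falls back on when no rule matches
# (the article's "Default profile behavior", e.g. BlockInbound,AllowOutbound).
netsh advfirewall show domainprofile

# Allow rule matching the wizard example: TCP, local port 143 (the port IMAP4
# clients connect to), any remote/source port, domain profile, all interfaces.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    protocol=TCP localport=143 remoteport=any remoteip=any `
    profile=domain interfacetype=any enable=yes `
    description="Allow IMAP4 clients to reach the server (added example)"

# Block rule for the same port, scoped (Scope page) to a constructed subnet.
# Block is evaluated before Allow, so this wins over the rule above for that
# subnet even though both rules match the connection.
netsh advfirewall firewall add rule name="$ruleName - Block subnet" dir=in `
    action=block protocol=TCP localport=143 remoteip=192.0.2.0/24 profile=domain

# Authenticated bypass rule ("Allow only secure connections" + "Override block
# rules"): only computers that authenticate with IPsec and belong to the named
# group get through, and they get through even from the blocked subnet.
# The SDDL string must name a real domain group SID; this one is a placeholder.
netsh advfirewall firewall add rule name="$ruleName - Authenticated bypass" dir=in `
    action=bypass protocol=TCP localport=143 security=authenticate `
    rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-GROUP-SID)" profile=domain

# Review the rules the way the Properties dialog would show them.
netsh advfirewall firewall show rule name="$ruleName" verbose
netsh advfirewall firewall show rule name="$ruleName - Block subnet" verbose
netsh advfirewall firewall show rule name="$ruleName - Authenticated bypass" verbose
```

The bypass rule requires a matching Connection Security Rule (the IPsec policy the article covers in part three); without it the bypass never authenticates and the block rule decides.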

That’s all there is to it! There is a Monitoring node for the firewall rules, but it really doesn’t give you much information other than what rules are enabled. There is no information regarding what rule might be triggering at any specific time, which would be an interesting feature that the Windows team might want to consider in a future revision of the Windows Firewall with Advanced Security.

Summary

In this, the second part of our three part series on the Windows Firewall with Advanced Security included with Windows Server 2008, we went over the details of inbound and outbound rules and how to create new firewall rules. In the next and last part of this series, we will take a look at Connection Security Rules and see how they work, what the requirements are, and how to set them up and monitor the connections.
