
Windows Firewall with Advanced Security

Page 1 of 115

Windows Firewall with Advanced Security


You can use Windows Firewall with Advanced Security to help you protect the computers on your network. Windows Firewall with Advanced Security includes a stateful firewall that allows you to determine which network traffic is permitted to pass between your computer and the network. It also includes connection security rules that use Internet Protocol security (IPsec) to protect traffic as it travels across the network.

Important: Windows Firewall with Advanced Security is designed for administrators of a managed network to secure network traffic in an enterprise environment. Home users should use the Windows Firewall program in Control Panel instead. To start the Windows Firewall program, click Start, click Control Panel, click System and Security, and then click Windows Firewall. You can access Help for the Windows Firewall program either by pressing the F1 key on the main Windows Firewall page, or by clicking the links found on many of the Windows Firewall dialog boxes.

For more information about Windows Firewall with Advanced Security, see Windows Firewall with Advanced Security Content Roadmap (http://go.microsoft.com/fwlink/?linkid=64342) in the Windows Server TechCenter.

Overview of Windows Firewall with Advanced Security
Understanding Firewall Rules
Understanding Connection Security Rules
Understanding Firewall Profiles
Monitoring Windows Firewall with Advanced Security
Default Settings for Windows Firewall with Advanced Security
Configuring Firewall Rules
Resources for Windows Firewall with Advanced Security
User Interface: Windows Firewall with Advanced Security

Overview of Windows Firewall with Advanced Security

What is Windows Firewall with Advanced Security?
file://C:\Users\Malli\AppData\Local\Temp\~hhADBE.htm 9/29/2011


Windows Firewall with Advanced Security combines a host firewall and Internet Protocol security (IPsec). Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.

Important: Windows Firewall with Advanced Security is designed for use by IT administrators who need to manage network security in an enterprise environment. It is not intended for use in home networks. Home users should consider using the Windows Firewall program available in Control Panel instead.

Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all packets for IP version 4 (IPv4) and IP version 6 (IPv6) traffic. In this context, filter means to allow or block network traffic by processing it through administrator-defined rules. By default, incoming traffic is blocked unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can configure Windows Firewall with Advanced Security to explicitly allow traffic by specifying a port number, application name, service name, or other criteria. Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating, and to require the use of data integrity or data encryption when communicating. For more information, see Overview of Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=137800) in the TechNet Library.

Understanding Firewall Rules


You create firewall rules to allow this computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria:

Allow the connection.
Allow a connection only if it is secured through the use of Internet Protocol security (IPsec).
Block the connection.

Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the computers or users, program, service, or port and protocol. You can specify which type of network adapter the rule will be applied to: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used. As your IT environment changes, you might have to change, create, disable, or delete rules.
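As an added example (not part of this help topic), the three rule actions and the direction, profile and interface-type scoping described above, written as the netsh advfirewall commands that the rule wizard produces; the rule names, program path and port are constructed for the example.

```powershell
# Added example, not from the original help topic. Rule names, the program
# path and the port are placeholders. Values that contain commas are quoted so
# that PowerShell passes them to netsh as a single argument.

# 1. Allow the connection: inbound TCP 8443 to one program, domain profile
#    only, wired (LAN) adapters only. Every criterion narrows the match; if
#    program= were omitted, any program listening on 8443 would be allowed.
netsh advfirewall firewall add rule name="Example App (TCP-In)" `
    dir=in action=allow protocol=TCP localport=8443 `
    program="C:\Program Files\ExampleApp\app.exe" `
    profile=domain interfacetype=lan

# 2. Allow the connection only if it is secure: the rule matches only traffic
#    that arrives inside an IPsec-protected connection, which in turn needs a
#    connection security rule on both computers. Unprotected traffic does not
#    match, so the profile's default inbound block applies to it.
netsh advfirewall firewall add rule name="Example App (TCP-In, IPsec only)" `
    dir=in action=allow security=authenticate protocol=TCP localport=8443 `
    profile="domain,private"

# 3. Block the connection: the same program may not connect outbound while the
#    adapter is on a public network.
netsh advfirewall firewall add rule name="Example App (TCP-Out, public block)" `
    dir=out action=block program="C:\Program Files\ExampleApp\app.exe" `
    profile=public

# As the environment changes, rules can be disabled rather than deleted.
netsh advfirewall firewall set rule name="Example App (TCP-Out, public block)" new enable=no

# Review what was written, including the profile and interface-type scoping.
netsh advfirewall firewall show rule name="Example App (TCP-In)" verbose
```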


Additional references

Understanding Firewall Rules (http://go.microsoft.com/fwlink/?linkid=137808)
Configuring Firewall Rules

Understanding Connection Security Rules


Connection security involves the authentication of two computers before they begin communications and the securing of information sent between two computers. Windows Firewall with Advanced Security uses Internet Protocol security (IPsec) to achieve connection security by using key exchange, authentication, data integrity, and, optionally, data encryption.

Note: Unlike firewall rules, which operate unilaterally, connection security rules require that both communicating computers have a policy with connection security rules or another compatible IPsec policy.

Connection security rules use IPsec to secure traffic while it crosses the network. You use connection security rules to specify that connections between two computers must be authenticated or encrypted. You might still have to create a firewall rule to allow network traffic protected by a connection security rule. For more information, see Understanding Connection Security Rules (http://go.microsoft.com/fwlink/?linkid=137809) in the TechNet Library.

Understanding Firewall Profiles


A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

Profile    Description
Domain     Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
Private    Applied to a network adapter when it is connected to a network that is identified by the administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. The private profile settings should be more restrictive than the domain profile settings.
Public     Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. A public network is one that has no security devices between the computer and the Internet. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled.

Each network adapter is assigned the firewall profile that matches the detected network type. For example, if a network adapter is connected to a public network, then all traffic going to or from that network is filtered by the firewall rules associated with the public profile.

Important: Windows Server 2008 R2 and Windows 7 provide support for multiple active per-network adapter profiles. In Windows Vista and Windows Server 2008, only one profile can be active on the computer at a time. If there are multiple network adapters connected to different networks, then the profile with the most restrictive profile settings is applied to all adapters on the computer. The public profile is considered to be the most restrictive, followed by the private profile; the domain profile is considered to be the least restrictive.

If you do not alter the settings for a profile, then its default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security for all three profiles. To configure these profiles, in the Windows Firewall with Advanced Security MMC snap-in, right-click Windows Firewall with Advanced Security, and then click Properties. You can also access the properties from the Action menu, the Action pane, or the center pane, when Windows Firewall with Advanced Security is highlighted.

Additional references

Windows Firewall with Advanced Security Properties Page

Monitoring Windows Firewall with Advanced Security


The Monitoring item in the Windows Firewall with Advanced Security MMC snap-in allows you to monitor the active firewall rules and connection security rules on the computer. Policies created using the IP Security Policy snap-in cannot be viewed using Windows Firewall with Advanced Security. The overview page shows which profiles are active (domain, private, public) and the current settings for each of the active profiles.

Note: Only rules that apply to the currently active profiles are displayed. A rule for another profile might be enabled, but if the profile to which it is assigned is not active, then neither is the rule.

For more information, see Monitoring Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=137811) in the TechNet Library.


Default Settings for Windows Firewall with Advanced Security


The following tables list the default values for Internet Protocol security (IPsec) settings.

Key exchange
Setting                         Value
Key lifetimes                   480 minutes/0 sessions*
Key exchange algorithm          Diffie-Hellman Group 2
Security methods (integrity)    SHA1
Security methods (encryption)   AES-128 (primary)/3-DES (secondary)

*A session limit of zero (0) causes rekeys to be determined only by the Key lifetime (minutes) setting.

Data integrity
Setting           Value
Protocol          ESP (primary)/AH (secondary)
Data integrity    SHA1
Key lifetimes     60 minutes/100,000 kilobytes (KB)

Data encryption
Setting           Value
Protocol          ESP
Data integrity    SHA1
Data encryption   AES-128 (primary)/3-DES (secondary)
Key lifetimes     60 minutes/100,000 KB

Authentication method
Computer (Kerberos version 5) authentication is the default authentication method.

How default settings work with Group Policy


Policies created using the Windows Firewall with Advanced Security snap-in and distributed with Group Policy are applied in this order:

1. Highest precedence Group Policy object (GPO).
2. Locally defined policy settings.
3. Service defaults, as shown in the tables in this topic.

Additional references

Windows Firewall with Advanced Security

Configuring Firewall Rules


Because Windows Firewall with Advanced Security blocks all incoming unsolicited network traffic by default, you need to configure program, port, or system service rules for programs or services that are acting as servers, listeners, or peers. Program, port, and system service rules are managed on an ongoing basis as your server roles or configurations change. The roles and features that you can install by using Server Manager typically create and enable firewall rules for you when the role or feature is installed. They also remove or disable the rules when the role or feature is removed. A growing number of other, non-Microsoft programs and services also automatically configure Windows Firewall with a set of rules to permit their operation.

Important: Each filtering criterion that you add to a firewall rule adds a further level of restriction. For example, if you do not specify a program or service on the Program and Services tab, all programs and services will be allowed to connect, if their network traffic matches the other criteria in the rule. Adding more detailed criteria makes the rule progressively more restrictive and less likely to be matched.

For more information, see Configuring Firewall Rules (http://go.microsoft.com/fwlink/?linkid=137813) in the TechNet Library.

Additional references

Windows Firewall with Advanced Security
Understanding Firewall Rules

Resources for Windows Firewall with Advanced Security


For more information about Windows Firewall with Advanced Security, see the following resources on the Microsoft Web site:

Windows Firewall with Advanced Security and IPsec (http://go.microsoft.com/fwlink/?linkid=96525)
Windows Firewall with Advanced Security Deployment Guide (http://go.microsoft.com/fwlink/?linkid=98308)
Server and Domain Isolation (http://go.microsoft.com/fwlink/?linkid=95395)
IPsec (http://go.microsoft.com/fwlink/?linkid=95394)
Windows Firewall (http://go.microsoft.com/fwlink/?linkid=95393)
Windows Firewall Errors and Events for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?linkid=137360)

User Interface: Windows Firewall with Advanced Security


This section describes each of the pages in the user interface for Windows Firewall with Advanced Security.

Windows Firewall with Advanced Security Properties Page
Connection Security Rule Wizard
Connection Security Rule Properties Page
Firewall Rule Wizard
Firewall Rule Properties Page
Monitored Firewall Rules Properties Page
Monitored Connection Security Rules Properties Page
Monitored Main Mode Security Associations
Monitored Quick Mode Security Associations
Dialog Boxes

Windows Firewall with Advanced Security Properties Page


Use this dialog box to configure the basic firewall properties for each of the network profiles. You can also use the IPsec Settings tab to configure the default values for several IPsec configuration options.

To get to this dialog box

In the Windows Firewall with Advanced Security MMC snap-in, perform one of the following steps:

In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.
Select the top node in the navigation pane, and then in the center pane, in the Overview section, click Windows Firewall Properties.
Select the top node in the navigation pane, and in the Actions pane, click Properties.

Domain, Private, and Public Profile tabs


You can configure any profile, even one that is not currently being applied. If you do not alter profile settings, their default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security on all three profiles. You can configure the following settings on each profile tab:

State
State selections determine whether Windows Firewall with Advanced Security uses the profile settings and how the profile handles inbound and outbound network messages.

Firewall state
Select On (recommended) to have Windows Firewall use the settings for this profile to filter network traffic. If you select Off, Windows Firewall will not use any of the firewall rules or connection security rules for this profile.

Important: If you use Group Policy to disable Windows Firewall, or configure Windows Firewall with a rule that allows all inbound network traffic, then Windows Security Center will alert the user that there are security issues that the user should correct. If the user tries to correct the reported problem by clicking Turn on in Windows Security Center, then an error will be displayed because Windows Security Center cannot enable Windows Firewall. This can generate unwanted support calls to your help desk. If you are managing the security of the computers in your organization and do not want Windows Security Center to alert the user about security issues, then you can disable the Windows Security Center by using the Turn on Security Center (Domain PCs only) Group Policy setting found in Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Security Center.

Inbound connections
This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. You can choose the following behavior for inbound connections:

Selection               Description
Block (default)         Blocks all connections that do not have firewall rules that explicitly allow the connection.
Block all connections   Blocks all connections, regardless of any firewall rules that explicitly allow the connection.
Allow                   Allows the connection unless there is a firewall rule that explicitly blocks the connection.

Outbound connections
This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules to block the connection. You can choose the following behavior for outbound connections:

Selection         Description
Block             Blocks all connections that do not have firewall rules that explicitly allow the connection.
Allow (default)   Allows the connection unless there is a firewall rule that explicitly blocks the connection.

Caution: If you set Outbound connections to Block and then deploy the firewall policy by using a Group Policy object (GPO), computers that receive it will not receive subsequent Group Policy updates unless you first create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying the policy.

Protected network connections
Use these settings to specify which network adapters are subject to the configuration of this profile. Click Customize to display the Customize Protected Network Connections for a Firewall Profile dialog box.

Settings
Use these settings to configure settings for notifications, unicast response to multicast or broadcast traffic, and Group Policy rule merging. Click Customize to display the Customize Settings for a Firewall Profile dialog box.

Logging
Use these settings to configure how Windows Firewall with Advanced Security logs events, how big the log file can grow, and where the log file is located. Click Customize to display the Customize Logging Settings for a Firewall Profile dialog box.
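An added example, not from this help topic, that serves both the Understanding Firewall Profiles section and the profile tabs described here: the State, Inbound and Outbound connections, Settings and Logging choices of each profile as netsh advfirewall commands, with the Core Networking outbound rules enabled before outbound blocking is applied. The log file path is the Windows default location; the remaining values are the settings the topic itself describes.

```powershell
# Added example, not from the original help topic. Values that contain commas
# are quoted so that PowerShell passes them to netsh as a single argument.

# Firewall state: On for all three profiles, as the topic recommends.
netsh advfirewall set allprofiles state on

# Inbound connections = Block (default), Outbound connections = Allow (default)
# for the domain and private profiles.
netsh advfirewall set domainprofile  firewallpolicy "blockinbound,allowoutbound"
netsh advfirewall set privateprofile firewallpolicy "blockinbound,allowoutbound"

# Public profile: "Block all connections" ignores even explicit allow rules,
# which suits a network with no security device between host and Internet.
netsh advfirewall set publicprofile firewallpolicy "blockinboundalways,allowoutbound"

# Outbound connections = Block on a GPO-deployed domain profile. The Caution
# above applies: enable the predefined Core Networking outbound rules first, or
# the computers stop receiving Group Policy updates once the policy arrives.
netsh advfirewall firewall set rule group="Core Networking" dir=out new enable=yes
netsh advfirewall set domainprofile firewallpolicy "blockinbound,blockoutbound"

# Settings tab: no unicast replies to multicast or broadcast probes, notify the
# user when a program is blocked, keep merging local rules with GPO rules.
netsh advfirewall set allprofiles settings unicastresponsetomulticast disable
netsh advfirewall set allprofiles settings inboundusernotification enable
netsh advfirewall set allprofiles settings localfirewallrules enable
netsh advfirewall set allprofiles settings localconsecrules enable

# Logging tab: file location, maximum size in KB, and what gets logged.
# Dropped packets are the useful signal; allowed connections are noisy.
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 4096
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging allowedconnections disable

# Verify: which profile is active on this computer, and the effective
# settings of all three (the same information the Monitoring node shows).
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles
```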


IPsec Settings tab


Use this tab to configure the IPsec default and system-wide settings.

IPsec defaults
Use these settings to configure the key exchange, data protection, and authentication methods used by IPsec to help protect network traffic. Click Customize to display the Customize IPsec Settings dialog box.

IPsec exemptions
Use this option to determine whether network traffic containing Internet Control Message Protocol (ICMP) messages is protected by IPsec. ICMP is commonly used by network troubleshooting tools and procedures. Many network administrators exempt ICMP packets from IPsec protection to ensure that these messages are not blocked.

Important: This setting exempts ICMP from the IPsec portion of Windows Firewall with Advanced Security only. To ensure that ICMP packets are allowed through Windows Firewall, you must create and enable an inbound rule.

Note: If you enable file and printer sharing in the Network and Sharing Center, Windows Firewall with Advanced Security automatically enables firewall rules that allow commonly used ICMP packet types. However, this will also enable network features that are not related to ICMP. If you want to enable ICMP only, then create and enable a rule in Windows Firewall to allow inbound ICMP network packets.
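The two separate steps that the Important note above distinguishes, as an added example that is not part of this help topic: the IPsec exemption alone, and then the inbound firewall rule that is still needed for ICMP to pass. The rule names and the local-subnet scope are constructed for the example.

```powershell
# Added example, not from the original help topic. Rule names and the
# remoteip scope are placeholders chosen for the example.

# 1. IPsec Settings tab, IPsec exemptions: exempt ICMP from IPsec protection.
#    This only stops IPsec from demanding authentication for ICMP; it does
#    not by itself let any ICMP packet through the firewall.
netsh advfirewall set global ipsec defaultexemptions icmp

# 2. The inbound firewall rule the Important note calls for. Allowing only
#    Echo Request (ICMPv4 type 8, ICMPv6 type 128) from the local subnet
#    enables ping without turning on the whole File and Printer Sharing group.
#    Values containing commas are quoted so PowerShell passes them as one argument.
netsh advfirewall firewall add rule name="ICMPv4 Echo Request (In)" `
    dir=in action=allow protocol="icmpv4:8,any" remoteip=localsubnet `
    profile="domain,private"
netsh advfirewall firewall add rule name="ICMPv6 Echo Request (In)" `
    dir=in action=allow protocol="icmpv6:128,any" remoteip=localsubnet `
    profile="domain,private"

# Verify the exemption (shown under the IPsec section of the global settings).
netsh advfirewall show global
```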

IPsec tunnel authorization


Use this option when you have a connection security rule that creates an IPsec tunnel mode connection from a remote computer to the local computer, and you want to specify the users and computers that are permitted or denied access to the local computer through the tunnel. Select Advanced, and then click Customize to display the Customize IPsec Tunnel Authorizations dialog box. The authorizations you specify here are in effect only for those tunnel rules on which the Apply authorization option has been selected on the Customize IPsec Tunneling Settings dialog box.

Connection Security Rule Wizard


This section describes the Connection Security Rule Wizard pages in Windows Firewall with Advanced Security.

Rule Type
Endpoints
Requirements
Authentication Method
Protocols and Ports
Exempt Computers
Tunnel Type
Tunnel Endpoints Custom Configuration
Tunnel Endpoints Client-to-Gateway
Tunnel Endpoints Gateway-to-Client
Profile

Connection Security Rule Wizard: Rule Type Page


You can use the New Connection Security Rule wizard to create Internet Protocol security (IPsec) rules to meet different network security goals. Use this page to select the type of rule that you want to create. The wizard provides four predefined rule types. You can also create a custom rule.

Note: As a best practice, give each connection security rule a unique name so that you can later use the Netsh command-line tool to manage your rules. Do not name a security rule all because that name conflicts with the all keyword in the netsh command.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. The Rule Type page is displayed.

Isolation
An isolation rule restricts connections based on authentication criteria that you define. For example, you can use this rule type to isolate computers that are joined to your domain from computers that are outside your domain, such as computers on the Internet. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Requirements
Authentication Method
Profile

Authentication exemption
Use this option to create a rule that exempts specified computers from being required to authenticate, regardless of other connection security rules. This rule type is typically used to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, that this computer must communicate with before authentication can be performed. It is also used for computers that cannot use the form of authentication you configured for this policy and profile. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Exempt Computers
Profile

Note: Although the computers are exempt from authentication, network traffic from them might still be blocked by Windows Firewall unless a firewall rule allows them to connect.

Server-to-server
Use this rule type to authenticate the communications between two specified computers, between two groups of computers, between two subnets, or between a specified computer and a group of computers or a subnet. You might use this rule to authenticate the traffic between a database server and a business-layer computer, or between an infrastructure computer and another server. This rule is similar to the isolation rule type, but the Endpoints page will be displayed so that you can identify the computers that are affected by this rule. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Endpoints
Requirements
Authentication Method
Profile

Tunnel

Use this rule type to secure communications between two computers by using tunnel mode, instead of transport mode, in IPsec. Tunnel mode embeds the entire network packet in a network packet that is routed between two defined endpoints. For each endpoint, you can specify a single computer that receives and consumes the network traffic sent through the tunnel, or you can specify a gateway computer that connects to a private network onto which the received traffic is routed after the receiving tunnel endpoint extracts it from the tunnel. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Tunnel Type
Requirements
Tunnel Endpoints
Authentication Method
Profile

Custom
Use this rule type to create a rule that requires special settings. This option enables all of the wizard pages except those that are used only to create tunnel rules.

Endpoints
Requirements
Authentication Method
Protocols and Ports
Profile

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Endpoints Page


Use the settings on this wizard page to specify the computers that can participate in connections created by this connection security rule. The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2. If the local computer has an IP address that is included in one of the endpoint definitions, then it can send and receive network packets through this connection to computers that are listed in the other endpoint. An endpoint can be a single computer or a group of computers, defined by an IP address, an IP subnet address, an IP address range, or a predefined set of computers identified by role: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select either Server-to-server or Custom, and then click Next.

Which computers are in Endpoint 1?


Use this section to define the computers that are part of Endpoint 1 and can use this rule to communicate with the computers that are part of Endpoint 2.

Any IP address
Select this option to specify that Endpoint 1 consists of any computer that needs to communicate with a computer in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.

These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Addresses dialog box to create or modify your entries.

Customize the interface types to which this rule applies


Click Customize to display the Customize Interface Types dialog box to select the network adapter types to which this rule applies. The default is to apply this rule to all network adapters of any type.

Which computers are in Endpoint 2?


Use this section to define the computers that are part of Endpoint 2 and can use this rule to communicate with the computers that are part of Endpoint 1.

Any IP address
Select this option to specify that Endpoint 2 consists of any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and is subject to its authentication requirements.

These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Addresses dialog box to create or modify your entries.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are in Endpoint 1 or Endpoint 2, click the Computers tab. To change the interface types to which this rule applies, click the Advanced tab, and then under Interface types, click Customize.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Requirements Page


Use the settings on this wizard page to specify how authentication is applied to inbound and outbound connections that match this connection security rule. If you request authentication, then the connection is allowed even if authentication fails. If you require authentication, then the connection is dropped if authentication fails. Use the Authentication Method page of the wizard to configure the credentials used for authentication. Some of the following options appear only when you are configuring certain rule types.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. Click Next until you reach the Requirements page.

Request authentication for inbound and outbound connections


Select this option to specify that all inbound and outbound traffic is authenticated if possible, but that the connection is allowed if authentication fails. This option is typically used in either a low-security environment or an environment with computers that must be able to connect, but cannot perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for computers that are in the boundary zone.

Require authentication for inbound connections and request authentication for outbound connections
Select this option to require that all inbound traffic is authenticated. If inbound traffic fails authentication, then the connection is blocked. Outbound traffic is authenticated if possible, but the traffic is allowed if authentication fails. This option is used most in IT environments in which the computers that must be able to connect can perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for client computers that are part of the main isolation zone in the domain.

Require authentication for inbound and outbound connections


Use this option to require that all inbound and outbound traffic is authenticated. If any network traffic fails authentication, then it is blocked. This option is typically used in higher-security IT environments where traffic flow must be secured and controlled and where the computers that must be able to connect can perform the types of authentication available with Windows Firewall with Advanced Security. In a server and domain isolation environment, this option is typically used for servers in the main isolation zone in the domain.

Require authentication for inbound connections. Do not establish tunnels for outbound connections
Use this option when creating a tunnel mode rule on a computer that serves as a tunnel endpoint for remote clients, to specify that the tunnel only applies to inbound network traffic from the clients. The server can make outbound connections that are not affected by this rule.

Note: This option appears only when you select Tunnel on the Rule Type page and either Custom configuration or Gateway-to-client on the Tunnel Type page.

Do not authenticate
Use this option to create an authentication exemption rule for connections to computers that do not require Internet Protocol security (IPsec) protection.

Note: This option appears when you select Custom on the Rule Type page or when you select Tunnel on the Rule Type page, and then select either Custom or Client-to-gateway on the Tunnel Type page.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the authentication requirements for this rule, click the Authentication tab.
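The same requirement choices can be made from the command line with the Netsh command-line tool mentioned elsewhere in this help. The following is an added example, not part of the Windows help text: it maps each option on the Requirements page to a netsh advfirewall consec action value and creates one rule per option. The action values, the predefined endpoint keywords and the use of a comma-separated endpoint list are assumptions taken from the netsh help output; confirm them with `netsh advfirewall consec add rule ?` on your build.

```powershell
# Added example; not part of the Windows help text. Creates connection security
# rules with netsh advfirewall consec, mapping each Requirements-page option to
# its action= value. ASSUMPTION: parameter names and values are as shown by
#   netsh advfirewall consec add rule ?
# on Windows 7 / Windows Server 2008 R2. Run from an elevated PowerShell prompt.

# Requirements-page option  -> netsh action= value
$RequirementToAction = @{
    RequestInRequestOut = 'requestinrequestout'  # Request authentication for inbound and outbound
    RequireInRequestOut = 'requireinrequestout'  # Require for inbound, request for outbound
    RequireInRequireOut = 'requireinrequireout'  # Require authentication for inbound and outbound
    NoAuthentication    = 'noauthentication'     # Do not authenticate (authentication exemption)
}

function New-ConsecRule {
    param(
        # Rule names must be unique and must not be "all", which is a netsh keyword.
        # Names are kept free of spaces because PowerShell's quoting of arguments
        # that contain spaces is not handled reliably by netsh's own parser.
        [Parameter(Mandatory)] [ValidatePattern('^\S+$')] [string] $Name,
        [Parameter(Mandatory)]
        [ValidateSet('RequestInRequestOut', 'RequireInRequestOut',
                     'RequireInRequireOut', 'NoAuthentication')]
        [string] $Requirement,
        # Endpoint values take the same forms as the IP Address dialog box:
        # any, localsubnet, dns, dhcp, wins, defaultgateway, an address, subnet or range.
        [string] $Endpoint1 = 'any',
        [string] $Endpoint2 = 'any',
        [ValidateSet('any', 'tcp', 'udp')] [string] $Protocol = 'any',
        [string] $Port2 = 'any',          # only meaningful when protocol is tcp or udp
        [string] $RuleProfile = 'domain', # domain, private, public or any; comma-separate to combine
        [switch] $Apply                   # without -Apply the command is shown, not run
    )
    if ($Name -ieq 'all') { throw "'all' is reserved by netsh; choose another rule name." }

    $netshArgs = @(
        'advfirewall', 'consec', 'add', 'rule',
        "name=$Name",
        "endpoint1=$Endpoint1",
        "endpoint2=$Endpoint2",
        "action=$($RequirementToAction[$Requirement])",
        "profile=$RuleProfile"
    )
    if ($Protocol -ne 'any') {
        # Port numbers are only accepted for TCP or UDP, as on the Protocols and Ports page.
        $netshArgs += "protocol=$Protocol"
        $netshArgs += "port2=$Port2"
    }
    if ($Requirement -ne 'NoAuthentication') {
        # Computer (Kerberos V5) as the first authentication method; an exemption
        # rule has no authentication method at all.
        $netshArgs += 'auth1=computerkerb'
    }
    if ($Apply) { & netsh.exe @netshArgs } else { "netsh $($netshArgs -join ' ')" }
}

# Boundary zone: authenticate when the peer can, but do not drop peers that cannot.
New-ConsecRule -Name BoundaryZone-Request -Requirement RequestInRequestOut

# Main isolation zone, client computers.
New-ConsecRule -Name IsolationZone-Clients -Requirement RequireInRequestOut

# Main isolation zone, servers: every connection in and out must authenticate.
New-ConsecRule -Name IsolationZone-Servers -Requirement RequireInRequireOut

# Exemption for infrastructure this host must reach before it can authenticate at all,
# using the predefined address keywords (the comma list is an assumption; see lead-in).
New-ConsecRule -Name Exempt-Infrastructure -Requirement NoAuthentication -Endpoint2 'dns,dhcp'

# Review the result. "all" here is the keyword the help tells you not to use as a rule name.
netsh advfirewall consec show rule name=all
```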

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Authentication Method Page


Use these settings to configure the type of authentication used by this connection security rule.

Note: Not all of the authentication methods listed here are available for all connection security rule types. The authentication methods available for the rule type are displayed on the Authentication Method page of the New Connection Security Rule Wizard and on the Authentication tab on the Connection Security Rule Properties page. For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. Click Next until you reach the Authentication Method page.

Default
This option is available only when you specify an Isolation or Custom rule type. Select this option to use the authentication method currently displayed on the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under Authentication Method. For more information about customizing the default options, see Dialog Box: Customize IPsec Settings.

Computer and user (Kerberos V5)


This option is available only when you specify an Isolation or Custom rule type. Select this option to use both computer and user authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) for first authentication and User (Kerberos V5) for second authentication, and then clearing both First authentication is optional and Second authentication is optional.

Computer (Kerberos V5)


This option is available only when you specify an Isolation or Custom rule type. Select this option to use computer authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) for first authentication, and then selecting Second authentication is optional.

Computer certificate
This option is available only when you specify a Server-to-server or Tunnel rule type. Select this option to use computer authentication based on a computer certificate. It is equivalent to selecting Advanced, adding Computer certificate for first authentication, and then selecting Second authentication is optional.

Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)
Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256
Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.

ECDSA-P384
Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type


Specify the type of certificate by identifying the store in which the certificate is located.

Root CA (default)
Select this option if the certificate was issued by a root certification authority (CA) and is stored in the local computer's Trusted Root Certification Authorities certificate store.

Intermediate CA
Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.

Accept only health certificates


This option restricts the use of computer certificates to those that are marked as health certificates. Health certificates are published by a CA in support of a Network Access Protection (NAP) deployment. NAP lets you define and enforce health policies so that computers that do not comply with network requirements, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP MMC snap-in Help. To use this option, you must have a NAP server set up in the domain.

Advanced
This option is available when you specify any rule type. Select this option to configure any available authentication method. You must then click Customize and specify a list of methods for both first authentication and second authentication. For more information, see Dialog Box: Customize Advanced Authentication Methods, Dialog Box: Add or Edit First Authentication Method, and Dialog Box: Add or Edit Second Authentication Method.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the authentication methods used by this rule, select the Authentication tab.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Protocols and Ports Page


Use this wizard page to specify which protocol and which port or ports specified in a network packet match this connection security rule. Only network traffic that matches the criteria on this page and the Endpoints page matches the rule and is subject to its authentication requirements.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Custom.
3. In Steps, click Protocol and Ports.

Protocol type
Select the protocol whose network traffic you want protected by this connection security rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number. If you choose TCP or UDP from the list, then you can type the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for protocol type, then you must type the protocol identification number in Protocol number.

Endpoint 1 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 1. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Note: If the Do not authenticate option on the Requirements page has been selected for this rule, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010

Endpoint 2 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 2. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Note: If the Do not authenticate option on the Requirements page has been selected for this rule, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the protocols and port numbers, click the Protocols and Ports tab.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Exempt Computers Page


Use this wizard page to exempt computers or computer groups from being required to authenticate, regardless of other connection security rules. This rule type is commonly used to grant access to infrastructure computers that this computer must communicate with before authentication can be performed. It is also used for other computers that cannot use the form of authentication you configure for this policy and profile. Infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, might be allowed to communicate with this computer before authentication can be performed. To create an authentication exemption rule, you only need to specify the computers or a group or range of IP addresses (computers) and give the rule a name and, optionally, a description.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Authentication Exemption.
3. In Steps, click Exempt Computers.

Exempt Computers
On this wizard page, you add one or more computers or computer groups to the list to exempt them from authentication requirements. Click Add to specify computers by Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address, subnet, IP address range, or by using one of the predefined IP addresses: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses. When you click Add or Edit, the IP Address dialog box is displayed.

Note: Although the computers listed on this page are exempt from authentication, they might still be blocked by Windows Firewall unless a firewall rule allows them to connect.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are exempt, click the Computers tab. The setting that indicates that this is an exemption rule appears on the Authentication tab. Authentication mode is set to Do not authenticate.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Type Page


IPsec tunnel mode is used primarily for interoperability with routers, gateways, or end systems that do not support Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) or Point-to-Point Tunneling Protocol (PPTP) VPN tunneling. IPsec tunnel mode is supported only in gateway-to-gateway tunneling scenarios and for certain server-to-server or server-to-gateway configurations. IPsec tunnel mode is not supported for remote access VPN scenarios. L2TP/IPsec or PPTP should be used for remote access VPN connections. An IPsec tunnel must be defined at both ends of the connection. At each end, the entries for the local tunnel computer and remote tunnel computer must be swapped (because the local computer at one end of the tunnel is the remote computer at the other end, and vice versa). Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which L2TP cannot be used. If you are using L2TP for remote communications, no IPsec tunnel configuration is required because the client and server VPN components of this version of Windows create the rules to secure L2TP traffic automatically.

Use this wizard page to configure the type of IPsec tunnel that you want to create. An IPsec tunnel is typically used to connect a private network behind a gateway to either a remote client or a remote gateway with another private network. IPsec tunnel mode protects a data packet by encapsulating the entire data packet inside an IPsec-protected packet and then routing the IPsec-protected packet between the tunnel endpoints. When it arrives at the destination endpoint, the data packet is extracted and then routed to its final destination.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, select Tunnel Type.

Custom configuration
Select this option to enable all of the endpoint configuration options on the Tunnel Endpoints Custom Configuration page. You can specify the IP addresses of the computers that serve as the tunnel endpoints and the computers that are located on private networks behind each tunnel endpoint. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration.

Client-to-gateway
Select this option if you want to create a rule for a client computer that must connect to a remote gateway and the computers behind the gateway on a private network. When the client sends a network packet to a computer on the remote private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the remote gateway address. The gateway extracts the packet and then routes it on the private network to the destination computer. If you select this option, then only the public IP address of the gateway computer and the IP addresses of the computers on the private network can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway.

Gateway-to-client
Select this option if you want to create a rule for a gateway computer that is attached to both a private network and a public network from which it receives network traffic from remote clients. When the client sends a network packet to a computer on the private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the public IP address of this gateway computer. When the gateway computer receives the packet, it extracts the packet and then routes it on the private network to the destination computer. When a computer on the remote private network needs to reply to the client computer, the data packet is routed to the gateway computer. The gateway computer embeds the data packet inside an IPsec packet that is addressed to the remote client computer, and then routes the IPsec packet over the public network to the remote client computer. If you select this option, then only the addresses of computers on the private network and the public IP address of the gateway computer can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Gateway-to-Client.

Exempt IPsec-protected connections


Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule.

Yes
Select this option if the connection is already protected by another connection security rule and you do not want the network packet to go through the IPsec tunnel. Any network traffic that is protected by the Encapsulating Security Payload (ESP) protocol, including ESP Null, is prevented from traversing the tunnel.

No
Select this option if you want all network packets that match the tunnel rule to go through the tunnel even when they are protected by another connection security rule.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration


Use this wizard page to configure the endpoint options for an IPsec tunnel rule. If you select Custom configuration on the Tunnel Type page, you can configure all of the details of the tunnel on the Tunnel Endpoints page. The following diagram shows the components that you can configure by using this wizard page.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, click Tunnel Type, and then select Custom configuration.
4. Click Next until you reach the Tunnel Endpoints page.

Which computers are in Endpoint 1?


Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

What is the local tunnel endpoint (closest to the computers in Endpoint 1)?
The local tunnel endpoint is the gateway to which a computer in Endpoint 1 sends network packets that are addressed to a computer in Endpoint 2. The local tunnel endpoint accepts a network packet from a computer in Endpoint 1, and then encapsulates it in a new network packet that is addressed and routed to the remote tunnel endpoint. The remote tunnel endpoint extracts the encapsulated original packet, places it on the network connected to the computers in Endpoint 2, and then routes the packet to its final destination. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both. To add an address, click Edit, and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important: If you specify Any, then the computer in Endpoint 1 is also the local tunnel endpoint for the connection. The Endpoint 1 computer encapsulates and routes its own network packets to the remote tunnel endpoint, which extracts and routes the data to the destination computer in Endpoint 2.

Note: The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.

Apply IPsec tunnel authorization


Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps. Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To specify users and computers that are authorized or denied permission to send network traffic through the tunnel
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.
2. In Overview, click Windows Firewall Properties.
3. Select the IPsec Settings tab.
4. In IPsec tunnel authorization, click Advanced, and then click Customize.
5. Add users and computers to the lists, as appropriate for your design.

For more information, see Dialog Box: Customize IPsec Tunnel Authorization.

What is the remote tunnel endpoint (closest to the computers in Endpoint 2)?
The remote tunnel endpoint is the gateway to which the local tunnel endpoint sends network packets that are addressed to a computer in Endpoint 2. The remote tunnel endpoint receives a network packet from the local tunnel computer, extracts the encapsulated original packet, and then routes it to the destination computer in Endpoint 2. You can specify an IPv4 address, an IPv6 address, or both. To add an address, click Edit and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important: If you specify Any, then the computer in Endpoint 2 that is receiving the data also serves as the remote tunnel endpoint. The Endpoint 2 computer then extracts and processes the original packet.

Note: The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.

Which computers are in Endpoint 2?


Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are in Endpoint 1 and Endpoint 2, select the Computers tab. To change the authorization setting or the computers that serve as tunnel endpoints, select the Advanced tab, and then under IPsec tunneling, click Customize.
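The Tunnel Type page requires the tunnel to be defined at both ends with the local and remote entries swapped, and this page requires the IP version to match at both ends. The following is an added example, not part of the Windows help text, that builds the Netsh equivalent of a Custom configuration tunnel rule for both gateways from one topology description and refuses mismatched IP versions. The site names, addresses and CA name are constructed sample values, and the netsh parameter names (mode, localtunnelendpoint, remotetunnelendpoint, auth1ca, applyauthz, exemptipsecprotectedconnections) are assumptions taken from the netsh help output; confirm them with `netsh advfirewall consec add rule ?`.

```powershell
# Added example; not part of the Windows help text. Generates the netsh
# advfirewall consec tunnel-mode rule for BOTH gateways of a gateway-to-gateway
# tunnel so that the local/remote tunnel entries are swapped at each end.
# ASSUMPTIONS: parameter names are as recalled from "netsh advfirewall consec
# add rule ?"; addresses, site names and the CA name are constructed samples.

# Constructed topology: two private networks, each behind its own gateway.
$SiteA = @{ Name = 'SiteA'; Private = '10.1.0.0/16'; Gateway = '203.0.113.10' }
$SiteB = @{ Name = 'SiteB'; Private = '10.2.0.0/16'; Gateway = '198.51.100.20' }
$RootCaDn = 'CN=CORP-ROOT-CA'   # placeholder; must be the subject of the issuing root CA

function Test-SameIpVersion {
    # True when both addresses are IPv4 or both are not (i.e. both IPv6).
    param([string] $A, [string] $B)
    $v4 = '^\d{1,3}(\.\d{1,3}){3}$'
    ($A -match $v4) -eq ($B -match $v4)
}

function Get-TunnelRuleArgs {
    param(
        [Parameter(Mandatory)] [hashtable] $Local,   # the site this gateway protects
        [Parameter(Mandatory)] [hashtable] $Remote,  # the other site
        [switch] $ApplyAuthorization,                # "Apply IPsec tunnel authorization"
        [switch] $ExemptProtected                    # "Exempt IPsec-protected connections": Yes
    )
    # The help requires the IP version to match at both ends of the tunnel.
    if (-not (Test-SameIpVersion $Local.Gateway $Remote.Gateway)) {
        throw 'Local and remote tunnel endpoints must use the same IP version.'
    }
    @(
        'advfirewall', 'consec', 'add', 'rule',
        "name=Tunnel_$($Local.Name)_to_$($Remote.Name)",  # no spaces: simpler netsh quoting
        'mode=tunnel',
        "endpoint1=$($Local.Private)",              # Which computers are in Endpoint 1?
        "localtunnelendpoint=$($Local.Gateway)",    # local tunnel endpoint (closest to Endpoint 1)
        "remotetunnelendpoint=$($Remote.Gateway)",  # remote tunnel endpoint (closest to Endpoint 2)
        "endpoint2=$($Remote.Private)",             # Which computers are in Endpoint 2?
        'action=requireinrequireout',               # every packet through the tunnel authenticates
        'auth1=computercert',                       # Computer certificate, RSA (default) signing
        "auth1ca=$RootCaDn",                        # Root CA is the default certificate store type
        "applyauthz=$(if ($ApplyAuthorization) { 'yes' } else { 'no' })",
        "exemptipsecprotectedconnections=$(if ($ExemptProtected) { 'yes' } else { 'no' })"
    )
}

# Gateway A's rule and gateway B's rule come from the same topology with the
# Local/Remote roles exchanged; nothing else differs between the two ends.
$ruleOnA = Get-TunnelRuleArgs -Local $SiteA -Remote $SiteB -ApplyAuthorization
$ruleOnB = Get-TunnelRuleArgs -Local $SiteB -Remote $SiteA -ApplyAuthorization

"On gateway A run: netsh $($ruleOnA -join ' ')"
"On gateway B run: netsh $($ruleOnB -join ' ')"

# On each gateway, from an elevated prompt, apply that gateway's own rule, e.g.:
#   & netsh.exe @ruleOnA
```

Mixing an IPv4 gateway with an IPv6 gateway in either hashtable makes Get-TunnelRuleArgs throw before any rule is produced, which is the check the Note on this page asks you to make by hand.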

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway


Select Client-to-gateway on the Tunnel Type page if the connection security rule is for a client computer that must communicate with a remote gateway and the computers behind the gateway on a private network. You can use this page to configure the IP address of the remote tunnel endpoint (the gateway) and the computers that are behind the remote tunnel endpoint on a private network. The following figure shows the components that you can configure by using this wizard page.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, click Tunnel Type, and then select Client-to-gateway.
4. Click Next until you reach the Tunnel Endpoints page.

Client
This option is set to My IP address and cannot be changed.

Note: In this scenario, the client computer is serving as the only computer in Endpoint 1 and is also the local tunnel endpoint.

Gateway
The gateway is the computer to which the client sends packets that are addressed to a computer in the remote endpoint. The gateway receives a network packet from the client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 2. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both.

Notes: The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway. The gateway computer is referred to as the remote tunnel endpoint on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

What are the remote endpoints?


The remote endpoints are the computers at the remote end of the tunnel on the other side of the gateway that must be able to send and receive data from the client. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

Note: The gateway computer is referred to as the remote tunnel endpoint on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are accessible behind the remote tunnel endpoint, use the Computers tab and configure the settings for Endpoint 2. To change the remote tunnel endpoint (the gateway), from the Advanced tab, under IPsec Tunneling, click Customize, and then modify the Remote tunnel endpoint.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Endpoints Page - Gateway-to-Client


Select Gateway-to-client on the Tunnel Type page if the connection security rule is for a computer that will be the local tunnel endpoint (gateway) to the computers on a private network. You can use this page to configure the IP addresses of the remote clients that can establish a tunnel to this gateway, and the computers that are behind the gateway on the private network. The following figure shows the components that you can configure by using this wizard page.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select Tunnel.
3. In Steps, click Tunnel Type, and then select Gateway-to-client.
4. Click Next until you reach the Tunnel Endpoints page.

What are the local endpoints?


The local endpoints are computers on the private network behind the gateway that must be able to send data to and receive data from the remote client through the tunnel. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Addresses dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

Note: The local endpoints are referred to as Endpoint 1 on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

Gateway
The local tunnel endpoint is the computer to which the remote client sends packets that are addressed to a computer in Endpoint 1. The local tunnel computer receives a network packet from the remote client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 1. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both.

Note: The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway.

Client
This option is set to Any IP address and cannot be changed. The client computer in this scenario is both the remote tunnel endpoint and the only computer in Endpoint 2.

How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are accessible behind the local tunnel endpoint, use the Computers tab and configure the settings for Endpoint 1. To change the local tunnel endpoint (the gateway), from the Advanced tab, under IPsec Tunneling, click Customize, and then change Local tunnel endpoint.


Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Profile Page


Use this wizard page to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals. This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. Click Next until you reach the Profile page.

Domain
The domain profile applies to a network when a domain controller for the local computer's domain is detected. If you select this box, then the rule applies to network traffic passing through the network adapter connected to this network.

Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.

Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as it is in an IT environment.


How to change these settings


After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the profiles to which the rule applies, select the Advanced tab.

Additional references

Connection Security Rule Wizard

Connection Security Rule Properties Page


This section describes the tabs that appear on the Connection Security Rule Properties page in Windows Firewall with Advanced Security.

General
Computers
Protocols and Ports
Authentication
Advanced

Connection Security Rule Property Page: General Tab


This tab has general information about the rule, including its name, a description, and whether the rule is enabled.

Name
Each rule must have a unique name. Do not use the name all because that name conflicts with the all keyword used by the Netsh command-line tool.

Description
We recommend that you provide a comprehensive description for your connection security rule. Include logical names of affected computers because the rule properties contain IP addresses only.

Enabled
Select this option to activate the rule. If you clear this option, then the rule is disabled, but not deleted.

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Computers Tab


Use the settings on this tab of the Connection Security Rule Properties dialog box to specify the computers that can participate in connections protected by this connection security rule. The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2. If the local computer has an IP address that is included in one of the endpoint definitions, then it can send and receive network packets through this connection to computers that are listed as part of the other endpoint. An endpoint can consist of a single computer or a group of computers, defined by an IP address, an IP subnet address, an IP address range, or a predefined set of computers identified by role: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses. The following figure shows the components that you can configure by using this tab.

To get to this tab
1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.
2. Right-click the rule you want to modify, and then click Properties.
3. Click the Computers tab.

Endpoint 1
Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove. If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 1 is set to Any IP address. If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 1 consists of the IP addresses of the computers on the private network behind the local tunnel endpoint (the gateway).

Any IP address
Select this option to specify that Endpoint 1 includes any computer that needs to communicate with a computer that is in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.

These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.

Endpoint 2
Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove. If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 2 consists of the IP addresses of the computers on the private network behind the remote tunnel endpoint (the gateway). If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 2 is set to Any IP address.

Any IP address
Select this option to specify that Endpoint 2 includes any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and is subject to its authentication requirements.

These IP addresses
Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Protocols and Ports Tab


Use this tab of the Connection Security Rule Properties dialog box to specify which protocols and ports in a network packet match this connection security rule. Only network traffic that matches the criteria on both this tab and the endpoints on the Computers tab matches the rule and is subject to its authentication requirements.

To get to this tab
1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.
2. Right-click the rule that you want to modify, and then click Properties.
3. Click the Protocols and Ports tab.

Protocol type
Select the protocol whose network traffic will be protected by this connection security rule. If the protocol you want is not in the list, select Custom, and type the protocol number in Protocol number. If you choose TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.

Endpoint 1 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 1. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Note
If this rule has Do not authenticate on the Authentication tab, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010

Endpoint 2 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 2. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Note
If this rule has Do not authenticate on the Authentication tab, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Authentication Tab


Use this tab of the Connection Security Rule Properties dialog box to specify the authentication requirements and protocols that are used to protect network traffic that matches this rule.

To get to this tab
1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.
2. Right-click the rule that you want to modify, and then click Properties.
3. Click the Authentication tab.

Requirements
Under Authentication mode, select one of the following options to indicate whether authentication of network traffic is required or requested.


Do not authenticate
Select this option to make the rule an authentication exemption rule. Network traffic that matches this rule is not authenticated by Internet Protocol security (IPsec) on this computer. The option is also valid on tunnel mode rules that are created by using the Custom Configuration or Client-to-Gateway options.

Request inbound and outbound
Connections are authenticated if possible, but the connections are allowed if authentication fails.

Require inbound and request outbound
All inbound network connections must be authenticated or they fail. Outbound connections are authenticated if possible, but are allowed if authentication fails.

Require inbound and outbound
Only connections that are authenticated are allowed.

Require inbound and clear outbound
All inbound network connections must be authenticated or they fail. Outbound connections are not authenticated.

Security Note
We recommend that you use this setting only when required on an IPsec gateway that must be able to initiate communications with computers that cannot use IPsec on the Internet.

Method
Use these settings to configure the type of authentication used by this connection security rule. For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230). If you choose Advanced, then you must click Customize and add the authentication methods by using the Customize Advanced Authentication Methods dialog box.
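The Computers, Protocols and Ports and Authentication tabs above map directly onto the netsh advfirewall consec command that the General tab's warning about the name "all" refers to. The following is an added example, not code from the original help page: it creates a transport-mode connection security rule from those three groups of settings and enforces two of the page's own caveats before netsh is called (no rule named "all"; port ranges only on authentication exemption rules). The subnet 10.20.30.0/24, the domain controller addresses, the rule names, and the assumption that the hosts are domain members (so Kerberos computer authentication, auth1=computerkerb, is available) are hypothetical. Run it from an elevated PowerShell prompt; -DryRun returns the command line instead of executing it.

```powershell
# Added example (not part of the original help page). Builds and runs
# "netsh advfirewall consec add rule" for a transport-mode rule.
# Hypothetical: addresses, rule names, Kerberos (domain member) authentication.

# Authentication tab option -> netsh "action" keyword
$AuthModes = @{
    'Do not authenticate'                  = 'noauthentication'
    'Request inbound and outbound'         = 'requestinrequestout'
    'Require inbound and request outbound' = 'requireinrequestout'
    'Require inbound and outbound'         = 'requireinrequireout'
    'Require inbound and clear outbound'   = 'requireinclearout'
}

function New-ConsecTransportRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Endpoint1,  # address, subnet, range, or any/localsubnet/dns/dhcp/wins/defaultgateway
        [Parameter(Mandatory)] [string] $Endpoint2,
        [ValidateSet('Do not authenticate', 'Request inbound and outbound',
                     'Require inbound and request outbound',
                     'Require inbound and outbound',
                     'Require inbound and clear outbound')]
        [string] $AuthMode = 'Require inbound and request outbound',
        [string] $Protocol = 'any',   # tcp, udp, icmpv4, icmpv6, any, or a protocol number
        [string] $Port1 = 'any',      # Endpoint 1 port (TCP/UDP only)
        [string] $Port2 = 'any',      # Endpoint 2 port (TCP/UDP only)
        [string] $Profile = 'domain',
        [switch] $DryRun
    )

    # "all" is a netsh keyword and must not be used as a rule name (General tab).
    if ($Name -eq 'all') { throw 'A connection security rule cannot be named "all".' }

    # Port ranges (low-high) are accepted only on authentication exemption rules
    # (Protocols and Ports tab note); catch the mistake before netsh does.
    if (($Port1 + ' ' + $Port2) -match '-' -and $AuthMode -ne 'Do not authenticate') {
        throw 'Port ranges are only allowed when the rule is set to Do not authenticate.'
    }

    # Clear-outbound is meant for IPsec gateways that must reach non-IPsec hosts.
    if ($AuthMode -eq 'Require inbound and clear outbound') {
        Write-Warning "Rule '$Name': outbound connections matching this rule are not authenticated."
    }

    $netshArgs = @(
        'advfirewall', 'consec', 'add', 'rule',
        "name=$Name",
        "endpoint1=$Endpoint1", "endpoint2=$Endpoint2",
        "action=$($AuthModes[$AuthMode])",
        "protocol=$Protocol", "port1=$Port1", "port2=$Port2",
        "profile=$Profile", 'mode=transport'
    )
    # An exemption rule authenticates nothing, so it takes no authentication method.
    if ($AuthMode -ne 'Do not authenticate') { $netshArgs += 'auth1=computerkerb' }

    if ($DryRun) {
        # Quote values containing spaces the way they would be typed at a prompt.
        return 'netsh ' + (($netshArgs | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }) -join ' ')
    }
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for '$Name' (exit code $LASTEXITCODE)" }
}

# Endpoint 1 = the file servers, which must authenticate inbound SMB (TCP 445
# on their side); Endpoint 2 = any client. Other traffic is not matched.
New-ConsecTransportRule -Name 'SMB to file servers' `
    -Endpoint1 '10.20.30.0/24' -Endpoint2 'any' `
    -Protocol 'tcp' -Port1 '445' -AuthMode 'Require inbound and request outbound' -DryRun

# Exemption: Kerberos traffic to the domain controllers must never depend on
# IPsec, or computers cannot obtain the tickets the first rule relies on.
New-ConsecTransportRule -Name 'Exempt domain controllers' `
    -Endpoint1 'any' -Endpoint2 '10.20.1.10,10.20.1.11' `
    -AuthMode 'Do not authenticate' -DryRun
```

The second call is the netsh form of the "Do not authenticate" option: an exemption rule for the computers that IPsec authentication itself depends on. Without it, a "Require inbound" rule that covers the domain controllers locks every computer out of the authentication it needs.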

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Advanced Tab


Use the settings on this tab to select the network profile and interface types to which the connection security rule applies. You can also configure an IPsec tunnel between the endpoints.

To get to this tab
1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.
2. Right-click the rule that you want to modify, and then click Properties.
3. Click the Advanced tab.

Profile
Use these options to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals. This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.

Domain
The domain profile applies to a network when a domain controller for the local computer's domain is detected. If you select this check box, then the rule applies to network traffic passing through the network adapter connected to this network.

Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.

Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.

Interface types
You can use this setting to specify to which interface type this rule applies. You can create rules that apply to certain interface types only. For example, if you specify only the wireless interface type for this rule, then Windows Firewall with Advanced Security will take the action specified by the rule for wireless traffic. The default setting is All interface types. Click Customize to select either all interface types or specific interface types.

IPsec tunneling
You can use this setting to create a rule that uses IPsec tunnel mode to establish a connection between two tunnel endpoints. Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which Layer Two Tunneling Protocol (L2TP) cannot be used. If you are using L2TP for remote communications, no tunnel configuration is required because the client and server virtual private network (VPN) components of this version of Windows create the rules to secure L2TP traffic automatically. To configure the tunnel endpoints, click Customize, and then provide the required information in the Customize IPsec Tunneling Settings dialog box.
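The tunnel endpoint settings described earlier on the Tunnel Endpoints page (Gateway-to-Client) and the profile, interface type and IPsec tunneling settings on this Advanced tab can all be set from netsh advfirewall consec. The following is an added example, not code from the original help page: it creates the gateway-side and client-side tunnel rules and applies the IP-version check from the Note on the Tunnel Endpoints page before netsh is called. The gateway address 203.0.113.10, the private network 10.20.0.0/16, the rule names and the CA name are hypothetical, as is the choice of certificate authentication (Internet clients cannot reach a domain controller for Kerberos before the tunnel exists). Run it from an elevated PowerShell prompt; -DryRun returns the command line instead of executing it.

```powershell
# Added example (not part of the original help page). Tunnel-mode connection
# security rules via "netsh advfirewall consec add rule".
# Hypothetical: gateway 203.0.113.10, network 10.20.0.0/16, CA name, rule names.

# 'v4' or 'v6' for an address, subnet (a.b.c.d/n) or range (a-b); $null for the
# version-neutral keywords any/localsubnet/dns/dhcp/wins/defaultgateway.
function Get-IPVersion([string] $Spec) {
    if ('any','localsubnet','dns','dhcp','wins','defaultgateway' -contains $Spec.ToLower()) { return $null }
    $first = ($Spec -split '[/-]')[0]
    $ip = [System.Net.IPAddress]::None
    if (-not [System.Net.IPAddress]::TryParse($first, [ref] $ip)) { throw "Not an IP address or subnet: $Spec" }
    if ($ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) { 'v6' } else { 'v4' }
}

# Both tunnel endpoints and the endpoints behind them must use one IP version.
function Assert-SameIPVersion([string[]] $Specs) {
    $seen = @($Specs | ForEach-Object { Get-IPVersion $_ } | Where-Object { $_ } | Sort-Object -Unique)
    if ($seen.Count -gt 1) { throw "Tunnel mixes IPv4 and IPv6: $($Specs -join ', ')" }
}

function New-ConsecTunnelRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Endpoint1,            # computers at the local end
        [Parameter(Mandatory)] [string] $Endpoint2,            # computers at the remote end
        [Parameter(Mandatory)] [string] $LocalTunnelEndpoint,  # this gateway's address, or any on a client
        [Parameter(Mandatory)] [string] $RemoteTunnelEndpoint, # the peer gateway, or any when the peers are clients
        [string] $Profile = 'any',           # domain, private, public or a comma-separated list
        [string] $InterfaceType = 'any',     # wireless, lan, ras or any
        [switch] $DryRun
    )
    Assert-SameIPVersion @($Endpoint1, $Endpoint2, $LocalTunnelEndpoint, $RemoteTunnelEndpoint)

    $netshArgs = @(
        'advfirewall', 'consec', 'add', 'rule', "name=$Name",
        "endpoint1=$Endpoint1", "endpoint2=$Endpoint2",
        'mode=tunnel',
        "localtunnelendpoint=$LocalTunnelEndpoint",
        "remotetunnelendpoint=$RemoteTunnelEndpoint",
        'action=requireinrequireout',      # a tunnel that admits unauthenticated traffic protects nothing
        'auth1=computercert',               # computer certificate authentication
        'auth1ca=CN=Contoso Root CA',       # hypothetical issuing CA
        "profile=$Profile", "interfacetype=$InterfaceType"
    )
    if ($DryRun) {
        return 'netsh ' + (($netshArgs | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }) -join ' ')
    }
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for '$Name' (exit code $LASTEXITCODE)" }
}

# On the gateway (Gateway-to-Client): Endpoint 1 is the private network behind
# the local tunnel endpoint; Endpoint 2 and the remote tunnel endpoint are
# "any" because any client may connect and is its own remote endpoint.
New-ConsecTunnelRule -Name 'Gateway to client' `
    -Endpoint1 '10.20.0.0/16' -Endpoint2 'any' `
    -LocalTunnelEndpoint '203.0.113.10' -RemoteTunnelEndpoint 'any' `
    -Profile 'domain' -DryRun

# On a client (Client-to-Gateway): Endpoint 1 is the client itself (any),
# Endpoint 2 is the network behind the remote tunnel endpoint; apply the rule
# only on public and private networks, where the tunnel is actually needed.
New-ConsecTunnelRule -Name 'Client to gateway' `
    -Endpoint1 'any' -Endpoint2 '10.20.0.0/16' `
    -LocalTunnelEndpoint 'any' -RemoteTunnelEndpoint '203.0.113.10' `
    -Profile 'public,private' -DryRun

# An IPv6 network behind an IPv4 gateway is rejected before netsh sees it.
try {
    New-ConsecTunnelRule -Name 'Mismatched' -Endpoint1 'any' -Endpoint2 '2001:db8:20::/48' `
        -LocalTunnelEndpoint 'any' -RemoteTunnelEndpoint '203.0.113.10' -DryRun
} catch { Write-Warning $_ }
```

The version check is stricter than the wizard, which only validates the two tunnel endpoints against each other; it also covers the endpoints behind each gateway, which is what the Note on the Tunnel Endpoints page requires.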

Additional references

Connection Security Rule Properties Page

Firewall Rule Wizard


This section describes the pages on the Inbound and Outbound Firewall Rule Wizard in Windows Firewall with Advanced Security.

Rule Type
Program
Protocol and Ports (Port Rule Type)
Protocol and Ports (Custom Rule Type)
Predefined Rules
Scope
Action
Users
Computers
Profile

Firewall Rule Wizard: Rule Type Page


Windows Firewall with Advanced Security provides four basic types of firewall rules. By using one of these firewall rule types, you can create exceptions to explicitly allow or explicitly deny a connection through Windows Firewall. The same wizard and property pages are used to create both inbound and outbound rules. The choice you make on this page determines which pages are displayed by the Firewall Rule Wizard. You can change the settings for any firewall rule after you create it. To make these changes, right-click the firewall rule in the results pane, and then select Properties.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New Rule.
2. The Rule Type page is displayed.

Program
Use this type of firewall rule to allow a connection based on the program that is trying to connect. This is an easy way to allow connections for Microsoft Outlook or other programs. It is also useful if you are not sure of the port or other settings required to allow access. You only need to specify the path to the program executable (.exe) file. By default, the program is allowed to accept connections on any port. To restrict a program rule to allow traffic on specified port numbers only, after you create the rule, use the Protocols and Ports tab to change the rule properties.

Port
Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You can specify the protocol (either TCP or UDP) and the local ports. You can specify more than one port number. By default, any program currently running on the computer can accept network traffic on a port opened with this type of rule. To restrict the open port to a specified program only, after you create the rule, use the Programs and Services tab to change the rule properties.

Predefined
Use this type of firewall rule to allow a connection by selecting one of the programs or services from the list. Most of the well known services and programs available on computers running this version of Windows appear in this list. Network programs that you install typically add their own entries to this list so that you can enable and disable them as a group.

Custom
Use this type to create a firewall rule that allows or blocks a connection based on criteria not covered by the other rule types, such as a protocol other than TCP or UDP, a service, or a specific set of local and remote IP addresses.
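Each of the four rule types has a netsh advfirewall firewall equivalent, and the "tighten after creation" steps the Program and Port descriptions mention (restricting a program rule to ports, binding a port rule to a program) are netsh "set rule ... new" commands. The following is an added example, not code from the original help page. The program paths, rule names and ports are hypothetical; "Remote Event Log Management" is one of the predefined groups that appear in the Rule Type page list. Run it from an elevated PowerShell prompt; with -DryRun it only prints the commands.

```powershell
# Added example (not part of the original help page). The four Rule Type
# options as netsh commands, each followed by the narrowing step the text
# describes. Hypothetical: program paths, rule names, ports, peer address.
param([switch] $DryRun)

function Invoke-Netsh {
    param([Parameter(Mandatory)] [string[]] $NetshArgs)
    # Show arguments with spaces quoted, as they would be typed at a prompt.
    $shown = $NetshArgs | ForEach-Object { if ($_ -match '\s') { "`"$_`"" } else { $_ } }
    Write-Host ('netsh ' + ($shown -join ' '))
    if (-not $DryRun) {
        & netsh @NetshArgs
        if ($LASTEXITCODE -ne 0) { throw "netsh failed with exit code $LASTEXITCODE" }
    }
}

# 1. Program rule: by default the program may accept connections on any port...
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    'name=Contoso Agent (in)', 'dir=in', 'action=allow',
    'program=%ProgramFiles%\Contoso\agent.exe', 'profile=domain', 'enable=yes')

#    ...so restrict it to the one port the agent actually listens on
#    (the Protocols and Ports tab of the rule's properties).
Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule',
    'name=Contoso Agent (in)', 'new', 'protocol=tcp', 'localport=8443')

# 2. Port rule: by default any program may receive traffic on the open port...
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    'name=Contoso Web (in)', 'dir=in', 'action=allow',
    'protocol=tcp', 'localport=443', 'profile=domain,private')

#    ...so bind the open port to the one program that should own it
#    (the Programs and Services tab of the rule's properties).
Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule',
    'name=Contoso Web (in)', 'new', 'program=%ProgramFiles%\Contoso\web.exe')

# 3. Predefined rules: enable a built-in group as a unit instead of
#    re-creating its rules by hand.
Invoke-Netsh @('advfirewall', 'firewall', 'set', 'rule',
    'group=Remote Event Log Management', 'new', 'enable=yes')

# 4. Custom rule: criteria the other types cannot express, here a protocol
#    that is neither TCP nor UDP (GRE, IP protocol 47) limited to one peer.
Invoke-Netsh @('advfirewall', 'firewall', 'add', 'rule',
    'name=GRE from tunnel peer', 'dir=in', 'action=allow',
    'protocol=47', 'remoteip=198.51.100.7')

# Verify what was stored, including the program and port restrictions.
Invoke-Netsh @('advfirewall', 'firewall', 'show', 'rule', 'name=Contoso Agent (in)', 'verbose')
```

Each argument is passed to netsh as a single string (PowerShell quotes the ones containing spaces), so "name=Contoso Agent (in)" arrives intact without embedded quotation marks.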


Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Program Page


Use this wizard page to specify one of the ways in which Windows Firewall with Advanced Security matches network packets. If this and all other criteria are matched, Windows Firewall with Advanced Security will take the action that you specify on the Action page.

Note
To specify a service by using the wizard, choose the Custom option on the Rule Type page of the wizard.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select either Program or Custom.
3. Click Next through the wizard until you reach the Program page.

All programs
Use this option to match network packets sent or received by any program running on the local computer.

This program path


Use this option to match network packets going to or from a specified program. You can select the program in one of two ways:

Type the complete path to the program. You can include environment variables, where appropriate.
Click Browse and find the program in the directory.

Important
We recommend that you do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results.

Note
To specify a service in a firewall rule, use the All programs option, and then select the Programs and Services tab on the Firewall Rule Properties dialog box.
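The Important note above is easy to violate without noticing, because a path such as %USERPROFILE%\Apps\sync.exe looks valid in the console. The following is an added example, not code from the original help page: an audit that parses the output layout of "netsh advfirewall firewall show rule name=all verbose" and reports every rule whose program path depends on a variable that only exists inside a user's logon session. The rule text embedded below is a constructed sample in that layout (two rules, abbreviated); set $Live to $true to read the real rule set instead. The list of per-user variable names is an assumption of the example, not something the page defines.

```powershell
# Added example (not part of the original help page). Flags firewall rules
# whose program path uses per-user environment variables, which the firewall
# service cannot resolve because it does not run as that user.

# Variables that only have a meaning inside a user's logon session (assumed list).
$PerUserVariables = 'USERPROFILE', 'APPDATA', 'LOCALAPPDATA', 'TEMP', 'TMP',
                    'HOMEPATH', 'HOMEDRIVE', 'USERNAME', 'ONEDRIVE'

function Find-PerUserProgramPaths {
    param([Parameter(Mandatory)] [string[]] $ShowRuleOutput)

    $findings = @()
    $current = $null
    foreach ($line in $ShowRuleOutput) {
        # Each rule block starts with "Rule Name:"; "Program:" appears in verbose output.
        if ($line -match '^Rule Name:\s+(.+?)\s*$') { $current = $matches[1]; continue }
        if ($current -and $line -match '^Program:\s+(.+?)\s*$') {
            $path = $matches[1]
            # The stored path is unexpanded, so %NAME% tokens are still visible.
            $vars = [regex]::Matches($path, '%([A-Za-z0-9_]+)%') |
                    ForEach-Object { $_.Groups[1].Value.ToUpper() }
            $bad = @($vars | Where-Object { $PerUserVariables -contains $_ } | Sort-Object -Unique)
            if ($bad.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Rule      = $current
                    Program   = $path
                    Variables = ($bad -join ',')
                }
            }
        }
    }
    return $findings
}

# Constructed sample in the layout of "show rule ... verbose" (abbreviated).
$Sample = @'
Rule Name:                            Contoso Agent (in)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Program:                              %ProgramFiles%\Contoso\agent.exe
Action:                               Allow

Rule Name:                            Sync tool (in)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Program:                              %USERPROFILE%\Apps\sync.exe
Action:                               Allow
'@ -split "`r?`n"

$Live = $false
$text = if ($Live) { & netsh advfirewall firewall show rule name=all verbose } else { $Sample }
Find-PerUserProgramPaths $text | Format-Table -AutoSize
```

On the sample only the second rule is reported, because %ProgramFiles% resolves identically for the service and for users while %USERPROFILE% does not. A rule that is reported should be rewritten with a machine-wide path (or the program moved there), since a path the service cannot resolve never matches the packets the rule was meant to allow.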

How to change these settings


After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change the program path, use the Programs and Services tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Protocol and Ports Page Port Rule Type
Use this wizard page to specify which protocol and which port or ports specified in a network packet match this firewall rule. Only network traffic that matches the criteria on this page matches the rule and is subject to its action setting.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select Port.
3. Click Next through the wizard until you reach the Protocol and Ports page.

Does this rule apply to TCP or UDP?


Select the protocol whose network traffic you want to filter with this firewall rule. If you need to filter based on a protocol other than TCP or UDP, then you must use the Custom rule type on the Rule Type page.

Inbound rules: Does this rule apply to all local ports or specific local ports?
All local ports
Use this option to apply the rule to inbound network traffic that matches any local port number.


Specific local ports


Use this option to apply the rule only to inbound network traffic that matches a local port number listed in the text box. You can specify multiple port numbers, separated by commas. You can also include a range of port numbers by separating the low and high values with a hyphen.

Outbound rules: Does this rule apply to all remote ports or specific remote ports?
All remote ports
Use this option to apply the rule to outbound network traffic that matches any destination port number.

Specific remote ports


Use this option to apply the rule only to network traffic that matches a destination port number listed in the text box. You can specify multiple port numbers, separated by commas. You can also include a range of port numbers by separating the low and high values with a hyphen.

How to change these settings


After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change the protocols and port numbers for this rule, select the Protocols and Ports tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Protocol and Ports Page Custom Rule Type
Use this wizard page to specify which protocols and ports specified in a network packet match this firewall rule.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select Custom.
3. Click Next through the wizard until you reach the Protocol and Ports page.

Protocol type
Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number. If you specify TCP or UDP, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port. For a list of the protocols, their protocol numbers, and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (http://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.

Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.

Local port
If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied. The following options are available:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.

RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming remote procedure call (RPC) requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send future network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.

Important
Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC Dynamic Ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program. When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for RPC Dynamic Ports.

IPHTTPS. Available for TCP only. Available under Local port for inbound rules only. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports embedding Internet Protocol version 6 (IPv6) packets in Internet Protocol version 4 (IPv4) HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets.
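Because the firewall cannot filter RPC by interface UUID, the controls that remain for an RPC server are the ones the two rules above can carry: binding both rules to the program (or service) that hosts the server, and limiting the remote addresses allowed to call in. The following is an added example, not code from the original help page: it creates the Endpoint Mapper rule and the dynamic-ports rule as a pair with identical program, service and scope settings, using the netsh keywords RPC-EPMap and RPC for the two Local port options. The program path, service short name, rule names and management subnet are hypothetical. Run it from an elevated PowerShell prompt; -WhatIf previews the commands.

```powershell
# Added example (not part of the original help page). Creates the two inbound
# rules an RPC server needs (Endpoint Mapper on TCP 135, RPC dynamic ports)
# with the same program, service and remote-address scope on both.
# Hypothetical: program path, service name, rule names, subnet.

function New-RpcServerRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Name,        # prefix for the two rule names
        [Parameter(Mandatory)] [string] $Program,     # executable hosting the RPC server
        [string] $Service = 'any',                    # service short name, or any
        [string[]] $RemoteIP = @('any'),              # addresses allowed to call in
        [string] $Profile = 'domain'
    )

    # Local port keywords: RPC-EPMap = RPC Endpoint Mapper (TCP 135),
    # RPC = ports assigned at run time by the RPC runtime.
    $pair = @(
        @{ Suffix = 'RPC Endpoint Mapper'; LocalPort = 'RPC-EPMap' },
        @{ Suffix = 'RPC Dynamic Ports';   LocalPort = 'RPC' }
    )

    foreach ($r in $pair) {
        $ruleName = "$Name - $($r.Suffix)"
        $netshArgs = @(
            'advfirewall', 'firewall', 'add', 'rule',
            "name=$ruleName", 'dir=in', 'action=allow', 'protocol=tcp',
            "localport=$($r.LocalPort)",
            "program=$Program",                      # only this program may receive on the opened ports
            "service=$Service",
            "remoteip=$($RemoteIP -join ',')",       # the scope stands in for the UUID filter the firewall lacks
            "profile=$Profile"
        )
        if ($PSCmdlet.ShouldProcess($ruleName, 'netsh ' + ($netshArgs -join ' '))) {
            & netsh @netshArgs
            if ($LASTEXITCODE -ne 0) { throw "netsh failed for '$ruleName' (exit code $LASTEXITCODE)" }
        }
    }
}

# Only the management subnet and one jump host may reach this RPC server;
# every other source still hits the default inbound block, even though the
# dynamic range is "open" for this program.
New-RpcServerRules -Name 'Contoso Inventory' `
    -Program '%ProgramFiles%\Contoso\inventory.exe' -Service 'ContosoInv' `
    -RemoteIP '10.20.1.0/24', '10.20.2.15' -WhatIf
```

Creating the two rules from one function keeps their scope identical; a pair where the Endpoint Mapper rule is restricted but the dynamic-ports rule is not (or the reverse) gives either a server that cannot be reached or one that is reachable from anywhere.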

Remote port
If you are using the TCP or UDP protocol type, you can specify the remote port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied. The following options are available:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.

IPHTTPS. Available for TCP only. Available under Remote port for outbound rules only. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

Internet Control Message Protocol (ICMP) Settings


If you want to create a rule that allows or blocks ICMP packets, in the Protocol type list, select ICMPv4 or ICMPv6, and then click Customize. Use the Customize ICMP Settings dialog box to configure the settings.

How to change these settings



After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, use the Protocols and Ports tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Predefined Rules Page


Use this wizard page to enable or disable rules that are part of a predefined rule group. Predefined rules provide network connectivity for Microsoft Windows programs and services. The rules displayed on this page are determined by the group you select in the list on the Rule Type page.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select Predefined.
3. From the list, select the group that contains the predefined rules that you want to manage, and then click Next.

Which rules would you like to create?


Select each rule that you want to create or, if the rule already exists, enable. The list on the Predefined Rules wizard page shows the rules in the selected group and the properties of each of the rules. Most of the well-known Windows services and programs available on computers running this version of Windows appear in this list.

By default, when you use this page to configure a Group Policy object (GPO), all of the check boxes for rules in a group are selected. By default, when you use this page to edit the local computer's active configuration, all of the check boxes for rules in a group are cleared.

If you select a rule where No appears in the Rule Exists column, and then complete the steps in the wizard, the rule is created with the properties shown in the list, and enabled. If you select a rule where Already exists appears in the Rule Exists column, and then complete the steps in the wizard, the new settings overwrite the existing settings, and the rule is enabled.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Scope Page


Use this wizard page to specify the local and remote IP addresses whose network traffic matches this rule. If the local computer is listed in the local IP addresses, then all network traffic going to or from any of the remote IP addresses matches this rule.

To get to this wizard page
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. On the Rule Type page, select Custom.
3. Click Next through the wizard until you reach the Scope page.

Which local IP addresses does this rule apply to?


The local IP address is used by the local computer to determine if the rule applies. The rule only applies to network traffic that goes through a network adapter that is configured to use one of the specified addresses.

Any IP address
Select this option to specify that the rule matches a network packet with any address specified as the local IP address. The local computer always matches the rule when this option is selected.

These IP addresses
Select this option to specify that the rule matches only network traffic that has one of the specified addresses in the local IP address field. If the local computer does not have a network adapter configured with one of the specified IP addresses, then the rule does not apply. On the IP Address dialog box, click Add to create a new entry in the list, or Edit to change an existing entry in the list.

Customize the interface types to which this rule applies


Click Customize to display the Customize Interface Types dialog box. Use this dialog box to configure which network interface types match the rule. By default, all network interface types are included.

Which remote IP addresses does this rule apply to?


Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.

Any IP address
Select this option to specify that the rule matches network packets that are addressed from (for inbound rules) or addressed to (for outbound rules) any IP address included in the list.

These IP addresses
Select this option to specify that the rule only matches network traffic that has one of the addresses specified in the Remote IP address field. On the IP Address dialog box, click Add to create a new entry in the list, or Edit to modify an existing entry in the list.

How to change these settings


After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, use the Scope tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Action Page


Use this wizard page when creating a firewall rule to specify the action Windows Firewall with Advanced Security will take for incoming or outgoing packets that match the rule criteria.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.
2. This page is available on all rule types. Click Next through the wizard until you reach the Action page.

Allow the connection


Use this option to allow network packets that match all criteria in the firewall rule.

Allow the connection if it is secure


Use this option to specify that only connections that are protected by Internet Protocol security (IPsec) are allowed. IPsec settings are defined in separate connection security rules. By default, this setting requires both authentication and integrity protection. To configure the requirements, click Customize. When you choose this option, the Users and Computers pages are automatically added to the wizard. You can use these pages to specify the users or computers to whom you want to grant or deny access, or leave the page blank to allow access to all users and computers. If you choose to specify users or computers, you must use an authentication method that includes user or computer information, as appropriate, because Windows Firewall with Advanced Security will use the authentication method from the connection security rule to match the users and computers you specify. For example, for computers, you can use Computer (Kerberos V5) or Computer Certificate with certificate-to-account mapping enabled. If you do not specify users or computers, you can use any authentication method. For more information about how to customize the IPsec requirements for this option, see the Customize Allow If Secure Settings dialog box. For more information about restricting access to users or computers, see the Users and Computers pages in the wizard.

Block the connection


Use this option to explicitly block any network packet that matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.

How to change these settings


After you create the firewall rule, you can adjust these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, select Action on the General tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Users Page


Use these settings to specify which users or user groups can connect to the local computer. Important To use these options, the firewall rule action must be set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes user identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled. To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules, and then click New rule. Note This page is displayed for inbound rules only; it is not available for outbound rules.
2. Click Next through the wizard until you reach the Action page.
3. On the Action page, select Allow the connection if it is secure.
4. Click Next through the wizard until you reach the Users page.

Authorized users
Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from these users


Select this option to specify which users can connect to this computer. Network traffic that is not authenticated as coming from a user on this list is blocked by Windows Firewall. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions
Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user who is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from these users


Select this option to specify users or groups whose network traffic is an exception to this rule. Network traffic that is authenticated as coming from a user in this list is not processed by the rule, even if the user is also in Authorized users. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

How to change these settings


After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules. To change these settings, select the Users tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Computers Page


For inbound rules, use these settings to specify which computers or computer groups can connect to the local computer. For outbound rules, use these settings to specify the computers or computer groups to which this computer can connect. Important To use these options, the firewall rule action must be set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes computer identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

To get to this wizard page

1. From the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New rule.
2. Click Next through the wizard until you reach the Action page.
3. On the Action page, select Allow the connection if it is secure.
4. Click Next through the wizard until you reach the Computers page.

Authorized computers
Use this section to identify the computer or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from/to these computers

For inbound rules, select Only allow connections from these computers to specify which computers can connect to this computer. Network traffic that is not authenticated as coming from a computer on this list is blocked by Windows Firewall. For outbound rules, select Only allow connections to these computers to specify the computers to which this computer is allowed to connect. Outbound network traffic sent to computers that cannot be authenticated as a computer on the list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers and Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.

Exceptions
Use this section to identify computer or group accounts that might be listed in Authorized computers, possibly because the computer or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, Computer A is a member of Group B. Group B is included in Authorized computers, so network traffic authenticated as coming from a computer in the group is allowed. By placing Computer A in the Exceptions list, network traffic authenticated as coming from Computer A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from/to these computers

For inbound rules, select Skip this rule for connections from these computers to specify which remote computers are exceptions to this rule. For outbound rules, select Skip this rule for connections to these computers to specify the remote computers that are exceptions to this rule.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers and Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.
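The Authorized and Exceptions semantics described on the Users page and the Computers page, modelled as an added example (this is constructed illustration code, not code from this document or from Windows Firewall); the account names, group names, nested-group map and the helper names are assumptions:

```python
# Added example (not from the Windows Firewall documentation): how an
# "Allow the connection if it is secure" rule treats its Authorized and
# Exceptions lists. Names, groups and the rule data below are constructed.
from dataclasses import dataclass


@dataclass
class Identity:
    """Authenticated peer identity, as an IPsec authentication method supplies it."""
    name: str
    groups: frozenset = frozenset()   # direct group memberships of the account


@dataclass
class SecureRule:
    """Authorized/Exceptions lists of an allow-if-secure rule (Users or Computers page)."""
    authorized: frozenset = frozenset()   # accounts or groups allowed to connect
    exceptions: frozenset = frozenset()   # accounts or groups the rule skips


def expand_groups(groups, nested):
    """Resolve transitive membership; nested maps a group to the groups it belongs to."""
    seen, todo = set(), list(groups)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(nested.get(group, ()))
    return seen


def decide(rule, identity, nested=None):
    """Return 'allow', 'skip' or 'no-match' for one packet under this rule.

    'skip'     : the peer is in Exceptions, so the rule does not process the
                 packet; default profile behaviour applies unless another rule allows it.
    'no-match' : the peer is not in Authorized (or the traffic is unauthenticated),
                 so this rule does not allow the packet.
    identity=None models traffic not authenticated by a connection security rule.
    """
    if identity is None:
        return "no-match"
    members = {identity.name} | expand_groups(identity.groups, nested or {})
    if rule.exceptions & members:          # Exceptions win over Authorized
        return "skip"
    if not rule.authorized or rule.authorized & members:
        return "allow"                     # a blank Authorized list allows everyone
    return "no-match"


# Constructed directory: the Contractors group is itself a member of Staff.
NESTED = {"Contractors": {"Staff"}}
# Constructed rule: Staff may connect, except the account "usera" (the User A case).
STAFF_RULE = SecureRule(authorized=frozenset({"Staff"}), exceptions=frozenset({"usera"}))

if __name__ == "__main__":
    for who in (Identity("usera", frozenset({"Staff"})),
                Identity("userb", frozenset({"Staff"})),
                Identity("userc", frozenset({"Contractors"})),
                Identity("guest", frozenset({"Guests"})),
                None):
        print(who.name if who else "unauthenticated", "->", decide(STAFF_RULE, who, NESTED))
```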

How to change these settings


After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in either Inbound Rules or Outbound Rules. To change these settings, select the Computers tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Profile Page


Use this wizard page to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals. This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New Rule.
2. Click Next through the wizard until you reach the Profile page.

Domain
The domain profile applies to a network when a domain controller is detected for the domain to which the local computer is joined. If you select this box, then the rule applies to network traffic passing through a network adapter connected to this network.

Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.

Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.

How to change these settings


After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box opens when you double-click a rule in either Inbound Rules or Outbound Rules. To change the profiles to which the rule applies, select the Advanced tab.

Additional references

Firewall Rule Wizard

Firewall Rule Properties Page

This section describes the tabs on the Firewall Rule Properties page in Windows Firewall with Advanced Security.

General
Programs and Services
Protocols and Ports
Scope
Advanced
Computers
Users

Firewall Rule Properties Page: General Tab


Use this tab to name, enable, and specify the action of a firewall rule. To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the General tab.

General section
This section contains identifying information about the rule and gives you the ability to enable or disable the rule.

Name
This is the name of the firewall rule. As a best practice, give the firewall rule a unique name. If two rules have the same name, then you cannot easily manage them by using the netsh commands. Do not use the name all for a firewall rule because that is the name of a Netsh command-line tool keyword.

Description (optional)
This is a description of the rule. Use this to provide information about the rule, such as the rule owner, the rule requester, the purpose of the rule, a version number, or the date of creation.

Enabled
Select this check box to enable the rule. Enabling a rule causes Windows Firewall with Advanced Security to compare all network packets to the criteria in this rule and to perform the action specified in Action when a match is found. Disabling the rule does not delete it, but instead causes Windows Firewall with Advanced Security to stop comparing network packets to the rule.

Action section
Select the action that Windows Firewall with Advanced Security will take for network packets that match the firewall rule criteria. When you have multiple firewall rules defined, the order in which they are evaluated for a match depends on the action specified in the rule. Firewall rules are evaluated in the following order:

1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.
2. Block the connection.
3. Allow the connection.
4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).

Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria. As soon as a network packet matches a rule, its action is triggered, and it is not compared to any additional rules. In other words, even if a network packet matches more than one rule, only the matching rule that is evaluated against the packet first is applied to the packet.
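The evaluation order just described (category first, then most specific rule, first match wins, then the profile default), as an added simulation that is not part of this document and not Windows Firewall's own code; the rule and packet field names, the rule set and the addresses are constructed for the illustration, and the "Specific Ports" parser follows the comma and low-high syntax documented on the Protocols and Ports tab:

```python
# Added example (not code from this document or from Windows Firewall): a constructed
# model of the documented rule evaluation order. Field names are assumptions.
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Category precedence as documented: bypass (allow if secure + override), block, allow.
CATEGORY_ORDER = {"allow_if_secure_override": 0, "block": 1, "allow": 2}


def parse_port_spec(spec: str) -> set:
    """Parse the 'Specific Ports' syntax: comma-separated ports, ranges as low-high."""
    ports = set()
    for item in spec.split(","):
        low, _, high = item.strip().partition("-")
        low_n = int(low)
        high_n = int(high) if high else low_n
        if not 0 <= low_n <= high_n <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(low_n, high_n + 1))
    return ports


@dataclass
class Packet:
    protocol: str
    local_port: int
    remote_ip: str
    program: Optional[str] = None
    authenticated: bool = False   # True when IPsec (a connection security rule) protected it


@dataclass
class Rule:
    name: str
    action: str                          # a key of CATEGORY_ORDER
    protocol: Optional[str] = None       # e.g. "TCP"; None matches any protocol
    local_ports: Optional[str] = None    # 'Specific Ports' text; None matches all ports
    remote_ip: Optional[str] = None      # address or prefix; None matches any address
    program: Optional[str] = None        # program path; None matches all programs

    def specificity(self) -> int:
        """Number of criteria set; within a category the most specific rule wins."""
        return sum(c is not None for c in
                   (self.protocol, self.local_ports, self.remote_ip, self.program))

    def matches(self, pkt: Packet) -> bool:
        if self.action == "allow_if_secure_override" and not pkt.authenticated:
            return False   # allow-if-secure rules match only IPsec-protected traffic
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.local_ports is not None and pkt.local_port not in parse_port_spec(self.local_ports):
            return False
        if self.remote_ip is not None and ipaddress.ip_address(pkt.remote_ip) not in \
                ipaddress.ip_network(self.remote_ip, strict=False):
            return False
        if self.program is not None and self.program.lower() != (pkt.program or "").lower():
            return False
        return True


def evaluate(rules, pkt: Packet, profile_default: str = "block"):
    """Return (decision, rule name) for the first rule that matches in evaluation order.

    Rules are ordered by category, then by specificity (most specific first). The first
    match decides and later rules are never consulted; with no match the default
    behaviour of the active profile applies (the inbound default is block).
    """
    ordered = sorted(rules, key=lambda r: (CATEGORY_ORDER[r.action], -r.specificity()))
    for rule in ordered:
        if rule.matches(pkt):
            return ("block" if rule.action == "block" else "allow"), rule.name
    return profile_default, None


# Constructed rule set (not from the document) that exercises the ordering rules.
RULES = [
    Rule("Allow RDP from corp", "allow", protocol="TCP", local_ports="3389", remote_ip="10.0.0.0/8"),
    Rule("Block RDP", "block", protocol="TCP", local_ports="3389"),
    Rule("Bypass RDP for IPsec peers", "allow_if_secure_override", protocol="TCP", local_ports="3389"),
    Rule("Allow TCP any", "allow", protocol="TCP"),
    Rule("Allow web from LAN", "allow", protocol="TCP", local_ports="80,443,8000-8010",
         remote_ip="192.168.1.0/24"),
]

if __name__ == "__main__":
    for pkt in (Packet("TCP", 3389, "10.1.2.3"),
                Packet("TCP", 3389, "10.1.2.3", authenticated=True),
                Packet("TCP", 8005, "192.168.1.7"),
                Packet("UDP", 53, "10.1.1.1")):
        print(pkt.protocol, pkt.local_port, pkt.remote_ip, "->", evaluate(RULES, pkt))
```

Note that the more specific "Allow RDP from corp" rule never beats "Block RDP", because category order is applied before specificity; only the bypass rule does, and only for IPsec-authenticated traffic.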

Allow the connection


Use this option to allow a network packet that matches all criteria in the firewall rule.

Allow the connection if it is secure


Use this option to specify that only network packets that are protected by Internet Protocol security (IPsec) are allowed. IPsec settings must be defined in separate connection security rules. By default, this setting requires both authentication and integrity to be included, but it does not require encryption. To configure the requirements, click Customize, and then select an option on the Customize Allow If Secure Settings dialog box.

Block the connection


Use this option to explicitly block any network packet that matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.

Additional references

Firewall Rule Properties Page

Firewall Rule Properties Page: Programs and Services Tab


Use this tab to specify the way in which Windows Firewall with Advanced Security matches criteria based on which program or service on the local computer is sending the packets to the peer computer. If this and all other criteria are matched, Windows Firewall with Advanced Security will take the action that you specify in Action on the General tab. To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Programs and Services tab.

Programs
This section contains information about how network packets from a program will be matched.

All programs that meet the specified conditions


Use this option to match network packets being sent or received by any program.

This program
Use this option to match network packets going to or from a specified program. If the program is not running, then no packets match the rule. You can select the program in one of two ways:

Type the complete path to the program. You can include environment variables, where appropriate. Important Do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results.

Click Browse and find the program in the directory.

Services
Click Settings to match packets from all programs and services on the computer (the default), services only, or a specified service.

More about program and service settings


To add a program to the rule, you must specify the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rule. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file.

Security Note Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without specifying the individual service that is to be allowed or blocked. Specifying only the service container as a program might compromise the security of the computer.

When you add a program to the rule, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to a rule is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.

Note You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses the Windows Sockets (Winsock) application programming interface (API) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.

Additional references

Firewall Rule Properties Page Dialog Box: Customize Service Settings

Firewall Rule Properties Page: Protocols and Ports Tab


Use this tab to specify which protocols and ports in a network packet match this firewall rule. To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Protocols and Ports tab.

Protocol type
Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, then select Custom, and type the protocol number in Protocol number. You can use any protocol number listed by the Internet Assigned Numbers Authority (IANA). If you specify TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port. For a list of the protocols, their protocol numbers and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (http://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.

Local port
If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied. The following options are available for inbound rules:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.

RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming RPC requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send further network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port. Important Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC dynamic ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program. When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.

IPHTTPS. Available for TCP only. Available under Local port for inbound rules. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports the embedding of Internet Protocol version 6 (IPv6) packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets. Teredo is an IPv4-to-IPv6 transition protocol.

Remote port
If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied. The following options are available for inbound rules:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.

IPHTTPS. Available for TCP only. Available under Remote port for outbound rules. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

ICMP Settings
Click Customize to configure settings for Internet Control Message Protocol (ICMP). The Customize button is enabled only when you choose the ICMPv4 or ICMPv6 protocol types. For more information, see Dialog Box: Customize ICMP Settings.

Additional references

Firewall Rule Properties Page

Firewall Rule Properties Page: Scope Tab


Use this tab to specify the local and remote IP addresses whose network traffic matches this rule. If the local computer is listed in the local IP addresses, then all network traffic going to or from any of the remote IP addresses matches this rule. To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Scope tab.

Local IP address
The local IP address is used by the local computer to determine if the rule applies. The rule applies only to network traffic that goes through a network adapter that is configured to use one of the specified local IP addresses.

Any IP address
Select this option to specify that the rule matches a network packet with any address specified as the local IP address. The local computer always matches the rule when this option is selected.

These IP addresses
Select this option to specify that the rule matches network traffic that has one of the addresses specified in Local IP address. If the local computer does not have a network adapter configured with one of the specified IP addresses, then the rule does not apply. On the IP Address dialog box, click Add to create a new entry in the list or Edit to change an existing entry in the list. You can also delete an entry from the list by selecting the item and then clicking Remove.

Remote IP address
Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.

Any IP address
Select this option to specify that the rule matches network packets that are addressed from (for inbound rules) or addressed to (for outbound rules) any IP address included in the list.

These IP addresses
Select this option to specify that the rule matches only network traffic that has one of the addresses specified in Remote IP address. On the IP Address dialog box, click Add to create a new entry in the list or Edit to change an existing entry in the list. You can also delete an entry from the list by selecting the item and then clicking Remove.

Additional references

Firewall Rule Properties Page

Firewall Rule Properties Page: Advanced Tab


Use this tab to configure the profiles and interface types to which this firewall rule will be applied. To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Advanced tab.

Profiles
A profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected. Windows determines a network location type for each network adapter, and then applies the corresponding profile to that network adapter. On computers running this version of Windows, there are three profiles recognized by Windows Firewall with Advanced Security.

Domain
Applies when a computer is connected to a network that contains an Active Directory domain controller in which the computer's domain account resides.

Private
Applies when a computer is connected to a network in which the computer's domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. A network is assigned the private type by a local administrator.

Public
Applies when a computer is connected to a domain through a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment. By default, newly discovered networks are assigned the public type.

Notes

Computers running Windows Server 2008 and Windows Vista support only a single profile at a time. If the computer is connected to more than one network, the most restrictive profile is applied to all network adapters.

Computers running Windows XP and Windows Server 2003 support only two profiles: standard, which maps to both public and private, and domain. If the computer is connected to more than one network, the profile that is most restrictive is applied to all network adapters. For this purpose, the public profile is considered the most restrictive, followed by the private profile, and then the domain profile.

Interface types
Click Customize to specify the interface types to which the connection security rule applies. The Customize Interface Types dialog box allows you to select All interface types or any combination of Local area network, Remote access, or Wireless types.

Edge traversal
Edge traversal allows the computer to accept unsolicited inbound packets that have passed through an edge device, such as a network address translation (NAT) router or firewall.

Notes

This option cannot be configured by using the New Inbound Firewall Rule wizard. To configure this setting, you must create the rule by using the wizard and then change it by using this tab. This option applies to inbound rules only; it does not appear on the Advanced tab for an outbound rule.

Select one of the following options from the list:

Block edge traversal (default)
Prevent applications from receiving unsolicited traffic from the Internet through a NAT edge device.

Allow edge traversal
Allow applications to receive unsolicited traffic directly from the Internet through a NAT edge device.

Defer to user
Let the user decide whether to allow unsolicited traffic from the Internet through a NAT edge device when an application requests it.

Defer to application
Let each application determine whether to allow unsolicited traffic from the Internet through a NAT edge device.

Additional references

Firewall Rule Properties Page

Firewall Rule Properties Page: Computers Tab


Use these settings to specify which computers or computer groups can connect to the local computer. This tab is available on both inbound and outbound firewall rules.

Important

To use these options, the firewall rule action must be set to Allow the connection if it is secure on the General tab. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes computer identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, right-click the firewall rule you want to modify, and then click the Computers tab.

Authorized computers
Use this section to identify the computer or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from/to these computers

For inbound rules, select Only allow connections from these computers to specify which computers can connect to this computer. Network traffic that is not authenticated as coming from a computer on this list is blocked by Windows Firewall. For outbound rules, select Only allow connections to these computers to specify the computers to which this computer is allowed to connect. Outbound network traffic sent to computers that cannot be authenticated as a computer on the list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers, or Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.

Exceptions
Use this section to identify computer or group accounts that might be listed in Authorized computers, possibly because the computer or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, Computer A is a member of Group B. Group B is included in Authorized computers, so network traffic authenticated as coming from a computer in the group is allowed. By placing Computer A in the Exceptions list, network traffic authenticated as being from Computer A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from/to these computers

For inbound rules, select Skip this rule for connections from these computers to specify the remote computers that are exceptions to this rule. For outbound rules, select Skip this rule for connections to these computers to specify the remote computers that are exceptions to this rule.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers, or Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.

Additional references

Firewall Rule Properties Page

Firewall Rule Properties Page: Users Tab


Use these settings to specify which users or user groups can connect to the local computer.

Important

These options are only available when the firewall rule action is set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes user identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

Note

This tab is displayed for inbound rules only; it is not available for outbound rules.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Users tab.

Authorized users
Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from these users


Select Only allow connections from these users to specify which users can connect to this computer. Network traffic that is not authenticated as coming from a user on this list is blocked by Windows Firewall. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions
Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user that is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from these users


Select Skip this rule for connections from these users to specify users or groups whose network traffic is an exception to this rule. Network traffic that is authenticated as coming from a user in this list is not processed by the rule, even if the user is also in the Authorized users list. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.
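The Computers and Users tabs above share one evaluation order that is easy to get wrong when reading the UI: an Exceptions match overrides an Authorized match, and a connection the rule does not allow falls back to the default inbound behavior, which blocks it unless another rule allows it. The following is an added example that models that order in Python; it is not Windows code, and the group memberships, rule names and the Peer/SecureRule classes are constructed for illustration (Windows resolves membership from the SIDs in the authenticated peer's token).

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed group memberships. Windows derives these from the group SIDs in
# the authenticated peer's token; here they are hard-coded for the example.
GROUPS = {
    "ComputerA": {"GroupB"},
    "ComputerC": {"GroupB"},
    "UserA": {"GroupB-Users"},
    "UserB": {"GroupB-Users"},
}


def principals(name: str) -> Set[str]:
    """The identity itself plus every group it is a member of."""
    return {name} | GROUPS.get(name, set())


@dataclass
class Peer:
    """Identity asserted by IPsec authentication for one connection.
    authenticated=False models traffic that no connection security rule
    protected, so no computer or user identity is available."""
    computer: Optional[str] = None
    user: Optional[str] = None
    authenticated: bool = True


@dataclass
class SecureRule:
    """An inbound rule whose action is 'Allow the connection if it is secure'.
    An empty authorized set means 'any authenticated identity', as when the
    'Only allow connections from ...' check box is left cleared."""
    name: str
    authorized_computers: Set[str] = field(default_factory=set)
    excepted_computers: Set[str] = field(default_factory=set)
    authorized_users: Set[str] = field(default_factory=set)
    excepted_users: Set[str] = field(default_factory=set)

    @staticmethod
    def _passes(identity: Optional[str], authorized: Set[str], excepted: Set[str]) -> bool:
        ids = principals(identity) if identity is not None else set()
        # An Exceptions match wins even when the same identity (or one of its
        # groups) is also listed under Authorized.
        if ids & excepted:
            return False
        return not authorized or bool(ids & authorized)

    def allows(self, peer: Peer) -> bool:
        """True if this rule allows the connection. False means the rule does
        not apply: the traffic is unauthenticated, not authorized, or excepted."""
        if not peer.authenticated:
            return False
        return (self._passes(peer.computer, self.authorized_computers, self.excepted_computers)
                and self._passes(peer.user, self.authorized_users, self.excepted_users))


def decide(rules, peer: Peer) -> str:
    """Default inbound behavior: traffic is blocked unless some rule allows it."""
    for rule in rules:
        if rule.allows(peer):
            return "allow (%s)" % rule.name
    return "block"


# Worked case from the text: ComputerA is a member of GroupB, GroupB is
# authorized, and ComputerA is listed under Exceptions.
GROUP_RULE = SecureRule("Allow GroupB", authorized_computers={"GroupB"},
                        excepted_computers={"ComputerA"})
# A second, hypothetical rule that allows ComputerA explicitly.
COMPUTER_A_RULE = SecureRule("Allow ComputerA", authorized_computers={"ComputerA"})

if __name__ == "__main__":
    for peer in (Peer(computer="ComputerC"), Peer(computer="ComputerA"),
                 Peer(computer="ComputerA", authenticated=False)):
        print(peer, "->", decide([GROUP_RULE], peer),
              "/ with second rule:", decide([GROUP_RULE, COMPUTER_A_RULE], peer))
```

Run stand-alone, the script shows ComputerC allowed by the group rule, ComputerA blocked by it (the exception wins) yet allowed once the second rule exists, and unauthenticated traffic blocked regardless, which is the behavior the Exceptions paragraphs describe.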

Additional references

Firewall Rule Properties Page

Monitored Firewall Rules Properties Page


This section describes the tabs on the Firewall Rule Properties page for rules displayed in Monitoring in Windows Firewall with Advanced Security.

To get to this page

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule that you want to examine.

Note

Only active firewall rules, those assigned to currently active network profiles, are displayed in Monitoring.

For a description of each tab on the property page, see the following topics:

General
Programs and Ports
Advanced


Monitor Firewall Rules - General


This tab shows basic information about an inbound or outbound firewall rule that is being applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule you want to examine, and then click the General tab.

Local IP address
This lists the local IP address, range of addresses, or subnet to which the rule applies, as configured on the Scope tab of the Firewall Rule Properties page.

Remote IP address
This lists the remote IP address, range of addresses, or subnet to which the rule applies, as configured on the Scope tab of the Firewall Rule Properties page.

Direction
This indicates whether the rule is an Inbound or Outbound rule.

Profile
This lists the network location profiles, Domain, Private, Public or All, to which the rule applies, as configured on the Advanced tab of the Firewall Rule Properties page.

Additional references

Monitored Firewall Rules Properties Page

Monitor Firewall Rules - Programs and Ports Page


This tab shows information about the protocols and ports that are used to match network packets to an inbound or outbound firewall rule that is being applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule you want to examine, and then click the Programs and Ports tab.

Protocol
This indicates the IP protocol type to which the rule applies, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

Local port
If you are using the UDP or TCP protocol type, this indicates the UDP or TCP port to which the rule applies, on the computer where the firewall rule is applied, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

Remote port
If the rule applies to the UDP or TCP protocol, this indicates the UDP or TCP port to which the rule applies, on the remote computer that is attempting to communicate with the computer where the firewall rule is applied, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

ICMP settings
If the rule applies to the Internet Control Message Protocol (ICMP) version 4 or ICMP version 6 protocol, this indicates the ICMP types and codes that are included, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

Program
This indicates the program file name and path of the application to which the rule applies, as configured on the Programs and Services tab of the Firewall Rule Properties page.

Service
If the program item is a service container, this indicates the service within the container to which the rule applies, as configured on the Programs and Services tab of the Firewall Rule Properties page.

Additional references

Monitored Firewall Rules Properties Page


Monitor Firewall Rules - Advanced


This tab displays information about authenticated users and computers whose network traffic is affected by this rule. This tab should be used only when the action for the rule is set to Allow if secure.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule you want to examine, and then click the Advanced tab.

Authorized users and computers


This is a list of the users or groups of users authorized by this rule, as configured on the Users and Computers tabs of the Firewall Rule Properties dialog box.

Excepted users and computers


This is a list of the users or groups of users who are not subject to this rule, as configured on the Users and Computers tabs of the Firewall Rule Properties dialog box. If a user or computer appears under both Authorized and Excepted, the exception takes priority, and the network traffic from that user or computer is not subject to this rule.

Interface types
This is a list of the network interface types to which this rule applies (Local area network, Remote access, Wireless, or All interface types), as configured on the Advanced tab of the Firewall Rule Properties dialog box.

Edge traversal
This indicates whether edge traversal is enabled (Allow edge traversal) or disabled (Block edge traversal). The Defer to user and Defer to application options are used to indicate that the user or application must make the decision to allow unsolicited traffic from the Internet through a network address translation (NAT) edge device. When edge traversal is enabled, the application, service, or port to which the rule applies is globally addressable and accessible from outside a NAT edge device. This setting is configured on the Advanced tab of the Firewall Rule Properties dialog box.

Additional references

Monitored Firewall Rules Properties Page

Monitored Connection Security Rules Properties Page


This section describes the tabs on the Connection Security Rule Properties page for rules displayed in Monitoring in Windows Firewall with Advanced Security.

General
Authentication
Advanced

Monitor Connection Security Rules - General


This tab shows basic information about a connection security rule that is being applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Connection Security Rules.

2. Double-click the rule you want to examine, and then click the General tab.

Endpoint 1 IP Address
This is the IP address or range of IP addresses of the first endpoint as configured on the Computers tab of the Connection Security Rule Properties page. If no endpoint is specified, Any is displayed.

Endpoint 1 port
This is the TCP or UDP port number of the first endpoint computer or group of computers as configured on the Protocols and Ports tab of the Connection Security Rule Properties page. If no port is specified, Any is displayed.

Endpoint 2 IP Address
This is the IP address or range of IP addresses of the second endpoint as configured on the Computers tab of the Connection Security Rule Properties page. If no endpoint is specified, Any is displayed.


Endpoint 2 port
This is the TCP or UDP port number of the second endpoint computer or group of computers as configured on the Protocols and Ports tab of the Connection Security Rule Properties page. If no port is specified, Any is displayed.

Protocol
This is the protocol as configured by using the Protocol type option on the Protocols and Ports tab of the Connection Security Rule Properties page. If no protocol is specified, Any is displayed.

Profile
This lists the network location profiles, domain, private or public, to which the rule applies, as configured on the Advanced tab of the Connection Security Rule Properties page.

Additional references

Monitored Connection Security Rules Properties Page

Monitor Connection Security Rules - Authentication


This tab shows basic information about authentication methods used by a connection security rule that is applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Connection Security Rules.

2. Double-click the rule you want to examine, and then select the Authentication tab.

Requirements
This refers to the authentication requirement on connections matching the rule criteria.

First authentication
The first and second authentication methods are used during the main mode phase of Internet Protocol security (IPsec) negotiations. For first authentication, you can view the way the two peer computers authenticate, such as through Kerberos version 5, NTLMv2, computer certificates, or another method. The Details column displays information for certificates and preshared keys only. For certificates, it displays the issuer details, whether the certificate was issued by a root or intermediate certification authority (CA), and the certificate signing algorithm. For a preshared key, it displays the key in plain text. The authentication information displayed can be configured on the Authentication tab of the Connection Security Rules Properties dialog box.

Second authentication
For second authentication, you can view the user authentication method, such as Kerberos version 5, NTLMv2, user certificates, or a computer health certificate. The Details column displays information for certificates only. It displays the issuer details, whether the certificate was issued by a root or intermediate CA, and the certificate signing algorithm. The authentication information that is displayed can be configured on the Authentication tab of the Connection Security Rules Properties dialog box.

Additional references

Monitored Connection Security Rules Properties Page

Monitor Connection Security Rules - Advanced


If the rule specifies an Internet Protocol security (IPsec) tunnel, this tab shows information about the tunnel endpoints and whether computer or user authorization is required.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Connection Security Rules.

2. Double-click the rule you want to examine, and then click the Advanced tab.

Local tunnel endpoint


If the connection security rule is a tunnel rule, then this indicates the address of the tunnel endpoint that is closest to the local computer, as configured on the Customize IPsec Tunneling Settings dialog box. If the connection security rule is not a tunnel rule, then None is displayed.


Remote tunnel endpoint


If the connection security rule is a tunnel rule, then this indicates the address of the tunnel endpoint that is farthest from the local computer, as configured on the Customize IPsec Tunneling Settings dialog box. If the connection security rule is not a tunnel rule, then None is displayed.

Interface types
This indicates the network interface types to which the rule applies, as configured on the Advanced tab of the Connection Security Rule Properties page.

Apply authorization
This indicates whether the use of the tunnel is restricted to only authorized users and computers, as configured on the Customize IPsec Tunneling Settings dialog box. The list of authorized users and computers is configured on the Customize IPsec Tunnel Authorizations dialog box.

Exempt IPsec protected connections


This indicates whether network packets addressed to a computer in Endpoint 2 that are already protected by IPsec are sent through the tunnel. This includes any network packet with an ESP header, including ESP NULL. This setting is configured on the Customize IPsec Tunneling Settings dialog box.

Additional references

Monitored Connection Security Rules Properties Page

Monitored Main Mode Security Associations


Main mode negotiation establishes a secure channel between two computers by determining a set of cryptographic protection suites, exchanging keying material to establish a shared secret key, and authenticating computer and user identities. A security association (SA) is the information maintained about that secure channel on the local computer so that it can use the information for future network traffic to the remote computer. You can monitor main mode SAs for information like which peers are currently connected to this computer and which protection suite was used to form the SA.

To get to this view

In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Main Mode.


The following information is available in the table view of all main mode SAs. To see the information for a single main mode SA, double-click the SA in the list.

Main mode SA information


You can add, remove, reorder, and sort by these columns in the Results pane:

Local Address: The local computer IP address.
Remote Address: The remote computer or peer IP address.
1st Authentication Method: The authentication method used to create the SA.
1st Authentication Local ID: The authenticated identity of the local computer used in first authentication.
1st Authentication Remote ID: The authenticated identity of the remote computer used in first authentication.
2nd Authentication Method: The authentication method used in the SA.
2nd Authentication Local ID: The authenticated identity of the local computer used in second authentication.
2nd Authentication Remote ID: The authenticated identity of the remote computer used in second authentication.
Encryption: The encryption method used by the SA to secure quick mode key exchanges.
Integrity: The data integrity method used by the SA to secure quick mode key exchanges.
Key Exchange: The Diffie-Hellman group used to create the main mode SA.

Any user account can be used to complete this procedure.

To add, remove, or reorder a column

1. Right-click in a blank area in the Results pane for the Main Mode folder, select View, and then click Add/Remove Columns.

2. In the Add/Remove Columns dialog box, from the Available columns list, select the column you want to view, and then click Add. You can select only one column name at a time.

3. You can also select columns that you do not want to view. From the Displayed columns list, click Remove. You can select only one column name at a time.

4. To reorder the columns, from left to right, select a column in the Displayed columns list, and then click Move Up or Move Down. You can select only one column name at a time.

5. When you are finished, click OK. The view will change to reflect your preferences.

Additional references

Monitored Quick Mode Security Associations

Monitored Quick Mode Security Associations


A quick mode negotiation establishes a secure channel between two computers to protect user data exchanged between them. During quick mode negotiation, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects the IP data traffic is also selected. The exchange of information required to negotiate a quick mode SA is performed within the context of the main mode SA. After the quick mode SA is established, the two computers can exchange network packets within the context of the quick mode SA. There is only one main mode SA between a pair of computers, but there can be many quick mode SAs.

Monitoring quick mode SAs can provide information about which peers are currently connected to this computer, and which protection suite is protecting the data exchanged between them. Separate SAs are created for Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) connections.

To get to this view

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Quick Mode.

The following information is available in the table view of all quick mode SAs. To see the information for a single quick mode SA, double-click the item in the list.

Quick mode SA information


You can add, remove, reorder, and sort by these columns in the Results pane:

Local IP address: The local IP address.
Local port: The TCP or UDP port of the local computer used in the filter.
Remote IP address: The IP address of the remote computer or peer.
Remote port: The TCP or UDP port of the remote computer used in the filter.
Protocol: The protocol specified in the filter.
AH integrity: The AH protocol-specific data integrity method used for peer communications.
ESP integrity: The ESP protocol-specific data integrity method used for peer communications.
ESP confidentiality: The ESP protocol-specific encryption method used for peer communications.

Any user account can be used to complete this procedure.

To add, remove, or reorder a column

1. Right-click in a blank area in the Results pane for the Quick Mode folder, select View, and then click Add/Remove Columns.

2. In the Add/Remove Columns dialog box, from the Available columns list, select the column you want to view, and then click Add. You can select only one column name at a time.

3. You can also select columns that you do not want to view. From the Displayed columns list, click Remove. You can select only one column name at a time.

4. To reorder the columns, from left to right, select a column in the Displayed columns list, and then click Move Up or Move Down. You can select only one column name at a time.

5. When you are finished, click OK. The view will change to reflect your preferences.

Additional references

Monitored Main Mode Security Associations

Dialog Boxes
This section describes the user interface options on the Windows Firewall with Advanced Security dialog boxes. Instructions for locating the dialog box are included in each topic.

Dialog Box: Add or Edit Integrity Algorithms
Dialog Box: Add or Edit Integrity and Encryption Algorithms
Dialog Box: Add or Edit IP Addresses
Dialog Box: Add Security Method
Dialog Box: Customize Advanced Authentication Methods
Dialog Box: Customize Advanced Key Exchange Settings
Dialog Box: Customize Allow If Secure Settings
Dialog Box: Customize Data Protection Settings
Dialog Box: Customize ICMP Settings
Dialog Box: Customize Interface Types
Dialog Box: Customize IPsec Settings
Dialog Box: Customize IPsec Tunnel Authorization
Dialog Box: Customize IPsec Tunneling Settings
Dialog Box: Customize Logging Settings for a Firewall Profile
Dialog Box: Customize Protected Network Connections for a Firewall Profile
Dialog Box: Customize Service Settings
Dialog Box: Customize Settings for a Firewall Profile
Dialog Box: Add or Edit First Authentication Method
Dialog Box: Add or Edit Second Authentication Method

Dialog Box: Add or Edit Integrity Algorithms


Use this dialog box to configure a data integrity algorithm offer that is available when negotiating quick mode security associations. You must specify both the protocol and the algorithm used to protect the integrity of the data in the network packet.

Internet Protocol security (IPsec) provides integrity by calculating a hash generated from the data in the network packet. The hash is then cryptographically signed (encrypted) and embedded in the IP packet. The receiving computer uses the same algorithm to calculate the hash and compares its result to the hash that is embedded in the received packet. If it matches, then the information received is exactly the same as the information sent, and the packet is accepted. If it does not match, then the packet is dropped. Using an encrypted hash of the transmitted message makes it computationally infeasible to change the message without causing a mismatch of the hash. This is critical when data is exchanged over an unsecured network, such as the Internet, because it provides a way to know that the message was not changed during transit.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

4. Under Data protection (Quick Mode), select Advanced, and then click Customize.

5. Under Data integrity, select an algorithm combination from the list, and click Edit or Add.

Protocol
The following protocols are used to embed the integrity information into an IP packet.

ESP (recommended)
ESP provides authentication, integrity, and anti-replay protection for the IP payload. ESP used in transport mode does not sign the entire packet. Only the IP payload, not the IP header, is protected. ESP can be used alone or in combination with AH. With ESP, the hash calculation includes the ESP header, trailer, and payload only. ESP can optionally provide data confidentiality services by encrypting the ESP payload with one of several supported encryption algorithms. Anti-replay protection is provided through the inclusion of a sequence number in each packet.

AH
AH provides authentication, integrity, and anti-replay protection for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data. The data is readable, but protected from modification. Some fields that are allowed to change in transit are excluded from the hash calculation. Anti-replay protection is provided through the inclusion of a sequence number in each packet.

Important

The AH protocol is not compatible with network address translation (NAT) because NAT devices change information in some of the packet headers that are included in the integrity hash. To allow IPsec-based traffic to pass through a NAT device, you must use ESP and ensure that NAT Traversal (NAT-T) is enabled on the IPsec peer computers.

Null encapsulation
Null encapsulation specifies that you do not want to use any integrity or encryption protection on your network traffic. Authentication is still performed as required by the connection security rules, but no other protection is provided to the network packets that are exchanged through this security association.

Security Note

Because this option provides no integrity or confidentiality protection of any kind, we recommend that you use it only if you must support software or network devices that are not compatible with ESP or AH.
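The integrity mechanism described for this dialog box (a keyed hash computed by the sender, recomputed and compared by the receiver, plus a sequence number for anti-replay) and the AH-versus-ESP difference in what the hash covers can both be seen in a few lines of code. The following is an added example in Python, not Windows or IPsec implementation code: HMAC-SHA-256 stands in for the integrity algorithms the dialog offers, the Packet class is a constructed stand-in for real AH/ESP encapsulation, and the addresses and key are constructed sample values. It also shows why a NAT rewrite of the source address breaks an AH packet but not an ESP one.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Packet:
    """Simplified packet (constructed). src/dst stand in for the IP header,
    seq is the AH/ESP sequence number, icv is the integrity check value."""
    src: str
    dst: str
    seq: int
    payload: bytes
    icv: bytes = b""


def covered_bytes(pkt: Packet, protocol: str) -> bytes:
    """Bytes the integrity hash covers. AH includes the IP header (reduced
    here to the addresses), so a NAT rewrite invalidates the ICV. ESP covers
    only the ESP header, payload and trailer, never the outer IP header."""
    body = pkt.seq.to_bytes(4, "big") + pkt.payload
    if protocol == "AH":
        return pkt.src.encode() + b"|" + pkt.dst.encode() + b"|" + body
    if protocol == "ESP":
        return body
    raise ValueError("unknown protocol: %s" % protocol)


def sign(pkt: Packet, key: bytes, protocol: str) -> Packet:
    """Sender side: attach a keyed hash over the covered bytes. HMAC-SHA-256 is
    an assumption standing in for the algorithms listed in the dialog."""
    pkt.icv = hmac.new(key, covered_bytes(pkt, protocol), hashlib.sha256).digest()
    return pkt


class Receiver:
    """Receiver side: verify the ICV, then enforce a sliding anti-replay window
    on the sequence number. (RFC 4303 performs a preliminary window check
    before the ICV for efficiency; the accept/drop outcome is the same.)"""

    def __init__(self, key: bytes, protocol: str, window: int = 64):
        self.key, self.protocol, self.window = key, protocol, window
        self.highest = 0     # highest sequence number accepted so far
        self.seen = set()    # accepted sequence numbers inside the window

    def accept(self, pkt: Packet) -> str:
        expected = hmac.new(self.key, covered_bytes(pkt, self.protocol), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, pkt.icv):   # constant-time compare
            return "dropped: integrity mismatch"
        # Duplicate, or older than the window's left edge: a replay.
        if pkt.seq in self.seen or pkt.seq <= self.highest - self.window:
            return "dropped: replay"
        self.seen.add(pkt.seq)
        self.highest = max(self.highest, pkt.seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "accepted"


def nat_rewrite(pkt: Packet, new_src: str) -> Packet:
    """What a NAT device does: rewrite the source address and forward the
    packet otherwise unchanged (the ICV is copied as-is)."""
    return Packet(new_src, pkt.dst, pkt.seq, pkt.payload, pkt.icv)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    for proto in ("AH", "ESP"):
        rx = Receiver(key, proto)
        inner = sign(Packet("192.168.1.2", "203.0.113.7", 1, b"data"), key, proto)
        print(proto, "through NAT:", rx.accept(nat_rewrite(inner, "203.0.113.1")))
```

The NAT case is the reason for the Important note above: the AH receiver sees an integrity mismatch because the rewritten source address was part of the hashed bytes, while the ESP receiver accepts the packet (in practice ESP through NAT additionally needs NAT-T, because ESP carries no port numbers for the NAT to map).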

Algorithms
The following integrity algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running other versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version. For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

AES-GMAC 256
AES-GMAC 192
AES-GMAC 128
SHA-1
MD5

Caution

MD5 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is provided for backward compatibility only.

Key lifetimes
Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified amount of data has been transmitted. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised.

Note

This key regeneration is for quick mode data integrity only. These settings do not affect the key lifetime settings for main mode key exchange.

Minutes
Use this setting to configure how long the key used in the quick mode security association lasts, in minutes. After this interval, a new key will be generated. Subsequent communications will use the new key. The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 5 minutes. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

KB
Use this setting to configure how many kilobytes (KB) of data are sent using the key. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,147,483,647 KB. The minimum lifetime is 20,480 KB. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit Integrity and Encryption Algorithms


Use this dialog box to configure an algorithm offer that includes both data integrity and data confidentiality (encryption) and that is available when negotiating quick mode security associations. You must specify both the protocol and the algorithm used to protect the integrity of the data in the network packet.

Internet Protocol security (IPsec) provides integrity by calculating a hash generated from the data in the network packet. The hash is then cryptographically signed (encrypted) and embedded in the IP packet. The receiving computer uses the same algorithm to calculate the hash, and compares the result to the hash that is embedded in the received packet. If it matches, then the information received is exactly the same as the information sent, and the packet is accepted. If it does not match, then the packet is dropped. Using an encrypted hash of the transmitted message makes it computationally infeasible to change the message without a resulting mismatch with the hash. This is critical when data is exchanged over an unsecured network such as the Internet and provides a way to know that the message was not changed during transit.

In addition to integrity protection, this dialog box allows you to specify an encryption algorithm that helps prevent the data from being read if the network packet is intercepted while in transit.

How to get to this dialog box

1. In the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Data protection (Quick Mode), select Advanced, and then click Customize.
5. Under Data integrity and encryption, select an algorithm combination from the list, and click Edit or Add.

Protocol


The following protocols are used to embed the integrity and encryption information into an IP packet.

ESP (recommended)
Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload. ESP in transport mode does not sign the entire packet. Only the IP data payload, not the IP header, is protected. ESP can be used alone or in combination with Authentication Header (AH). With ESP, the hash calculation includes the ESP header, trailer, and payload only. ESP provides data confidentiality services by encrypting the ESP payload with one of the supported encryption algorithms. Anti-replay protection is provided through the inclusion of a sequence number in each packet.

ESP and AH
This option combines the security of the ESP protocol with the AH protocol. AH provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet).

Important

The AH protocol is not compatible with network address translation (NAT) because NAT devices need to change information in the packet headers. To allow IPsec-based traffic to pass through a NAT device, you must ensure that NAT Traversal (NAT-T) is supported on your IPsec peer computers.

Algorithms
Encryption algorithm
The following encryption algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running earlier versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version. For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

AES-GCM 256
AES-GCM 192
AES-GCM 128
AES-CBC 256
AES-CBC 192
AES-CBC 128
3DES
DES

Security Note

We recommend that you do not use DES. It is provided for backward compatibility only.

Note

If you specify an AES-GCM algorithm for encryption, then you must specify the same algorithm for integrity.

Integrity algorithm
The following integrity algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running other versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version. For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

AES-GCM 256
AES-GCM 192
AES-GCM 128
AES-GMAC 256
AES-GMAC 192
AES-GMAC 128
SHA-1
MD5

Security Note

We recommend that you do not use MD5. It is provided for backward compatibility only.

Note

If you specify an AES-GCM algorithm for integrity, then you must specify the same algorithm for encryption.

Key lifetimes
Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified amount of data has been transmitted. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised.

Note

This key regeneration is for quick mode data integrity and encryption and does not affect the key lifetime settings for main mode key exchange.

Minutes
Use this setting to configure how long the key used in the quick mode security association lasts, in minutes. After this interval, the key will be regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 5 minutes. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

KB
Use this setting to configure how many kilobytes (KB) of data are sent using the key. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key. The maximum lifetime is 2,147,483,647 KB. The minimum lifetime is 20,480 KB. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit IP Addresses


Use this dialog box to specify computers by IP address. You can use either Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can also specify an entire subnet.

To get to this dialog box

When creating a firewall rule by using the New Firewall Rule wizard, on the Scope page, select These IP addresses, and then click Add.
When modifying an existing firewall rule, on the Scope tab, select These IP addresses, and then click Add.
When creating a connection security rule by using the Connection Security Rule wizard, on the Endpoints page, select These IP addresses, and then click Add.
When modifying an existing connection security rule, on the Computers tab, select These IP addresses, and then click Add.


This IP address or subnet


You can specify a single IP address or a subnet for either IPv4 or IPv6 addresses. To specify a subnet, enter the IP address using syntax similar to the following:
192.168.1.0/24

The number following the forward slash (/) represents the number of bits in the subnet mask. 32 bits are possible. In this example, 24 means that the first three octets are the subnet address and the last octet is the host ID within the subnet. The bits representing the host ID must be 0. The example corresponds to a subnet mask of 255.255.255.0. For an IPv6 address, use the same syntax. The number after the forward slash represents the number of bits in the subnet mask. 128 bits are possible. The bits representing the host ID must be 0. For example:
2001:8e6c:6456:1c99::/64

This IP address range


Enter two IP addresses. The lower numbered address must precede the higher numbered address in the range. The range consists of all IP addresses between the beginning and ending IP addresses. The two range endpoints must use the same IP version, either IPv4 or IPv6.

Predefined set of computers


You can specify one of the following sets of predefined computers:

Default gateway. Uses the IP address currently set as the default gateway of the local computer.
WINS servers. Uses the IP addresses for the computers currently configured to provide WINS services to the local computer.
DHCP servers. Uses the IP addresses for the computers currently configured to provide DHCP services to the local computer.
DNS servers. Uses the IP addresses for the computers currently configured to provide DNS services to the local computer.
Local subnet. Uses the IP address and subnet mask of the local computer to dynamically determine addresses that are part of the computer's local subnet.
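The address forms this dialog accepts can be checked before they go into a rule. The following PowerShell is an added example, not part of this help file or of Microsoft's tooling: the two validation functions (names mine) apply the rules stated above (prefix length within 32 or 128 bits, host bits zero, range endpoints of the same IP version with the lower address first), and the final command shows the same scope expressed with the NetSecurity New-NetFirewallRule cmdlet, which exists on Windows 8 / Windows Server 2012 and later rather than on the Windows 7 era systems this help text describes. The port and rule name are constructed.

```powershell
# Added example (not from the help file). Function names are mine.

function Test-SubnetNotation {
    # Accepts "192.168.1.0/24" or "2001:8e6c:6456:1c99::/64" and returns the
    # equivalent mask; throws if the prefix is out of range or host bits are set.
    param([Parameter(Mandatory)][string]$Cidr)

    $parts = $Cidr -split '/'
    if ($parts.Count -ne 2) { throw "Expected address/prefix, got '$Cidr'" }

    $bytes   = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    $prefix  = [int]$parts[1]
    $maxBits = $bytes.Length * 8            # 32 for IPv4, 128 for IPv6
    if ($prefix -lt 0 -or $prefix -gt $maxBits) {
        throw "Prefix length $prefix is outside 0..$maxBits for '$Cidr'"
    }

    $mask      = New-Object byte[] $bytes.Length
    $remaining = $prefix
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $n = [Math]::Min(8, $remaining)                       # mask bits in this byte
        $mask[$i] = [byte]((0xFF -shl (8 - $n)) -band 0xFF)
        $remaining -= $n
        # Every address bit outside the mask is a host bit and must be 0.
        if (($bytes[$i] -band ((-bnot [int]$mask[$i]) -band 0xFF)) -ne 0) {
            throw "Host bits must be 0 in '$Cidr' (prefix $prefix)"
        }
    }
    return [System.Net.IPAddress]::new($mask).ToString()      # e.g. 255.255.255.0
}

function Test-AddressRange {
    # Both endpoints must be the same IP version, and the lower address comes first.
    param([Parameter(Mandatory)][string]$Start, [Parameter(Mandatory)][string]$End)

    $a = [System.Net.IPAddress]::Parse($Start)
    $b = [System.Net.IPAddress]::Parse($End)
    if ($a.AddressFamily -ne $b.AddressFamily) {
        throw "Range endpoints must both be IPv4 or both be IPv6"
    }
    $ab = $a.GetAddressBytes(); $bb = $b.GetAddressBytes()
    for ($i = 0; $i -lt $ab.Length; $i++) {
        if ($ab[$i] -lt $bb[$i]) { return $true }
        if ($ab[$i] -gt $bb[$i]) { throw "Lower address must precede the higher one: $Start > $End" }
    }
    return $true                                              # equal endpoints: a one-address range
}

Test-SubnetNotation '192.168.1.0/24'                          # 255.255.255.0
Test-SubnetNotation '2001:8e6c:6456:1c99::/64'                # ffff:ffff:ffff:ffff::
try { Test-SubnetNotation '192.168.1.5/24' } catch { Write-Warning $_ }   # host bits set: rejected
Test-AddressRange '192.168.1.10' '192.168.1.20'

# The same scope in a rule: an explicit subnet, a range, and the predefined
# "Local subnet" keyword (DNS, DHCP, WINS and DefaultGateway are the others).
# Constructed port; -WhatIf only shows what would be created.
New-NetFirewallRule -DisplayName 'Example scope rule (constructed)' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 8443 `
    -RemoteAddress '192.168.1.0/24', '192.168.1.10-192.168.1.20', 'LocalSubnet' -WhatIf
```

Run the validation first and only pass values it accepted to the rule; the cmdlet is the equivalent of the Scope tab, so the keyword entries resolve dynamically on each computer the rule applies to, exactly as the predefined sets above describe.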

See Also

User Interface: Windows Firewall with Advanced Security


Dialog Box: Add Security Method


Use this dialog box to configure a security method offer that is available when negotiating main mode security associations. You must specify the integrity, encryption, and key exchange algorithm.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Key exchange (Main Mode), select Advanced, and then click Customize.
5. Under Security methods, select an algorithm combination from the list, and click Edit or Add.

Integrity algorithm
Select one of the following integrity algorithms from the list.

SHA-384
SHA-256
SHA-1
MD5

Caution

MD5 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.

Encryption algorithm
Select one of the following encryption algorithms from the list.

AES-CBC 256
AES-CBC 192
AES-CBC 128
3DES
DES

Caution

DES is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.

Key exchange algorithm


Select one of the following key exchange algorithms from the list.

Elliptic Curve Diffie-Hellman P-384
Elliptic Curve Diffie-Hellman P-256
Diffie-Hellman Group 14
Diffie-Hellman Group 2
Diffie-Hellman Group 1

Caution

DH1 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.

For more information about any of these algorithms, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Advanced Authentication Methods


Use these settings to configure the authentication required in your environment. You can configure advanced authentication on a rule-by-rule basis or to apply by default to all connection security rules.

How to get to this dialog box

To get to this dialog box to configure the default settings for the computer, perform the following steps. These settings apply to any connection security rule in which Default is selected as the authentication method.

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Authentication method, select Advanced, and then click Customize.

To get to this dialog box when creating a new connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.

1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, right-click Connection Security Rules, and then click New Rule.
2. Select any rule type except Authentication exemption.
3. Click Next through the wizard until you reach the Authentication Method page.
4. Select Advanced, and then click Customize.

To get to this dialog box to configure the settings for an existing connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.

1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, click Connection Security Rules.
2. Double-click the rule that you want to modify.
3. Click the Authentication tab.
4. Under Method, select Advanced, and then click Customize.

First authentication
The first authentication method is performed during the main mode phase of Internet Protocol security (IPsec) negotiations. In this authentication, you can specify the way in which the peer computer is authenticated. You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify; the first successful method is used.

To add a method to the list, click Add. To modify a method already in the list, select the method, and then click Edit. To remove a method from the list, select the method, and then click Remove. To reorder the list, select a method, and then click the up and down arrows.


For more information about the available first authentication methods, see Dialog Box: Add or Edit First Authentication Method.

First authentication is optional


You can select this option to have the first authentication performed with anonymous credentials. This is useful when the second authentication provides the primary, required means of authentication, and the first authentication is to be performed only when both peers support it. For example, if you want to require user-based Kerberos version 5 authentication, which is available only as a second authentication, you can select First authentication is optional, and then select User (Kerberos V5) in Second authentication method.

Caution

Do not configure both the first authentication and second authentication to be optional. This is equivalent to turning authentication off.

Second authentication
With second authentication, you can specify the way in which the user logged on to the peer computer is authenticated. You can also specify a computer health certificate from a specified certification authority (CA). The methods are attempted in the order you specify; the first successful method is used. You can specify multiple methods to use for this authentication.

To add a method to the list, click Add. To modify a method already in the list, select the method, and then click Edit. To remove a method from the list, select the method, and then click Remove. To reorder the list, select a method and then click the up and down arrows. You must use either all user-based authentication methods or all computer-based authentication methods. No matter where it appears in the list, you cannot use the second authentication method if you are using a preshared key for the first authentication method.

Notes

For more information about the available second authentication methods, see Dialog Box: Add or Edit Second Authentication Method.

Second authentication is optional


You can select this option to indicate that the second authentication should be performed if possible, but that the connection should not be blocked if the second authentication fails. This is useful when the first authentication provides the primary, required means of authentication, and the second authentication is optional, but preferred, when both peers support it. For example, if you want to require computer-based Kerberos version 5 authentication and you would like to use user-based Kerberos version 5 authentication when possible, you can select Computer (Kerberos V5) as the first authentication, and then select User (Kerberos V5) as the second authentication with Second authentication is optional selected.

Caution

Do not configure both the first authentication and second authentication to be optional. This is equivalent to turning authentication off.

Important

In a tunnel mode rule, if you select Second authentication is optional, then the resulting IPsec policy is implemented as IKE only and does not use Authenticated Internet Protocol (AuthIP). Any authentication methods specified in Second authentication are ignored. In a transport mode rule, the second authentication methods are still used, as expected.
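The "computer Kerberos first, user Kerberos second and optional" configuration just described, expressed from the command line, as an added example that is not part of this help file or of Microsoft's documentation. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later, not the Windows 7 systems this dialog belongs to); set and rule names are mine. The anonymous proposal is, to my knowledge, how these cmdlets express the "optional" check box; confirm the resulting set on your own system with Get-NetIPsecPhase2AuthSet before relying on it.

```powershell
# Added example (not from the help file); names are mine.

# First authentication: computer credentials. Kerberos V5 is tried first;
# NTLM only if Kerberos fails (the order of -Proposal is the order attempted).
$first = @(
    New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecAuthProposal -Machine -NTLM
)
New-NetIPsecPhase1AuthSet -Name 'ExampleP1' -DisplayName 'Example first auth (computer)' `
    -Proposal $first | Out-Null

# Second authentication: user Kerberos V5, marked optional by the anonymous
# proposal: the user credential is tried, and the connection is not blocked if
# it cannot be supplied. Every proposal in this set is user-based, as the
# dialog requires, and no preshared key is used in the first set.
$second = @(
    New-NetIPsecAuthProposal -User -Kerberos
    New-NetIPsecAuthProposal -User -Anonymous
)
New-NetIPsecPhase2AuthSet -Name 'ExampleP2' -DisplayName 'Example second auth (user, optional)' `
    -Proposal $second | Out-Null

# Transport mode rule that uses both sets. In a tunnel mode rule an optional
# second authentication makes the policy IKE-only and the second set is ignored.
New-NetIPsecRule -DisplayName 'Example: require inbound, request outbound' `
    -Mode Transport -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet 'ExampleP1' -Phase2AuthSet 'ExampleP2'

# Review what was configured, in attempt order.
Get-NetIPsecPhase1AuthSet -Name 'ExampleP1' | Select-Object -ExpandProperty Proposal
Get-NetIPsecPhase2AuthSet -Name 'ExampleP2' | Select-Object -ExpandProperty Proposal
```

Do not add an anonymous proposal to both sets: that is the "both optional" configuration the caution above warns about, and it leaves the rule with no authentication at all.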

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Advanced Key Exchange Settings


Use this dialog box to add, edit, change priority, or remove the algorithm combinations that are available for key exchange during main mode negotiations. You can specify more than one algorithm combination and you can assign the order in which the combinations are tried. The first combination in the list that is compatible with both peers will be used.

Note

A best practice is to list the algorithm combinations in order of highest security at the top to lowest security at the bottom. This way, the most secure algorithm in common between the two negotiating computers is used. The less secure algorithms can be used for backward compatibility.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Key exchange (Main Mode), select Advanced, and then click Customize.

Security methods


Security methods are combinations of integrity algorithms and encryption algorithms that protect the key exchange. You can have as many combinations as you need and you can arrange them in preferred order in the list. The combinations are attempted in the order in which they are displayed. The first set to be agreed upon by both peer computers is used. If the peer computer cannot use any of the combinations you define, the connection attempt fails. Some algorithms are supported only by computers running this version of Windows. For more information, see IPsec Algorithms and Protocols Supported by Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

To add a combination to the list, click Add to use the Add or Edit Security Method dialog box. To reorder the list, select a combination, and then click the up or down arrows.

Note

As a best practice, order the combinations from highest security at the top of the list to lowest security at the bottom. This ensures that the most secure method that both peers can support is used.

Key lifetimes
Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified number of sessions have been protected by using the current key. Using multiple keys ensures that if an attacker manages to gain access to one key, only a small amount of information is exposed before a new key is generated and the network traffic is protected once again. You can specify the lifetime in both minutes and number of sessions. The first threshold reached is used and the key is regenerated.

Note

This key regeneration is for main mode key exchange only. These settings do not affect the key lifetime settings for quick mode data protection.

Minutes
Use this setting to configure how long the key used in main mode security association lasts, in minutes. After this interval, a new key is generated. Subsequent main mode sessions use the new key. The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 1 minute. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

Sessions
A session is a distinct message or set of messages protected by a quick mode SA. This setting specifies how many quick mode key generating sessions can be protected using the same main mode key information. After this threshold is reached, the counter is reset, and a new key is generated. Subsequent communications will use the new key. The maximum value is 2,147,483,647 sessions. The minimum value is 0 sessions. A session limit of zero (0) causes the generation of a new key to be determined only by the Key lifetime (in minutes) setting.

Use caution when setting very different key lifetimes for main mode and quick mode keys. For example, setting a main mode key lifetime of 8 hours and a quick mode key lifetime of 2 hours might leave a quick mode SA in place for almost 2 hours after the main mode SA has expired. This occurs when the quick mode SA is generated shortly before main mode SA expiration.

Important

The higher the number of sessions allowed per main mode key, the greater the chance of the main mode key being discovered. If you want to limit the number of times this reuse occurs, you can specify a quick mode key limit.

Security Note

To configure main mode perfect forward secrecy (PFS), set Key lifetime in sessions to 1. Although this configuration provides significant additional protection, it also carries a significant computational and network performance penalty. Every new quick mode session regenerates the main mode keying material, which in turn causes the two computers to reauthenticate. We recommend that you enable PFS only in environments where IPsec traffic might be exposed to sophisticated attackers who might try to compromise the strong cryptographic protection provided by IPsec.

Key exchange options


Use Diffie-Hellman for enhanced security
Windows Vista and later versions of Windows support Authenticated IP (AuthIP) in addition to Internet Key Exchange (IKE) for establishing the initial secure connection in which the rest of the IPsec parameters are negotiated. IKE uses Diffie-Hellman exchanges only. When AuthIP is used, no Diffie-Hellman key exchange protocol is required. Instead, when Kerberos version 5 authentication is requested, the Kerberos version 5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a Transport Layer Security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value. If you select this check box, then a Diffie-Hellman exchange takes place regardless of the authentication type selected, and the Diffie-Hellman secret is used to secure the rest of the IPsec negotiations. Use this when regulatory requirements specify that a Diffie-Hellman exchange must be used.
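The settings of this dialog and of the Add Security Method dialog above (ordered security methods, key lifetime in minutes and sessions, main mode PFS, and the Diffie-Hellman check box), scripted as an added example that is not part of this help file or of Microsoft's documentation. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later); the set names and the lifetime values are mine and chosen within the limits the text above gives.

```powershell
# Added example (not from the help file); names and values are mine.

# Security methods, strongest first: the first entry both peers support is used.
$methods = @(
    New-NetIPsecMainModeCryptoProposal -KeyExchange ECDH384 -Encryption AES256 -Hash SHA384
    New-NetIPsecMainModeCryptoProposal -KeyExchange DH14    -Encryption AES128 -Hash SHA256
    # Compatibility-only entry for older peers; remove it once none remain.
    New-NetIPsecMainModeCryptoProposal -KeyExchange DH2     -Encryption DES3   -Hash SHA1
)

# Key lifetime: 480 minutes (8 hours) and 0 sessions, so rekeying is driven by
# time alone, as the Sessions text above describes for a zero session limit.
# -ForceDiffieHellman $true is the "Use Diffie-Hellman for enhanced security"
# check box: a DH exchange happens even when AuthIP would not need one.
New-NetIPsecMainModeCryptoSet -Name 'ExampleMM' -DisplayName 'Example main mode set' `
    -Proposal $methods -MaxMinutes 480 -MaxSessions 0 -ForceDiffieHellman $true

# Main mode PFS variant: one quick mode session per main mode key, so every new
# quick mode SA regenerates the main mode keying material and reauthenticates
# the peers. Costly; only the two strong methods are offered here.
New-NetIPsecMainModeCryptoSet -Name 'ExampleMMPFS' -DisplayName 'Example main mode set (PFS)' `
    -Proposal $methods[0..1] -MaxMinutes 480 -MaxSessions 1

# Review: the proposal list is shown in negotiation order.
Get-NetIPsecMainModeCryptoSet -Name 'ExampleMM' |
    Select-Object -ExpandProperty Proposal |
    Format-Table KeyExchange, Encryption, Hash
```

Apply one of these sets to a connection security rule with the -Phase1CryptoSet parameter of New-NetIPsecRule, or make it the computer default with the -Default switch of New-NetIPsecMainModeCryptoSet; the dialog above edits that default.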

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Allow If Secure Settings


When you select Allow the connection if it is secure in a firewall rule, you are specifying that the network packets must be protected by Internet Protocol security (IPsec) or the packet does not match the rule. If you click Customize next to that option, you can configure these options that allow you to specify the type of IPsec protection that is required.


You must select one of the first three options described below. The last option, Override block rules, can be selected independently of the other options.

To get to this dialog box

When creating a firewall rule by using the New Firewall Rule wizard, on the Action page, click Allow the connection if it is secure, and then click Customize.
When modifying an existing firewall rule, on the General tab, select Allow the connection if it is secure, and then click Customize.

Allow the connection if it is authenticated and integrity-protected


This is the default option. Use this option to require that all matching network packets use both IPsec authentication and integrity algorithms as defined in a separate connection security rule. If a network packet matching all other criteria is neither authenticated nor protected with an integrity algorithm, then it does not match this rule and is blocked.

Note

This setting is supported when applied to computers running Windows Vista or later versions of Windows.

Require the connection to be encrypted


Use this option to require that all matching network packets use data encryption as defined in a separate connection security rule. If a network packet matching all other criteria is not encrypted, then it does not match this rule and is blocked. When this option is enabled, Windows Firewall with Advanced Security uses the settings on the Customize Data Protection Settings dialog box.

Allow the computers to dynamically negotiate encryption


This option is available for inbound rules only. Use this option to allow the network connection, after authentication succeeds, to send and receive unencrypted network traffic while the encryption algorithms are negotiated.

Security Note

While encryption is being negotiated, the network traffic is sent as clear text. Do not specify this option if the network traffic sent over the connection during this period is too sensitive for plain text transmission.

Allow the connection to use null encapsulation


Use this option to require that all matching network packets use IPsec authentication, but do not require integrity or encryption protection. We recommend that you use this option only when you have network equipment or software that is not compatible with either the Encapsulating Security Payload (ESP) or Authentication Header (AH) integrity protocols.

Note

This setting is supported when applied to computers running Windows 7 or Windows Server 2008 R2. It does not apply to computers running earlier versions of Windows.

Override block rules


Use this option to allow network packets that match this firewall rule to override any block firewall rules. This option is referred to as authenticated bypass. Normally, rules that explicitly block connections have priority over rules that allow connections. If you use this option, the connection is allowed even if another rule would block the connection. You are effectively stating that network traffic that matches this rule is allowed because it is authenticated as coming from an authorized and trusted user or computer.

This option is typically used to allow trusted programs, such as network vulnerability scanners and other networking tools, to run without restrictions. Although a typical firewall configuration does and should block network traffic from such devices, you can create a rule that identifies authorized computers. The Override block rules option allows traffic from these authorized computers only. If you do not use this option, any block firewall rules that match the same firewall rule criteria will take precedence, and the connections will be blocked.

If you select this option, you must specify at least one computer or computer group for authorization on the Computers page of the New Firewall Rule wizard or the Computers tab of the Firewall Rule Properties dialog box.

Note

If you configure the firewall operational state to Block all connections on the Windows Firewall with Advanced Security Properties dialog box, then all network traffic is blocked even if this option is set.
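The four protection levels of this dialog and the authenticated-bypass option, created from the command line as an added example that is not part of this help file or of Microsoft's documentation. It assumes the NetSecurity New-NetFirewallRule cmdlet (Windows 8 / Windows Server 2012 and later); the port, rule names and the computer-group SID in the SDDL string are constructed placeholders, to be replaced with the SID of the group you actually authorize.

```powershell
# Added example (not from the help file); port, names and SID are constructed.
$port = 8443

# 1. Default: authenticated and integrity-protected, encryption not required.
New-NetFirewallRule -DisplayName 'Example: allow if authenticated' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port `
    -Authentication Required -Encryption NotRequired

# 2. Require the connection to be encrypted (uses the Data Protection settings).
New-NetFirewallRule -DisplayName 'Example: allow if encrypted' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port `
    -Authentication Required -Encryption Required

# 3. Dynamic negotiation: inbound only; traffic is clear text until the
#    encryption algorithms are agreed, so not for sensitive services.
New-NetFirewallRule -DisplayName 'Example: allow, negotiate encryption' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port `
    -Authentication Required -Encryption Dynamic

# 4. Null encapsulation: authentication only, for peers that cannot use ESP or AH.
New-NetFirewallRule -DisplayName 'Example: allow with null encapsulation' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $port `
    -Authentication NoEncap

# Authenticated bypass: overrides block rules, but only for the computers in
# the group named by the SDDL, which is therefore mandatory. Constructed SID.
$authorizedComputers = 'O:LSD:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1234)'
New-NetFirewallRule -DisplayName 'Example: authenticated bypass for scanners' `
    -Direction Inbound -Action Allow `
    -Authentication Required -Encryption Required `
    -OverrideBlockRules $true -RemoteMachine $authorizedComputers

# Review the security filters that the dialog above edits.
Get-NetFirewallRule -DisplayName 'Example:*' |
    Get-NetFirewallSecurityFilter |
    Format-Table Authentication, Encryption, OverrideBlockRules, RemoteMachine
```

Each of these rules still depends on a connection security rule that actually establishes IPsec for the traffic; without one, packets arrive unauthenticated, fail to match the rule, and are blocked exactly as the text above describes.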

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Data Protection Settings


Use this dialog box to add, edit, change priority, or remove data integrity or data encryption algorithms. You can use more than one algorithm in each list and you can assign the order in which the algorithms are attempted. The first algorithm in the list that is compatible with both peers will be used. You must specify algorithms that are also specified in the rules on the computers to which you want to communicate. For more information, see IPsec Algorithms and Protocols Supported by Windows (http://go.microsoft.com/fwlink/?linkid=129230).


Note

A best practice is to list the algorithms in order of greatest security at the top to least security at the bottom. This way, the most secure algorithm in common between the two negotiating computers is used. The less secure algorithms can be used for backward compatibility.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.
4. Under Data protection (Quick Mode), select Advanced, and then click Customize.

Performance considerations for encryption


The encryption algorithms that provide the best security for your data are those that make it computationally infeasible for the data to be decrypted without the key. The mathematical algorithms that perform the encryption are themselves mathematically intense and can degrade performance. As you switch to higher security algorithms, the computing power required to perform the calculations increases. Windows supports the use of network adapters that have cryptographic processors that can perform most of the IPsec encryption calculations. This frees up your main processors to do other things and reduces the performance overhead of IPsec. For more information, see Improving Network Performance by Using IPsec Task Offload (http://go.microsoft.com/fwlink/?linkid=129229).

Require encryption for all connection security rules that use these settings
Select this check box to require all connection security rules to require encryption. If you select this check box, the Data integrity section is disabled, and you can only specify algorithm combinations in the Data integrity and encryption section.

Data integrity
This list shows the currently configured data integrity algorithms. When negotiating the details of the quick mode SA with another computer, the algorithms are proposed in the order shown. Use the up and down arrows to arrange the algorithms into the preferred order. You should place the algorithms with stronger protection at the top of the list, and those with weaker protection at the bottom of the list. Include weaker algorithms only if required to support computers that cannot use the stronger algorithms. If you select Require encryption for all connection security rules that use these settings, then this section is disabled.


To add an algorithm to the list, click Add. To modify an algorithm that is already in the list, select the algorithm, and then click Edit. To remove an algorithm from the list, select the algorithm, and then click Remove.

Data integrity and encryption


This list shows the currently configured algorithm combinations that include both encryption and data integrity. When negotiating the details of the quick mode SA with another computer, the algorithm combinations are proposed in the order shown. Use the up and down arrows to arrange the algorithm combinations into the preferred order. You should place the algorithm combinations with stronger protection at the top of the list and those with weaker protection at the bottom of the list. Include weaker algorithm combinations only if required to support computers that cannot use the stronger algorithm combinations. To add an algorithm combination to the list, click Add. To modify an algorithm combination that is already in the list, select the algorithm combination, and then click Edit. To remove an algorithm combination from the list, select the algorithm combination, and then click Remove. For more information, see Dialog Box: Add or Edit Integrity and Encryption Algorithms.
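The ordering rule the dialog describes (strongest combination first, weaker ones only for peers that need them) can also be expressed in script. The following is an added example, not code from the Windows help page or from Microsoft; it uses the NetSecurity PowerShell module that ships with Windows 8 and Windows Server 2012 and later, which is assumed to be available, rather than the MMC dialog described here. Lifetimes and display names are constructed values.

```powershell
# Added example (not from the Windows help page): build the default quick mode
# data protection set with the NetSecurity PowerShell module (Windows 8 /
# Windows Server 2012 and later), ordering proposals strongest first as the
# page recommends. The MMC dialog on the page does the same thing interactively.
Import-Module NetSecurity

# Proposals are offered to the peer in array order; the first one both sides
# support wins, so the strongest combination goes first.
$proposals = @(
    # Data integrity and encryption (ESP): confidentiality plus integrity.
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256 `
        -MaxMinutes 60 -MaxKiloBytes 100000
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 -ESPHash SHA256 `
        -MaxMinutes 60 -MaxKiloBytes 100000
    # Data integrity only (no encryption). Include this only if you must
    # interoperate with peers that cannot encrypt; leaving it out is the
    # scripted equivalent of the "Require encryption" check box on the page.
    New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption None -ESPHash SHA1 `
        -MaxMinutes 60 -MaxKiloBytes 100000
)

# -Default makes this the quick mode set that connection security rules use
# when their data protection setting is "Default".
New-NetIPsecQuickModeCryptoSet -DisplayName 'Default data protection (strongest first)' `
    -Proposal $proposals -Default

# Read the stored set back; proposals are listed in negotiation order.
Get-NetIPsecQuickModeCryptoSet -DisplayName 'Default data protection (strongest first)' |
    Select-Object -ExpandProperty Proposal |
    Format-Table Encapsulation, Encryption, ESPHash, MaxMinutes, MaxKiloBytes
```

If the policy store already carries a default quick mode set, the same proposals can be applied to that set with Set-NetIPsecQuickModeCryptoSet -Proposal instead of creating a new one. Whichever way the set is built, the peers you communicate with must list at least one matching combination, or the quick mode SA will not negotiate.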

Additional references

User Interface: Windows Firewall with Advanced Security
Dialog Box: Add or Edit Integrity Algorithms

Dialog Box: Customize ICMP Settings


Use this dialog box when creating or modifying a firewall rule to configure criteria based on Internet Control Message Protocol (ICMP).

How to get to this dialog box

When creating a new firewall rule using the wizard, follow these steps:
1. On the Rule Type page, select Custom.
2. On the Protocol and Ports page, in Protocol type, select either ICMPv4 or ICMPv6.
3. Click Customize.

When modifying an existing firewall rule using the Firewall Rule Properties dialog box, follow these steps:
1. Click the Protocols and Ports tab.
2. In Protocol type, select either ICMPv4 or ICMPv6.
3. Click Customize.

All ICMP types


Select this option to specify that any message using ICMP matches the rule.

Specific ICMP types


Select this option to select one or more ICMP message types. Select the message types to which you want to apply the rule.

This ICMP type


Use this option to specify an ICMP message type that is not provided in Specific ICMP types. This option is enabled only if you select Specific ICMP types. Click Add to add the type to the list.

Type
This is a number that correlates to an ICMP message type. For example, 3 is the number for the "Destination Unreachable" message. The message type is an integer from 0 to 255.

Code
This is a number that correlates to a code for an ICMP message type. These codes are details that are useful for troubleshooting and understanding the circumstances that prompted the sending of the message. The same code number can mean different things for different message types. For example, 3 is the code for "Port Unreachable" for the "Destination Unreachable" message, but it is also the code for "Redirect Datagram for the Type of Service and Host" for the "Redirect" message type. The code can be an integer from 0 to 255, or the value Any. By combining the message type and code, you can specify very detailed criteria for the exception. This can be useful when you need to make sure specified ICMP messages pass through Windows Firewall with Advanced Security for remote troubleshooting, while other ICMP messages are blocked.
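The type and code fields above map directly onto a scripted rule. The block below is an added example, not code from the Windows help page or from Microsoft; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later), whose -IcmpType parameter takes the same "type" or "type:code" values the dialog collects. The set of message types chosen is a constructed illustration of the "pass what troubleshooting needs, block the rest" approach the page describes.

```powershell
# Added example (not from the Windows help page): create inbound firewall rules
# for specific ICMP type/code pairs with the NetSecurity module (Windows 8 /
# Server 2012 and later). The -IcmpType value uses "type" or "type:code"
# notation, which corresponds to the Type and Code fields of the Customize
# ICMP Settings dialog.
Import-Module NetSecurity

# Constructed list of ICMPv4 messages a host usually has to accept for
# troubleshooting and path MTU discovery, expressed as type or type:code.
$icmpV4Types = @{
    'Echo Request (ping)'                           = '8'    # type 8, any code
    'Destination Unreachable: Fragmentation needed' = '3:4'  # type 3, code 4 (PMTUD)
    'Time Exceeded (traceroute)'                    = '11'   # type 11, any code
}

foreach ($entry in $icmpV4Types.GetEnumerator()) {
    $name = "Allow ICMPv4 - $($entry.Key)"
    # Skip if a rule with this name already exists so the script is re-runnable.
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$name' already exists; skipping"
        continue
    }
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Action Allow `
        -Protocol ICMPv4 -IcmpType $entry.Value `
        -Profile Domain, Private `
        -RemoteAddress LocalSubnet | Out-Null
}

# Every other ICMPv4 message stays blocked by the inbound default. Confirm what
# the rules actually match by reading back their protocol/port filter objects.
Get-NetFirewallRule -DisplayName 'Allow ICMPv4 - *' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, IcmpType
```

Scoping the rules to LocalSubnet and to the Domain and Private profiles keeps the exception narrow; drop the -RemoteAddress restriction only where remote troubleshooting from other networks is genuinely required.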

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Interface Types



Use this dialog box to specify the interface types to which the rule applies. You can specify the local area network (that is, wired network adapters), wireless network adapters, remote access connections, or all network connection types.

To get to this dialog box
1. In the Windows Firewall with Advanced Security MMC snap-in, double-click the firewall rule you want to modify, and then click the Advanced tab.
2. Under Interface types, click Customize.

All interface types


The rule applies to communications sent through any of the network connections that you have configured on the computer.

These interface types


The rule applies only to communications sent through the network connection types selected in the box. You can select one type or a combination of types.

Local area network


The rule applies only to communications sent through wired local area network (LAN) connections that you have configured on the computer.

Remote access
The rule applies only to communications sent through remote access, such as a virtual private network (VPN) connection or dial-up connection that you have configured on the computer.

Wireless
The rule applies only to communications sent through wireless network adapters that you have configured on the computer.

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize IPsec Settings


Use this dialog box to configure the Internet Protocol security (IPsec) main mode key exchange and quick mode data protection settings used for all IPsec negotiations. You can also configure the default authentication settings used whenever a connection security rule uses the Default settings.

Important

If you are configuring Windows Firewall with Advanced Security on the local computer and you select Default for any of the settings, any Group Policy objects (GPOs) that apply to this computer can specify the settings. If you are configuring a GPO and you select Default for any of the settings, any GPOs of higher precedence that apply to this computer can specify the settings.

To get to this dialog box
1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec defaults, click Customize.

Key exchange (Main Mode)


Key exchange settings you select here apply to all connection security rules. To ensure successful and secure communication, IPsec performs a two-phase operation to establish a secured connection between the two computers. Confidentiality and authentication are ensured during each phase by the use of integrity, encryption, and authentication algorithms that are agreed upon by the two computers during security negotiations. With the duties split between two phases, key creation can be accomplished quickly. During the first phase, the two computers establish a secure, authenticated channel, called the main mode security association (SA). The main mode SA is then used during the second phase to allow secure negotiation of the quick mode SA. The quick mode SA specifies the protection settings for matching TCP/IP data transferred between the two computers.

Default
Select this option to use the key exchange settings that are installed by default or configured as defaults through Group Policy. This setting is used for all key exchanges. For more information, see Default Settings for Windows Firewall with Advanced Security.

Advanced
Select this option to specify the key exchange settings that are applied to all key exchanges. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Advanced Key Exchange Settings dialog box to select the settings to use.
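The main mode (key exchange) defaults described above can be set from a script as well. This is an added example, not code from the Windows help page or from Microsoft; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later) and uses constructed display names and lifetimes. As with the data protection list, proposals are offered in the order given, so the strongest goes first.

```powershell
# Added example (not from the Windows help page): define the default main mode
# (key exchange) settings with the NetSecurity module (Windows 8 / Server 2012
# and later), the scripted equivalent of selecting Advanced under Key exchange
# (Main Mode) and clicking Customize. Proposals are offered in array order.
Import-Module NetSecurity

$mainModeProposals = @(
    # Strongest first: AES-256 with SHA-256 integrity and an elliptic-curve
    # Diffie-Hellman group (DH19 = ECP-256).
    New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH19
    # Fallback for peers without ECDH support: DH group 14 (2048-bit MODP).
    New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA256 -KeyExchange DH14
)

# -Default: every connection security rule whose key exchange setting is
# "Default" negotiates with this set. Key lifetime limits belong to the set as
# a whole, not to individual proposals. MaxSessions 0 means no session limit.
New-NetIPsecMainModeCryptoSet -DisplayName 'Default key exchange (strongest first)' `
    -Proposal $mainModeProposals `
    -MaxMinutes 480 -MaxSessions 0 -Default

# Read the result back in negotiation order.
Get-NetIPsecMainModeCryptoSet -DisplayName 'Default key exchange (strongest first)' |
    Select-Object -ExpandProperty Proposal |
    Format-Table Encryption, Hash, KeyExchange
```

Both computers must share at least one main mode proposal; if a peer only supports older groups, add that group at the end of the list rather than at the top, so modern peers still negotiate the stronger exchange.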

Data protection (Quick Mode)


Data protection settings you select here apply to all connection security rules created using the Windows Firewall with Advanced Security MMC snap-in. If you need to create a connection security rule with custom data protection settings, then you must create the rule by using the netsh advfirewall consec context. For more information, see Netsh Commands for Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=111237).

Default
Select this option to use the data integrity and encryption settings that are installed by default or configured as defaults through Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.

Advanced
Use this option to specify data integrity and encryption settings that are available for negotiating the quick mode SA. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Data Protection Settings dialog box to select the data protection settings to use.

Authentication method
Authentication method settings you select here apply only to connection security rules that have Default selected as the authentication method.

Default
Select this option to use the authentication settings that are installed by default or configured as defaults by using Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.

Computer and User (Kerberos V5)


Select this option to use both computer and user authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing Computer (Kerberos V5) for first authentication and User (Kerberos V5) for second authentication, and then clearing both First authentication is optional and Second authentication is optional.

Computer (Kerberos V5)


Select this option to use computer authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing Computer (Kerberos V5) for first authentication, and then selecting Second authentication is optional.

User (Kerberos V5)


Select this option to use user authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing User (Kerberos V5) for second authentication, and then selecting First authentication is optional.

Advanced


You can use this option to create a method that is specific to your needs. If you select this option, you must click Customize to use the Customize Advanced Authentication Methods dialog box to specify the authentication methods to use.

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize IPsec Tunnel Authorization


Use these settings to specify which users or computers are authorized to initiate a tunnel connection to the local computer. These settings only apply to inbound connections. Tunnel connections initiated by the local computer are not subject to these authorization settings.

Note

These settings only apply to tunnel mode rules that have the Apply authorization option enabled on the Customize IPsec Tunneling Settings dialog box.

To get to this dialog box
1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab.
3. Under IPsec tunnel authorization, select Advanced, and then click Customize.

Computers tab
Use this tab to identify computers or computer groups that are authorized to create tunnel mode connections to the local computer.

Authorized computers
Only allow connections from these computers
Select this option to specify which computers can create a tunnel mode connection to the local computer. If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Active Directory Object Picker dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.


Exceptions
Use this section to identify computer or group accounts that are denied permissions to create tunnel mode connections to the local computer. If a computer attempting a connection is listed in both the Authorized computers and Exceptions boxes, either directly or as a member of a group, the exception takes priority and the connection is blocked.

Deny connections from these computers
Select this option to specify which computers are prohibited from creating a tunnel mode connection to this computer. If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Active Directory Object Picker dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.

Users tab
Use this tab to identify users or user groups that are authorized to create tunnel mode connections to the local computer.

Authorized users
Only allow connections from these users
Select this option to specify which users can create a tunnel mode connection to this computer. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Active Directory Object Picker dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions
Use this section to identify user or group accounts that are denied permissions to create tunnel mode connections to the local computer. If a user attempting a connection is listed in both the Authorized users and Exceptions boxes, either directly or as a member of a group, the exception takes priority and the connection is blocked.

Deny connections from these computers
Select this option to specify which users are prohibited from creating a tunnel mode connection to this computer. If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Active Directory Object Picker dialog box. To remove a user or group from the list, select the user or group, and then click Remove.


See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize IPsec Tunneling Settings


Use this dialog box to configure a connection security rule to use tunnel mode rather than transport mode.

To get to this dialog box
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Connection Security Rules.
2. Double-click the tunnel rule that you want to modify.
3. Click the Advanced tab, and then under IPsec Tunneling, click Customize.

Use IPsec tunneling


Select this option to specify that the network traffic that matches this rule travels from Endpoint 1 to Endpoint 2 through an Internet Protocol security (IPsec) tunnel. Selecting this option enables the rest of the controls in this dialog box.

Apply authorization
Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps:

To specify users and computers authorized to send network traffic through the tunnel
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.
2. In Overview, click Windows Firewall Properties.
3. Select the IPsec Settings tab.
4. In IPsec tunnel authorization, click Advanced, and then click Customize.
5. Add users and computers to the lists according to your design. For more information, see Dialog Box: Customize IPsec Tunnel Authorization.

Exempt IPsec protected connections


Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule. Select the option to specify that network traffic that matches another IPsec connection security rule does not go through the IPsec tunnel.

Local tunnel endpoint (closest to Endpoint 1)


Use this option to identify the computer that terminates the tunnel at the end closest to the computers in Endpoint 1. Click Edit to enter an Internet Protocol version 4 (IPv4) address, Internet Protocol version 6 (IPv6) address, or both.

Important

You must be consistent in the version of IP you specify for the addresses in a tunnel. If you specify IPv4 addresses, then do so for both tunnel endpoints and for Endpoint 1 and Endpoint 2. You can specify both IPv4 and IPv6, but you must then specify both for both tunnel endpoints and for Endpoint 1 and Endpoint 2.

Remote tunnel endpoint (closest to Endpoint 2)


Use this option to identify the computer that terminates the tunnel at the end closest to the computers in Endpoint 2. Click Edit to enter an IPv4 address, IPv6 address, or both.

Important

You must be consistent in the version of IP you specify for the addresses in a tunnel. If you specify IPv4 addresses, then do so for both tunnel endpoints and for Endpoint 1 and Endpoint 2. You can specify both IPv4 and IPv6, but you must then specify both for both tunnel endpoints and for Endpoint 1 and Endpoint 2.

For information about IPsec tunneling, see Connection Security Rule Wizard: Tunnel Type Page.
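The IP version consistency requirement stated for both tunnel endpoints is easy to enforce before a rule is created. The following is an added example, not code from the Windows help page or from Microsoft; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later) and uses constructed documentation address ranges rather than real endpoints. The Test-SameIPVersion helper is written for this example.

```powershell
# Added example (not from the Windows help page): create an IPsec tunnel mode
# connection security rule with the NetSecurity module (Windows 8 / Server 2012
# and later), checking first that every address in the rule uses the same IP
# version, the consistency requirement the page calls out. Addresses below are
# constructed documentation ranges, not real endpoints.
Import-Module NetSecurity

function Test-SameIPVersion {
    # Returns $true when every address or prefix in $Addresses belongs to the
    # same address family (all IPv4 or all IPv6).
    param([string[]]$Addresses)
    $families = foreach ($a in $Addresses) {
        $ip = ($a -split '/')[0]            # strip a CIDR prefix length if present
        ([System.Net.IPAddress]::Parse($ip)).AddressFamily
    }
    return (($families | Select-Object -Unique).Count -eq 1)
}

$params = @{
    DisplayName          = 'Branch tunnel (Endpoint 1 -> Endpoint 2)'
    Mode                 = 'Tunnel'
    LocalAddress         = '192.0.2.0/24'      # Endpoint 1 network (behind the local gateway)
    RemoteAddress        = '198.51.100.0/24'   # Endpoint 2 network (behind the remote gateway)
    LocalTunnelEndpoint  = '203.0.113.10'      # local tunnel endpoint (closest to Endpoint 1)
    RemoteTunnelEndpoint = '203.0.113.20'      # remote tunnel endpoint (closest to Endpoint 2)
    InboundSecurity      = 'Require'
    OutboundSecurity     = 'Require'
    RequireAuthorization = $true               # the "Apply authorization" option on the page
    Profile              = 'Domain'
}

$allAddresses = @($params.LocalAddress, $params.RemoteAddress,
                  $params.LocalTunnelEndpoint, $params.RemoteTunnelEndpoint)

if (-not (Test-SameIPVersion -Addresses $allAddresses)) {
    throw 'Tunnel endpoints and Endpoint 1/Endpoint 2 must all use the same IP version.'
}

New-NetIPsecRule @params
```

With RequireAuthorization set, the rule only admits inbound tunnel connections from the computers and users listed under IPsec tunnel authorization (see Dialog Box: Customize IPsec Tunnel Authorization); without that list the tunnel will authenticate but refuse to pass traffic.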

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Logging Settings for a Firewall Profile


Windows Firewall with Advanced Security can be configured to log events that indicate the successes and failures of its processes. The logging settings involve two groups of settings: settings for the log file itself and settings that determine which events the file will record. The settings can be configured separately for each of the firewall profiles. You can specify where the log file will be created, how big the file can grow, and whether you want the log file to record information about dropped packets, successful connections, or both.


To get to this dialog box
1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall properties.
2. Select the tab that corresponds to the firewall profile for which you want to configure logging.
3. In Logging, click Customize.

Name
Enter the path and name of the file in which you want Windows Firewall to write its log information. If you are configuring a Group Policy object (GPO) for deployment to multiple computers, use the available environment variables, such as %windir%, to ensure that the location is correct for each computer on your network. Just specifying a file location does not start logging. You must also select one of the two check boxes to log dropped packets or successful connections.

Important

If you are configuring the setting for a computer that is running Windows Vista or a later version of Windows, and you specify a location other than the default, you must ensure that the Windows Firewall service has permissions to write to that location.

To grant write permissions for the log folder to the Windows Firewall service
1. Locate the folder that you specified for the logging file, right-click it, and then click Properties.
2. Click the Security tab, and then click Edit.
3. Click Add, in Enter object names to select, type NT SERVICE\mpssvc, and then click OK.
4. In the Permissions dialog box, verify that MpsSvc has Write access, and then click OK.

Size limit
Specify the maximum size to which the file is permitted to grow. The value must be between 1 and 32,767 kilobytes (KB). When the specified size limit is reached, Windows Firewall with Advanced Security closes the log file and renames it by adding ".old" to the end of the file name. It then creates and uses a new log file that has the original log file name. Only two files are kept at a time. If the second file reaches the maximum size, then it is renamed by adding .old, and the original .old file is discarded.
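The log file name, size limit and the Write permission for the firewall service can be set together in one script. This is an added example, not code from the Windows help page or from Microsoft; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later) for the profile settings, and the folder path is a constructed example of a non-default location.

```powershell
# Added example (not from the Windows help page): configure per-profile logging
# with the NetSecurity module (Windows 8 / Server 2012 and later) and grant the
# Windows Firewall service (NT SERVICE\mpssvc) Write access on a non-default
# log folder, as the page requires. The folder path is a constructed example.
Import-Module NetSecurity

$logDir = 'C:\FirewallLogs'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Grant Write to the service identity, inherited by files created in the folder.
$acl  = Get-Acl -Path $logDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT SERVICE\mpssvc', 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $logDir -AclObject $acl

# One log per profile, both dropped packets and allowed connections, capped at
# the page's maximum of 32,767 KB. Only the current file and its .old
# predecessor are kept, so collect the files centrally if you need history.
foreach ($profile in 'Domain', 'Private', 'Public') {
    Set-NetFirewallProfile -Name $profile `
        -LogFileName "$logDir\pfirewall-$($profile.ToLower()).log" `
        -LogMaxSizeKilobytes 32767 `
        -LogBlocked True `
        -LogAllowed True
}

# Confirm the stored settings.
Get-NetFirewallProfile |
    Select-Object Name, LogFileName, LogMaxSizeKilobytes, LogBlocked, LogAllowed
```

Because only the current file and one .old copy survive rotation, a busy host with Log successful connections enabled can cycle through the cap quickly; forward the files to a collector if you need more than the most recent window.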

Log dropped packets


Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

Log successful connections


Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

Event log
The Windows Firewall with Advanced Security operational event log is another resource you can use to view Windows Firewall policy changes. The operational log is always on and contains events for both firewall rules and connection security rules.

To view the Windows Firewall with Advanced Security event log
1. Open Event Viewer. Click Start, click Administrative Tools, and then click Event Viewer.
2. In the navigation pane, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.
3. Click either ConnectionSecurity, ConnectionSecurityVerbose, Firewall, or FirewallVerbose. The logs marked verbose are not enabled by default. To enable them, in Actions, click Enable Log.
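Reading the DROP and ALLOW entries described above, and the operational event log, is usually done from a script rather than by eye. The block below is an added example, not code from the Windows help page or from Microsoft. The log lines are constructed samples in the W3C format the firewall writes; the ConvertFrom-FirewallLog helper is written for this example and takes its column names from the #Fields header line.

```powershell
# Added example (not from the Windows help page): summarize DROP and ALLOW
# entries from a Windows Firewall log, then pull recent operational events.
# The log lines below are constructed samples in the W3C format the firewall
# writes (the #Fields header names the columns); replace them with the real
# file by using Get-Content on the configured log path.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-09-29 10:15:01 DROP TCP 192.0.2.50 192.0.2.10 49152 445 52 S 123456 0 8192 - - - RECEIVE
2011-09-29 10:15:02 DROP TCP 192.0.2.50 192.0.2.10 49153 3389 52 S 123457 0 8192 - - - RECEIVE
2011-09-29 10:15:02 ALLOW TCP 192.0.2.10 198.51.100.5 49200 443 0 - 0 0 0 - - - SEND
2011-09-29 10:15:03 DROP UDP 192.0.2.77 192.0.2.10 5353 5353 60 - - - - - - - RECEIVE
2011-09-29 10:15:04 DROP ICMP 192.0.2.50 192.0.2.10 - - 84 - - - - 8 0 - RECEIVE
'@

function ConvertFrom-FirewallLog {
    # Parses firewall log text into objects, using the #Fields header so the
    # column order does not have to be hard-coded.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$entries = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")

# Inbound drops grouped by source and destination port: the quickest view of
# which hosts are probing which services on this computer.
$entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# The operational event log the page describes, queried without Event Viewer.
Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

For the constructed sample the grouping reports 192.0.2.50 twice (ports 445 and 3389) and 192.0.2.77 once; on a real host the same query run over the rotating pfirewall.log files gives a first indication of unexpected scanning or a misconfigured client, while the operational log answers the separate question of who changed the rule set.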

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Protected Network Connections for a Firewall Profile


Use this dialog box to configure the network connections that are protected by the rules associated with a specified network profile.

To get to this dialog box
1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall properties.
2. Select the tab that corresponds to the firewall profile you want to configure.
3. In State, next to Protected network connections, click Customize.


The list contains the network connections that are currently configured on the computer. By default, all network connections are selected and therefore protected. You typically see one connection for each wired network adapter, each wireless network adapter, and each configured remote network connection (such as a VPN). Select the box next to the entry for each connection that you want protected by the rules that are assigned to the currently selected profile (the currently selected tab). Each entry is shown by its descriptive name. If you clear the check box, then that network connection is not subject to the rules in the current profile when that network connection is connected to a network that matches the profile.

For more information about a particular network connection, use the Network and Sharing Center. To open the Network and Sharing Center, click Start, click Control Panel, click Network and Internet, and then click Network and Sharing Center. To rename a network connection, click Change adapter settings, right-click the adapter, click Rename, and then type a descriptive name for the network connection. The Network and Sharing Center also allows you to reclassify a public network to private, and vice versa. You cannot reclassify a network to or from the domain type.

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Service Settings


Use these options to configure the way in which Windows Firewall with Advanced Security responds to connection requests from or to services.

To get to this dialog box

When creating a firewall rule by using the New Firewall Rule wizard, follow these steps.
1. On the Rule Type page, click Custom.
2. On the Program page, next to Services, click Customize.

When modifying an existing firewall rule, on the Programs and Services tab, click Customize.

Notes

You can specify both a program and a service in the same firewall rule. Both conditions must be met for the rule to apply to the requested connection.

When you select the Apply to services only option, any service running as the LocalSystem or NetworkService account has appropriate access. When you select an option where you specify one or more services, the security identifier (SID) for the specified service is given access.


Apply to all programs and services


Use this option to apply the rule to all processes within the program specified in the Programs entry.

Apply to services only


Use this option to apply the rule only to services, not to other processes.

Apply to this service


From the list, select the service to which you want the rule to be applied.

Apply to service with this service short name


Specify the short name of the service to which you want the rule to be applied. You can specify any short name even if it is not in the list. Misspelled short names and short names that do not specify a service will be ignored. This option is useful when defining a rule for a Group Policy object (GPO) and the service referenced in the rule is not installed or running on the computer on which you are modifying the rule.
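Because a misspelled or unknown short name is silently ignored, a rule can end up matching no service at all without any error. The following is an added example, not code from the Windows help page or from Microsoft; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later), and the New-ServiceScopedRule helper, the service chosen and the port are constructed for illustration.

```powershell
# Added example (not from the Windows help page): create a firewall rule scoped
# to one service with the NetSecurity module (Windows 8 / Server 2012 and
# later), looking the short name up first. The page notes that a misspelled
# or unknown short name is silently ignored, which would leave the rule
# matching nothing; this function makes that failure visible instead.
Import-Module NetSecurity

function New-ServiceScopedRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$ServiceShortName,   # e.g. 'W32Time', not 'Windows Time'
        [Parameter(Mandatory)][int]$LocalPort,
        [ValidateSet('TCP', 'UDP')][string]$Protocol = 'TCP',
        [string]$Program = $null,                          # optional: program and service must both match
        [switch]$AllowMissingService                       # set when authoring a GPO for other computers
    )
    $svc = Get-Service -Name $ServiceShortName -ErrorAction SilentlyContinue
    if (-not $svc) {
        if (-not $AllowMissingService) {
            throw "No service with short name '$ServiceShortName' on this computer. Check Get-Service for the short name; the display name is not accepted."
        }
        Write-Warning "Service '$ServiceShortName' not found locally; continuing because -AllowMissingService was set."
    }
    $params = @{
        DisplayName = $DisplayName
        Direction   = 'Inbound'
        Action      = 'Allow'
        Protocol    = $Protocol
        LocalPort   = $LocalPort
        Service     = $ServiceShortName
        Profile     = 'Domain'
    }
    if ($Program) { $params.Program = $Program }
    New-NetFirewallRule @params
}

# Constructed example: allow inbound NTP (UDP 123) only to the Windows Time
# service (short name W32Time) hosted in svchost.exe, not to any other process
# that might listen on the same port.
New-ServiceScopedRule -DisplayName 'Allow inbound NTP to Windows Time service' `
    -ServiceShortName 'W32Time' -Protocol UDP -LocalPort 123 `
    -Program '%SystemRoot%\System32\svchost.exe'

# Verify which service the rule is bound to.
Get-NetFirewallRule -DisplayName 'Allow inbound NTP to Windows Time service' |
    Get-NetFirewallServiceFilter | Select-Object Service
```

Use -AllowMissingService only when you are editing a GPO on a management station where the service is not installed, which is the scenario the page describes; on the target computers the name still has to match an installed service for the rule to take effect.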

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Settings for a Firewall Profile


Use these options to define who can make changes to Windows Firewall properties and profiles.

To get to this dialog box
1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall properties.
2. Select the tab that corresponds to the firewall profile you want to configure.
3. In Settings, click Customize.

Display a notification when a program is blocked



Select this option to have Windows Firewall with Advanced Security display a notification to the user when a program is blocked from receiving inbound connections. The notification appears when all of the following conditions are true:

This option is selected.
There is no existing block or allow rule for this program. If a block rule exists, then the program is blocked without displaying the notification to the user.
The program is blocked by the default behavior of Windows Firewall.

The user is given the option to unblock the program, as long as the user has network operator or administrator permissions. Selecting the option to unblock the program automatically creates an inbound program rule for the program that was blocked.

Allow unicast response to multicast or broadcast requests


This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. If you enable this setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall with Advanced Security waits as long as 4 seconds for unicast responses from the other computers and then blocks all later responses. If you disable this setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall with Advanced Security blocks the unicast responses sent by those other computers.

Rule merging
Use these options when using Group Policy to configure firewall and connection security rules on the local computer. Disabling the options prevents a local user with network operator or administrator permissions from creating firewall or connection security rules that might conflict with the rules deployed by Group Policy.

Allow local firewall rules


Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to be able to create and apply local firewall rules on this computer. When you clear this option, administrators can still create rules, but locally defined rules are not applied. This setting is available only when you are configuring the policy through Group Policy.

Allow local connection security rules


Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create and apply local connection security rules on this computer. When you clear this option, administrators can still create rules, but locally defined rules are not applied. This setting is available only when configuring the policy through Group Policy.
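The notification, unicast response and rule merging settings above are the ones most often checked in a firewall baseline audit. The block below is an added example, not code from the Windows help page or from Microsoft; it assumes the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later). The expected values are an assumption chosen for a domain-joined computer managed by Group Policy, not a Microsoft-published baseline, and the GPO name is a placeholder.

```powershell
# Added example (not from the Windows help page): audit the per-profile settings
# this dialog controls with the NetSecurity module (Windows 8 / Server 2012 and
# later) and compare them with the values an enterprise baseline would usually
# want on domain-joined computers. The expected values are an assumption for
# illustration, not a Microsoft-published baseline.
Import-Module NetSecurity

# Expected state: notifications off (users should not be unblocking programs),
# no unicast replies to multicast/broadcast, and no local rule merging so that
# only Group Policy rules apply.
$expected = @{
    NotifyOnListen                  = 'False'
    AllowUnicastResponseToMulticast = 'False'
    AllowLocalFirewallRules         = 'False'
    AllowLocalIPsecRules            = 'False'
}

function Test-FirewallProfileSettings {
    param([string]$PolicyStore = 'ActiveStore')   # the effective, merged policy
    Get-NetFirewallProfile -PolicyStore $PolicyStore | ForEach-Object {
        $profile = $_
        foreach ($setting in $expected.Keys) {
            [pscustomobject]@{
                Profile   = $profile.Name
                Setting   = $setting
                Expected  = $expected[$setting]
                Actual    = "$($profile.$setting)"
                Compliant = ("$($profile.$setting)" -eq $expected[$setting])
            }
        }
    }
}

Test-FirewallProfileSettings | Format-Table -AutoSize

# Remediation belongs in a GPO: the page notes the rule merging settings are
# only available when configuring policy through Group Policy. The GPO name
# below is a placeholder; uncomment and adjust to apply.
# Set-NetFirewallProfile -PolicyStore 'contoso.example\Firewall Baseline' -All `
#     -NotifyOnListen False -AllowUnicastResponseToMulticast False `
#     -AllowLocalFirewallRules False -AllowLocalIPsecRules False
```

A value of NotConfigured in the Actual column means the setting is inherited from the local store or from a lower-precedence GPO; the ActiveStore view shows what is actually in force after all stores are merged.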


See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit First Authentication Method


Use these settings to specify the way in which the peer computer is authenticated. The first authentication method is performed during the main mode phase of Internet Protocol security (IPsec) negotiations. You can specify multiple methods to use for first authentication. The methods are attempted in the order you specify. The first successful method is used. For more information about the authentication methods available in this dialog box, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

To get to this dialog box

When modifying the system-wide default settings:
1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab, and then under IPsec defaults, click Customize.
3. Under Authentication Method, select Advanced, and then click Customize.
4. Under First authentication, select a method, and then click Edit or Add.

When creating a new connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select any type except Authentication exemption.
3. On the Authentication Method page, select Advanced, and then click Customize.
4. Under First authentication, select a method, and then click Edit or Add.

When modifying an existing connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.
2. Double-click the connection security rule that you want to modify.
3. Click the Authentication tab.
4. Under Method, click Advanced, and then click Customize.
5. Under First authentication, select a method, and then click Edit or Add.

Computer (Kerberos V5)


You can use this method to authenticate peer computers that have computer accounts in the same domain or in separate domains that have a trust relationship.

Computer (NTLMv2)
NTLMv2 is an alternative way to authenticate peer computers that have computer accounts in the same domain or in separate domains that have a trust relationship.

Computer certificate from this certification authority (CA)


Use a public key certificate in situations that include external business partner communications or computers that do not run the Kerberos version 5 authentication protocol. This requires that at least one trusted root CA is configured on or accessible through your network and that client computers have an associated computer certificate.

Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.
RSA (default) Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.
ECDSA-P256 Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.
ECDSA-P384 Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type

Specify the type of certificate by identifying the store in which the certificate is located.
Root CA (default) Select this option if the certificate was issued by a root CA and is stored in the local computer's Trusted Root Certification Authorities certificate store.
Intermediate CA Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.

Accept only health certificates


This option restricts the use of computer certificates to those that are marked as health certificates. Health certificates are published by a CA in support of a Network Access Protection (NAP) deployment. NAP lets you define and enforce health policies so that computers that do not comply with network policies, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP MMC snap-in Help. To use this method, you must have a NAP server set up in the domain.

Enable certificate to account mapping


When you enable IPsec certificate-to-account mapping, the Internet Key Exchange (IKE) and Authenticated IP (AuthIP) protocols associate (map) a computer certificate to a computer account in an Active Directory domain or forest, and then retrieve an access token, which includes the list of computer security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active computer account in the domain, and that the certificate is one that should be used by that computer. Certificate-to-account mapping can only be used for computer accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to computers that are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted computer is being allowed IPsec access. Certificate-to-account mapping is especially useful if the certificates come from a public key infrastructure (PKI) that is not integrated with your Active Directory Domain Services (AD DS) deployment, such as if business partners obtain their certificates from non-Microsoft providers. You can configure the IPsec policy authentication method to map certificates to a domain computer account for a specific root CA. You can also map all certificates from an issuing CA to one computer account. This allows IKE certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA. If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.

Preshared key (not recommended)



You can use preshared keys for authentication. This is a shared, secret key that is previously agreed on by two users. Both parties must manually configure IPsec to use this preshared key. During security negotiation, information is encrypted by using the shared key before transmission and decrypted by using the same key on the receiving end. If the receiver can decrypt the information, identities are considered to be authenticated.

Caution
Preshared key methodology is provided for interoperability purposes and to adhere to IPsec standards. You should use the preshared key for testing purposes only. Regular use of preshared key authentication is not recommended because the authentication key is stored in an unprotected state in the IPsec policy. If a preshared key is used for the main mode authentication, second authentication cannot be used.

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit Second Authentication Method


Use these settings to specify the way in which the user account on the peer computer is authenticated. You can also specify that the computer must have a computer health certificate. The second authentication method is performed by Authenticated IP (AuthIP) in an extended mode of the main mode phase of Internet Protocol security (IPsec) negotiations. You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify. The first successful method is used. For more information about the authentication methods available in this dialog box, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

To get to this dialog box

When modifying the system-wide default settings:
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.
2. Click the IPsec Settings tab, and then under IPsec defaults, click Customize.
3. Under Authentication Method, select Advanced, and then click Customize.
4. Under Second authentication, select a method, and then click Edit or Add.


When creating a new connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, right-click Connection Security Rules, and then click New Rule.
2. On the Rule Type page, select any type except Authentication exemption.
3. On the Authentication Method page, select Advanced, and then click Customize.
4. Under Second authentication, select a method, and then click Edit or Add.

When modifying an existing connection security rule:
1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Connection Security Rules.
2. Double-click the connection security rule that you want to modify.
3. Click the Authentication tab.
4. Under Method, click Advanced, and then click Customize.
5. Under Second authentication, select a method, and then click Edit or Add.

User (Kerberos V5)
You can use this method to authenticate a user logged on to a remote computer that is part of the same domain or in separate domains that have a trust relationship. The logged-on user must have a domain account and the computer must be joined to a domain in the same forest.

User (NTLMv2)
NTLMv2 is an alternative way to authenticate a user logged on to a remote computer that is part of the same domain or in a domain that has a trust relationship to the domain of the local computer. The user account and the computer must be joined to domains that are part of the same forest.

User certificate
Use a public key certificate in situations that include external business partner communications or computers that do not run the Kerberos version 5 authentication protocol. This requires that at least one trusted root certification authority (CA) is configured on or accessible through your network and that client computers have an associated computer certificate. This method is useful when the users are not in the same domain or are in separate domains without a two-way trust relationship, and Kerberos version 5 cannot be used.

Signing algorithm

Specify the signing algorithm used to cryptographically secure the certificate.
RSA (default) Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.
ECDSA-P256 Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.
ECDSA-P384 Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type


Specify the type of certificate by identifying the store in which the certificate is located.
Root CA (default) Select this option if the certificate was issued by a root CA and is stored in the local computer's Trusted Root Certification Authorities certificate store.
Intermediate CA Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.

Enable certificate to account mapping


When you enable IPsec certificate-to-account mapping, the Internet Key Exchange (IKE) and AuthIP protocols associate (map) a user certificate to a user account in an Active Directory domain or forest, and then retrieve an access token, which includes the list of user security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active user account in the domain, and that the certificate is one that should be used by that user. Certificate-to-account mapping can only be used for user accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to users who are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted user is being allowed IPsec access. Certificate-to-account mapping is especially useful if the certificates come from a public key infrastructure (PKI) that is not integrated with your Active Directory Domain Services (AD DS) deployment, such as if business partners obtain their certificates from non-Microsoft providers. You can configure the IPsec policy authentication method to map certificates to a domain user account for a specific root CA. You can also map all certificates from an issuing CA to one user account. This allows certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA. If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.

Computer health certificate


Use this option to specify that only a computer that presents a certificate from the specified CA and that is marked as a Network Access Protection (NAP) health certificate can authenticate by using this connection security rule. NAP lets you define and enforce health policies so that computers that do not comply with network policies, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. For more information, see the NAP MMC snap-in Help. To use this method, you must have a NAP server set up in the domain.

Signing algorithm
Specify the signing algorithm used to cryptographically secure the certificate.
RSA (default) Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.
ECDSA-P256 Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.
ECDSA-P384 Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type


Specify the type of certificate by identifying the store in which the certificate is located.
Root CA (default) Select this option if the certificate was issued by a root CA and is stored in the local computer's Trusted Root Certification Authorities certificate store.
Intermediate CA Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.

Enable certificate to account mapping


When you enable IPsec certificate-to-account mapping, the IKE and AuthIP protocols associate (map) a certificate to a user or computer account in an Active Directory domain or forest, and then retrieve an access token, which includes the list of security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active computer or user account in the domain, and that the certificate is one that should be used by that account. Certificate-to-account mapping can only be used for accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to accounts that are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted account is being allowed IPsec access. Certificate-to-account mapping is especially useful if the certificates come from a PKI that is not integrated with your AD DS deployment, such as if business partners obtain their certificates from non-Microsoft certificate providers. You can configure the IPsec policy authentication method to map certificates to a domain account for a specific root CA. You can also map all certificates from an issuing CA to one computer or user account. This allows IKE certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA. If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.
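The same first and second authentication choices that the two dialogs above expose, written as netsh advfirewall connection security rules; this is an added example, not part of the original help page. The CA distinguished names, subnets and rule names are placeholders, and option spellings should be checked against "netsh advfirewall consec add rule ?" on your build.

```batch
:: Added example (not from the original help page): the First and Second
:: Authentication Method dialog settings as netsh advfirewall consec rules.
:: CA names, subnets and rule names are placeholders.

:: Weak variant, lab use only: a preshared key as the main mode method. The key
:: sits unprotected in the IPsec policy, and no second authentication method
:: can be combined with it.
netsh advfirewall consec add rule name="Lab PSK (test only)" ^
    endpoint1=192.0.2.0/24 endpoint2=192.0.2.0/24 ^
    action=requestinrequestout ^
    auth1=computerpsk auth1psk="PLACEHOLDER-lab-key"

:: Recommended variant for domain members: Computer (Kerberos V5) first, with a
:: computer certificate from the internal root CA (RSA, Root CA store,
:: certificate-to-account mapping on) as the fallback, then User (Kerberos V5)
:: as the second, extended mode method. Inbound traffic must authenticate;
:: outbound traffic requests authentication.
netsh advfirewall consec add rule name="Domain: Kerberos, certificate fallback" ^
    endpoint1=any endpoint2=any profile=domain ^
    action=requireinrequestout ^
    auth1=computerkerb,computercert ^
    auth1ca="CN=Contoso Root CA,O=Contoso,C=US certmapping:yes catype:root healthcert:no" ^
    auth2=userkerb

:: Partner variant where Kerberos is unavailable: computer certificate first,
:: user certificate (ECDSA-P256 signed) second, both from the partner root CA.
:: Mapping stays off because those accounts are not in our forest.
netsh advfirewall consec add rule name="Partner: certificates only" ^
    endpoint1=any endpoint2=198.51.100.0/24 ^
    action=requireinrequireout ^
    auth1=computercert ^
    auth1ca="CN=Partner Root CA,O=Partner,C=US certmapping:no catype:root healthcert:no" ^
    auth2=usercertecdsap256 ^
    auth2ecdsap256ca="CN=Partner Root CA,O=Partner,C=US certmapping:no catype:root"

:: Review what was stored, including the recorded authentication sets.
netsh advfirewall consec show rule name=all verbose
```

Run from an elevated command prompt; the verbose listing is the quickest way to confirm that the auth1 and auth2 sets match what the dialogs would have produced.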

Additional references

User Interface: Windows Firewall with Advanced Security
