Personalizing Windows 8 : Protecting Yourself with Windows Firewall

All these options require administrative privileges. We don’t go into great detail on what the various options mean because we assume you are working to comply with an existing policy.

Caution

If you’re not a professional administrator, it’s best to stay out of this area altogether. You certainly don’t want to guess and hack your way through things just to see what happens. Doing so could alter the Windows Firewall configuration such that it is wrong, causing you not to be able to connect to the Internet at all, or leaving you exposed to outside attacks by hackers.

Open Windows Firewall With Advanced Security

To get to the advanced configuration options for Windows Firewall, first open Windows Firewall from the System And Security item in the Control Panel. Then click the Advanced Settings link in the left pane. The firewall console, shown in Figure 1, opens.

FIGURE 1 Windows Firewall With Advanced Security console

As you can see in the figure, you have three independently configurable profiles to work with:

Domain Profile: This is active when the computer is logged in to a network domain, such as in a corporation or business setting.
Private Profile: This applies to computers within a local, private network.
Public Profile: This protects your computer from the public Internet.

Changing firewall profile properties

Clicking the Windows Firewall Properties link near the bottom of the console (or the Properties item in the Actions pane) takes you to the dialog box shown in Figure 2. Notice that you can use tabs at the top of the dialog box to configure the Domain, Private, and Public settings. The fourth option applies to IPsec (IP Security), commonly used with VPNs (Virtual Private Networks), which are described a little later in this section. By default, Inbound Connections are set to Block and Outbound Connections are set to Allow. You can change either setting by clicking the appropriate button.

FIGURE Windows Firewall advanced properties

Firewall alerts, unicast responses, local administrator control

Each profile tab has a Customize button in its Settings section. Clicking that button provides an option to turn off firewall notifications for that profile. Administrators can also use options on that tab to allow or prevent unicast responses to multicast and broadcast traffic. There’s also an option to merge local administrator rules with rules defined through group policy.

Security logging

Each profile tab also offers a Logging section with a Customize button. Click the Customize button to set a name and location for the log file and a maximum size, and to choose whether you want to log dropped packets, successful connections, or both. You can use that log file to review firewall activity and to troubleshoot connection problems caused by the firewall configuration.

Customizing IPsec settings

The IPsec Settings tab in the firewall properties provides a way to configure IPsec (IP Security). Clicking the Customize button under IPsec Defaults reveals the options shown in Figure 3. The Default settings in each case cause settings to be inherited from a higher-level GPO (Group Policy Object). To override the GPO, choose whichever options you want to apply to the current Windows Firewall instance. When you override the default, you can choose key exchange and data integrity algorithms. You can also fine-tune Kerberos V5 authentication through those settings.

FIGURE 3 Customize IPsec Defaults dialog box

Why Outbound Connections Are Set to Allow

Contrary to some common marketing hype and urban myths, having outbound connections set to Allow by default does not make your computer more susceptible to security threats. Firewalls are really about controlling traffic between trusted and untrusted networks. The Internet is always considered untrusted because it’s open to the public and anything goes. It’s necessary to block inbound connections by default so that you can control exactly what does, and doesn’t, come in from the Internet.

Things that are already inside your computer (or local network) are generally considered “trusted.” That’s because, unlike the Internet, you do have control over what’s inside your own PC or network. Your firewall and anti-malware programs also help to keep bad stuff out. Therefore, you shouldn’t need to block outbound connections by default.

There are exceptions, of course. In a secure setting in which highly sensitive data is confined to secure workstations in a subnet, it certainly makes sense to block outgoing connections by default. That way, you can limit outbound connections to specific hosts, programs, security groups, and so forth. You can also enforce encryption on outbound connections.

Clicking OK or Cancel in the Customize IPsec Defaults dialog box takes you back to the IPsec Settings tab. There you can use the IPsec Exemptions section to exempt ICMP from IPsec, which may help with connection problems caused by ICMP rules.

Note

IPsec is a set of cryptographic protocols for securing communications across untrusted networks. It is commonly associated with tunneling and virtual private networks (VPNs).

That covers the main firewall properties. You can configure plenty more outside the Properties dialog box. Again, most of these go far beyond anything the average home user needs to be concerned with, so we’re being brief here. Advanced users needing more information can find plenty of information in the Help section for the firewall.

Inbound and outbound rules

In the left column of the main Windows Firewall With Advanced Security window shown back in Figure 1, you see Inbound Rules and Outbound Rules links. These provide very granular control over Windows Firewall rules for incoming and outgoing connections. Figure 4 shows a small portion of the possibilities there. Use the scrollbars to see them all.

FIGURE 4 Advanced outbound exceptions control