How to…Use a Windows Firewall to Secure Clients
Imagine you are a small-business consultant living in a rural corner of Florida where peer-to-peer networking and cow-farming are still prevalent. You are a stone’s throw from technological hubs like NASA’s Kennedy Space Center, but the surrounding business community has yet to enjoy the trickle-down effect. Welcome to my world: My consulting business is just reaping the benefits of a client-server network and having a high-speed Internet connection.
Due to the availability of the Internet, combined with the use of Small Business Server (SBS) 2003, more and more small businesses are learning to take advantage of the mobility features included in the Windows 2003 operating system (which is the core of SBS). The trend has started to unwire employees from their traditional desktops, supply them with laptops and enable them to work from home, hotel rooms and just about anywhere else.
This has had the great effect of increasing productivity and efficiency for many businesses and has significantly impacted the bottom line. Businesses are requesting mobility, and my staff and I are faced with the challenge of ensuring the security of client operating systems while off the network. Clients expect to be secure on and off the network, and obviously want to spend as little money as possible. Why not use the Windows Firewall included in Windows XP SP2?
The Windows Firewall has replaced the Internet Connection Firewall (ICF) and acts as a host firewall that can drop all unsolicited incoming traffic. The firewall is turned on by default and can be managed locally in the Control Panel/Security Center. In my case, the most efficient way to manage firewall settings in a Windows network environment is by using Group Policies. Not that I don’t trust my clients, but this allows me to centrally manage and configure Windows Firewall settings that can be applied to Windows XP SP2 clients, and the end user will never even know it’s there.
With Windows XP SP2, you now have the option to apply firewall settings to two types of profiles, a domain and a standard profile. (See Figure 1.) Windows XP includes networking components that help determine whether the computer is attached to its own company network controlled by a Domain Controller or connected to another network.
The emerging trend of businesses switching to a wireless environment and an increasingly mobile workforce is reason enough to start the best practice of configuring both the domain and the standard profile. By configuring both profiles, you will be able to gain better control over mobile clients and ensure that the company firewall security policy is in effect in the office, as well as on the road.
Network Determination Behavior
How does a client determine whether it is on the company network or not? When a Windows XP client receives a Group Policy update, the connection-specific DNS suffixes are recorded in the registry. (The connection-specific DNS suffixes are recorded when the client is assigned an IP address and is not PPP- or SLIP-based.) The network determination algorithm then performs an analysis, and if the last received Group Policy update DNS name matches the connection-specific DNS suffixes, it determines that it is attached to the company network and uses the domain profile. If the Group Policy-updated DNS name doesn’t match any of the connection-specific DNS suffixes, it determines that it is attached to another network and uses the standard profile.
Group Policy Settings
Four Group Policy settings determine whether to use the standard or domain profile to specify the behavior and configuration of network services:
- Windows Firewall: Located at Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall, this setting allows you to configure the domain profile or standard profile. The domain profile contains the settings needed when the computer is connected to the company network. There may be settings for traffic exceptions, opening specific ports and allowing specific programs to run that are used by the company like a proprietary accounting application. The standard profile should be configured with more restrictive settings than the domain profile because the user is now connecting to the Internet over a public network (most likely unsecured) and you want the Windows Firewall to block unwanted programs.
- Prohibit Use of Internet Connection Sharing (ICS): Located at Computer Configuration > Administrative Templates > Network > Network Connections, this setting determines if local administrators can enable and configure ICS on an Internet connection. When this setting is enabled, users cannot enable or configure ICS. Leaving this disabled or not configured would allow local administrators to enable ICS.
- Prohibit Use of Internet Connection Firewall (ICF): Located at Computer Configuration > Administrative Templates > Network > Network Connections, this setting determines if local administrators or users can enable or configure ICF. When this setting is not configured or disabled and a LAN or VPN connection is established, local administrators could enable ICF using the Advanced tab in the connection’s Properties box. Enabling this setting prohibits local administrators or users from enabling or configuring ICF.
- Prohibit Installation and Configuration of Network Bridge: Located at Computer Configuration > Administrative Templates > Network > Network Connections, this setting determines if a user can install and configure a network bridge. Using a network bridge, users can create a Layer 2 transparent bridge that joins two or more LAN segments into a single network segment. When this setting is not configured or disabled, local administrators and users can create and modify the network bridge configuration. Enabling this setting stops local administrators and users from enabling and configuring the network bridge. (See Figure 2.)
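To make the network determination behavior and the two-profile split concrete, here is an added model (my own example, not code from the article or from Windows) of how an XP SP2 client picks the domain or standard profile and what each profile then does with an unsolicited inbound connection. The adapters, DNS suffixes and the port number 5555 standing in for the proprietary accounting application are constructed, and the fallback to the standard profile when no Group Policy DNS name has ever been recorded is an assumption.

```python
"""Model of Windows XP SP2 firewall profile selection and the per-profile
unsolicited-inbound decision. Constructed inputs; no registry or GPO read."""
from dataclasses import dataclass, field


@dataclass
class Adapter:
    name: str
    dns_suffix: str                # connection-specific DNS suffix, "" if none
    is_ppp_or_slip: bool = False   # dial-up/VPN links are not recorded/compared


def select_profile(gp_dns_name, adapters):
    """Return "domain" when the DNS name recorded at the last Group Policy
    update matches the connection-specific suffix of a LAN adapter, else
    "standard". Assumption: no recorded name -> standard profile."""
    if not gp_dns_name:
        return "standard"
    wanted = gp_dns_name.strip().lower()        # DNS names compare case-insensitively
    for adapter in adapters:
        if adapter.is_ppp_or_slip:
            continue
        if adapter.dns_suffix.strip().lower() == wanted:
            return "domain"
    return "standard"


@dataclass
class Profile:
    enabled: bool = True
    allow_exceptions: bool = True
    open_tcp_ports: set = field(default_factory=set)


# Constructed policy: the domain profile opens only the accounting app's port
# (5555 is a placeholder); the standard profile allows no exceptions at all.
POLICY = {
    "domain": Profile(open_tcp_ports={5555}),
    "standard": Profile(allow_exceptions=False),
}


def inbound_allowed(profile_name, tcp_port, policy=POLICY):
    """Decide whether an unsolicited inbound TCP connection gets through."""
    profile = policy[profile_name]
    if not profile.enabled:
        return True                 # firewall off: nothing is dropped
    if not profile.allow_exceptions:
        return False                # "don't allow exceptions": drop everything
    return tcp_port in profile.open_tcp_ports
```

The same laptop is therefore open on port 5555 at the office and fully closed in the hotel, even though a VPN link carrying the company suffix does not switch it back to the domain profile.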
When you configure the Windows Firewall with Group Policy, even local administrators will not be able to change some elements in the Windows Firewall component in the Control Panel, because the dialog boxes will be grayed out.
Besides configuring these four Group Policy components, there are also some basic recommendations on how to configure the Windows Firewall settings for the standard profile. For a list of these recommendations, see the bottom of this page. Figure 3 shows the domain profile settings.
There is always a chance that an employee’s laptop may get infected with a virus or worm while at home or on the road. The malicious bug could be brought back to the company network, effectively bypassing the company firewall and then infiltrating the entire company network.
That is why you should enable the standard profile, protecting the client as much as possible while it is off the network. If an infected laptop is brought into the business network, each individual workstation will have its own defense mechanism, provided you configured the domain profile so that clients use the host firewall.
The way I look at it, the proper configuration of the Windows Firewall takes us one step closer to secure computing—on and off the network—regardless of whether you are in an enterprise environment or right next to the cow patch.
Beatrice Mulzer, MCSE, MCT, is the owner of a small consulting firm in Cocoa, Fla., a Microsoft Hands-On-Lab Instructor and the co-author of “Advanced Windows Small Business Server 2003 Best Practices.” She can be reached at