First available in Windows XP, the Windows Firewall has gone through a few evolutions. But, in this tip, let's review whether its latest incarnation, the Windows 7 Firewall, is robust enough today to use as a stand-alone firewall on your workstations. As a midmarket organization, does it provide enough protection and value to your security strategy that you can safely dismiss the third-party application providers?
Windows 7 Firewall settings and profiles
The Windows 7 Firewall today has seen some positive evolutions to its features and capabilities. The basic structure of Windows 7 Firewall consists of three configurable profiles: Work (Domain), Home and Public. Each has its own security settings.
As a consumer, you control which profile is 'active', easily switching between them as needed through the GUI. Small to midsize organizations can go either way: allow individual users to control the 'active' profile or mandate which profile is 'active' through Group Policy.
The Work and Home profiles are considered private, more secure configurations. However, network discovery, which allows network users to see each other's computers, is permitted, along with some common file/print sharing functions, in order to facilitate productivity for the mobile workforce.
While network discovery is permitted in both work and home profiles, the homegroup function, which provides an auto-generated password and allows the sharing of images, documents and other common network resources, is appropriately disabled in the Work profile. Allowing homegroup access on a home network could expose company computers to all services, applications and user permissions extended to member computers of the homegroup. Translation: Viruses, malware and spyware could more easily migrate to company assets and bring those back to the company network.
Domain users take note: If the workstation is a member of an Active Directory domain, the network profile cannot be changed unless you are an administrator on the local machine (and firewall group policies are not used). When managing Windows 7 Firewall settings using group policies on machines in a domain, the centrally managed policy always reigns -- administrator or not; the configuration cannot be changed by the user. While more secure, this fixed profile setting has the potential to frustrate your mobile workforce if the restrictive settings prevent connectivity/productivity on a home network or while on business travel. Granting users admin privileges would solve this, yet doing so contradicts a key principle in securing user devices.
The only other profile available -- public -- is more limiting, shutting down both homegroup and standard network discovery along with potentially blocking outbound application connections to the Internet. This is a welcome touch because, after all, there should be increased vigilance when connecting to untrusted networks. Network access to the Internet readily works, but you'll find it much more difficult to access network and shared resources with other computers that may be on the same network. Combined with many of the predefined rules discussed below, the public profile offers a solid set of protections for Windows machines that will never see a third-party firewall installed.
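The per-profile baseline described above, as an added example that is not part of the original article. It uses netsh advfirewall, the command-line interface that ships with Windows 7; note that netsh names the profiles domainprofile, privateprofile (both Home and Work network locations) and publicprofile. Run from an elevated prompt on a test machine first.

```powershell
# Added example: company baseline for the three Windows 7 Firewall profiles.
# Firewall on for every profile; inbound blocked unless a rule allows it.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Public (untrusted networks): no allow/deny prompts for the user, no remote
# firewall management, no unicast replies to multicast/broadcast probes,
# and log every dropped connection so blocked traffic can be reviewed later.
netsh advfirewall set publicprofile settings inboundusernotification disable
netsh advfirewall set publicprofile settings remotemanagement disable
netsh advfirewall set publicprofile settings unicastresponsetomulticast disable
netsh advfirewall set publicprofile logging droppedconnections enable

# Predefined rule groups, placed where the article says they belong:
# discovery and sharing only on the private (Home/Work) and domain profiles,
# never on public; HomeGroup off on company-owned machines in every profile.
netsh advfirewall firewall set rule group="Network Discovery" profile=public new enable=no
netsh advfirewall firewall set rule group="File and Printer Sharing" profile=public new enable=no
netsh advfirewall firewall set rule group="Network Discovery" profile=private,domain new enable=yes
netsh advfirewall firewall set rule group="HomeGroup" new enable=no

# Show which profile is active right now and the settings it enforces.
netsh advfirewall show currentprofile
```

Some group selectors return "No rules match the specified criteria" on a machine where that group has no rule in the chosen profile; that message is informational, not a failure.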
Creating rules with Windows Firewall
Administrative tools include the standard Windows browser interface with back and forward buttons, the MMC snap-in to manage local and domain policy, and the command line for advanced scripting. The latter two permit the knowledgeable user or administrator to enable/disable well-known predefined in/outbound rules or create their own.
Four basic firewall rule types are possible: port, program, custom or predefined. Port rules allow classic control of standard TCP/UDP connections. Program and custom rules lead you through a wizard for either explicit allow or detailed block conditions. Valuable granular controls in this area include associating rules to services, source/destination, and Windows user and computer objects.
In this sense, the Windows 7 Firewall is the only firewall I know that is "Windows aware" to the extent that rules can extend to authenticated network resources (e.g. users and computers). Take, for example, a finance group using an application called "payroll" to access the Windows IIS PayrollWebServer. Imagine the power of a simple firewall rule that could allow the payroll application to only be run by members of the finance group that in turn can only connect to the PayrollWebServer. A very specific, restrictive and centrally managed rule set can quickly and easily be built by selecting Windows domain objects. Instead of blocking all of the 'bad' behavior, whitelisting only allows the known good (and blocks everything else).
Predefined rules are plentiful and control many of the connections and services commonly attacked or probed on a Windows host: ICMP, Windows Remote Management (RPC and port 80) and peer-to-peer services, to name a few. Whatever its omissions (discussed below), the ability to centrally manage and configure the Windows 7 firewall natively via Group Policy is key. It enables an organization to leverage uniform or specialized firewall configurations not possible with other free-standing firewalls without additional centralized management infrastructure.
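The payroll whitelist from the previous section, written out with netsh advfirewall as an added example (not the article's own code). The server address, the client's path, and the CORP\Finance and CORP\FinanceWorkstations groups are assumptions; the "authorized users/computers" conditions only apply to inbound rules that require IPsec authentication, so the server side also gets a connection security rule.

```powershell
# Added example: restrict the "payroll" application to the finance group and
# the PayrollWebServer using Windows user/computer objects. All names assumed.
$server  = '10.0.5.20'            # assumed address of PayrollWebServer
$payroll = 'C:\Apps\payroll.exe'  # assumed path of the client application

# netsh wants group membership as an SDDL string; resolve the group to its SID.
function Get-GroupSddl([string]$Account) {
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    return "D:(A;;CC;;;$sid)"
}
$financeUsers = Get-GroupSddl 'CORP\Finance'
$financePcs   = Get-GroupSddl 'CORP\FinanceWorkstations'

# Workstation side (domain profile): payroll.exe may talk only to the server on 443.
netsh advfirewall firewall add rule name="Payroll client to PayrollWebServer" dir=out action=allow program="$payroll" remoteip=$server remoteport=443 protocol=TCP profile=domain
# Whitelisting means the profile default must be block-outbound; keep the predefined
# "Core Networking" group enabled so DNS, DHCP and domain logon still work.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall set rule group="Core Networking" new enable=yes

# Server side (IIS host): accept 443 only from authenticated finance users on
# finance workstations. The connection security rule makes the peers prove
# their identity with Kerberos before the firewall evaluates rmtusrgrp/rmtcomputergrp.
netsh advfirewall consec add rule name="Authenticate to payroll site" endpoint1=any endpoint2=any action=requestinrequestout auth1=computerkerb auth2=userkerb
netsh advfirewall firewall add rule name="PayrollWebServer HTTPS (finance only)" dir=in action=allow protocol=TCP localport=443 profile=domain security=authenticate rmtusrgrp="$financeUsers" rmtcomputergrp="$financePcs"

# Verify the resulting rule, including the resolved group SIDs.
netsh advfirewall firewall show rule name="PayrollWebServer HTTPS (finance only)" verbose
```

The same rules can be authored once in the Group Policy MMC snap-in instead of per host; the netsh form is shown because it is scriptable and shows every parameter the wizard hides.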
Limitations of Windows Firewall
Interestingly, the profiles are fixed. That is, work, home or public are it. You can't create any custom profiles and populate them with specialized rules. This could be viewed as a limitation or as a valuable simplification. Anyone who has dug deep into other popular host firewalls knows there is an infinite combination of possible rules and profiles.
Despite comprehensive granular controls that rival other popular host firewalls, building meaningful rules unique to a computing environment is a manual process. Absent from Windows 7 Firewall is a mechanism, often referred to as "learning mode," to detect and automatically build rules for trusted applications and connections. Also unavailable are program installation alerts (deny/allow responses) that warn of potentially malicious program installations, registry modifications or BHO functions -- all methods used in more stealthy and sophisticated attack vectors.
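Since there is no learning mode, the practical substitute is the firewall's own drop log: enable dropped-connection logging, then summarize what was blocked so an administrator can turn the legitimate entries into explicit rules. This is an added example, not code from the article; the log path is the Windows 7 default and the sample lines are constructed.

```powershell
# Added example: summarize DROP entries from pfirewall.log by direction,
# protocol and destination, as candidates for hand-written allow rules.
function Get-FirewallDropSummary {
    param([string[]]$Lines)
    $fields = $null
    $counts = @{}
    foreach ($line in $Lines) {
        # The W3C-style header names the columns; everything else starting with # is metadata.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $v.Count; $i++) { $rec[$fields[$i]] = $v[$i] }
        if ($rec['action'] -ne 'DROP') { continue }
        # path is SEND (outbound) or RECEIVE (inbound); group on what a rule would key on.
        $key = '{0} {1} dst={2}:{3}' -f $rec['path'], $rec['protocol'], $rec['dst-ip'], $rec['dst-port']
        $counts[$key] = 1 + [int]$counts[$key]
    }
    $counts.GetEnumerator() | Sort-Object Value -Descending
}

# Constructed sample in the pfirewall.log format (17 columns per record).
$sample = @(
    '#Version: 1.5',
    '#Software: Microsoft Windows Firewall',
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2010-05-03 09:12:01 DROP TCP 10.0.8.15 10.0.5.20 51022 443 52 S 1231231231 0 8192 - - - SEND',
    '2010-05-03 09:12:04 DROP TCP 10.0.8.15 10.0.5.20 51023 443 52 S 1231231299 0 8192 - - - SEND',
    '2010-05-03 09:12:09 DROP UDP 192.168.1.77 10.0.8.15 137 137 78 - - - - - - - RECEIVE'
)
Get-FirewallDropSummary $sample | Format-Table Name, Value -AutoSize

# On a real host (logging must be enabled per profile, see netsh advfirewall set ... logging):
# Get-FirewallDropSummary (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The two SEND entries to 10.0.5.20:443 are the kind of line that becomes a program rule; the inbound NetBIOS probe on UDP 137 is the kind that should stay blocked.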
Given limited dollars as a midmarket consumer, any application you standardize on must provide business value. Midmarket organizations adopting the Windows 7 platform in an AD domain will have a built-in, standalone firewall capable of protecting against fundamental exploits, and also, at the flip of a switch, have a host firewall that can scale across the enterprise in a centrally managed model without spending another software dime. While not a match for today's mature, multifaceted endpoint protection suites that keep pace with sophisticated attacks, Windows 7 Firewall can be a cost-effective building block for host-based security in a small- to medium-sized business.
About the author:
Gregg Braunton, CISSP, GSEC, C|EH, MCP serves as an Information Security Officer. He possesses fifteen years experience working in the information technology field with expertise in user awareness education, security compliance, forensics and technical and policy based security controls across various technologies and platforms.
This was first published in May 2010