Overview of Windows Firewall with Advanced Security

Updated: January 20, 2009

Applies To: Windows 7, Windows Server 2008 R2

In this topic:

  • What is Windows Firewall with Advanced Security?

  • How does Windows Firewall with Advanced Security work?

  • How firewall rules and connection security rules are related

  • Windows Firewall and IPsec configuration tools

What is Windows Firewall with Advanced Security?

Windows Firewall with Advanced Security combines a host firewall and Internet Protocol security (IPsec). Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.

Important

Windows Firewall with Advanced Security is designed for use by IT administrators who need to manage network security in an enterprise environment. It is not intended for use in home networks. Home users should consider using the Windows Firewall program available in Control Panel instead.

Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all packets for IP version 4 (IPv4) and IP version 6 (IPv6) traffic. In this context, filter means to allow or block network traffic by processing it through administrator-defined rules. By default, incoming traffic is blocked unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can configure Windows Firewall with Advanced Security to explicitly allow traffic by specifying a port number, application name, service name, or other criteria.

Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating, and to require the use of data integrity or data encryption when communicating.

How does Windows Firewall with Advanced Security work?

In Windows Firewall with Advanced Security, two types of rules determine how network traffic is handled:

  • Firewall rules determine which traffic is allowed or blocked.

    When an incoming packet reaches your computer, Windows Firewall with Advanced Security inspects the packet and determines whether it matches the criteria specified in a firewall rule. If a match is found, Windows Firewall with Advanced Security performs the action specified in the rule, either to block the connection or to allow the connection. If the incoming packet does not match the criteria in a rule, Windows Firewall with Advanced Security discards the packet and creates an entry in the firewall log file (if logging is enabled). When configuring a firewall rule, you can select criteria like program names, system service names, TCP or UDP port numbers, local and remote IP addresses, interface type (for example, a wired versus wireless network adapter), users or user groups, computers or computer groups, protocols, ICMP types, and more. The criteria within a rule are added together; the more criteria you add, the more narrowly Windows Firewall with Advanced Security matches incoming traffic. For more information, see Understanding Firewall Rules. For information about how to enable logging, see Dialog Box: Customize Logging Settings for a Firewall Profile.

  • Connection security rules determine the way in which traffic between this computer and other computers is secured.

    You can use connection security rules to configure IPsec settings for specific connections between this computer and other computers. Windows Firewall with Advanced Security uses the rule to evaluate network traffic and then blocks, allows, or protects the network traffic based on the criteria you establish in the rule. If you have configured a setting that requires IPsec protection for a connection (in either direction), and the two computers cannot authenticate each other or otherwise negotiate IPsec security, the connection will be blocked. For more information, see Understanding Connection Security Rules.

Firewall rules and connection security rules, as well as other settings, can be applied to one or more firewall profiles. These profiles are applied to the computer, depending on the types of networks to which the computer is connected. You can configure a profile for when the computer is connected to a domain, a private network, such as a home network, or a public network, such as an Internet kiosk. For more information, see Understanding Firewall Profiles.

Firewall rules and connection security rules are complementary; both contribute to a defense-in-depth strategy to help protect your computer.

Firewall rules allow or block traffic passing through the firewall, but do not specify how or even if the data in that traffic is protected while crossing the network. One of the firewall criteria that can be checked in a rule is whether the network packet is protected by IPsec. The rule does not control the way in which IPsec protects the packet; it simply allows or blocks the packet based on whether the packet is protected by IPsec.

Windows Firewall and IPsec configuration tools

There are several tools you can use to configure Windows Firewall and IPsec settings and options, including the following:

Windows Firewall with Advanced Security MMC snap-in

The Windows Firewall with Advanced Security MMC snap-in enables you to configure both firewall settings and connection security (IPsec) settings in one interface. Windows Firewall with Advanced Security also allows you to monitor the operation of the firewall and IPsec components. The Monitoring item in the Windows Firewall with Advanced Security MMC snap-in displays information about the computer you are currently managing. This item is not present if you are using the snap-in to manage a Group Policy object (GPO). It only appears when you are directly managing a computer. For more information, see Monitoring Windows Firewall with Advanced Security.

Note

The Windows Firewall with Advanced Security MMC snap-in can be used to configure rules and settings for IPsec policies that are to be applied to computers running Windows Vista® or later versions of Windows. To create IPsec policies for computers running Windows Server 2003 or earlier versions of Windows, use the IP Security Policy Management snap-in.

Windows Firewall Control Panel

Windows Firewall Control Panel, which is available for the local computer, configures a limited number of the settings available through the Windows Firewall with Advanced Security MMC snap-in. For more information, see the Windows Firewall Control Panel Help.

IP Security Policy MMC snap-in

The IP Security Policy MMC snap-in can be used to configure IPsec policies that apply to computers running Windows Server 2003 or earlier versions of Windows. Although it can be used to configure IPsec policies that apply to computers running Windows Vista and later versions of Windows, you cannot use it to configure any of the advanced settings available in Windows Firewall with Advanced Security. This MMC snap-in can be useful in mixed Windows environments. For more information, see the IP Security Policy snap-in Help.

IP Security Monitor MMC snap-in

The IP Security Monitor MMC snap-in can be used for monitoring IPsec security associations on Windows Server 2003 and earlier versions of Windows. Although it can be used to monitor IPsec on computers running Windows Vista and later versions of Windows, it does not monitor advanced settings available only in the Windows Firewall with Advanced Security MMC snap-in. The Statistics item displays statistics for the combined activities of policies created with the IP Security Policy snap-in and with the Windows Firewall with Advanced Security snap-in.

Netsh

Netsh is a command-line tool that you can use to configure settings for network components. Windows Firewall with Advanced Security provides the netsh advfirewall context, which you can use to configure Windows Firewall with Advanced Security settings. Using netsh advfirewall, you can create scripts to configure Windows Firewall with Advanced Security settings for both IPv4 and IPv6 traffic. You can also use netsh advfirewall commands to display the configuration and status of Windows Firewall with Advanced Security. For more information, see the Netsh Commands for Windows Firewall with Advanced Security (https://go.microsoft.com/fwlink/?linkid=111237).

You can also configure connection security rules by using the netsh ipsec commands and configure a more limited set of firewall settings by using netsh firewall commands. For more information, see the Netsh Technical Reference (https://go.microsoft.com/fwlink/?linkid=111236).

Group Policy

If your organization uses Active Directory® Domain Service (AD DS), Windows Firewall with Advanced Security provides Group Policy settings that you can use to centrally configure and manage large numbers of computers. These Group Policy settings allow you to configure Windows Firewall with Advanced Security rules and other settings. You can find the Windows Firewall with Advanced Security Group Policy settings in the Group Policy Management Editor by navigating to Computer Configuration/Windows Settings/Security Settings/Windows Firewall with Advanced Security. You can also use the Windows Firewall administrative templates to apply settings available in Windows Server 2003 and earlier versions of Windows.

You can also use Group Policy to configure and distribute IPsec policies created in the IP Security Policies snap-in. For more information, see the IP Security Policy snap-in Help or the Group Policy Help.