
Windows Firewall with Advanced Security

You can use Windows Firewall with Advanced Security to help you protect the computers on your network. Windows Firewall with Advanced Security includes a stateful firewall that allows you to determine which network traffic is permitted to pass between your computer and the network. It also includes connection security rules that use Internet Protocol security (IPsec) to protect traffic as it travels across the network.

For more information about Windows Firewall with Advanced Security, see Windows Firewall with Advanced Security Content Roadmap (http://go.microsoft.com/fwlink/?linkid=64342) in the Windows Server TechCenter.

Overview of Windows Firewall with Advanced Security

Understanding Firewall Rules

Understanding Connection Security Rules

Understanding Firewall Profiles

Monitoring Windows Firewall with Advanced Security

Default Settings for Windows Firewall with Advanced Security

Configuring Firewall Rules

Resources for Windows Firewall with Advanced Security

User Interface: Windows Firewall with Advanced Security

Overview of Windows Firewall with Advanced Security

What is Windows Firewall with Advanced Security?

Important: Windows Firewall with Advanced Security is designed for administrators of a managed network to secure network traffic in an enterprise environment. Home users should use the Windows Firewall program in Control Panel instead. To start the Windows Firewall program, click Start, click Control Panel, click System and Security, and then click Windows Firewall. You can access Help for the Windows Firewall program either by pressing the F1 key on the main Windows Firewall page, or by clicking the links found on many of the Windows Firewall dialog boxes.

Page 1 of 115 Windows Firewall with Advanced Security

9/29/2011 file://C:\Users\Malli\AppData\Local\Temp\~hhADBE.htm


Windows Firewall with Advanced Security combines a host firewall and Internet Protocol security (IPsec). Unlike a perimeter firewall, Windows Firewall with Advanced Security runs on each computer running this version of Windows and provides local protection from network attacks that might pass through your perimeter network or originate inside your organization. It also provides computer-to-computer connection security by allowing you to require authentication and data protection for communications.

Windows Firewall with Advanced Security is a stateful firewall that inspects and filters all packets for IP version 4 (IPv4) and IP version 6 (IPv6) traffic. In this context, filter means to allow or block network traffic by processing it through administrator-defined rules. By default, incoming traffic is blocked unless it is a response to a request by the host (solicited traffic) or it is specifically allowed (that is, a firewall rule has been created to allow the traffic). You can configure Windows Firewall with Advanced Security to explicitly allow traffic by specifying a port number, application name, service name, or other criteria.

Windows Firewall with Advanced Security also allows you to request or require that computers authenticate each other before communicating, and to require the use of data integrity or data encryption when communicating.

For more information, see Overview of Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=137800) in the TechNet Library.

Understanding Firewall Rules

You create firewall rules to allow this computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria:

Allow the connection.

Allow a connection only if it is secured through the use of Internet Protocol security (IPsec).

Block the connection.

Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the computers or users, program, service, or port and protocol. You can specify which type of network adapter the rule will be applied to: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when any profile is being used or only when a specified profile is being used.

As your IT environment changes, you might have to change, create, disable, or delete rules.

Important: Windows Firewall with Advanced Security is designed for use by IT administrators who need to manage network security in an enterprise environment. It is not intended for use in home networks. Home users should consider using the Windows Firewall program available in Control Panel instead.


Additional references

Understanding Firewall Rules (http://go.microsoft.com/fwlink/?linkid=137808)

Configuring Firewall Rules

Understanding Connection Security Rules

Connection security involves the authentication of two computers before they begin communications and the securing of information sent between two computers. Windows Firewall with Advanced Security uses Internet Protocol security (IPsec) to achieve connection security by using key exchange, authentication, data integrity, and, optionally, data encryption.

Connection security rules use IPsec to secure traffic while it crosses the network. You use connection security rules to specify that connections between two computers must be authenticated or encrypted. You might still have to create a firewall rule to allow network traffic protected by a connection security rule.

For more information, see Understanding Connection Security Rules (http://go.microsoft.com/fwlink/?linkid=137809) in the TechNet Library.

Note: Unlike firewall rules, which operate unilaterally, connection security rules require that both communicating computers have a policy with connection security rules or another compatible IPsec policy.

Understanding Firewall Profiles

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

Profile | Description
Domain | Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
Private | Applied to a network adapter when it is connected to a network that is identified by the administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. The private profile settings should be more restrictive than the domain profile settings.
Public | Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. A public network is one that has no security devices between the computer and the Internet. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled.

Important: Windows Server 2008 R2 and Windows 7 provide support for multiple active per-network adapter profiles. In Windows Vista and Windows Server 2008, only one profile can be active on the computer at a time. If there are multiple network adapters connected to different networks, then the profile with the most restrictive profile settings is applied to all adapters on the computer. The public profile is considered to be the most restrictive, followed by the private profile; the domain profile is considered to be the least restrictive.

Each network adapter is assigned the firewall profile that matches the detected network type. For example, if a network adapter is connected to a public network, then all traffic going to or from that network is filtered by the firewall rules associated with the public profile.

If you do not alter the settings for a profile, then its default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security for all three profiles.

To configure these profiles, in the Windows Firewall with Advanced Security MMC snap-in, right-click Windows Firewall with Advanced Security, and then click Properties. You can also access the properties from the Action menu, the Action pane, or the center pane, when Windows Firewall with Advanced Security is highlighted.

Additional references

Windows Firewall with Advanced Security Properties Page

Monitoring Windows Firewall with Advanced Security

The Monitoring item in the Windows Firewall with Advanced Security MMC snap-in allows you to monitor the active firewall rules and connection security rules on the computer. Policies created using the IP Security Policy snap-in cannot be viewed using Windows Firewall with Advanced Security.

The overview page shows which profiles are active (domain, private, public) and the current settings for each of the active profiles.

Note: Only rules that apply to the currently active profiles are displayed. A rule for another profile might be enabled, but if the profile to which it is assigned is not active, then neither is the rule.

For more information, see Monitoring Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=137811) in the TechNet Library.
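The profile selection described under Understanding Firewall Profiles (per-adapter profiles on Windows 7 and Windows Server 2008 R2, a single most-restrictive profile on Windows Vista and Windows Server 2008) and the note above that a rule assigned only to inactive profiles is not in effect can be checked with a small model. The following Python is an added example, not code from the Microsoft documentation; the Adapter and Rule classes, the function names and the sample adapters and rules are assumptions made for the illustration.

```python
"""How Windows Firewall with Advanced Security chooses the active profile(s).

Added example, not code from the Microsoft documentation. The class and
function names and the sample data are assumptions made here.
"""
from dataclasses import dataclass, field

# Ordering stated in the documentation: public is the most restrictive,
# then private; domain is the least restrictive.
RESTRICTIVENESS = {"domain": 0, "private": 1, "public": 2}


@dataclass
class Adapter:
    name: str
    network_type: str   # detected network type: "domain", "private" or "public"


@dataclass
class Rule:
    name: str
    enabled: bool = True
    # Profiles the rule is assigned to; an empty set means "all profiles".
    profiles: frozenset = field(default_factory=frozenset)


def active_profiles(adapters, per_adapter_profiles):
    """Map each adapter name to the profile whose settings filter its traffic."""
    if not adapters:
        return {}
    if per_adapter_profiles:
        # Windows 7 / Windows Server 2008 R2: each adapter gets its own profile.
        return {a.name: a.network_type for a in adapters}
    # Windows Vista / Windows Server 2008: one profile for the whole computer,
    # the most restrictive among the networks the adapters are connected to.
    most_restrictive = max((a.network_type for a in adapters),
                           key=RESTRICTIVENESS.__getitem__)
    return {a.name: most_restrictive for a in adapters}


def rules_in_effect(rules, active):
    """Names of the rules that actually filter traffic on at least one adapter.

    An enabled rule whose profiles are all inactive is not in effect, which is
    why the Monitoring node only lists rules for the active profiles.
    """
    active_set = set(active.values())
    return [r.name for r in rules
            if r.enabled and (not r.profiles or r.profiles & active_set)]


# Constructed sample: a domain-joined laptop with a wired and a wireless adapter.
SAMPLE_ADAPTERS = [Adapter("Ethernet", "domain"), Adapter("Wi-Fi", "public")]
SAMPLE_RULES = [
    Rule("Core Networking"),
    Rule("Remote Desktop (domain only)", profiles=frozenset({"domain"})),
    Rule("File sharing (private only)", profiles=frozenset({"private"})),
    Rule("Old rule", enabled=False),
]

if __name__ == "__main__":
    for label, per_adapter in (("Windows 7 / 2008 R2", True), ("Vista / 2008", False)):
        active = active_profiles(SAMPLE_ADAPTERS, per_adapter)
        print(label, active, rules_in_effect(SAMPLE_RULES, active))
```

On the older model the public profile wins for both adapters, so the domain-only Remote Desktop rule stops filtering even on the wired, domain-connected adapter.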


Default Settings for Windows Firewall with Advanced Security

The following tables list the default values for Internet Protocol security (IPsec) settings.

Key exchange

Setting | Value
Key lifetimes | 480 minutes/0 sessions*
Key exchange algorithm | Diffie-Hellman Group 2
Security methods (integrity) | SHA1
Security methods (encryption) | AES-128 (primary)/3-DES (secondary)

*A session limit of zero (0) causes rekeys to be determined only by the Key lifetime (minutes) setting.

Data integrity

Setting | Value
Protocol | ESP (primary)/AH (secondary)
Data integrity | SHA1
Key lifetimes | 60 minutes/100,000 kilobytes (KB)

Data encryption

Setting | Value
Protocol | ESP
Data integrity | SHA1
Data encryption | AES-128 (primary)/3-DES (secondary)
Key lifetimes | 60 minutes/100,000 KB

Authentication method

Computer Kerberos version 5 authentication is the default authentication method.

How default settings work with Group Policy

Policies created using the Windows Firewall with Advanced Security snap-in and distributed with Group Policy are applied in this order:

1. Highest precedence Group Policy object (GPO).

2. Locally defined policy settings.

3. Service defaults, as shown in the tables in this topic.

Additional references

Windows Firewall with Advanced Security

Configuring Firewall Rules

Because Windows Firewall with Advanced Security blocks all incoming unsolicited network traffic by default, you need to configure program, port, or system service rules for programs or services that are acting as servers, listeners, or peers. Program, port, and system service rules are managed on an ongoing basis as your server roles or configurations change. The roles and features that you can install by using Server Manager typically create and enable firewall rules for you when the role or feature is installed. They also remove or disable the rules when the role or feature is removed. A growing number of other, non-Microsoft programs and services also automatically configure Windows Firewall with a set of rules to permit their operation.

Important: Each filtering criterion that you add to a firewall rule adds a further level of restriction. For example, if you do not specify a program or service on the Programs and Services tab, all programs and services will be allowed to connect, if their network traffic matches the other criteria in the rule. Adding more detailed criteria makes the rule progressively more restrictive and less likely to be matched.

For more information, see Configuring Firewall Rules (http://go.microsoft.com/fwlink/?linkid=137813) in the TechNet Library.

Additional references

Windows Firewall with Advanced Security

Understanding Firewall Rules

Resources for Windows Firewall with Advanced Security

For more information about Windows Firewall with Advanced Security, see the following resources on the Microsoft Web site:

Windows Firewall with Advanced Security and IPsec (http://go.microsoft.com/fwlink/?linkid=96525)

Windows Firewall with Advanced Security Deployment Guide (http://go.microsoft.com/fwlink/?linkid=98308)

Server and Domain Isolation (http://go.microsoft.com/fwlink/?linkid=95395)

IPsec (http://go.microsoft.com/fwlink/?linkid=95394)

Windows Firewall (http://go.microsoft.com/fwlink/?linkid=95393)

Windows Firewall Errors and Events for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?linkid=137360)

User Interface: Windows Firewall with Advanced Security

This section describes each of the pages in the user interface for Windows Firewall with Advanced Security.

Windows Firewall with Advanced Security Properties Page

Connection Security Rule Wizard

Connection Security Rule Properties Page

Firewall Rule Wizard

Firewall Rule Properties Page

Monitored Firewall Rules Properties Page

Monitored Connection Security Rules Properties Page

Monitored Main Mode Security Associations

Monitored Quick Mode Security Associations

Dialog Boxes

Windows Firewall with Advanced Security Properties Page


Use this dialog box to configure the basic firewall properties for each of the network profiles. You can also use the IPsec Settings tab to configure the default values for several IPsec configuration options.

To get to this dialog box

In the Windows Firewall with Advanced Security MMC snap-in, perform one of the following steps:

In the navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.

Select the top node in the navigation pane, and then in the center pane, in the Overview section, click Windows Firewall Properties.

Select the top node in the navigation pane, and in the Actions pane, click Properties.

Domain, Private, and Public Profile tabs

You can configure any profile, even one that is not currently being applied. If you do not alter profile settings, their default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security on all three profiles.

You can configure the following settings on each profile tab:

State

State selections determine whether Windows Firewall with Advanced Security uses the profile settings and how the profile handles inbound and outbound network messages.

Firewall state

Select On (recommended) to have Windows Firewall use the settings for this profile to filter network traffic. If you select Off, Windows Firewall will not use any of the firewall rules or connection security rules for this profile.

Important: If you use Group Policy to disable Windows Firewall, or configure Windows Firewall with a rule that allows all inbound network traffic, then Windows Security Center will alert the user that there are security issues that the user should correct. If the user tries to correct the reported problem by clicking Turn on in Windows Security Center, then an error will be displayed because Windows Security Center cannot enable Windows Firewall. This can generate unwanted support calls to your help desk. If you are managing the security of the computers in your organization and do not want Windows Security Center to alert the user about security issues, then you can disable the Windows Security Center by using the Turn on Security Center (Domain PCs only) Group Policy setting found in Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Security Center.

Inbound connections

This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection. You can choose the following behavior for inbound connections:

Selection | Description
Block (default) | Blocks all connections that do not have firewall rules that explicitly allow the connection.
Block all connections | Blocks all connections, regardless of any firewall rules that explicitly allow the connection.
Allow | Allows the connection unless there is a firewall rule that explicitly blocks the connection.

Outbound connections

This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules to block the connection. You can choose the following behavior for outbound connections:

Selection | Description
Block | Blocks all connections that do not have firewall rules that explicitly allow the connection.
Allow (default) | Allows the connection unless there is a firewall rule that explicitly blocks the connection.

Caution: If you set Outbound connections to Block and then deploy the firewall policy by using a Group Policy object (GPO), computers that receive it will not receive subsequent Group Policy updates unless you first create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying the policy.

Protected network connections

Use these settings to specify which network adapters are subject to the configuration of this profile. Click Customize to display the Customize Protected Network Connections for a Firewall Profile dialog box.

Settings

Use these settings to configure notifications, unicast response to multicast or broadcast traffic, and Group Policy rule merging. Click Customize to display the Customize Settings for a Firewall Profile dialog box.

Logging

Use these settings to configure how Windows Firewall with Advanced Security logs events, how big the log file can grow, and where the log file is located. Click Customize to display the Customize Logging Settings for a Firewall Profile dialog box.
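The per-profile behaviour described above (inbound block by default, outbound allow by default, the Block all connections override, solicited traffic passing the stateful firewall) and the rule semantics from Understanding Firewall Rules and Configuring Firewall Rules (three actions, unspecified criteria matching anything, allow-only-if-secure) combine into one decision per connection. The following Python model is an added example, not code from the Microsoft documentation; the class and function names and the SAMPLE_RULES policy are assumptions, and the one rule it applies that the text above does not state, that a matching block rule wins over a matching allow rule, is Windows Firewall's documented rule precedence.

```python
"""Model of how Windows Firewall with Advanced Security decides one connection.

Added example, not code from the Microsoft documentation. Class and
function names and the SAMPLE_RULES policy are assumptions made here.
"""
from dataclasses import dataclass
from typing import Optional

ALLOW, ALLOW_IF_SECURE, BLOCK = "allow", "allow_if_secure", "block"


@dataclass(frozen=True)
class Connection:
    direction: str                  # "in" or "out"
    profile: str                    # profile active on the adapter
    protocol: str                   # "TCP", "UDP", "ICMPv4", ...
    local_port: Optional[int] = None
    program: Optional[str] = None   # path of the local program, if known
    ipsec_protected: bool = False   # secured by a connection security rule
    solicited: bool = False         # reply to a request this host sent


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                     # ALLOW, ALLOW_IF_SECURE or BLOCK
    enabled: bool = True
    # Criteria; None means "any". Each criterion you add narrows the rule,
    # so a rule with no program, port or protocol matches every connection
    # in its direction and profiles.
    protocol: Optional[str] = None
    local_port: Optional[int] = None
    program: Optional[str] = None
    profiles: Optional[frozenset] = None   # None: applies to all profiles

    def matches(self, c: Connection) -> bool:
        if not self.enabled or self.direction != c.direction:
            return False
        if self.profiles is not None and c.profile not in self.profiles:
            return False
        for wanted, actual in ((self.protocol, c.protocol),
                               (self.local_port, c.local_port),
                               (self.program, c.program)):
            if wanted is not None and wanted != actual:
                return False
        # "Allow only if secure" matches IPsec-protected traffic only;
        # unprotected traffic falls through to the profile default.
        return self.action != ALLOW_IF_SECURE or c.ipsec_protected


@dataclass
class ProfileSettings:
    firewall_on: bool = True
    inbound: str = "block"          # "block" (default), "block_all" or "allow"
    outbound: str = "allow"         # "allow" (default) or "block"


def decide(c: Connection, rules, settings: ProfileSettings) -> str:
    """Return ALLOW or BLOCK for one connection under one profile's settings."""
    if not settings.firewall_on:
        return ALLOW                # Off: no rules are applied for this profile
    # The stateful firewall lets replies to the host's own requests back in.
    if c.direction == "in" and c.solicited:
        return ALLOW
    default = settings.inbound if c.direction == "in" else settings.outbound
    if default == "block_all":
        return BLOCK                # even explicit allow rules are ignored
    matched = [r for r in rules if r.matches(c)]
    # Block rules take precedence over allow rules in Windows Firewall.
    if any(r.action == BLOCK for r in matched):
        return BLOCK
    if matched:
        return ALLOW                # an allow or allow-if-secure rule matched
    return ALLOW if default == "allow" else BLOCK


# Constructed sample policy (hypothetical rule names and program path).
SAMPLE_RULES = [
    Rule("Remote Desktop (TCP-In)", "in", ALLOW, protocol="TCP",
         local_port=3389, profiles=frozenset({"domain"})),
    Rule("Internal service (secure only)", "in", ALLOW_IF_SECURE,
         protocol="TCP", local_port=8443),
    Rule("Block legacy tool (Out)", "out", BLOCK,
         program=r"C:\Tools\legacy.exe"),
]

if __name__ == "__main__":
    domain = ProfileSettings()
    for c in (Connection("in", "domain", "TCP", local_port=3389),
              Connection("in", "public", "TCP", local_port=3389),
              Connection("in", "domain", "TCP", local_port=8443),
              Connection("in", "domain", "TCP", local_port=8443, ipsec_protected=True),
              Connection("out", "domain", "TCP", program=r"C:\Tools\legacy.exe")):
        print(c.direction, c.profile, c.local_port, c.program, "->",
              decide(c, SAMPLE_RULES, domain))
```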


IPsec Settings tab

Use this tab to configure the IPsec default and system-wide settings.

IPsec defaults

Use these settings to configure the key exchange, data protection, and authentication methods used by IPsec to help protect network traffic. Click Customize to display the Customize IPsec Settings dialog box.

IPsec exemptions

Use this option to determine whether network traffic containing Internet Control Message Protocol (ICMP) messages is protected by IPsec.

ICMP is commonly used by network troubleshooting tools and procedures. Many network administrators exempt ICMP packets from IPsec protection to ensure that these messages are not blocked.

Important: This setting exempts ICMP from the IPsec portion of Windows Firewall with Advanced Security only. To ensure that ICMP packets are allowed through Windows Firewall, you must create and enable an inbound rule.

Note: If you enable file and printer sharing in the Network and Sharing Center, Windows Firewall with Advanced Security automatically enables firewall rules that allow commonly used ICMP packet types. However, this will also enable network features that are not related to ICMP. If you want to enable ICMP only, then create and enable a rule in Windows Firewall to allow inbound ICMP network packets.

IPsec tunnel authorization

Use this option when you have a connection security rule that creates an IPsec tunnel mode connection from a remote computer to the local computer, and you want to specify the users and computers that are permitted or denied access to the local computer through the tunnel. Select Advanced, and then click Customize to display the Customize IPsec Tunnel Authorizations dialog box.

The authorizations you specify here are in effect only for those tunnel rules on which the Apply authorization option has been selected on the Customize IPsec Tunneling Settings dialog box.

Connection Security Rule Wizard

This section describes the Connection Security Rule Wizard pages in Windows Firewall with Advanced Security.

Rule Type

Endpoints

Requirements

Authentication Method

Protocols and Ports

Exempt Computers

Tunnel Type

Tunnel Endpoints – Custom Configuration

Tunnel Endpoints – Client-to-Gateway

Tunnel Endpoints – Gateway-to-Client

Profile

Connection Security Rule Wizard: Rule Type Page

You can use the New Connection Security Rule wizard to create Internet Protocol security (IPsec) rules to meet different network security goals. Use this page to select the type of rule that you want to create.

The wizard provides four predefined rule types. You can also create a custom rule.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. The Rule Type page is displayed.

Note: As a best practice, give each connection security rule a unique name so that you can later use the Netsh command-line tool to manage your rules. Do not name a security rule "all" because that name conflicts with the all keyword in the netsh command.

Isolation

An isolation rule restricts connections based on authentication criteria that you define. For example, you can use this rule type to isolate computers that are joined to your domain from computers that are outside your domain, such as computers on the Internet. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Requirements

Authentication Method

Profile

Authentication exemption

Use this option to create a rule that exempts specified computers from being required to authenticate, regardless of other connection security rules. This rule type is typically used to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, that this computer must communicate with before authentication can be performed. It is also used for computers that cannot use the form of authentication you configured for this policy and profile.

If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Exempt Computers

Profile

Note: Although the computers are exempt from authentication, network traffic from them might still be blocked by Windows Firewall unless a firewall rule allows them to connect.

Server-to-server

Use this rule type to authenticate the communications between two specified computers, between two groups of computers, between two subnets, or between a specified computer and a group of computers or a subnet. You might use this rule to authenticate the traffic between a database server and a business-layer computer, or between an infrastructure computer and another server. This rule is similar to the isolation rule type, but the Endpoints page will be displayed so that you can identify the computers that are affected by this rule.

If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Endpoints

Requirements

Authentication Method

Profile

Tunnel

Use this rule type to secure communications between two computers by using tunnel mode, instead of transport mode, in IPsec. Tunnel mode embeds the entire network packet in a network packet that is routed between two defined endpoints. For each endpoint, you can specify a single computer that receives and consumes the network traffic sent through the tunnel, or you can specify a gateway computer that connects to a private network onto which the received traffic is routed after the receiving tunnel endpoint extracts it from the tunnel.

If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Tunnel Type

Requirements

Tunnel Endpoints

Authentication Method

Profile

Custom

Use this rule type to create a rule that requires special settings. This option enables all of the wizard pages except those that are used only to create tunnel rules. If you select this rule type, then the following pages in addition to the Name page are enabled in the wizard:

Endpoints

Requirements

Authentication Method

Protocols and Ports

Profile

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Endpoints Page

Use the settings on this wizard page to specify the computers that can participate in connections created by this connection security rule. The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2. If the local computer has an IP address that is included in one of the endpoint definitions, then it can send and receive network packets through this connection to computers that are listed in the other endpoint. An endpoint can be a single computer or a group of computers, defined by an IP address, an IP subnet address, an IP address range, or a predefined set of computers identified by role: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select either Server-to-server or Custom, and then click Next.

Which computers are in Endpoint 1?

Use this section to define the computers that are part of Endpoint 1 and can use this rule to communicate with the computers that are part of Endpoint 2.

Any IP address

Select this option to specify that Endpoint 1 consists of any computer that needs to communicate with a computer in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.

These IP addresses

Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Addresses dialog box to create or modify your entries.

Customize the interface types to which this rule applies

Click Customize to display the Customize Interface Types dialog box to select the network adapter types to which this rule applies. The default is to apply this rule to all network adapters of any type.

Which computers are in Endpoint 2?

Use this section to define the computers that are part of Endpoint 2 and can use this rule to communicate with the computers that are part of Endpoint 1.

Any IP address

Select this option to specify that Endpoint 2 consists of any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and is subject to its authentication requirements.

These IP addresses

Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Addresses dialog box to create or modify your entries.

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are in Endpoint 1 or Endpoint 2, click the Computers tab. To change the interface types to which this rule applies, click the Advanced tab, and then under Interface types, click Customize.

Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Requirements Page

Use the settings on this wizard page to specify how authentication is applied to inbound and outbound connections that match this connection security rule. If you request authentication, then the connection is allowed even if authentication fails. If you require authentication, then the connection is dropped if authentication fails.

Use the Authentication Method page of the wizard to configure the credentials used for authentication.

Some of the following options appear only when you are configuring certain rule types.

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection SecurityRules, and then click New Rule.

2. Click Next until you reach the Requirements page.

Request authentication for inbound andoutbound connectionsSelect this option to specify that all inbound and outbound traffic is authenticated if possible, but that the

To get to this wizard page

Page 15 of 115Windows Firewall with Advanced Security

9/29/2011file://C:\Users\Malli\AppData\Local\Temp\~hhADBE.htm

Page 16: Windows Security With Advanced Security

connection is allowed if authentication fails. This option is typically used in either a low-securityenvironment or an environment with computers that must be able to connect, but cannot perform thetypes of authentication available with Windows Firewall with Advanced Security. In a server anddomain isolation environment, this option is typically used for computers that are in the boundary zone.

Require authentication for inbound connectionsand request authentication for outboundconnectionsSelect this option to require that all inbound traffic is authenticated. If inbound traffic failsauthentication, then the connection is blocked. Outbound traffic is authenticated if possible, but thetraffic is allowed if authentication fails. This option is used most in IT environments in which thecomputers that must be able to connect can perform the types of authentication available with WindowsFirewall with Advanced Security. In a server and domain isolation environment, this option is typicallyused for client computers that are part of the main isolation zone in the domain.

Require authentication for inbound andoutbound connectionsUse this option to require that all inbound and outbound traffic is authenticated. If any network trafficfails authentication, then it is blocked. This option is typically used in higher-security IT environmentswhere traffic flow must be secured and controlled and where the computers that must be able to connectcan perform the types of authentication available with Windows Firewall with Advanced Security. In aserver and domain isolation environment, this option is typically used for servers in the main isolationzone in the domain.

Require authentication for inbound connections.Do not establish tunnels for outboundconnectionsUse this option when creating a tunnel mode rule on a computer that serves as a tunnel endpoint forremote clients, to specify that the tunnel only applies to inbound network traffic from the clients. Theserver can make outbound connections that are not affected by this rule.

Do not authenticateUse this option to create an authentication exemption rule for connections to computers that do not

NoteThis option appears only when you select Tunnel on the Rule Type page and either Customconfiguration or Gateway-to-client on the Tunnel Type page.

Page 16 of 115Windows Firewall with Advanced Security

9/29/2011file://C:\Users\Malli\AppData\Local\Temp\~hhADBE.htm

Page 17: Windows Security With Advanced Security

require Internet Protocol security (IPsec) protection.

How to change these settingsAfter you create the connection security rule, you can change these settings in the Connection SecurityRule Properties dialog box. This dialog box opens when you double-click a rule in ConnectionSecurity Rules. To change the authentication requirements for this rule, click the Authentication tab.
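The four Requirements page choices map directly onto the action= keyword of netsh advfirewall consec, which is the command-line equivalent of this wizard. The following script is an added example, not part of this help text: it creates one rule per isolation zone and then checks what was stored and whether security associations actually formed. The rule names and the 10.0.0.0/8 server subnet are assumptions for illustration; run it from an elevated PowerShell prompt on Windows 7 or Windows Server 2008 R2 or later.

```powershell
# Added example (not from the Windows help text). Creates connection security
# rules whose Requirements page choice is expressed as netsh action= values:
#   Request in / request out   -> requestinrequestout
#   Require in / request out   -> requireinrequestout
#   Require in / require out   -> requireinrequireout
#   Do not authenticate        -> noauthentication
# Rule names and the 10.0.0.0/8 subnet are assumptions. Run elevated.

function New-ConsecRule {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)]
        [ValidateSet('requestinrequestout','requireinrequestout','requireinrequireout','noauthentication')]
        [string] $Action,
        [string] $Endpoint1 = 'any',
        [string] $Endpoint2 = 'any',
        [string] $Auth1     = 'computerkerb'   # Computer (Kerberos V5); see the Authentication Method page
    )
    $netshArgs = @('advfirewall', 'consec', 'add', 'rule',
                   "name=$Name", "endpoint1=$Endpoint1", "endpoint2=$Endpoint2",
                   "action=$Action")
    # An authentication exemption carries no authentication method.
    if ($Action -ne 'noauthentication') { $netshArgs += "auth1=$Auth1" }
    & netsh @netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for rule '$Name' (exit code $LASTEXITCODE)" }
}

# Boundary zone: authenticate when the peer can, otherwise fall back to clear text.
New-ConsecRule -Name 'Boundary zone - request in, request out' -Action requestinrequestout

# Main isolation zone, client role: nothing unauthenticated may come in; outbound may fall back.
New-ConsecRule -Name 'Isolation clients - require in, request out' -Action requireinrequestout

# Main isolation zone, server role: every connection in either direction must authenticate.
New-ConsecRule -Name 'Isolation servers - require in, require out' -Action requireinrequireout -Endpoint2 '10.0.0.0/8'

# Verify what was stored, then, after some traffic has flowed, whether main
# mode SAs formed. Under a "request" rule a peer that silently fell back to
# clear text shows up as traffic with no corresponding SA.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
```

The function wraps netsh so that a non-zero exit code raises instead of being lost in a script; the two show commands are the check a practitioner runs after applying a rule, since a rule that is stored but never negotiates an SA protects nothing.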

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: Authentication Method Page
Use these settings to configure the type of authentication used by this connection security rule.

For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. Click Next until you reach the Authentication Method page.

Note
Not all of the authentication methods listed here are available for all connection security rule types. The authentication methods available for the rule type are displayed on the Authentication Method page of the New Connection Security Rule Wizard and on the Authentication tab on the Connection Security Rule Properties page.

Default
This option is available only when you specify an Isolation or Custom rule type.

Select this option to use the authentication method currently displayed on the Windows Firewall with Advanced Security Properties dialog box, on the IPsec Settings tab, under Authentication Method.

Note
This option appears when you select Custom on the Rule Type page or when you select Tunnel on the Rule Type page, and then select either Custom or Client-to-gateway on the Tunnel Type page.

For more information about customizing the default options, see Dialog Box: Customize IPsec Settings.

Computer and user (Kerberos V5)
This option is available only when you specify an Isolation or Custom rule type.

Select this option to use both computer and user authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) for first authentication and User (Kerberos V5) for second authentication, and then clearing both First authentication is optional and Second authentication is optional.

Computer (Kerberos V5)
This option is available only when you specify an Isolation or Custom rule type.

Select this option to use computer authentication with the Kerberos version 5 protocol. It is equivalent to selecting Advanced, adding Computer (Kerberos V5) for first authentication, and then selecting Second authentication is optional.

Computer certificate
This option is available only when you specify a Server-to-server or Tunnel rule type.

Select this option to use computer authentication based on a computer certificate. It is equivalent to selecting Advanced, adding Computer certificate for first authentication, and then selecting Second authentication is optional. Both peers must trust the CA you specify here, and each must hold a computer certificate that chains to it.

Signing algorithm

Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)

Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256

Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.

ECDSA-P384

Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type

Specify the type of certificate by identifying the store in which the certificate is located.

Root CA (default)

Select this option if the certificate was issued by a root certification authority (CA) and is stored in the local computer's Trusted Root Certification Authorities certificate store.

Intermediate CA

Select this option if the certificate was issued by an intermediate CA and is stored in the local computer's Intermediate Certification Authorities certificate store.

Accept only health certificates

This option restricts the use of computer certificates to those that are marked as health certificates. Health certificates are published by a CA in support of a Network Access Protection (NAP) deployment. NAP lets you define and enforce health policies so that computers that do not comply with network requirements, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP MMC snap-in Help. To use this option, you must have a NAP server set up in the domain.

Advanced
This option is available when you specify any rule type.

Select this option to configure any available authentication method. You must then click Customize and specify a list of methods for both first authentication and second authentication. For more information, see Dialog Box: Customize Advanced Authentication Methods, Dialog Box: Add or Edit First Authentication Method, and Dialog Box: Add or Edit Second Authentication Method.

How to change these settings
After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the authentication methods used by this rule, select the Authentication tab.
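Each shortcut on this page is a fixed combination of a first and, optionally, a second authentication method. The following netsh commands are an added example, not part of this help text, showing the same combinations expressed as auth1= and auth2= values; the rule names, endpoint addresses and the CA distinguished name are assumptions, and the DN must be replaced with the subject of the issuing CA as it appears in the local Trusted Root Certification Authorities store.

```powershell
# Added example (not from the Windows help text): the wizard's shortcut
# choices as netsh auth1=/auth2= values. Names, addresses and the CA DN are
# assumptions. Run from an elevated prompt.

# "Computer and user (Kerberos V5)": first authentication = computer Kerberos,
# second authentication = user Kerberos, neither optional.
netsh advfirewall consec add rule name="Isolation - computer and user Kerberos" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb auth2=userkerb

# "Computer (Kerberos V5)": first authentication only. Leaving out auth2 is the
# same as selecting "Second authentication is optional" with no method listed.
netsh advfirewall consec add rule name="Isolation - computer Kerberos" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb

# "Computer certificate" with the RSA signing algorithm and a root CA. The DN
# is assumed; it must match the issuing CA's subject. For the ECDSA-P256 and
# ECDSA-P384 choices use computercertecdsap256 / computercertecdsap384 instead.
netsh advfirewall consec add rule name="Server to server - RSA certificate" `
    endpoint1=10.0.10.5 endpoint2=10.0.10.6 action=requireinrequireout `
    auth1=computercert auth1ca="DC=com,DC=contoso,CN=Contoso Root CA"

# Review the stored rules: the Auth1 / Auth2 lines are the method lists the
# wizard shows on the Authentication tab.
netsh advfirewall consec show rule name=all verbose
```

Kerberos rules only work between domain-joined peers that can reach a domain controller, and certificate rules only work where both sides hold a certificate chaining to the named CA; if either precondition fails, a "require" rule blocks the connection rather than degrading to clear text.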

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: Protocols and Ports Page

Use this wizard page to specify which protocol and which port or ports specified in a network packet match this connection security rule. Only network traffic that matches the criteria on this page and the Endpoints page matches the rule and is subject to its authentication requirements.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select Custom.

3. In Steps, click Protocol and Ports.

Protocol type
Select the protocol whose network traffic you want protected by this connection security rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number.

If you choose TCP or UDP from the list, then you can type the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

Protocol number
When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for protocol type, then you must type the protocol identification number in Protocol number.

Endpoint 1 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 1. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Endpoint 2 port
This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 2. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Notes
If the Do not authenticate option on the Requirements page has been selected for this rule, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown:
80, 445, 5000-5010

How to change these settings
After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the protocols and port numbers, click the Protocols and Ports tab.
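A port list typed on this page (for example 80, 445, 5000-5010) is a comma-separated list of single ports and low-high ranges. The script below is an added example, not part of this help text: it validates a list in that syntax before passing it to netsh, then creates a Custom rule that protects only SMB and a service port range on TCP. The rule name and the 10.0.20.0/24 subnet are assumptions.

```powershell
# Added example (not from the Windows help text). Validates a port list in the
# wizard's "80, 445, 5000-5010" syntax and uses it in a Custom connection
# security rule. Rule name and subnet are assumptions. Run elevated.

function ConvertTo-NetshPortList {
    param([Parameter(Mandatory=$true)] [string] $PortSpec)
    $items = @()
    foreach ($raw in ($PortSpec -split ',')) {
        $item = $raw.Trim()
        if ($item -match '^(\d{1,5})$') {
            # Single port: must be 1..65535.
            $port = [int]$Matches[1]
            if ($port -lt 1 -or $port -gt 65535) { throw "Port out of range: $item" }
            $items += "$port"
        }
        elseif ($item -match '^(\d{1,5})-(\d{1,5})$') {
            # Low-high range: both in 1..65535 and low <= high.
            $low = [int]$Matches[1]; $high = [int]$Matches[2]
            if ($low -lt 1 -or $high -gt 65535 -or $low -gt $high) { throw "Invalid range: $item" }
            $items += "$low-$high"
        }
        else {
            throw "Not a port number or low-high range: '$item'"
        }
    }
    # netsh expects the list without spaces.
    return ($items -join ',')
}

# Endpoint 1 (this side): SMB plus a service range. Endpoint 2 (the peer):
# any port, because clients connect from ephemeral ports.
$port1 = ConvertTo-NetshPortList '445, 5000-5010'    # -> "445,5000-5010"

netsh advfirewall consec add rule name="Custom - protect SMB and 5000-5010" `
    endpoint1=10.0.20.0/24 endpoint2=any protocol=tcp port1=$port1 port2=any `
    action=requireinrequestout auth1=computerkerb

# Traffic on other ports or protocols between the same computers does not
# match this rule and is neither authenticated nor protected by it.
netsh advfirewall consec show rule name="Custom - protect SMB and 5000-5010"
```

Validating the list first matters because a malformed entry makes netsh reject the whole rule, and a range typed with the values reversed would otherwise silently match nothing.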

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: Exempt Computers Page
Use this wizard page to exempt computers or computer groups from being required to authenticate, regardless of other connection security rules. This rule type is commonly used to grant access to infrastructure computers that this computer must communicate with before authentication can be performed. It is also used for other computers that cannot use the form of authentication you configure for this policy and profile.

Infrastructure computers, such as Active Directory domain controllers, certification authorities (CAs), or DHCP servers, might have to be allowed to communicate with this computer before authentication can be performed, because the authentication itself depends on them (Kerberos tickets come from a domain controller, certificate status from a CA, and an address from DHCP).

To create an authentication exemption rule, you only need to specify the computers or a group or range of IP addresses (computers) and give the rule a name and, optionally, a description.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select Authentication Exemption.

3. In Steps, click Exempt Computers.

Exempt Computers
On this wizard page, you add one or more computers or computer groups to the list to exempt them from authentication requirements. Click Add to specify computers by Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address, subnet, IP address range, or by using one of the predefined IP addresses: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.

When you click Add or Edit, the IP Address dialog box is displayed.

Traffic to and from an exempted computer is neither authenticated nor protected by IPsec, so keep the list to the minimum set of addresses that actually need it.

Note
Although the computers listed on this page are exempt from authentication, they might still be blocked by Windows Firewall unless a firewall rule allows them to connect.

How to change these settings
After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are exempt, click the Computers tab. The setting that indicates that this is an exemption rule appears on the Authentication tab. Authentication mode is set to Do not authenticate.
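The following script is an added example, not part of this help text. It creates the authentication exemption for the infrastructure computers described above, using the predefined keywords where they exist and a literal address for the CA, and then adds the firewall rule that is still needed for unsolicited inbound traffic from those hosts, since the exemption removes only the IPsec requirement. The rule names, the CA address 10.0.1.20, and the choice of ICMP echo as the allowed inbound traffic are assumptions.

```powershell
# Added example (not from the Windows help text). Exempts infrastructure
# hosts from IPsec authentication and pairs the exemption with the firewall
# rule that still has to admit their traffic. Names and 10.0.1.20 are
# assumptions. Run elevated.

# Predefined keywords resolve on each computer from its own configuration
# (DNS servers, DHCP servers, WINS servers, default gateway).
netsh advfirewall consec add rule name="Exempt - DNS, DHCP, WINS, gateway" `
    endpoint1=any endpoint2=dns,dhcp,wins,defaultgateway action=noauthentication

# The CA has no keyword; give its address explicitly (assumed value).
$caAddress = '10.0.1.20'
netsh advfirewall consec add rule name="Exempt - certification authority" `
    endpoint1=any endpoint2=$caAddress action=noauthentication

# The exemption only removes the IPsec requirement. Replies to this computer's
# own outbound requests are already admitted by the stateful firewall, but
# unsolicited inbound traffic from the exempted hosts needs a firewall rule.
# Here: allow ICMPv4 echo requests (type 8) from the CA for reachability checks.
netsh advfirewall firewall add rule name="Allow ping from CA" `
    dir=in action=allow protocol=icmpv4:8,any remoteip=$caAddress

# Check both halves: the exemption (Auth mode: Do not authenticate) and the
# firewall rule that actually admits the traffic.
netsh advfirewall consec show rule name="Exempt - certification authority"
netsh advfirewall firewall show rule name="Allow ping from CA"
```

Listing only what the host must reach before it can authenticate keeps the unprotected surface small; an exemption for localsubnet, by contrast, switches IPsec off for every neighbour on the link.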

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Type Page
IPsec tunnel mode is used primarily for interoperability with routers, gateways, or end systems that do not support Layer Two Tunneling Protocol (L2TP)/Internet Protocol security (IPsec) or Point-to-Point Tunneling Protocol (PPTP) VPN tunneling. IPsec tunnel mode is supported only in gateway-to-gateway tunneling scenarios and for certain server-to-server or server-to-gateway configurations. IPsec tunnel mode is not supported for remote access VPN scenarios. L2TP/IPsec or PPTP should be used for remote access VPN connections. Of the two, prefer L2TP/IPsec: the MS-CHAPv2 authentication that PPTP relies on has been publicly broken.

An IPsec tunnel must be defined at both ends of the connection. At each end, the entries for the local tunnel computer and remote tunnel computer must be swapped (because the local computer at one end of the tunnel is the remote computer at the other end, and vice versa).

Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which L2TP cannot be used. If you are using L2TP for remote communications, no IPsec tunnel configuration is required because the client and server VPN components of this version of Windows create the rules to secure L2TP traffic automatically.

Use this wizard page to configure the type of IPsec tunnel that you want to create. An IPsec tunnel is typically used to connect a private network behind a gateway to either a remote client or a remote gateway with another private network. IPsec tunnel mode protects a data packet by encapsulating the entire data packet inside an IPsec-protected packet and then routing the IPsec-protected packet between the tunnel endpoints. When it arrives at the destination endpoint, the data packet is extracted and then routed to its final destination.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select Tunnel.

3. In Steps, select Tunnel Type.

Custom configuration
Select this option to enable all of the endpoint configuration options on the Tunnel Endpoints – Custom Configuration page. You can specify the IP addresses of the computers that serve as the tunnel endpoints and the computers that are located on private networks behind each tunnel endpoint. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration.

Client-to-gateway
Select this option if you want to create a rule for a client computer that must connect to a remote gateway and the computers behind the gateway on a private network.

When the client sends a network packet to a computer on the remote private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the remote gateway address. The gateway extracts the packet and then routes it on the private network to the destination computer.

If you select this option, then only the public IP address of the gateway computer and the IP addresses of the computers on the private network can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway.

Gateway-to-client
Select this option if you want to create a rule for a gateway computer that is attached to both a private network and a public network from which it receives network traffic from remote clients.

When the client sends a network packet to a computer on the private network, IPsec embeds the data packet inside an IPsec packet that is addressed to the public IP address of this gateway computer. When the gateway computer receives the packet, it extracts the packet and then routes it on the private network to the destination computer.

When a computer on the remote private network needs to reply to the client computer, the data packet is routed to the gateway computer. The gateway computer embeds the data packet inside an IPsec packet that is addressed to the remote client computer, and then routes the IPsec packet over the public network to the remote client computer.

If you select this option, then only the addresses of computers on the private network and the public IP address of the gateway computer can be configured. For more information, see Connection Security Rule Wizard: Tunnel Endpoints Page - Gateway-to-Client.

Exempt IPsec-protected connections
Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule.

Yes

Select this option if the connection is already protected by another connection security rule and you do not want the network packet to go through the IPsec tunnel. Any network traffic that is protected by the Encapsulating Security Payload (ESP) protocol, including ESP Null, is prevented from traversing the tunnel.

No

Select this option if you want all network packets that match the tunnel rule to go through the tunnel even when they are protected by another connection security rule.

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Endpoints Page - Custom Configuration
Use this wizard page to configure the endpoint options for an IPsec tunnel rule.

If you select Custom configuration on the Tunnel Type page, you can configure all of the details of the tunnel on the Tunnel Endpoints page.

The following diagram shows the components that you can configure by using this wizard page.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select Tunnel.

3. In Steps, click Tunnel Type, and then select Custom configuration.

4. Click Next until you reach the Tunnel Endpoints page.

Which computers are in Endpoint 1?
Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

What is the local tunnel endpoint (closest to the computers in Endpoint 1)?
The local tunnel endpoint is the gateway to which a computer in Endpoint 1 sends network packets that are addressed to a computer in Endpoint 2. The local tunnel endpoint accepts a network packet from a computer in Endpoint 1, and then encapsulates it in a new network packet that is addressed and routed to the remote tunnel endpoint. The remote tunnel endpoint extracts the encapsulated original packet, places it on the network connected to the computers in Endpoint 2, and then routes the packet to its final destination.

You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both. To add an address, click Edit, and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important
If you specify Any, then the computer in Endpoint 1 is also the local tunnel endpoint for the connection. The Endpoint 1 computer encapsulates and routes its own network packets to the remote tunnel endpoint, which extracts and routes the data to the destination computer in Endpoint 2.

Note
The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end.

Apply IPsec tunnel authorization

Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps:

To specify users and computers that are authorized or denied permission to send network traffic through the tunnel

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.

2. In Overview, click Windows Firewall Properties.

3. Select the IPsec Settings tab.

4. In IPsec tunnel authorization, click Advanced, and then click Customize.

5. Add users and computers to the lists, as appropriate for your design. For more information, see Dialog Box: Customize IPsec Tunnel Authorization.

What is the remote tunnel endpoint (closest to the computers in Endpoint 2)?
The remote tunnel endpoint is the gateway to which the local tunnel endpoint sends network packets that are addressed to a computer in Endpoint 2. The remote tunnel endpoint receives a network packet from the local tunnel computer, extracts the encapsulated original packet, and then routes it to the destination computer in Endpoint 2.

You can specify an IPv4 address, an IPv6 address, or both. To add an address, click Edit and provide the information required in the Customize IPsec Tunneling Settings dialog box.

Important
If you specify Any, then the computer in Endpoint 2 that is receiving the data also serves as the remote tunnel endpoint. The Endpoint 2 computer then extracts and processes the original packet.

Which computers are in Endpoint 2?
Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

How to change these settings
After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are in Endpoint 1 and Endpoint 2, select the Computers tab. To change the authorization setting or the computers that serve as tunnel endpoints, select the Advanced tab, and then under IPsec tunneling, click Customize.
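A custom-configuration tunnel has four addresses (Endpoint 1, local tunnel endpoint, remote tunnel endpoint, Endpoint 2), and the Tunnel Type page notes that the same tunnel must be defined at both ends with the local and remote entries swapped. The script below is an added example, not part of this help text: it describes a gateway-to-gateway tunnel once and derives the netsh command for each gateway from that single description, so the two sides cannot drift apart. The site addresses, rule name and CA distinguished name are assumptions.

```powershell
# Added example (not from the Windows help text). Builds the netsh command for
# each side of a gateway-to-gateway IPsec tunnel from one description, swapping
# the local/remote entries as the Tunnel Type page requires. Addresses, rule
# name and CA DN are assumptions. Run the resulting command, elevated, on the
# matching gateway.

$tunnel = @{
    SiteA = @{ Gateway = '203.0.113.10';  Network = '10.1.0.0/16' }
    SiteB = @{ Gateway = '198.51.100.20'; Network = '10.2.0.0/16' }
}

function Get-TunnelRuleArgs {
    param(
        [Parameter(Mandatory=$true)] [hashtable] $Local,    # this gateway's side
        [Parameter(Mandatory=$true)] [hashtable] $Remote,   # the other site
        [string] $Name   = 'Site-to-site tunnel',
        [string] $CaName = 'DC=com,DC=contoso,CN=Contoso Root CA'   # assumed CA subject
    )
    # Endpoint 1 and the local tunnel endpoint are always the side the rule is
    # installed on; Endpoint 2 and the remote tunnel endpoint are the far site.
    return @(
        'advfirewall', 'consec', 'add', 'rule', "name=$Name",
        'mode=tunnel',
        "endpoint1=$($Local.Network)",
        "localtunnelendpoint=$($Local.Gateway)",
        "endpoint2=$($Remote.Network)",
        "remotetunnelendpoint=$($Remote.Gateway)",
        'action=requireinrequireout',          # nothing crosses the tunnel unauthenticated
        'auth1=computercert', "auth1ca=$CaName",
        'applyauthz=no'                        # set yes to enforce the IPsec tunnel authorization list
    )
}

$onSiteA = Get-TunnelRuleArgs -Local $tunnel.SiteA -Remote $tunnel.SiteB
$onSiteB = Get-TunnelRuleArgs -Local $tunnel.SiteB -Remote $tunnel.SiteA

# Show both commands side by side; the only differences are the swapped entries.
"Run on the Site A gateway: netsh " + ($onSiteA -join ' ')
"Run on the Site B gateway: netsh " + ($onSiteB -join ' ')

# On the gateway you are logged on to, apply the matching one, for example:
#   & netsh @onSiteA
# Then confirm the tunnel negotiated after the first packet between the sites:
#   netsh advfirewall monitor show qmsa
```

Generating both sides from one record is the simplest guard against the classic mistake of configuring one gateway with the entries un-swapped, which produces a rule that never negotiates.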

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: Tunnel Endpoints Page - Client-to-Gateway
Select Client-to-gateway on the Tunnel Type page if the connection security rule is for a client computer that must communicate with a remote gateway and the computers behind the gateway on a private network. You can use this page to configure the IP address of the remote tunnel endpoint (the gateway) and the computers that are behind the remote tunnel endpoint on a private network.

The following figure shows the components that you can configure by using this wizard page.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select Tunnel.

3. In Steps, click Tunnel Type, and then select Client-to-gateway.

4. Click Next until you reach the Tunnel Endpoints page.

Client
This option is set to My IP address and cannot be changed.

Note
In this scenario, the client computer is serving as the only computer in Endpoint 1 and is also the local tunnel endpoint.

Gateway
The gateway is the computer to which the client sends packets that are addressed to a computer in the remote endpoint. The gateway receives a network packet from the client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 2. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both.

Note
The gateway computer is referred to as the remote tunnel endpoint on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

What are the remote endpoints?
The remote endpoints are the computers at the remote end of the tunnel on the other side of the gateway that must be able to send and receive data from the client. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

Note
The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway.

How to change these settings
After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are accessible behind the remote tunnel endpoint, use the Computers tab and configure the settings for Endpoint 2. To change the remote tunnel endpoint (the gateway), from the Advanced tab, under IPsec Tunneling, click Customize, and then modify the Remote tunnel endpoint.

Additional references Connection Security Rule Wizard

Connection Security Rule Wizard: TunnelEndpoints Page - Gateway-to-ClientSelect Gateway-to-client on the Tunnel Type page if the connection security rule is for a computer thatwill be the local tunnel endpoint (gateway) to the computers on a private network. You can use this pageto configure the IP addresses of the remote clients that can establish a tunnel to this gateway, and thecomputers that are behind the gateway on the private network.

The following figure shows the components that you can configure by using this wizard page.

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection SecurityRules, and then click New Rule.

2. On the Rule Type page, select Tunnel.

Type page.

To get to this wizard page

Page 29 of 115Windows Firewall with Advanced Security

9/29/2011file://C:\Users\Malli\AppData\Local\Temp\~hhADBE.htm

Page 30: Windows Security With Advanced Security

3. In Steps, click Tunnel Type, and then select Gateway-to-client.

4. Click Next until you reach the Tunnel Endpoints page.

What are the local endpoints?

The local endpoints are computers on the private network behind the gateway that must be able to send data to and receive data from the remote client through the tunnel. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Addresses dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

Gateway

The local tunnel endpoint is the computer to which the remote client sends packets that are addressed to a computer in Endpoint 1. The local tunnel computer receives a network packet from the remote client, decapsulates the original packet, and then routes it to the destination computer that is in Endpoint 1. You can specify an Internet Protocol version 4 (IPv4) address, an Internet Protocol version 6 (IPv6) address, or both.

Client

This option is set to Any IP address and cannot be changed. The client computer in this scenario is both the remote tunnel endpoint and the only computer in Endpoint 2.

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the computers that are accessible behind the local tunnel endpoint, use the Computers tab and configure the settings for Endpoint 1. To change the local tunnel endpoint (the gateway), from the Advanced tab, under IPsec Tunneling, click Customize, and then change Local tunnel endpoint.

Note

The local endpoints are referred to as Endpoint 1 on the IPsec Tunneling Settings dialog box, in the Netsh command-line tool, and if you select Custom configuration on the Tunnel Type page.

Note

The IP version of the address at each end of the tunnel must match. For example, if you specify an IPv4 address at one end, then the other end must also have an IPv4 address. You can specify both an IPv4 and an IPv6 address, but if you do so at one end, then you must also do so at the other end. Also, you must specify the same version of IP for both the remote tunnel endpoint (the gateway) and the remote endpoints behind the gateway.
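The gateway-to-client rule described on this page, created with the Netsh command-line tool that the Notes above refer to, as an added example that is not part of the original help content. It assumes an elevated prompt on the gateway; the rule name, the private subnet and the gateway address are constructed placeholders, and the IP-version check implements the second Note above.

```powershell
# Added example, not from the original help file. Creates the gateway-to-client
# tunnel rule from this page with the Netsh command-line tool. Run from an
# elevated prompt on the gateway. The rule name and all addresses are
# constructed placeholders.
$RuleName      = "GatewayToClientTunnel"   # must be unique; never use the name "all"
$PrivateSubnet = "10.10.0.0/24"            # Endpoint 1: computers behind the gateway
$GatewayAddr   = "203.0.113.10"            # local tunnel endpoint (the gateway itself)

# The page's Note: the IP version at each end of the tunnel must match, so refuse
# to create the rule when Endpoint 1 and the gateway use different IP versions.
function Get-IpFamily([string]$Address) {
    $ip = $null
    $first = ($Address -split '[/-]')[0]   # strip a /prefix length or the end of a range
    if (-not [System.Net.IPAddress]::TryParse($first, [ref]$ip)) {
        throw "Not an IP address: $Address"
    }
    return $ip.AddressFamily               # InterNetwork (IPv4) or InterNetworkV6 (IPv6)
}
if ((Get-IpFamily $PrivateSubnet) -ne (Get-IpFamily $GatewayAddr)) {
    throw "Endpoint 1 and the local tunnel endpoint must use the same IP version."
}

# endpoint2 and remotetunnelendpoint are any: the client is both the remote
# tunnel endpoint and the only computer in Endpoint 2, as the page states.
# requireinrequireout is the Netsh spelling of "Require inbound and outbound";
# computerkerb selects computer (Kerberos V5) authentication.
netsh advfirewall consec add rule `
    name="$RuleName" `
    mode=tunnel `
    endpoint1="$PrivateSubnet" `
    endpoint2=any `
    localtunnelendpoint="$GatewayAddr" `
    remotetunnelendpoint=any `
    action=requireinrequireout `
    auth1=computerkerb `
    profile="domain,private"

# Show the stored rule; Netsh reports the local endpoints as Endpoint 1.
netsh advfirewall consec show rule name="$RuleName" verbose
```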


Additional references

Connection Security Rule Wizard

Connection Security Rule Wizard: Profile Page

Use this wizard page to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals.

This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. Click Next until you reach the Profile page.

Domain

The domain profile applies to a network when a domain controller for the local computer’s domain is detected. If you select this box, then the rule applies to network traffic passing through the network adapter connected to this network.

Private

The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.

Public

The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where security cannot be as tightly controlled as it is in an IT environment.

How to change these settings

After you create the connection security rule, you can change these settings in the Connection Security Rule Properties dialog box. This dialog box opens when you double-click a rule in Connection Security Rules. To change the profiles to which the rule applies, select the Advanced tab.

Additional references

Connection Security Rule Wizard

Connection Security Rule Properties Page

This section describes the tabs that appear on the Connection Security Rule Properties page in Windows Firewall with Advanced Security.

General

Computers

Protocols and Ports

Authentication

Advanced

Connection Security Rule Properties Page: General Tab

This tab has general information about the rule, including its name, a description, and whether the rule is enabled.

Name

Each rule must have a unique name. Do not use the name “all” because that name conflicts with the all keyword used by the Netsh command-line tool.

Description

We recommend that you provide a comprehensive description for your connection security rule. Include logical names of affected computers because the rule properties contain IP addresses only.

Enabled

Select this option to activate the rule. If you clear this option, then the rule is disabled, but not deleted.

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Computers Tab

Use the settings on this tab of the Connection Security Rule Properties dialog box to specify the computers that can participate in connections protected by this connection security rule. The connection security rule applies to communications between any computer in Endpoint 1 and any computer in Endpoint 2. If the local computer has an IP address that is included in one of the endpoint definitions, then it can send and receive network packets through this connection to computers that are listed as part of the other endpoint. An endpoint can consist of a single computer or a group of computers, defined by an IP address, an IP subnet address, an IP address range, or a predefined set of computers identified by role: default gateway, WINS servers, DHCP servers, DNS servers, or local subnet. The local subnet is the collection of all computers available to this computer, except for any public IP addresses (interfaces). This includes both local area network (LAN) and wireless addresses.

The following figure shows the components that you can configure by using this tab.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.

2. Right-click the rule you want to modify, and then click Properties.

3. Click the Computers tab.

Endpoint 1

Endpoint 1 is the collection of computers at the local end of the tunnel that must be able to send data to and receive data from the computers that are part of Endpoint 2. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 1 is set to Any IP address. If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 1 consists of the IP addresses of the computers on the private network behind the local tunnel endpoint (the gateway).

Any IP address

Select this option to specify that Endpoint 1 includes any computer that needs to communicate with a computer that is in Endpoint 2. Any network traffic to or from a computer in Endpoint 2 matches this rule and is subject to its authentication requirements.

These IP addresses

Select this option to specify the IP addresses of the computers that make up Endpoint 1. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.

Endpoint 2

Endpoint 2 is the collection of computers at the remote end of the tunnel that must be able to send and receive data from the computers that are part of Endpoint 1. Click Add to add an individual IP address, an IP subnet address, an IP address range, or a predefined set of computers by using the IP Address dialog box. To change an entry in the list, select the item, and then click Edit. To remove an entry, select the item, and then click Remove.

If you created this rule by using the Client-to-Gateway tunnel rule type, then Endpoint 2 consists of the IP addresses of the computers on the private network behind the remote tunnel endpoint (the gateway). If you created this rule by using the Gateway-to-Client tunnel rule type, then Endpoint 2 is set to Any IP address.

Any IP address

Select this option to specify that Endpoint 2 includes any computer that needs to communicate with a computer in Endpoint 1. Any network traffic to or from a computer in Endpoint 1 matches this rule and is subject to its authentication requirements.

These IP addresses

Select this option to specify the IP addresses of the computers that make up Endpoint 2. Click Add or Edit to display the IP Address dialog box where you can create or change your entries.

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Protocols and Ports Tab

Use this tab of the Connection Security Rule Properties dialog box to specify which protocols and ports in a network packet match this connection security rule. Only network traffic that matches the criteria on both this tab and the endpoints on the Computers tab matches the rule and is subject to its authentication requirements.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.

2. Right-click the rule that you want to modify, and then click Properties.

3. Click the Protocols and Ports tab.

Protocol type

Select the protocol whose network traffic will be protected by this connection security rule. If the protocol you want is not in the list, select Custom, and type the protocol number in Protocol number.

If you choose TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

Protocol number

When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.

Endpoint 1 port

This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 1. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Note

If this rule has Do not authenticate on the Authentication tab, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010

Endpoint 2 port

This option is available only if the protocol is set to TCP or UDP. Use this option to specify the port number used by the computer that is part of Endpoint 2. If you select All ports, then all network traffic for the protocol you selected matches this connection security rule. If you select Specific Ports, then you can type the port numbers in the box under the list. Separate port numbers with commas.

Note

If this rule has Do not authenticate on the Authentication tab, then you can type port numbers in a range by separating the low and high values with a hyphen, as shown: 80, 445, 5000-5010

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Authentication Tab

Use this tab of the Connection Security Rule Properties dialog box to specify the authentication requirements and protocols that are used to protect network traffic that matches this rule.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.

2. Right-click the rule that you want to modify, and then click Properties.

3. Click the Authentication tab.

Requirements

Under Authentication mode, select one of the following options to indicate whether authentication of network traffic is required or requested.


Option: Do not authenticate

Select this option to make the rule an authentication exemption rule. Network traffic that matches this rule is not authenticated by Internet Protocol security (IPsec) on this computer. The option is also valid on tunnel mode rules that are created by using the Custom Configuration or Client-to-Gateway options.

Option: Request inbound and outbound

Connections are authenticated if possible, but the connections are allowed if authentication fails.

Option: Require inbound and request outbound

All inbound network connections must be authenticated or they fail. Outbound connections are authenticated if possible, but are allowed if authentication fails.

Option: Require inbound and outbound

Only connections that are authenticated are allowed.

Option: Require inbound and clear outbound

All inbound network connections must be authenticated or they fail. Outbound connections are not authenticated.

Security Note

We recommend that you use this setting only when required on an IPsec gateway that must be able to initiate communications with computers that cannot use IPsec on the Internet.

Method

Use these settings to configure the type of authentication used by this connection security rule.

For more information about the authentication methods, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

If you choose Advanced, then you must click Customize and add the authentication methods by using the Customize Advanced Authentication Methods dialog box.

Additional references

Connection Security Rule Properties Page

Connection Security Rule Properties Page: Advanced Tab

Use the settings on this tab to select the network profile and interface types to which the connection security rule applies. You can also configure an IPsec tunnel between the endpoints.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.

2. Right-click the rule that you want to modify, and then click Properties.

3. Click the Advanced tab.

Profile

Use these options to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals. This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.

Domain

The domain profile applies to a network when a domain controller for the local computer’s domain is detected. If you select this check box, then the rule applies to network traffic passing through the network adapter connected to this network.

Private

The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.

Public

The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.

Interface types

You can use this setting to specify to which interface type this rule applies. You can create rules that apply to certain interface types only. For example, if you specify only the wireless interface type for this rule, then Windows Firewall with Advanced Security will take the action specified by the rule for wireless traffic. The default setting is All interface types.

Click Customize to select either all interface types or specific interface types.

IPsec tunneling

You can use this setting to create a rule that uses IPsec tunnel mode to establish a connection between two tunnel endpoints.

Use Windows Firewall with Advanced Security to perform Layer 3 tunneling for scenarios in which Layer Two Tunneling Protocol (L2TP) cannot be used. If you are using L2TP for remote communications, no tunnel configuration is required because the client and server virtual private network (VPN) components of this version of Windows create the rules to secure L2TP traffic automatically.

To configure the tunnel endpoints, click Customize, and then provide the required information in the Customize IPsec Tunneling Settings dialog box.

Additional references

Connection Security Rule Properties Page

Firewall Rule Wizard

This section describes the pages on the Inbound and Outbound Firewall Rule Wizard in Windows Firewall with Advanced Security.

Rule Type

Program

Protocol and Ports – Port Rule

Protocol and Ports – Custom Rule

Predefined Rules

Scope

Action

Users

Computers

Profile

Firewall Rule Wizard: Rule Type Page

Windows Firewall with Advanced Security provides four basic types of firewall rules. By using one of these firewall rule types, you can create exceptions to explicitly allow or explicitly deny a connection through Windows Firewall. The same wizard and property pages are used to create both inbound and outbound rules. The choice you make on this page determines which pages are displayed by the Firewall Rule Wizard.

You can change the settings for any firewall rule after you create it. To make these changes, right-click the firewall rule in the results pane, and then select Properties.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New Rule.

2. The Rule Type page is displayed.

Program

Use this type of firewall rule to allow a connection based on the program that is trying to connect. This is an easy way to allow connections for Microsoft Outlook or other programs. It is also useful if you are not sure of the port or other settings required to allow access. You only need to specify the path to the program executable (.exe) file.

By default, the program is allowed to accept connections on any port. To restrict a program rule to allow traffic on specified port numbers only, after you create the rule, use the Protocols and Ports tab to change the rule properties.

Port

Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You can specify the protocol (either TCP or UDP) and the local ports. You can specify more than one port number.

By default, any program currently running on the computer can accept network traffic on a port opened with this type of rule. To restrict the open port to a specified program only, after you create the rule, use the Programs and Services tab to change the rule properties.

Predefined

Use this type of firewall rule to allow a connection by selecting one of the programs or services from the list. Most of the well-known services and programs available on computers running this version of Windows appear in this list. Network programs that you install typically add their own entries to this list so that you can enable and disable them as a group.

Custom

Use this type of firewall rule to create a firewall rule that you can configure to allow a connection based on criteria not covered by the other types of firewall rules.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Program Page

Use this wizard page to specify one of the ways in which Windows Firewall with Advanced Security matches network packets. If this and all other criteria are matched, Windows Firewall with Advanced Security will take the action that you specify on the Action page.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

2. On the Rule Type page, select either Program or Custom.

3. Click Next through the wizard until you reach the Program page.

All programs

Use this option to match network packets sent or received by any program running on the local computer.

This program path

Use this option to match network packets going to or from a specified program. You can select the program in one of two ways:

Type the complete path to the program. You can include environment variables, where appropriate.

Click Browse and find the program in the directory.

Important

We recommend that you do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results.

Note

To specify a service by using the wizard, choose the Custom option on the Rule Type page of the wizard.

Note

To specify a service in a firewall rule, use the All programs option, and then select the Programs and Services tab on the Firewall Rule Properties dialog box.

How to change these settings

After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change the program path, use the Programs and Services tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Protocol and Ports Page - Port Rule Type

Use this wizard page to specify which protocol and which port or ports specified in a network packet match this firewall rule. Only network traffic that matches the criteria on this page matches the rule and is subject to its action setting.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

2. On the Rule Type page, select Port.

3. Click Next through the wizard until you reach the Protocol and Ports page.

Does this rule apply to TCP or UDP?

Select the protocol whose network traffic you want to filter with this firewall rule. If you need to filter based on a protocol other than TCP or UDP, then you must use the Custom rule type on the Rule Type page.

Inbound rules: Does this rule apply to all local ports or specific local ports?

All local ports

Use this option to apply the rule to inbound network traffic that matches any local port number.


Specific local ports

Use this option to apply the rule only to inbound network traffic that matches a local port number listed in the text box. You can specify multiple port numbers, separated by commas. You can also include a range of port numbers by separating the low and high values with a hyphen.

Outbound rules: Does this rule apply to all remote ports or specific remote ports?

All remote ports

Use this option to apply the rule to outbound network traffic that matches any destination port number.

Specific remote ports

Use this option to apply the rule only to network traffic that matches a destination port number listed in the text box. You can specify multiple port numbers, separated by commas. You can also include a range of port numbers by separating the low and high values with a hyphen.

How to change these settings

After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change the protocols and port numbers for this rule, select the Protocols and Ports tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Protocol and Ports Page - Custom Rule Type

Use this wizard page to specify which protocols and ports specified in a network packet match this firewall rule.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

2. On the Rule Type page, select either Port or Custom.

3. Click Next through the wizard until you reach the Protocol and Ports page.

Protocol type

Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, select Custom, and then type the protocol number in Protocol number.

If you specify TCP or UDP, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

For a list of the protocols, their protocol numbers, and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (http://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.

Protocol number

When you select a protocol type, the corresponding protocol identification number is automatically displayed in Protocol number and is read-only. If you select Custom for Protocol type, then type the protocol identification number in Protocol number.

Local port

If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied.

The following options are available for inbound rules:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.

RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming remote procedure call (RPC) requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send future network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.

IPHTTPS. Available for TCP only. Available under Local port for inbound rules only. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports embedding Internet Protocol version 6 (IPv6) packets in Internet Protocol version 4 (IPv4) HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets.

Important

Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC Dynamic Ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program.

When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.

Remote port

If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list, or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.

The following options are available for inbound rules:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas, and include ranges by separating the low and high values with a hyphen.

IPHTTPS. Available for TCP only. Available under Remote port for outbound rules only. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

Internet Control Message Protocol (ICMP) Settings

If you want to create a rule that allows or blocks ICMP packets, in the Protocol type list, select ICMPv4 or ICMPv6, and then click Customize. Use the Customize ICMP Settings dialog box to configure the settings.

How to change these settings

After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, use the Protocols and Ports tab.

Additional references

Firewall Rule Wizard

Firewall Rule Wizard: Predefined Rules Page
Use this wizard page to enable or disable rules that are part of a predefined rule group. Predefined rules provide network connectivity for Microsoft Windows programs and services. The rules displayed on this page are determined by the group you select in the list on the Rule Type page.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

2. On the Rule Type page, select Predefined.

3. From the list, select the group that contains the predefined rules that you want to manage, and then click Next.

Which rules would you like to create?
Select each rule that you want to create or, if the rule already exists, enable.

The list on the Predefined Rules wizard page shows the rules in the selected group and the properties of each of the rules. Most of the well-known Windows services and programs available on computers running this version of Windows appear in this list.

By default, when you use this page to configure a Group Policy object (GPO), all of the check boxes for rules in a group are selected. By default, when you use this page to edit the local computer’s active configuration, all of the check boxes for rules in a group are cleared.

If you select a rule where No appears in the Rule Exists column, and then complete the steps in the wizard, the rule is created with the properties shown in the list, and enabled.

If you select a rule where Already exists appears in the Rule Exists column, and then complete the steps in the wizard, the new settings overwrite the existing settings, and the rule is enabled.

Additional references
Firewall Rule Wizard

Firewall Rule Wizard: Scope Page
Use this wizard page to specify the local and remote IP addresses whose network traffic matches this rule. If the local computer is listed in the local IP addresses, then all network traffic going to or from any of the remote IP addresses matches this rule.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

2. On the Rule Type page, select Custom.

3. Click Next through the wizard until you reach the Scope page.

Which local IP addresses does this rule apply to?
The local IP address is used by the local computer to determine if the rule applies. The rule only applies to network traffic that goes through a network adapter that is configured to use one of the specified addresses.

Any IP address

Select this option to specify that the rule matches a network packet with any address specified as the local IP address. The local computer always matches the rule when this option is selected.

These IP addresses

Select this option to specify that the rule matches only network traffic that has one of the specified addresses in the local IP address field. If the local computer does not have a network adapter configured with one of the specified IP addresses, then the rule does not apply. On the IP Address dialog box, click Add to create a new entry in the list, or Edit to change an existing entry in the list.

Customize the interface types to which this rule applies

Click Customize to display the Customize Interface Types dialog box. Use this dialog box to configure which network interface types match the rule. By default, all network interface types are included.

Which remote IP addresses does this rule apply to?
Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.

Any IP address

Select this option to specify that the rule matches network packets that are addressed from (for inbound rules) or addressed to (for outbound rules) any IP address included in the list.

These IP addresses

Select this option to specify that the rule only matches network traffic that has one of the addresses specified in the Remote IP address field. On the IP Address dialog box, click Add to create a new entry in the list, or Edit to modify an existing entry in the list.

How to change these settings
After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, use the Scope tab.

Additional references
Firewall Rule Wizard

Firewall Rule Wizard: Action Page
Use this wizard page when creating a firewall rule to specify the action Windows Firewall with Advanced Security will take for incoming or outgoing packets that match the rule criteria.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click either Inbound Rules or Outbound Rules, and then click New Rule.

2. This page is available on all rule types. Click Next through the wizard until you reach the Action page.

Allow the connection
Use this option to allow network packets that match all criteria in the firewall rule.

Allow the connection if it is secure
Use this option to specify that only connections that are protected by Internet Protocol security (IPsec) are allowed. IPsec settings are defined in separate connection security rules. By default, this setting requires both authentication and integrity protection. To configure the requirements, click Customize.

When you choose this option, the Users and Computers pages are automatically added to the wizard. You can use these pages to specify the users or computers to whom you want to grant or deny access, or leave the page blank to allow access to all users and computers. If you choose to specify users or computers, you must use an authentication method that includes user or computer information, as appropriate, because Windows Firewall with Advanced Security will use the authentication method from the connection security rule to match the users and computers you specify. For example, for computers, you can use Computer (Kerberos V5) or Computer Certificate with certificate-to-account mapping enabled. If you do not specify users or computers, you can use any authentication method.

For more information about how to customize the IPsec requirements for this option, see the Customize Allow If Secure Settings dialog box. For more information about restricting access to users or computers, see the Users and Computers pages in the wizard.

Block the connection
Use this option to explicitly block any network packet that matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.

How to change these settings
After you create the firewall rule, you can adjust these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules and Outbound Rules. To change these settings, select Action on the General tab.

Additional references
Firewall Rule Wizard

Firewall Rule Wizard: Users Page
Use these settings to specify which users or user groups can connect to the local computer.

Important
To use these options, the firewall rule action must be set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes user identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

Note
This page is displayed for inbound rules only; it is not available for outbound rules.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules, and then click New rule.

2. Click Next through the wizard until you reach the Action page.

3. On the Action page, select Allow the connection if it is secure.

4. Click Next through the wizard until you reach the Users page.

Authorized users
Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from these users

Select this option to specify which users can connect to this computer. Network traffic that is not authenticated as coming from a user on this list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions
Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user who is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from these users

Select this option to specify users or groups whose network traffic is an exception to this rule. Network traffic that is authenticated as coming from a user in this list is not processed by the rule, even if the user is also in Authorized users.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

How to change these settings
After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules. To change these settings, select the Users tab.

Additional references
Firewall Rule Wizard

Firewall Rule Wizard: Computers Page
For inbound rules, use these settings to specify which computers or computer groups can connect to the local computer. For outbound rules, use these settings to specify the computers or computer groups to which this computer can connect.

Important
To use these options, the firewall rule action must be set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes computer identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

To get to this wizard page

1. From the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New rule.

2. Click Next through the wizard until you reach the Action page.

3. On the Action page, select Allow the connection if it is secure.

4. Click Next through the wizard until you reach the Computers page.

Authorized computers
Use this section to identify the computer or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from/to these computers

For inbound rules, select Only allow connections from these computers to specify which computers can connect to this computer. Network traffic that is not authenticated as coming from a computer on this list is blocked by Windows Firewall.

For outbound rules, select Only allow connections to these computers to specify the computers to which this computer is allowed to connect. Outbound network traffic sent to computers that cannot be authenticated as a computer on the list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers and Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.

Exceptions
Use this section to identify computer or group accounts that might be listed in Authorized computers, possibly because the computer or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, Computer A is a member of Group B. Group B is included in Authorized computers, so network traffic authenticated as coming from a computer in the group is allowed. By placing Computer A in the Exceptions list, network traffic authenticated as coming from Computer A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from/to these computers

For inbound rules, select Skip this rule for connections from these computers to specify which remote computers are exceptions to this rule.

For outbound rules, select Skip this rule for connections to these computers to specify the remote computers that are exceptions to this rule.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers and Groups dialog box. To remove a computer or group from the list, select the computer or group, and then click Remove.

How to change these settings
After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in either Inbound Rules or Outbound Rules. To change these settings, select the Computers tab.

Additional references
Firewall Rule Wizard
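The Users and Computers pages above, and the "Allow the connection if it is secure" action they depend on, can also be expressed from the command line. The following PowerShell is an added example, not code from this documentation or from Microsoft: it builds the security descriptor (SDDL) strings that the Authorized and Exceptions lists correspond to, then assembles a netsh advfirewall command for an inbound rule that uses them. It assumes that authorized entries map to allow (A) ACEs and exception entries to deny (D) ACEs in one SDDL string, that a connection security rule providing user and computer authentication already exists, and that the group SIDs shown are placeholders (on a domain-joined host, pass DOMAIN\Group names and they are resolved).

```powershell
# Added example; not code from the Windows Firewall documentation.
# Builds the SDDL strings behind the Users and Computers pages and creates an
# inbound "Allow the connection if it is secure" rule with them.
# Authorized entries become allow (A) ACEs and Exceptions become deny (D) ACEs
# in the same string. Group SIDs below are placeholders; a connection security
# rule supplying user and computer authentication must already exist.

function Resolve-AccountSid ([string] $Account) {
    # Accept "DOMAIN\Name" or an already-resolved SID (lets the sample run off-domain).
    if ($Account -match '^S-1-') { return $Account }
    ([System.Security.Principal.NTAccount] $Account).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-FirewallSddl {
    param(
        [string[]] $Authorized = @(),   # "Only allow connections from these users/computers"
        [string[]] $Exceptions = @()    # "Skip this rule for connections from these users/computers"
    )
    $aces = New-Object System.Collections.Generic.List[string]
    foreach ($a in $Authorized) { $aces.Add("(A;;CC;;;$(Resolve-AccountSid $a))") }
    foreach ($e in $Exceptions) { $aces.Add("(D;;CC;;;$(Resolve-AccountSid $e))") }
    return 'D:' + ($aces.ToArray() -join '')
}

function New-SecureInboundRule {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $UserSddl,
        [string] $ComputerSddl,
        # "authenticate" = authentication + integrity (the default described on the
        # Action page); "authenc" additionally requires encryption.
        [ValidateSet('authenticate', 'authenc', 'authnoencap')] [string] $Security = 'authenticate',
        [switch] $OverrideBlockRules,   # action=bypass: evaluated before block rules
        [switch] $Apply                 # without -Apply the command is only displayed
    )
    $action = if ($OverrideBlockRules) { 'bypass' } else { 'allow' }
    $cmd = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name", 'dir=in', 'protocol=TCP', "localport=$Port",
        "action=$action", "security=$Security", 'profile=domain', 'enable=yes'
    )
    if ($UserSddl)     { $cmd += "rmtusrgrp=$UserSddl" }          # Users page (inbound rules only)
    if ($ComputerSddl) { $cmd += "rmtcomputergrp=$ComputerSddl" } # Computers page
    if ($Apply) {
        & netsh.exe @cmd | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "netsh failed for: $($cmd -join ' ')" }
    } else {
        'netsh ' + ($cmd -join ' ')
    }
}

# Placeholder SIDs stand in for an admin-workstation computer group, a server-admin
# user group and a contractor user group that is excepted from the rule.
$computers = ConvertTo-FirewallSddl -Authorized 'S-1-5-21-1000000000-2000000000-3000000000-1201'
$users     = ConvertTo-FirewallSddl -Authorized 'S-1-5-21-1000000000-2000000000-3000000000-1105' `
                                    -Exceptions 'S-1-5-21-1000000000-2000000000-3000000000-1310'

# Display the command; add -Apply (from an elevated prompt) to create the rule.
New-SecureInboundRule -Name 'Remote Desktop (authenticated admins)' -Port 3389 `
    -UserSddl $users -ComputerSddl $computers -Security authenc -OverrideBlockRules
```

Run without -Apply the script only prints the netsh command, which is a convenient way to review the generated SDDL before it reaches the firewall. Because the rule is created with rmtusrgrp, it is inbound-only, matching the Note on the Users page; traffic that is not IPsec-authenticated as one of the listed computers and users falls through to other rules and then to the profile default.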

Firewall Rule Wizard: Profile Page
Use this wizard page to specify the profiles to which this rule is applied. Select any combination of profiles that meet your security goals.

This version of Windows supports multiple simultaneously active profiles. Each network adapter card attached to a network is assigned one of the following profiles based on what is detected on the attached network. This means that different firewall and connection security rules can affect network traffic, depending on which network adapter receives the traffic.

To get to this wizard page

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules or Outbound Rules, and then click New Rule.

2. Click Next through the wizard until you reach the Profile page.

Domain
The domain profile applies to a network when a domain controller is detected for the domain to which the local computer is joined. If you select this box, then the rule applies to network traffic passing through a network adapter connected to this network.

Private
The private profile applies to a network when it is marked private by the computer administrator and it is not a domain network. Newly detected networks are not marked private by default. A network should be marked private only when there is some kind of security device, such as a network address translator or perimeter firewall, between the computer and the Internet. The private profile settings should be more restrictive than the domain profile settings.

Public
The public profile applies to a network when the computer is connected directly to a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment.

How to change these settings
After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box opens when you double-click a rule in either Inbound Rules or Outbound Rules. To change the profiles to which the rule applies, select the Advanced tab.

Additional references
Firewall Rule Wizard

Firewall Rule Properties Page

This section describes the tabs on the Firewall Rule Properties page in Windows Firewall with Advanced Security.

General

Programs and Services

Protocols and Ports

Scope

Advanced

Computers

Users

Firewall Rule Properties Page: General Tab
Use this tab to name, enable, and specify the action of a firewall rule.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the General tab.

General section
This section contains identifying information about the rule and gives you the ability to enable or disable the rule.

Name

This is the name of the firewall rule. As a best practice, give the firewall rule a unique name. If two rules have the same name, then you cannot easily manage them by using the netsh commands. Do not use the name “all” for a firewall rule because that is the name of a Netsh command-line tool keyword.

Description (optional)

This is a description of the rule. Use this to provide information about the rule, such as the rule owner, the rule requester, the purpose of the rule, a version number, or the date of creation.

Enabled

Select this check box to enable the rule. Enabling a rule causes Windows Firewall with Advanced Security to compare all network packets to the criteria in this rule and to perform the action specified in Action when a match is found. Disabling the rule does not delete it, but instead causes Windows Firewall with Advanced Security to stop comparing network packets to the rule.

Action section
Select the action that Windows Firewall with Advanced Security will take for network packets that match the firewall rule criteria. When you have multiple firewall rules defined, the order in which they are evaluated for a match depends on the action specified in the rule. Firewall rules are evaluated in the following order:

1. Allow if secure with Override block rules selected in the Customize Allow if Secure Settings dialog box.

2. Block the connection.

3. Allow the connection.

4. Default profile behavior (allow or block as specified on the applicable Profile tab of the Windows Firewall with Advanced Security Properties dialog box).

Within each category, rules are evaluated from the most specific to the least specific. A rule that specifies four criteria is selected over a rule that specifies only three criteria. As soon as a network packet matches a rule, its action is triggered, and it is not compared to any additional rules. In other words, even if a network packet matches more than one rule, only the matching rule that is evaluated against the packet first is applied to the packet.

Allow the connection

Use this option to allow a network packet that matches all criteria in the firewall rule.

Allow the connection if it is secure

Use this option to specify that only network packets that are protected by Internet Protocol security (IPsec) are allowed. IPsec settings must be defined in separate connection security rules. By default, this setting requires both authentication and integrity to be included, but it does not require encryption. To configure the requirements, click Customize, and then select an option on the Customize Allow If Secure Settings dialog box.

Block the connection

Use this option to explicitly block any network packet that matches the firewall rule criteria. The block action takes precedence over the allow action, unless the Override block rules option is selected when the firewall rule is created.

Additional references
Firewall Rule Properties Page
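The four-category evaluation order described in the Action section is easy to misread when several rules overlap. The PowerShell below is an added example, not code from this documentation: it models that order on constructed sample rules and packets so you can see which rule decides a given packet. It reduces a rule to four criteria (Protocol, LocalPort, RemoteIp, Program), treats 'Any' or a missing key as unconstrained, and treats an "allow if secure" rule as matching only packets that carry IPsec protection; the real engine has more criteria, but the precedence logic is the same.

```powershell
# Added example; not code from the Windows Firewall documentation.
# A small model of the evaluation order the Action section describes. Rules and
# packets are constructed sample data with four criteria; 'Any' or a missing key
# means the criterion is not constrained.

$Criteria = 'Protocol', 'LocalPort', 'RemoteIp', 'Program'

function Get-RuleSpecificity ([hashtable] $Rule) {
    # Number of criteria the rule constrains; within a category the higher count wins.
    @($Criteria | Where-Object { $v = [string] $Rule[$_]; $v -and $v -ne 'Any' }).Count
}

function Test-RuleMatch ([hashtable] $Rule, [hashtable] $Packet) {
    # "Allow if secure" rules never match traffic that IPsec did not protect.
    if ($Rule.Action -eq 'AllowIfSecure' -and -not $Packet.Secure) { return $false }
    foreach ($k in $Criteria) {
        $v = [string] $Rule[$k]
        if ($v -and $v -ne 'Any' -and $v -ne [string] $Packet[$k]) { return $false }
    }
    return $true
}

function Resolve-FirewallAction {
    param([hashtable[]] $Rules, [hashtable] $Packet, [string] $ProfileDefault = 'Block')
    $desc = "$($Packet.Protocol)/$($Packet.LocalPort) from $($Packet.RemoteIp) secure=$($Packet.Secure)"
    # Categories in the order the General tab lists them; the first category with a
    # matching rule decides, and within it the most specific matching rule is used.
    $categories = @(
        @{ Label = 'Allow if secure + override block rules'; Result = 'Allow'
           Test = { param($r) $r.Action -eq 'AllowIfSecure' -and $r.OverrideBlockRules } },
        @{ Label = 'Block'; Result = 'Block'
           Test = { param($r) $r.Action -eq 'Block' } },
        @{ Label = 'Allow'; Result = 'Allow'
           Test = { param($r) ($r.Action -in @('Allow', 'AllowIfSecure')) -and -not $r.OverrideBlockRules } }
    )
    foreach ($cat in $categories) {
        $hits = @($Rules | Where-Object { $_.Enabled -and (& $cat.Test $_) -and (Test-RuleMatch $_ $Packet) } |
                 Sort-Object { Get-RuleSpecificity $_ } -Descending)
        if ($hits.Count -gt 0) {
            return [pscustomobject]@{ Packet = $desc; Result = $cat.Result; DecidedBy = $hits[0].Name; Category = $cat.Label }
        }
    }
    [pscustomobject]@{ Packet = $desc; Result = $ProfileDefault; DecidedBy = '(none)'; Category = 'Default profile behavior' }
}

# Constructed sample rule set: three overlapping RDP rules and two HTTP rules.
$rules = @(
    @{ Name = 'Admin RDP (IPsec, override block)'; Action = 'AllowIfSecure'; OverrideBlockRules = $true; Protocol = 'TCP'; LocalPort = 3389; Enabled = $true },
    @{ Name = 'Block RDP';                          Action = 'Block'; Protocol = 'TCP'; LocalPort = 3389; Enabled = $true },
    @{ Name = 'Allow RDP';                          Action = 'Allow'; Protocol = 'TCP'; LocalPort = 3389; Enabled = $true },
    @{ Name = 'Allow HTTP from 10.0.0.5';           Action = 'Allow'; Protocol = 'TCP'; LocalPort = 80; RemoteIp = '10.0.0.5'; Enabled = $true },
    @{ Name = 'Allow HTTP';                         Action = 'Allow'; Protocol = 'TCP'; LocalPort = 80; Enabled = $true }
)

$packets = @(
    @{ Protocol = 'TCP'; LocalPort = 3389; RemoteIp = '10.0.0.5'; Secure = $false },  # Block beats Allow
    @{ Protocol = 'TCP'; LocalPort = 3389; RemoteIp = '10.0.0.5'; Secure = $true  },  # override-block rule wins
    @{ Protocol = 'TCP'; LocalPort = 80;   RemoteIp = '10.0.0.5'; Secure = $false },  # more specific Allow decides
    @{ Protocol = 'UDP'; LocalPort = 53;   RemoteIp = '10.0.0.5'; Secure = $false }   # nothing matches: profile default
)

$packets | ForEach-Object { Resolve-FirewallAction -Rules $rules -Packet $_ } | Format-Table -AutoSize
```

The four sample packets exercise each category: unauthenticated RDP is blocked even though an allow rule exists, IPsec-authenticated RDP is admitted by the override-block rule before the block rule is consulted, HTTP is decided by the allow rule with three criteria rather than the one with two, and the DNS packet reaches the profile default because no rule matches.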


Firewall Rule Properties Page: Programs and Services Tab
Use this tab to specify the way in which Windows Firewall with Advanced Security matches criteria based on which program or service on the local computer is sending the packets to the peer computer. If this and all other criteria are matched, Windows Firewall with Advanced Security will take the action that you specify in Action on the General tab.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Programs and Services tab.

Programs
This section contains information about how network packets from a program will be matched.

All programs that meet the specified conditions

Use this option to match network packets being sent or received by any program.

This program

Use this option to match network packets going to or from a specified program. If the program is not running, then no packets match the rule. You can select the program in one of two ways:

Type the complete path to the program. You can include environment variables, where appropriate.

Click Browse and find the program in the directory.

Important
Do not use environment variable strings that resolve only in the context of a certain user (for example, %USERPROFILE%). When these strings are evaluated by the service at runtime, the service is not running in the context of the user. The use of these strings can produce unexpected results.

Services
Click Settings to match packets from all programs and services on the computer (the default), services only, or a specified service.

Security Note
Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without specifying the individual service that is to be allowed or blocked. Specifying only the service container as a program might compromise the security of the computer.

More about program and service settings
To add a program to the rule, you must specify the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rule. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file.

When you add a program to the rule, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to a rule is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.

Note
You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses the Windows Sockets (Winsock) application programming interface (API) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.

Additional references
Firewall Rule Properties Page
Dialog Box: Customize Service Settings

Firewall Rule Properties Page: Protocols and Ports Tab
Use this tab to specify which protocols and ports in a network packet match this firewall rule.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Protocols and Ports tab.

Protocol type
Select the protocol whose network traffic you want to filter with this firewall rule. If the protocol you want is not in the list, then select Custom, and type the protocol number in Protocol number. You can use any protocol number listed by the Internet Assigned Numbers Authority (IANA).

If you specify TCP or UDP in the list, then you can specify the TCP or UDP port numbers in Endpoint 1 port and Endpoint 2 port.

For a list of the protocols, their protocol numbers and a brief description, see Firewall Rule Properties Page: Protocol and Ports Tab (http://go.microsoft.com/fwlink/?linkid=137823) in the TechNet Library.

Local port
If you are using the TCP or UDP protocol type, you can specify the local port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The local port is the port on the computer on which the firewall profile is applied.

The following options are available for inbound rules:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.

RPC Endpoint Mapper. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive incoming RPC requests on TCP port 135 to the RPC Endpoint Mapper (RPC-EM). A request to the RPC-EM identifies a network service and asks for the port number on which the specified network service is listening. RPC-EM responds with the port number to which the remote computer should send further network traffic for the service. This option also enables RPC-EM to receive RPC over HTTP requests.

RPC Dynamic Ports. Available for TCP on inbound rules only. Selecting this option allows the local computer to receive inbound network packets to ports assigned by the RPC runtime. Ports in the RPC ephemeral range are blocked by Windows Firewall unless assigned by the RPC runtime to a specific RPC network service. Only the program to which the RPC runtime assigned the port can receive inbound traffic on that port.

IPHTTPS. Available for TCP only. Available under Local port for inbound rules. Selecting this option allows the local computer to receive incoming IP over HTTPS (IPHTTPS) packets from a remote computer. IPHTTPS is a tunneling protocol that supports the embedding of Internet Protocol version 6 (IPv6) packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

Edge Traversal. Available for UDP on inbound rules only. Selecting this option allows the local computer to receive incoming Teredo network packets. Teredo is an IPv4-to-IPv6 transition protocol.

Important
Creating rules to allow RPC network traffic by using the RPC Endpoint Mapper and RPC Dynamic Ports options allows all RPC network traffic. Windows Firewall cannot filter RPC traffic by the universally unique identifier (UUID) of the destination program.

When an application uses RPC to communicate from a client to a server, you must typically create two rules, one for RPC Endpoint Mapper and one for Dynamic RPC.

Remote port
If you are using the TCP or UDP protocol type, you can specify the local port and remote port by using one of the choices from the drop-down list or by specifying a port or a list of ports. The remote port is the port on the computer that is attempting to communicate with the computer on which the firewall profile is applied.

The following options are available for inbound rules:

All Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option specifies that all of the ports for the selected protocol match the rule.

Specific Ports. Available for both TCP and UDP on inbound and outbound rules. Selecting this option enables the text box where you can type the port numbers that you need. Separate port numbers with commas and include ranges by separating the low and high values with a hyphen.

IPHTTPS. Available for TCP only. Available under Remote port for outbound rules. Selecting this option allows the local computer to send outbound IPHTTPS packets to a remote computer. IPHTTPS is a tunneling protocol that supports embedding IPv6 packets in IPv4 HTTPS network packets. This allows IPv6 traffic to traverse some IP proxies that do not support IPv6 or some of the other IPv6 transition technologies, such as Teredo and 6to4.

ICMP Settings
Click Customize to configure settings for Internet Control Message Protocol (ICMP). The Customize button is enabled only when you choose the ICMPv4 or ICMPv6 protocol types. For more information, see Dialog Box: Customize ICMP Settings.

Additional references
Firewall Rule Properties Page
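The RPC Endpoint Mapper and RPC Dynamic Ports options, together with the Important note that an RPC application typically needs both rules, and the earlier Programs and Services guidance about tying rules to a program or service rather than a bare service container, can be combined into one repeatable command pair. The PowerShell below is an added example, not code from this documentation or from Microsoft: it assembles the two netsh advfirewall commands for an RPC-based server, scoping both to the program (and optionally a hosted service), the domain profile and the local subnet. The program path and service name are placeholders, and netsh's RPC-EPMap and RPC keywords are assumed to be the command-line equivalents of the two wizard options.

```powershell
# Added example; not code from the Windows Firewall documentation.
# Creates the pair of inbound rules the "Important" note describes for an
# RPC-based server: one for the Endpoint Mapper (TCP 135) and one for the
# dynamic port the RPC runtime assigns. Both are tied to a program (and, for a
# hosted service, its service name) because the firewall cannot filter RPC by
# interface UUID; the program/service is the narrowest scope available.
# Program path and service name are placeholders. Run elevated when using -Apply.

$ProgramPath = 'C:\Program Files\Contoso\RpcServer.exe'   # placeholder path
$ServiceName = 'ContosoRpcSvc'                             # placeholder service

function New-RpcRulePair {
    param(
        [Parameter(Mandatory)] [string] $BaseName,
        [Parameter(Mandatory)] [string] $Program,
        [string] $Service,                    # omit for a stand-alone .exe that is not a service host
        [string] $RuleProfile = 'domain',     # keep RPC listeners off private/public networks
        [string] $RemoteIp    = 'localsubnet',
        [switch] $Apply                       # without -Apply the commands are only displayed
    )
    if ($BaseName -eq 'all') { throw "'all' is a netsh keyword and cannot be used as a rule name" }

    $common = @(
        'advfirewall', 'firewall', 'add', 'rule',
        'dir=in', 'action=allow', 'protocol=TCP', 'enable=yes',
        "program=$Program", "profile=$RuleProfile", "remoteip=$RemoteIp"
    )
    if ($Service) { $common += "service=$Service" }

    # Rule 1: TCP 135, so clients can ask the Endpoint Mapper which port the service uses.
    $epmRule = $common + @("name=$BaseName (RPC-EPMap-In)", 'localport=RPC-EPMap')
    # Rule 2: the ephemeral port the RPC runtime assigns to this program at run time;
    # only that program can receive traffic on it.
    $dynRule = $common + @("name=$BaseName (RPC-Dynamic-In)", 'localport=RPC')

    foreach ($cmd in @($epmRule, $dynRule)) {
        if ($Apply) {
            & netsh.exe @cmd | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "netsh failed for: $($cmd -join ' ')" }
        } else {
            'netsh ' + ($cmd -join ' ')
        }
    }
}

# Display the two commands (add -Apply from an elevated prompt to create the rules).
New-RpcRulePair -BaseName 'Contoso RPC Server' -Program $ProgramPath -Service $ServiceName
```

Leaving the Service parameter out is only appropriate when the RPC server runs in its own executable; for a service hosted in a container such as Svchost.exe, the service name is what keeps the rule from admitting every service in that process, which is the point of the Security Note on the Programs and Services tab.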

Firewall Rule Properties Page: Scope Tab

Use this tab to specify the local and remote IP addresses whose network traffic matches this rule. If the local computer is listed in the local IP addresses, then all network traffic going to or from any of the remote IP addresses matches this rule.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Scope tab.

Local IP address

The local IP address is used by the local computer to determine if the rule applies. The rule applies only to network traffic that goes through a network adapter that is configured to use one of the specified local IP addresses.

Any IP address

Select this option to specify that the rule matches a network packet with any address specified as the local IP address. The local computer always matches the rule when this option is selected.

These IP addresses

Select this option to specify that the rule matches network traffic that has one of the addresses specified in Local IP address. If the local computer does not have a network adapter configured with one of the specified IP addresses, then the rule does not apply. On the IP Address dialog box, click Add to create a new entry in the list or Edit to change an existing entry in the list. You can also delete an entry from the list by selecting the item and then clicking Remove.

Remote IP address

Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.

Any IP address

Select this option to specify that the rule matches network packets that are addressed from (for inbound rules) or addressed to (for outbound rules) any IP address included in the list.

These IP addresses

Select this option to specify that the rule matches only network traffic that has one of the addresses specified in Remote IP address. On the IP Address dialog box, click Add to create a new entry in the list or Edit to change an existing entry in the list. You can also delete an entry from the list by selecting the item and then clicking Remove.

Additional references

Firewall Rule Properties Page
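The Scope tab settings can also be applied from a script. The following PowerShell is an added example and is not part of this help file: it uses the NetSecurity module cmdlets (Windows 8 and Windows Server 2012 and later; on the Windows 7 and Windows Server 2008 R2 generation this help file covers, the equivalent is netsh advfirewall firewall add rule with its localip and remoteip parameters). It creates a rule whose Local IP address and Remote IP address are both set to These IP addresses, reads the scope back, and checks the caveat stated above: a rule whose listed local address is not configured on any adapter never applies. The rule name, server address and management subnet are assumed sample values.

```powershell
# Added example (not from the help file): create an inbound rule scoped to a
# management subnet, read the scope back, then apply the page's caveat that a
# rule listing specific local addresses is inert unless an adapter holds one.
# Requires the NetSecurity module (Windows 8 / Windows Server 2012 or later)
# and an elevated prompt. Rule name, addresses and subnet are assumed values.

$ruleName  = 'Example - RDP from management subnet'   # assumed name
$localAddr = '10.20.30.40'                            # assumed server address
$remoteNet = '10.20.99.0/24'                          # assumed admin subnet

# Same effect as Scope tab -> Local IP address: These IP addresses and
# Remote IP address: These IP addresses.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol TCP -LocalPort 3389 `
    -LocalAddress $localAddr -RemoteAddress $remoteNet `
    -Profile Domain | Out-Null

# Read the scope back: the address filter object carries what the Scope tab shows.
$rule  = Get-NetFirewallRule -DisplayName $ruleName
$scope = $rule | Get-NetFirewallAddressFilter
"{0}: local={1} remote={2}" -f $rule.DisplayName,
    ($scope.LocalAddress -join ','), ($scope.RemoteAddress -join ',')

# The page's caveat: if no adapter is configured with one of the listed local
# addresses, the rule never matches. Check that before relying on the rule.
$present = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -in @($scope.LocalAddress) }
if (-not $present) {
    Write-Warning "No adapter holds $($scope.LocalAddress -join ', '); '$ruleName' will not apply."
}

# Tighten an existing scope in place (Edit on the IP Address dialog box):
# narrow the remote side from the whole subnet to two jump hosts.
Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress '10.20.99.10', '10.20.99.11'

# Remove the sample rule again.
Remove-NetFirewallRule -DisplayName $ruleName
```

Run it from an elevated PowerShell prompt; the sample rule is removed at the end so the host's policy is left as it was.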


Firewall Rule Properties Page: Advanced Tab

Use this tab to configure the profiles and interface types to which this firewall rule will be applied.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Advanced tab.

Profiles

A profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to the computer depending on where the computer is connected. Windows determines a network location type for each network adapter, and then applies the corresponding profile to that network adapter. On computers running this version of Windows, there are three profiles recognized by Windows Firewall with Advanced Security.

Domain

Applies when a computer is connected to a network that contains an Active Directory domain controller in which the computer's domain account resides.

Private

Applies when a computer is connected to a network in which the computer's domain account does not reside, such as a home network. The private profile settings should be more restrictive than the domain profile settings. A network is assigned the private type by a local administrator.

Public

Applies when a computer is connected to a domain through a public network, such as one available in airports and coffee shops. The public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be as tightly controlled as it is in an IT environment. By default, newly discovered networks are assigned the public type.

Notes

Computers running Windows Server 2008 and Windows Vista support only a single profile at a time. If the computer is connected to more than one network, the most restrictive profile is applied to all network adapters.

Computers running Windows XP and Windows Server 2003 support only two profiles: standard, which maps to both public and private, and domain. If the computer is connected to more than one network, the profile that is most restrictive is applied to all network adapters. For this purpose, the public profile is considered the most restrictive, followed by the private profile, and then the domain profile.

Interface types

Click Customize to specify the interface types to which this rule applies. The Customize Interface Types dialog box allows you to select All interface types or any combination of Local area network, Remote access, or Wireless types.


Edge traversal

Edge traversal allows the computer to accept unsolicited inbound packets that have passed through an edge device, such as a network address translation (NAT) router or firewall.

Select one of the following options from the list:

Block edge traversal (default)

Prevent applications from receiving unsolicited traffic from the Internet through a NAT edge device.

Allow edge traversal

Allow applications to receive unsolicited traffic directly from the Internet through a NAT edge device.

Defer to user

Let the user decide whether to allow unsolicited traffic from the Internet through a NAT edge device when an application requests it.

Defer to application

Let each application determine whether to allow unsolicited traffic from the Internet through a NAT edge device.

Additional references

Firewall Rule Properties Page
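The profile, interface type and edge traversal settings on this tab decide how far beyond the domain network a rule reaches, so they are worth auditing regularly. The script below is an added example, not code from this help file or from Microsoft: with the NetSecurity module (Windows 8 and Windows Server 2012 and later) it lists enabled inbound allow rules that are active in the Public profile, bound specifically to wireless or remote access interfaces, or set to anything other than Block edge traversal. The constructed sample rule and its name are assumed values used only to produce one finding.

```powershell
# Added example (not from the help file): audit the Advanced tab settings of
# enabled inbound allow rules. Requires the NetSecurity module (Windows 8 /
# Windows Server 2012 or later). Flags rules whose reach extends beyond the
# domain profile or that accept unsolicited traffic through a NAT edge device.

# Constructed sample rule that trips every check (assumed name; removed below).
$sample = 'Example - edge traversal on public Wi-Fi'
New-NetFirewallRule -DisplayName $sample -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 3544 -Profile Public -InterfaceType Wireless `
    -EdgeTraversalPolicy Allow | Out-Null

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $iface   = ($rule | Get-NetFirewallInterfaceTypeFilter).InterfaceType
    $reasons = @()

    # Profile: Any, or a list that includes Public, means the rule is live on
    # untrusted networks (newly discovered networks default to Public).
    if ($rule.Profile -match 'Public|Any') { $reasons += "profile=$($rule.Profile)" }

    # Interface types: rules pinned to Wireless or RemoteAccess (VPN/dial-up)
    # deserve a second look; Any covers those too but is the normal default.
    if ($iface -match 'Wireless|RemoteAccess') { $reasons += "interface=$iface" }

    # Edge traversal: Allow, DeferToUser or DeferToApp can expose the listening
    # port to unsolicited Internet traffic through a NAT edge device.
    if ($rule.EdgeTraversalPolicy -ne 'Block') { $reasons += "edge=$($rule.EdgeTraversalPolicy)" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name    = $rule.DisplayName
            Group   = $rule.DisplayGroup
            Reasons = $reasons -join '; '
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize

Remove-NetFirewallRule -DisplayName $sample
```

Many built-in rules legitimately use the Any profile, so the profile finding is an inventory rather than a defect list; the edge traversal finding is the one to act on first, since the page notes that an edge-traversal rule makes the port globally addressable from outside the NAT.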

Firewall Rule Properties Page: Computers Tab

Use these settings to specify which computers or computer groups can connect to the local computer. This tab is available on both inbound and outbound firewall rules.

Notes

This option cannot be configured by using the New Inbound Firewall Rule wizard. To configure this setting, you must create the rule by using the wizard and then change it by using this tab.

This option applies to inbound rules only; it does not appear on the Advanced tab for an outbound rule.

Important

To use these options, the firewall rule action must be set to Allow the connection if it is secure on the General tab. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes computer identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in either Inbound Rules or Outbound Rules, right-click the firewall rule you want to modify, and then click the Computers tab.

Authorized computers

Use this section to identify the computer or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from/to these computers

For inbound rules, select Only allow connections from these computers to specify which computers can connect to this computer. Network traffic that is not authenticated as coming from a computer on this list is blocked by Windows Firewall.

For outbound rules, select Only allow connections to these computers to specify the computers to which this computer is allowed to connect. Outbound network traffic sent to computers that cannot be authenticated as a computer on the list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers, or Groups dialog box.

To remove a computer or group from the list, select the computer or group, and then click Remove.

Exceptions

Use this section to identify computer or group accounts that might be listed in Authorized computers, possibly because the computer or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, Computer A is a member of Group B. Group B is included in Authorized computers, so network traffic authenticated as coming from a computer in the group is allowed. By placing Computer A in the Exceptions list, network traffic authenticated as being from Computer A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from/to these computers

For inbound rules, select Skip this rule for connections from these computers to specify the remote computers that are exceptions to this rule.

For outbound rules, select Skip this rule for connections to these computers to specify the remote computers that are exceptions to this rule.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Select Users, Computers, or Groups dialog box.

To remove a computer or group from the list, select the computer or group, and then click Remove.

Additional references

Firewall Rule Properties Page

Firewall Rule Properties Page: Users Tab

Use these settings to specify which users or user groups can connect to the local computer.

Important

These options are only available when the firewall rule action is set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes user identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

Note

This tab is displayed for inbound rules only; it is not available for outbound rules.

To get to this tab

In the Windows Firewall with Advanced Security MMC snap-in, in Inbound Rules or Outbound Rules, double-click the firewall rule you want to modify, and then click the Users tab.

Authorized users

Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from these users

Select Only allow connections from these users to specify which users can connect to this computer. Network traffic that is not authenticated as coming from a user on this list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box.

To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions

Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user that is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from these users

Select Skip this rule for connections from these users to specify users or groups whose network traffic is an exception to this rule. Network traffic that is authenticated as coming from a user in this list is not processed by the rule, even if the user is also in the Authorized users list.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box.

To remove a user or group from the list, select the user or group, and then click Remove.

Additional references

Firewall Rule Properties Page
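The Computers tab and the Users tab both store their lists as security descriptors on the rule, which is why they need the Allow the connection if it is secure action and a connection security rule that authenticates the peer. The following PowerShell is an added example, not part of this help file or of the Windows Firewall tooling, and serves both tabs: it creates an inbound rule that allows SMB only from an authorized computer group, places one member of that group on the exception list, reads the resulting security filter back, and then inventories every enabled rule that depends on IPsec authentication. It uses the NetSecurity module (Windows 8 and Windows Server 2012 and later); the domain, group, computer and rule names are hypothetical, and the SDDL layout used (A entries for authorized accounts, D entries for exceptions) is the form in which the firewall records these lists.

```powershell
# Added example (not from the help file): an inbound rule with the action
# "Allow the connection if it is secure", limited to an authorized computer
# group with one member excepted, then a read-back of the Computers tab data.
# Requires the NetSecurity module (Windows 8 / Windows Server 2012 or later)
# and an elevated prompt. Domain, group, host and rule names are hypothetical.
# A connection security rule that authenticates computers (Kerberos v5, NTLMv2
# or a mapped certificate) must already cover this traffic, or nothing matches.

function Get-AccountSid {
    # Resolve DOMAIN\Name (computer accounts carry a trailing $) to its SID.
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

$ruleName        = 'Example - SMB from authorized workstations'
$authorizedGroup = 'CONTOSO\Admin Workstations'   # hypothetical computer group
$exceptedHost    = 'CONTOSO\WKS-KIOSK01$'         # hypothetical group member to skip

$groupSid = Get-AccountSid $authorizedGroup
$hostSid  = Get-AccountSid $exceptedHost

# Authorized computers become allow (A) entries and Exceptions become deny (D)
# entries in the SDDL string the rule stores. The deny entry wins, so the
# kiosk's traffic is not processed by this rule although it is in the group.
$sddl = "O:LSD:(A;;CC;;;$groupSid)(D;;CC;;;$hostSid)"

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Enabled True `
    -Protocol TCP -LocalPort 445 -Profile Domain `
    -Authentication Required -RemoteMachine $sddl | Out-Null

# The Computers tab (and Users tab) contents live in the rule's security filter.
$sec = Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallSecurityFilter
"Authentication : $($sec.Authentication)"   # Required: the lists only apply when set
"RemoteMachine  : $($sec.RemoteMachine)"    # Computers tab
"RemoteUser     : $($sec.RemoteUser)"       # Users tab equivalent (-RemoteUser), same SDDL form

# Inventory of every enabled rule that relies on IPsec authentication and the
# computer or user lists it carries; review it whenever group membership changes.
Get-NetFirewallRule -Enabled True | ForEach-Object {
    $f = $_ | Get-NetFirewallSecurityFilter
    if ($f.Authentication -ne 'NotRequired') {
        [pscustomobject]@{ Rule = $_.DisplayName; Auth = $f.Authentication
                           Computers = $f.RemoteMachine; Users = $f.RemoteUser }
    }
} | Format-Table -AutoSize

Remove-NetFirewallRule -DisplayName $ruleName
```

Resolving the group name to a SID needs the domain to be reachable; the rule itself is evaluated against the identity the IPsec main mode (computer) or second authentication (user) established, which is why the Important notes above require an authentication method that carries account identity.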

Monitored Firewall Rules Properties Page

This section describes the tabs on the Firewall Rule Properties page for rules displayed in Monitoring in Windows Firewall with Advanced Security.

Note

Only active firewall rules, those assigned to currently active network profiles, are displayed in Monitoring.

To get to this page

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule that you want to examine.

For a description of each tab on the property page, see the following topics:

General

Programs and Ports

Advanced


Monitor Firewall Rules - General

This tab shows basic information about an inbound or outbound firewall rule that is being applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule you want to examine, and then click the General tab.

Local IP address

This lists the local IP address, range of addresses, or subnet to which the rule applies, as configured on the Scope tab of the Firewall Rule Properties page.

Remote IP address

This lists the remote IP address, range of addresses, or subnet to which the rule applies, as configured on the Scope tab of the Firewall Rule Properties page.

Direction

This indicates whether the rule is an Inbound or Outbound rule.

Profile

This lists the network location profiles, Domain, Private, Public or All, to which the rule applies, as configured on the Advanced tab of the Firewall Rule Properties page.

Additional references

Monitored Firewall Rules Properties Page

Monitor Firewall Rules - Programs and Ports

This tab shows information about the protocols and ports that are used to match network packets to an inbound or outbound firewall rule that is being applied to the computer.


To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule you want to examine, and then click the Programs and Ports tab.

Protocol

This indicates the IP protocol type to which the rule applies, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

Local port

If you are using the UDP or TCP protocol type, this indicates the UDP or TCP port to which the rule applies, on the computer where the firewall rule is applied, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

Remote port

If the rule applies to the UDP or TCP protocol, this indicates the UDP or TCP port to which the rule applies, on the remote computer that is attempting to communicate with the computer where the firewall rule is applied, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

ICMP settings

If the rule applies to the Internet Control Message Protocol (ICMP) version 4 or ICMP version 6 protocol, this indicates the ICMP types and codes that are included, as configured on the Protocols and Ports tab of the Firewall Rule Properties page.

Program

This indicates the program file name and path of the application to which the rule applies, as configured on the Programs and Services tab of the Firewall Rule Properties page.

Service

If the program item is a service container, this indicates the service within the container to which the rule applies, as configured on the Programs and Services tab of the Firewall Rule Properties page.

Additional references

Monitored Firewall Rules Properties Page


Monitor Firewall Rules - Advanced

This tab displays information about authenticated users and computers whose network traffic is affected by this rule. This tab should be used only when the action for the rule is set to Allow if secure.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Firewall.

2. Double-click the firewall rule you want to examine, and then click the Advanced tab.

Authorized users and computers

This is a list of the users or groups of users authorized by this rule, as configured on the Users and Computers tabs of the Firewall Rule Properties dialog box.

Excepted users and computers

This is a list of the users or groups of users who are not subject to this rule, as configured on the Users and Computers tabs of the Firewall Rule Properties dialog box. If a user or computer appears under both Authorized and Excepted, the exception takes priority, and the network traffic from that user or computer is not subject to this rule.

Interface types

This is a list of the network interface types to which this rule applies (Local area network, Remote access, Wireless, or All interface types), as configured on the Advanced tab of the Firewall Rule Properties dialog box.

Edge traversal

This indicates whether edge traversal is enabled (Allow edge traversal) or disabled (Block edge traversal). The Defer to user and Defer to application options are used to indicate that the user or application must make the decision to allow unsolicited traffic from the Internet through a network address translation (NAT) edge device. When edge traversal is enabled, the application, service, or port to which the rule applies is globally addressable and accessible from outside a NAT edge device. This setting is configured on the Advanced tab of the Firewall Rule Properties dialog box.

Additional references

Monitored Firewall Rules Properties Page

Monitored Connection Security Rules Properties Page

This section describes the tabs on the Connection Security Rule Properties page for rules displayed in Monitoring in Windows Firewall with Advanced Security.

General

Authentication

Advanced

Monitor Connection Security Rules - General

This tab shows basic information about a connection security rule that is being applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Connection Security Rules.

2. Double-click the rule you want to examine, and then click the General tab.

Endpoint 1 IP Address

This is the IP address or range of IP addresses of the first endpoint as configured on the Computers tab of the Connection Security Rule Properties page. If no endpoint is specified, Any is displayed.

Endpoint 1 port

This is the TCP or UDP port number of the first endpoint computer or group of computers as configured on the Protocols and Ports tab of the Connection Security Rule Properties page. If no port is specified, Any is displayed.

Endpoint 2 IP Address

This is the IP address or range of IP addresses of the second endpoint as configured on the Computers tab of the Connection Security Rule Properties page. If no endpoint is specified, Any is displayed.


Endpoint 2 port

This is the TCP or UDP port number of the second endpoint computer or group of computers as configured on the Protocols and Ports tab of the Connection Security Rule Properties page. If no port is specified, Any is displayed.

Protocol

This is the protocol as configured by using the Protocol type option on the Protocols and Ports tab of the Connection Security Rule Properties page. If no protocol is specified, Any is displayed.

Profile

This lists the network location profiles, domain, private or public, to which the rule applies, as configured on the Advanced tab of the Connection Security Rule Properties page.

Additional references

Monitored Connection Security Rules Properties Page

Monitor Connection Security Rules - Authentication

This tab shows basic information about authentication methods used by a connection security rule that is applied to the computer.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Connection Security Rules.

2. Double-click the rule you want to examine, and then select the Authentication tab.

Requirements

This refers to the authentication requirement on connections matching the rule criteria.

First authentication

The first and second authentication methods are used during the main mode phase of Internet Protocol security (IPsec) negotiations. For first authentication, you can view the way the two peer computers authenticate, such as through Kerberos version 5, NTLMv2, computer certificates, or another method.

The Details column displays information for certificates and preshared keys only. For certificates, it displays the issuer details, whether the certificate was issued by a root or intermediate certification authority (CA), and the certificate signing algorithm. For a preshared key, it displays the key in plain text.

The authentication information displayed can be configured on the Authentication tab of the Connection Security Rules Properties dialog box.

Second authentication

For second authentication, you can view the user authentication method, such as Kerberos version 5, NTLMv2, user certificates, or a computer health certificate.

The Details column displays information for certificates only. It displays the issuer details, whether the certificate was issued by a root or intermediate CA, and the certificate signing algorithm.

The authentication information that is displayed can be configured on the Authentication tab of the Connection Security Rules Properties dialog box.

Additional references

Monitored Connection Security Rules Properties Page

Monitor Connection Security Rules - Advanced

If the rule specifies an Internet Protocol security (IPsec) tunnel, this tab shows information about the tunnel endpoints and whether computer or user authorization is required.

To get to this tab

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, and then expand Connection Security Rules.

2. Double-click the rule you want to examine, and then click the Advanced tab.

Local tunnel endpoint

If the connection security rule is a tunnel rule, then this indicates the address of the tunnel endpoint that is closest to the local computer, as configured on the Customize IPsec Tunneling Settings dialog box.

If the connection security rule is not a tunnel rule, then None is displayed.


Remote tunnel endpoint

If the connection security rule is a tunnel rule, then this indicates the address of the tunnel endpoint that is farthest from the local computer, as configured on the Customize IPsec Tunneling Settings dialog box.

If the connection security rule is not a tunnel rule, then None is displayed.

Interface types

This indicates the network interface types to which the rule applies, as configured on the Advanced tab of the Connection Security Rule Properties page.

Apply authorization

This indicates whether the use of the tunnel is restricted to only authorized users and computers, as configured on the Customize IPsec Tunneling Settings dialog box. The list of authorized users and computers is configured on the Customize IPsec Tunnel Authorizations dialog box.

Exempt IPsec protected connections

This indicates whether network packets addressed to a computer in Endpoint 2 that are already protected by IPsec are sent through the tunnel. This includes any network packet with an ESP header, including ESP NULL. This setting is configured on the Customize IPsec Tunneling Settings dialog box.

Additional references

Monitored Connection Security Rules Properties Page

Monitored Main Mode Security Associations

Main mode negotiation establishes a secure channel between two computers by determining a set of cryptographic protection suites, exchanging keying material to establish a shared secret key, and authenticating computer and user identities. A security association (SA) is the information maintained about that secure channel on the local computer so that it can use the information for future network traffic to the remote computer. You can monitor main mode SAs for information like which peers are currently connected to this computer and which protection suite was used to form the SA.

To get to this view

In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Main Mode.


The following information is available in the table view of all main mode SAs. To see the information for a single main mode SA, double-click the SA in the list.

Main mode SA information

You can add, remove, reorder, and sort by these columns in the Results pane:

Local Address: The local computer IP address.

Remote Address: The remote computer or peer IP address.

1st Authentication Method: The authentication method used to create the SA.

1st Authentication Local ID: The authenticated identity of the local computer used in first authentication.

1st Authentication Remote ID: The authenticated identity of the remote computer used in first authentication.

2nd Authentication Method: The authentication method used in the SA.

2nd Authentication Local ID: The authenticated identity of the local computer used in second authentication.

2nd Authentication Remote ID: The authenticated identity of the remote computer used in second authentication.

Encryption: The encryption method used by the SA to secure quick mode key exchanges.

Integrity: The data integrity method used by the SA to secure quick mode key exchanges.

Key Exchange: The Diffie-Hellman group used to create the main mode SA.

To add, remove, or reorder a column

Any user account can be used to complete this procedure.

1. Right-click in a blank area in the Results pane for the Main Mode folder, select View, and then click Add/Remove Columns.

2. In the Add/Remove Columns dialog box, from the Available columns list, select the column you want to view, and then click Add. You can select only one column name at a time.

3. You can also select columns that you do not want to view. From the Displayed columns list, click Remove. You can select only one column name at a time.

4. To reorder the columns, from left to right, select a column in the Displayed columns list, and then click Move Up or Move Down. You can select only one column name at a time.


5. When you are finished, click OK. The view will change to reflect your preferences.

Additional references

Monitored Quick Mode Security Associations
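The Security Associations views can be read from PowerShell as well, which makes it practical to check every connected peer against a crypto baseline instead of opening SAs one at a time. The script below is an added example, not part of this help file, and serves both the Main Mode view above and the Quick Mode view described in the next section: it uses Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA from the NetSecurity module (Windows 8 and Windows Server 2012 and later; on the Windows 7 and Windows Server 2008 R2 generation the equivalents are netsh advfirewall monitor show mmsa and netsh advfirewall monitor show qmsa). Property names are those of the NetSecurity module's SA objects; the threshold for a weak suite (DES or 3DES, MD5 or SHA-1, Diffie-Hellman group 1 or 2) is an assumed current baseline, not anything stated on this page.

```powershell
# Added example (not from the help file): read the Main Mode and Quick Mode
# security association views from PowerShell and flag main mode SAs formed
# with a weak protection suite. Requires the NetSecurity module (Windows 8 /
# Windows Server 2012 or later). Property names are those of the module's SA
# objects; confirm on your build with Get-NetIPsecMainModeSA | Get-Member.
# The weak-suite threshold is an assumed baseline, not a setting from the page.

function Get-WeakMainModeSA {
    # One main mode SA exists per connected peer; each carries the suite that
    # was negotiated (the Encryption, Integrity and Key Exchange columns).
    Get-NetIPsecMainModeSA | ForEach-Object {
        $weak = @()
        if ($_.CipherAlgorithm -match '^(DES|DES3)$') { $weak += "encryption=$($_.CipherAlgorithm)" }
        if ($_.HashAlgorithm   -match '^(MD5|SHA1)$') { $weak += "integrity=$($_.HashAlgorithm)" }
        if ($_.GroupId         -match '^(DH1|DH2)$')  { $weak += "keyexchange=$($_.GroupId)" }
        if ($weak.Count -gt 0) {
            [pscustomobject]@{
                LocalAddress  = $_.LocalEndpoint
                RemoteAddress = $_.RemoteEndpoint
                FirstAuth     = $_.FirstAuthenticationMethod
                RemoteId      = $_.RemoteFirstId      # 1st Authentication Remote ID
                Weak          = $weak -join '; '
            }
        }
    }
}

# Main Mode view: connected peers, how each authenticated, and the suite used.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod,
                  SecondAuthenticationMethod, CipherAlgorithm, HashAlgorithm, GroupId |
    Format-Table -AutoSize

# Quick Mode view: many SAs per peer, one per negotiated filter, with the
# AH or ESP transform that protects the data.
Get-NetIPsecQuickModeSA |
    Select-Object LocalEndpoint, LocalPort, RemoteEndpoint, RemotePort, IpProtocol,
                  EncapsulationMode, FirstTransformType, FirstIntegrityAlgorithm |
    Format-Table -AutoSize

# Peers whose channel should be re-keyed with a stronger main mode crypto set.
Get-WeakMainModeSA | Format-Table -AutoSize
```

An empty result from either cmdlet simply means no IPsec peer is currently connected; run it while protected traffic is flowing, which is also when the snap-in's views have content.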

Monitored Quick Mode Security Associations

A quick mode negotiation establishes a secure channel between two computers to protect user data exchanged between them. During quick mode negotiation, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects the IP data traffic is also selected. The exchange of information required to negotiate a quick mode SA is performed within the context of the main mode SA. After the quick mode SA is established, the two computers can exchange network packets within the context of the quick mode SA. There is only one main mode SA between a pair of computers, but there can be many quick mode SAs. Monitoring quick mode SAs can provide information about which peers are currently connected to this computer, and which protection suite is protecting the data exchanged between them. Separate SAs are created for Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) connections.

To get to this view

1. In the Windows Firewall with Advanced Security MMC snap-in, expand Monitoring, expand Security Associations, and then click Quick Mode.

The following information is available in the table view of all quick mode SAs. To see the information for a single quick mode SA, double-click the item in the list.

Quick mode SA information

You can add, remove, reorder, and sort by these columns in the Results pane:

Local IP address: The local IP address.

Local port: The TCP or UDP port of the local computer used in the filter.

Remote IP address: The IP address of the remote computer or peer.

Remote port: The TCP or UDP port of the remote computer used in the filter.

Protocol: The protocol specified in the filter.

AH integrity: The AH protocol-specific data integrity method used for peer communications.

ESP integrity: The ESP protocol-specific encryption method used for peer communications.


ESP confidentiality: The ESP protocol-specific encryption method used for peer communications.

To add, remove, or reorder a column

Any user account can be used to complete this procedure.

1. Right-click in a blank area in the Results pane for the Quick Mode folder, select View, and then click Add/Remove Columns.

2. In the Add/Remove Columns dialog box, from the Available columns list, select the column you want to view, and then click Add. You can select only one column name at a time.

3. You can also select columns that you do not want to view. From the Displayed columns list, click Remove. You can select only one column name at a time.

4. To reorder the columns, from left to right, select a column in the Displayed columns list, and then click Move Up or Move Down. You can select only one column name at a time.

5. When you are finished, click OK. The view will change to reflect your preferences.

Additional references

Monitored Main Mode Security Associations

Dialog Boxes

This section describes the user interface options on the Windows Firewall with Advanced Security dialog boxes. Instructions for locating the dialog box are included in each topic.

Dialog Box: Add or Edit Integrity Algorithms

Dialog Box: Add or Edit Integrity and Encryption Algorithms

Dialog Box: Add or Edit IP Addresses

Dialog Box: Add Security Method

Dialog Box: Customize Advanced Authentication Methods

Dialog Box: Customize Advanced Key Exchange Settings

Dialog Box: Customize Allow If Secure Settings

Dialog Box: Customize Data Protection Settings


Dialog Box: Customize ICMP Settings

Dialog Box: Customize Interface Types

Dialog Box: Customize IPsec Settings

Dialog Box: Customize IPsec Tunnel Authorization

Dialog Box: Customize IPsec Tunneling Settings

Dialog Box: Customize Logging Settings for a Firewall Profile

Dialog Box: Customize Protected Network Connections for a Firewall Profile

Dialog Box: Customize Service Settings

Dialog Box: Customize Settings for a Firewall Profile

Dialog Box: Add or Edit First Authentication Method

Dialog Box: Add or Edit Second Authentication Method

Dialog Box: Add or Edit Integrity AlgorithmsUse this dialog box to configure a data integrity algorithm offer that is available when negotiating quickmode security associations. You must specify both the protocol and the algorithm used to protect theintegrity of the data in the network packet.

Internet Protocol security (IPsec) provides integrity by calculating a hash generated from the data in thenetwork packet. The hash is then cryptographically signed (encrypted) and embedded in the IP packet.The receiving computer uses the same algorithm to calculate the hash and compares its result to the hashthat is embedded in the received packet. If it matches, then the information received is exactly the sameas the information sent, and the packet is accepted. If it does not match, then the packet is dropped.

Using an encrypted hash of the transmitted message makes it computationally infeasible to change the message without causing a mismatch of the hash. This is critical when data is exchanged over an unsecured network, such as the Internet, because it provides a way to know that the message was not changed during transit.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.


4. Under Data protection (Quick Mode), select Advanced, and then click Customize.

5. Under Data integrity, select an algorithm combination from the list, and click Edit or Add.

Protocol

The following protocols are used to embed the integrity information into an IP packet.

ESP (recommended)

ESP provides authentication, integrity, and anti-replay protection for the IP payload. ESP used in transport mode does not sign the entire packet. Only the IP payload, not the IP header, is protected. ESP can be used alone or in combination with AH. With ESP, the hash calculation includes the ESP header, trailer, and payload only. ESP can optionally provide data confidentiality services by encrypting the ESP payload with one of several supported encryption algorithms. Packet replay services are provided through the inclusion of a sequence number for each packet.

AH

AH provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet). It does not provide confidentiality, which means that it does not encrypt the data. The data is readable, but protected from modification. Some fields that are allowed to change in transit are excluded from the hash calculation. Packet replay services are provided through the inclusion of a sequence number for each packet.

Important
The AH protocol is not compatible with network address translation (NAT) because NAT devices change information in some of the packet headers that are included in the integrity hash. To allow IPsec-based traffic to pass through a NAT device, you must use ESP and ensure that NAT Traversal (NAT-T) is enabled on the IPsec peer computers.

Null encapsulation

Null encapsulation specifies that you do not want to use any integrity or encryption protection on your network traffic. Authentication is still performed as required by the connection security rules, but no other protection is provided to the network packets that are exchanged through this security association.

Security Note
Because this option provides no integrity or confidentiality protection of any kind, we recommend that you use it only if you must support software or network devices that are not compatible with ESP or AH.

Algorithms

The following integrity algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running other versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version.


For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

AES-GMAC 256

AES-GMAC 192

AES-GMAC 128

SHA-1

MD5

Caution
MD5 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is provided for backward compatibility only.

Key lifetimes

Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified amount of data has been transmitted. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised.

Note
This key regeneration is for quick mode data integrity only. These settings do not affect the key lifetime settings for main mode key exchange.

Minutes

Use this setting to configure how long the key used in the quick mode security association lasts, in minutes. After this interval, a new key will be generated. Subsequent communications will use the new key.

The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 5 minutes. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

KB

Use this setting to configure how many kilobytes (KB) of data are sent using the key. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key.

The maximum lifetime is 2,147,483,647 KB. The minimum lifetime is 20,480 KB. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
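The difference in what ESP and AH cover, and the NAT caveat in the Important note above, as an added example that is not part of the original help text: a simplified packet model in Python where each protocol's integrity check value is computed over the bytes the text says it covers, then verified after ordinary forwarding, after a NAT rewrite, and after payload tampering. The packet fields, the HMAC-SHA1 stand-in for the SHA-1 algorithm, the demo key and the NAT address are all constructed; NAT-T (UDP encapsulation) is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace


# Constructed, simplified IPv4 packet: a few header fields plus the payload.
# Real headers carry more fields; this is enough to show which bytes each
# protocol's integrity check value (ICV) covers.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int        # mutable in transit: every router decrements it
    checksum: int   # mutable in transit: recomputed whenever the header changes
    payload: bytes


# Constructed demo key; in IPsec the integrity key comes from the quick mode SA.
KEY = b"constructed-demo-key-not-for-real-use"


def _icv(data: bytes) -> bytes:
    # HMAC-SHA1 stands in for the SHA-1 integrity algorithm offered in the dialog box.
    return hmac.new(KEY, data, hashlib.sha1).digest()


def ah_icv(p: Packet) -> bytes:
    # AH covers the IP header and the payload. Fields that are allowed to change
    # in transit (TTL, header checksum) are treated as zero so that routing does
    # not break the check, but the addresses are covered.
    covered = f"src={p.src}|dst={p.dst}|ttl=0|csum=0|".encode() + p.payload
    return _icv(covered)


ESP_HEADER = b"SPI=0x00001234|SEQ=1|"   # constructed SPI and sequence number
ESP_TRAILER = b"|pad=0|next=6"          # constructed trailer (next header = TCP)


def esp_icv(p: Packet) -> bytes:
    # ESP in transport mode covers the ESP header, the payload and the ESP
    # trailer only; the outer IP header is not part of the hash at all.
    return _icv(ESP_HEADER + p.payload + ESP_TRAILER)


def compute_icv(p: Packet, protocol: str) -> bytes:
    if protocol == "AH":
        return ah_icv(p)
    if protocol == "ESP":
        return esp_icv(p)
    raise ValueError(f"unknown protocol {protocol!r}")


def verify(p: Packet, icv: bytes, protocol: str) -> bool:
    # The receiver recomputes the hash over the packet it received and compares
    # it in constant time; a mismatch means the packet is dropped.
    return hmac.compare_digest(compute_icv(p, protocol), icv)


def next_hop(p: Packet) -> Packet:
    # Ordinary forwarding: TTL decremented, header checksum recomputed.
    return replace(p, ttl=p.ttl - 1, checksum=(p.checksum + 1) & 0xFFFF)


def nat_rewrite(p: Packet, public_src: str) -> Packet:
    # A NAT device additionally rewrites the source address (constructed value).
    return replace(next_hop(p), src=public_src)


def survives_direct_path(p: Packet, protocol: str) -> bool:
    """Sender signs, a router forwards, the receiver verifies."""
    return verify(next_hop(p), compute_icv(p, protocol), protocol)


def survives_nat(p: Packet, protocol: str) -> bool:
    """Sender signs, a NAT rewrites the source address, the receiver verifies."""
    return verify(nat_rewrite(p, "203.0.113.7"), compute_icv(p, protocol), protocol)


def detects_payload_tampering(p: Packet, protocol: str) -> bool:
    """Either protocol must reject a packet whose payload changed in transit."""
    icv = compute_icv(p, protocol)
    tampered = replace(next_hop(p), payload=p.payload + b"X")
    return not verify(tampered, icv, protocol)


# Constructed sample packet using RFC 5737 documentation addresses.
SAMPLE = Packet(src="192.0.2.10", dst="198.51.100.20", ttl=64,
                checksum=0x1234, payload=b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for proto in ("AH", "ESP"):
        print(proto, "direct:", survives_direct_path(SAMPLE, proto),
              "via NAT:", survives_nat(SAMPLE, proto),
              "tamper detected:", detects_payload_tampering(SAMPLE, proto))
```

AH fails only on the NAT path, because the rewritten source address is inside its hash; ESP passes both paths because its hash never covered the IP header.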

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit Integrity and Encryption Algorithms

Use this dialog box to configure an algorithm offer that includes both data integrity and data confidentiality (encryption) and that is available when negotiating quick mode security associations. You must specify both the protocol and the algorithm used to protect the integrity of the data in the network packet.

Internet Protocol security (IPsec) provides integrity by calculating a hash generated from the data in the network packet. The hash is then cryptographically signed (encrypted) and embedded in the IP packet. The receiving computer uses the same algorithm to calculate the hash, and compares the result to the hash that is embedded in the received packet. If it matches, then the information received is exactly the same as the information sent, and the packet is accepted. If it does not match, then the packet is dropped.

Using an encrypted hash of the transmitted message makes it computationally infeasible to change the message without a resulting mismatch with the hash. This is critical when data is exchanged over an unsecured network such as the Internet and provides a way to know that the message was not changed during transit.

In addition to integrity protection, this dialog box allows you to specify an encryption algorithm that helps prevent the data from being read if the network packet is intercepted while in transit.

How to get to this dialog box

1. In the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

4. Under Data protection (Quick Mode), select Advanced, and then click Customize.

5. Under Data integrity and encryption, select an algorithm combination from the list, and click Edit or Add.

Protocol


The following protocols are used to embed the integrity and encryption information into an IP packet.

ESP (recommended)

Encapsulating Security Payload (ESP) provides confidentiality (in addition to authentication, integrity, and anti-replay) for the IP payload. ESP in transport mode does not sign the entire packet. Only the IP data payload, not the IP header, is protected. ESP can be used alone or in combination with Authentication Header (AH). With ESP, the hash calculation includes the ESP header, trailer, and payload only. ESP provides data confidentiality services by encrypting the ESP payload with one of the supported encryption algorithms. Packet replay services are provided through the inclusion of a sequence number for each packet.

ESP and AH

This option combines the security of the ESP protocol with the AH protocol. AH provides authentication, integrity, and anti-replay for the entire packet (both the IP header and the data payload carried in the packet).

Important
The AH protocol is not compatible with network address translation (NAT) because NAT devices need to change information in the packet headers. To allow IPsec-based traffic to pass through a NAT device, you must ensure that NAT Traversal (NAT-T) is supported on your IPsec peer computers.

Algorithms

Encryption algorithm

The following encryption algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running earlier versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version.

For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

AES-GCM 256

AES-GCM 192

AES-GCM 128

AES-CBC 256

AES-CBC 192

AES-CBC 128

3DES

DES

Security Note
We recommend that you do not use DES. It is provided for backward compatibility only.

Note
If you specify an AES-GCM algorithm for encryption, then you must specify the same algorithm for integrity.

Integrity algorithm

The following integrity algorithms are available to computers running this version of Windows. Some of these algorithms are not available on computers running other versions of Windows. If you must establish IPsec-protected connections with a computer running an earlier version of Windows, then you must include algorithm options that are compatible with the earlier version.

For more information, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

AES-GCM 256

AES-GCM 192

AES-GCM 128

AES-GMAC 256

AES-GMAC 192

AES-GMAC 128

SHA-1

MD5

Security Note
We recommend that you do not use MD5. It is provided for backward compatibility only.

Note
If you specify an AES-GCM algorithm for integrity, then you must specify the same algorithm for encryption.

Key lifetimes

Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified amount of data has been transmitted. For example, if the communication takes 100 minutes and you specify a key lifetime of 10 minutes, 10 keys will be generated (one every 10 minutes) during the exchange. Using multiple keys ensures that if an attacker manages to gain the key to one part of a communication, the entire communication is not compromised.


Minutes

Use this setting to configure how long the key used in the quick mode security association lasts, in minutes. After this interval, the key will be regenerated. Subsequent communications will use the new key.

The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 5 minutes. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

KB

Use this setting to configure how many kilobytes (KB) of data are sent using the key. After this threshold is reached, the counter is reset, and the key is regenerated. Subsequent communications will use the new key.

The maximum lifetime is 2,147,483,647 KB. The minimum lifetime is 20,480 KB. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.
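The quick mode key lifetime rules described above and in the integrity-only dialog box (a minutes threshold and a KB threshold, whichever is reached first; the 100 minutes with a 10 minute lifetime gives 10 keys example; the 5 to 2,879 minute and 20,480 KB to 2,147,483,647 KB limits) as an added Python model, not code from the original help text. The traffic traces, the QuickModeLifetime and rekey_times names, and the per-minute sampling are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Limits stated in the Key lifetimes section of this dialog box.
MIN_MINUTES, MAX_MINUTES = 5, 2_879
MIN_KB, MAX_KB = 20_480, 2_147_483_647


@dataclass(frozen=True)
class QuickModeLifetime:
    minutes: int
    kilobytes: int

    def __post_init__(self) -> None:
        # Reject values the dialog box would not accept.
        if not MIN_MINUTES <= self.minutes <= MAX_MINUTES:
            raise ValueError(f"minutes must be {MIN_MINUTES}..{MAX_MINUTES}, got {self.minutes}")
        if not MIN_KB <= self.kilobytes <= MAX_KB:
            raise ValueError(f"kilobytes must be {MIN_KB}..{MAX_KB}, got {self.kilobytes}")


def is_valid_lifetime(minutes: int, kilobytes: int) -> bool:
    """True when both values are inside the ranges the dialog box allows."""
    try:
        QuickModeLifetime(minutes, kilobytes)
        return True
    except ValueError:
        return False


def rekey_times(lifetime: QuickModeLifetime,
                traffic: List[Tuple[int, int]]) -> List[Tuple[int, str]]:
    """Return (minute, reason) for every key generated under a quick mode SA.

    traffic is a chronological list of (minute, kilobytes_sent) samples, a
    constructed stand-in for the real byte counter. The initial key at minute 0
    counts as the first key, which reproduces the "100 minutes / 10 minute
    lifetime -> 10 keys" example in the text. Whichever threshold is reached
    first triggers the rekey, and both counters restart with the new key.
    """
    keys = [(0, "initial")]
    key_started = 0      # minute at which the current key came into use
    kb_under_key = 0     # data protected by the current key so far

    for minute, kb in traffic:
        # Time threshold: catch up on every interval boundary already passed
        # (a key expires on time even when no traffic was sent meanwhile).
        while minute - key_started >= lifetime.minutes:
            key_started += lifetime.minutes
            kb_under_key = 0
            keys.append((key_started, "minutes"))
        # Data threshold: count this sample against the current key.
        kb_under_key += kb
        if kb_under_key >= lifetime.kilobytes:
            key_started = minute
            kb_under_key = 0
            keys.append((minute, "kilobytes"))
    return keys


def key_count(lifetime: QuickModeLifetime, traffic: List[Tuple[int, int]]) -> int:
    return len(rekey_times(lifetime, traffic))


# Constructed traces.
LIGHT_100_MIN = [(m, 64) for m in range(100)]                  # 100 minutes at 64 KB/min
BULK_COPY = [(0, 8_000), (1, 8_000), (2, 8_000), (3, 8_000)]   # 32 MB in 4 minutes
IDLE_GAP = [(0, 1), (35, 1)]                                   # nothing sent for 35 minutes

if __name__ == "__main__":
    print(key_count(QuickModeLifetime(10, 20_480), LIGHT_100_MIN))   # 10
    print(rekey_times(QuickModeLifetime(60, 20_480), BULK_COPY))     # KB threshold wins at minute 2
    print(rekey_times(QuickModeLifetime(10, 20_480), IDLE_GAP))      # time threshold keeps firing
```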

Note
This key regeneration is for quick mode data integrity and encryption and does not affect the key lifetime settings for main mode key exchange.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit IP Addresses

Use this dialog box to specify computers by IP address. You can use either Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses. You can also specify an entire subnet.

To get to this dialog box

When creating a firewall rule by using the New Firewall Rule wizard, on the Scope page, select These IP addresses, and then click Add.

When modifying an existing firewall rule, on the Scope tab, select These IP addresses, and then click Add.

When creating a connection security rule by using the Connection Security Rule wizard, on the Endpoints page, select These IP addresses, and then click Add.

When modifying an existing connection security rule, on the Computers tab, select These IP addresses, and then click Add.


This IP address or subnet

You can specify a single IP address or a subnet for either IPv4 or IPv6 addresses. To specify a subnet, enter the IP address using syntax similar to the following:

192.168.1.0/24

The number following the forward slash (/) represents the number of bits in the subnet mask. Up to 32 bits are possible. In this example, 24 means that the first three octets are the subnet address and the last octet is the host ID within the subnet. The bits representing the host ID must be 0. The example corresponds to a subnet mask of 255.255.255.0.

For an IPv6 address, use the same syntax. The number after the forward slash represents the number of bits in the subnet mask. Up to 128 bits are possible. The bits representing the host ID must be 0. For example:

2001:8e6c:6456:1c99::/64

This IP address range

Enter two IP addresses. The lower numbered address must precede the higher numbered address in the range. The range consists of all IP addresses between the beginning and ending IP addresses. The two range endpoints must use the same IP version, either IPv4 or IPv6.
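The subnet and range rules of this dialog box (host bits must be zero, prefix lengths up to 32 for IPv4 and 128 for IPv6, range endpoints in the same IP version with the lower address first) as an added example that is not part of the original help text; it validates entries with Python's ipaddress module. The function names and the sample entries are constructed.

```python
import ipaddress
from typing import Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_address_or_subnet(text: str) -> Union[IPAddress, IPNetwork]:
    """Parse the 'This IP address or subnet' field.

    Accepts a single IPv4 or IPv6 address, or address/prefix notation such as
    192.168.1.0/24 or 2001:8e6c:6456:1c99::/64. strict=True makes ipaddress
    reject an entry whose host bits are not zero, which is the rule the text
    states for a subnet; an out-of-range prefix length is rejected as well.
    """
    text = text.strip()
    if "/" in text:
        return ipaddress.ip_network(text, strict=True)   # ValueError on host bits or bad prefix
    return ipaddress.ip_address(text)


def subnet_mask(text: str) -> str:
    """Dotted-decimal mask for an IPv4 prefix, for example /24 -> 255.255.255.0."""
    net = ipaddress.ip_network(text.strip(), strict=True)
    return str(net.netmask)


def parse_range(low: str, high: str) -> Tuple[IPAddress, IPAddress]:
    """Parse the 'This IP address range' fields: same IP version, low before high."""
    lo = ipaddress.ip_address(low.strip())
    hi = ipaddress.ip_address(high.strip())
    if lo.version != hi.version:
        raise ValueError("both range endpoints must be IPv4 or both IPv6")
    if lo > hi:
        raise ValueError("the lower numbered address must precede the higher one")
    return lo, hi


def range_size(low: str, high: str) -> int:
    """Number of addresses the range covers, endpoints included."""
    lo, hi = parse_range(low, high)
    return int(hi) - int(lo) + 1


def check_entry(kind: str, *values: str) -> str:
    """Return 'ok' or the reason the dialog box would reject the entry."""
    try:
        if kind == "subnet":
            parse_address_or_subnet(values[0])
        elif kind == "range":
            parse_range(values[0], values[1])
        else:
            return f"unknown entry kind {kind!r}"
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed entries: the two examples from the text, then typical mistakes.
    for entry in (("subnet", "192.168.1.0/24"), ("subnet", "2001:8e6c:6456:1c99::/64"),
                  ("subnet", "192.168.1.5/24"), ("range", "10.0.0.10", "10.0.0.1"),
                  ("range", "10.0.0.1", "2001:db8::1")):
        print(entry, "->", check_entry(*entry))
```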

Predefined set of computers

You can specify one of the following sets of predefined computers:

Default gateway. Uses the IP address currently set as the default gateway of the local computer.

WINS servers. Uses the IP addresses for the computers currently configured to provide WINS services to the local computer.

DHCP servers. Uses the IP addresses for the computers currently configured to provide DHCP services to the local computer.

DNS servers. Uses the IP addresses for the computers currently configured to provide DNS services to the local computer.

Local subnet. Uses the IP address and subnet mask of the local computer to dynamically determine addresses that are part of the computer's local subnet.

See Also User Interface: Windows Firewall with Advanced Security


Dialog Box: Add Security Method

Use this dialog box to configure a security method offer that is available when negotiating main mode security associations. You must specify the integrity, encryption, and key exchange algorithm.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

4. Under Key exchange (Main Mode), select Advanced, and then click Customize.

5. Under Security methods, select an algorithm combination from the list, and click Edit or Add.

Integrity algorithm

Select one of the following integrity algorithms from the list.

SHA-384

SHA-256

SHA-1

MD5

Caution
MD5 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.

Encryption algorithm

Select one of the following encryption algorithms from the list.

AES-CBC 256

AES-CBC 192

AES-CBC 128

3DES


DES

Caution
DES is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.

Key exchange algorithm

Select one of the following key exchange algorithms from the list.

Elliptic Curve Diffie-Hellman P-384

Elliptic Curve Diffie-Hellman P-256

Diffie-Hellman Group 14

Diffie-Hellman Group 2

Diffie-Hellman Group 1

Caution
DH1 is no longer considered secure and should only be used for testing purposes or in cases in which the remote computer cannot use a more secure algorithm. It is included for backward compatibility only.

For more information about any of these algorithms, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Advanced Authentication Methods

Use these settings to configure the authentication required in your environment. You can configure advanced authentication on a rule-by-rule basis or to apply by default to all connection security rules.

How to get to this dialog box

To get to this dialog box to configure the default settings for the computer, perform the following steps. These settings apply to any connection security rule in which Default is selected as the authentication method.


1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

4. Under Authentication method, select Advanced, and then click Customize.

To get to this dialog box when creating a new connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.

1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, right-click Connection Security Rules, and then click New Rule.

2. Select any rule type except Authentication exemption.

3. Click Next through the wizard until you reach the Authentication Method page.

4. Select Advanced, and then click Customize.

To get to this dialog box to configure the settings for an existing connection security rule, perform the following steps. These settings apply only to the connection security rule whose properties you are editing.

1. On the Windows Firewall with Advanced Security MMC snap-in page, in the navigation pane, click Connection Security Rules.

2. Double-click the rule that you want to modify.

3. Click the Authentication tab.

4. Under Method, select Advanced, and then click Customize.

First authentication

The first authentication method is performed during the main mode phase of Internet Protocol security (IPsec) negotiations. In this authentication, you can specify the way in which the peer computer is authenticated.

You can specify multiple methods to use for this authentication. The methods are attempted in the orderyou specify; the first successful method is used.

To add a method to the list, click Add.

To modify a method already in the list, select the method, and then click Edit.

To remove a method from the list, select the method, and then click Remove.

To reorder the list, select a method, and then click the up and down arrows.


For more information about the available first authentication methods, see Dialog Box: Add or Edit First Authentication Method.

First authentication is optional

You can select this option to have the first authentication performed with anonymous credentials. This is useful when the second authentication provides the primary, required means of authentication, and the first authentication is to be performed only when both peers support it. For example, if you want to require user-based Kerberos version 5 authentication, which is available only as a second authentication, you can select First authentication is optional, and then select User (Kerberos V5) in Second authentication method.

Second authentication

With second authentication, you can specify the way in which the user logged on to the peer computer is authenticated. You can also specify a computer health certificate from a specified certification authority (CA).

You can specify multiple methods to use for this authentication.

The methods are attempted in the order you specify; the first successful method is used.

To add a method to the list, click Add.

To modify a method already in the list, select the method, and then click Edit.

To remove a method from the list, select the method, and then click Remove.

To reorder the list, select a method and then click the up and down arrows.

For more information about the available second authentication methods, see Dialog Box: Add or Edit Second Authentication Method.

Second authentication is optional

You can select this option to indicate the second authentication should be performed if possible, but that the connection should not be blocked should the second authentication fail. This is useful when the first authentication provides the primary, required means of authentication, and the second authentication is optional, but preferred, when both peers support it. For example, if you want to require computer-based Kerberos version 5 authentication and you would like to use user-based Kerberos version 5 authentication when possible, you can select Computer (Kerberos V5) as the first authentication, and then select User (Kerberos V5) as the second authentication with Second authentication is optional selected.

Caution
Do not configure both the first authentication and second authentication to be optional. This is equivalent to turning authentication off.

Notes
You must use either all user-based authentication methods or all computer-based authentication methods.
No matter where it appears in the list, you cannot use the second authentication method if you are using a preshared key for the first authentication method.

Important
In a tunnel mode rule, if you select Second authentication is optional, then the resulting IPsec policy is implemented as IKE only and does not use Authenticated Internet Protocol (AuthIP). Any authentication methods specified in Second authentication are ignored.

In a transport mode rule, the second authentication methods are still used, as expected.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Advanced Key Exchange Settings

Use this dialog box to add, edit, change priority, or remove the algorithm combinations that are available for key exchange during main mode negotiations. You can specify more than one algorithm combination and you can assign the order in which the combinations are tried. The first combination in the list that is compatible with both peers will be used.

Note
A best practice is to list the algorithm combinations in order of highest security at the top to lowest security at the bottom. This way, the most secure algorithm in common between the two negotiating computers is used. The less secure algorithms can be used for backward compatibility.

How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in page, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

4. Under Key exchange (Main Mode), select Advanced, and then click Customize.

Security methods


Security methods are combinations of integrity algorithms and encryption algorithms that protect the key exchange. You can have as many combinations as you need and you can arrange them in preferred order in the list. The combinations are attempted in the order in which they are displayed. The first set to be agreed upon by both peer computers is used. If the peer computer cannot use any of the combinations you define, the connection attempt fails.

Some algorithms are supported only by computers running this version of Windows. For more information, see IPsec Algorithms and Protocols Supported by Windows (http://go.microsoft.com/fwlink/?LinkID=129230).

To add a combination to the list, click Add to use the Add or Edit Security Method dialog box.

To reorder the list, select a combination, and then click the up or down arrows.

Note
As a best practice, order the combinations from highest security at the top of the list to lowest security at the bottom. This ensures that the most secure method that both peers can support is used.

Key lifetimes

Lifetime settings determine when a new key is generated. Key lifetimes allow you to force the generation of a new key after a specified time interval or after a specified number of sessions have been protected by using the current key. Using multiple keys ensures that if an attacker manages to gain access to one key, only a small amount of information is exposed before a new key is generated and the network traffic is protected once again. You can specify the lifetime in both minutes and number of sessions. The first threshold reached is used and the key is regenerated.

Note
This key regeneration is for main mode key exchange only. These settings do not affect the key lifetime settings for quick mode data protection.

Minutes

Use this setting to configure how long the key used in main mode security association lasts, in minutes. After this interval, a new key is generated. Subsequent main mode sessions use the new key.

The maximum lifetime is 2,879 minutes (48 hours). The minimum lifetime is 1 minute. We recommend that you rekey only as frequently as your risk analysis requires. Excessively frequent rekeying can impact performance.

Sessions

A session is a distinct message or set of messages protected by a quick mode SA. This setting specifies how many quick mode key generating sessions can be protected using the same main mode key information. After this threshold is reached, the counter is reset, and a new key is generated. Subsequent communications will use the new key. The maximum value is 2,147,483,647 sessions. The minimum value is 0 sessions.

A session limit of zero (0) causes the generation of a new key to be determined only by the Key lifetime (in minutes) setting.

Important
The higher the number of sessions allowed per main mode key, the greater the chance of the main mode key being discovered. If you want to limit the number of times this reuse occurs, you can specify a quick mode key limit.

Security Note
To configure main mode perfect forward secrecy (PFS), set Key lifetime in sessions to 1. Although this configuration provides significant additional protection, it also carries a significant computational and network performance penalty. Every new quick mode session regenerates the main mode keying material, which in turn causes the two computers to reauthenticate. We recommend that you enable PFS only in environments where IPsec traffic might be exposed to sophisticated attackers who might try to compromise the strong cryptographic protection provided by IPsec.

Use caution when setting very different key lifetimes for main mode and quick mode keys. For example, setting a main mode key lifetime of 8 hours and a quick mode key lifetime of 2 hours might leave a quick mode SA in place for almost 2 hours after the main mode SA has expired. This occurs when the quick mode SA is generated shortly before main mode SA expiration.

Key exchange options

Use Diffie-Hellman for enhanced security

Windows Vista and later versions of Windows support Authenticated IP (AuthIP) in addition to Internet Key Exchange (IKE) for establishing the initial secure connection in which the rest of the IPsec parameters are negotiated. IKE uses Diffie-Hellman exchanges only. When AuthIP is used, no Diffie-Hellman key exchange protocol is required. Instead, when Kerberos version 5 authentication is requested, the Kerberos version 5 service ticket secret is used in place of a Diffie-Hellman value. When either certificate authentication or NTLM authentication is requested, a Transport Layer Security (TLS) session is established, and its secret is used in place of the Diffie-Hellman value.

If you select this check box, then a Diffie-Hellman exchange takes place regardless of the authentication type selected, and the Diffie-Hellman secret is used to secure the rest of the IPsec negotiations. Use this when regulatory requirements specify that a Diffie-Hellman exchange must be used.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Allow If Secure Settings

When you select Allow the connection if it is secure in a firewall rule, you are specifying that the network packets must be protected by Internet Protocol security (IPsec) or the packet does not match the rule. If you click Customize next to that option, you can configure these options that allow you to specify the type of IPsec protection that is required.


You must select one of the first three options described below. The last option, Override block rules, can be selected independently of the other options.

To get to this dialog box

When creating a firewall rule by using the New Firewall Rule wizard, on the Action page, click Allow the connection if it is secure, and then click Customize.

When modifying an existing firewall rule, on the General tab, select Allow the connection if it is secure, and then click Customize.

Allow the connection if it is authenticated and integrity-protected

This is the default option. Use this option to require that all matching network packets use both IPsec authentication and integrity algorithms as defined in a separate connection security rule. If a network packet matching all other criteria is neither authenticated nor protected with an integrity algorithm, then it does not match this rule and is blocked.

Require the connection to be encrypted

Use this option to require that all matching network packets use data encryption as defined in a separate connection security rule. If a network packet matching all other criteria is not encrypted, then it does not match this rule and is blocked. When this option is enabled, Windows Firewall with Advanced Security uses the settings on the Customize Data Protection Settings dialog box.

Allow the computers to dynamically negotiate encryption

This option is available for inbound rules only. Use this option to allow the network connection, after authentication succeeds, to send and receive unencrypted network traffic while the encryption algorithms are negotiated.

Note
This setting is supported when applied to computers running Windows Vista or later versions of Windows.

Security Note
While encryption is being negotiated, the network traffic is sent as clear text. Do not specify this option if the network traffic sent over the connection during this period is too sensitive for plain text transmission.

Allow the connection to use null encapsulation

Use this option to require that all matching network packets use IPsec authentication, but do not require integrity or encryption protection. We recommend that you use this option only when you have network equipment or software that is not compatible with either the Encapsulating Security Payload (ESP) or Authentication Header (AH) integrity protocols.

Override block rulesUse this option to allow network packets that match this firewall rule to override any block firewallrules. This option is referred to as authenticated bypass. Normally, rules that explicitly blockconnections have priority over rules that allow connections. If you use this option, the connection isallowed even if another rule would block the connection. You are effectively stating that network trafficthat matches this rule is allowed because it is authenticated as coming from an authorized and trusteduser or computer.

This option is typically used to allow trusted programs, such as network vulnerability scanners and othernetworking tools, to run without restrictions. Although a typical firewall configuration does and shouldblock network traffic from such devices, you can create a rule that identifies authorized computers. TheOverride block rules option allows traffic from these authorized computers only. If you do not use thisoption, any block firewall rules that match the same firewall rule criteria will take precedence, and theconnections will be blocked.

If you select this option, you must specify at least one computer or computer group for authorization onthe Computers page of the New Firewall Rule wizard or the Computers tab of the Firewall RuleProperties dialog box.
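The four secure-connection options and the authenticated-bypass action are also exposed by netsh advfirewall firewall add rule, as security=authenticate|authenc|authdynenc|authnoencap and action=bypass. The PowerShell below is an added example, not code from the original topic: it creates inbound TCP rules with those options and builds the SDDL string that netsh requires for the authorized computer group when bypass is used. The rule names, TCP port 445 and the group CONTOSO\Vulnerability Scanners are placeholders; the function name is this example's own.

```powershell
# Added example: "Allow the connection if it is secure" options via netsh, from PowerShell.
# Placeholders: the rule names, port 445 and the CONTOSO group used at the bottom.

function New-SecureInboundRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$LocalPort,
        # authenticate = authenticated and integrity-protected (the dialog's default)
        # authenc      = require the connection to be encrypted
        # authdynenc   = allow the computers to dynamically negotiate encryption
        # authnoencap  = allow the connection to use null encapsulation
        [ValidateSet('authenticate', 'authenc', 'authdynenc', 'authnoencap')]
        [string]$Security = 'authenticate',
        # Override block rules (authenticated bypass); needs at least one computer group.
        [switch]$OverrideBlockRules,
        [string[]]$AuthorizedComputerGroup
    )
    if ($Security -eq 'authdynenc') {
        Write-Warning "$Name : traffic is clear text until encryption has been negotiated."
    }
    $action = if ($OverrideBlockRules) { 'bypass' } else { 'allow' }
    $netshArgs = @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=in',
                   "action=$action", 'protocol=TCP', "localport=$LocalPort",
                   "security=$Security")
    if ($OverrideBlockRules) {
        if (-not $AuthorizedComputerGroup) {
            throw 'Override block rules requires at least one authorized computer or group.'
        }
        # netsh wants the authorized computers as an SDDL DACL: one allow ACE granting the
        # CC right per group. This is what the Computers tab stores for the rule.
        $aces = foreach ($group in $AuthorizedComputerGroup) {
            $sid = (New-Object System.Security.Principal.NTAccount($group)).Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
            "(A;;CC;;;$sid)"
        }
        $netshArgs += 'rmtcomputergrp=D:' + ($aces -join '')
    }
    $out = & netsh.exe @netshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE): $out" }
}

# Ordinary "allow if secure" rule: authenticated and integrity-protected SMB.
New-SecureInboundRule -Name 'SMB (authenticated)' -LocalPort 445

# Encryption required as well; a connection security rule must offer an ESP cipher.
New-SecureInboundRule -Name 'SMB (encrypted)' -LocalPort 445 -Security authenc

# Authenticated bypass for a scanner group: overrides matching block rules, but not
# the profile's "Block all connections" state.
New-SecureInboundRule -Name 'Scanner bypass' -LocalPort 445 -OverrideBlockRules `
    -AuthorizedComputerGroup 'CONTOSO\Vulnerability Scanners'
```

None of these rules allow anything on their own: a packet only matches when a connection security rule has actually authenticated (and, for authenc, encrypted) it, exactly as the option descriptions above state. Without such a rule the packet fails to match and is blocked.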

Note: The null encapsulation setting is supported when applied to computers running Windows 7 or Windows Server 2008 R2. It does not apply to computers running earlier versions of Windows.

Note: If you configure the firewall operational state to Block all connections on the Windows Firewall with Advanced Security Properties dialog box, then all network traffic is blocked even if Override block rules is set.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Data Protection Settings

Use this dialog box to add, edit, change priority, or remove data integrity or data encryption algorithms. You can use more than one algorithm in each list and you can assign the order in which the algorithms are attempted. The first algorithm in the list that is compatible with both peers will be used.

You must specify algorithms that are also specified in the rules on the computers to which you want to communicate. For more information, see IPsec Algorithms and Protocols Supported by Windows (http://go.microsoft.com/fwlink/?linkid=129230).


How to get to this dialog box

1. On the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

4. Under Data protection (Quick Mode), select Advanced, and then click Customize.

Performance considerations for encryption

The encryption algorithms that provide the best security for your data are those that make it computationally infeasible for the data to be decrypted without the key. The mathematical algorithms that perform the encryption are themselves mathematically intense and can degrade performance. As you switch to higher security algorithms, the computing power required to perform the calculations increases.

Windows supports the use of network adapters that have cryptographic processors that can perform most of the IPsec encryption calculations. This frees up your main process
ors to do other things and reduces the performance overhead of IPsec. For more information, see Improving Network Performance by Using IPsec Task Offload (http://go.microsoft.com/fwlink/?linkid=129229).

Require encryption for all connection security rules that use these settings

Select this check box to require all connection security rules to require encryption. If you select this check box, the Data integrity section is disabled, and you can only specify algorithm combinations in the Data integrity and encryption section.

Data integrity

This list shows the currently configured data integrity algorithms. When negotiating the details of the quick mode SA with another computer, the algorithms are proposed in the order shown. Use the up and down arrows to arrange the algorithms into the preferred order. You should place the algorithms with stronger protection at the top of the list, and those with weaker protection at the bottom of the list. Include weaker algorithms only if required to support computers that cannot use the stronger algorithms.

If you select Require encryption for all connection security rules that use these settings, then this section is disabled.

Note: A best practice is to list the algorithms in order of greatest security at the top to least security at the bottom. This way, the most secure algorithm in common between the two negotiating computers is used. The less secure algorithms can be used for backward compatibility.


To add an algorithm to the list, click Add. To modify an algorithm that is already in the list, select the algorithm, and then click Edit. To remove an algorithm from the list, select the algorithm, and then click Remove.

Data integrity and encryption

This list shows the currently configured algorithm combinations that include both encryption and data integrity. When negotiating the details of the quick mode SA with another computer, the algorithm combinations are proposed in the order shown. Use the up and down arrows to arrange the algorithm combinations into the preferred order. You should place the algorithm combinations with stronger protection at the top of the list and those with weaker protection at the bottom of the list. Include weaker algorithm combinations only if required to support computers that cannot use the stronger algorithm combinations.

To add an algorithm combination to the list, click Add. To modify an algorithm combination that is already in the list, select the algorithm combination, and then click Edit. To remove an algorithm combination from the list, select the algorithm combination, and then click Remove. For more information, see Dialog Box: Add or Edit Integrity and Encryption Algorithms.

Additional references

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit Integrity Algorithms

Dialog Box: Customize ICMP Settings

Use this dialog box when creating or modifying a firewall rule to configure criteria based on Internet Control Message Protocol (ICMP).

How to get to this dialog box

When creating a new firewall rule using the wizard, follow these steps:

1. On the Rule Type page, select Custom.

2. On the Protocol and Ports page, in Protocol type, select either ICMPv4 or ICMPv6.

3. Click Customize.

When modifying an existing firewall rule using the Firewall Rule Properties dialog box, follow these steps:

1. Click the Protocols and Ports tab.

2. In Protocol type, select either ICMPv4 or ICMPv6.

3. Click Customize.

All ICMP types

Select this option to specify that any message using ICMP matches the rule.

Specific ICMP types

Select this option to select one or more ICMP message types. Select the message types to which you want to apply the rule.

This ICMP type

Use this option to specify an ICMP message type that is not provided in Specific ICMP types. This option is enabled only if you select Specific ICMP types. Click Add to add the type to the list.

Type

This is a number that correlates to an ICMP message type. For example, 3 is the number for the "Destination Unreachable" message. The message type is an integer from 0 to 255.

Code

This is a number that correlates to a code for an ICMP message type. These codes are details that are useful for troubleshooting and understanding the circumstances that prompted the sending of the message. The same code number can mean different things for different message types. For example, 3 is the code for "Port Unreachable" for the "Destination Unreachable" message, but it is also the code for "Redirect Datagram for the Type of Service and Host" for the "Redirect" message type.

The code can be an integer from 0 to 255, or the value Any.

By combining the message type and code, you can specify very detailed criteria for the exception. This can be useful when you need to make sure specified ICMP messages pass through Windows Firewall with Advanced Security for remote troubleshooting, while other ICMP messages are blocked.
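In netsh advfirewall the type and code criteria are written as protocol=icmpv4:<type>,<code> (or icmpv6:...), with any as the wildcard code. The following PowerShell is an added example and not part of the original topic: it wraps that syntax, validates the 0-255 ranges the dialog box enforces, and then creates the kind of narrow ICMP rules the paragraph above describes, including the type 3 / type 5 case where code 3 means two different things. The rule names, the 10.0.0.0/24 and fd00::/64 management prefixes and the function name are placeholders.

```powershell
# Added example: ICMP rules with explicit type/code criteria via netsh advfirewall.
# Placeholders: rule names and the management prefixes used at the bottom.

function New-IcmpRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('icmpv4', 'icmpv6')][string]$Version = 'icmpv4',
        # Message type 0-255 (ICMPv4: 3 = Destination Unreachable, 8 = Echo Request).
        [Parameter(Mandatory)][ValidateRange(0, 255)][int]$Type,
        # Code 0-255, or 'any' to match every code of that type.
        [string]$Code = 'any',
        [ValidateSet('in', 'out')][string]$Direction = 'in',
        [ValidateSet('allow', 'block')][string]$Action = 'allow',
        [string]$RemoteIp = 'any'
    )
    if ($Code -ne 'any') {
        $codeNumber = 0
        if (-not [int]::TryParse($Code, [ref]$codeNumber) -or
            $codeNumber -lt 0 -or $codeNumber -gt 255) {
            throw "Code must be 0-255 or 'any', got '$Code'."
        }
    }
    # netsh encodes the criteria as protocol=icmpv4:<type>,<code>
    $protocol = '{0}:{1},{2}' -f $Version, $Type, $Code
    $out = & netsh.exe advfirewall firewall add rule "name=$Name" "dir=$Direction" `
        "action=$Action" "protocol=$protocol" "remoteip=$RemoteIp" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE): $out" }
}

# Let the management networks ping this host (Echo Request, any code).
New-IcmpRule -Name 'ICMPv4 echo from mgmt' -Type 8 -RemoteIp 10.0.0.0/24
New-IcmpRule -Name 'ICMPv6 echo from mgmt' -Version icmpv6 -Type 128 -RemoteIp 'fd00::/64'

# Accept Destination Unreachable / Port Unreachable (type 3, code 3) so that UDP probes
# and traceroute fail fast instead of timing out.
New-IcmpRule -Name 'ICMPv4 port unreachable' -Type 3 -Code 3

# Code 3 means something else for type 5 (Redirect). Redirects can change this host's
# routing, so block the whole type rather than a single code.
New-IcmpRule -Name 'ICMPv4 redirect block' -Type 5 -Action block
```

Scope the echo rules with remoteip rather than leaving them open: the dialog box itself only constrains type and code, and the remote address criteria live on the rule's Scope tab.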

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Interface Types

Use this dialog box to specify to which interface types the rule is applied. You can specify the local area network (that is, wired network adapters), wireless network adapters, remote access connections, or all network connection types.

To get to this dialog box

1. In the Windows Firewall with Advanced Security MMC snap-in, double-click the firewall rule you want to modify, and then click the Advanced tab.

2. Under Interface types, click Customize.

All interface types

The rule applies to communications sent through any of the network connections that you have configured on the computer.

These interface types

The rule applies to communications sent through only the network connection types selected in the box. You can select one or a combination of the types.

Local area network

The rule applies only to communications sent through wired local area network (LAN) connections that you have configured on the computer.

Remote access

The rule applies only to communications sent through remote access, such as a virtual private network (VPN) connection or dial-up connection that you have configured on the computer.

Wireless

The rule applies only to communications sent through wireless network adapters that you have configured on the computer.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize IPsec Settings

Use this dialog box to configure the Internet Protocol security (IPsec) main mode key exchange and quick mode data protection settings used for all IPsec negotiations. You can also configure the default authentication settings used whenever a connection security rule uses the Default settings.

Important: If you are configuring Windows Firewall with Advanced Security on the local computer and you select Default for any of the settings, any Group Policy objects (GPOs) that apply to this computer can specify the settings. If you are configuring a GPO and you select Default for any of the settings, any GPOs of higher precedence that apply to this computer can specify the settings.

To get to this dialog box

1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec defaults, click Customize.

Key exchange (Main Mode)

Key exchange settings you select here apply to all connection security rules. To ensure successful and secure communication, IPsec performs a two-phase operation to establish a secured connection between the two computers. Confidentiality and authentication are ensured during each phase by the use of integrity, encryption, and authentication algorithms that are agreed upon by the two computers during security negotiations. With the duties split between two phases, key creation can be accomplished quickly.

During the first phase, the two computers establish a secure, authenticated channel, called the main mode security association (SA). The main mode SA is then used during the second phase to allow secure negotiation of the quick mode SA. The quick mode SA specifies the protection settings for matching TCP/IP data transferred between the two computers.

Default

Select this option to use the key exchange settings that are installed by default or configured as defaults through Group Policy. This setting is used for all key exchanges. For more information, see Default Settings for Windows Firewall with Advanced Security.

Advanced

Select this option to specify the key exchange settings that are applied to all key exchanges. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Advanced Key Exchange Settings dialog box to select the settings to use.

Data protection (Quick Mode)

Data protection settings you select here apply to all connection security rules created using the Windows Firewall with Advanced Security MMC snap-in. If you need to create a connection security rule with custom data protection settings, then you must create the rule by using the netsh advfirewall consec context. For more information, see Netsh Commands for Windows Firewall with Advanced Security (http://go.microsoft.com/fwlink/?linkid=111237).

Default

Select this option to use the data integrity and encryption settings that are installed by default or configured as defaults through Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.

Advanced

Use this option to specify data integrity and encryption settings that are available for negotiating the quick mode SA. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Data Protection Settings dialog box to select the data protection settings to use.

Authentication method

Authentication method settings you select here apply only to connection security rules that have Default selected as the authentication method.

Default

Select this option to use the authentication settings that are installed by default or configured as defaults by using Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.

Computer and User (Kerberos V5)

Select this option to use both computer and user authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing Computer (Kerberos V5) for first authentication and User (Kerberos V5) for second authentication, and then clearing both First authentication is optional and Second authentication is optional.

Computer (Kerberos V5)

Select this option to use computer authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing Computer (Kerberos V5) for first authentication, and then selecting Second authentication is optional.

User (Kerberos V5)

Select this option to use user authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing User (Kerberos V5) for second authentication, and then selecting First authentication is optional.

Advanced

You can use this option to create a method that is specific to your needs. If you select this option, you must click Customize to use the Customize Advanced Authentication Methods dialog box to specify the authentication methods to use.
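The Customize Data Protection Settings and Authentication method sections above describe defaults set in the MMC snap-in, and the Data protection (Quick Mode) section notes that per-rule data protection settings require the netsh advfirewall consec context. The PowerShell below is an added example, not code from the original topic: it creates one transport-mode connection security rule that pins both choices, computer Kerberos for first authentication plus user Kerberos for second authentication (the Computer and User (Kerberos V5) option) and an ordered list of quick mode ESP proposals, strongest first. The rule name, the 10.0.1.0/24 server subnet and the proposal list are placeholders, and the qmsecmethods syntax should be confirmed with netsh advfirewall consec add rule ? on the build you run it on.

```powershell
# Added example: a connection security rule with explicit authentication and quick mode
# proposals, created with netsh advfirewall consec. Placeholders: name, subnet, proposals.

function New-IsolationRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        # Endpoint 2 as an address or prefix; endpoint 1 is "any" (this computer's side).
        [Parameter(Mandatory)][string]$Endpoint2,
        # Quick mode proposals in preference order, esp:<integrity>-<encryption>.
        # Strongest first; keep weaker entries only for peers that cannot do better.
        [string[]]$QuickModeProposals = @('esp:sha256-aes256', 'esp:sha1-aes128'),
        # Skip user authentication for machines with no logged-on user (most servers).
        [switch]$ComputerOnly
    )
    $netshArgs = @('advfirewall', 'consec', 'add', 'rule', "name=$Name",
                   'endpoint1=any', "endpoint2=$Endpoint2",
                   # require authentication inbound, request it outbound
                   'action=requireinrequestout', 'mode=transport',
                   'auth1=computerkerb',
                   "qmsecmethods=$($QuickModeProposals -join ',')")
    if (-not $ComputerOnly) { $netshArgs += 'auth2=userkerb' }
    $out = & netsh.exe @netshArgs 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE): $out" }
}

function Get-IsolationRule {
    # Returns the rule as netsh prints it, so the stored proposals can be reviewed.
    param([Parameter(Mandatory)][string]$Name)
    & netsh.exe advfirewall consec show rule "name=$Name"
}

New-IsolationRule -Name 'Server isolation' -Endpoint2 10.0.1.0/24
Get-IsolationRule -Name 'Server isolation'
```

Because the proposals are attached to the rule rather than to the global Data protection (Quick Mode) defaults, the Default/Advanced choice in the Customize IPsec Settings dialog box does not affect this rule; netsh advfirewall consec show rule is the place to verify what will actually be offered.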

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize IPsec Tunnel Authorization

Use these settings to specify which users or computers are authorized to initiate a tunnel connection to the local computer. These settings only apply to inbound connections. Tunnel connections initiated by the local computer are not subject to these authorization settings.

Note: These settings only apply to tunnel mode rules that have the Apply authorization option enabled on the Customize IPsec Tunneling Settings dialog box.

To get to this dialog box

1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab.

3. Under IPsec tunnel authorization, select Advanced, and then click Customize.

Computers tab

Use this tab to identify computers or computer groups that are authorized to create tunnel mode connections to the local computer.

Authorized computers

Only allow connections from these computers

Select this option to specify which computers can create a tunnel mode connection to the local computer.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Active Directory Object Picker dialog box.

To remove a computer or group from the list, select the computer or group, and then click Remove.


Exceptions

Use this section to identify computer or group accounts that are denied permission to create tunnel mode connections to the local computer. If a computer attempting a connection is listed in both the Authorized computers and Exceptions boxes, either directly or as a member of a group, the exception takes priority and the connection is blocked.

Deny connections from these computers

Select this option to specify which computers are prohibited from creating a tunnel mode connection to this computer.

If you select the check box, then Add is enabled. Click Add, and then specify the computer or group accounts in the Active Directory Object Picker dialog box.

To remove a computer or group from the list, select the computer or group, and then click Remove.

Users tab

Use this tab to identify users or user groups that are authorized to create tunnel mode connections to the local computer.

Authorized users

Only allow connections from these users

Select this option to specify which users can create a tunnel mode connection to this computer.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Active Directory Object Picker dialog box.

To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions

Use this section to identify user or group accounts that are denied permission to create tunnel mode connections to the local computer. If a user attempting a connection is listed in both the Authorized users and Exceptions boxes, either directly or as a member of a group, the exception takes priority and the connection is blocked.

Deny connections from these users

Select this option to specify which users are prohibited from creating a tunnel mode connection to this computer.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Active Directory Object Picker dialog box.

To remove a user or group from the list, select the user or group, and then click Remove.


See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize IPsec Tunneling Settings

Use this dialog box to configure a connection security rule to use tunnel mode rather than transport mode.

To get to this dialog box

1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Connection Security Rules.

2. Double-click the tunnel rule that you want to modify.

3. Click the Advanced tab, and then under IPsec Tunneling, click Customize.

Use IPsec tunneling

Select this option to specify that the network traffic that matches this rule travels from Endpoint 1 to Endpoint 2 through an Internet Protocol security (IPsec) tunnel. Selecting this option enables the rest of the controls in this dialog box.

Apply authorization

Select this option to specify that the computer or user in Endpoint 1 must authenticate with the local tunnel endpoint before any packets can be sent through the tunnel. To specify the computers or users that are authorized to send traffic through the tunnel, follow these steps:

1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, select Windows Firewall with Advanced Security.

2. In Overview, click Windows Firewall Properties.

3. Select the IPsec Settings tab.

4. In IPsec tunnel authorization, click Advanced, and then click Customize.

5. Add users and computers to the lists according to your design. For more information, see Dialog Box: Customize IPsec Tunnel Authorization.

Exempt IPsec protected connections

Sometimes a network packet might match more than one connection security rule. If one of the rules establishes an IPsec tunnel, you can choose whether to use the tunnel or send the packet outside of the tunnel protected by the other rule. Select this option to specify that network traffic that matches another IPsec connection security rule does not go through the IPsec tunnel.

Local tunnel endpoint (closest to Endpoint 1)

Use this option to identify the computer that terminates the tunnel at the end closest to the computers in Endpoint 1. Click Edit to enter an Internet Protocol version 4 (IPv4) address, Internet Protocol version 6 (IPv6) address, or both.

Remote tunnel endpoint (closest to Endpoint 2)

Use this option to identify the computer that terminates the tunnel at the end closest to the computers in Endpoint 2. Click Edit to enter an IPv4 address, IPv6 address, or both.

For information about IPsec tunneling, see Connection Security Rule Wizard: Tunnel Type Page.
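The tunnel authorization lists from the Customize IPsec Tunnel Authorization dialog box and the tunnel settings described here map onto netsh advfirewall as set global ipsec authzcomputergrp / authzusergrp (SDDL strings) and consec add rule with mode=tunnel, applyauthz=yes and exemptipsecprotectedconnections. The PowerShell below is an added example, not code from the original topic. It encodes Authorized entries as allow ACEs and Exceptions as deny ACEs (deny wins on overlap, as the dialog box describes), rejects a mix of IPv4 and IPv6 addresses across the four address fields, and creates the tunnel rule. The group names, the 10.1.0.0/24 and 10.2.0.0/24 networks and the gateway addresses 192.0.2.1 and 198.51.100.1 (documentation ranges) are placeholders, as are the function names.

```powershell
# Added example: IPsec tunnel authorization and a tunnel mode rule via netsh advfirewall.
# Placeholders: group names, the two networks and the gateway addresses used at the bottom.

function Get-AccountSid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertTo-AuthorizationSddl {
    # Authorized entries become allow ACEs, Exceptions become deny ACEs. A deny ACE
    # takes precedence, which is the behaviour the Exceptions boxes describe.
    param([string[]]$Allow = @(), [string[]]$Deny = @())
    $aces = @()
    foreach ($a in $Deny)  { $aces += "(D;;CC;;;$(Get-AccountSid $a))" }
    foreach ($a in $Allow) { $aces += "(A;;CC;;;$(Get-AccountSid $a))" }
    if ($aces.Count -eq 0) { return $null }
    'D:' + ($aces -join '')
}

function Set-TunnelAuthorization {
    param([string[]]$AuthorizedComputers, [string[]]$DeniedComputers,
          [string[]]$AuthorizedUsers,     [string[]]$DeniedUsers)
    $lists = @{
        authzcomputergrp = ConvertTo-AuthorizationSddl -Allow $AuthorizedComputers -Deny $DeniedComputers
        authzusergrp     = ConvertTo-AuthorizationSddl -Allow $AuthorizedUsers     -Deny $DeniedUsers
    }
    foreach ($setting in $lists.Keys) {
        if (-not $lists[$setting]) { continue }   # leave an unused list untouched
        $out = & netsh.exe advfirewall set global ipsec $setting $lists[$setting] 2>&1
        if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE): $out" }
    }
}

function New-TunnelRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Endpoint1,
        [Parameter(Mandatory)][string]$Endpoint2,
        [Parameter(Mandatory)][string]$LocalTunnelEndpoint,
        [Parameter(Mandatory)][string]$RemoteTunnelEndpoint,
        # Send traffic already protected by another connection security rule outside the tunnel.
        [switch]$ExemptIPsecProtectedConnections
    )
    # All four address fields must use the same IP version (the Important note on this page).
    # A field containing ':' is treated as IPv6; a field that lists both versions must then
    # be matched by both versions in every other field.
    $addresses = @($Endpoint1, $Endpoint2, $LocalTunnelEndpoint, $RemoteTunnelEndpoint)
    $v6Count = @($addresses | Where-Object { $_ -like '*:*' }).Count
    if ($v6Count -ne 0 -and $v6Count -ne $addresses.Count) {
        throw 'Tunnel endpoints and Endpoint 1/2 must all be IPv4 or all be IPv6.'
    }
    $exempt = if ($ExemptIPsecProtectedConnections) { 'yes' } else { 'no' }
    $out = & netsh.exe advfirewall consec add rule "name=$Name" `
        "endpoint1=$Endpoint1" "endpoint2=$Endpoint2" 'mode=tunnel' `
        "localtunnelendpoint=$LocalTunnelEndpoint" "remotetunnelendpoint=$RemoteTunnelEndpoint" `
        'action=requireinrequireout' 'auth1=computerkerb' `
        'applyauthz=yes' "exemptipsecprotectedconnections=$exempt" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE): $out" }
}

Set-TunnelAuthorization -AuthorizedComputers 'CONTOSO\Branch Gateways' `
                        -DeniedComputers 'CONTOSO\Decommissioned Gateways'

New-TunnelRule -Name 'Branch tunnel' -Endpoint1 10.1.0.0/24 -Endpoint2 10.2.0.0/24 `
    -LocalTunnelEndpoint 192.0.2.1 -RemoteTunnelEndpoint 198.51.100.1 `
    -ExemptIPsecProtectedConnections
```

Note that the authorization lists are global: every tunnel rule with applyauthz=yes (Apply authorization) consults the same authzcomputergrp and authzusergrp values, so changing them for one tunnel changes them for all.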

Important: You must be consistent in the version of IP you specify for the addresses in a tunnel. If you specify IPv4 addresses, then do so for both tunnel endpoints and Endpoint 1 and Endpoint 2. You can specify both IPv4 and IPv6, but you must then specify both for both tunnel endpoints and Endpoint 1 and Endpoint 2.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Logging Settings for a Firewall Profile

Windows Firewall with Advanced Security can be configured to log events that indicate the successes and failures of its processes. The logging settings involve two groups of settings: settings for the log file itself and settings that determine which events the file will record. The settings can be configured separately for each of the firewall profiles.

You can specify where the log file will be created, how big the file can grow, and whether you want the log file to record information about dropped packets, successful connections, or both.


To get to this dialog box

1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.

2. Select the tab that corresponds to the firewall profile for which you want to configure logging.

3. In Logging, click Customize.

Name

Enter the path and name of the file in which you want Windows Firewall to write its log information. If you are configuring a Group Policy object (GPO) for deployment to multiple computers, use the available environment variables, such as %windir%, to ensure that the location is correct for each computer on your network.

Just specifying a file location does not start logging. You must also select one of the two check boxes to log dropped packets or successful connections.

Important: If you are configuring the setting for a computer that is running Windows Vista or a later version of Windows, and you specify a location other than the default, you must ensure that the Windows Firewall service has permissions to write to that location.

To grant write permissions for the log folder to the Windows Firewall service

1. Locate the folder that you specified for the logging file, right-click it, and then click Properties.

2. Click the Security tab, and then click Edit.

3. Click Add, in Enter object names to select, type NT SERVICE\mpssvc, and then click OK.

4. In the Permissions dialog box, verify that MpsSvc has Write access, and then click OK.

Size limit

Specify the maximum size to which the file is permitted to grow. The value must be between 1 and 32,767 kilobytes (KB).

When the specified size limit is reached, Windows Firewall with Advanced Security closes the log file and renames it by adding ".old" to the end of the file name. It then creates and uses a new log file that has the original log file name. Only two files are kept at a time. If the second file reaches the maximum size, then it is renamed by adding ".old", and the original ".old" file is discarded.

Log dropped packets

Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

Log successful connections

Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.
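The logging procedure above (location, size limit, service permissions, which events to record) can be scripted for all profiles, and the resulting log is plain text in W3C extended format whose #Fields: header names the columns, including the action and path columns referred to above. The PowerShell below is an added example and not part of the original topic: it applies the settings with netsh advfirewall and icacls, then parses log lines and summarises dropped inbound packets by protocol and destination port. The folder C:\FWLogs is a placeholder and the sample log lines are constructed for the example, not taken from a real capture; the function names are this example's own.

```powershell
# Added example: configure file logging for all profiles and summarise dropped inbound
# packets from the log. Placeholder folder C:\FWLogs; the sample lines are constructed.

function Enable-FirewallFileLogging {
    param(
        [string]$Folder = 'C:\FWLogs',
        # The dialog box accepts 1-32,767 KB.
        [ValidateRange(1, 32767)][int]$MaxSizeKB = 16384,
        [switch]$LogAllowed
    )
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    # Same effect as the "grant write permissions" procedure: Modify for the firewall
    # service, inherited by the log file and its ".old" rotation copy.
    & icacls.exe $Folder /grant 'NT SERVICE\mpssvc:(OI)(CI)M' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'icacls failed (run from an elevated prompt).' }
    $settings = @(
        @('filename', (Join-Path $Folder 'pfirewall.log')),
        @('maxfilesize', $MaxSizeKB),
        @('droppedconnections', 'enable'),
        @('allowedconnections', $(if ($LogAllowed) { 'enable' } else { 'disable' }))
    )
    foreach ($s in $settings) {
        $out = & netsh.exe advfirewall set allprofiles logging $s[0] $s[1] 2>&1
        if ($LASTEXITCODE -ne 0) { throw "netsh failed ($LASTEXITCODE): $out" }
    }
}

function ConvertFrom-FirewallLog {
    # Parses pfirewall.log text into objects, using the '#Fields:' header for column names.
    param([Parameter(Mandatory)][string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        if ($l -like '#Fields:*') { $fields = ($l -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($l -like '#*' -or -not $fields -or [string]::IsNullOrEmpty($l.Trim())) { continue }
        $values = $l -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

function Get-DroppedInboundSummary {
    # Top destination ports by dropped inbound packets: what is knocking on this host.
    param([Parameter(Mandatory)][string[]]$Line, [int]$Top = 5)
    ConvertFrom-FirewallLog -Line $Line |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, @{ n = 'Protocol/Port'; e = { $_.Name } }
}

# Constructed sample (not a real capture) in the firewall's log format.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-09-29 10:15:01 DROP TCP 192.0.2.10 10.0.0.5 51512 445 52 S 3241156 0 8192 - - - RECEIVE
2011-09-29 10:15:02 DROP TCP 192.0.2.10 10.0.0.5 51513 3389 52 S 3241157 0 8192 - - - RECEIVE
2011-09-29 10:15:02 DROP TCP 192.0.2.10 10.0.0.5 51514 445 52 S 3241158 0 8192 - - - RECEIVE
2011-09-29 10:15:03 ALLOW TCP 10.0.0.5 10.0.0.1 49152 80 0 - 0 0 0 - - - SEND
2011-09-29 10:15:04 DROP UDP 192.0.2.11 10.0.0.5 40000 161 78 - - - - - - - RECEIVE
'@ -split "`r?`n"

Get-DroppedInboundSummary -Line $sample
# Against the live log: Get-DroppedInboundSummary -Line (Get-Content C:\FWLogs\pfirewall.log)
```

Parsing from the #Fields: header rather than hard-coded column positions keeps the summary working if a later Windows version adds a column, and filtering on path = RECEIVE separates inbound drops from the outbound drops that an outbound block rule produces.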

Event log

The Windows Firewall with Advanced Security operational event log is another resource you can use to view Windows Firewall policy changes. The operational log is always on and contains events for both firewall rules and connection security rules.

To view the Windows Firewall with Advanced Security event log

1. Open Event Viewer. Click Start, click Administrative Tools, and then click Event Viewer.

2. In the navigation pane, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand Windows Firewall with Advanced Security.

3. Click either ConnectionSecurity, ConnectionSecurityVerbose, Firewall, or FirewallVerbose. The logs marked "verbose" are not enabled by default. To enable them, in Actions, click Enable Log.
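Because the operational log is always on, it is the record of who changed the firewall policy, which the file log cannot tell you. The PowerShell below is an added example, not part of the original topic: it enables the FirewallVerbose channel from the command line and lists rule additions, modifications and deletions from the Firewall channel with the user and program that made each change. The channel names are the ones Event Viewer shows; event IDs 2004, 2005 and 2006 are the rule added, modified and deleted events in that channel. The event data item names used (RuleName, Direction, Action, ModifyingUser, ModifyingApplication) are read from the event XML and should be confirmed against one event on your own system; the function names are this example's own.

```powershell
# Added example: firewall rule changes from the operational event log.
# Event IDs 2004/2005/2006 = rule added/modified/deleted; data item names are from the
# event XML (confirm with (Get-WinEvent ...)[0].ToXml() on your system).

$FirewallChannel = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'

function Enable-FirewallVerboseLog {
    # The verbose channels are off by default; this is the command-line form of "Enable Log".
    & wevtutil.exe sl "${FirewallChannel}Verbose" /e:true
    if ($LASTEXITCODE -ne 0) { throw 'wevtutil failed (run from an elevated prompt).' }
}

function Get-FirewallRuleChanges {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $FirewallChannel
        Id        = 2004, 2005, 2006
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $change = switch ($e.Id) { 2004 { 'Added' } 2005 { 'Modified' } 2006 { 'Deleted' } }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Change      = $change
            Rule        = $data['RuleName']
            Direction   = $data['Direction']
            Action      = $data['Action']
            User        = $data['ModifyingUser']
            Application = $data['ModifyingApplication']
        }
    }
}

# Rules added, changed or removed in the last day, newest first. A rule created by a
# program you do not recognise, rather than mmc.exe or netsh.exe, deserves a closer look.
Get-FirewallRuleChanges -Hours 24 | Sort-Object Time -Descending |
    Format-Table Time, Change, Rule, Direction, Action, User, Application -AutoSize
```

Direction and Action arrive as the numeric codes stored in the event rather than the words shown in the snap-in; the raw values are kept here so that nothing is mistranslated, and the event's Message property gives the rendered text when you need it.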

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Protected Network Connections for a Firewall Profile

Use this dialog box to configure the network connections that are protected by the rules associated with a specified network profile.

To get to this dialog box

1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.

2. Select the tab that corresponds to the firewall profile you want to configure.

3. In State, next to Protected network connections, click Customize.


The list contains the network connections that are currently configured on the computer. By default, all network connections are selected and therefore protected.

You typically see one connection for each wired network adapter, each wireless network adapter, and each configured remote network connection (such as a VPN). Select the box next to the entry for each connection that you want protected by the rules that are assigned to the currently selected profile (the currently selected tab). Each entry is shown by its descriptive name.

If you clear the check box, then that network connection is not subject to the rules in the current profile when that network connection is connected to a network that matches the profile.

For more information about a particular network connection, use the Network and Sharing Center. To open the Network and Sharing Center, click Start, click Control Panel, click Network and Internet, and then click Network and Sharing Center. To rename a network connection, click Change adapter settings, right-click the adapter, click Rename, and then type a descriptive name for the network connection. The Network and Sharing Center also allows you to reclassify a public network to private, and vice versa. You cannot reclassify a network to or from the domain type.

See Also User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Service Settings

Use these options to configure the way in which Windows Firewall with Advanced Security responds to connection requests from or to services.

To get to this dialog box

When creating a firewall rule by using the New Firewall Rule wizard, follow these steps.

1. On the Rule Type page, click Custom.

2. On the Program page, next to Services, click Customize.

When modifying an existing firewall rule, on the Programs and Services tab, click Customize.

Notes

You can specify both a program and a service in the same firewall rule. Both conditions must be met for the rule to apply to the requested connection.

When you select the Apply to services only option, any service running as the LocalSystem or NetworkService accounts has appropriate access. When you select an option where you specify one or more services, the security identifier (SID) for the specified service is given access.


Apply to all programs and services

Use this option to apply the rule to all processes within the program specified in the Programs entry.

Apply to services only

Use this option to apply the rule only to services, not to other processes.

Apply to this service

From the list, select the service to which you want the rule to be applied.

Apply to service with this service short name

Specify the short name of the service to which you want the rule to be applied. You can specify any short name even if it is not in the list. Misspelled short names and short names that do not specify a service will be ignored. This option is useful when defining a rule for a Group Policy object (GPO) and the service referenced in the rule is not installed or running on the computer on which you are modifying the rule.
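The following is an added example, not part of the Windows help text, showing the same service-scoped rule built from the command line with the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later; it is an assumption that this module is available, and the script must run elevated). The Windows Time service short name w32time, UDP port 123, and the rule display name are sample values chosen for illustration. The script first resolves the service short name and its per-service SID, because the firewall binds the rule to that SID rather than to the display name shown in the services list, then creates a rule in which both the program and the service must match, and finally reads the service filter back for verification.

```powershell
# Added example (not from the Windows help text): create an inbound rule that
# applies only to one service, then verify which service the rule is bound to.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an
# elevated prompt. 'w32time' (Windows Time) is a sample service; substitute the
# short name of the service you actually want to scope.

# 1. Resolve what the dialog box calls the "service short name". A misspelled
#    short name is silently ignored by the firewall, so check it first.
$svc = Get-Service -Name 'w32time'
"Short name: $($svc.Name)   Display name: $($svc.DisplayName)"

# 2. Show the per-service SID the rule will be bound to. This is the same value
#    that 'sc.exe showsid w32time' prints (an S-1-5-80-... SID).
$sid = (New-Object System.Security.Principal.NTAccount("NT SERVICE\$($svc.Name)")).Translate(
           [System.Security.Principal.SecurityIdentifier])
"Service SID: $($sid.Value)"

# 3. Create the rule. Program and service are both conditions: traffic must
#    come from svchost.exe AND be attributable to the w32time service SID.
New-NetFirewallRule -DisplayName 'Allow Windows Time (service-scoped)' `
    -Direction Inbound -Action Allow `
    -Program '%SystemRoot%\System32\svchost.exe' `
    -Service $svc.Name `
    -Protocol UDP -LocalPort 123 `
    -Profile Domain

# 4. Verify the service filter attached to the rule.
Get-NetFirewallRule -DisplayName 'Allow Windows Time (service-scoped)' |
    Get-NetFirewallServiceFilter
```

The SID lookup in step 2 is the practical check for the "Apply to service with this service short name" option: if the NT SERVICE account cannot be translated on a computer where the service is installed, the short name is wrong and the rule will never match.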

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Customize Settings for a Firewall Profile

Use these options to define who can make changes to Windows Firewall properties and profiles.

To get to this dialog box

1. From the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall properties.

2. Select the tab that corresponds to the firewall profile you want to configure.

3. In Settings, click Customize.

Display a notification when a program is blocked

Select this option to have Windows Firewall with Advanced Security display a notification to the user when a program is blocked from receiving inbound connections. The notification appears when all of the following conditions are true:

This option is selected.

There is no existing block or allow rule for this program. If a block rule exists, then the program is blocked without displaying the notification to the user.

The program is blocked by the default behavior of Windows Firewall.

The user is given the option to unblock the program, as long as the user has network operator or administrator permissions. Selecting the option to unblock the program automatically creates an inbound program rule for the program that was blocked.

Allow unicast response to multicast or broadcast requests

This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages. If you enable this setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall with Advanced Security waits as long as 4 seconds for unicast responses from the other computers and then blocks all later responses. If you disable this setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall with Advanced Security blocks the unicast responses sent by those other computers.

Rule merging

Use these options when using Group Policy to configure firewall and connection security rules on the local computer. Disabling the options prevents a local user with network operator or administrator permissions from creating firewall or connection security rules that might conflict with the rules deployed by Group Policy.

Allow local firewall rules

Select this option when, in addition to firewall rules applied by Group Policy that are specific to this computer, you want to allow administrators to be able to create and apply local firewall rules on this computer. When you clear this option, administrators can still create rules, but locally defined rules are not applied. This setting is available only when you are configuring the policy through Group Policy.

Allow local connection security rules

Select this option when, in addition to connection security rules applied by Group Policy that are specific to this computer, you want to allow administrators to create and apply local connection security rules on this computer. When you clear this option, administrators can still create rules, but locally defined rules are not applied. This setting is available only when configuring the policy through Group Policy.
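As an added example that is not part of the Windows help text, the script below sets the four options of this dialog box for the Domain profile of a Group Policy object using the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later, with the Group Policy management tools installed; both are assumptions), and then reads the resulting values back from the local computer so an administrator can confirm that rule merging is switched off where the policy requires it. The GPO name contoso.com\Firewall Baseline is a placeholder. The two netsh lines at the end show the notification and unicast-response settings on a stand-alone computer, where, as the text above notes, the rule-merging options do not apply.

```powershell
# Added example (not from the Windows help text): configure the "Customize
# Settings" options for the Domain profile in a GPO, then audit the effective
# values. Assumes the NetSecurity module (Windows 8 / Server 2012 or later),
# the Group Policy management tools, and an elevated prompt.
$store = 'contoso.com\Firewall Baseline'   # placeholder: domain\GPO display name

# Rule merging OFF: locally created firewall and connection security rules are
# kept but not applied, so only the GPO-deployed rule set is enforced.
# Notify-on-block stays ON; unicast replies to this host's own multicast or
# broadcast queries stay allowed (the firewall accepts them for up to 4 s).
Set-NetFirewallProfile -PolicyStore $store -Profile Domain `
    -NotifyOnListen True `
    -AllowUnicastResponseToMulticast True `
    -AllowLocalFirewallRules False `
    -AllowLocalIPsecRules False

# Audit the effective values on this computer for every profile. A profile
# that still shows AllowLocalFirewallRules = True (or NotConfigured) is one
# where a local administrator can add rules that override the deployed policy.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, NotifyOnListen, AllowUnicastResponseToMulticast,
                  AllowLocalFirewallRules, AllowLocalIPsecRules |
    Format-Table -AutoSize

# Equivalent notification / unicast-response settings on a stand-alone
# Windows 7 or Server 2008 R2 computer, using the netsh tool of that era.
netsh advfirewall set domainprofile settings inboundusernotification enable
netsh advfirewall set domainprofile settings unicastresponsetomulticast enable
```

Leaving AllowLocalFirewallRules and AllowLocalIPsecRules at NotConfigured in the GPO means the computer's own (default: allow) setting wins, so an explicit False is what actually blocks conflicting local rules.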


See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit First Authentication Method

Use these settings to specify the way in which the peer computer is authenticated. The first authentication method is performed during the main mode phase of Internet Protocol security (IPsec) negotiations.

You can specify multiple methods to use for first authentication. The methods are attempted in the order you specify. The first successful method is used.

For more information about the authentication methods available in this dialog box, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

To get to this dialog box

When modifying the system-wide default settings:

1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab, and then under IPsec defaults, click Customize.

3. Under Authentication Method, select Advanced, and then click Customize.

4. Under First authentication, select a method, and then click Edit or Add.

When creating a new connection security rule:

1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select any type except Authentication exemption.

3. On the Authentication Method page, select Advanced, and then click Customize.

4. Under First authentication, select a method, and then click Edit or Add.

When modifying an existing connection security rule:

1. In the Windows Firewall with Advanced Security MMC snap-in, click Connection Security Rules.


2. Double-click the connection security rule that you want to modify.

3. Click the Authentication tab.

4. Under Method, click Advanced, and then click Customize.

5. Under First authentication, select a method, and then click Edit or Add.

Computer (Kerberos V5)

You can use this method to authenticate peer computers that have computer accounts in the same domain or in separate domains that have a trust relationship.

Computer (NTLMv2)

NTLMv2 is an alternative way to authenticate peer computers that have computer accounts in the same domain or in separate domains that have a trust relationship.

Computer certificate from this certification authority (CA)

Use a public key certificate in situations that include external business partner communications or computers that do not run the Kerberos version 5 authentication protocol. This requires that at least one trusted root CA is configured on or accessible through your network and that client computers have an associated computer certificate.

Signing algorithm

Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)

Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256

Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.

ECDSA-P384

Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type


Specify the type of certificate by identifying the store in which the certificate is located.

Root CA (default)

Select this option if the certificate was issued by a root CA and is stored in the local computer’s Trusted Root Certification Authorities certificate store.

Intermediate CA

Select this option if the certificate was issued by an intermediate CA and is stored in the local computer’s Intermediate Certification Authorities certificate store.

Accept only health certificates

This option restricts the use of computer certificates to those that are marked as health certificates. Health certificates are published by a CA in support of a Network Access Protection (NAP) deployment. NAP lets you define and enforce health policies so that computers that do not comply with network policies, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. NAP Client Management, a Microsoft Management Console (MMC) snap-in, helps you configure NAP settings on your client computers. For more information, see the NAP MMC snap-in Help. To use this method, you must have a NAP server set up in the domain.

Enable certificate to account mapping

When you enable IPsec certificate-to-account mapping, the Internet Key Exchange (IKE) and Authenticated IP (AuthIP) protocols associate (map) a computer certificate to a computer account in an Active Directory domain or forest, and then retrieve an access token, which includes the list of computer security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active computer account in the domain, and that the certificate is one that should be used by that computer.

Certificate-to-account mapping can only be used for computer accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to computers that are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted computer is being allowed IPsec access.

Certificate-to-account mapping is especially useful if the certificates come from a public key infrastructure (PKI) that is not integrated with your Active Directory Domain Services (AD DS) deployment, such as if business partners obtain their certificates from non-Microsoft providers. You can configure the IPsec policy authentication method to map certificates to a domain computer account for a specific root CA. You can also map all certificates from an issuing CA to one computer account. This allows IKE certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA. If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.

Preshared key (not recommended)


You can use preshared keys for authentication. This is a shared, secret key that is previously agreed on by two users. Both parties must manually configure IPsec to use this preshared key. During security negotiation, information is encrypted by using the shared key before transmission and decrypted by using the same key on the receiving end. If the receiver can decrypt the information, identities are considered to be authenticated.
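The following is an added example, not part of the Windows help text, that builds the same first-authentication list from the command line with the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later; an assumption, as is the elevated prompt). It shows the ordering rule stated above (Kerberos is tried first, and a certificate method is the fallback), the three per-certificate options of this dialog box (signing algorithm, certificate store type, and certificate-to-account mapping), and how the preshared-key method is expressed so that an administrator can recognise it when reviewing policy. The CA name CN=Contoso Root CA, O=Contoso and the set display name are placeholders.

```powershell
# Added example (not from the Windows help text): a first-authentication
# (main mode) set equivalent to the dialog box above. Assumes the NetSecurity
# module (Windows 8 / Server 2012 or later) and an elevated prompt.
# 'CN=Contoso Root CA, O=Contoso' is a placeholder for your own root CA.

# Methods are offered in list order; the first one that succeeds is used.
# Computer (Kerberos V5): domain-joined peers in the same or a trusted domain.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos

# Computer certificate fallback for peers that cannot use Kerberos.
#   -AuthorityType Root        : "Certificate store type: Root CA (default)"
#   -SigningAlgorithm ECDSA256 : "Signing algorithm: ECDSA-P256"
#   -AccountMappingEnabled     : "Enable certificate to account mapping":
#     a valid chain alone is not enough; the certificate must map to an active
#     computer account in this forest or authentication fails.
$cert = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=Contoso Root CA, O=Contoso' -AuthorityType Root `
    -SigningAlgorithm ECDSA256 -AccountMappingEnabled

# Add -Default to make this the system-wide default set (the "modifying the
# system-wide default settings" path in the dialog box).
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Phase1: Kerberos, then mapped cert' `
    -Proposal $kerb, $cert

# Review the proposals and their order as stored in policy.
$p1.Proposal | Format-List

# Preshared key (not recommended): shown only so it can be recognised during a
# policy review. The key is stored unprotected in the IPsec policy, so this
# belongs in test environments only, as the Caution in the next section states.
# New-NetIPsecAuthProposal -Machine -PreSharedKey 'placeholder-test-key'
```

Reviewing (Get-NetIPsecPhase1AuthSet).Proposal on each computer is the quickest way to confirm that no production set still carries a preshared-key proposal and that certificate proposals have account mapping enabled.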

See Also

User Interface: Windows Firewall with Advanced Security

Dialog Box: Add or Edit Second Authentication Method

Use these settings to specify the way in which the user account on the peer computer is authenticated. You can also specify that the computer must have a computer health certificate. The second authentication method is performed by Authenticated IP (AuthIP) in an extended mode of the main mode phase of Internet Protocol security (IPsec) negotiations.

You can specify multiple methods to use for this authentication. The methods are attempted in the order you specify. The first successful method is used.

For more information about the authentication methods available in this dialog box, see IPsec Algorithms and Methods Supported in Windows (http://go.microsoft.com/fwlink/?linkid=129230).

Caution

Preshared key methodology is provided for interoperability purposes and to adhere to IPsec standards. You should use the preshared key for testing purposes only. Regular use of preshared key authentication is not recommended because the authentication key is stored in an unprotected state in the IPsec policy.

If a preshared key is used for the main mode authentication, second authentication cannot be used.

To get to this dialog box

When modifying the system-wide default settings:

1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Windows Firewall with Advanced Security, and then in Overview, click Windows Firewall Properties.

2. Click the IPsec Settings tab, and then under IPsec defaults, click Customize.

3. Under Authentication Method, select Advanced, and then click Customize.

4. Under Second authentication, select a method, and then click Edit or Add.


When creating a new connection security rule:

1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, right-click Connection Security Rules, and then click New Rule.

2. On the Rule Type page, select any type except Authentication exemption.

3. On the Authentication Method page, select Advanced, and then click Customize.

4. Under Second authentication, select a method, and then click Edit or Add.

When modifying an existing security rule:

1. In the Windows Firewall with Advanced Security MMC snap-in, in the navigation pane, click Connection Security Rules.

2. Double-click the connection security rule that you want to modify.

3. Click the Authentication tab.

4. Under Method, click Advanced, and then click Customize.

5. Under Second authentication, select a method, and then click Edit or Add.

User (Kerberos V5)

You can use this method to authenticate a user logged on to a remote computer that is part of the same domain or in separate domains that have a trust relationship. The logged-on user must have a domain account and the computer must be joined to a domain in the same forest.

User (NTLMv2)

NTLMv2 is an alternative way to authenticate a user logged on to a remote computer that is part of the same domain or in a domain that has a trust relationship to the domain of the local computer. The user account and the computer must be joined to domains that are part of the same forest.

User certificate

Use a public key certificate in situations that include external business partner communications or computers that do not run the Kerberos version 5 authentication protocol. This requires that at least one trusted root certification authority (CA) is configured on or accessible through your network and that client computers have an associated computer certificate. This method is useful when the users are not in the same domain or are in separate domains without a two-way trust relationship, and Kerberos version 5 cannot be used.

Signing algorithm


Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)

Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256

Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.

ECDSA-P384

Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type

Specify the type of certificate by identifying the store in which the certificate is located.

Root CA (default)

Select this option if the certificate was issued by a root CA and is stored in the local computer’s Trusted Root Certification Authorities certificate store.

Intermediate CA

Select this option if the certificate was issued by an intermediate CA and is stored in the local computer’s Intermediate Certification Authorities certificate store.

Enable certificate to account mapping

When you enable IPsec certificate-to-account mapping, the Internet Key Exchange (IKE) and AuthIP protocols associate (map) a user certificate to a user account in an Active Directory domain or forest, and then retrieve an access token, which includes the list of user security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active user account in the domain, and that the certificate is one that should be used by that user.

Certificate-to-account mapping can only be used for user accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to users who are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted user is being allowed IPsec access.

Certificate-to-account mapping is especially useful if the certificates come from a public key infrastructure (PKI) that is not integrated with your Active Directory Domain Services (AD DS) deployment, such as if business partners obtain their certificates from non-Microsoft providers. You can configure the IPsec policy authentication method to map certificates to a domain user account for a specific root CA. You can also map all certificates from an issuing CA to one user account. This allows certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA. If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.

Computer health certificate

Use this option to specify that only a computer that presents a certificate from the specified CA and that is marked as a Network Access Protection (NAP) health certificate can authenticate by using this connection security rule. NAP lets you define and enforce health policies so that computers that do not comply with network policies, such as computers without antivirus software or those that do not have the latest software updates, are less likely to access your network. To implement NAP, you need to configure NAP settings on both server and client computers. For more information, see the NAP MMC snap-in Help. To use this method, you must have a NAP server set up in the domain.

Signing algorithm

Specify the signing algorithm used to cryptographically secure the certificate.

RSA (default)

Select this option if the certificate is signed by using the RSA public-key cryptography algorithm.

ECDSA-P256

Select this option if the certificate is signed by using the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit key strength.

ECDSA-P384

Select this option if the certificate is signed by using ECDSA with 384-bit key strength.

Certificate store type

Specify the type of certificate by identifying the store in which the certificate is located.

Root CA (default)

Select this option if the certificate was issued by a root CA and is stored in the local computer’s Trusted Root Certification Authorities certificate store.

Intermediate CA

Select this option if the certificate was issued by an intermediate CA and is stored in the local computer’s Intermediate Certification Authorities certificate store.

Enable certificate to account mapping

When you enable IPsec certificate-to-account mapping, the IKE and AuthIP protocols associate (map) a certificate to a user or computer account in an Active Directory domain or forest, and then retrieve an access token, which includes the list of security groups. This process ensures that the certificate offered by the IPsec peer corresponds to an active computer or user account in the domain, and that the certificate is one that should be used by that account.

Certificate-to-account mapping can only be used for accounts that are in the same forest as the computer performing the mapping. This provides much stronger authentication than simply accepting any valid certificate chain. For example, you can use this capability to restrict access to accounts that are within the same forest. Certificate-to-account mapping, however, does not ensure that a specific trusted account is being allowed IPsec access.

Certificate-to-account mapping is especially useful if the certificates come from a PKI that is not integrated with your AD DS deployment, such as if business partners obtain their certificates from non-Microsoft certificate providers. You can configure the IPsec policy authentication method to map certificates to a domain account for a specific root CA. You can also map all certificates from an issuing CA to one computer or user account. This allows IKE certificate authentication to be used to limit which forests are allowed IPsec access in an environment where many forests exist and each performs autoenrollment under a single internal root CA. If the certificate-to-account mapping process is not completed properly, authentication will fail and IPsec-protected connections will be blocked.
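As an added example that is not part of the Windows help text, the script below assembles the second-authentication list described in this section (user Kerberos first, a mapped user certificate as fallback, and a computer health certificate requirement) and attaches it, together with a first-authentication set, to a connection security rule, using the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later; an assumption, as is the elevated prompt). The first-authentication set deliberately uses Kerberos only, because, as the Caution above states, a preshared key in main mode would make second authentication unavailable. The CA name CN=Contoso Root CA, O=Contoso, the address range 10.0.0.0/8, and the display names are placeholders.

```powershell
# Added example (not from the Windows help text): second-authentication
# (extended mode) set plus a connection security rule that uses it.
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an
# elevated prompt. CA name, address range and display names are placeholders.

# First authentication (main mode): computer identity via Kerberos. A
# preshared-key proposal here would disable second authentication entirely.
$p1 = New-NetIPsecPhase1AuthSet -DisplayName 'Phase1: computer Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

# Second authentication (extended mode), tried in this order:
# User (Kerberos V5): logged-on domain user, same forest.
$userKerb = New-NetIPsecAuthProposal -User -Kerberos

# User certificate: RSA-signed, issued under a root-store CA, with
# certificate-to-account mapping so the certificate must map to an active
# user account in this forest rather than merely chain to a trusted root.
$userCert = New-NetIPsecAuthProposal -User -Cert `
    -Authority 'CN=Contoso Root CA, O=Contoso' -AuthorityType Root `
    -SigningAlgorithm RSA -AccountMappingEnabled

# Computer health certificate: the peer must present a NAP health certificate
# from this CA (requires a NAP server in the domain, as the text notes).
$health = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=Contoso Root CA, O=Contoso' -AuthorityType Root -Health

$p2 = New-NetIPsecPhase2AuthSet -DisplayName 'Phase2: user Kerberos, user cert, health cert' `
    -Proposal $userKerb, $userCert, $health

# Connection security rule: require authentication for inbound traffic from
# the internal range, request it for outbound traffic, and bind both sets.
New-NetIPsecRule -DisplayName 'Require auth from internal hosts' `
    -InboundSecurity Require -OutboundSecurity Request `
    -RemoteAddress 10.0.0.0/8 `
    -Phase1AuthSet $p1.Name -Phase2AuthSet $p2.Name `
    -Profile Domain

# Verify which authentication sets the rule references.
Get-NetIPsecRule -DisplayName 'Require auth from internal hosts' |
    Select-Object DisplayName, Phase1AuthSet, Phase2AuthSet, InboundSecurity, OutboundSecurity
```

If a peer fails the mapped certificate method because the mapping cannot be completed, the connection is blocked rather than falling through to an unauthenticated state, which is the behaviour the last paragraph above describes; when troubleshooting, check the mapping before assuming the certificate chain itself is at fault.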

Additional references

User Interface: Windows Firewall with Advanced Security
