Windows 7 Resource Kit- P27


attempts. For example, a back-end database server might be configured to accept only authenticated connections from a front-end Web application server. For more information on how server isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic server isolation scenario.

- Domain isolation  Domain isolation involves configuring connection security rules on both clients and servers so that domain members accept only authenticated (and optionally, encrypted) connection attempts from other domain members. By default, connection attempts from non-domain members are not accepted, but you can configure exception rules that allow unauthenticated connections from specific non-domain members. For more information on how domain isolation works and how to implement it, see http://technet.microsoft.com/en-us/network/bb545651.aspx. See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to implement a basic domain isolation scenario.

- Network Access Protection  Network Access Protection (NAP) is a technology available in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2 that enforces health requirements by monitoring and assessing the health of client computers when they try to connect or communicate on a network. Client computers that are found to be out of compliance with the health policy can then be provided with restricted network access until their configuration has been updated and brought into compliance with policy. Windows Firewall with Advanced Security can be used as part of a NAP implementation by creating connection security rules that require computer certificates for authentication. Specifically, client computers that are determined to be in compliance with health policy are provisioned with the computer certificate needed to authenticate. For more information on how NAP works and how to implement it, see http://www.microsoft.com/nap/.

- DirectAccess  DirectAccess is a new feature of Windows 7 and Windows Server 2008 R2 that provides users with the experience of being seamlessly connected to their corporate network any time they have Internet access. Using DirectAccess, users can securely access internal resources such as e-mail servers and intranet sites without first establishing a VPN connection to their corporate network. DirectAccess uses IPv6 together with IPsec tunnels to establish secure, bidirectional communications between the client computer and the corporate network over the public Internet. DirectAccess also integrates seamlessly with server and domain isolation scenarios and NAP implementations, enabling enterprises to create comprehensive end-to-end security, access, and health requirement solutions. For more information on how DirectAccess works and how to implement it, see http://www.microsoft.com/directaccess/.

Understanding Windows Firewall with Advanced Security CHAPTER 26 1253
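The server isolation and domain isolation scenarios described above, implemented from a script with netsh advfirewall, as an added example that is not the Resource Kit's own code. The SQL port, the exempted host address 10.0.0.50, the rule names and the SDDL group SIDs are placeholders; the parameter names follow the netsh advfirewall help text on Windows 7 and Windows Server 2008 R2.

```batch
@echo off
rem Added example, not from the Resource Kit: domain isolation plus server
rem isolation with netsh advfirewall (Windows 7 / Windows Server 2008 R2).
rem Run from an elevated command prompt; "add"/"set" commands need elevation.
rem Placeholders: TCP 1433 (isolated SQL server), 10.0.0.50 (non-domain
rem monitoring host), and the S-1-5-21-... SIDs in the SDDL strings.

rem 1. Domain isolation (an isolation rule on every domain member): require
rem    authentication for inbound connections, request it for outbound ones.
rem    auth1=computerkerb is the default first authentication method;
rem    auth2=userkerb adds user authentication so that the server-side rule
rem    below can authorize users as well as computers.
netsh advfirewall consec add rule name="Domain Isolation" ^
    endpoint1=any endpoint2=any profile=domain ^
    action=requireinrequestout auth1=computerkerb auth2=userkerb

rem 2. Authentication exemption rule for a specific non-domain host that must
rem    still reach domain members (for example a monitoring appliance).
netsh advfirewall consec add rule name="Exempt monitoring host" ^
    endpoint1=any endpoint2=10.0.0.50 profile=domain action=noauthentication

rem 3. Server isolation on the sensitive server only: an "Allow the connection
rem    if it is secure" rule (security=authenticate) limited to the authorized
rem    computer and user groups. The credentials already presented for domain
rem    isolation are reused for this authorization; no client change is needed.
netsh advfirewall firewall add rule name="SQL - isolated access" ^
    dir=in action=allow protocol=TCP localport=1433 profile=domain ^
    security=authenticate ^
    rmtcomputergrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-COMPUTER-GROUP)" ^
    rmtusrgrp="D:(A;;CC;;;S-1-5-21-PLACEHOLDER-USER-GROUP)"

rem Verify the result: connection security rules for the domain profile, the
rem isolated-server rule in detail, and the main mode SAs once peers connect.
netsh advfirewall consec show rule name=all profile=domain
netsh advfirewall firewall show rule name="SQL - isolated access" verbose
netsh advfirewall monitor show mmsa
```

Stage the isolation rule with action=requestinrequestout first and watch the main mode SAs before switching to requireinrequestout, so that hosts that cannot authenticate are found before they are locked out.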
DIRECT FROM THE SOURCE

Combining Domain Isolation with Server Isolation

Dave Bishop, Senior Technical Writer, WSUA Networking

You can easily combine both Domain Isolation and Server Isolation on the same network. The Domain Isolation rules that configure your computers to authenticate before connecting can also serve as the basis for identifying computers and users to restrict access to sensitive servers. By default, only computer authentication is performed, but on computers that are running Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2, you can configure the rules to also require user authentication.

The client rules that support Domain Isolation support Server Isolation as well. To isolate a server, you configure the server to permit connections from authorized users and computers only. To do this, add a firewall rule to the isolated server that uses the Allow The Connection If It Is Secure action. This enables the Users and Computers tabs, where you can identify the user and computer accounts that are authorized to connect to the isolated server. No further configuration on the client computers is required; the user and computer credentials used for authentication for Domain Isolation are also used for the authorization on the isolated server.

Server Isolation is an important defense-in-depth layer that helps to protect your sensitive servers, such as payroll, personnel, and other servers that must be carefully guarded.

TYPES OF CONNECTION SECURITY RULES

Depending on the scenario you want to implement or the business need you are trying to meet, different types of connection security rules may be needed for your environment. Windows Firewall with Advanced Security allows you to create the following types of connection security rules:

- Isolation rules  These rules are used to isolate computers by restricting inbound connections based on credentials such as domain membership. Isolation rules are typically used when implementing a server or domain isolation strategy for your network.
- Authentication exemption rules  These rules identify computers that do not require authentication when attempting to connect to a domain member under a domain isolation strategy.
- Server-to-server rules  These rules protect communications between specific computers. They are essentially isolation rules for which you can specify the endpoints.
- Tunnel rules  These rules protect communications between gateways on the public Internet. In Windows 7, you can create dynamic tunnel endpoint rules that enable Client-to-Gateway and Gateway-to-Client tunnel configurations.
- Custom rules  These rules can be created when the other types of connection security rules don't meet the needs of your environment.

SUPPORTED IPSEC SETTINGS FOR CONNECTION SECURITY RULES

Connection security rules use IPsec to protect traffic between the local computer and other computers on the network. IPsec is an industry-standard set of protocols for protecting communications over IP networks using cryptographic security services. IPsec can provide network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection to ensure the security of traffic as it passes across a network. For general information concerning IPsec concepts and how IPsec can be used to protect a network, see the resources available at http://www.microsoft.com/IPsec/.

The range of IPsec features supported in the Windows Vista RTM release was expanded, first in Windows Vista SP1 and then in Windows 7, to include new security methods, data integrity algorithms, data encryption algorithms, and authentication protocols. Tables 26-2 through 26-6 summarize the key exchange algorithms, data protection (integrity or encryption) algorithms, and authentication methods now supported for IPsec communications in Windows 7. Note that some algorithms are supported only for main mode or only for quick mode, and that different authentication methods are supported for first and second authentication. For more information on how to configure IPsec settings in Windows 7, see the section titled "Creating and Configuring Connection Security Rules" later in this chapter.
TABLE 26-2 Supported Key Exchange Algorithms for IPsec Communications in Windows 7

Key exchange algorithm | Notes
Diffie-Hellman Group 1 (DH Group 1) | Not recommended. Provided for backward compatibility only.
DH Group 2 | Stronger than DH Group 1.
DH Group 14 | Stronger than DH Group 2.
Elliptic Curve Diffie-Hellman P-256 | Stronger than DH Group 2. Medium resource usage. Compatible only with Windows Vista and later versions.
Elliptic Curve Diffie-Hellman P-384 | Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions.
TABLE 26-3 Supported Data Integrity Algorithms for IPsec Communications in Windows 7

Data integrity algorithm | Notes
Message-Digest algorithm 5 (MD5) | Not recommended. Provided for backward compatibility only.
Secure Hash Algorithm 1 (SHA-1) | Stronger than MD5 but uses more resources.
SHA 256-bit (SHA-256) | Main mode only. Supported on Windows Vista SP1 and later versions.
SHA-384 | Main mode only. Supported on Windows Vista SP1 and later versions.
Advanced Encryption Standard-Galois Message Authentication Code 128 bit (AES-GMAC 128) | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 128 for integrity.
AES-GMAC 192 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 192 for integrity.
AES-GMAC 256 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 256 for integrity.
AES-GCM 128 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 128 for integrity.
AES-GCM 192 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 192 for integrity.
AES-GCM 256 | Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 256 for integrity.
TABLE 26-4 Supported Data Encryption Algorithms for IPsec Communications in Windows 7

Data encryption algorithm | Notes
Data Encryption Standard (DES) | Not recommended. Provided for backward compatibility only.
Triple-DES (3DES) | Higher resource usage than DES.
Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128) | Faster and stronger than DES. Supported on Windows Vista and later versions.
AES-CBC 192 | Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions.
AES-CBC 256 | Strongest security. Highest resource usage. Supported on Windows Vista and later versions.
AES-GCM 128 | Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 192 | Quick mode only. Medium resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 256 | Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
TABLE 26-5 Supported First Authentication Methods for IPsec Communications in Windows 7

First authentication method | Notes
Computer (Kerberos V5) | Compatible with Microsoft Windows 2000 or later versions.
Computer (NTLMv2) | Use on networks that include systems running an earlier version of Windows and on stand-alone systems.
Computer certificate | The default signing algorithm is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store, in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. First authentication can also be configured to accept only health certificates when using a NAP infrastructure.
Pre-shared key | Not recommended.

TABLE 26-6 Supported Second Authentication Methods for IPsec Communications in Windows 7

Second authentication method | Notes
User (Kerberos V5) | Compatible with Windows 2000 or later versions.
User (NTLMv2) | Use on networks that include systems running an earlier version of Windows and on stand-alone systems.
User certificate | The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store, in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
Computer health certificate | The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store, in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.

DEFAULT IPSEC SETTINGS FOR CONNECTION SECURITY RULES

The default IPsec settings for Windows Firewall with Advanced Security are as follows:

- Default key exchange settings (main mode):
  • Key exchange algorithm: DH Group 2
  • Data integrity algorithm: SHA-1
  • Primary data encryption algorithm: AES-CBC 128
  • Secondary data encryption algorithm: 3DES
  • Key lifetime: 480 minutes/0 sessions
- Default data integrity settings (quick mode):
  • Primary protocol: Encapsulating Security Payload (ESP)
  • Secondary protocol: Authentication Header (AH)
  • Data integrity algorithm: SHA-1
  • Key lifetime: 60 minutes/100,000 KB
- Default data encryption settings (quick mode):
  • Primary protocol: ESP
  • Secondary protocol: ESP
  • Data integrity algorithm: SHA-1
  • Primary data encryption algorithm: AES-CBC 128
  • Secondary data encryption algorithm: 3DES
  • Key lifetime: 60 minutes/100,000 KB

The default authentication method used for first authentication of IPsec connections is Computer (Kerberos V5). By default, no second authentication method is configured for IPsec connections.
By default, these settings are used when creating new connection security rules unless you select different settings in the New Connection Security Rule Wizard. For more information, see the section titled "Creating and Configuring Connection Security Rules" later in this chapter.

Windows Firewall and Windows PE

Beginning with Windows 7 and Windows Server 2008 R2, you can now configure IPsec in Windows Preinstallation Environment (Windows PE) for added security during desktop and server deployment. While Windows PE 3.0 now supports IPsec by default, the computer you want to connect to may require additional configuration to allow a connection. The default IPsec settings for Windows PE 3.0 are as follows:

- MM Security Offer: AES128-SHA1-ECDHP256, where MM is main mode.
- MM Authentication Method: Anonymous
- QM Policy: 3DES-SHA1; AES128-SHA1, where QM is quick mode.
- QM Authentication Method: NTLMv2

Understanding Default Rules

Default rules specify the default behavior of Windows Firewall with Advanced Security when traffic does not match any other type of rule. Default rules can be configured on a per-profile basis. The possible default rules for inbound traffic are:

- Block (the default for all profiles)
- Block all connections
- Allow

The possible default rules for outbound traffic are:

- Allow (the default for all profiles)
- Block

From a practical standpoint, the Block All Connections default rule for inbound traffic can be interpreted as "shields up" or "ignore all allow and allow-bypass rules." For information on configuring default rules, see the section titled "Configuring Firewall Profiles and IPsec Settings by Using Group Policy" later in this chapter.
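The default IPsec settings and the per-profile default rules above, inspected and adjusted from a script, as an added example that is not the Resource Kit's own code: it backs up the current policy, replaces the DH Group 2 / 3DES main mode offers with stronger algorithms from Tables 26-2 to 26-4, and sets the default rules and dropped-connection logging for each profile. The backup path is an assumption; parameter spellings follow the netsh advfirewall help text (netsh advfirewall set global ? lists them on your system).

```batch
@echo off
rem Added example, not from the Resource Kit: review and harden the default
rem IPsec main mode settings and the per-profile default rules with netsh.
rem Run from an elevated command prompt ("set" commands require elevation).

rem Back up the whole policy first so the change can be reversed with
rem "netsh advfirewall import <file>". The path is a placeholder.
netsh advfirewall export "%TEMP%\firewall-before.wfw"

rem Show the shipped defaults; expect "SecMethods DHGroup2-AES128-SHA1,
rem DHGroup2-3DES-SHA1" and "KeyLifetime 480min,0sess" under Main Mode.
netsh advfirewall show global

rem Main mode offers, strongest first: ECDH P-256 with AES-CBC 128 and SHA-256
rem (SHA-256 is main mode only), then DH Group 14 for peers without ECDH.
rem Peers that cannot match either offer fail main mode negotiation, so stage
rem this in the domain profile on a pilot group before a wide rollout.
netsh advfirewall set global mainmode mmsecmethods ^
    ecdhp256:aes128-sha256,dhgroup14:aes128-sha256
netsh advfirewall set global mainmode mmkeylifetime 480min,0sess

rem Quick mode (ESP/AH algorithms and lifetimes) is set per connection
rem security rule or in the snap-in; global quick mode is not a netsh setting.

rem Default rules for every profile: firewall on, Block inbound, Allow
rem outbound (the shipped defaults), and log dropped connections, which is
rem off by default. Leave outbound at Allow unless the Core Networking
rem outbound rules that Group Policy needs are confirmed active.
for %%P in (domainprofile privateprofile publicprofile) do (
    netsh advfirewall set %%P state on
    netsh advfirewall set %%P firewallpolicy blockinbound,allowoutbound
    netsh advfirewall set %%P logging droppedconnections enable
)

rem Confirm the new main mode offers and the per-profile settings.
netsh advfirewall show global
netsh advfirewall show allprofiles
```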
Understanding WSH Rules

WSH rules are built-in rules that protect Windows services (and thereby also the applications that use these services) by restricting services from establishing connections in ways other than those they were designed for. WSH rules are not exposed to management using the Windows Firewall with Advanced Security MMC snap-in, the Netsh command, or Group Policy. Third-party ISVs who create services for Windows can also create WSH rules to protect those services. For more information, see http://msdn.microsoft.com/en-us/library/aa365491.aspx.

Understanding Rules Processing

If more than one rule matches a particular packet being examined, Windows Firewall with Advanced Security must decide which of these rules to apply to the packet in order to decide what action to take. The order in which Windows Firewall with Advanced Security processes rules is as follows:

1. WSH rules (this is not configurable by the user)
2. Connection security rules
3. Authenticated bypass rules
4. Block rules
5. Allow rules
6. Default rules

When a packet is being examined by Windows Firewall with Advanced Security, the packet is compared to each of these types of rules in the order listed. If the packet matches a particular rule, that rule is applied, and rule processing stops. In addition, if two rules in the same group match, the more specific rule (that is, the one with more matching criteria) is the one applied. For example, if rule A matches traffic to 192.168.0.1 and rule B matches traffic to 192.168.0.1 TCP port 80, then traffic to port 80 on that server matches rule B, and its action is the one taken.

By default, the rule processing described previously includes both local rules (firewall and/or connection security rules configured by the local administrator of the computer) and rules applied to the computer by Group Policy. If more than one Group Policy object (GPO) applies to a particular computer, the default rules come from the GPO with the highest precedence. Merging of local rules can be enabled or disabled using Group Policy. For more information, see the section titled "Considerations When Managing Windows Firewall Using Group Policy" later in this chapter.
Managing Windows Firewall with Advanced Security

Windows 7 and Windows Server 2008 R2 include tools for configuring and managing Windows Firewall with Advanced Security in both stand-alone and domain environments. These tools can be used to perform common tasks such as creating firewall rules to block or allow traffic, creating connection security rules to protect network traffic using IPsec, monitoring firewall and connection security activity, and more. The sections that follow examine the tools that you can use to manage Windows Firewall with Advanced Security and describe some common management tasks.

Tools for Managing Windows Firewall with Advanced Security

The following tools can be used for managing Windows Firewall with Advanced Security:

- Windows Firewall Control Panel item
- Windows Firewall with Advanced Security MMC snap-in
- Windows Firewall with Advanced Security Group Policy node
- Netsh advfirewall command context

The sections that follow summarize the differences in functionality between these tools.

Managing Windows Firewall Using Control Panel

The Windows Firewall utility in Control Panel exposes only a small subset of Windows Firewall with Advanced Security functionality and is primarily intended for consumers and for users working in SOHO environments. Using this utility, a user on the local computer can perform the following tasks:

- Turning Windows Firewall on or off for each type of network location (domain, private, or public)
- Enabling or disabling firewall notifications for each type of network location
- Verifying which firewall profiles apply to which network connections on the computer
- Allowing a program or feature to communicate through Windows Firewall for a particular firewall profile (see Figure 26-7)
- Restoring the default settings for Windows Firewall

Note that most actions involving Windows Firewall require local administrator credentials on the computer.
FIGURE 26-7 Viewing which firewall profiles allow Remote Assistance to communicate through Windows Firewall

Managing Windows Firewall Using the Windows Firewall with Advanced Security Snap-in

The Windows Firewall with Advanced Security MMC snap-in exposes most of the functionality of Windows Firewall for advanced users and administrators of the local computer (main mode rules and some advanced global IPsec settings are configurable only by Netsh). To start this snap-in, do any of the following:

- From the Start menu, select Control Panel, System And Security, Windows Firewall, Advanced Settings.
- Type fire in the Start menu Search box, and then click Windows Firewall With Advanced Security in the Programs group.
- Type wf.msc in the Start menu Search box and press Enter.
- Type mmc in the Start menu Search box and press Enter to open a new MMC console, and then add the Windows Firewall with Advanced Security snap-in to the console in the usual way.

The first three methods listed here can be used only to manage Windows Firewall on the local computer. The last method can be used to manage Windows Firewall on either the local computer or a specified remote computer. You must have local administrator credentials on the computer on which you want to manage Windows Firewall when using this snap-in.
NOTE The Windows 7 version of the Windows Firewall with Advanced Security snap-in can be used to manage Windows Firewall on Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2.

Using the Windows Firewall with Advanced Security snap-in, you can perform a wide variety of administrative tasks, including the following:

- Configuring default settings for each firewall profile
- Enabling and disabling firewall rules
- Creating and configuring firewall rules
- Configuring default IPsec settings
- Enabling and disabling connection security rules
- Creating and configuring connection security rules
- Exporting and importing firewall policy for the computer
- Restoring the default firewall settings for the computer
- Configuring firewall logging settings
- Monitoring the state of the firewall and its configuration
- Monitoring active firewall rules
- Monitoring active connection security rules
- Monitoring security associations for both main mode and quick mode
- Monitoring event logs associated with Windows Firewall

Many of these management tasks are described in more detail in the section titled "Common Management Tasks" later in this chapter.

To make it easier to manage large numbers of rules on a computer, the Windows Firewall with Advanced Security snap-in lets you filter firewall and connection security rules by profile (domain, private, or public) and/or by state (enabled or disabled). In addition, firewall rules (but not connection security rules) can also be filtered by rule group. Figure 26-8 shows all inbound rules that match the following filtering criteria:

- Profile: domain
- State: enabled
- Group: Remote Assistance

To remove applied filters, select Clear All Filters from the shortcut menu.
FIGURE 26-8 You can filter firewall rules by profile, state, and group to make it easier to manage large numbers of rules.

Managing Windows Firewall Using Group Policy

In enterprise environments, the primary method for managing Windows Firewall on remote computers (both clients and servers) is to use Group Policy. To manage Windows Firewall on a collection of computers on your network using Group Policy, do the following:

1. Create a new GPO and link the GPO to the organizational unit (OU) where the computer accounts for these computers reside.
2. Open the GPO using the Group Policy Management Editor from the Group Policy Management Console (GPMC) and navigate to the following location:
   Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall With Advanced Security\
3. Select the policy node under this location, which should look like this:
   Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
   Here GUID is the globally unique identifier for the Group Policy Container (GPC) associated with the GPO you have opened.

Once you have selected this node, you can configure Group Policy settings for Windows Firewall using the same graphical user interface as the Windows Firewall with Advanced Security snap-in described previously (see Figure 26-9).
FIGURE 26-9 Using Group Policy to configure Windows Firewall with Advanced Security on targeted computers

CONSIDERATIONS WHEN MANAGING WINDOWS FIREWALL USING GROUP POLICY

The following considerations should be kept in mind when managing Windows Firewall using Group Policy:

- The state of each firewall profile in the firewall policy of a GPO is initially Not Configured. This means that the firewall policy applied to computers targeted by the GPO does not change their firewall state. For example, if the domain profile of Windows Firewall on a targeted computer is enabled, it will remain enabled after Group Policy processing has occurred. Similarly, if the domain profile of Windows Firewall on a targeted computer is disabled, it will remain disabled after Group Policy processing has taken place on the computer. So if a local administrator on the targeted computer turns off Windows Firewall on his computer, it will remain turned off even after Group Policy processing has taken place on the computer. Therefore, if you want to ensure that the firewall policy in the GPO applies to targeted computers, you must enable the firewall profiles in the policy. To do this, right-click the following policy node in the GPO:
  Windows Firewall with Advanced Security - LDAP://CN={GUID},CN=POLICIES,CN=SYSTEM,DC=domain_name,DC=COM
  Select Properties from the context menu, and on each profile tab (Domain Profile, Private Profile, and Public Profile), change the Firewall State policy setting from Not Configured to On (Recommended).

- The default inbound and outbound rules for each firewall profile in the firewall policy of a GPO are also initially Not Configured. Therefore, if you want to ensure that firewall rules are processed as expected when the GPO is processed by targeted computers, you should configure the desired default inbound and outbound rules in the policy. To do this, right-click the policy node described above and select Properties from the context menu. Then on each profile tab (Domain Profile, Private Profile, and Public Profile), change the Inbound Connections and Outbound Connections policy settings to the values you want to use, which are typically the following. Note that if multiple GPOs for firewall policy target the same computer and each GPO has different default rules configured, the default rules for the GPO that has the highest precedence apply. Note also that if you set outbound connections to Block and then deploy the firewall policy by using a GPO, computers that receive it will not receive subsequent Group Policy updates unless you first create and deploy an outbound rule that enables Group Policy to work. Predefined rules for Core Networking include outbound rules that enable Group Policy to work. Ensure that these outbound rules are active, and thoroughly test firewall profiles before deploying the policy.

- By default, rule merging is enabled between local firewall policy on Windows 7 computers and firewall policy specified in GPOs that target those computers. This means that local administrators can create their own firewall and connection security rules on their computers, and these rules will be merged with the rules obtained through Group Policy targeting the computers. Rule merging can be enabled or disabled on a per-GPO, per-profile basis by opening the Properties of the policy node described previously, selecting a firewall profile, and clicking Customize under Settings. Then under Rule Merging in the Customize Settings For The firewall_profile dialog box, change the Apply Local Firewall Rules and/or Apply Local Connection Security Rules policy settings from Not Configured to Yes (Default) or No, as shown here. To ensure that only GPO-supplied rules are applied to computers targeted by the GPO and that locally defined rules on the computers are ignored, change these two policy settings from Not Configured to No. If you decide to leave rule merging enabled in the firewall policy of a GPO by configuring these two policy settings as either Yes (Default) or Not Configured, you should explicitly configure all firewall policy settings that may be needed by the targeted computers, including firewall and IPsec settings, firewall rules, and connection security rules. Otherwise, any policy settings that you leave unconfigured in the GPO can be overridden by the local administrator on the targeted computer by using the Windows Firewall with Advanced Security snap-in or the Netsh command.

MORE INFO See also the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at http://technet.microsoft.com/en-us/library/cc732400.aspx for a walkthrough of how to deploy firewall and connection security rules using Group Policy.

NOTE For faster processing of GPOs that are used only for applying firewall policy to targeted computers, disable the User portion of the GPO using the GPMC.
  17. Managing Windows Firewall Using the Netsh Command The Netsh command can be used to manage Windows Firewall either interactively from the command line or by using scripts . The Netsh command also has been enhanced in Windows 7 to expose almost all aspects of Windows Firewall to viewing and configuration (some settings, such as global quick mode, can only be configured using the Windows Firewall with Advanced Security snap-in . By using the netsh advfirewall context of this command, you can display the status and configuration of Windows Firewall, configure firewall and IPsec settings, create and configure both firewall and connection security rules, monitor active connections, and perform other management tasks . note You must run the netsh advfirewall command from an elevated command prompt to set (configure) Windows Firewall settings. You do not need to run it from an elevated command prompt if you only want to show (view) Windows Firewall settings. To enter the netsh advfirewall context from the command line, type netsh and press Enter, then type advfirewall and press Enter . C:\Windows\System32>netsh netsh>advfirewall netsh advfirewall> The prompt indicates the current context of the command . Typing help at the netsh advfirewall prompt displays the following additional commands available for this context: n consec Changes to the netsh advfirewall consec context, which lets you view and configure connection security rules . n export Exports the current firewall policy to a .w fw file . n firewall Changes to the netsh advfirewall firewall context, which lets you view and configure firewall rules . n import Imports a .w fw policy file into the current policy store . n mainmode New in Windows 7, this changes to the netsh advfirewall mainmode context, which lets you view and configure main mode configuration rules . 
• monitor  Enhanced with added functionality in Windows 7, this changes to the netsh advfirewall monitor context, which lets you view the current IPsec, firewall, and main mode states, and the current quick mode and main mode security associations established on the local computer.
• reset  Resets the firewall policy to the default out-of-box policy.
• set  Sets per-firewall profile and global firewall settings.
• show  Displays firewall profiles and global firewall settings.

For example, you can use the show domainprofile command to view the firewall settings for the domain profile as follows.
netsh advfirewall>show domainprofile

Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
RemoteManagement                      Disable
UnicastResponseToMulticast            Enable

Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize                           4096

To view the global firewall and IPsec settings on the local computer, use the show global command as follows.

netsh advfirewall>show global

Global Settings:
----------------------------------------------------------------------
IPsec:
StrongCRLCheck                        0:Disabled
SAIdleTimeMin                         5min
DefaultExemptions                     NeighborDiscovery,DHCP
IPsecThroughNAT                       Never
AuthzUserGrp                          None
AuthzComputerGrp                      None

StatefulFTP                           Enable
StatefulPPTP                          Enable

Main Mode:
KeyLifetime                           480min,0sess
SecMethods                            DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
ForceDH                               No

Categories:
BootTimeRuleCategory                  Windows Firewall
FirewallRuleCategory                  Windows Firewall
StealthRuleCategory                   Windows Firewall
ConSecRuleRuleCategory                Windows Firewall

To view full details concerning a particular firewall rule, such as the Remote Assistance (TCP-In) rule, first type firewall and press Enter to change to the netsh advfirewall firewall context, then use the show rule command as follows.
netsh advfirewall firewall>show rule name="Remote Assistance (TCP-In)" profile=domain,private verbose

Rule Name:                            Remote Assistance (TCP-In)
----------------------------------------------------------------------
Description:                          Inbound rule for Remote Assistance traffic. [TCP]
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Grouping:                             Remote Assistance
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            Any
RemotePort:                           Any
Edge traversal:                       Defer to application
Program:                              C:\Windows\system32\msra.exe
InterfaceTypes:                       Any
Security:                             NotRequired
Rule source:                          Local Setting
Action:                               Allow

You can also pipe Netsh to Findstr to display the names of all inbound rules belonging to a specific rule group. For example, to display all inbound rules for the Remote Assistance rule group, use this command.

C:\Windows\system32>netsh advfirewall firewall show rule name=all dir=in | findstr /I /C:"remote assistance"
Rule Name:                            Remote Assistance (PNRP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (SSDP TCP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (SSDP UDP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (TCP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (DCOM-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (RA Server TCP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (PNRP-In)
Grouping:                             Remote Assistance
Rule Name:                            Remote Assistance (TCP-In)
Grouping:                             Remote Assistance
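As an added example (not from the Resource Kit), the following Python script parses the key/value layout of netsh advfirewall firewall show rule output and lists enabled inbound Allow rules whose Rule source is Local Setting, that is, rules a local administrator can add when rule merging is left enabled in the GPO. The sample output is constructed here in the style of the page, and the "Group Policy" Rule source value for the GPO-supplied rule is an assumption.

```python
# Constructed sample in the layout of "netsh advfirewall firewall show rule
# name=all verbose"; not a real capture. "Group Policy" as a Rule source
# value is an assumption for the GPO-supplied rule.
SAMPLE_OUTPUT = r"""
Rule Name:                            Remote Assistance (TCP-In)
----------------------------------------------------------------------
Description:                          Inbound rule for Remote Assistance traffic. [TCP]
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
Program:                              C:\Windows\system32\msra.exe
Rule source:                          Local Setting
Action:                               Allow

Rule Name:                            SMB Inbound (constructed)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
LocalPort:                            445
Rule source:                          Group Policy
Action:                               Block
Ok.
"""


def parse_rules(text: str) -> list[dict[str, str]]:
    """Split 'show rule' output into one dict per rule, keyed by field name."""
    rules: list[dict[str, str]] = []
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Rule Name:"):
            current = {}               # a new rule record begins here
            rules.append(current)
        if current is None or not stripped or set(stripped) == {"-"}:
            continue                   # skip preamble, blank and separator lines
        key, sep, value = stripped.partition(":")
        if sep:                        # "Ok." and other non-field lines have no colon
            current[key.strip()] = value.strip()
    return rules


def local_inbound_allow(rules: list[dict[str, str]]) -> list[str]:
    """Names of enabled inbound Allow rules that came from the local store.
    When the GPO leaves rule merging enabled, these apply alongside GPO rules."""
    return [
        r["Rule Name"] for r in rules
        if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
        and r.get("Action") == "Allow" and r.get("Rule source") == "Local Setting"
    ]
```

On a real computer, feed the script the saved output of netsh advfirewall firewall show rule name=all verbose instead of the constructed sample.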
To show all connection security rules configured on the local computer, type consec to change to the netsh advfirewall consec context. Then use the show rule command as follows.

netsh advfirewall consec>show rule name=all

Rule Name:                            Lab Server
----------------------------------------------------------------------
Enabled:                              Yes
Profiles:                             Domain
Type:                                 Static
Mode:                                 Transport
Endpoint1:                            172.16.11.131/32
Endpoint2:                            172.16.11.163/32
Protocol:                             Any
Action:                               RequestInRequestOut
Auth1:                                ComputerPSK
Auth1PSK:                             test
MainModeSecMethods:                   DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
QuickModeSecMethods:                  ESP:SHA1-None+60min+100000kb,ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb,AH:SHA1+60min+100000kb

NOTE To view all firewall settings including global settings, per-firewall profile settings, and all active firewall rules on the computer, type netsh advfirewall monitor show firewall verbose at a command prompt.

Also new in Windows 7 are the following two Netsh contexts:

• netsh trace  Enables ETW tracing and/or Network Diagnostics Framework (NDF) diagnostics for various features and scenarios including Windows Firewall and IPsec.
• netsh wfp  Enables WFP and Internet Key Exchange (IKE)/AuthIP tracing.

MORE INFO For more information concerning Netsh syntax and examples of usage, see "Netsh Commands for Windows Firewall with Advanced Security" at http://technet.microsoft.com/en-us/library/cc771920.aspx.

Common Management Tasks

The sections that follow briefly describe some common management tasks for administering Windows Firewall with Advanced Security on Windows 7 and Windows Server 2008 R2. For additional information concerning managing Windows Firewall with Advanced Security, see the references in the section titled "Related Information" at the end of this chapter.