Lecture 12 Windows Firewall and Action Center
Lecture 12 Windows Firewall and Action Center. Firewalls Protect networks by stopping network traffic from passing through it Implemented as either a.

Jan 18, 2016

Lecture 12

Windows Firewall and Action Center

Firewalls

• Protect networks by stopping network traffic from passing through the firewall

• Implemented as either a hardware or software entity (or a combination of both)

• Allow internal traffic to leave the network

• Ex. Email to the outside world, web access, etc.

• Stop unwanted traffic from the outside world from entering the internal network

• Achieve these things through the use of rules

• Inbound, outbound, and connection-specific rules

• Two types of firewalls:

• Network perimeter firewalls

• Host-based firewalls

Rule Types

• There are 3 basic types of rules:

• Inbound Rules: Help protect your computer from other computers making unsolicited connections to it

• Outbound Rules: Help protect your computer by preventing your computer from making unsolicited connections to other computers

• Connection-specific Rules: Enable a computer’s administrator to create and apply rules based on a specific connection

• In Windows, this is referred to as Network Location Awareness

[Diagram: outgoing rules and incoming rules]

Network Perimeter Firewalls

• Located at the boundary between the internal network and external networks such as the Internet

• Provide a variety of services

• Can be hardware-based, software-based, or a combination of both

• Some of these firewalls, such as Microsoft Internet Security and Acceleration (ISA) Server, provide application proxy services

• Functionality Provided:

• Management and control of network traffic

• Inspecting state of communications between hosts

• Authentication and encryption

• Cannot provide protection for traffic generated inside a trusted network

Host-based Firewalls

• Run on individual computers and provide protection for traffic generated inside a trusted network

• Protect a host from unauthorized access and attack

• Provide an extra layer of security in your network

• Windows Firewall with Advanced Security can block specific types of outgoing traffic in addition to blocking unwanted incoming traffic

[Diagram: host firewall]

Network Location Awareness

• Windows 7 supports Network Location Awareness

• Enables network-interacting programs to change their behavior based on how the computer is connected to the network

• In the case of Windows Firewall with Advanced Security, you can create rules that apply only when the profile associated with a specific network location type is active on your computer

• There are three location types:

• Public

• Private

• Domain

Network Location Awareness

• Public Location Type:

• Assigned by default to any new networks when they are first connected

• A public network is considered to be shared with the world

• No protection between the local computer and any other computer

• Firewall rules associated with the public profile are most restrictive

Network Location Awareness

• Private Location Type:

• Can be manually selected by a local administrator for a connection to a network that is not directly accessible to the public

• The connection can be to a home or office network that is isolated from publicly accessible networks by a firewall device or a device that performs network address translation (NAT)

• Wireless networks assigned the private network location type should be protected by using an encryption protocol such as Wi-Fi Protected Access (WPA) or WPA2

• A network is never automatically assigned the private network location type

• It must be assigned by the administrator

• Windows remembers the network, and the next time you connect to it, Windows automatically assigns the network the private network location type

• Due to the higher level of protection and isolation from the internet, private profile firewall rules allow more network activity than the public profile rule set

Network Location Awareness

• Domain Location Type:

• Detected when the local computer is a member of an Active Directory domain and the local computer can authenticate to a domain controller for that domain through one of its network connections

• An admin cannot manually assign this network location type

• Because of the higher level of security and isolation from the internet, domain profile firewall rules typically permit more network activity than either the private or public profile rule sets

• On a computer that is running Windows 7, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter

Screenshot of Domain Networks

Turning Windows Firewall On and Off

To turn Windows Firewall on or off, open the Windows Firewall control panel and click Turn Windows Firewall on or off. The Change notification settings link brings up the same screen as shown on the right:

Not only can you turn the firewall on and off for each network location, you can also block all programs and choose to be notified when a program is blocked. One of the few reasons you would ever want to turn the firewall off is if you had another firewall program that you want to use instead.

Allowing Programs

Traditionally with firewalls, you open or close a protocol port to allow or block communication through the firewall. With Windows Firewall included in Windows 7, you specify which programs or features you want to communicate through the firewall. The most common options are available by clicking the Allow a program or feature through Windows Firewall option in the left pane of the Windows Firewall control panel. Only users who are members of the local Administrators group, or who have been delegated the appropriate privileges, are able to modify Windows Firewall settings. If you need to open a port instead of specifying a program, you have to use Windows Firewall with Advanced Security, which is discussed later in this lecture.

Add a Program

If a program that you want to create a rule for is not present on this list, click Allow Another Program. This opens the Add A Program dialog box. If the program that you want to create a rule for is not listed, click Browse to add it. Click the Network Location Types button to specify the network profiles in which the rule should be active.

If a program is blocked, the first time you try to run it you are notified by the firewall, allowing you to configure an exception that allows traffic from this program in the future. If an exception is not configured at this time, you will need to use the steps above to allow traffic through.

Windows Firewall with Advanced Security (WFAS)

• Designed for advanced users and IT professionals

• Offers more powerful configuration options than the standard Windows Firewall

• You can use it to configure inbound and outbound rules, block or allow incoming or outgoing connections based on protocols and/or programs and services, and configure IPsec

• Inbound and outbound rules can be enforced on the predefined profiles: Public, Private, Domain, or all profiles

• WFAS is useful when you need to enable a rule to allow traffic for a specific service while connected to one network profile, but not on another

• Example: You can allow FTP traffic for the Domain (Work) Profile, but not for the Public Profile

• This allows computers in your work place to connect to your computer hosting an FTP service, but traffic is blocked when you’re connected to another network

• The default inbound rule setting is to block all connections that don’t have rules (exceptions) allowing them, unless the incoming traffic is a response to a request made by the client

• The default outbound rule allows all outbound connections unless you have explicitly blocked an outbound connection

Windows Firewall with Advanced Security

To access the Windows Firewall with Advanced Security snap-in, open the Network and Sharing Center and click on Advanced Settings in the left pane. Or, you can type Windows Firewall with Advanced Security into the Search Programs And Files box in the Start menu. You must be a member of the Administrators group.

Creating Rules

To create an inbound or outbound rule, follow these steps:

First click on Inbound Rules or Outbound Rules in the left pane depending on which type of rule you are trying to create. In this case, we selected Inbound Rules.

Click on the Action menu and select New Rule.

New Inbound Rule Wizard

This brings up the New Inbound Rule Wizard. In this window you can define a rule based on a program, a port, a predefined service or feature, or multiple parameters (custom rule). The program and predefined rules are the same as those found in the standard Windows Firewall. The custom rule allows you to configure a rule based on more than one option, for example, a rule that involves a specific program and ports.

New Inbound Rule Wizard

What happens from here depends on the type of rule you are going to create, and we suggest that you familiarize yourself with all of them. In this case, we are going to create a custom rule.

Applying to a Specific Program

Here you can apply the rule to all programs, to a specific program that you browse to, or to a service. We're going to apply ours to a specific program by clicking Browse and selecting a program.

Apply to Specific Protocols and Ports

Here we can apply the rule to specific protocols and ports. We selected a TCP port.

Define Scope of the Rule

Next, we define the scope of the rule. We have the option to configure local and remote addresses. The local IP address is used by the local computer to determine if the rule applies. The rule only applies to network traffic that goes through a network adapter that is configured to use one of the specified addresses. Specify the remote IP addresses to which the rule applies. Network traffic matches the rule if the destination IP address is one of the addresses in the list.

Allow or Block Connection

Next, we can allow the connection, allow the connection if it is secure, or block the connection.

Choosing Network Locations

Now we choose which network locations the rule will apply to.

Firewalls

In the final step, we enter a name and description for the rule and click Finish.

The previous instructions only demonstrate one of the possible types of rules you can create, and the dialogue boxes will vary depending on the type of rule and selections you make.

In addition to inbound and outbound rules, you can also configure Connection Security Rules.

Import and Export:

WFAS allows you to import and export the current firewall configuration for the purpose of easy configuration on stand-alone computers. To roll out the firewall configuration on a company network, it is better to use group policy. The import and export feature also essentially enables you to make a backup copy of your configuration before you make changes to it. Exported policy files are binary with a .wfw extension.
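The wizard steps above, together with the earlier example of allowing FTP on the Domain profile only, can also be scripted with `netsh advfirewall` from an elevated Command Prompt. This batch file is an added example, not part of the lecture; the rule names, program path, port 8080, the 192.168.10.0/24 scope and the backup path are assumed values.

```batch
@echo off
rem Added example: custom inbound rule and per-profile FTP rule via netsh.
rem Assumed values (not from the lecture): rule names, C:\LabApp\labapp.exe,
rem TCP port 8080, the 192.168.10.0/24 scope, and the backup location.
setlocal

set "BACKUPDIR=%SystemDrive%\fw-backup"
set "BACKUP=%BACKUPDIR%\before-change.wfw"
set "APP=C:\LabApp\labapp.exe"
set "RULE=LabApp inbound TCP 8080"
set "FTPRULE=FTP inbound Domain only"

rem Changing firewall settings requires Administrators group membership.
rem "net session" only succeeds in an elevated prompt (common idiom).
net session >nul 2>&1
if errorlevel 1 (
    echo Run this from an elevated Command Prompt.
    exit /b 1
)

rem 1. Export the current configuration (.wfw) before changing anything.
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
if exist "%BACKUP%" del "%BACKUP%"
netsh advfirewall export "%BACKUP%"
if errorlevel 1 (
    echo Export failed, no changes made.
    exit /b 1
)

rem 2. Custom inbound rule, one parameter per wizard page:
rem    program, protocol and port, scope, action, profiles, name, description.
netsh advfirewall firewall add rule name="%RULE%" dir=in action=allow ^
    program="%APP%" protocol=TCP localport=8080 ^
    remoteip=192.168.10.0/24 profile=domain,private ^
    description="Allow LabApp from the lab subnet only"
if errorlevel 1 goto rollback

rem 3. FTP control channel (TCP 21) allowed on the Domain profile only.
rem    No allow rule exists for Public or Private, so the default inbound
rem    block still applies on those profiles.
netsh advfirewall firewall add rule name="%FTPRULE%" dir=in action=allow ^
    protocol=TCP localport=21 profile=domain
if errorlevel 1 goto rollback

rem 4. Review the new rules and the default policy of each profile.
netsh advfirewall firewall show rule name="%RULE%" verbose
netsh advfirewall firewall show rule name="%FTPRULE%" verbose
netsh advfirewall show allprofiles firewallpolicy
exit /b 0

:rollback
rem Import replaces the whole current policy with the exported one.
echo Rule creation failed, restoring the exported policy.
netsh advfirewall import "%BACKUP%"
exit /b 1
```

Keeping `remoteip` and `profile` as narrow as the service allows means a rule created for one network does not also expose the port when the computer joins a Public network.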

Action Center & Windows Defender

Configuring the Action Center

These days, having a firewall just isn’t enough. Spyware and viruses are becoming more widespread, more sophisticated, and more dangerous. Users can unintentionally pick up spyware and viruses by visiting websites, or by installing an application in which spyware and viruses are bundled.

Even worse, malicious software cannot typically be uninstalled. Thus, antispyware and virus protection applications are also required to ensure that your computer remains protected. You can further protect your Windows 7 computers using the Action Center.

Using Windows Defender

Windows 7 comes with an antispyware application called Windows Defender. Windows Defender offers real-time protection from spyware and other unwanted software. You can also configure Windows Defender to scan for spyware on a regular basis.

Like antivirus programs, Windows Defender relies on definitions, which are used to determine whether a file contains spyware. Out-of-date definitions can cause Windows Defender to fail to detect some spyware. Windows Update is used to regularly update the definitions used by Windows Defender so that the latest spyware can be detected. You can also configure Windows Defender to manually check for updates using Windows Update.

To access Windows Defender, click Start > Control Panel > Large Icons View > Action Center > Windows Defender. The status appears at the bottom of the screen, which includes time of the last scan, the scan schedule, the real-time protection status, and the definition version.

Windows Defender

Windows Defender

Let’s look at how we can scan the system for spyware using Windows Defender.

Performing a Manual Scan

You can configure Windows Defender to perform a manual scan of your computer at any time. You can perform the following three types of scans:

 ◆ Quick Scan checks only where spyware is most likely to be found.

 ◆ Full Scan checks all memory, running processes, and folders.

 ◆ Custom Scan checks only the drives and folders that you select.

By default, Windows Defender performs a Quick Scan daily at 2 A.M. You can change this setting by using the Tools menu option.

Programs are classified into four spyware alert levels: Severe, High, Medium, and Low.

Depending on the alert level, you can choose to have Windows Defender ignore, quarantine, remove, or always allow software.

Configuring Windows Defender

Use the Tools and Settings menu to configure Windows Defender. You can access the following items through this menu:

 ◆ Options

 ◆ Microsoft SpyNet

 ◆ Quarantined Items

 ◆ Allowed Items

 ◆ Windows Defender Website

 ◆ Microsoft Malware Protection Center

Windows Defender Options

Options - Click Options on the Tools and Settings menu to configure the default behavior of Windows Defender. You can configure the following options:

Automatic Scanning - You can configure Windows Defender to scan automatically, how often automatic scans should occur, the time that scans will occur, and the type of scan to perform.

Default Actions - You can configure the actions Windows Defender should take on High, Medium, and Low Alert items. You can set each level so that Windows Defender can take the default action for that level, always remove the item, or always ignore the item.

Real-Time Protection - You can configure whether real-time protection is enabled, which security agents you want to run, how you should be notified about threats, and whether a Windows Defender icon is displayed in the notification area.

Options continued on next slide…

 

Windows Defender Options Continued

Excluded Files And Folders - You can set up files and folders that are to be excluded during a scan.

Excluded File Types - You can specify certain file types that will be excluded from a scan. For example, you can exclude all .doc files if needed.

Advanced - These options let you configure whether:

 ◆ Archived files and folders are scanned

 ◆ Email is scanned

 ◆ Removable drives are scanned

 ◆ Heuristics are used to detect unanalyzed software

 ◆ A restore point is created before removing spyware

You can also specify file locations that are exempt from scanning.

Administrator - These options let you configure whether Windows Defender is enabled, and whether you display items from all users on this computer.

 

Windows Defender

Microsoft SpyNet

Microsoft SpyNet is an online community that can help you know how others respond to software that has not yet been classified by Microsoft. Participation in SpyNet is voluntary, and subscription to SpyNet is free. If you choose to volunteer, your choices will be added to the community so that others can learn from your experiences.

To join the SpyNet community, click Microsoft SpyNet on the Tools menu, and then choose either a basic or advanced membership. The level of membership will specify how much information is sent to Microsoft when potentially unwanted software is found on your computer.

By default, I Do Not Want To Join Microsoft SpyNet At This Time is selected, but you can choose to participate in SpyNet by selecting the appropriate radio button. If you choose not to participate, no information is sent to Microsoft, and Windows Defender does not alert you regarding unanalyzed software.

Quarantined Items

Software that has been quarantined by Windows Defender is placed in Quarantined Items. Quarantined software will remain here until you remove it. If you find that a legitimate application is accidentally removed by Windows Defender, you can restore the application from Quarantined Items.

Windows Defender

Allowed Items

Software that has been marked as allowed is added to the Allowed Items list. Only trusted software should be added to this list. Windows Defender will not alert you regarding any software found on the Allowed Items list. If you find that a potentially dangerous application has been added to the Allowed Items list, you can remove it from the list so that Windows Defender can detect it.

Windows Defender Website

Clicking Windows Defender Website opens Internet Explorer and takes you to the Windows Defender website. Here you can find information on Windows Defender, spyware, and security.

Microsoft Malware Protection Center

Clicking Microsoft Malware Protection Center opens Internet Explorer and takes you to the Malware Protection Center website. Here, you can find information on antimalware research and responses.

History Menu Option

There is also a History menu option next to the Tools option. You can use the History menu option to see what actions have been taken by Windows Defender. Information is included about each application, the alert level, the action taken, the date, and the status. Information is retained until you click the Clear History button.