1
00:00:03,040 --> 00:00:07,180
The next scenario that I want to talk about is managing Windows Firewall.

2
00:00:08,080 --> 00:00:09,640
So let's dive into that.

3
00:00:10,570 --> 00:00:14,290
Group Policy provides Windows Firewall with Advanced Security

4
00:00:14,320 --> 00:00:20,650
under the Security Settings path within Computer Configuration. The old way of configuring Windows

5
00:00:20,650 --> 00:00:23,260
Firewall was actually within admin templates.

6
00:00:24,190 --> 00:00:30,820
So if you had a Windows XP or Server 2003 client, there was a section under admin templates for the computer

7
00:00:30,820 --> 00:00:38,380
that lets you configure this. That has been superseded by Windows Firewall with Advanced Security, which

8
00:00:38,380 --> 00:00:43,780
lets you configure the domain, private and public profile states for the Windows Firewall, whether it's

9
00:00:43,780 --> 00:00:44,560
on or off.

10
00:00:45,490 --> 00:00:50,950
It also lets you configure inbound rules, in other words, what traffic is allowed inbound to machines

11
00:00:50,950 --> 00:00:54,190
that process this firewall policy, and outbound rules now.

12
00:00:55,060 --> 00:01:00,910
So you can set rules on what traffic can go outbound from a machine, which has interesting security implications

13
00:01:00,910 --> 00:01:03,610
and also challenges, as well as IPsec rules.

14
00:01:04,440 --> 00:01:10,270
IPsec is a sort of tunneling protocol that allows you to securely traverse networks and provide tunnels

15
00:01:10,270 --> 00:01:12,130
for encrypted traffic, and Windows

16
00:01:12,130 --> 00:01:17,200
Firewall with Advanced Security is your tool for configuring both firewall and IPsec

17
00:01:18,070 --> 00:01:20,110
in this particular policy area.

18
00:01:20,140 --> 00:01:22,930
Those IPsec rules are called connection rules.
19
00:01:23,810 --> 00:01:28,750
Windows Firewall profiles, which I talked about in the previous slide, are what you can use to have

20
00:01:28,750 --> 00:01:32,740
different firewall behaviors depending on what kind of network you're on.

21
00:01:33,610 --> 00:01:40,690
So the three firewall profiles that are represented in the policy are domain, private and public, domain

22
00:01:40,690 --> 00:01:42,510
being when you're on the corporate network.

23
00:01:42,520 --> 00:01:46,540
In other words, you have a domain controller that's accessible to the client.

24
00:01:47,440 --> 00:01:52,030
Private, meaning you're on your home network, which means it's a trusted network, but it's not your

25
00:01:52,030 --> 00:01:52,870
work network.

26
00:01:53,740 --> 00:01:55,920
And then public is pretty much everything else.

27
00:01:55,930 --> 00:02:00,700
It's when you're in a cafe or on an airplane or in an airport and you're on, essentially, what is it,

28
00:02:00,700 --> 00:02:02,770
the Wild West for wireless networks.

29
00:02:03,700 --> 00:02:09,520
You can configure the firewall on or off for each of those profiles, as well as other postures based on each

30
00:02:09,520 --> 00:02:11,770
of those different locations that you can be in.

31
00:02:12,640 --> 00:02:16,120
This is really a good idea, especially for public networks.

32
00:02:16,990 --> 00:02:22,450
If you do no other configuration of Windows Firewall, do one for the public profile so that when your domain-joined

33
00:02:22,450 --> 00:02:28,690
machines go off-network, laptops and such are connecting at Starbucks, you are controlling

34
00:02:28,690 --> 00:02:31,540
what inbound traffic is able to get to those machines.

35
00:02:32,440 --> 00:02:35,710
Let's talk a little bit more about inbound and outbound rules.

36
00:02:36,610 --> 00:02:39,280
Inbound rules are definitely the most common.

37
00:02:40,150 --> 00:02:44,860
This is what we had before Windows Firewall with Advanced Security, in the XP days.
38
00:02:45,760 --> 00:02:51,250
It's basically saying who can talk to the system, who can initiate traffic from externally to this

39
00:02:51,250 --> 00:02:54,280
particular system that's processing policy.

40
00:02:55,160 --> 00:03:00,020
Outbound rules are more interesting and more challenging, because it kind of assumes that you know

41
00:03:00,020 --> 00:03:04,280
all of the outbound traffic going from a workstation to other sources on your network.

42
00:03:05,160 --> 00:03:10,860
This is definitely easier to do if you're on a server with a predetermined workload instead of applications,

43
00:03:10,860 --> 00:03:16,230
and you can more easily characterize the traffic of those applications from the server to external

44
00:03:16,230 --> 00:03:16,800
sources.

45
00:03:17,700 --> 00:03:22,710
But it's a lot harder to do in a workstation world where you've got users running different applications

46
00:03:22,710 --> 00:03:25,890
all the time that may have different protocol and port needs.

47
00:03:26,820 --> 00:03:31,770
So I think outbound rules are one of those things where, if you're going to go down the road

48
00:03:31,770 --> 00:03:37,170
of host-based firewall configuration, outbound rules are sort of the next level of sophistication in

49
00:03:37,170 --> 00:03:38,130
terms of doing that.

50
00:03:39,030 --> 00:03:41,940
The rules can be set to be either allow or deny.

51
00:03:42,780 --> 00:03:45,690
Once the firewall is turned on for a given profile,

52
00:03:45,720 --> 00:03:51,540
in other words, let's say on the domain profile the firewall is on, then all traffic is implicitly

53
00:03:51,540 --> 00:03:55,020
denied inbound, but not outbound, unless exceptions are defined.

54
00:03:55,920 --> 00:04:00,870
That's important to understand: the default state when the firewall is on is to deny all.

55
00:04:01,760 --> 00:04:05,180
And you can create exception rules that allow specific traffic in.
56
00:04:05,360 --> 00:04:07,550
But by and large, everything else is denied.

57
00:04:08,420 --> 00:04:11,870
This is just kind of a UI that talks about how you create a rule,

58
00:04:11,880 --> 00:04:14,810
and I'm going to show you this in a demo in the next session.

59
00:04:15,680 --> 00:04:21,260
You define the thing that you want to block, and it could be a program, a port, a predefined or custom

60
00:04:21,260 --> 00:04:21,620
rule.

61
00:04:22,520 --> 00:04:24,010
You say whether it's allowed.

62
00:04:24,020 --> 00:04:27,650
In other words, the action decides whether it's allow or deny.

63
00:04:28,490 --> 00:04:31,250
And you tell it which profile the rule applies to.

64
00:04:32,030 --> 00:04:37,460
Let's go ahead and dive in and do a demo of this Windows Firewall capability so you can see sort of

65
00:04:37,460 --> 00:04:38,120
how it works.