Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Monday, October 11, 2010

Windows 7 firewall protected connections

Windows Firewall was introduced with XP, but only the version for Windows Vista was powerful enough to replace third party desktop firewalls. Actually, Vista’s firewall is better than many of the personal firewalls I have ever seen. Compared to these enhancements, Windows 7 only has a tiny improvement to offer. However, in some environments, it might turn out to be very useful.
You probably know that Windows 7 distinguishes between Public, Home, and Work networks. Whenever you connect to a new network, Windows will ask what type of network it is. Each network has its own firewall profile, which allows you to configure different firewall rules depending on the security requirements of the user’s locations. You can use the Windows Firewall with Advanced Security’s snap-in filter to display only rules for specific locations. The corresponding firewall rule sets are Public (Public), Private (Home / Work), and Domain (when a domain-joined workstation detects a domain controller) (see comment below).
This works fine as long as you are only connected to one network at a time. As a matter of fact, more and more users now have their own networks at home. The problem is that once they connect to the corpnet, the Domain firewall rule set becomes active, which will break homegroup connections. The solution to this problem seems to be to work with multiple NICs. However, in Windows Vista, only one profile can be active on the computer at a time. Windows Sever 2008 machines that are connected to multiple networks suffer the same problem. In this case, the profile with the most restrictive settings is applied to all adapters on the computer.
Windows 7’s multiple active firewall profiles are the solution to this problem. It is now possible to assign each firewall profile to specific NICs. You can configure this feature in the Windows Firewall properties (right click on the root folder Windows Firewall with Advanced Security snap-in). This allows you to work with a different firewall profile for each network interface. If the computer is connected to multiple networks at a time, Windows Firewall will use the different rule sets for each NIC.
Note that this feature can’t be configured via Group Policy. At least the Group Policy settings of Windows Server 2008 R2 Beta don’t offer a corresponding option. The problem is that you can’t know in advance, for all external computers, which NIC is connected to the home network and which to the domain network. I guess that’s why you will have to configure this manually for each computer.

No comments: