The firewall built into Microsoft's Windows Server 2003 is so rudimentary that many system administrators regard it as useless: it has always been a simple, host-based stateful firewall that filters inbound traffic only. With Windows Server 2008 approaching, the built-in firewall has been greatly improved. Let’s take a look at this new high
Why should you use this host-based firewall for Windows?
Many companies today rely on external security hardware to harden their networks: firewalls and intrusion prevention systems that build an ironclad wall around the network and protect it from attackers on the Internet. However, if an attacker manages to breach the perimeter and reach the internal network, only the security of the Windows hosts themselves stands between the attacker and the company's most valuable asset, its data.
This matters because most IT professionals do not use host-based firewalls to harden their servers. Why not? Because most of them believe that a host-based firewall causes more trouble than it is worth.
I hope that after reading this article you will take a moment to reconsider the Windows host-based firewall. In Windows Server 2008 it is built in, installed by default, richer in features than previous versions and easier to configure, and it is one of the best ways to harden a critical server. Windows Firewall with Advanced Security combines a host firewall with IPsec. Unlike a perimeter firewall, it runs on every computer running this version of Windows and provides local protection against network attacks that get past the perimeter or originate inside the organization. It also provides computer-to-computer connection security, letting you require authentication and data protection for communications between hosts.
So, what can this Windows Server Advanced Firewall do for you, and how do you configure it? Let’s read on.
What the new firewall has and how it can help you
The built-in firewall in Windows Server 2008 is now "advanced". It's not just me saying it's advanced, Microsoft has now called it Windows Firewall with Advanced Security (WFAS for short).
Here are the new features that justify its new name:
1. New graphical interface.
The advanced firewall is now configured through an MMC snap-in rather than the old Control Panel applet.
2. Two-way protection.
Filter outbound and inbound communications.
3. Better integration with IPsec.
Windows Firewall with Advanced Security integrates Windows Firewall functionality and Internet Protocol Security (IPSec) into a single console. Use these advanced options to configure key exchange, data protection (integrity and encryption), and authentication settings the way your environment requires.
4. Advanced rule configuration.
You can create firewall rules for various objects on Windows Server and configure firewall rules to determine whether to block or allow traffic through Windows Firewall with Advanced Security.
When a packet reaches the computer, Windows Firewall with Advanced Security inspects it and checks whether it meets the criteria of a firewall rule. If the packet matches a rule, the firewall performs that rule's action, blocking or allowing the connection (when both a block rule and an allow rule match, the block rule wins). If the packet matches no rule at all, the profile's default action applies: unsolicited inbound connections are dropped, and an entry is written to the firewall log file if logging is enabled, while outbound connections are allowed by default.
When configuring a rule, you can choose from a variety of criteria: application name, system service name, TCP port, UDP port, local IP address, remote IP address, profile, interface type (such as LAN, wireless or remote access), user, user group, computer, computer group, protocol, ICMP type, and so on. All the criteria in a rule must match at once, so the more criteria you add, the narrower and more precise the set of traffic the rule applies to.
By adding two-way protection, a better graphical interface and advanced rule configuration, Windows Firewall with Advanced Security is becoming as powerful as traditional host-based firewalls such as ZoneAlarm Pro.
I know the first thing any server administrator thinks when considering a host-based firewall is: will it break the normal operation of this critical server? That concern applies to any security measure, but Windows Firewall with Advanced Security softens it: it automatically adds the necessary rules for any server role you install. If you run a non-Microsoft application that requires inbound network connectivity, however, you will have to create a rule for it yourself, based on the type of traffic it accepts.
By using this advanced firewall, you can better harden your server against attacks, prevent your server from being exploited to attack others, and truly determine what data is going in and out of your server. Let's take a look at how to achieve these goals.
Learn about options for configuring Windows Firewall Advanced Security
In previous versions of Windows Server, you configured Windows Firewall from the network adapter properties or from Control Panel, and there was very little to configure.
For Windows Firewall with Advanced Security, most administrators will configure it either from Windows Server Manager or from the dedicated Windows Firewall with Advanced Security MMC snap-in. The following are screenshots of the two configuration interfaces:
Figure 1. Windows Server 2008 Server Manager
Figure 2. Windows 2008 Advanced Security Firewall Management Console
The easiest and fastest way I've found to start this Windows Firewall with Advanced Security is to type 'firewall' in the search box of the Start menu, as shown below:
Figure 3. How to quickly start the Windows 2008 Advanced Security Firewall Management Console
Additionally, you can configure Windows Firewall with Advanced Security with netsh, the command-line tool for configuring network components. The netsh advfirewall context lets you script a complete set of Windows Firewall with Advanced Security settings for both IPv4 and IPv6 traffic, and the same context displays the firewall's configuration and current status.
What can be configured using the new Windows Firewall with Advanced Security MMC snap-in?
Since there are so many features you can configure using this new firewall management console, it's impossible for me to mention them all. If you've ever looked at the Windows 2003 built-in firewall configuration graphical interface, you'll quickly notice that there are so many options hidden in this new Windows Advanced Security Firewall. Let me select some of the most commonly used functions to introduce to you.
When you first open the Windows Firewall with Advanced Security console, you will see that the firewall is enabled by default and blocks inbound connections that do not match an inbound rule. Outbound filtering, although new, is effectively off by default: outbound connections that match no rule are allowed, so outbound rules restrict nothing until you change the profile's default outbound action to block (or add explicit block rules).
Another thing you will notice is that Windows Firewall with Advanced Security has multiple profiles.
Figure 4. Profiles provided in Windows 2008 Firewall with Advanced Security
There is a domain profile, a private profile and a public profile. A profile is a way of grouping settings, such as firewall rules and connection security rules, that are applied to a computer based on the network it is connected to: the domain profile when the computer can reach its domain controllers on the corporate LAN, the public profile on an untrusted network such as a coffee shop, for example. On Windows Server 2008 only one profile is active at a time, so if the server has adapters on networks of different types, the most restrictive of the applicable profiles is used.
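The profile defaults described above can be inspected and set from the command line as well as from the console. The following is an added example, not code from the original article, using the netsh advfirewall context from an elevated prompt on Windows Server 2008; the backup path C:\Backup is an assumption and the directory must already exist.

```powershell
# Added example (not from the article): inspect and set profile-level
# defaults with netsh advfirewall, the command-line counterpart of the
# MMC snap-in. Run from an elevated PowerShell or cmd.exe prompt.

# 1. Which profile is active right now, and what are its settings?
#    The output shows State, Firewall Policy (default inbound/outbound
#    action) and the logging settings for each profile.
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

# 2. Keep the defaults the article describes in every profile: firewall on,
#    block inbound traffic that matches no rule, allow outbound traffic.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 3. Log dropped packets so that blocked traffic is visible (off by default).
#    The log goes to %systemroot%\system32\LogFiles\Firewall\pfirewall.log
#    unless you change it with "logging filename"; the size is in KB.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging maxfilesize 4096

# 4. Outbound rules only bite once the default outbound action is block.
#    Apply this to the public profile first, because on an untrusted network
#    the server should not be talking to anything you have not listed, and
#    extend it to domain/private only after every needed outbound rule exists.
netsh advfirewall set publicprofile firewallpolicy blockinbound,blockoutbound

# 5. Save the complete policy before experimenting so it can be restored.
#    (C:\Backup is an assumed location; the directory must exist.)
netsh advfirewall export "C:\Backup\wfas-baseline.wfw"
# To roll back:  netsh advfirewall import "C:\Backup\wfas-baseline.wfw"
```

The export in step 5 is the check a practitioner wants before touching the default actions: switching the outbound policy to block on a server without rules for DNS, Active Directory and Windows Update breaks those services immediately, and the import gives you a one-line way back.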
In my opinion, of all the improvements we have discussed in the Windows 2008 Advanced Security Firewall, the most significant is the far more granular firewall rules. Take a look at the option to add an exception in the Windows Server 2003 firewall, as shown below:
Figure 5. Windows 2003 Server Firewall Exception Window
Let’s compare the configuration window in Windows 2008 Server .
Note that the Protocols and Ports tab is only a small part of this multi-tab window. You can also scope rules to users and computers, programs and services, and IP address ranges. With this granular rule configuration, Microsoft has moved the Windows Advanced Security Firewall a step closer to its ISA Server firewall product.
The number of default rules provided by Windows Firewall with Advanced Security is also surprising. In Windows 2003 Server , there are only three default exception rules. Windows 2008 Advanced Security Firewall provides approximately 90 default inbound firewall rules and at least 40 default outbound rules.
How to create a custom inbound rule?
Suppose you have installed the Windows build of the Apache web server on your Windows Server 2008 machine. If you were using the built-in IIS web server, TCP port 80 would have been opened for you automatically when the role was added. Since you are now running a third-party web server with the inbound firewall enabled, you must open the port manually.
Here are the steps:
·Identify the protocol you want to allow - in our case TCP (the alternatives being UDP or ICMP).
·Identify the source IP address, source port, destination IP address and destination port. For web traffic this means connections from any IP address and any source port to TCP port 80 on this server. (You can also scope the rule to a specific program, here the Apache HTTP server executable, which is tighter than opening the port for every process on the machine.)
·Open the Windows Firewall with Advanced Security Management Console.
·Add rules - Click the New Rule button in the Windows Firewall with Advanced Security MMC to start the wizard for starting a new rule.
Figure 8. Windows 2008 Server Advanced Firewall Management Console-New Rule Button
·Select Port as the rule type and click Next.
·Configure the protocol and port number - leave TCP selected, enter 80 as the local port, then click Next.
·Accept the default "Allow the connection" and click Next.
·Leave the rule applied to all profiles (the default) and click Next, or clear Public if the server should never accept HTTP connections while on an untrusted network.
·Give this rule a name and click Next.
At this time, you will get a rule as shown below:
Figure 9. Windows 2008 Server Advanced Firewall Management Console after creating rules
In my testing, my newly installed Apache web server did not work when this rule was not in place. After creating the rule, it works fine!
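The rule built by the wizard above, and the rule criteria described under "Advanced rule configuration", can also be created and verified with netsh advfirewall, which is what you want when the same rule has to land on several servers. This is an added example, not code from the article: the install path of httpd.exe and the 10.0.0.0/8 corporate range are assumptions, and the rule name is arbitrary.

```powershell
# Added example (not from the article): the inbound Apache rule from the
# wizard, built with netsh advfirewall so it can be scripted and audited.
# Run from an elevated PowerShell prompt on Windows Server 2008.

$apache = "C:\Apache2.2\bin\httpd.exe"   # assumed install path; adjust

# Tighter than the wizard's port-only rule: the rule matches only when the
# program AND the protocol/port match, and it applies to the Domain and
# Private profiles only, so the port stays closed in the Public profile.
netsh advfirewall firewall add rule name="Apache HTTP TCP 80" dir=in action=allow protocol=TCP localport=80 program="$apache" profile=domain,private enable=yes description="Inbound HTTP for the third-party Apache web server"

# Optional, for an intranet-only server: restrict the remote side to the
# corporate address range (assumed here to be 10.0.0.0/8) instead of any.
# netsh advfirewall firewall set rule name="Apache HTTP TCP 80" new remoteip=10.0.0.0/8

# Verify what was actually stored: program, profiles, ports and scope.
netsh advfirewall firewall show rule name="Apache HTTP TCP 80" verbose

# Confirm Apache is listening on port 80 before blaming the firewall for a
# failed connection; the PID in the last column should belong to httpd.exe.
netstat -ano | findstr ":80 "

# When Apache is decommissioned, disable the rule (keeps it for later) ...
netsh advfirewall firewall set rule name="Apache HTTP TCP 80" new enable=no
# ... or remove it outright so the unused opening does not linger.
netsh advfirewall firewall delete rule name="Apache HTTP TCP 80"
```

Binding the rule to the program is the useful difference from the wizard's defaults: if httpd.exe is ever stopped and some other process binds port 80, the port-only rule would still let that traffic in, while the program-scoped rule does not. The show rule step is the check to run after any scripted change, since a typo in the profile or program argument silently produces a rule that never matches.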
Conclusion: Great improvements worth trying
With firewall profiles, granular rule settings, thirty times as many default rules, and many advanced security features not covered in this article, the Windows 2008 Server Advanced Security Firewall truly deserves the name Microsoft gave it. I believe this built-in, free, advanced host-based firewall can make Windows Server considerably more secure in the future. But if you do not use it, it will do you no good. So I hope you will try out the new Windows Advanced Firewall today.