Access Protection
By their nature, networks can allow healthy computers to communicate with unhealthy computers and malicious tools to attack legitimate applications. This can result in costly security compromises, such as a worm that spreads rapidly through an internal network or a sophisticated attacker who steals confidential data across the network. Windows Server 2008 R2 supports two technologies that are useful for improving network security: Windows Firewall and Network Access Protection (NAP). Windows Firewall can filter incoming and outgoing traffic, using complex criteria to distinguish between legitimate and potentially malicious communications. NAP requires computers to complete a health check before allowing unrestricted access to your network and facilitates resolving problems with computers that do not meet health requirements.
This lesson describes how to plan and implement Windows Firewall and NAP using Windows Server 2008 R2.
Exam objectives in this chapter:
■ Configure Windows Firewall with Advanced Security.
■ Configure Network Access Protection (NAP).
Lessons in this chapter:
■ Lesson 1: Configuring Windows Firewall
■ Lesson 2: Configuring Network Access Protection
Before You Begin
To complete the lessons in this chapter, you should be familiar with Windows networking and be comfortable with the following tasks:
■ Adding roles to a computer running Windows Server 2008 R2
You will also need the following nonproduction hardware connected to test networks:
■ A computer named Dcsrv1 that is a domain controller in the Nwtraders.msft domain. This computer must have at least one network interface that you can connect to either the Internet or a private network.
Note: Computer and Domain Names
The computer and domain names you use will not affect these exercises. The practices in this chapter refer to these computer names for simplicity, however.
■ A computer named Hartford that is running Windows 7 Professional, Enterprise, or Ultimate, and is a member of the Nwtraders.msft domain. You must use Windows 7 because Windows Server 2008 R2 does not support the Windows Security Health Validator.
Real World
Tony Northrup
Instead of absolutes, security can be measured only in degrees of risk. Although NAP can’t prevent a determined, skilled attacker from connecting to your network, NAP can improve your network security by helping keep computers up to date and ensuring that legitimate users do not accidentally connect to your internal network without meeting your security requirements. When evaluating NAP as a way to protect against malicious attackers, remember that NAP trusts the System Health Agent (SHA) to report on the health of the client. The SHA is also running on the client computer. So it’s a bit like airport security merely asking people if they are carrying any banned substances—people without any malicious intent would happily volunteer anything they accidentally brought. People with malicious intent would simply lie.
It’s not quite as easy as simply lying, because the SHA signs the Statement of Health (SoH) to help prove that the health report is genuine. Additional security measures, such as requiring IPsec connection security, can help further reduce the opportunity for attackers. Nonetheless, with some time and effort, it’s entirely possible that someone will create a malicious SHA that impersonates a legitimate SHA.
Lesson 1: Configuring Windows Firewall
Windows Firewall filters incoming traffic to help block unwanted network traffic. Optionally, Windows Firewall can also filter outgoing traffic to help limit the risk of malware. Although Windows Firewall’s default settings will work well with components built into Windows, they might prevent other applications from functioning correctly. Windows Firewall’s default settings can also be significantly improved to provide even stronger
After this lesson, you will be able to:
■ Describe the purpose of firewalls.
■ List the three firewall profiles and how each is used.
■ Create a firewall rule to allow inbound traffic.
■ Create a firewall rule to allow outbound traffic and enable outbound filtering.
■ Configure the scope of a firewall rule to limit communications to specific subnets.
■ Configure firewall rules to require IPsec connection security and, optionally, limit authorization to specific users and computers.
■ Use Group Policy settings to configure firewall rules in an Active Directory domain environment.
■ Enable Windows Firewall logging so that you can isolate problems related to firewall rules.
■ Identify network communications used by a specific application so that you can create rules for the application.
Estimated lesson time: 45 minutes
Why Firewalls Are Important
In networking, firewalls analyze communications and drop packets that haven’t been specifically allowed. This is an important task, because connecting to the Internet means any of the millions of other Internet-connected computers can attack you. A successful compromise can crash a service or computer, compromise confidential data, or even allow the attacker to take complete control of the remote computer. In the case of worms, automated software attacks computers across the Internet, gains elevated privileges, copies itself to the compromised computer, and then begins attacking other computers (typically at random).
The purpose of a firewall is to drop unwanted traffic, such as traffic from worms, while allowing legitimate traffic, such as authorized file sharing. The more precisely you use firewall rules to identify legitimate traffic, the less you risk exposure to unwanted traffic from worms.
Firewall Profiles
When you create firewall rules to allow or block traffic, you can separately apply them to the Domain, Private, and Public profiles. These profiles enable mobile computers to allow incoming connections while connected to a domain network (for example, to allow incoming Remote Desktop connections) but block connection attempts on less secure networks (such as public wireless hotspots).
The firewall profiles are:
■ Domain Applies when a computer is connected to its Active Directory domain. Specifically, any time a member computer’s domain controller is accessible, this
■ Private Applies when a computer is connected to a private network location. By default, no networks are considered private—users must specifically mark a network location, such as their home office network, as private.
■ Public The default profile applied to all networks when a domain controller is not available. For example, the Public profile is applied when users connect to Wi-Fi hotspots at airports or coffee shops. By default, the Public profile allows outgoing connections but blocks all incoming traffic that is not part of an existing connection.
Most servers are always connected to a domain environment. To ensure consistent operation even when a domain controller is not available, configure the same firewall rules for all three profiles when configuring a server.
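The following PowerShell is an added example, not part of the training kit: it shows the default inbound/outbound posture of the three profiles, creates an inbound rule that is applied to all three profiles (as recommended above for servers) with a constructed service port and subnet scope, and then audits for rules that would silently stop matching when a server loses sight of its domain controller and flips to the Public profile. It assumes the NetSecurity cmdlets (Windows 8 / Windows Server 2012 and later); on Windows Server 2008 R2 the same operations are done with netsh advfirewall.

```powershell
# Added example (not from the training kit). Assumes the NetSecurity module
# (Windows Server 2012 and later); on Windows Server 2008 R2 use
# "netsh advfirewall firewall add rule ..." for the equivalent operations.

# 1. Show the default posture of each profile. Out of the box all three block
#    unsolicited inbound traffic and allow outbound traffic.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Create an inbound rule for a hypothetical line-of-business service on
#    TCP 8443 (constructed value). It is applied to Domain, Private AND Public
#    so the server behaves the same when no domain controller is reachable,
#    and its scope is limited to an internal subnet (constructed value).
New-NetFirewallRule -DisplayName "LOB App (TCP 8443 inbound)" `
    -Direction Inbound -Protocol TCP -LocalPort 8443 -Action Allow `
    -Profile Domain,Private,Public `
    -RemoteAddress 10.0.0.0/8

# 3. Audit: enabled inbound Allow rules that are NOT bound to every profile.
#    On a server, each of these is a service that will become unreachable
#    the moment the active profile changes (for example, DC unavailable).
function Get-ProfileInconsistentRule {
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object {
            $p = "$($_.Profile)"          # e.g. "Any", "Domain", "Domain, Private"
            $p -ne 'Any' -and
            -not ($p -match 'Domain' -and $p -match 'Private' -and $p -match 'Public')
        } |
        Select-Object DisplayName, Profile, Group
}

Get-ProfileInconsistentRule | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; the audit output is the list of rules to review before relying on a server that may be disconnected from its domain.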