The integrated firewall that is included with Windows Server 2008 R2 vastly improved over previous versions integrated firewall which is turned on
by default. The firewall, which is administered from an MMC snap-in as shown below (that can be accessed at Start>All Programs>Administrative Tools>Windows Firewall with Advanced Security) and provides unprecedented security and control on a server.
The new firewall with advanced security is n0w fully integrated into the Server Manager utility and also the Server Roles Wizard. If, for example, an admin runs the Server Roles Wizard and elects to make the server a file server, the ports and protocols which are required for file server access are only then opened on the server.
Most Windows Server admins instinctively disable software firewalls on servers, due to the numerous problems with this functionality in the past. This approach is, however, not recommended in Windows Server 2008 R2 as the product is now tightly integrated with the firewall, and the firewall provides a much higher level of security than in previous versions of Windows Server .
Creating Outbound and Inbound Rules with Windows Firewall
In some instances, when a third-party app isn’t integrated with Server Manager, or when the need arises to to open specific individual ports, it may be necessary to create firewall rules to ensure individual services to run properly. Both inbound rules (ie addressing traffic coming to the server) and outbound rules (ie addressing the server’s outward communication) can be created with the Windows Firewall. These rules can be based on the below factors:
- Program—A rules which allow specific program executable access can be created. For example, you could specify that the c:\Program Files\XYZ Program\xyzprogram.exe file has full outbound access when it is running. Windows Firewall will then allow any type of connections that are made by that program full access. This is useful in scenarios where a specific application server uses multiple varied ports, but the overarching security of firewall provides is still required.
- Port—Entering a traditional TCP or UDP port in the Add Rules Wizard is supported which covers the traditional scenarios like the requirement to open Port 8787 on the server.
- Predefined—Windows Server also ships with predefined rules, such as those which allow AD DS, DFS, BITS, HTTP, and numerous more. The advantage to using these predefined rules is that Microsoft has performed all the work in advance, and it will be much more straightforward to allow a specific service.
- Custom—Custom rule types not covered in the other categories can also be created.
For example, the below steps shows how to create an inbound rule to allow a custom app to use TCP Port 8787 for inbound communication:
- Start Windows Firewall MMC (Start > All Programs >Administrative Tools > Windows Firewall with Advanced Security).
- Select the Inbound Rules node in the node panel.
- On the Actions pane, select New Rule link.
- In the Rule Type page on the New Inbound Rule Wizard select Port to create a rule based on the port, and the click Next.
- On the Protocol and Ports page select TCP, and then enter 8787 in the Specific Local Ports field and then Click Next.
- Select Allow to enable the connection on the Action page. This Action page of the New Inbound Rule Wizard also enables a rule to be configured which will only allow a connection secured using IPSec technologies.
- On the Profile page check all the three check boxes. This will enable an admin to specify that a rule will only apply when connected to specific networks. Then click Next.
- Enter a name for the rule, and then click Finish to complete the process.
You should review the rule settings in the Inbound Rules node which will provide a quick-glance view of the rule settings. You may also include a rule within a rule group – this allows for multiple rules to be bound together for simple on/off application.
Integrated Windows Firewall is now a vital part of the Windows Server security. The newly added ability to define rules based on factors such as profile, scope, IPSec status, etc positions the Windows Server as an OS with one of the highest levels of integrated security.