Dec 03 2009

Security Blanket: Vista's Outbound Firewall

You can configure outbound filtering to provide an additional layer of security – at little extra cost.

Many decried the Windows Vista firewall as broken when Microsoft released the operating system in 2006 because outbound filtering was turned off by default at the request of enterprise customers. But even in a disabled state, Vista's firewall does provide limited outbound filtering.

The firewall has three distinct outbound filtering modes. In a disabled state, it uses outbound filtering rules to protect built-in Windows services as part of the service-hardening work undertaken during Vista's development. The firewall can block outbound traffic from built-in services if unusual behavior is detected. Additionally, certain outbound network messages are blocked to guard against port-scanning attacks.

When you enable outbound filtering, a set of standard rules keeps core network functionality working. Any additional applications that require outbound access must be added to the rules list. This can be done using the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in, from the command line or through Group Policy.

Finally, the firewall incorporates Internet Protocol Security (IPsec) rules for authentication and encryption. Domain isolation can be configured to allow PCs joined to an Active Directory domain to send outbound traffic to one another (or to devices specified by systems administrators) and block any other outbound traffic. IPsec domain isolation rules are intended to protect groups of trusted computers, not prevent PCs in a domain from communicating with one another.

Is It Worth Enabling Outbound Filtering?

Microsoft argues that outbound filtering is not necessary because malware that infects a machine might simply disable the firewall. Although other defense-in-depth mechanisms, such as running as a standard user and applying software restriction policies, are more important than filtering, organizations could still benefit from the additional protection.

With the exception of a few core networking features, PCs on a corporate network shouldn't be communicating with one another, only with designated servers. You can enforce this practice with outbound filtering. Doing so may also keep malware from propagating from PC to PC, limiting the spread of an outbreak. Without software restriction policies, users can run portable apps that generate unwanted outbound traffic.

Windows Firewall Limitations

Vista's firewall has three operating profiles – Domain, Private and Public – that apply filter sets for different types of networks. Though it's possible to assign different firewall profiles to network interfaces, only one profile can be active at a time. The most restrictive profile is always applied, potentially creating access problems for users who are connected to multiple networks simultaneously.

Outbound filtering may be worth setting up on PCs for an additional level of protection, providing extra value at little administrative cost. Although complex outbound rules can be deployed in high-security environments, most organizations should keep it simple and allow outbound traffic only to server IP addresses.

Notebook systems need to be configured and tested more carefully because of the limitations of the firewall in Vista. Windows 7 addresses Vista's shortcomings by allowing multiple firewall profiles to be active concurrently.

How to Configure Outbound Filters

The first step is to enable outbound filtering using the Windows Firewall with Advanced Security MMC on a single PC:

  1. Log on to a Vista PC as a domain administrator, type wf.msc in the Search box on the Start menu and press ENTER.

    To log on to a domain and access other network resources, we'll need to add a rule that allows outbound traffic from Vista to designated servers.

  2. Expand Windows Firewall with Advanced Security on Local Computer and select Outbound Rules.
  3. Right click Outbound Rules and select New Rule from the menu.
  4. In the Rule Type dialog, select Custom and click Next.
  5. Check All programs. Click Next.
  6. Accept the default settings in the Protocols and Ports dialog. Click Next.
  7. In the bottom half of the Scope dialog, check These IP addresses under Which remote IP addresses does this rule match?
  8. Click Add. Check This IP address or subnet, enter the IP address of your domain controller and click OK.
  9. Repeat Step 8 for each server you want to add. In this example, I've added two servers: a domain controller and an Exchange Server (Figure 1). To make troubleshooting easier, you may also want to include the IP addresses of any PCs that sysadmins use to administer the network. Click Next to continue.

    Figure 1.

  10. In the Action dialog, check Allow the connection. Click Next.
  11. Check Domain under When does this rule apply? and click Next (Figure 2).

    Figure 2.

  12. Name the rule Outbound Servers and click Finish.

    Complete Steps 13 to 18 if the Outbound Servers rule doesn't include the proxy server that Internet Explorer uses.

  13. Right click Outbound Rules and select New Rule from the menu.
  14. Check Program in the Rule Type dialog and click Next.
  15. Check This program path, click Browse to select the path of iexplore.exe (Figure 3) and click Next.

    Figure 3.

  16. Check Allow the connection in the Action dialog. Click Next.
  17. Check Domain and Public in the Profile dialog and click Next.
  18. Name the rule Internet Explorer and click Finish. You should now see two new rules added to the list in the right MMC pane (Figure 4).

    Figure 4.

    Finally, we'll enable outbound filtering for the Domain profile.

  19. Right click Windows Firewall with Advanced Security on Local Computer and select Properties from the menu.
  20. On the Domain Profile tab, change Outbound Connections from the default setting to Block (Figure 5) and click OK.

    Figure 5.

Now that outbound traffic is being blocked, you should test core functionality on your PC to ensure that you can log on to the domain successfully, access network resources and use Internet Explorer.
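The same configuration can be applied from the command line with the netsh advfirewall context that ships with Vista. This is an added example, not part of the original article; the server addresses 192.0.2.10 and 192.0.2.20 and the Internet Explorer path are constructed placeholders.

```batch
@echo off
rem Added example: netsh equivalent of the MMC steps above.
rem Run from an elevated command prompt on the Vista PC being configured.
rem 192.0.2.10 / 192.0.2.20 are constructed placeholders for the domain
rem controller and the Exchange server; substitute your own addresses.

rem Create the allow rules FIRST. Switching the Domain profile to block
rem outbound before they exist would cut off domain logon and Group
rem Policy refresh on the very machine you are configuring.

rem Custom rule, all programs, Domain profile only, remote IPs restricted
rem to the designated servers (omitting program= matches all programs).
netsh advfirewall firewall add rule name="Outbound Servers" ^
    dir=out action=allow profile=domain ^
    remoteip=192.0.2.10,192.0.2.20

rem Program rule for Internet Explorer, Domain and Public profiles.
netsh advfirewall firewall add rule name="Internet Explorer" ^
    dir=out action=allow profile=domain,public ^
    program="%ProgramFiles%\Internet Explorer\iexplore.exe"

rem Keep inbound at its default (block) and set outbound connections
rem to block for the Domain profile only; Private and Public are untouched.
netsh advfirewall set domainprofile firewallpolicy blockinbound,blockoutbound

rem Verify: the profile should report BlockOutbound and both rules
rem should be listed as enabled before you log off.
netsh advfirewall show domainprofile
netsh advfirewall firewall show rule name="Outbound Servers"
netsh advfirewall firewall show rule name="Internet Explorer"

rem Export the complete policy (all profiles and rules, not only the
rem outbound filters) as a .wfw file for import into a GPO.
netsh advfirewall export "%USERPROFILE%\Desktop\rules.wfw"
```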

Adding Firewall Rules to a Group Policy Object

Once you're happy that everything is working on your Vista PC, export the rule set and add the configuration to a Group Policy Object (GPO). This will configure all Vista PCs on your network with the same rule set.

  1. On your Vista PC, right click Windows Firewall with Advanced Security on Local Computer and select Export Policy from the menu.
  2. Name the file rules and save it to your desktop. Note that this file will contain all Windows Firewall settings, not just outbound filters.
  3. Log on as a domain administrator to Windows Server 2008 and open Group Policy Management from Administrative Tools on the Start menu.
  4. In the left pane, expand Forest > Domains and select your domain. Because the firewall rules we configured were not designed to be applied to servers, select an Organizational Unit (OU) that contains only PCs. In this example, I have an OU named Clients, which contains all my Vista PCs. Right click the OU and select Create a GPO in this domain, and Link it here.
  5. Name the GPO Windows Firewall and click OK (Figure 6).

    Figure 6.

  6. Right click the new GPO and select Edit from the menu. In the Group Policy Management Editor window, under Computer Configuration, expand Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
  7. Right click the Windows Firewall with Advanced Security node and select Import Policy from the menu. Click Yes in the warning dialog, browse to the rules.wfw file saved earlier and click Open.
  8. Click OK when Policy successfully imported appears.
  9. Click Outbound Rules under the Windows Firewall node and you should see the two additional rules in the list on the right. Close the Group Policy Management Editor window.

Our new GPO will apply to computers in the Clients OU the next time Group Policy is refreshed.