Transcript PPT-05

Lecture 12
Windows Firewall and Action Center
Firewalls
• Protect networks by stopping network traffic from passing through them
• Implemented as either a hardware or software entity (or a combination of both)
• Allow internal traffic to leave the network
  • Ex. email to the outside world, web access, etc.
• Stop unwanted traffic from the outside world from entering the internal network
• Achieve these things through the use of rules
  • Inbound, outbound, and connection-specific rules
• Two types of firewalls:
  • Network perimeter firewalls
  • Host-based firewalls
Rule Types
• There are 3 basic types of rules:
  • Inbound Rules: Help protect your computer from other computers making unsolicited connections to it
  • Outbound Rules: Help protect your computer by preventing your computer from making unsolicited connections to other computers
  • Connection-specific Rules: Enable a computer’s administrator to create and apply rules based on a specific connection
    • In Windows, this is referred to as Network Location Awareness
Figure: Incoming Rules and Outgoing Rules
Network Perimeter Firewalls
• Located at the boundary between the internal network and external networks such as the Internet
• Provide a variety of services
• Can be hardware-based, software-based, or a combination of both
• Some of these types of firewalls provide application proxy services, like Microsoft Internet Security and Acceleration (ISA) Server
• Functionality provided:
  • Management and control of network traffic
  • Inspecting the state of communications between hosts
  • Authentication and encryption
• Cannot provide protection for traffic generated inside a trusted network
Host-based Firewalls
• Run on individual computers and provide protection for traffic generated inside a trusted network
• Protect a host from unauthorized access and attack
• Provide an extra layer of security in your network
• Windows Firewall with Advanced Security can block specific types of outgoing traffic in addition to blocking unwanted incoming traffic
Figure: Host Firewall
Network Location Awareness
• Windows 7 supports Network Location Awareness
• Enables network-interacting programs to change their behavior based on how the computer is connected to the network
• In the case of Windows Firewall with Advanced Security, you can create rules that apply only when the profile associated with a specific network location type is active on your computer
• There are three location types:
  • Public
  • Private
  • Domain
Network Location Awareness
• Public Location Type:
  • Assigned by default to any new network when it is first connected
  • A public network is considered to be shared with the world
  • No protection between the local computer and any other computer
  • Firewall rules associated with the public profile are the most restrictive
Network Location Awareness
• Private Location Type:
  • Can be manually selected by a local administrator for a connection to a network that is not directly accessible to the public
  • The connection may be to a home or office network that is isolated from publicly accessible networks by a firewall device or a device that performs network address translation (NAT)
  • Wireless networks assigned the private network location type should be protected by using an encryption protocol such as Wi-Fi Protected Access (WPA) or WPA2
  • A network is never automatically assigned the private network location type
    • It must be assigned by the administrator
  • Windows remembers the network, and the next time you connect to it, Windows automatically assigns the network the private network location type
  • Due to the higher level of protection and isolation from the Internet, private profile firewall rules allow more network activity than the public profile rule set
Network Location Awareness
• Domain Location Type:
  • Detected when the local computer is a member of an Active Directory domain and the local computer can authenticate to a domain controller for that domain through one of its network connections
  • An administrator cannot manually assign this network location type
  • Because of the higher level of security and isolation from the Internet, domain profile firewall rules typically permit more network activity than either the private or public profile rule sets
  • On a computer that is running Windows 7, if a domain controller is detected on any network adapter, then the Domain network location type is assigned to that network adapter
Screenshot of Domain Networks
Turning Windows Firewall On and Off
To turn Windows Firewall on or off, simply open the Windows Firewall control panel and click Turn Windows Firewall on or off. The Change notification settings link brings up the same screen as shown on the right.
Not only can you turn the firewall on and off for each network location, you can also block all programs and set a notification when a program is blocked. One of the few reasons you would ever want to turn this off is if you had another firewall program that you want to use instead.
Allowing Programs
Traditionally with firewalls, you open or close a protocol port to allow or block communication through the firewall. With the Windows Firewall included in Windows 7, you specify which programs or features you want to communicate through the firewall. The most common options are available by clicking the Allow a program or feature through Windows Firewall option in the left pane of the Windows Firewall control panel. Only users who are members of the local Administrators group, or who have been delegated the appropriate privileges, are able to modify Windows Firewall settings. If you need to open a port instead of specifying a program, you have to use Windows Firewall with Advanced Security, which is discussed later in this lecture.
Add a Program
If a program that you want to create a rule for is not present on this list, click Allow Another Program. This opens the Add A Program dialog box. If the program that you want to create a rule for is not listed, click Browse to add it. Click the Network Location Types button to specify the network profiles in which the rule should be active.
If a program is blocked, the first time you try to run it you are notified by the firewall, allowing you to configure an exception that allows traffic from this program in the future. If an exception is not configured at this time, you will need to use the steps above to allow traffic through.
Windows Firewall with Advanced Security (WFAS)
• Designed for advanced users and IT professionals
• Offers more powerful configuration options than the standard Windows Firewall
• Can be used to configure Inbound and Outbound rules, block or allow incoming or outgoing connections based on protocols and/or programs and services, and configure IPsec
• Inbound and Outbound rules can be enforced on predefined profiles: Public, Private, Domain, or all profiles
• WFAS is useful when you need a rule that allows traffic for a specific service while connected to one network profile, but not on another
  • Example: You can allow FTP traffic for the Domain (Work) profile, but not for the Public profile
  • This allows computers in your workplace to connect to your computer hosting an FTP service, but the traffic is blocked when you’re connected to another network
• The default inbound policy is to block all connections that do not have a rule (exception) allowing them, unless the incoming traffic is a response to a request that this computer sent
• The default outbound policy allows all outbound connections unless you have explicitly blocked an outbound connection
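The following is an added example, not part of the lecture: it audits the three Network Location Awareness profiles on a Windows 7 host against the defaults just described (firewall on, inbound blocked, outbound allowed) and lists the inbound allow rules that are in force on the most restrictive profile, Public. It uses the HNetCfg.FwPolicy2 COM object (INetFwPolicy2) that Windows Firewall exposes; run it in PowerShell on the Windows host.

```powershell
# Added example, not from the lecture: audit the Network Location Awareness
# profiles against the WFAS defaults described above, using the
# HNetCfg.FwPolicy2 COM object (INetFwPolicy2) that ships with Windows 7.
$fw = New-Object -ComObject HNetCfg.FwPolicy2

# NET_FW_PROFILE_TYPE2 values; CurrentProfileTypes is a bitmask of these.
$profileTypes = @{ Domain = 1; Private = 2; Public = 4 }
# NET_FW_ACTION values returned by DefaultInboundAction / DefaultOutboundAction.
$NET_FW_ACTION_BLOCK = 0
$NET_FW_ACTION_ALLOW = 1

function Get-ProfilePolicyReport {
    # One row per profile: is it active right now, is the firewall on, and do
    # the default actions still match "block inbound, allow outbound"?
    foreach ($name in 'Domain', 'Private', 'Public') {
        $type     = $profileTypes[$name]
        $enabled  = $fw.FirewallEnabled($type)
        $inbound  = $fw.DefaultInboundAction($type)
        $outbound = $fw.DefaultOutboundAction($type)
        New-Object PSObject -Property @{
            Profile         = $name
            Active          = (($fw.CurrentProfileTypes -band $type) -ne 0)
            FirewallEnabled = $enabled
            DefaultInbound  = $(if ($inbound  -eq $NET_FW_ACTION_BLOCK) { 'Block' } else { 'Allow' })
            DefaultOutbound = $(if ($outbound -eq $NET_FW_ACTION_BLOCK) { 'Block' } else { 'Allow' })
            MatchesDefaults = ($enabled -and $inbound -eq $NET_FW_ACTION_BLOCK -and
                               $outbound -eq $NET_FW_ACTION_ALLOW)
        }
    }
}

function Get-PublicInboundAllowRules {
    # Enabled inbound allow rules that apply while the Public profile is active.
    # Profiles is a bitmask; NET_FW_PROFILE2_ALL (0x7FFFFFFF) covers every
    # profile, so "all profiles" rules are caught by the -band test as well.
    # Direction 1 = inbound. Protocol is numeric (6 = TCP, 17 = UDP, 256 = any).
    $fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq $NET_FW_ACTION_ALLOW -and
        (($_.Profiles -band $profileTypes['Public']) -ne 0)
    } | Select-Object Name, ApplicationName, Protocol, LocalPorts
}

Get-ProfilePolicyReport |
    Format-Table Profile, Active, FirewallEnabled, DefaultInbound, DefaultOutbound, MatchesDefaults -AutoSize
Get-PublicInboundAllowRules | Format-Table -AutoSize
```

A profile row with MatchesDefaults set to False, or an unexpected entry in the Public list, is the first thing to investigate when a host is more exposed than the rule set on the slides suggests.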
Windows Firewall with Advanced Security
To access the Windows Firewall with Advanced Security snap-in, open the Network and Sharing Center and click Advanced Settings in the left pane. Or, you can type Windows Firewall with Advanced Security into the Search Programs And Files box in the Start menu. You must be a member of the Administrators group.
Creating Rules
To create an inbound or outbound rule, follow these steps:
First, click Inbound Rules or Outbound Rules in the left pane, depending on which type of rule you are trying to create. In this case, we selected Inbound Rules.
Click the Action menu and select New Rule.
New Inbound Rule Wizard
This brings up the New Inbound Rule Wizard. In this window you can define a rule based on a program, a port, a predefined service or feature, or multiple parameters (custom rule). The program and predefined rules are the same as those found in the standard Windows Firewall. The custom rule allows you to configure a rule based on more than one option, for example, a rule that involves a specific program and ports.
New Inbound Rule Wizard
What happens from here depends on the type of rule you are going to create and we suggest that
you familiarize yourself with all of them. In this case, we are going to create a custom rule.
Applying to a Specific Program
Here you can apply the rule to all programs, browse to a specific program, or apply it to a service. We're going to apply ours to a specific program by clicking Browse and selecting a program.
Apply to Specific Protocols and Ports
Here we can apply the rule to specific protocols and ports. We selected a TCP port.
Define Scope of the Rule
Next, we define the scope of the rule. We have the option to configure local and remote addresses.
The local IP address is used by the local computer to determine if the rule applies. The rule only
applies to network traffic that goes through a network adapter that is configured to use one of the
specified addresses. Specify the remote IP addresses to which the rule applies. Network traffic
matches the rule if the destination IP address is one of the addresses in the list.
Allow or Block Connection
Next, we can allow the connection, allow the connection if it is secure, or block the connection.
Choosing Network Locations
Now we choose which network locations the rule will apply to.
Firewalls
In the final step, we enter a name and description for the rule and click Finish.
The previous instructions only demonstrate one of the possible types of rules
you can create, and the dialogue boxes will vary depending on the type of
rule and selections you make.
In addition to inbound and outbound rules, you can also configure Connection
Security Rules.
Import and Export:
WFAS allows you to import and export the current firewall configuration for the
purpose of easy configuration on stand-alone computers. To roll out the
firewall configuration on a company network, it is better to use group policy.
The import and export feature also essentially enables you to make a backup
copy of your configuration before you make changes to it. Exported policy
files are binary with a .wfw extension.
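The wizard steps above (program, TCP port, remote scope, allow, Domain profile only) and the export/import backup just described, combined into one scripted workflow as an added example that is not part of the lecture. It uses netsh advfirewall, the command-line interface to WFAS that ships with Windows 7, and must be run from an elevated PowerShell prompt; the program path, rule name, port and address range are placeholders.

```powershell
# Added example, not from the lecture: build the custom inbound rule from the
# wizard walkthrough with netsh advfirewall, taking a .wfw export first so the
# change can be rolled back. All values below are hypothetical placeholders.
$ruleName  = 'Example FTP server (Domain only)'
$program   = 'C:\ExampleFtp\ftpd.exe'   # hypothetical program path
$port      = 21                         # FTP control channel
$remoteNet = '10.0.0.0/24'              # hypothetical office subnet
$backup    = Join-Path $env:TEMP ('wfas-backup-{0:yyyyMMdd-HHmmss}.wfw' -f (Get-Date))

# 1. Export the current policy (binary .wfw) before changing anything.
netsh advfirewall export "$backup" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export to $backup failed; policy left untouched." }

# 2. Program + protocol/port + remote scope + action + profile, matching the
#    wizard pages. profile=domain keeps the rule inactive on Private and Public.
netsh advfirewall firewall add rule name="$ruleName" dir=in action=allow `
    program="$program" protocol=TCP localport=$port remoteip=$remoteNet `
    profile=domain enable=yes `
    description="Allow FTP control connections from the office subnet, Domain profile only"

# 3. Verify the rule exists with the intended profile; otherwise restore the backup.
$shown = netsh advfirewall firewall show rule name="$ruleName" verbose
if ($LASTEXITCODE -ne 0 -or -not ($shown -match 'Profiles:\s+Domain')) {
    Write-Warning "Rule not created as expected; restoring policy from $backup"
    netsh advfirewall import "$backup"
} else {
    $shown
}
```

To undo the change later, `netsh advfirewall firewall delete rule name="$ruleName"` removes only this rule, while importing the saved .wfw replaces the whole policy, which is what the slide means by a backup copy.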
Action Center & Windows Defender
Configuring the Action Center
These days, having a firewall just isn’t enough. Spyware and viruses are becoming more widespread, more
sophisticated, and more dangerous. Users can unintentionally pick up spyware and viruses by visiting
websites, or by installing an application in which spyware and viruses are bundled.
Even worse, malicious software cannot typically be uninstalled. Thus, antispyware and virus protection applications
are also required to ensure that your computer remains protected. You can further protect your Windows 7
computers using the Action Center.
Using Windows Defender
Windows 7 comes with an antispyware application called Windows Defender. Windows Defender offers real-time
protection from spyware and other unwanted software. You can also configure Windows Defender to scan for
spyware on a regular basis.
Like antivirus programs, Windows Defender relies on definitions, which are used to determine whether a file
contains spyware. Out-of-date definitions can cause Windows Defender to fail to detect some spyware.
Windows Update is used to regularly update the definitions used by Windows Defender so that the latest
spyware can be detected. You can also configure Windows Defender to manually check for updates using
Windows Update.
To access Windows Defender, click Start → Control Panel → (Large Icons view) Action Center → Windows Defender. The status appears at the bottom of the screen and includes the time of the last scan, the scan schedule, the real-time protection status, and the definition version.
Windows Defender
Let’s look at how we can scan the system for spyware using Windows Defender.
Performing a Manual Scan
You can configure Windows Defender to perform a manual scan of your computer at any
time. You can perform the following three types of scans:
◆ Quick Scan checks only where spyware is most likely to be found.
◆ Full Scan checks all memory, running processes, and folders.
◆ Custom Scan checks only the drives and folders that you select.
By default, Windows Defender performs a Quick Scan daily at 2 A.M. You can change this setting by using the Tools menu option.
Programs are classified into four spyware alert levels: Severe, High, Medium, and Low.
Depending on the alert level, you can choose to have Windows Defender ignore,
quarantine, remove, or always allow software.
Configuring Windows Defender
Use the Tools and Settings menu to configure Windows Defender. You can access the following
items through this menu:
◆ Options
◆ Microsoft SpyNet
◆ Quarantined Items
◆ Allowed Items
◆ Windows Defender Website
◆ Microsoft Malware Protection Center
Windows Defender Options
Options - Click Options on the Tools and Settings menu to configure the default behavior of Windows Defender. You can configure the following options:
Automatic Scanning - You can configure whether Windows Defender scans automatically, how often automatic scans should occur, the time at which scans will occur, and the type of scan to perform.
Default Actions - You can configure the actions Windows Defender should take on High, Medium, and Low alert items. You can set each level so that Windows Defender takes the default action for that level, always removes the item, or always ignores the item.
Real-Time Protection - You can configure whether real-time protection is enabled, which security agents you want to run, how you should be notified about threats, and whether a Windows Defender icon is displayed in the notification area.
Windows Defender Options Continued
Excluded Files And Folders - You can set up files and folders that are to be excluded during a scan.
Excluded File Types - You can specify certain file types that will be excluded from a scan. For example, you can exclude all .doc files if needed.
Advanced - These options let you configure whether:
◆ Archived files and folders are scanned
◆ Email is scanned
◆ Removable drives are scanned
◆ Heuristics are used to detect unanalyzed software
◆ A restore point is created before removing spyware
You can also specify file locations that are exempt from scanning.
Administrator - These options let you configure whether Windows Defender is enabled, and whether items from all users on this computer are displayed.
Windows Defender
Microsoft SpyNet
Microsoft SpyNet is an online community that can help you know how others respond to software
that has not yet been classified by Microsoft. Participation in SpyNet is voluntary, and
subscription to SpyNet is free. If you choose to volunteer, your choices will be added to the
community so that others can learn from your experiences.
To join the SpyNet community, click Microsoft SpyNet on the Tools menu, and then choose either a
basic or advanced membership. The level of membership will specify how much information is
sent to Microsoft when potentially unwanted software is found on your computer.
By default, I Do Not Want To Join Microsoft SpyNet At This Time is selected, but you can choose to
participate in SpyNet by selecting the appropriate radio button. If you choose not to participate,
no information is sent to Microsoft, and Windows Defender does not alert you regarding
unanalyzed software.
Quarantined Items
Software that has been quarantined by Windows Defender is placed in Quarantined Items.
Quarantined software will remain here until you remove it. If you find that a legitimate application
is accidentally removed by Windows Defender, you can restore the application from Quarantined
Items.
Windows Defender
Allowed Items
Software that has been marked as allowed is added to the Allowed Items list. Only trusted software should
be added to this list. Windows Defender will not alert you regarding any software found on the Allowed
Items list. If you find that a potentially dangerous application has been added to the Allowed Items list,
you can remove it from the list so that Windows Defender can detect it.
Windows Defender Website
Clicking Windows Defender Website opens Internet Explorer and takes you to the Windows Defender
website. Here you can find information on Windows Defender, spyware, and security.
Microsoft Malware Protection Center
Clicking Microsoft Malware Protection Center opens Internet Explorer and takes you to the Malware
Protection Center website. Here, you can find information on antimalware research and responses.
History Menu Option
There is also a History menu option next to the Tools option. You can use the History menu option to see
what actions have been taken by Windows Defender. Information is included about each application,
the alert level, the action taken, the date, and the status. Information is retained until you click the Clear
History button.