Windows Filtering Platform
Windows Filtering Platform (WFP) is a collection of application programming interfaces (APIs) and system services that allow for the creation of network-filtering applications on Windows Vista or later. By using WFP, third-party developers can create host-based security tools such as these:
■ Intrusion-detection systems
■ Network-monitoring tools
■ Antivirus programs
■ Parental controls
WFP is also the underlying engine used for implementing packet-filtering logic in Windows Firewall with Advanced Security. The components of WFP include the following:
■ Base Filter Engine (BFE) This component runs in user mode and receives filtering requests from Windows Firewall with Advanced Security. Such requests are then forwarded to the Generic Filter Engine.
■ Generic Filter Engine (GFE) This component runs in kernel mode and receives filtering requests from the BFE. The GFE then makes such requests available to callout modules that map to different layers of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack. As the TCP/IP protocol stack processes a packet, each callout module calls the GFE to determine whether to accept or reject the packet.
■ Callout modules These run in kernel mode and are used by the GFE to inspect the different layers of a packet as the packet is passed down the TCP/IP protocol stack. For example, the Transport Layer module is used to inspect the Transport Layer protocol portion of the packet, which is either TCP or User Datagram Protocol (UDP).
Note: The BFE can support multiple clients simultaneously. This means that a third-party, WFP-aware application can interact with, and even override, Windows Firewall with Advanced Security if so designed.
The APIs of the BFE are all publicly documented so that ISVs can create applications that hook into the advanced filtering capabilities of the Next Generation TCP/IP Stack in Windows Vista and later versions. Some of the filtering features of the WFP are implemented using callouts, but most filtering is performed using static filters created by the BFE as it interacts with Windows Firewall. The Windows Firewall service monitors the system to make sure the filters passed to BFE reflect the environment of the system at any given time. These public WFP APIs are scriptable and expose the full configurability of Windows Firewall, but they have some limitations, such as no support for IPsec integration.
- Firewall State You use this setting to enable or disable Windows Firewall with Advanced Security for the selected profile. Microsoft recommends that you always leave this set to On.
- Inbound Connections You use this setting to configure how Windows Firewall with Advanced Security handles incoming traffic. These are the three available options:
■ Block Blocks all connections that do not have firewall rules that explicitly allow the connection.
■ Block All Connections Blocks all connections, regardless of any firewall rules that explicitly allow the connection.
■ Allow Allows the connection unless there is a firewall rule that explicitly blocks the connection.
The default value for the inbound connections property is Block.
- Outbound Connections You use this setting to configure how Windows Firewall with Advanced Security handles outgoing traffic. The only two options available here are Block and Allow. The default setting for the Outbound Connections property is Allow, which means that all traffic leaving the host is allowed to pass through the firewall unless an explicit outbound rule prohibits this for a certain type of outgoing traffic.
- Protected Network Connections This setting opens a dialog box you can use to specify which network connections should be protected by the rules associated with the selected profile. For example, on a multihomed computer with two network connections to different networks of type private, the dialog box for the private profile would display two check boxes. By default, both private networks would be protected.
- Display a notification: Specify whether Windows Firewall with Advanced Security should display a notification to the user when a program on the user's computer is blocked from receiving inbound connections. When such a notification is displayed, the user can select an option that unblocks the program as long as the user has sufficient privileges (belongs to the local Administrators or Network Configuration Operators security group). When the user chooses to unblock a program, an inbound program rule for the program is automatically created on the user's computer.
- Allow unicast response: Specify whether Windows Firewall with Advanced Security waits several seconds for unicast responses from other computers to which the local computer has sent multicast or broadcast messages.
- Rule merging allows users who are members of the local Administrators or Network Configuration Operators security group on the computer to create and apply local rules that are merged together with any rules being applied to the computer by Group Policy. By default this setting is greyed out in the local console and can only be configured by using Group Policy. To configure it, open Group Policy Management on the DC, edit the "Default Domain Policy" GPO, and navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Security Settings\Windows Firewall with Advanced Security – LDAP://CN=XXXXXXX.
In the right pane, click "Windows Firewall Properties". You will get a window like the one in the WFAS MMC. Click Customize… next to the Settings section, then under Rule merging set "Apply local firewall rules:" or "Apply local connection security rules:" to No, and click OK.
Open a CMD window on the test machine and run gpupdate /force. Log in again and check that Rule merging now shows No.
- Name: Specify a location for the firewall log file to be saved.
- Size Limit: Specify the maximum size in KB to which the log file can grow. Once the log file reaches this size, the file has ".old" appended to its file name and a second file is created. When the second file reaches the maximum size, the existing *.old file is deleted and the second file becomes the new *.old file.
- Log Dropped packets: Specify whether a log entry should be created when Windows Firewall with Advanced Security disallows a connection for any reason. These entries can be identified by the word “DROP” in the Action field.
- Log successful connections: Specify whether a log entry should be created when Windows Firewall with Advanced Security allows an inbound connection for any reason. These entries can be identified by the word “ALLOW” in the Action field.
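The per-profile settings listed above can be audited and corrected from PowerShell with the NetSecurity module (Windows 8 / Server 2012 or later). The script below is an added example, not part of the original notes; the baseline values are this example's own assumption, chosen to match the defaults and recommendations described, and the rule-merging setting is reported only, since the notes say it can only be applied through Group Policy.

```powershell
# Added example (not from the original notes): audit each firewall profile
# against a baseline and optionally fix drift. Run in an elevated session.
# The baseline values are this example's assumption.
param([switch]$Remediate)

$Baseline = [ordered]@{
    Enabled                 = 'True'   # Firewall State: leave On
    DefaultInboundAction    = 'Block'  # Inbound Connections default
    DefaultOutboundAction   = 'Allow'  # Outbound Connections default
    NotifyOnListen          = 'True'   # Display a notification
    LogBlocked              = 'True'   # Log dropped packets (DROP entries)
    LogMaxSizeKilobytes     = 16384    # Size Limit before rollover to *.old
    AllowLocalFirewallRules = 'False'  # Rule merging: GPO rules only
}
# Settings the notes say can only be applied through Group Policy:
# report drift, but do not try to set them in the local policy store.
$GpoOnly = @('AllowLocalFirewallRules')

# ActiveStore shows the effective values after GPO and local settings merge
$drift = foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    foreach ($key in $Baseline.Keys) {
        # GpoBoolean/Action values ("True", "Block", ...) compare cleanly as strings
        $actual = "$($p.$key)"
        if ($actual -ne "$($Baseline[$key])") {
            [pscustomobject]@{ Profile = $p.Name; Setting = $key
                               Actual = $actual; Expected = $Baseline[$key] }
        }
    }
}

if (-not $drift) { Write-Host 'All profiles match the baseline.'; return }
$drift | Format-Table -AutoSize

if ($Remediate) {
    foreach ($d in $drift | Where-Object Setting -notin $GpoOnly) {
        # Splat one setting at a time so one rejected value does not abort the rest
        $params = @{ Name = $d.Profile }
        $params[$d.Setting] = $d.Expected
        Set-NetFirewallProfile @params
    }
    $drift | Where-Object Setting -in $GpoOnly |
        ForEach-Object { Write-Warning "$($_.Profile): $($_.Setting) must be set in a GPO" }
}
```

Run it without -Remediate first to see the drift report; with -Remediate it applies the locally settable values and warns about the ones that need a GPO.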
Note: Another useful source for viewing information about firewall policy changes for Windows Firewall with Advanced Security is the operational log found here in Event Viewer:
Applications and Services Logs/Microsoft/Windows/Windows Firewall with Advanced Security/Firewall
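The DROP and ALLOW entries described above, and the rolled-over *.old file, can be read back for a quick review of what the host is refusing, and the operational log can be queried for rule changes. This is an added example, not from the original notes; the log path is the built-in default (adjust it if the Name setting was changed), the fallback log lines are constructed sample data, and the event IDs 2004/2005/2006 are the firewall's rule added/modified/deleted events.

```powershell
# Added example (not from the original notes): summarise dropped inbound
# packets from pfirewall.log (plus its *.old rollover) and list recent rule changes.
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    # W3C-style log: a "#Fields:" header names the space-separated columns,
    # and "-" marks a field that does not apply to the packet.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
}

$logFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$lines = @()
foreach ($f in "$logFile.old", $logFile) {      # oldest file first
    if (Test-Path $f) { $lines += Get-Content $f }
}

# Constructed sample lines (not real traffic) used when no log file exists
if (-not $lines) {
    $lines = @(
        '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
        '2024-01-15 10:22:33 DROP TCP 192.0.2.10 198.51.100.5 50123 445 52 S 1 0 8192 - - - RECEIVE',
        '2024-01-15 10:22:34 DROP TCP 192.0.2.10 198.51.100.5 50124 3389 52 S 1 0 8192 - - - RECEIVE',
        '2024-01-15 10:22:35 ALLOW TCP 198.51.100.5 203.0.113.7 49200 443 0 - 0 0 0 - - - SEND'
    )
}

$entries = ConvertFrom-FirewallLog -Lines $lines
# Inbound DROP entries grouped by destination port and source: noisy sources stand out
$entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'dst-port', 'src-ip' | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Rule changes recorded in the operational log (2004 added, 2005 modified, 2006 deleted)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004, 2005, 2006
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```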
A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:
■ Domain profile Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
■ Private profile Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
■ Public profile Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.
Each network adapter is assigned the firewall profile that matches the detected network type. For example, if a network adapter is connected to a public network, then all traffic going to or from that network is filtered by the firewall rules associated with the Public profile.
Windows Server 2008 R2 and Windows 7 provide support for multiple active per-network adapter profiles. In Windows Vista and Windows Server 2008, only one profile can be active on the computer at a time. If there are multiple network adapters connected to different networks, then the profile with the most restrictive profile settings is applied to all adapters on the computer. The Public profile is considered to be the most restrictive, followed by the Private profile; the Domain profile is considered to be the least restrictive.