Windows Filtering Platform. Windows Firewall with Advanced Security - Diagnose and Resolve Issues

Starting with Server 2008 and Vista, Windows includes the WFP mechanism: a set of APIs
and system services. With its help it became possible to deny and allow connections and
to manage individual packets. These innovations were intended to simplify the life of
developers of various protection products. The changes made to the network architecture
affected both the kernel-mode and the user-mode parts of the system. In the first case the
required functions are exported by fwpkclnt.sys, in the second by fwpuclnt.dll (the letters
"k" and "u" in the library names stand for kernel and user respectively). In this article
we will talk about using WFP to intercept and filter traffic, and after reviewing the main
definitions and capabilities of WFP we will write our own simple filter.

Basic concepts

Before we start coding, we absolutely need to familiarize ourselves with Microsoft's
terminology: it will help with understanding this article, and it will make the additional
literature easier to read :). So let's go.

Classification - the process of deciding what to do with a packet.
Possible actions: allow, block, or call a callout.

Callouts are a set of functions in a driver that inspect packets. They include a special
function for classifying packets. This function can make one of the following decisions:

  • allow (FWP_ACTION_PERMIT);
  • block (FWP_ACTION_BLOCK);
  • continue processing;
  • request more data;
  • terminate the connection.

Filters - rules indicating in which cases a particular callout is called. One driver can
have several callouts; in this article we will develop a driver with a single callout. By
the way, there are also built-in callouts, for example the NAT callout.

Layer - an attribute by which various filters are grouped (or, as MSDN puts it, a
"container").

Truth be told, Microsoft's documentation looks rather hazy until you look at the examples
in the WDK. So if you decide to develop something serious, be sure to study them. Now let's
move on to practice. For successful compilation and testing you need the WDK (Windows
Driver Kit), VMware, a virtual machine with Vista installed and the WinDbg debugger.
As for the WDK, I personally have version 7600.16385.0 installed; it contains everything
necessary (since we are developing a driver, we only need fwpkclnt.lib and ntoskrnl.lib)
as well as examples of using WFP. Links to the whole toolkit have been given several times
already, so we will not repeat them.

Coding

To initialize the callout, I wrote the BlInitialize function. The general algorithm for
creating a callout and adding a filter is as follows:

  1. FwpmEngineOpen0 opens a session;
  2. FwpmTransactionBegin0 - start of a transaction with WFP;
  3. FwpsCalloutRegister0 - creating a new callout;
  4. FwpmCalloutAdd0 - adding the callout object to the system;
  5. FwpmFilterAdd0 - adding new filter(s);
  6. FwpmTransactionCommit0 - committing the changes (the added
    filters).

Note that the function names end in 0. In Windows 7, some of these functions were
revised; for example, FwpsCalloutRegister1 appeared (while FwpsCalloutRegister0 was
kept). They differ in their arguments and, as a result, in the prototypes of the classify
functions, but that doesn't matter for us now: the 0-functions work everywhere.

FwpmEngineOpen0 and FwpmTransactionBegin0 are not particularly interesting to us; they are
the preparatory stage. The fun begins with the FwpsCalloutRegister0 function:

FwpsCalloutRegister0 prototype

NTSTATUS NTAPI FwpsCalloutRegister0(
    __inout void *deviceObject,
    __in const FWPS_CALLOUT0 *callout,
    __out_opt UINT32 *calloutId
);

I said earlier that a callout is a set of functions; now it's time to describe this in
more detail. The FWPS_CALLOUT0 structure contains pointers to three functions: a
classifying one (classifyFn) and two notifying ones (about adding/removing a filter
(notifyFn) and about closing a processed flow (flowDeleteFn)). The first two functions are
required; the last one is only needed if you want to monitor the packets themselves, not
just the connections. The structure also contains a unique identifier, the callout GUID
(calloutKey).

Callout registration code

FWPS_CALLOUT sCallout = {0};
sCallout.calloutKey = *calloutKey;
// classify function
sCallout.classifyFn = BlClassify;
// function notifying about adding/removing a filter
sCallout.notifyFn = (FWPS_CALLOUT_NOTIFY_FN0)BlNotify;
// create a new callout
status = FwpsCalloutRegister(deviceObject, &sCallout, calloutId);

FwpmCalloutAdd0 prototype and the FWPM_CALLOUT0 structure

DWORD WINAPI FwpmCalloutAdd0(
    __in HANDLE engineHandle,
    __in const FWPM_CALLOUT0 *callout,
    __in_opt PSECURITY_DESCRIPTOR sd,
    __out_opt UINT32 *id
);

typedef struct FWPM_CALLOUT0_ {
    GUID calloutKey;
    FWPM_DISPLAY_DATA0 displayData; // callout description
    UINT32 flags;
    GUID *providerKey;
    FWP_BYTE_BLOB providerData;
    GUID applicableLayer;
    UINT32 calloutId;
} FWPM_CALLOUT0;

In the FWPM_CALLOUT0 structure we are interested in the applicableLayer field: the unique
identifier of the layer to which the callout is added. In our case it is
FWPM_LAYER_ALE_AUTH_CONNECT_V4. The "V4" in the identifier name means the IPv4 protocol
version; there is also FWPM_LAYER_ALE_AUTH_CONNECT_V6 for IPv6. Given the low prevalence
of IPv6 at the moment, we will only work with IPv4. CONNECT in the name means that we only
control the establishment of connections; individual incoming and outgoing packets to this
address are not seen at this layer! In general there are many layers besides the one we
used; they are declared in the header file fwpmk.h from the WDK.

Adding a callout object to the system

FWPM_CALLOUT mCallout = {0};
FWPM_DISPLAY_DATA displayData = {0};
// callout name and description
displayData.name = L"Blocker Callout";
displayData.description = L"Blocker Callout";
mCallout.calloutKey = *calloutKey;
mCallout.displayData = displayData;
// FWPM_LAYER_ALE_AUTH_CONNECT_V4
mCallout.applicableLayer = *layerKey;
status = FwpmCalloutAdd(gEngineHandle, &mCallout, NULL, NULL);

So, after the callout is successfully added to the system, you need to create a filter,
that is, indicate in which cases our callout (namely its classify function) will be
called. A new filter is created by the FwpmFilterAdd0 function, to which an FWPM_FILTER0
structure is passed as an argument.

FWPM_FILTER0 contains one or more FWPM_FILTER_CONDITION0 structures (their number is given
by the numFilterConditions field). The layerKey field is filled in with the GUID of the
layer we want to attach to. In this case we specify FWPM_LAYER_ALE_AUTH_CONNECT_V4.

Now let's take a closer look at filling in FWPM_FILTER_CONDITION0. First, the fieldKey
must explicitly specify what we want to control: a port, an address, an application or
whatever. In this case FWPM_CONDITION_IP_REMOTE_ADDRESS tells the system that we are
interested in an IP address. The fieldKey value determines what type of value will be in
the FWP_CONDITION_VALUE structure included in FWPM_FILTER_CONDITION0. In this case it
contains the IPv4 address. Let's go on. The matchType field defines how the value in
FWP_CONDITION_VALUE will be compared with what came over the network. There are many
options: you can specify FWP_MATCH_EQUAL, which means an exact match with the condition,
or FWP_MATCH_NOT_EQUAL, with which we can effectively add a filtering exclusion (an address
whose connections are not monitored). There are also FWP_MATCH_GREATER, FWP_MATCH_LESS and
others (see the FWP_MATCH_TYPE enum). In our case it is FWP_MATCH_EQUAL.

I didn't bother too much and simply wrote a condition that blocks one selected IP address.
When some application tries to connect to the selected address, the classify function of
our callout will be called. The code summarizing what was said can be seen in the sidebar
"Adding a filter to the system".

Adding a filter to the system

FWPM_FILTER filter = {0};
FWPM_FILTER_CONDITION filterConditions = {0};

// condition on the remote address
filterConditions.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
filterConditions.matchType = FWP_MATCH_EQUAL;
filterConditions.conditionValue.type = FWP_UINT32;
// an FWP_UINT32 IPv4 address is stored in host byte order
filterConditions.conditionValue.uint32 = ntohl(BLOCKED_IP_ADDRESS);

filter.flags = FWPM_FILTER_FLAG_NONE;
filter.layerKey = *layerKey;
filter.displayData.name = L"Blocker Callout";
filter.displayData.description = L"Blocker Callout";
filter.action.type = FWP_ACTION_CALLOUT_UNKNOWN;
filter.action.calloutKey = *calloutKey;
// one filter condition; filterCondition is a pointer to the condition array
filter.filterCondition = &filterConditions;
filter.numFilterConditions = 1;
//filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
filter.weight.type = FWP_EMPTY; // auto-weight
// add the filter
status = FwpmFilterAdd(gEngineHandle, &filter, NULL, NULL);

In general, of course, there can be many filtering conditions. For example, you can block
connections to a specific remote or local port (FWPM_CONDITION_IP_REMOTE_PORT and
FWPM_CONDITION_IP_LOCAL_PORT respectively). You can catch all packets of a specific
protocol or of a specific application. And that is not all! You can, for example, block
the traffic of a specific user. In short, there is plenty of room to roam.
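The condition matching described above, modelled in user mode as an added example (this is not code from the article and not the WFP API itself): a small evaluator applies FWP_MATCH_EQUAL/NOT_EQUAL/GREATER/LESS semantics to a filter's conditions the way the text describes them, and shows why the article converts BLOCKED_IP_ADDRESS with ntohl before storing it in conditionValue.uint32. The enum and struct names are local stand-ins that only mirror WFP's, and the addresses are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the WFP enums discussed in the article (FWP_MATCH_TYPE,
 * FWP_ACTION_*, FWPM_CONDITION_*). Values are not the real ones; user-mode model only. */
typedef enum { MATCH_EQUAL, MATCH_NOT_EQUAL, MATCH_GREATER, MATCH_LESS } match_type_t;
typedef enum { COND_IP_REMOTE_ADDRESS, COND_IP_REMOTE_PORT } field_key_t;
typedef enum { ACTION_PERMIT, ACTION_BLOCK } action_t;

/* One condition: field, comparison, and a 32-bit value in host byte order,
 * mirroring FWPM_FILTER_CONDITION0 with conditionValue.type == FWP_UINT32. */
typedef struct {
    field_key_t  field_key;
    match_type_t match_type;
    uint32_t     value;        /* host byte order, as WFP expects for FWP_UINT32 */
} filter_condition_t;

/* Attributes of one outgoing connection attempt seen at ALE_AUTH_CONNECT_V4. */
typedef struct {
    uint32_t remote_addr;      /* host byte order */
    uint16_t remote_port;
} connect_attempt_t;

/* ntohl equivalent with no dependency on <arpa/inet.h>: reassemble the four
 * wire-order bytes into a host-order integer. Correct on any endianness. */
uint32_t net_to_host32(uint32_t net)
{
    unsigned char b[4];
    memcpy(b, &net, 4);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* What the article's ntohl(BLOCKED_IP_ADDRESS) does: take an address as it sits
 * on the wire (e.g. the output of inet_addr) and produce the host-order UINT32. */
uint32_t host_from_wire(const unsigned char wire[4])
{
    uint32_t net;
    memcpy(&net, wire, 4);
    return net_to_host32(net);
}

/* Parse a dotted quad straight into host order (what conditionValue.uint32 needs).
 * Returns 0 on success, -1 on malformed input (trailing junk, octet > 255). */
int parse_ipv4_host_order(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

static int compare(match_type_t mt, uint32_t have, uint32_t want)
{
    switch (mt) {
    case MATCH_EQUAL:     return have == want;
    case MATCH_NOT_EQUAL: return have != want;
    case MATCH_GREATER:   return have >  want;
    case MATCH_LESS:      return have <  want;
    }
    return 0;
}

/* Every condition of a filter must hold (WFP ANDs them); only then does the
 * filter's action apply. A non-matching filter leaves the default verdict. */
action_t classify(const filter_condition_t *conds, size_t n, action_t filter_action,
                  const connect_attempt_t *c)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t have = conds[i].field_key == COND_IP_REMOTE_ADDRESS
                      ? c->remote_addr : c->remote_port;
        if (!compare(conds[i].match_type, have, conds[i].value))
            return ACTION_PERMIT;   /* filter does not match: default verdict */
    }
    return filter_action;
}

/* Reproduces the article's filter: one EQUAL condition on the remote address.
 * Malformed input fails closed, since the filter could not have been built. */
action_t blocker_verdict(const char *blocked_ip, const char *attempted_ip)
{
    filter_condition_t cond = { COND_IP_REMOTE_ADDRESS, MATCH_EQUAL, 0 };
    connect_attempt_t attempt = { 0, 443 };
    if (parse_ipv4_host_order(blocked_ip, &cond.value) != 0 ||
        parse_ipv4_host_order(attempted_ip, &attempt.remote_addr) != 0)
        return ACTION_BLOCK;
    return classify(&cond, 1, ACTION_BLOCK, &attempt);
}

int main(void)
{
    /* Constructed sample: 192.0.2.10 (documentation range) is the blocked address. */
    const char *tries[] = { "192.0.2.10", "192.0.2.11" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", tries[i],
               blocker_verdict("192.0.2.10", tries[i]) == ACTION_BLOCK ? "BLOCK" : "PERMIT");
    return 0;
}
```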

But let's get back to our filter. The classify function in our case simply blocks the
connection to the specified address (BLOCKED_IP_ADDRESS) by returning FWP_ACTION_BLOCK:

Our classify function code

void BlClassify(
    const FWPS_INCOMING_VALUES *inFixedValues,
    const FWPS_INCOMING_METADATA_VALUES *inMetaValues,
    VOID *packet,
    const FWPS_FILTER *filter,
    UINT64 flowContext,
    FWPS_CLASSIFY_OUT *classifyOut)
{
    // fill in the FWPS_CLASSIFY_OUT0 structure
    if (classifyOut) {
        // block the packet
        classifyOut->actionType = FWP_ACTION_BLOCK;
        // when blocking a packet, FWPS_RIGHT_ACTION_WRITE must be cleared
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    }
}

In practice, the classify function can also return FWP_ACTION_PERMIT, FWP_ACTION_CONTINUE
and so on.

And finally, when the driver is unloaded, you need to remove all registered callouts
(guess what happens if the system tries to call a callout of an unloaded driver? That's
right, a BSOD). For this there is the FwpsCalloutUnregisterById function. It is passed the
32-bit callout ID returned by FwpsCalloutRegister.

Callout termination

NTSTATUS BlUninitialize()
{
    // initialized so that a missing callout does not return garbage
    NTSTATUS ns = STATUS_SUCCESS;
    if (gEngineHandle) {
        FwpmEngineClose(gEngineHandle);
    }
    if (gBlCalloutIdV4) {
        ns = FwpsCalloutUnregisterById(gBlCalloutIdV4);
    }
    return ns;
}

As you can see, programming a WFP filter is not such a difficult task, since MS provided
us with a very convenient API. By the way, in our case we set up the filter in the driver,
but you can also do this from user mode! For example, the msnmntr sample from the WDK (an
MSN Messenger traffic monitor) does just that, which allows the kernel-mode part of the
filter to stay small.

Your GUID

To register a callout, it needs a unique identifier. To get your own GUID (Globally Unique
Identifier), use guidgen.exe, which ships with Visual Studio. The tool is located in
(VS_Path)\Common7\Tools. The probability of a collision is very small, as a GUID is 128
bits long and there are "only" 2^128 available identifiers.

Debugging a filter

For debugging drivers it is convenient to use the WinDbg + VMware combination. This
requires configuring both the guest system (which is Vista) and the WinDbg debugger. On
WinXP you had to edit boot.ini for remote debugging; on Vista and later there is the
console utility bcdedit. As usual, you need to enable debugging:

bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200
bcdedit /debug ON   (or: bcdedit /set debug ON)

That's it! Launch a batch file with the following contents:

start windbg -b -k com:pipe,port=\\.\pipe\com_1,resets=0

and watch the debug output in the WinDbg window (see the picture).

Conclusion

As you can see, the scope of WFP is quite wide. You decide how
apply this knowledge - for evil or for good 🙂

The Windows firewall does not command respect. Having changed a bit from XP to Vista, it is not bad at its simple task, but it lacks the ambition to become the best personal firewall. And although the Windows 7 firewall received several new features, it still did not get what I expected to see in it.

Hanging with Homegroup

During installation, Windows 7 prompts you to create a “homegroup”. As other Windows 7 computers are discovered on the network, they are also prompted to join the group. And all they need for this is a password to it. However, having one computer running Windows 7, I did not see the process of joining the group of other computers, although notification about this would not hurt. However, while any Windows 7 computer can join a homegroup, Windows 7 Home Basic and Windows 7 Starter computers cannot create it.

Computers in the same homegroup can share (or, as they say, “share”) printers and specific file libraries. By default, libraries of pictures, music, videos and documents are shared, but the user can restrict them at his own discretion. The operating system help provides clear explanations on how to exclude a file or folder from sharing, or how to make it read-only or restrict access to it.

On their home network, a user can share their content to other computers and devices, and even to computers not running Windows 7, and even to non-computers at all. In particular, Microsoft showed examples of how you can share content for the Xbox 360. However, the company does not offer to connect to the Wii network. Alas, the Wii has not been qualified as a streaming media device.

So how much more secure is your home network in Windows 7? Usually, users who fail to share files and folders start disabling everything around them, including the firewall, antivirus and so on, that in their opinion might interfere with the process. If sharing is made simple, this disabling of everything around can be avoided.

Whereas Vista separates networks into Public and Private, Windows 7 divides a private network into Home and Work. HomeGroup is only available when you select a home network. However, even on a work network, your computer can still see and connect to other devices on it. In turn, on a public network (like a wireless Internet cafe), Windows 7 blocks access to you and from you to other devices for your safety. This is a small but pleasant feature.

Dual-mode firewall

In Vista and XP, managing a firewall is just a matter of turning it on and off. At the same time, Windows 7 offers the user various settings configurations for private (home and work) and public networks. At the same time, the user does not need to enter the firewall settings to work, say, in a local cafe. It is enough for him to choose a public network, and the firewall itself will apply the entire set of limiting parameters. Most likely, users will configure the public network to block all incoming connections. In Vista, this could not be done without cutting off all incoming traffic on the user's own network as well.

Some users don't understand why a firewall is needed. If UAC works, isn't a firewall overkill? In reality, these two have very different goals. UAC monitors programs and their operation within the local system. The firewall, on the other hand, peers intently at the incoming and outgoing data. If you imagine these two as heroes standing back to back and repelling zombie attacks, you would hardly be mistaken.

At first I was intrigued by the new feature "Notify me when Windows Firewall blocks a new program". Is this a sign that Windows Firewall has taken control of programs and become a real two-way firewall? I was consumed by the desire to disable this feature. As a result, Windows Firewall has not earned any more respect than before.

It's been ten years since ZoneLabs popularized the two-way personal firewall. Its ZoneAlarm program hid all ports on a computer (which Windows Firewall can do) and also allowed you to control program access to the Internet (Windows Firewall still does not do this). I do not require intelligent monitoring of program behavior, as, for example, in Norton Internet Security 2010 and other packages. But I hope that by the time Windows 8 comes out, Microsoft will nevertheless introduce a set of ten-year-old ZoneAlarm capabilities into its firewall.

Microsoft is well aware that many users install third-party firewalls and security packages and simply disable Windows Firewall. In the past, many third-party security programs automatically disabled Windows Firewall to avoid conflicts. In Windows 7, Microsoft did it itself. When installing a known firewall, the operating system disables its built-in firewall and reports that "the firewall settings are controlled by such and such a program from such and such a manufacturer."

Whether you use it or not, Windows Firewall is present in every Windows 7 and remains deeply integrated with the operating system. So wouldn't it be better if third-party security applications could use the Windows firewall for their own purposes? This idea lies behind a programming interface called the Windows Filtering Platform. But will developers use it? More on this in the next part.

Windows 7 Security: Windows Filtering Platform

Firewalls have to run at a very low level in Windows 7, which Microsoft programmers absolutely hate. Some Microsoft technologies, such as PatchGuard, present in the 64-bit editions of Windows 7 (64-bit Windows 7 has several security advantages over 32-bit Windows 7), block intruders and protect the kernel from being accessed. Still, Microsoft does not provide the same level of security as third-party programs. So what do you do?

The solution to this problem is the Windows Filtering Platform (WFP). The latter, according to Microsoft, allows third-party firewalls to be based on key Windows Firewall capabilities — allowing you to add custom capabilities to them and selectively enable or disable portions of Windows Firewall. As a result, the user can choose his own firewall, which will coexist with the Windows Firewall.

But how useful is it for security software developers? Will they use it? I interviewed several people and got tons of answers.

BitDefender LLC

Product Development Manager Iulian Costache said his company is currently using the platform in Windows 7. However, they have faced significant memory leaks. The error is on Microsoft's side, which the software giant has already confirmed. However, Iulian does not know when it will be fixed. In the meantime, they have temporarily replaced the new WFP driver with the old TDI one.

Check Point Software Technologies Ltd

Mirka Janus, public relations manager at Check Point Software Technologies Ltd, said his company has been using WFP since Vista. They also use the platform under Windows 7. It's a good, maintainable interface, but any malware or incompatible driver can be dangerous for a security product that relies on it. ZoneAlarm has always relied on two layers: the network connection layer and the packet layer. Since Vista, Microsoft has offered WFP as the supported way to filter network connections. Starting with Windows 7 SP1, Microsoft is to teach WFP to support packet filtering.

"Using supported APIs means improved stability and fewer BSODs. Many drivers can be registered and each driver developer does not need to worry about compatibility with others. If any driver is, say, blocked, no other registered driver can bypass that block. On the other hand, an incompatible driver can become a problem bypassing all other registered ones. We don't rely on WFP alone for network security."

F-Secure Corporation

Senior researcher at F-Secure Corporation Mikko Hypponen stated that for some reason WFP never became popular with security software developers. At the same time, his company has been using WFP for quite some time and is happy with it.

McAfee, Inc.

McAfee lead architect Ahmed Sallam, in turn, said that WFP is a more powerful and flexible network filtering interface than the previous NDIS-based interface. McAfee uses WFP extensively in its security products.

At the same time, despite the fact that WFP has positive capabilities, cybercriminals can take advantage of the platform. The platform can allow malware to enter the Windows kernel-level networking stack. Therefore, kernel-level 64-bit Windows drivers must be digitally signed to protect the kernel from malware loading into it. However, digital signatures are not required on 32-bit versions.

Yes, in theory, digital signatures are a reasonable defense mechanism, but in reality, malware authors can still acquire them for themselves.

Panda Security

Panda Security spokesman Pedro Bustamante said his company is monitoring the WFP platform but is not currently using it. The company considers the main disadvantages of WFP to be, firstly, the inability to build a technology that combines various techniques to maximize protection. The technology is useless if the company cannot look at the packets entering and leaving the machine. It should also act as a sensor for other protection technologies. None of these capabilities are provided by WFP. Secondly, WFP is only supported by Vista and newer operating systems; the platform is not backward compatible. And thirdly, WFP is a fairly new platform, and the company prefers to rely on older and proven technologies.

Symantec Corp.

Dan Nadir, director of consumer product management at Symantec, said WFP is not yet used in their products due to its relative novelty. Nevertheless, over time the company plans to migrate to it, since the old interfaces they now rely on will not be able to provide all the functionality they require. They consider WFP a good platform because it was specifically designed to provide interoperability between many third-party products. In principle, the platform should have even fewer compatibility problems in the future. WFP is also great because it integrates with the Microsoft Network Diagnostic Framework. This is extremely useful because it makes it much easier to find the specific programs that are obstructing network traffic. Finally, WFP should lead to improved performance and stability of the operating system, because the platform avoids emulation and driver conflict or stability issues.

However, on the other hand, according to Nadir, WFP can create certain problems that exist in any structure - developers relying on WFP cannot close vulnerabilities within WFP itself, nor can they expand the specific capabilities offered by WFP. Also, if many programs rely on WFP, then malware creators could theoretically try to attack WFP itself.

Trend Micro Inc.

Research Director at Trend Micro Inc. Dale Liao said the platform's biggest advantage is operating system compatibility. Also the standard firewall is now useful. So now they can focus on what really matters to the user. The bad thing about WFP is that when an error is found in the platform, the company has to wait for it to be fixed from Microsoft.

WFP: Conclusion

As a result, most of the security software developers I interviewed are already using WFP, although some use it in parallel with other technologies. They like the interoperability, the documentation and formality of the platform, and its perceived stability. On the negative side, if all developers start relying on WFP, the platform can potentially become a single point of vulnerability for everyone, and they will have to rely on Microsoft to fix it. In addition, the platform does not yet offer packet-level filtering.

Another big disadvantage of WFP is that it doesn't exist in Windows XP. Therefore, developers who want to support XP will have to run two parallel projects. However, as XP leaves the market, I think WFP will become more popular among developers.

The Windows Vista Microsoft Management Console (MMC) snap-in Windows Firewall with Advanced Security is a stateful host firewall for workstations that filters incoming and outgoing connections based on its configuration. You can now configure your firewall and IPsec settings with one snap-in. This article describes how Windows Firewall with Advanced Security works, common problems, and their solutions.

How Windows Firewall with Advanced Security works

Windows Firewall with Advanced Security is a stateful host firewall for workstations. Unlike router firewalls, which are deployed at a gateway between a local network and the Internet, Windows Firewall is designed to run on individual computers. It only monitors the traffic of the workstation: traffic arriving at this computer's IP address and traffic leaving the computer itself. Windows Firewall with Advanced Security performs the following basic operations:

    An incoming packet is checked against the list of allowed traffic. If the packet matches one of the entries in the list, Windows Firewall passes the packet to TCP/IP for further processing. If the packet does not match any entry in the list, Windows Firewall blocks the packet and, if logging is enabled, creates an entry in the log file.

The list of allowed traffic is formed in two ways:

    When a connection controlled by Windows Firewall with Advanced Security sends a packet, the firewall creates a value in the list to allow return traffic. Additional permission is required for corresponding inbound traffic.

    When you create an Allow rule in Windows Firewall with Advanced Security, the traffic for which the rule is created will be allowed on the computer running Windows Firewall. This computer will accept explicitly permitted inbound traffic whether it operates as a server, a client computer, or a peer in a peer-to-peer network.

The first step in troubleshooting Windows Firewall issues is to check which profile is active. Windows Firewall with Advanced Security is an application that monitors your network environment. The Windows Firewall profile changes when the network environment changes. A profile is a set of settings and rules that are applied depending on the network environment and the existing network connections.

The firewall distinguishes between three types of network environment: domain, public and private networks. A domain is a network environment in which connections are authenticated to a domain controller. By default, all other types of network connection are treated as public networks. When a new connection is detected, Windows Vista prompts the user to specify whether the network is private or public. The public profile is intended for use in public places such as airports or cafes. The private profile is intended for use at home, in the office, or on another secured network. To designate a network as private, a user must have the appropriate administrative rights.

Although a computer can be connected to networks of different types at the same time, only one profile can be active. The active profile is chosen as follows:

    If domain controller authentication is used on all interfaces, the domain profile is used.

    If at least one interface is connected to a private network and all the others are connected to domain or private networks, the private profile is used.

    In all other cases, the public profile is used.

To determine the active profile, click the Monitoring node in the Windows Firewall with Advanced Security snap-in. The text above Firewall State indicates which profile is active. For example, if the domain profile is active, the text at the top reads Domain Profile is Active.

With profiles, Windows Firewall can automatically allow inbound traffic for special computer management tools when the computer is in a domain, and block the same traffic when the computer is connected to a public or private network. Thus, determining the type of network environment protects your local network without compromising the security of mobile users.

Typical Windows Firewall with Advanced Security Issues

The following are the main issues with Windows Firewall with Advanced Security:

If traffic is being blocked, first check whether the firewall is enabled and which profile is active. If an application is blocked, make sure that the Windows Firewall with Advanced Security snap-in contains an active allow rule for the current profile. To verify that an allow rule exists, double-click the Monitoring node and then select the Firewall section. If there is no active allow rule for this application, go to the rules node and create a new rule for it. Create a rule for a program or service, or specify the rule group that applies to this feature, and make sure that all rules in that group are enabled.

To verify that an allow rule is not overridden by a block rule, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, click the Monitoring node and then select the Firewall section.

    View the list of all active local and Group Policy rules. Block rules override allow rules even when the allow rules are more specific.

Group Policy prevents local rules from being applied

If Windows Firewall with Advanced Security is configured through Group Policy, an administrator can specify whether firewall rules or connection security rules created by local administrators are applied. This may be the reason when configured local firewall rules or connection security rules do not appear in the corresponding section of the settings.

To investigate why local firewall rules or connection security rules are missing from the Monitoring section, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, click the Windows Firewall Properties link.

    Select the tab of the active profile.

    In the Settings section, click the Customize button.

    If local rules are applied, the Rule merging section will be active.

Rules requiring the use of secure connections can block traffic

When creating a firewall rule for inbound or outbound traffic, one of the options is Allow only secure connections. If this option is selected, you must have a matching connection security rule or a separate IPsec policy that determines which traffic is protected. Otherwise, this traffic is blocked.

To check whether one or more rules for an application require secure connections, do the following:

    In the Windows Firewall with Advanced Security snap-in tree, click the Inbound Rules section. Select the rule you want to check and click the Properties link in the console's action pane.

    Select the General tab and check whether the selected option is Allow only secure connections.

    If Allow only secure connections is set for the rule, expand the Monitoring section in the snap-in tree and select the connection security rules section. Ensure that the appropriate connection security rules exist for the traffic defined in the firewall rule.

    Warning:

    If you have an active IPsec policy, make sure that the policy protects the traffic you need. Do not create connection security rules in addition, to avoid conflicts between the IPsec policy and the connection security rules.

Unable to allow outgoing connections

    In the Windows Firewall with Advanced Security snap-in tree, select the Monitoring section. Select the tab of the active profile and, under Firewall State, check that outbound connections that do not match an allow rule are allowed.

    In the Monitoring section, select the Firewall section to ensure that the required outbound connections are not covered by block rules.

Mixed policies can lead to traffic blocking

You can configure the firewall and IPSec settings using various Windows interfaces.

Creating policies in multiple locations can lead to conflicts and blocking traffic. The following setting points are available:

    Windows Firewall with Advanced Security. This policy can be configured with the corresponding snap-in, either locally or as part of Group Policy. It controls the firewall and IPsec settings on computers running Windows Vista.

    Windows Firewall Administrative Template. This policy is configured using the Group Policy Object Editor under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. This interface contains the Windows Firewall settings that were available before Windows Vista and is intended for configuring a GPO that controls earlier versions of Windows. Although these settings can be used for computers running Windows Vista, it is recommended that you use the Windows Firewall with Advanced Security policy instead, because it provides more flexibility and security. Note that some of the domain profile settings are shared between the Windows Firewall Administrative Template and the Windows Firewall with Advanced Security policy, so you may see here settings that were configured for the domain profile in the Windows Firewall with Advanced Security snap-in.

    IPsec policies. This policy is configured using the local IP Security Policy Management snap-in or the Group Policy Object Editor under Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Computer. It defines IPsec settings that can be used by both earlier versions of Windows and Windows Vista. Do not apply this policy and the connection security rules defined in the Windows Firewall with Advanced Security policy on the same computer at the same time.

To view all of these settings in their snap-ins, create your own management console and add the Windows Firewall with Advanced Security and IP Security snap-ins to it.

To create your own management console snap-in, follow these steps:

    Click Start, point to All Programs, then Accessories, and select Run.

    In the Open text box, type mmc and press ENTER.

    If a User Account Control dialog box appears, confirm the requested action and click Continue.

    On the Console menu, select Add or Remove Snap-in.

    In the Available snap-ins list, select Windows Firewall with Advanced Security and click Add.

    Click OK.

    Repeat steps 1 through 6 to add the Group Policy Management and IP Security Monitor snap-ins.

Use the following procedure to check which policies are active for the active profile.

To check which policies are being applied, follow these steps:

    At the command prompt, type mmc and press ENTER.

    If a User Account Control dialog box appears, confirm the requested action and click Continue.

    On the Console menu, select Add or Remove Snap-in.

    In the Available snap-ins list, select Group Policy Management and click Add.

    Click OK.

    Expand the node in the tree (usually the forest in which this computer is located) and double-click the section in the details pane of the console.

    Under Display policy settings for, select Current user or Another user. If you do not want to display user policy settings but only computer policy settings, select Do not display user policy settings (display computer policy settings only) and click Next twice.

    Click Finish. The Group Policy Results Wizard generates a report in the details pane of the console. The report contains the Summary, Settings and Policy Events tabs.

    To check that there is no conflict with IP security policies, after the report is generated select the Settings tab and open Computer Configuration\Windows Settings\Security Settings\IP Security Settings in Active Directory. If this last section is missing, no IP security policy has been assigned. Otherwise the name and description of the policy and the GPO it belongs to are displayed. When an IP Security policy and a Windows Firewall with Advanced Security policy with connection security rules are used together, the policies may conflict. We recommend that you use only one of them. The best solution is to use IP security policies together with Windows Firewall with Advanced Security inbound or outbound rules. When settings are configured in different places and are not consistent with each other, complex policy conflicts can arise.

    Conflicts can also arise between policies defined in local GPOs and scripts configured by the IT department. Check all IP security policies using IP Security Monitor or by typing the following command at a command prompt:

    To view the settings defined in the Windows Firewall Administrative Template, expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

    To view the latest events related to the current policy, go to the Policy Events tab in the same console.

    To view the policy used by Windows Firewall with Advanced Security, open the snap-in on the computer being diagnosed and view the settings under Monitoring.

To view the administrative templates, open the Group Policy snap-in and, under Group Policy Results, check whether any settings inherited from Group Policy might cause traffic to be blocked.

Open the IP Security Monitor snap-in to view IP security policies. Select the local computer in the tree. In the console scope pane, select the Active Policy, Main Mode or Quick Mode link. Check for conflicting policies that might block traffic.

In the Monitoring section of the Windows Firewall with Advanced Security snap-in you can view the existing rules from both local and Group Policy. For more information, see the section "Using the Monitoring Feature in Windows Firewall with Advanced Security" in this document.

To stop the IPSec Policy Agent, follow these steps:

    Click Start and select Control Panel.

    Click System and Maintenance and select Administrative Tools.

    Double-click Services. If a User Account Control dialog box appears, confirm the requested action and click Continue.

    Find IPsec Policy Agent in the list of services.

    If the IPsec Policy Agent service is running, right-click it and select Stop. You can also stop the IPsec Policy Agent service from the command line using the command

Peer-to-peer policy can lead to traffic rejection

For IPsec connections, both computers must have compatible IP security policies. These policies can be defined using Windows Firewall connection security rules, the IP Security snap-in, or another IP security vendor's product.

To check the IP security policy settings on a peer-to-peer network, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, select Monitoring and then Connection Security Rules to make sure that both hosts have an IP security policy configured.

    If one of the computers in the peer-to-peer network runs a version of Windows earlier than Windows Vista, make sure that at least one of the main mode cipher suites and one of the quick mode cipher suites use algorithms supported by both hosts.

        1. Click Main Mode, select the connection to check in the details pane of the console, then click the Properties link in the Actions pane. Review the connection properties for both nodes to ensure they are compatible.

        2. Repeat step 2.1 for Quick Mode. Review the connection properties for both nodes to ensure they are compatible.

    If you are using Kerberos version 5 authentication, make sure that the host is in the same domain or a trusted domain.

    If you are using certificates, make sure that the required check boxes are selected. Certificates used with Internet Key Exchange (IKE) require a digital signature. Certificates used with Authenticated IP (AuthIP) require client authentication (depending on the server authentication type). For more information about AuthIP certificates, see the article AuthIP in Windows Vista on the Microsoft website.

Unable to configure Windows Firewall with Advanced Security

Windows Firewall with Advanced Security settings are unavailable (dimmed) in the following cases:

    The computer is connected to a centrally managed network and the network administrator uses Group Policy to configure the Windows Firewall with Advanced Security settings. In this case, the message "Some settings are controlled by Group Policy" is shown at the top of the Windows Firewall with Advanced Security snap-in. Because the network administrator configures the policy, you cannot change the Windows Firewall settings.

    The Windows Vista-based computer is not connected to a centrally managed network, but the Windows Firewall settings are determined by local Group Policy.

To change the Windows Firewall with Advanced Security settings by using local Group Policy, use the Local Security Policy snap-in. To open it, type secpol.msc at a command prompt. If a User Account Control dialog box appears, confirm the requested action and click Continue. Navigate to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security to configure the Windows Firewall with Advanced Security policy settings.

Computer does not respond to ping requests

The main way to test connectivity between computers is the Ping utility, which tests connectivity to a specific IP address. Ping sends an ICMP echo message (also known as an ICMP echo request) and expects an ICMP echo reply in response. By default, Windows Firewall blocks incoming ICMP echo messages, so the computer cannot send an ICMP echo reply.

Allowing incoming ICMP echo messages lets other computers ping your computer. On the other hand, it leaves the computer exposed to attacks that use ICMP echo messages. It is therefore recommended that, if necessary, you allow incoming ICMP echo messages only temporarily and disable them again afterwards.

To allow ICMP echo messages, create new inbound rules that allow ICMPv4 and ICMPv6 echo request packets.

To allow ICMPv4 and ICMPv6 echo requests, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, select the Inbound Rules node and click the New Rule link in the Actions pane.

    Select Custom and click Next.

    Select All programs and click Next.

    In the Protocol type drop-down list, select ICMPv4.

    Click Customize next to ICMP settings.

    Select Specific ICMP types, check Echo Request, click OK and then click Next.

    When selecting the local and remote IP addresses that match this rule, set the option buttons to Any IP address or These IP addresses. If you choose These IP addresses, specify the required IP addresses, click Add, and then click Next.

    Select Allow the connection and click Next.

    When selecting profiles, check one or more profiles (domain, private or public) in which you want this rule to apply, and click Next.

    In the Name field, enter a name for the rule and, optionally, a description in the Description field. Click Finish.

    Repeat the above steps for the ICMPv6 protocol, selecting ICMPv6 instead of ICMPv4 in the Protocol type drop-down list.

If you have active connection security rules, temporarily exempting ICMP from the IPsec requirements can help resolve problems. To do this, open the Properties dialog box in the Windows Firewall with Advanced Security snap-in, go to the IPsec Settings tab and, in the drop-down list for Exempt ICMP from IPsec, select Yes.

Note

Windows Firewall settings can only be changed by administrators and network operators.

Unable to share files and printers

If you cannot share files and printers on a computer with an active Windows Firewall, make sure that all rules in the File and Printer Sharing group are enabled for the active profile. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node and scroll the list of rules to the File and Printer Sharing group. Make sure these rules are enabled. Select each disabled rule and click Enable Rule in the Actions pane.

Attention:

It is strongly recommended not to enable file and printer sharing on computers that are directly connected to the Internet, because attackers can try to access the shared files and damage your personal files.

Unable to remotely administer Windows Firewall

If you cannot remotely administer a computer with an active Windows Firewall, make sure that all rules in the default Windows Firewall Remote Management group are enabled for the active profile. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node and scroll the list of rules to the Windows Firewall Remote Management group. Make sure these rules are enabled. Select each disabled rule and click Enable Rule in the Actions pane. Additionally, make sure that the IPsec Policy Agent service is enabled; this service is required to remotely manage Windows Firewall.

To verify that the IPSec Policy Agent is running, follow these steps:

    Click Start and select Control Panel.

    Click System and Maintenance and select Administrative Tools.

    Double-click Services.

    If a User Account Control dialog box appears, enter the credentials of a user with the appropriate rights and click Continue.

    Find IPsec Policy Agent in the list of services and make sure its status is "Started".

    If the IPsec Policy Agent service is stopped, right-click it and select Start. You can also start the IPsec Policy Agent service from the command line with the command net start policyagent.

Note

By default, the IPsec Policy Agent service is started. It should be running unless it was stopped manually.

Windows Firewall troubleshooting tools

This section describes tools and techniques for solving common problems. It is divided into the following subsections:

Using the Monitoring Feature in Windows Firewall with Advanced Security

The first step in troubleshooting Windows Firewall issues is to review the current rules. The Monitoring feature lets you view the rules in effect from both local and Group Policy. To view the current inbound and outbound rules, select Monitoring in the Windows Firewall with Advanced Security snap-in tree and then select Firewall. In this section you can also view the current connection security rules and security associations (Main Mode and Quick Mode).

Enabling and Using Security Auditing with the auditpol Command Line Tool

Auditing options are disabled by default. To configure them, use the auditpol.exe command-line tool, which modifies the audit policy settings on the local computer. Auditpol can be used to enable or disable auditing of different categories of events, which you can then view in the Event Viewer snap-in.

  • To view a list of the categories supported by auditpol, at a command prompt, type:

  • To view a list of the subcategories in a given category (for example, the Policy Change category), at a command prompt, type:

    auditpol.exe /list /category:"Policy Change"

  • To enable auditing of a category or subcategory, at a command prompt, enter:

    /subcategory:"SubcategoryName"

For example, to set the audit policy for a category and one of its subcategories, enter the following command:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

The categories and subcategories relevant to Windows Firewall are:

Category            Subcategory

Policy Change       MPSSVC Rule-Level Policy Change
                    Filtering Platform Policy Change

Logon/Logoff        IPsec Main Mode
                    IPsec Quick Mode
                    IPsec Extended Mode

System              IPsec Driver
                    Other System Events

Object Access       Filtering Platform Packet Drop
                    Filtering Platform Connection

For changes to the security audit policy to take effect, restart the local computer or force a policy update manually. To force a policy update, at a command prompt, type:

secedit /refreshpolicy <policy_name>

After completing the diagnostics, you can disable event auditing by changing the enable parameter to disable in the above commands and running them again.

Viewing Security Auditing Events in the Event Log

After you enable auditing, use the Event Viewer snap-in to view the audit events in the Security event log.

To open the Event Viewer snap-in from the Administrative Tools folder, follow these steps:

    Click Start.

    Select Control Panel. Click System and Maintenance and select Administrative Tools.

    Double-click Event Viewer.

To add the Event Viewer snap-in to the MMC, follow these steps:

    Click Start, point to All Programs, then Accessories, and select Run.

    In the Open text box, type mmc and press ENTER.

    If a User Account Control dialog box appears, confirm the requested action and click Continue.

    On the Console menu, select Add or Remove Snap-in.

    In the Available snap-ins list, select Event Viewer and click Add.

    Click OK.

    Save the console for future use before closing the snap-in.

In the Event Viewer snap-in, expand Windows Logs and select the Security node. The security audit events are shown in the console workspace: all events are listed at the top, and clicking an event shows its details at the bottom of the pane. The General tab contains a plain-text description of the event. The Details tab offers two views: Friendly View and XML View.

Configuring Firewall Log for a Profile

Before you can view the firewall logs, you must configure Windows Firewall with Advanced Security to generate log files.

To configure logging for a Windows Firewall with Advanced Security profile, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, select Windows Firewall with Advanced Security and click Properties in the Actions pane.

    Select the tab of the profile for which you want to configure logging (domain, private or public), and then click Customize in the Logging section.

    Specify a name and location for the log file.

    Specify the maximum size of the log file (1 to 32,767 kilobytes).

    In the Log dropped packets drop-down list, select Yes.

    In the Log successful connections drop-down list, select Yes, and then click OK.

Viewing Firewall Log Files

Open the file that you specified in the previous procedure, "Configuring Firewall Log for a Profile". You must have local administrator rights to access the firewall log.

You can view the log file with Notepad or any text editor.

Analyzing Firewall Log Files

The information recorded in the log is shown in the following table. The field names are those used in the #Fields header line of the log file. Some fields are filled in only for certain protocols (TCP flags, ICMP type and code, and so on), and some only for dropped packets (size).

Field       Description

date        Displays the year, month and day on which the event was recorded. The date is written in the format YYYY-MM-DD, where YYYY is the year, MM is the month, and DD is the day.

time        Displays the hour, minute and second at which the event was recorded. The time is written in the format HH:MM:SS, where HH is the hour in 24-hour format, MM is the minute, and SS is the second.

action      Indicates the action taken by the firewall. The actions are OPEN, CLOSE, DROP and INFO-EVENTS-LOST. INFO-EVENTS-LOST indicates that several events occurred but were not logged.

protocol    Displays the protocol used for the connection. This entry can also be a number, for packets that do not use TCP, UDP or ICMP.

src-ip      Displays the IP address of the sending computer.

dst-ip      Displays the IP address of the destination computer.

src-port    Displays the source port number of the sending computer, as an integer from 1 to 65535. A valid source port is shown only for TCP and UDP; for other protocols "-" is written as the source port.

dst-port    Displays the destination port number of the destination computer, as an integer from 1 to 65535. A valid destination port is shown only for TCP and UDP; for other protocols "-" is written as the destination port.

size        Displays the size of the packet in bytes.

tcpflags    Displays the TCP control flags found in the TCP header of the IP packet:

            • Ack. Acknowledgment field significant
            • Fin. No more data from sender
            • Psh. Push function
            • Rst. Reset the connection
            • Syn. Synchronize sequence numbers
            • Urg. Urgent pointer field significant

            A flag is indicated by the first capital letter of its name. For example, the flag Fin is written as F.

tcpsyn      Displays the TCP sequence number in the packet.

tcpack      Displays the TCP acknowledgment number in the packet.

tcpwin      Displays the TCP window size in the packet, in bytes.

icmptype    Displays a number representing the Type field of the ICMP message.

icmpcode    Displays a number representing the Code field of the ICMP message.

info        Displays information that depends on the action taken. For example, for the INFO-EVENTS-LOST action, the value of this field is the number of events that occurred but were not logged since the previous occurrence of an event of this type.

Note

A hyphen (-) is used in any field of a record that contains no information.
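The table above describes the log format but not how to read a log of any size quickly. The following script is an added example and is not part of the original document or of Windows: it parses firewall log records by the #Fields header (so it works for any version of the format), decodes the tcpflags letters, counts DROP records per protocol and destination port, and sums the INFO-EVENTS-LOST counters so that a gap in the log is not mistaken for an absence of traffic. The log text is constructed for the example; the addresses and ports in it are made up.

```python
"""Parse Windows Firewall log (pfirewall.log) records and summarize dropped traffic."""
from collections import Counter
from typing import Dict, List

# Constructed sample log in the format the firewall writes. The #Fields header
# names the columns; a hyphen marks a field that carries no information.
# The truncated last line is deliberate: it shows how malformed rows are handled.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2009-03-10 10:12:03 DROP TCP 10.0.0.5 10.0.0.7 52345 445 52 S 1234567 0 8192 - - - RECEIVE
2009-03-10 10:12:04 DROP TCP 10.0.0.5 10.0.0.7 52346 445 52 S 1234568 0 8192 - - - RECEIVE
2009-03-10 10:12:05 DROP UDP 10.0.0.9 10.0.0.7 137 137 78 - - - - - - - RECEIVE
2009-03-10 10:12:06 DROP ICMP 10.0.0.5 10.0.0.7 - - 60 - - - - 8 0 - RECEIVE
2009-03-10 10:12:07 OPEN TCP 10.0.0.7 10.0.0.20 49152 80 0 - - - - - - - SEND
2009-03-10 10:12:08 CLOSE TCP 10.0.0.7 10.0.0.20 49152 80 0 - - - - - - - SEND
2009-03-10 10:12:09 INFO-EVENTS-LOST - - - - - - - - - - - - 12 -
2009-03-10 10:12:10 DROP TCP 10.0.0.5
"""

# Single-letter flag codes as written in the tcpflags field.
TCP_FLAG_NAMES = {"A": "ACK", "F": "FIN", "P": "PSH", "R": "RST", "S": "SYN", "U": "URG"}


def parse_firewall_log(text: str) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields header.

    Rows whose column count does not match the header are skipped rather than
    mis-assigned, which would silently shift every later field by one.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if not fields or len(parts) != len(fields):
            continue
        records.append(dict(zip(fields, parts)))
    return records


def decode_tcp_flags(flags: str) -> List[str]:
    """Expand the tcpflags letters (e.g. 'S' or 'AS') into flag names."""
    if flags == "-":
        return []
    return [TCP_FLAG_NAMES.get(ch, ch) for ch in flags]


def dropped_by_port(records: List[Dict[str, str]]) -> Counter:
    """Count DROP records per (protocol, dst-port): the quickest way to see
    which service a blocked application was trying to reach."""
    counts: Counter = Counter()
    for rec in records:
        if rec["action"] == "DROP":
            counts[(rec["protocol"], rec["dst-port"])] += 1
    return counts


def events_lost(records: List[Dict[str, str]]) -> int:
    """Sum the info field of INFO-EVENTS-LOST records: events the firewall
    saw but did not write, so the reader knows the log is incomplete."""
    return sum(int(rec["info"]) for rec in records if rec["action"] == "INFO-EVENTS-LOST")


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), n in sorted(dropped_by_port(recs).items()):
        print(f"DROP {proto:<5} dst-port {port:<6} {n} packet(s)")
    print("flags of first record:", decode_tcp_flags(recs[0]["tcpflags"]))
    print("events not logged:", events_lost(recs))
```

Parsing by the header rather than by fixed column positions is what makes the script tolerant of both the 16-field and the 17-field (with path) layouts; the direction of a packet is then available as rec["path"] (RECEIVE or SEND) whenever the log carries it.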

Generating netstat and tasklist text files

You can create two text files, one with network statistics (a list of all listening ports) and one with the list of service and application tasks. The task list contains the process identifier (PID) for the entries in the network statistics file. The procedure for creating these two files is described below.

To create text files for network statistics and a task list, follow these steps:

    At the command prompt, enter netstat -ano > netstat.txt and press ENTER.

    At the command prompt, enter tasklist > tasklist.txt and press ENTER. If you want to create a text file that lists services, enter tasklist /svc > tasklist.txt instead.

    Open the tasklist.txt and netstat.txt files.

    Find the process identifier of the process you are diagnosing in tasklist.txt and compare it with the PID values in netstat.txt. Note the protocols used.

Example of the Tasklist.txt and Netstat.txt files

Netstat.txt
Proto  Local Address     Foreign Address   State       PID
TCP    0.0.0.0:XXX       0.0.0.0:0         LISTENING   122
TCP    0.0.0.0:XXXXX     0.0.0.0:0         LISTENING   322

Tasklist.txt
Image Name                 PID Session Name   Session#   Mem Usage
========================= ==== ============== ========== ============
svchost.exe                122 Services                0    7.172 K
XzzRpc.exe                 322 Services                0    5.104 K

Note

The real IP addresses have been replaced with "X" and the RPC service name with "z".
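Comparing the two files by eye works for one PID; the script below, an added example that is not part of the original document, does the join for every listening socket. It parses the output of netstat -ano (where UDP rows have no State column, so the PID must be taken from the end of the line) and of tasklist (where an image name such as "System Idle Process" contains spaces, so the row is matched from the right), then lists protocol, port and owning image. Both sample files are constructed for the example; ExampleApp.exe and the addresses are made up.

```python
"""Correlate netstat -ano listening ports with tasklist image names by PID."""
import re
from typing import Dict, List, Tuple

# Constructed sample of "netstat -ano > netstat.txt" (addresses are made up).
NETSTAT_TXT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       122
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.7:49153         10.0.0.20:80           ESTABLISHED     322
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of "tasklist > tasklist.txt" (ExampleApp.exe is hypothetical).
TASKLIST_TXT = """\

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        152 K
svchost.exe                    122 Services                   0      7,172 K
ExampleApp.exe                 322 Services                   0      5,104 K
"""

# A tasklist data row: image name (may contain spaces), PID, session name,
# session number and memory usage ending in " K". Header and separator rows
# contain no PID column value and therefore do not match.
_TASKLIST_ROW = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+\d+\s+\S+ K\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Return one dict per TCP/UDP row of netstat -ano output."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if proto == "TCP" else ""      # UDP rows have no State
        rows.append({
            "proto": proto,
            "local": local,
            "foreign": foreign,
            "state": state,
            "port": local.rsplit(":", 1)[1],            # also works for [::]:135
            "pid": parts[-1],                           # PID is always last
        })
    return rows


def parse_tasklist(text: str) -> Dict[str, str]:
    """Map PID (as a string) to image name from tasklist output."""
    images: Dict[str, str] = {}
    for line in text.splitlines():
        match = _TASKLIST_ROW.match(line)
        if match:
            images[match.group("pid")] = match.group("image")
    return images


def listening_ports_by_process(netstat_text: str, tasklist_text: str) -> List[Tuple[str, str, str]]:
    """Join the two files on PID and return (proto, port, image) for every
    listening TCP socket and every bound UDP socket, sorted for stable output.

    A PID missing from the task list is reported as <unknown> rather than
    dropped: a process that exited between the two snapshots is worth noticing.
    """
    images = parse_tasklist(tasklist_text)
    result = []
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue
        result.append((row["proto"], row["port"], images.get(row["pid"], "<unknown>")))
    return sorted(result)


if __name__ == "__main__":
    for proto, port, image in listening_ports_by_process(NETSTAT_TXT, TASKLIST_TXT):
        print(f"{proto:<4} port {port:<6} {image}")
```

To use it on real files, read netstat.txt and tasklist.txt into the two strings; the parsers ignore the banner and header lines, so the files can be passed unedited. The tasklist /svc layout has different columns and would need its own row pattern.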

Make sure basic services are running

The following services should be running:

    Base Filtering Engine

    Group Policy Client

    IKE and AuthIP IPsec Keying Modules

    IP Helper

    IPsec Policy Agent

    Network Location Awareness

    Network List Service

    Windows Firewall

To open the Services snap-in and check that the required services are running, follow these steps:

    Click Start and select Control Panel.

    Click System and Maintenance and select Administrative Tools.

    Double-click Services.

    If a User Account Control dialog box appears, enter the credentials of a user with the appropriate rights and click Continue.

    Make sure that the services listed above are running. If one or more of them are not running, right-click the service name in the list and select Start.

An additional way to solve problems

As a last resort, you can restore the default Windows Firewall settings. When you restore the defaults, you lose all settings made after Windows Vista was installed; this can cause some programs to stop working, and if you are managing the computer remotely, the connection to it will be dropped.

Save the current firewall configuration before restoring the default settings, so that you can restore your own settings later if necessary.

The steps for saving the firewall configuration and restoring the default settings are as follows.

To save the current firewall configuration, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, click the Export Policy link in the Actions pane.

To restore the default firewall settings, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, click the Restore Defaults link in the Actions pane.

    When prompted by Windows Firewall with Advanced Security, click Yes to restore the default values.

Conclusion

There are many ways to diagnose and resolve issues with Windows Firewall with Advanced Security, including:

    Using the Monitoring feature to view firewall actions, connection security rules, and security associations.

    Analyzing security audit events related to Windows Firewall.

    Creating tasklist and netstat text files for comparative analysis.