Updated: November 2009
Author: Dave Bishop
Editor: Scott Somohano
This guide shows you how to centrally configure and distribute commonly used settings and rules for Windows Firewall with Advanced Security by describing typical tasks in a common scenario. You get hands-on experience in a lab environment using Group Policy management tools to create and edit GPOs to implement typical firewall settings. You also configure GPOs to implement common server and domain isolation scenarios and see the effects of those settings. This guide applies to computers running Windows® 7, Windows Vista®, Windows Server® 2008 R2, and Windows Server® 2008.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This Step-by-Step Guide is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft Windows Server, Windows 7, Windows Vista, and Windows XP are trademarks of the Microsoft group of companies.
All other trademarks are property of their respective owners.
Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies
Scenario Overview
Technology Review for Deploying Windows Firewall with Advanced Security
Network Location Awareness
Host Firewall
Connection Security and IPsec
Group Policy
Requirements for Performing the Scenarios
Examining Default Settings on Clients and Servers
Step 1: Starting Windows Firewall in Control Panel
Step 2: Examining the Basic Options Available by Using the Control Panel Interface
Step 3: Examining the Basic Options by Using the Netsh Command-Line Tool
Step 4: Examining the Basic Options Available When Using the Windows Firewall with Advanced Security MMC snap-in
Step 5: Examine the Differences in Functionality Between the MMC Snap-in and the Netsh Command-line Tool
Deploying Basic Settings by Using Group Policy
Step 1: Creating OUs and Placing Computer Accounts in Them
Step 2: Creating the GPOs to Store Settings
Step 3: Adding the GPO Setting to Enable the Firewall on Member Client Computers
Step 4: Deploying the Initial GPO with Test Firewall Settings
Step 5: Adding the Setting that Prevents Local Administrators from Applying Conflicting Rules
Step 6: Configuring the Rest of Your Client Computer Firewall Settings
Step 7: Creating...