Vista Firewall Q&A

Mackz

Member of Honour
Windows Vista Firewall Questions & Answers - from the Firewall Team Chat, February 06.

Q: Will the MMC snap-in for the two-way Firewall be a permanent way to access the Firewall for Windows Vista or is this just temporary?
A: The Windows Firewall with Advanced Security is the mechanism for configuring the firewall in Windows Vista and Windows Server Longhorn.

Q: In which programming language is Windows Firewall written?
A: Windows firewall was written with a combination of C/C++ and C# (for the MMC snap-in).

Q: Will the Windows Firewall in Vista be back ported to run on Windows XP and Server 2003?
A: There are no current plans for backport. However, please keep an eye on any announcements related to Windows service packs. Some of the features are available through Windows OneCare beta.

Q: Will the firewall.CPL be sunset or made able to do inbound and outbound?
A: The firewall.cpl will continue to do basic inbound firewall configuration only, similar to Windows XP SP2. The outbound filtering is only available from the advanced MMC control panel.

Q: Could you highlight 5 of the best features in this new update of the Windows Firewall and how it integrates and takes advantage of some of the unique features in Windows Vista?
A: I believe the top 5 features are (not sorted by order):
1. Outbound filtering
2. Filtering on services etc.
3. Integration between IPsec and firewall (e.g. allow only secure or encrypted traffic)
4. New MMC snap-in
5. New APIs

Q: The snap-in looks really complex (Setup, Management), is this something a grandma could get the hang of really quick?
A: The Windows Firewall with Advanced Security snap-in is meant for corporate administrators. The Windows Firewall Control Panel and the dialog when programs try to listen for inbound connections are the primary mechanisms that most non-corporate admins will use to interact with the firewall.

Q: Will the GPO .adm file support Remote Assistance, much like what is available for Remote Desktop?
A: The GPO .adm file in Vista is the same as in XPSP2 and is there for backwards compatibility purposes. We recommend people use the new MMC snap-in to manage either the local machines or GPO.

Q: Is the FW only configurable through MMC or will there be some kind of GUI?
A: We have no plans at this point to support additional GUIs in addition to the existing Firewall Control Panel (targeted at non-corporate users) and the new Firewall With Advanced Security snap-in (targeted to corporate admins and advanced users).

Q: Will there be additional features for manageability in the enterprise (i.e. through GPO)?
A: The Windows Firewall with Advanced Security MMC is available for editing a GPO. Open up a GPO and navigate to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security.

Q: Windows Vista includes a number of security technologies such as AntiSpyware, Protected Mode for Internet Explorer 7, UAP, and NAP etc, how do all of these technologies work together with the Windows Firewall to provide a safe computing experience?
A: That's a great question! Windows Security Center is a feature of Windows Vista (like Windows XP/SP2) that brings all protection technologies such as the Firewall and Anti-Spyware under one umbrella. Further, technologies such as Windows Firewall are designed to work with UAP so that you will be seeing a seamless experience.

Q: I've heard something about a 2-way firewall (I think in Vista)... can you elaborate on its offerings?
A: A 2-way firewall is a firewall that features both inbound and outbound filtering. The new Vista Firewall does support both inbound and outbound filtering via the new MMC advanced control panel and through group policy.

Q: Will my Windows XP GPOs work with Vista Firewall?
A: If you put a Windows Vista or Windows Server Longhorn computer in a GPO that has a Windows Firewall policy set (through the Windows Firewall Administrative Template) or an IPsec policy (through the IP Security Policies snap-in), the firewall and IPsec policies will be honored.

Q: When will the APIs be published for using the new functionality in the firewall? (i.e. inbound blocking)
A: We are planning to publish a new set of COM interfaces for interacting programmatically with the firewall. They will expose a whole new set of features for more granular filtering, in addition to outbound filtering.

Q: Does Windows Firewall have a way to block access to .DLLs? If so, how? Or else, is it planned?
A: The Windows Firewall supports application identification through specifying the application path (not by DLL), and in Vista we've added support to specify services by service name (some services are DLLs).

Q: Will the firewall have the ability to do context filtering (filter on keyword(s))?
A: We have no current plans to support this.

Q: Will ISA Server 2006 (Wolverine) be based on the Windows Firewall in LH Server or will it continue to be separate?
A: ISA Server 2006 will not be based on Vista Windows Firewall. It will be based on BFE (Base Filtering Engine) which is a set of public filtering APIs. Windows Firewall is also using BFE for its features.

Q: Will there be any support for central logging?
A: The firewall now supports logging to the Windows Audit logs. You can use an event collection tool, such as MOM to centralize your events.

Q: Can Windows FW be removed & replaced by 3rd party FW?
A: Windows Firewall can be disabled, allowing the user to run a 3rd party firewall.

Q: Also, is there a way to completely disable the firewall, if I want to use no firewall or a third party firewall?
A: You can disable the firewall via netsh, the control panel applet, APIs or group policy.
The mpssvc service will still be running and will provide the WSH functionality (Windows Service Hardening) to protect system components and services.

Q: I'm curious about logging/alerting features. Will there be a mechanism to configure a centralized repository for logging blocked traffic?
A: We have continued to support the PFirewall.log logging feature from the Windows XP SP2 firewall. However we have added support for logging blocked traffic through the Windows Security Event log.

Q: Will WF w/ Advanced Security be able to set system-wide settings for all users of a given machine, or are settings per-user?
A: As a group policy, Windows Firewall with Advanced Security is a computer setting, not a user setting. If you are using the connection security functionality and use Kerberos for authentication, then you can scope a firewall rule down to a particular Active Directory user.

Q: How does the Vista firewall protect me against worm and virus attacks?
A: Windows Firewall is ON by default, as in Windows XP/SP2, and hence all unsolicited traffic is blocked by default. Further, Windows Defender can protect you with anti-spyware capabilities. The Malicious Software Removal Tool also helps you with cleaning up infected systems.

Q: Will WF support IPv6?
A: Yes. Windows Firewall is fully IPv6 compatible.

Q: Is it possible to remotely manage the firewalls of several Vista installs from a central location?
A: Yes -- open the MMC and add multiple snap-ins, one for each Windows Vista computer that you want to manage from the central location.

Q: Why must I permit the Windows Firewall under a UAP account?
A: Modifying FW policy is considered an administrative action which UAP will prompt for.

Q: I have not tried it yet, but will a Vista FW work nicely alongside another version without conflicts? Or am I best to stick to one or the other?
A: You should only run one Firewall at a time.

Q: Will there be some type of wizard that asks the user what common programs (AIM, ICQ, IE, Firefox, iTunes, etc.) they use so the firewall can be configured mostly at one point, instead of as apps get run?
A: This is certainly something that we have given some thought to. However, currently there are no plans for this. The Windows OneCare service certainly helps consumers in this area so that they have to answer fewer firewall prompts.

Q: I was thinking about an advanced Setting where the Admin could block by IP. Would this be a good idea?
A: The firewall will allow you to create a rule that blocks by IP address, subnet, or range.

Q: Will there be a way to add Port exceptions for a range of port numbers, instead of having to add an exception a port at a time?
A: No. We don't support port ranges, but we do support lists of ports.

Q: Will the COM API easily be usable inside a .Net application? (in comparison to some COM APIs that are very hard to properly integrate) Or will there be a more native .Net interface API created?
A: We're not shipping a .Net wrapper for the COM API, so it will be accessible to .Net apps via interop.

Q: Will the exceptions for common applications be available?
A: Vista out of box will have exceptions for Vista built-in features.

Q: Will Windows Firewall support SPI filters for additional functionality/security/checking?
A: Windows Firewall works on top of BFE APIs. That's the right way to extend the firewall with more checks that run in parallel.

Q: How will the new Windows Firewall affect corporate users, could you list some of the advantages?
A: The biggest benefit to the corporate user is that with Windows Vista, IPSec and IP filtering policy authoring has been combined under one tool - Windows Firewall with Advanced Security. Not only is the UI improved and easy to use, but it helps corporate users/admins deploy IPSec and IP policy more easily. Further, this UI also gives the ability to author the applications that will have outbound access, thereby giving admins the ability to lock down a system.

Q: Will WF integrate with the ISA Firewall client?
A: Not in this release, sorry.

Q: Will the new firewall be customizable for single users, or will the same firewall rules be applied to all users?
A: The firewall rules are only per computer - not per user.

Q: How does the Windows Firewall protect my house?
A: At this point, the Windows Firewall is limited in scope to the personal computing device running Windows; we may consider adding support in future for other form factors/objects/corporeal entities.

Q: Will the Vista Windows Firewall support Domain / Standard profiles for VPN connections? We have deployed the Windows Firewall in XP for both on and off the domain but hit issues with configuring VPN connections as we have had to use netsh commands.
A: We have support for interface types in the snap-in that allow you to configure firewall rules on a per-interface type basis (for wireless, RAS, or LAN). This allows you to create a policy that is specific to RAS interfaces.

Q: Do you get any inspiration and advice when developing the Windows Firewall from the ISA Team?
A: I used to work in the ISA team before moving to the Windows Firewall team. I believe it shows in the rules model and some of the UI :-).
We are in constant communication with the ISA team.

Q: Will there be a feature to tell what application is communicating through the firewall like the monitoring feature in ISA2004?
A: The Monitoring node in the new console shows the active FW rules; however, they don't display which app is currently communicating.

Q: Are you saying there are two Windows Firewalls in Vista, one with basic functionality and one with advanced functionality available through MMC?
A: There's only one Windows Firewall in Vista.
There are two main UI entry points for configuring it: the control panel applet for novice users and the MMC snap-in for full configuration by advanced admins.

Q: Will there be any upgrade in XP related to Windows Firewall to be closer to the Windows Vista firewall?
A: We are currently investigating this area.

Q: How can third parties make the Windows FW "aware" of their apps/services "normal" behavior (for hardening, like the OS' own services, and to avoid/reduce prompting)?
A: ISVs designing software for Windows Vista will be able to take advantage of Windows Firewall APIs to harden their services just like services in the Vista operating system. At this point, this is applicable to software running as a service only (not a regular application). The APIs are likely to be available in the CTP build after February.

Q: Will there be a .NET API to interface with the firewall from our own applications?
A: The COM API can be used for this through .Net interop, but there are currently no plans for a .Net-specific API.

Q: Does the WF support Stateful Packet Inspection via pluggable filters?
A: WF supports Stateful Packet Inspection, but doesn't support pluggable filters.

Q: Who is the Vista Firewall aimed at? Corporate or home users? It seems like corporate, but the biggest beneficiaries would be home.
A: The Windows Firewall in Vista is aimed at both corporate users and home users. We expect most corporate users to use the Windows Firewall with Advanced Security snap-in to configure the firewall and take advantage of the advanced functionality. The Windows Firewall Control Panel will be available and is probably the interface that home users will use.

Q: Please say Resultant Set of Policy examinations will be supported in an enterprise environment (and I will be able to trust it, unlike current situation with IPsec).
A: The Group Policy RSoP tool will not be supported. However, the Windows Firewall with Advanced Security snap-in on a single computer will show you what the RSoP is for that computer.

Q: Is the Windows Firewall expected to be an end to end solution for consumers or is just a part of the equation, for Industry partners to build on top of?
A: We believe the Windows Firewall in Vista is a good end to end solution for consumers. However there is a public COM API interface for 3rd parties to develop additional security logic to the Windows Firewall.

Q: Will the new APIs include only .NET assemblies or will they be scriptable as well in a COM interface (VBScript)?
A: The COM API is dual-interface, so it is callable from VBScript and JScript.

Q: Will Vista Firewall work on Windows PE for Vista?
A: Yes -- it is on Windows PE.

Q: Will parental controls be integrated into the Vista firewall?
A: No

Q: Is the Windows Firewall included in Vista the same one in Windows OneCare Live Subscription service?
A: Windows Firewall doesn't have support for plugins. However the Windows Firewall builds on top of the "Windows Filtering Platform" which provides APIs for plug-ins and FW/Filtering products.

Q: Is the Vista firewall capable of networking with Linux and other OSes?
A: Windows Firewall with advanced security is about both firewall and IPsec.
IPsec interoperability is going to work with other platforms (to some extent).
The FW is protecting the host so there's not much there in terms of networking with other platforms.

Q: How do I know that my firewall is really protecting my network?
A: The Windows Firewall does not have the ability to protect your network because you can have any number of rogue devices running on your network that are not Windows Vista computers. The Windows Firewall can help you achieve some level of protection by crafting policy that prevents unwanted traffic from being emitted from a Vista computer.

Q: Have you considered adding the process name to the firewall logs for easy troubleshooting when applications do not work with the firewall on?
A: For Vista, we are using the Windows Security event log to log connections (in addition to the XP packet log). The new events have the process name.

Q: What is Microsoft's plan for balancing security with user simplicity?
A: We are supporting multiple interfaces for the firewall: APIs, netsh, CPL, MMC, GPO etc.
The control panel applet (CPL) is targeted towards simplicity and we're even making it simpler than you see today. The rest gives the admin full control of the security features.

Q: Can we have an option to back up and restore all Firewall Settings so we can config it on one box and just fire it around others?
A: We support import and export of policies to allow you to configure policies on one GPO or local computers and then move them to other GPOs or local computers. We also support restoring all firewall settings to their defaults. These functions can be accessed from the Actions menu of the Windows Firewall with Advanced Security node.

Q: What are the new APIs (#5 on top 5 features)?
A: The new APIs are going to extend the COM ones for ICF that you can see on MSDN today.
They will expose full inbound/outbound filtering options including the ability to view/configure rules etc.
In addition, they will expose the network Windows Service Hardening (WSH) feature for 3rd party service owners.

Q: With the risk of root-kit based malware floating around on the web, how well will the Vista firewall keep me secure?
A: The Windows Firewall does not perform stateful inspection of HTTP traffic and will not be able to directly prevent root-kit based malware from being installed.

Q: Will average users who are not on a domain have the added security of two-way filtering, or will the new features not apply to them?
A: Yes, they will be able to configure the two-way filtering via the new Windows Firewall with Advanced Security MMC snap-in.

Q: Why is Windows Firewall blocking ICMP packets? Is there a way to get around this?
A: We block all unsolicited traffic by default. This is fully configurable from the CPL and MMC snap-in.

Q: What scenarios do you envision for the outbound scanning capabilities of the Vista firewall? Are the outbound capabilities included purely for enterprise manageability, or will it be touted as an additional security measure, a la ZoneAlarm?
A: Outbound filtering is primarily a means for locking down a system, so that an administrator can decide which applications can access the network; this is just an extension of administrators having the ability to express the application through port numbers. IPSec filtering in Windows has provided this capability for a long time, but with Windows Vista Firewall with Advanced Security, administrators now have one place, one console, from which they author policy for both secured (IPSec) as well as unsecured (IP) traffic. Overall, outbound filtering is an attack surface reduction tool.

Q: What new GPO settings are available for managing the WF?
A: The new GPO settings can handle everything in the new MMC advanced console.

Q: What makes Windows Firewall a better option than any of the third party offerings?
A: I'd say: its integration with IPsec and other components in Vista.

Q: Will MSFT provide application level configurations -- e.g., if you want to use AIM, the following ports will get unblocked for that application?
A: The new interfaces (programmatic, UI and otherwise) will support grouping multiple rules into a single group which can be enabled with one mouse click to enable the whole scenario/experience. I believe this will solve most of your scenarios here.

Q: Will the new COM API cover pre-Vista Windows Firewall for XP and 2K3 and are there plans to extend the existing Windows Firewall API to configure the Vista Firewall?
A: Yes, there will still be support for the pre-Vista APIs, as well as extending those for more granular exception support for Vista.

Q: What, if any, changes have been made to your management story? Today managing on a large scale via GPO is unrealistic, and making exceptions for every app on all PCs doesn't buy us any security. Have you thought about this problem, and if so, what are you doing?
A: We have 3 management solutions: Manage a local host, Manage a single remote machine (when you enable the Firewall Remote Management), and GP management for an entire OU.
We recommend you use the new MMC snap-in to configure all 3 scenarios.

Q: Will the firewall in Vista conflict with routers that have firewalls?
A: It is possible for the Windows Firewall to have the same firewall policy as routers on a network. This should not cause any real conflict.

Q: How well does the Vista firewall perform against DoS attacks?
A: The defense against DoS attacks has been built into the TCP/IP stack since early versions of Windows and has only improved over time. Windows Vista has a new integrated TCP/IP stack for IPv4 and IPv6, and DoS protection is better.

Q: What is the integration between WF and NAP?
A: When you create a connection security rule in Windows Firewall with Advanced Security, you can select computer certificate as the authentication method and specify that the certificate must be a health certificate. This functionality provides integration with NAP and allows you to base your policy on only allowing healthy computers access to specified resources.

Q: Will the Vista firewall notify me of wireless eavesdropping?
A: No.

Q: Will the files/settings transfer wizard support migrating XP's firewall config to Vista?
A: Windows Firewall will preserve settings on upgrade from XP.

Q: Will 3rd-party ISVs be able to extend firewall functionality?
A: Windows Firewall is based on the BFE APIs. These are public APIs and ISVs can (and should) use them to extend the firewall features.

Q: Is the outbound firewall on by default?
A: The out-of-box default for outbound filtering is to allow connections. This default is configurable, so you can change it to block if you like.

Q: Is the Firewall in Chinese Vista different than in other countries? (like blocking packets containing 'taiwan independence')
A: We have no plans to do content-based filtering in the Windows Firewall.

Q: How does Windows Firewall handle an outbound request from a program that it does not already know about?
A: By default, Windows Firewall allows all outbound requests. An advanced administrator can change this default through Windows Firewall with Advanced Security UI.

Q: Will the firewall have UPnP support? Will it automatically work (via an API or SDK) with network applications that need certain ports open to function?
A: Windows Firewall detects and reacts to network changes. If there's a new network interface, Windows Firewall will cover it. In addition, you can configure WF for specific interface types. You can say things like "Don't allow inbound traffic to app foo.exe over port X if it comes over wireless interfaces".
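The settings mentioned in the answers above (outbound default, blocking by IP, port lists, per-interface-type rules such as the foo.exe-over-wireless case, logging, and import/export) can all be driven from the command line through the netsh advfirewall context that ships with Vista. This is an added example, not part of the chat or of Microsoft's documentation; the rule names, paths and addresses are made-up placeholders.

```batch
@echo off
rem Added example: drives Windows Firewall with Advanced Security from the
rem command line with the netsh advfirewall context that ships with Vista.
rem All rule names, paths and addresses below are made-up placeholders.

rem 1. Make sure the firewall is on in every profile and flip the outbound
rem    default from "allow" (the out-of-box setting) to "block". Try this on
rem    one machine before pushing it via GPO: anything without an explicit
rem    allow rule loses network access.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

rem 2. With outbound blocked, grant network access per application path
rem    (the firewall identifies applications by path, not by DLL).
netsh advfirewall firewall add rule name="Allow foo.exe out" dir=out action=allow program="C:\Program Files\Foo\foo.exe" enable=yes

rem 3. Block an address range (a single host, a subnet, or a from-to range
rem    all work for remoteip). An explicit block rule wins over allow rules.
netsh advfirewall firewall add rule name="Block 192.0.2.0/24 in" dir=in action=block remoteip=192.0.2.0/24

rem 4. Ports are given as a comma-separated list (no ranges on Vista, as the
rem    answer above says).
netsh advfirewall firewall add rule name="Allow web in" dir=in action=allow protocol=TCP localport=80,443

rem 5. Per-interface-type rule: the "foo.exe over wireless" case from the
rem    answer above. interfacetype accepts wireless, lan, ras or any.
netsh advfirewall firewall add rule name="Block foo.exe in on wireless" dir=in action=block program="C:\Program Files\Foo\foo.exe" protocol=TCP localport=8080 interfacetype=wireless

rem 6. Logging: keep the XP-style pfirewall.log for dropped packets, and turn
rem    on the Security event log audit subcategory that records blocked
rem    connections together with the process name.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

rem 7. Export the whole policy so it can be imported on another machine (or
rem    into a GPO with the snap-in), then list the rules to verify.
if not exist C:\fwbackup mkdir C:\fwbackup
netsh advfirewall export "C:\fwbackup\vista-fw-policy.wfw"
netsh advfirewall firewall show rule name=all
```

Run it from an elevated command prompt; as the chat notes, changing firewall policy is an administrative action, so a non-elevated session will be refused.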

Q: How do we get this MMC snap-in? Is it already installed and we just need to activate it, or is it already activated and ready to use?
A: Open up MMC and select File -- Add/Remove Snap-ins. Then you can add the Windows Firewall with Advanced Security snap-in.

Q: In my experience with OneCare I found that overall it was a great product doing the job effectively. But it was a huge drain on system resources and ran multiple processes in the background. Will Windows Firewall also be a big eater? I personally like Zonealar
A: Performance and scalability are one of the core tenets driving our development. In our design we strive to be as lean as possible. At this point, we only have one service for the FW.

Q: Why can the FW APIs not be used to harden non-service apps (re: q106)?
A: They can. It's called firewall rules. WSH is specifically about blocking services (sand-boxing them) so they cannot touch the network beyond their designated in/out ports.

Q: Assuming Outbound blocking has been enabled, will WF prompt to unblock needed ports for specific apps?
A: Nope, and this is done deliberately to not downgrade the default user experience. The Windows OneCare service provides the right solution for this specific scenario.

Q: Will Vista have a locked down firewall until installation is complete and software updated, like R2?
A: Yes.

Q: Does the firewall API allow an application to configure the firewall so that the application can access the internet? (If so, I see a security risk when things like malware and viruses can bypass the firewall quite easily by configuring it themselves.)
A: You have to be an admin to make any changes to the WF configuration. If the app is running as admin, it's Game Over in so many other ways.

Q: Both Firewall and (especially) IPsec are something of second-class citizens of group policy, at least per toolset support, in an enterprise environment. Will they become first-class citizens of the policy enforcement and user-interface (reliable RSoP)?
A: The combined Windows Firewall and IPsec policy is stored in SysVol. This will solve a lot of the issues that were present with IPsec and Group Policy previously (backup and restore, copy/paste of GPOs, delegation). If you'd like RSoP, you can look at a single computer and our snap-in will show you the RSoP for that computer.

Q: What about Network-IDS ? (like SNORT) ? it can recognize Blaster viruses, etc etc....
A: This is not a part of Windows Firewall in Vista.

Q: Will there be a difference in the version of Vista's Firewall, as in will the home version be crippled or have less functionality than, say, the Ultimate version?
A: The Windows Firewall featureset is identical in all client OS SKUs.

Q: WF in XPSP2 allows inbound UDP from an address that the computer sent UDP to, for up to 90 seconds after the outbound request was sent. Will this remain the same in Vista's WF?
A: Yes and it's configurable.

Q: Is there any support for traffic incoming from Bluetooth?
A: All interfaces visible at the NDIS layer are visible to the Windows Firewall.

See also: http://www.microsoft.com/technet/community/columns/cableguy/cg0106.mspx