Windows Firewall with Advanced Security: Diagnostics and Troubleshooting

The Windows Firewall with Advanced Security snap-in for the Microsoft Management Console (MMC) in Windows Vista is a stateful host firewall that filters inbound and outbound connections according to the settings you configure. Firewall settings and IPsec can now be configured with a single tool. This article describes how Windows Firewall with Advanced Security works, the problems most often encountered with it, and how to resolve them.

How Windows Firewall with Advanced Security works

Windows Firewall with Advanced Security is a stateful host-based firewall. Unlike a firewall on a router, which is deployed at the gateway between your local network and the Internet, Windows Firewall runs on the individual computer. It inspects only that computer's own traffic: packets arriving at the computer's IP address and packets the computer itself sends. Windows Firewall with Advanced Security performs the following basic operations:

    Each inbound packet is inspected and compared with the list of allowed traffic. If the packet matches an entry in the list, Windows Firewall passes it to TCP/IP for further processing. If it matches no entry, Windows Firewall drops the packet and, if logging is enabled, writes an entry to the log file.

The list of allowed traffic is formed in two ways:

    When a computer running Windows Firewall with Advanced Security sends a packet, the firewall creates an entry in the list so that the response traffic is allowed back in. The corresponding inbound traffic therefore needs no additional permission.

    When you create an allow rule in Windows Firewall with Advanced Security, the traffic described by the rule is allowed on the computer running Windows Firewall. The computer accepts explicitly allowed inbound traffic whether it is acting as a server, a client, or a host in a peer-to-peer network.

The first step in troubleshooting Windows Firewall is to check which profile is active. Windows Firewall with Advanced Security is aware of the network environment and switches profile when that environment changes. A profile is a set of settings and rules applied according to the network environment and the network connections in use.

The firewall distinguishes three types of network environment: domain, public and private. A domain is a network on which connections are authenticated by a domain controller. By default, every other network is treated as public. When Windows Vista detects a new network connection, it prompts the user to say whether the network is private or public. The public profile is intended for public places such as airports or cafes; the private profile is intended for home or office use on a trusted network. Designating a network as private requires administrative privileges.

Although the computer may be connected to networks of different types at the same time, only one profile can be active. The active profile is chosen as follows:

    If all interfaces are authenticated to a domain controller, the domain profile is used.

    If at least one interface is connected to a private network and all the others are connected to domain or private networks, the private profile is used.

    In all other cases, the public profile is used.

To determine the active profile, click the Monitoring node in the Windows Firewall with Advanced Security snap-in. The text above Firewall State shows which profile is active; for example, when the domain profile is active the heading reads Domain Profile is Active.

Using profiles, Windows Firewall can automatically allow inbound traffic for particular computer-management tools while the computer is on the domain and block the same traffic when the computer is connected to a public or private network. Detecting the type of network environment therefore protects the local network without compromising the security of mobile users.
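The profile check above can be scripted. The following PowerShell is an added example and not part of the original article. It assumes Windows 8 / Windows Server 2012 or later, where the Get-NetConnectionProfile and Get-NetFirewallProfile cmdlets exist; from Windows 7 onwards the firewall applies a profile per network interface rather than one profile for the whole computer, which is why the report has one row per interface. The netsh command at the end is the fallback for Windows Vista / Server 2008.

```powershell
# Added example, not from the original article.
# Assumes Windows 8 / Server 2012 or later (Get-NetConnectionProfile, Get-NetFirewallProfile).
function Get-ActiveFirewallProfileReport {
    [CmdletBinding()]
    param()

    # One entry per connected interface. NetworkCategory is DomainAuthenticated,
    # Private or Public; the firewall applies the matching profile on that interface.
    $connections = Get-NetConnectionProfile
    # ActiveStore = settings actually in effect (local settings merged with Group Policy).
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore

    foreach ($c in $connections) {
        $profileName = switch ([string]$c.NetworkCategory) {
            'DomainAuthenticated' { 'Domain' }
            'Private'             { 'Private' }
            default               { 'Public' }   # anything else is treated as public
        }
        $p = $profiles | Where-Object Name -eq $profileName

        [pscustomobject]@{
            Interface             = $c.InterfaceAlias
            Network               = $c.Name
            ActiveProfile         = $profileName
            FirewallEnabled       = $p.Enabled
            DefaultInboundAction  = $p.DefaultInboundAction   # Block unless changed
            DefaultOutboundAction = $p.DefaultOutboundAction  # Allow unless changed
            LogBlocked            = $p.LogBlocked             # is dropped-packet logging on?
        }
    }
}

Get-ActiveFirewallProfileReport | Format-Table -AutoSize

# Fallback for Windows Vista / Server 2008 / Windows 7, which lack the cmdlets above:
#   netsh advfirewall show currentprofile
```

If an interface shows Public while you expected Domain, the usual cause is that the interface could not reach a domain controller when it came up; the firewall will not re-evaluate until the network changes again.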

Common issues when running Windows Firewall with Advanced Security

The most common problems encountered when running Windows Firewall with Advanced Security are described below.

If traffic is blocked, first check that the firewall is enabled and which profile is active. If a program is being blocked, make sure that the Windows Firewall with Advanced Security snap-in contains an active allow rule for that program in the current profile. To verify that an allow rule exists, double-click the Monitoring node and then select Firewall. If there is no active allow rule for the program, go to the Inbound Rules node and create one: either a rule for the program or service, or a rule group that covers the feature, and make sure every rule in that group is enabled.

To check that an allow rule is not overridden by a block rule, follow these steps:

    In the Windows Firewall with Advanced Security console tree, click the Monitoring node and then select Firewall.

    Review the list of all active local and Group Policy rules. Block rules take precedence over allow rules, even when the allow rule is more specific.

Group Policy prevents local rules from being applied

If Windows Firewall with Advanced Security is configured through Group Policy, the administrator can specify whether firewall rules and connection security rules created by local administrators are applied at all. This is why locally configured firewall rules or connection security rules may be missing from the corresponding section under Monitoring.

To find out why local firewall rules or connection security rules are missing from the Monitoring section, do the following:

    In the Windows Firewall with Advanced Security snap-in, click the Windows Firewall Properties link.

    Select the tab for the active profile.

    In the Settings section, click Customize.

    The Rule merging section shows whether local firewall rules and local connection security rules are applied. If Group Policy has turned merging off, both settings read No.
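The same check from the command line, as an added example that is not part of the original article: it reads the two merge switches for each profile and then lists the enabled local rules that do not appear in the enforced rule set. It assumes Windows 8 / Server 2012 or later and that a rule keeps the same Name in the persistent (local) store and the active (enforced) store.

```powershell
# Added example, not from the original article. Assumes Windows 8 / Server 2012+ and
# that rules keep the same Name in the persistent (local) and active (enforced) stores.
function Get-LocalRuleMergeStatus {
    # AllowLocalFirewallRules / AllowLocalIPsecRules are the "Rule merging" settings in the
    # profile's Customize dialog. A GPO that sets them to False makes the firewall ignore
    # rules created in the local snap-in for that profile.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules

    $local  = @(Get-NetFirewallRule -PolicyStore PersistentStore -Enabled True)
    $active = @(Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True)
    $activeNames = @{}
    foreach ($r in $active) { $activeNames[$r.Name] = $true }

    # Enabled local rules that are not in the active store are exactly the ones
    # "missing from Monitoring": policy has switched merging off for their profile.
    $ignored = @($local | Where-Object { -not $activeNames.ContainsKey($_.Name) } |
                Select-Object DisplayName, Direction, Action, Profile)

    [pscustomobject]@{
        MergeSettings     = $profiles
        IgnoredLocalRules = $ignored
    }
}

$status = Get-LocalRuleMergeStatus
$status.MergeSettings | Format-Table -AutoSize
if ($status.IgnoredLocalRules.Count -gt 0) {
    Write-Warning 'Enabled local rules that policy is not applying:'
    $status.IgnoredLocalRules | Format-Table -AutoSize
}
```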

Rules requiring secure connections may block traffic

When you create an inbound or outbound firewall rule, one of the options is Allow only secure connections. If you select this option, you must have a matching connection security rule, or a separate IPsec policy, that defines which traffic is secured. Otherwise the traffic is blocked.

To check whether one or more program rules require secure connections, follow these steps:

    In the Windows Firewall with Advanced Security console tree, click Inbound Rules. Select the rule to check and click Properties in the Actions pane.

    On the General tab, check whether the Allow only secure connections option is selected.

    If the rule has Allow only secure connections selected, expand Monitoring in the console tree and select Connection Security Rules. Make sure the traffic covered by the firewall rule has a corresponding connection security rule.

    Warning:

    If an IPsec policy is active, make sure that policy protects the required traffic. Do not also create connection security rules, to avoid conflicts between the IPsec policy and the connection security rules.
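Both checks described above (a block rule overriding an allow rule, and an allow rule marked Allow only secure connections with no connection security rule behind it) can be done in one pass over the enforced rule set. The following PowerShell is an added example and not part of the original article; it assumes Windows 8 / Server 2012 or later, and the program path in the final line is a placeholder. The port overlap test is deliberately simple (exact match or Any), so treat the OverriddenBy column as a shortlist to inspect rather than a verdict.

```powershell
# Added example, not from the original article. Assumes Windows 8 / Server 2012+.

function Test-ProfileOverlap($p1, $p2) {
    # Profile is a flags enum: Any (0) covers every profile, otherwise compare the bits.
    if ([int]$p1 -eq 0 -or [int]$p2 -eq 0) { return $true }
    return (([int]$p1 -band [int]$p2) -ne 0)
}

function Test-InboundRuleConflicts {
    param(
        # Full path of the program whose rules are being checked (placeholder value).
        [Parameter(Mandatory)] [string] $ProgramPath
    )
    $target = [Environment]::ExpandEnvironmentVariables($ProgramPath)

    # ActiveStore = the rules the firewall is really enforcing (local + Group Policy).
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True

    # What a rule matches lives in its filters, not on the rule object itself.
    $entries = foreach ($r in $rules) {
        $app  = $r | Get-NetFirewallApplicationFilter
        $port = $r | Get-NetFirewallPortFilter
        $sec  = $r | Get-NetFirewallSecurityFilter
        [pscustomobject]@{
            Name           = $r.DisplayName
            Action         = [string]$r.Action
            Profile        = $r.Profile
            Program        = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
            Protocol       = [string]$port.Protocol            # TCP, UDP, Any, or a number
            LocalPort      = ([string[]]$port.LocalPort -join ',')
            Authentication = [string]$sec.Authentication       # NotRequired, Required, NoEncap
        }
    }

    $allows = @($entries | Where-Object { $_.Action -eq 'Allow' -and $_.Program -ieq $target })
    if ($allows.Count -eq 0) {
        Write-Warning "No enabled inbound Allow rule in the active store matches $target"
        return
    }

    # Connection security rules currently in effect; "secure only" rules depend on them.
    $ipsecRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -Enabled True)

    foreach ($a in $allows) {
        # A Block rule wins over this Allow rule if it can match the same traffic:
        # any program or this one, an overlapping profile, and an overlapping protocol/port.
        $blockers = @($entries | Where-Object {
            $_.Action -eq 'Block' -and
            ($_.Program -eq 'Any' -or $_.Program -ieq $target) -and
            (Test-ProfileOverlap $_.Profile $a.Profile) -and
            ($_.Protocol -eq 'Any' -or $a.Protocol -eq 'Any' -or $_.Protocol -eq $a.Protocol) -and
            ($_.LocalPort -eq 'Any' -or $a.LocalPort -eq 'Any' -or $_.LocalPort -eq $a.LocalPort)
        })
        $secureOnly = $a.Authentication -ne 'NotRequired'
        [pscustomobject]@{
            AllowRule        = $a.Name
            Profile          = $a.Profile
            Protocol         = $a.Protocol
            LocalPort        = $a.LocalPort
            OverriddenBy     = ($blockers.Name -join '; ')
            SecureOnly       = $secureOnly
            # "Allow only secure connections" with no connection security rule at all
            # means the traffic is silently dropped.
            IPsecRuleMissing = ($secureOnly -and $ipsecRules.Count -eq 0)
        }
    }
}

Test-InboundRuleConflicts -ProgramPath 'C:\Program Files\ExampleApp\server.exe' | Format-List
```

Enumerating the three filters for every rule is slow on a host with thousands of Group Policy rules; for a one-off diagnosis that is acceptable, and it is the only way to see the program and port a rule actually matches.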

Cannot allow outbound connections

    In the Windows Firewall with Advanced Security console tree, select Monitoring. Select the tab for the active profile and, under Firewall State, confirm that outbound connections that do not match a rule are allowed.

    Under Monitoring, select Firewall and make sure the required outbound connections are not covered by a block rule.

Mixed policies can block traffic

Firewall and IPsec settings can be configured through several different Windows interfaces.

Creating policy in several places can lead to conflicts and blocked traffic. The following configuration points exist:

    Windows Firewall with Advanced Security. This policy is configured with the snap-in of the same name, either locally or as part of a Group Policy object. It controls the firewall and IPsec settings of computers running Windows Vista.

    Windows Firewall administrative template. This policy is configured in the Group Policy Object Editor under Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. It contains the Windows Firewall settings that existed before Windows Vista and is intended for GPOs that manage earlier versions of Windows. Although these settings can also be applied to computers running Windows Vista, the Windows Firewall with Advanced Security policy is recommended instead because it offers more flexibility and security. Note that some domain profile settings are shared between the Windows Firewall administrative template and the Windows Firewall with Advanced Security policy, so settings configured in the domain profile through the Windows Firewall with Advanced Security snap-in may also appear here.

    IPsec policies. This policy is configured with the local IP Security Policy Management snap-in or in the Group Policy Object Editor under Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Computer. It defines IPsec settings that can be used both by earlier versions of Windows and by Windows Vista. Do not apply such a policy and connection security rules defined in Windows Firewall with Advanced Security policy on the same computer at the same time.

To view all of these settings in their snap-ins, create your own Management Console and add the Windows Firewall with Advanced Security, Group Policy Management and IP Security Monitor snap-ins to it.

To create your own management console, follow these steps:

    Click Start, go to All Programs, then Accessories, and select Run.

    In the Open box, type mmc and press ENTER.

    If a User Account Control dialog box appears, confirm the requested action and click Continue.

    On the File menu, select Add/Remove Snap-in.

    In the Available snap-ins list, select Windows Firewall with Advanced Security and click Add.

    Click OK.

    Repeat steps 5 and 6 to add the Group Policy Management and IP Security Monitor snap-ins.

To check which policies are applied in the active profile, follow these steps:

    At a command prompt, type mmc and press ENTER.

    If a User Account Control dialog box appears, confirm the requested action and click Continue.

    On the File menu, select Add/Remove Snap-in.

    In the Available snap-ins list, select Group Policy Management and click Add.

    Click OK.

    In the console tree, expand the forest node that contains this computer, right-click Group Policy Results and select Group Policy Results Wizard.

    Under Display policy settings for, select Current user or Another user. If you want only computer policy settings and no user settings, select Do not display user policy settings (display computer policy settings only), then click Next.

    Click Finish. The Group Policy Results Wizard generates a report in the details pane. The report has the tabs Summary, Settings and Policy Events.

    To check for conflicts with IP security policies, open the Settings tab of the report and navigate to Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Active Directory. If that last node is missing, no IP security policy is assigned. Otherwise the name and description of the policy and the GPO it belongs to are displayed. If an IP security policy and a Windows Firewall with Advanced Security policy containing connection security rules are both in effect, they can conflict; use only one of them. The best combination is an IP security policy together with Windows Firewall with Advanced Security inbound or outbound rules, not with connection security rules. Settings configured in different places that are not consistent with each other produce policy conflicts that are hard to diagnose.

    There may also be conflicts between policies defined in local GPOs and scripts deployed by the IT department. Check all IP security policies with the IP Security Monitor snap-in or by typing the following command at a command prompt:

    To view the settings defined in the Windows Firewall administrative template, expand Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

    To view recent events related to the current policy, open the Policy Events tab in the same console.

    To view the policy in effect for Windows Firewall with Advanced Security, open the snap-in on the computer being diagnosed and review the settings under Monitoring.

To view the administrative templates, open the Group Policy Management snap-in and, under Group Policy Results, check whether settings inherited from Group Policy could be causing traffic to be rejected.

To view IP security policies, open the IP Security Monitor snap-in. In the console tree, select the local computer. In the scope pane, select Active Policy, Main Mode or Quick Mode. Look for conflicting policies that could cause traffic to be blocked.

Under the Monitoring node of the Windows Firewall with Advanced Security snap-in you can view the rules in effect from local and Group Policy. For more information, see the section "Using monitoring features in Windows Firewall with Advanced Security" in this document.

To stop the IPsec Policy Agent, follow these steps:

    Click Start and select Control Panel.

    Click System and Maintenance and select Administrative Tools.

    Double-click Services. If a User Account Control dialog box appears, confirm the requested action and click Continue.

    Find the IPsec Policy Agent service in the list.

    If the IPsec Policy Agent service is running, right-click it and select Stop. You can also stop the service from the command line with net stop PolicyAgent.
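The three things this section says can collide (a legacy IP Security policy, connection security rules, and the IPsec Policy Agent) can be collected in one report before anything is stopped or removed. The following PowerShell is an added example and not part of the original article. The netsh ipsec static command and the two registry locations it reads are this example's assumptions about where a legacy policy assignment is recorded; Get-NetIPsecRule assumes Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original article. Gathers the three IPsec policy sources
# this section says can conflict. The "netsh ipsec static" command and the registry
# paths are this example's assumptions about where the legacy policy is recorded.
function Get-IPsecPolicySources {
    # 1. Legacy IP Security policy (IP Security Policies node / IP Security Monitor).
    #    GPTIPSECPolicy is written when a domain GPO assigns one; ActivePolicy when a
    #    locally assigned policy is in effect.
    $domainLegacy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy' `
                        -ErrorAction SilentlyContinue
    $localLegacy  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\IPSec\Policy\Local' `
                        -Name ActivePolicy -ErrorAction SilentlyContinue
    $legacyText   = (netsh ipsec static show policy all 2>&1 | Out-String)

    # 2. Connection security rules from Windows Firewall with Advanced Security.
    $csRules = @(Get-NetIPsecRule -PolicyStore ActiveStore -Enabled True)

    # 3. The IPsec Policy Agent service (also needed for remote firewall management).
    $agent = Get-Service -Name PolicyAgent -ErrorAction SilentlyContinue

    $legacyAssigned = ($null -ne $domainLegacy) -or ($null -ne $localLegacy)
    [pscustomobject]@{
        LegacyPolicyAssigned    = $legacyAssigned
        LegacyDomainPolicyPath  = $domainLegacy.DSIPSECPolicyPath
        LegacyLocalPolicyKey    = $localLegacy.ActivePolicy
        LegacyPolicyListing     = $legacyText.Trim()
        ConnectionSecurityRules = $csRules.Count
        PolicyAgentStatus       = if ($agent) { [string]$agent.Status } else { 'NotInstalled' }
        # Both models in force at once is the conflict the text warns about.
        Conflict                = ($legacyAssigned -and $csRules.Count -gt 0)
    }
}

$report = Get-IPsecPolicySources
$report | Format-List
if ($report.Conflict) {
    Write-Warning 'A legacy IP Security policy and connection security rules are both in effect; keep only one.'
}
```

Stopping the Policy Agent, as the steps above describe, removes the legacy IPsec policy from the picture for the duration of the test; it does not remove the assignment, so the service picks the policy up again on the next start.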

Peer-to-peer network policy may cause traffic to be rejected

For connections that use IPsec, both computers must have compatible IP security policies. These policies can be defined with connection security rules in Windows Firewall with Advanced Security, with the IP Security Policy Management snap-in, or by another IP security provider.

To check the IP security policy settings in a peer-to-peer network, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, select Monitoring and then Connection Security Rules to make sure both hosts on the network have an IP security policy configured.

    If one of the computers in the peer-to-peer network runs a version of Windows earlier than Windows Vista, make sure that at least one main mode cipher suite and at least one quick mode cipher suite use algorithms supported by both hosts.

        Click Main Mode, select the connection to check in the details pane, and click Properties in the Actions pane. Review the connection properties on both hosts to make sure they are compatible.

        Repeat the previous step for Quick Mode. Review the connection properties on both hosts to make sure they are compatible.

    If you use Kerberos version 5 authentication, make sure the host is in the same domain or a trusted domain.

    If certificates are used, make sure the required options are selected. Certificates used for IPsec with Internet Key Exchange (IKE) require the digital signature key usage. Certificates used for Authenticated Internet Protocol (AuthIP) require client authentication (depending on the server authentication type). For more information about AuthIP certificates, see the article "AuthIP in Windows Vista" on the Microsoft website.

Unable to configure Windows Firewall with Advanced Security

The Windows Firewall with Advanced Security settings are greyed out in the following cases:

    The computer is connected to a centrally managed network and a network administrator uses Group Policy to configure Windows Firewall with Advanced Security. In this case the snap-in shows the message "Some settings are controlled by Group Policy" at the top. The administrator has configured the policy so that you cannot change the Windows Firewall settings.

    The computer running Windows Vista is not connected to a centrally managed network, but the Windows Firewall settings are defined by local Group Policy.

To change Windows Firewall with Advanced Security settings through local Group Policy, use the Local Computer Policy snap-in. To open it, type secpol.msc at a command prompt. If a User Account Control dialog box appears, confirm the requested action and click Continue. Go to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security to configure the policy settings.

Computer not responding to ping requests

The basic way to test connectivity between computers is to use the ping utility against a specific IP address. Ping sends an ICMP echo request message and waits for an ICMP echo reply. By default, Windows Firewall blocks inbound ICMP echo requests, so the computer never sends an echo reply.

Allowing inbound ICMP echo requests lets other computers ping your computer. It also exposes the computer to attacks that use ICMP echo messages, so enable inbound echo requests only temporarily, when needed, and disable them again afterwards.

To allow ICMP echo messages, create new inbound rules that allow ICMPv4 and ICMPv6 echo request packets.

To allow ICMPv4 and ICMPv6 echo requests, follow these steps:

    In the Windows Firewall with Advanced Security console tree, select the Inbound Rules node and click New Rule in the Actions pane.

    Select Custom and click Next.

    Select All programs and click Next.

    In the Protocol type list, select ICMPv4.

    Click Customize next to Internet Control Message Protocol (ICMP) settings.

    Select Specific ICMP types, check Echo Request, click OK and then click Next.

    At the step for local and remote IP addresses, select Any IP address or These IP addresses. If you select These IP addresses, enter the required addresses, click Add and then click Next.

    Select Allow the connection and click Next.

    At the profile step, check one or more of the profiles (Domain, Private, Public) in which the rule should apply, and click Next.

    In the Name box, enter a name for the rule and, optionally, a description in the Description box. Click Finish.

    Repeat these steps for ICMPv6, selecting ICMPv6 instead of ICMPv4 in the Protocol type list.

If connection security rules are active, temporarily exempting ICMP from the IPsec requirements can help isolate the problem. To do this, open the Properties dialog box in the Windows Firewall with Advanced Security snap-in, go to the IPsec Settings tab and set Exempt ICMP from IPsec to Yes.
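The wizard steps above, scripted so that the rules can be switched on for a test and off again afterwards, as the text recommends. This is an added example and not part of the original article; it assumes Windows 8 / Server 2012 or later, and the rule names, the default profile set and the address range in the usage lines are choices made for the example.

```powershell
# Added example, not from the original article. Assumes Windows 8 / Server 2012+.
# Rule names, the default profiles and the address range are choices made here.
function Enable-InboundPing {
    param(
        [string[]] $RemoteAddress = 'Any',                  # e.g. '10.0.0.0/8', '192.0.2.25'
        [string[]] $Profile       = @('Domain','Private'),  # Public is left out on purpose
        [string]   $NamePrefix    = 'Diag - Allow ICMP Echo Request'
    )
    # Only the echo-request type is opened, not the whole protocol:
    # ICMPv4 type 8, ICMPv6 type 128.
    $common = @{
        Direction     = 'Inbound'
        Action        = 'Allow'
        Enabled       = 'True'
        Profile       = $Profile
        RemoteAddress = $RemoteAddress
        Program       = 'Any'
    }
    New-NetFirewallRule -DisplayName "$NamePrefix (ICMPv4)" -Protocol ICMPv4 -IcmpType 8   @common
    New-NetFirewallRule -DisplayName "$NamePrefix (ICMPv6)" -Protocol ICMPv6 -IcmpType 128 @common
}

function Disable-InboundPing {
    param([string] $NamePrefix = 'Diag - Allow ICMP Echo Request')
    # Disabling keeps the rules for next time; use Remove-NetFirewallRule to delete them.
    Get-NetFirewallRule -DisplayName "$NamePrefix*" | Disable-NetFirewallRule
}

# Typical diagnosis: open ping from the management subnet only, run the test from
# the other host, then close it again.
Enable-InboundPing -RemoteAddress '10.0.0.0/8'
# ... ping this computer from a host in 10.0.0.0/8 ...
Disable-InboundPing

# The "Exempt ICMP from IPsec" setting on the IPsec Settings tab corresponds to:
#   Set-NetFirewallSetting -Exemptions Icmp      # and -Exemptions None to revert
```

Scoping the rule to a remote address range is what makes the temporary opening safe to leave in place for the length of a troubleshooting session; an unscoped echo-request rule on the Public profile is the case the warning above is about.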

Note

Windows Firewall settings can be changed only by administrators and network operators.

Unable to share files and printers

If you cannot share files and printers on a computer with Windows Firewall active, make sure all rules in the File and Printer Sharing group are enabled for the active profile. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node, scroll to the File and Printer Sharing group, select each disabled rule and click Enable Rule in the Actions pane.

Warning:

Do not enable file and printer sharing on computers that are directly connected to the Internet: attackers may try to reach the shared files and damage your personal data.

Unable to remotely administer Windows Firewall

If you cannot remotely administer a computer with Windows Firewall active, make sure all rules in the predefined Windows Firewall Remote Management group are enabled for the active profile. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node and scroll to the Windows Firewall Remote Management group. Make sure these rules are enabled; select each disabled rule and click Enable Rule in the Actions pane. Also verify that the IPsec Policy Agent service is running; remote management of Windows Firewall depends on it.

To verify that the IPsec Policy Agent is running, follow these steps:

    Click Start and select Control Panel.

    Click System and Maintenance and select Administrative Tools.

    Double-click Services.

    If a User Account Control dialog box appears, enter the credentials of a user with the appropriate permissions and click Continue.

    Find the IPsec Policy Agent service in the list and make sure its status is Started.

    If the IPsec Policy Agent service is stopped, right-click it and select Start. You can also start the service from the command line with net start PolicyAgent.

Note

The IPsec Policy Agent service is started by default. It should be running unless it has been stopped manually.

Windows Firewall troubleshooting tools

This section describes the tools and methods used to resolve common problems. It consists of the subsections that follow.

Using monitoring features in Windows Firewall with Advanced Security

The first step in troubleshooting Windows Firewall is to view the rules currently in effect. The Monitoring node shows the rules applied from local policy and Group Policy. To view the current inbound and outbound rules, select Monitoring in the Windows Firewall with Advanced Security console tree, then select Firewall. Under Monitoring you can also view the current Connection Security Rules and the Security Associations (Main Mode and Quick Mode).

Enabling and using security auditing with the auditpol command-line tool

By default, these audit settings are disabled. To configure them, use the auditpol.exe command-line tool, which changes the audit policy on the local computer. auditpol can enable or disable auditing for individual event categories and subcategories; the resulting events are then viewed in the Event Viewer snap-in.

    To list the categories auditpol supports, type at a command prompt:

    auditpol.exe /list /category

    To list the subcategories of a given category (for example, Policy Change), type at a command prompt:

    auditpol.exe /list /subcategory:"Policy Change"

    To enable auditing for a category or subcategory, type at a command prompt:

    auditpol.exe /set /category:"Category name" /subcategory:"Subcategory name" /success:enable /failure:enable

For example, to enable auditing for the Policy Change category and its MPSSVC Rule-Level Policy Change subcategory, type:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

The categories and subcategories relevant to Windows Firewall are:

    Policy Change
        MPSSVC Rule-Level Policy Change
        Filtering Platform Policy Change

    Logon/Logoff
        IPsec Main Mode
        IPsec Quick Mode
        IPsec Extended Mode

    System
        IPsec Driver
        Other System Events

    Object Access
        Filtering Platform Packet Drop
        Filtering Platform Connection

Audit policy changes made with auditpol take effect immediately. If the audit policy is instead set through Group Policy, force a refresh with gpupdate /force (on Windows 2000 the equivalent was secedit /refreshpolicy <policy_name>) or restart the computer.

After the diagnosis is complete, disable event auditing by replacing enable with disable in the commands above and running them again.

Viewing security audit events in the event log

After you enable auditing, use the Event Viewer snap-in to view the audit events in the Security log.

To open the Event Viewer snap-in from the Administrative Tools folder, follow these steps:

    Click Start.

    Select Control Panel. Click System and Maintenance and select Administrative Tools.

    Double-click Event Viewer.

To add the Event Viewer snap-in to an MMC console, follow these steps:

    Click Start, go to All Programs, then Accessories, and select Run.

    In the Open box, type mmc and press ENTER.

    If a User Account Control dialog box appears, confirm the requested action and click Continue.

    On the File menu, select Add/Remove Snap-in.

    In the Available snap-ins list, select Event Viewer and click Add.

    Click OK.

    Before closing the console, save it for future use.

In the Event Viewer snap-in, expand Windows Logs and select the Security node. The security audit events are listed in the upper part of the details pane; click an event there to show its details in the lower part. The General tab describes the event in plain text. The Details tab offers two views of the event data: Friendly View and XML View.
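Enabling the two Filtering Platform subcategories and reading the events they produce can be done without the two consoles. The following PowerShell is an added example and not part of the original article. It uses the English auditpol subcategory names and the documented Windows Filtering Platform audit events 5152 (a packet was dropped) and 5157 (a connection was blocked); the field names come from the event's XML and the %%-prefixed direction values are resource strings. Run it elevated, since the Security log is not readable otherwise.

```powershell
# Added example, not from the original article. Run elevated.
function Enable-WfpAuditing {
    # auditpol changes apply immediately; /get shows the resulting state.
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable | Out-Null
    auditpol /set /subcategory:"Filtering Platform Connection"  /success:enable /failure:enable | Out-Null
    auditpol /get /category:"Object Access"
}

function Disable-WfpAuditing {
    auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable | Out-Null
    auditpol /set /subcategory:"Filtering Platform Connection"  /success:disable /failure:disable | Out-Null
}

function Get-WfpBlockSummary {
    param([int] $MaxEvents = 2000)
    # 5152 = WFP blocked a packet, 5157 = WFP blocked a connection.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is easiest to read from the XML; the Data names match the template.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Id          = $e.Id
            Direction   = $d['Direction']      # %%14592 = Inbound, %%14593 = Outbound
            Protocol    = $d['Protocol']       # IANA number: 6 = TCP, 17 = UDP, 1 = ICMP
            Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
            Destination = "$($d['DestAddress']):$($d['DestPort'])"
            Application = $d['Application']
            FilterId    = $d['FilterRTID']     # run-time id of the WFP filter that matched
        }
    }
}

# Typical use: enable, reproduce the failing connection, summarise, disable.
Enable-WfpAuditing
Get-WfpBlockSummary | Group-Object Destination, Application |
    Sort-Object Count -Descending | Select-Object Count, Name -First 10
# Disable-WfpAuditing   # once the diagnosis is done; these subcategories are noisy
```

FilterRTID is the handle to the filter that made the decision; it is the value to look up in the output of netsh wfp show state when a drop cannot be explained by any visible firewall rule.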

Configuring the firewall log for a profile

Before you can view firewall logs, you must configure Windows Firewall with Advanced Security to write log files.

To configure logging for a Windows Firewall with Advanced Security profile, follow these steps:

    In the Windows Firewall with Advanced Security console tree, select the Windows Firewall with Advanced Security node and click Properties in the Actions pane.

    Select the tab of the profile for which you want to configure logging (Domain, Private or Public), then click Customize in the Logging section.

    Specify a name and location for the log file.

    Specify the maximum size of the log file (from 1 to 32767 kilobytes).

    In the Log dropped packets list, select Yes.

    In the Log successful connections list, select Yes, then click OK.

Viewing firewall log files

Open the file you specified in the previous procedure, "Configuring the firewall log for a profile". Local administrator rights are required to read the firewall log.

The log file can be viewed with Notepad or any other text editor.

Analyzing firewall log files

The fields written to the log are described below. Some are filled in only for certain protocols (TCP flags, ICMP type and code, and so on) and some only for dropped packets (size).

    date. The year, month and day on which the event was recorded, in the format YYYY-MM-DD.

    time. The hour, minute and second at which the event was recorded, in the format HH:MM:SS, with HH in 24-hour form.

    action. The action taken by the firewall: OPEN, CLOSE, DROP or INFO-EVENTS-LOST. INFO-EVENTS-LOST means that events occurred but were not logged.

    protocol. The protocol used for the connection (TCP, UDP or ICMP). For other protocols the field contains the IP protocol number.

    src-ip. The IP address of the sending computer.

    dst-ip. The IP address of the destination computer.

    src-port. The source port on the sending computer, an integer from 1 to 65535. A port value is written only for TCP and UDP; for other protocols the field contains "-".

    dst-port. The port on the destination computer, an integer from 1 to 65535. A port value is written only for TCP and UDP; for other protocols the field contains "-".

    size. The packet size in bytes.

    tcpflags. The control flags found in the TCP header of the packet:

        Ack. Acknowledgment field significant
        Fin. No more data from sender
        Psh. Push function
        Rst. Reset the connection
        Syn. Synchronize sequence numbers
        Urg. Urgent Pointer field significant

      Each flag is written as the first letter of its name; for example, Fin is written as F.

    tcpsyn. The TCP sequence number in the packet.

    tcpack. The TCP acknowledgment number in the packet.

    tcpwin. The TCP window size in the packet, in bytes.

    icmptype. A number representing the Type field of an ICMP message.

    icmpcode. A number representing the Code field of an ICMP message.

    info. Information that depends on the action. For example, for INFO-EVENTS-LOST this field holds the number of events that occurred but were not logged since the previous event of this type.

    path. (Windows Vista and later logs) The direction of the packet relative to this computer: SEND or RECEIVE.

Note

A hyphen (-) is written in any field of a record that carries no information.
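The logging settings above and the field list can be put to work with a small parser. The following PowerShell is an added example and not part of the original article: it turns logging on for all three profiles (Set-NetFirewallProfile assumes Windows 8 / Server 2012 or later; the file path and size are this example's choices) and parses the log by reading its #Fields header instead of hard-coding column positions, which is what keeps it correct across versions that add or drop a trailing column. The log lines embedded in the block are constructed for the example.

```powershell
# Added example, not from the original article. Set-NetFirewallProfile assumes
# Windows 8 / Server 2012+; the parser works on any pfirewall.log.
function Enable-FirewallLogging {
    param(
        [string] $Path      = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log',
        [int]    $MaxSizeKB = 16384
    )
    # LogBlocked = "Log dropped packets", LogAllowed = "Log successful connections".
    # -All applies the change to the Domain, Private and Public profiles at once.
    Set-NetFirewallProfile -All -LogFileName $Path -LogMaxSizeKilobytes $MaxSizeKB `
                           -LogBlocked True -LogAllowed True
}

function ConvertFrom-FirewallLog {
    param([Parameter(Mandatory)] [string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The header names the columns; reading it avoids hard-coded positions and
        # copes with the trailing "path" column that newer logs add.
        if ($line -like '#Fields:*') {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'No #Fields header before the first record' }

        $values = $line.Trim() -split '\s+'
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # "-" means the field carries no information for this record.
            $rec[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$rec
    }
}

# Constructed sample; addresses are from the documentation ranges (RFC 5737).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 203.0.113.7 192.0.2.10 51234 445 52 S 1234567 0 8192 - - - RECEIVE
2024-01-15 09:12:02 DROP TCP 203.0.113.7 192.0.2.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-01-15 09:12:03 DROP UDP 203.0.113.9 192.0.2.10 40000 137 78 - - - - - - - RECEIVE
2024-01-15 09:12:04 ALLOW TCP 192.0.2.10 198.51.100.20 49700 443 0 - 0 0 0 - - - SEND
2024-01-15 09:12:05 DROP ICMP 203.0.113.7 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 09:13:00 INFO-EVENTS-LOST - - - - - - - - - - - - 12 -
'@ -split "`r?`n"

$records = ConvertFrom-FirewallLog -Lines $sample
# For a real file:
#   ConvertFrom-FirewallLog -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")

# Which inbound ports are being probed and dropped most often?
$records | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object protocol, 'dst-port' | Sort-Object Count -Descending |
    Select-Object Count, Name

# Lost events mean the picture is incomplete; surface them rather than ignore them.
$records | Where-Object action -eq 'INFO-EVENTS-LOST' | Select-Object date, time, info
```

On the constructed sample the first query lists one drop each for TCP/445, TCP/3389, UDP/137 and ICMP, and the second shows 12 events lost at 09:13:00; on a real log the same two queries are usually enough to tell a scan from a misconfigured rule.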

Creating netstat and tasklist text files

You can create two text files: one with network statistics (a list of all listening ports) and one with the list of running service and application tasks. The task list contains the process identifier (PID) for each process, which can be matched against the PIDs in the network statistics file. The procedure for creating the two files is described below.

To create the network statistics and task list text files, do the following:

    At a command prompt, type netstat -ano > netstat.txt and press ENTER.

    At a command prompt, type tasklist > tasklist.txt and press ENTER. To create a text file that also lists the services hosted by each process, type tasklist /svc > tasklist.txt instead.

    Open tasklist.txt and netstat.txt.

    Find the PID of the process you are diagnosing in tasklist.txt and match it against the PID column in netstat.txt. Note the protocols and ports in use.

Sample tasklist.txt and netstat.txt output

netstat.txt
Proto  Local Address   Foreign Address  State      PID
TCP    0.0.0.0:XXX     0.0.0.0:0        LISTENING  122
TCP    0.0.0.0:XXXXX   0.0.0.0:0        LISTENING  322

tasklist.txt
Image Name    PID   Session Name   Session#   Mem Usage
===========   ===   ============   ========   =========
svchost.exe   122   Services       0          7,172 K
XzzRpc.exe    322   Services       0          5,104 K

Note

The real address and port values have been replaced with "X" and the name of the RPC service with "z".
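The manual comparison of the two files can be replaced by one table that already carries the join. The following PowerShell is an added example and not part of the original article; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-NetUDPEndpoint, and adds the one piece of information netstat and tasklist cannot give together: which services live inside a given svchost.exe instance.

```powershell
# Added example, not from the original article. Assumes Windows 8 / Server 2012+.
function Get-ListeningPortOwners {
    # Map PID -> service names once, so svchost instances can be told apart.
    $servicesByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service | Where-Object ProcessId -gt 0) {
        $servicesByPid[[int]$s.ProcessId] += @($s.Name)
    }
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        [pscustomobject]@{ Proto = 'TCP'; LocalAddress = $_.LocalAddress
                           LocalPort = $_.LocalPort; PID = $_.OwningProcess }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{ Proto = 'UDP'; LocalAddress = $_.LocalAddress
                           LocalPort = $_.LocalPort; PID = $_.OwningProcess }
    }

    foreach ($e in (@($tcp) + @($udp))) {
        $p = $procs[[int]$e.PID]
        [pscustomobject]@{
            Proto        = $e.Proto
            LocalAddress = $e.LocalAddress
            LocalPort    = $e.LocalPort
            PID          = $e.PID
            # A PID with no process means the owner exited between the two queries.
            Image        = if ($p) { $p.ProcessName + '.exe' } else { '<exited>' }
            Path         = if ($p) { $p.Path } else { $null }   # null for protected processes
            Services     = ($servicesByPid[[int]$e.PID] -join ',')
        }
    }
}

Get-ListeningPortOwners | Sort-Object Proto, LocalPort | Format-Table -AutoSize
```

A listener bound to 0.0.0.0 or :: is reachable on every interface and therefore on every firewall profile; that is the row to compare against the inbound rules for the program in the Image column.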

Make sure essential services are running

The following services must be running:

    Base Filtering Engine

    Group Policy Client

    IKE and AuthIP IPsec Keying Modules

    IP Helper

    IPsec Policy Agent

    Network Location Awareness

    Network List Service

    Windows Firewall

To open the Services snap-in and verify that the required services are running, follow these steps:

    Click Start and select Control Panel.

    Click System and Maintenance and select Administrative Tools.

    Double-click Services.

    If a User Account Control dialog box appears, enter the credentials of a user with the appropriate permissions and click Continue.

    Make sure the services listed above are running. If one or more are not, right-click the service name in the list and select Start.
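The same check from PowerShell, as an added example that is not part of the original article. The short service names used here are this example's mapping of the display names listed above; they are the names accepted by sc.exe and Get-Service. Starting a service needs an elevated session, and some of these (Group Policy Client in particular) are not meant to be started on demand, so a StartFailed result for that one is expected rather than a fault.

```powershell
# Added example, not from the original article. Short names are this example's
# mapping of the display names in the list above.
function Test-FirewallServices {
    param([switch] $Start)   # -Start attempts to start anything that is not running
    $required = [ordered]@{
        BFE         = 'Base Filtering Engine'
        gpsvc       = 'Group Policy Client'
        IKEEXT      = 'IKE and AuthIP IPsec Keying Modules'
        iphlpsvc    = 'IP Helper'
        PolicyAgent = 'IPsec Policy Agent'
        NlaSvc      = 'Network Location Awareness'
        netprofm    = 'Network List Service'
        MpsSvc      = 'Windows Firewall'
    }
    foreach ($name in $required.Keys) {
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        if ($Start -and $svc -and $svc.Status -ne 'Running') {
            try {
                # Start-Service also starts the service's dependencies (BFE before MpsSvc).
                Start-Service -Name $name -ErrorAction Stop
                $state = 'Started'
            } catch {
                $state = "StartFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            Service     = $name
            Description = $required[$name]
            State       = $state
            StartType   = if ($svc) { $svc.StartType } else { $null }
        }
    }
}

Test-FirewallServices | Format-Table -AutoSize
# Test-FirewallServices -Start    # elevated: start whatever is stopped
```

A StartType of Disabled on BFE or MpsSvc is worth reporting explicitly: both the firewall and IPsec stop enforcing anything when the Base Filtering Engine is not running, which is why attackers disable it rather than editing rules.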

One more way to solve problems

As a last resort you can restore the default Windows Firewall settings. Restoring the defaults discards every setting changed since Windows Vista was installed, which may cause some programs to stop working; and if you manage the computer remotely, the connection to it will be lost.

Before restoring the defaults, save your current firewall configuration. This lets you return to your settings if necessary.

The steps to save the firewall configuration and to restore the defaults are described below.

To save the current firewall configuration, do the following:

    In the Windows Firewall with Advanced Security snap-in, click Export Policy in the console tree.

To restore the default firewall settings, do the following:

    In the Windows Firewall with Advanced Security snap-in, click Restore Defaults in the console tree.

    When Windows Firewall with Advanced Security prompts you, click Yes to restore the defaults.

Conclusion

There are many ways to diagnose and resolve problems with Windows Firewall with Advanced Security. Among them:

    Using the Monitoring node to view firewall activity, connection security rules, and security associations.

    Analyzing the security audit events related to Windows Firewall.

    Creating tasklist and netstat text files and comparing them.

Starting with Windows Vista and Server 2008, Windows includes the Windows
Filtering Platform (WFP), a set of APIs and system services. With it you can
permit or block connections and handle individual packets. These additions were
meant to make life easier for developers of security products. The changes to the
network architecture affected both the kernel-mode and the user-mode parts of the
system: in kernel mode the required functions are exported by fwpkclnt.sys, in
user mode by fwpuclnt.dll (the letters "k" and "u" in the names stand for kernel
and user). This article is about using WFP to intercept and filter traffic; after
going over the basic WFP definitions and capabilities, we will write a simple
filter of our own.

Basic concepts

Before we start coding we have to get Microsoft's terminology straight: it is
needed to follow this article and will make the additional literature easier to
read :) So let's go.

Classification is the process of deciding what to do with a packet. The possible
outcomes are: permit, block, or invoke a callout.

A callout is a set of functions in a driver that inspect packets. One of them,
the classify function, performs the actual classification and can return one of
the following decisions:

  • permit (FWP_ACTION_PERMIT);
  • block (FWP_ACTION_BLOCK);
  • continue processing with the remaining filters (FWP_ACTION_CONTINUE);
  • request more data;
  • terminate the connection.

Filters are rules that specify when a particular callout is invoked. One driver
can have several callouts, and developing a callout driver is what this article
is about. By the way, there are also built-in callouts, for example the NAT
callout.

A layer is the point in the network stack at which filters are grouped (or, as
MSDN puts it, a "container" for filters).

Frankly, Microsoft's documentation looks rather murky, but the samples in the
WDK are worth studying; if you decide to develop something serious, you should
definitely go through them. Now let's move on to practice. To build and test
you will need the WDK (Windows Driver Kit), VMware, a virtual machine with Vista
installed, and the WinDbg debugger. I have WDK version 7600.16385.0 installed;
it contains everything we need, including the libraries (since we are writing a
driver, only fwpkclnt.lib and ntoskrnl.lib are required) and the WFP samples.
Links to all these tools have been given many times before, so we will not
repeat them here.

Coding

To initialize the callout I wrote a function BlInitialize. The general algorithm
for creating a callout and adding a filter is:

  1. FwpmEngineOpen0 opens a session with the filter engine;
  2. FwpmTransactionBegin0 starts a transaction with WFP;
  3. FwpsCalloutRegister0 registers a new callout with the filter engine;
  4. FwpmCalloutAdd0 adds the callout object to the system;
  5. FwpmFilterAdd0 adds one or more filters;
  6. FwpmTransactionCommit0 commits the changes (the added filters).

Note that the function names end in 0. In Windows 7 some of these functions got
new revisions, for example FwpsCalloutRegister1 appeared (while
FwpsCalloutRegister0 was kept). They differ in their arguments and, as a result,
in the prototype of the classify function, but this does not matter for us now:
the 0 versions work on both systems.

FwpmEngineOpen0 and FwpmTransactionBegin0 are of little interest; they are the
preparatory stage. The fun starts with FwpsCalloutRegister0:

FwpsCalloutRegister0 prototype

  NTSTATUS NTAPI FwpsCalloutRegister0(
      __inout void *deviceObject,
      __in const FWPS_CALLOUT0 *callout,
      __out_opt UINT32 *calloutId
  );

I already said that a callout is a set of functions; now let's look at it in
more detail. The FWPS_CALLOUT0 structure contains pointers to three functions:
the classify function (classifyFn) and two notification functions, one called
when a filter that uses the callout is added or removed (notifyFn) and one
called when a data flow being processed is deleted (flowDeleteFn). The first two
are mandatory; the last is needed only if you attach a context to flows, that
is, if you want to follow the packets themselves rather than just connections.
The structure also holds the callout's unique identifier, the callout GUID
(calloutKey).

Callout registration code

  FWPS_CALLOUT sCallout = {0};
  sCallout.calloutKey = *calloutKey;
  sCallout.classifyFn = BlClassify;                        // classify function
  sCallout.notifyFn   = (FWPS_CALLOUT_NOTIFY_FN0)BlNotify;  // filter add/remove notifications
  // flowDeleteFn is left NULL: we do not attach a context to flows
  // register the new callout with the filter engine
  status = FwpsCalloutRegister(deviceObject, &sCallout, calloutId);

FwpmCalloutAdd0 prototype and the FWPM_CALLOUT0 structure

  DWORD WINAPI FwpmCalloutAdd0(
      __in HANDLE engineHandle,
      __in const FWPM_CALLOUT0 *callout,
      __in_opt PSECURITY_DESCRIPTOR sd,
      __out_opt UINT32 *id
  );

  typedef struct FWPM_CALLOUT0_ {
      GUID calloutKey;
      FWPM_DISPLAY_DATA0 displayData;   // callout name and description
      UINT32 flags;
      GUID *providerKey;
      FWP_BYTE_BLOB providerData;
      GUID applicableLayer;
      UINT32 calloutId;
  } FWPM_CALLOUT0;

In the FWPM_CALLOUT0 structure we care about the applicableLayer field: the
unique identifier of the layer the callout is added to. In our case it is
FWPM_LAYER_ALE_AUTH_CONNECT_V4. "V4" in the name means IPv4; there is also
FWPM_LAYER_ALE_AUTH_CONNECT_V6 for IPv6. Given how little IPv6 is deployed at
the moment, we will work only with IPv4 (keep in mind that a filter registered
only at the V4 layer leaves IPv6 connections to the same host untouched).
CONNECT in the name means we only control connection establishment, that is,
the authorization of an outgoing connect; individual incoming and outgoing
packets to that address are not seen at this layer. There are many other layers
besides the one we use; they are declared in the fwpmk.h header from the WDK.

Adding the callout object to the system

  FWPM_CALLOUT mCallout = {0};
  FWPM_DISPLAY_DATA displayData = {0};
  // callout name and description
  displayData.name = L"Blocker Callout";
  displayData.description = L"Blocker Callout";
  mCallout.calloutKey = *calloutKey;
  mCallout.displayData = displayData;
  // layerKey points to FWPM_LAYER_ALE_AUTH_CONNECT_V4
  mCallout.applicableLayer = *layerKey;
  status = FwpmCalloutAdd(gEngineHandle, &mCallout, NULL, NULL);

So, after the callout has been added to the system, we need to create a filter,
that is, specify in which cases our callout (namely, its classify function) will
be invoked. A new filter is created with FwpmFilterAdd0, which takes an
FWPM_FILTER0 structure as its argument.

FWPM_FILTER0 points to one or more FWPM_FILTER_CONDITION0 structures (their
number is given by the numFilterConditions field). The layerKey field holds the
GUID of the layer we want to attach to; here we specify
FWPM_LAYER_ALE_AUTH_CONNECT_V4.

Now let's look at filling in FWPM_FILTER_CONDITION0. First, the fieldKey field
must state explicitly what we want to match on: a port, an address, an
application or something else. Here FWPM_CONDITION_IP_REMOTE_ADDRESS tells the
system that we are interested in the remote IP address. The fieldKey determines
the type of the value held in the FWP_CONDITION_VALUE0 structure embedded in
FWPM_FILTER_CONDITION0; in our case it is an IPv4 address, stored as a
FWP_UINT32 in host byte order. Next, the matchType field determines how the
value in FWP_CONDITION_VALUE0 is compared with what arrived from the network.
There are many options: FWP_MATCH_EQUAL means an exact match; FWP_MATCH_NOT_EQUAL
effectively turns the condition into an exception (an address whose connections
are not tracked); there are also FWP_MATCH_GREATER, FWP_MATCH_LESS and others
(see the FWP_MATCH_TYPE enumeration). In our case it is FWP_MATCH_EQUAL.

I did not bother much and simply wrote a condition that blocks a single chosen
IP address. Whenever some application tries to establish a connection to that
address, the classify function of our callout will be invoked. The code that
puts all this together is in the sidebar "Adding a filter to the system".

Adding a filter to the system

  FWPM_FILTER filter = {0};
  FWPM_FILTER_CONDITION filterConditions = {0};
  filter.flags = FWPM_FILTER_FLAG_NONE;
  filter.layerKey = *layerKey;                   // FWPM_LAYER_ALE_AUTH_CONNECT_V4
  filter.displayData.name = L"Blocker Callout";
  filter.displayData.description = L"Blocker Callout";
  // the callout decides: its classifyFn may return permit or block
  filter.action.type = FWP_ACTION_CALLOUT_UNKNOWN;
  filter.action.calloutKey = *calloutKey;
  // one filter condition, on the remote address
  filterConditions.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
  filterConditions.matchType = FWP_MATCH_EQUAL;
  filterConditions.conditionValue.type = FWP_UINT32;
  // FWP_UINT32 addresses are in host byte order, hence ntohl() on a network-order address
  filterConditions.conditionValue.uint32 = ntohl(BLOCKED_IP_ADDRESS);
  filter.filterCondition = &filterConditions;
  filter.numFilterConditions = 1;
  //filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;  // a zero GUID means the default sublayer
  filter.weight.type = FWP_EMPTY;                // let the engine assign the weight
  // add the filter
  status = FwpmFilterAdd(gEngineHandle, &filter, NULL, NULL);

There can, of course, be many filter conditions. For example, you can block
connections to a specific remote or local port (FWPM_CONDITION_IP_REMOTE_PORT and
FWPM_CONDITION_IP_LOCAL_PORT respectively), catch all packets of a particular
protocol, or all connections of a particular application. And that is not all:
you can, for instance, block the traffic of a specific user. There is plenty of
room to roam.
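The condition semantics described above (fieldKey, matchType, and how the engine
combines several conditions before it invokes a callout), as a stand-alone model
in portable C. This is an added example, not the article's driver code and not
the WFP API: the enums mirror FWPM_CONDITION_* and FWP_MATCH_TYPE in name only,
the sample filter (198.51.100.7, ports 1-1023 or 8443, TCP) is constructed, and
the model assumes WFP's documented rule that conditions on the same field are
ORed while conditions on different fields are ANDed. It also shows why the code
above applies ntohl() to the blocked address: FWP_UINT32 addresses are compared
in host byte order, and a network-order value silently never matches.

```c
/* Model of how the WFP filter engine evaluates a filter's FWPM_FILTER_CONDITION0
 * list before invoking a callout. Portable C99, stand-alone: the enums mirror
 * FWPM_CONDITION_* and FWP_MATCH_TYPE in name only and nothing here calls WFP. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum field_key  { F_IP_REMOTE_ADDRESS, F_IP_REMOTE_PORT, F_IP_LOCAL_PORT, F_IP_PROTOCOL, F_COUNT };
enum match_type { M_EQUAL, M_NOT_EQUAL, M_GREATER, M_LESS, M_RANGE };

struct cond { enum field_key field; enum match_type match; uint32_t low, high; };
struct conn { uint32_t remote_addr; uint16_t remote_port; uint16_t local_port; uint8_t protocol; };

/* WFP keeps IPv4 condition values as FWP_UINT32 in HOST byte order. A value taken
 * from inet_addr()/in_addr is in network order and must go through ntohl() first,
 * otherwise the filter compares the wrong integer and silently never matches.
 * This parses a dotted quad straight into host order; returns 0 on bad input. */
uint32_t ipv4_host_order(const char *dotted)
{
    char buf[16], *e;
    uint32_t v = 0;
    int octets = 0;
    snprintf(buf, sizeof buf, "%s", dotted);
    for (char *p = strtok(buf, "."); p; p = strtok(NULL, "."), octets++) {
        long o = strtol(p, &e, 10);
        if (*e != '\0' || o < 0 || o > 255 || octets >= 4) return 0;
        v = (v << 8) | (uint32_t)o;
    }
    return octets == 4 ? v : 0;
}

static uint32_t field_of(const struct conn *c, enum field_key f)
{
    switch (f) {
    case F_IP_REMOTE_ADDRESS: return c->remote_addr;
    case F_IP_REMOTE_PORT:    return c->remote_port;
    case F_IP_LOCAL_PORT:     return c->local_port;
    case F_IP_PROTOCOL:       return c->protocol;
    default:                  return 0;
    }
}

static int cond_matches(const struct cond *k, const struct conn *c)
{
    uint32_t v = field_of(c, k->field);
    switch (k->match) {
    case M_EQUAL:     return v == k->low;
    case M_NOT_EQUAL: return v != k->low;
    case M_GREATER:   return v >  k->low;
    case M_LESS:      return v <  k->low;
    case M_RANGE:     return v >= k->low && v <= k->high;  /* FWP_RANGE0 is inclusive */
    }
    return 0;
}

/* Engine rule: conditions on the same field are ORed, different fields are ANDed.
 * Returns 1 when the filter applies, i.e. when its callout's classifyFn would run. */
int filter_matches(const struct cond *conds, int n, const struct conn *c)
{
    for (int f = 0; f < F_COUNT; f++) {
        int present = 0, hit = 0;
        for (int i = 0; i < n && !hit; i++) {
            if (conds[i].field != (enum field_key)f) continue;
            present = 1;
            hit = cond_matches(&conds[i], c);
        }
        if (present && !hit) return 0;
    }
    return 1;
}

/* Constructed filter: block TCP connects to 198.51.100.7 on ports 1-1023 or 8443.
 * Returns "BLOCK" when the filter matched (the article's BlClassify would then return
 * FWP_ACTION_BLOCK) and "NO_MATCH" when the engine would not consult this callout. */
const char *decide(const char *remote_ip, uint16_t remote_port, uint8_t protocol)
{
    struct cond conds[] = {
        { F_IP_REMOTE_ADDRESS, M_EQUAL, ipv4_host_order("198.51.100.7"), 0 },
        { F_IP_REMOTE_PORT,    M_RANGE, 1, 1023 },
        { F_IP_REMOTE_PORT,    M_EQUAL, 8443, 0 },   /* same field as the range: ORed */
        { F_IP_PROTOCOL,       M_EQUAL, 6, 0 },      /* IPPROTO_TCP */
    };
    struct conn c = { ipv4_host_order(remote_ip), remote_port, 0, protocol };
    return filter_matches(conds, 4, &c) ? "BLOCK" : "NO_MATCH";
}

int main(void)
{
    printf("198.51.100.7:443/tcp  -> %s\n", decide("198.51.100.7", 443, 6));
    printf("198.51.100.7:8443/tcp -> %s\n", decide("198.51.100.7", 8443, 6));
    printf("198.51.100.7:5000/tcp -> %s\n", decide("198.51.100.7", 5000, 6));
    printf("198.51.100.7:443/udp  -> %s\n", decide("198.51.100.7", 443, 17));
    printf("198.51.100.8:443/tcp  -> %s\n", decide("198.51.100.8", 443, 6));
    return 0;
}
```

A table like this is a cheap way to check a condition set before loading a
driver: a "NO_MATCH" that should have been a "BLOCK" usually points at a byte
order mix-up or at two conditions that were meant to be ANDed but share a
field and are therefore ORed.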

But back to our filter. The classify function in our case simply blocks the
connection to the specified address (BLOCKED_IP_ADDRESS) by returning
FWP_ACTION_BLOCK:

Our classify function

  void NTAPI BlClassify(
      const FWPS_INCOMING_VALUES* inFixedValues,
      const FWPS_INCOMING_METADATA_VALUES* inMetaValues,
      VOID* layerData,
      const FWPS_FILTER* filter,
      UINT64 flowContext,
      FWPS_CLASSIFY_OUT* classifyOut)
  {
      // a decision may only be written while the engine grants FWPS_RIGHT_ACTION_WRITE
      if (classifyOut && (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE)) {
          // block the connection
          classifyOut->actionType = FWP_ACTION_BLOCK;
          // when blocking, clear FWPS_RIGHT_ACTION_WRITE so that filters with a
          // lower weight cannot override the block
          classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
      }
  }

In practice the classify function may also set FWP_ACTION_PERMIT,
FWP_ACTION_CONTINUE and so on.

And finally, when the driver unloads, all registered callouts must be removed
(guess what happens if the system tries to invoke a callout of an unloaded
driver? Right, a BSOD). FwpsCalloutUnregisterById exists for this; it takes a
single 32-bit parameter, the callout identifier returned by FwpsCalloutRegister.

Tearing down the callout

  NTSTATUS BlUninitialize()
  {
      NTSTATUS ns = STATUS_SUCCESS;
      if (gEngineHandle) {
          // if the session was opened as dynamic, closing it removes the filters added through it
          FwpmEngineClose(gEngineHandle);
          gEngineHandle = NULL;
      }
      if (gBlCalloutIdV4) {
          // returns STATUS_DEVICE_BUSY while classifications are still in flight;
          // the driver must not unload until this call succeeds
          ns = FwpsCalloutUnregisterById(gBlCalloutIdV4);
      }
      return ns;
  }

As you can see, writing a WFP filter is not that hard, since MS has given us a
very convenient API. By the way, here we added the filter from the driver, but
this can also be done from user mode; for example, the WDK sample msnmntr (MSN
Messenger traffic monitor) does exactly that, which keeps the kernel-mode part of
the filter lean.

Your GUID

To register a callout you need a unique identifier. To get your own GUID
(Globally Unique Identifier), use guidgen.exe, which ships with Visual Studio
and lives in (VS_Path)\Common7\Tools. The probability of a collision is
negligible, since a GUID is 128 bits long and there are 2^128 possible
identifiers.

Filter debugging

For debugging drivers the WinDbg + VMware pair is convenient. You need to
configure both the guest system (Vista in our case) and the WinDbg debugger.
Where Windows XP required editing boot.ini for remote debugging, Vista and later
have the bcdedit console utility. As usual, start by enabling debugging:

  bcdedit /dbgsettings serial debugport:1 baudrate:115200
  bcdedit /debug on        (or: bcdedit /set debug on)

Now everything is ready. Launch a batch file with the following line (the
virtual machine's COM port is mapped to the named pipe \\.\pipe\com_1 in the
VMware settings):

  start windbg -b -k com:pipe,port=\\.\pipe\com_1,resets=0

and watch the debug output in the WinDbg window (see figure).

Conclusion

As you can see, the scope of WFP is quite wide. How you apply this knowledge,
for good or for evil, is up to you 🙂

Windows Firewall does not command much respect. Only slightly changed from XP to Vista, it does its job well but lacks the ambition to be the best personal firewall. And although the Windows 7 firewall has received several new features, it still did not get what I expected to see in it.

Hanging with HomeGroup

During installation, Windows 7 suggests creating a HomeGroup. As more Windows 7 computers are discovered on the network, they too are prompted to join the group, and all they need for that is the group password. With only one Windows 7 computer, I did not get to see other computers joining the group, though a notification about it would not hurt. While any Windows 7 computer can join a HomeGroup, computers running Windows 7 Home Basic and Windows 7 Starter cannot create one.

Computers in the same HomeGroup can share printers and specific file libraries. By default the Pictures, Music, Videos and Documents libraries are shared, but the user can restrict this as he sees fit. The operating system's help explains clearly how to exclude a file or folder from sharing, how to make it read-only, and how to restrict access to it.

On his home network the user can share his content with other computers and devices, including computers that do not run Windows 7 and even devices that are not computers at all. In particular, Microsoft showed how to share content with an Xbox 360. The company does not, however, offer to connect a Wii to the network: alas, it did not qualify the Wii as a streaming media device.

So how much more secure is home networking in Windows 7? Users who fail to share files and folders usually start disabling everything in sight, including the firewall and the antivirus, that in their opinion might be getting in the way. If sharing is made simple, that disabling spree can be avoided.

Where Vista divided networks into Public and Private, Windows 7 divides private networks into Home and Work. HomeGroup is available only when the Home network location is selected. On a Work network your computer can still see and connect to other devices on it. On a Public network (such as a café's wireless hotspot), Windows 7 blocks access to your computer and from it to other devices, for your safety. A small but nice feature.

Dual mode firewall

In Vista and XP, managing the firewall amounted to turning it on and off. Windows 7 offers separate configuration settings for private (Home and Work) and Public networks. The user does not have to go into the firewall settings to work in, say, a local café: it is enough to choose the Public network, and the firewall itself applies the whole set of restrictive parameters. Most likely users will configure the Public profile to block all incoming connections. In Vista this could not be done without also cutting off all incoming traffic on the user's own network.

Some users do not understand why a firewall is needed at all: if UAC works, isn't a firewall overkill? In fact the two serve very different purposes. UAC watches programs and their actions on the local system; the firewall looks closely at incoming and outgoing data. If you imagine them as two heroes standing back to back and fending off zombie attacks, you will not be far wrong.

At first I was intrigued by the new option "Notify me when Windows Firewall blocks a new program". Was this a sign that Windows Firewall had taken control of programs and become a true two-way firewall? Alas, I soon lost interest in the feature, and as a result Windows Firewall earned no more respect than it had before.

It has been ten years since ZoneLabs popularized the two-way personal firewall. Its ZoneAlarm hid all of the computer's ports (which Windows Firewall can do) and also let you control programs' access to the Internet (which Windows Firewall still cannot do). I am not asking for intelligent monitoring of program behaviour, as in Norton Internet Security 2010 and other suites, but I hope that by the release of Windows 8 Microsoft will finally build ZoneAlarm's decade-old feature set into its firewall.

Microsoft knows very well that many users install third-party firewalls and security suites and simply disable Windows Firewall. In the past, many third-party security programs disabled Windows Firewall automatically to avoid conflicts. In Windows 7 Microsoft has taken this on itself: when a firewall it recognizes is installed, the operating system disables its built-in firewall and reports that the firewall settings are managed by such-and-such a program from such-and-such a vendor.

Whether you use it or not, Windows Firewall is present in every copy of Windows 7 and deeply integrated with the operating system. So wouldn't it be better if third-party security applications could use the Windows filtering machinery for their own purposes? That idea is behind a programming interface called the Windows Filtering Platform. But will developers use it? More on this in the next section.

Windows 7 Security: Windows Filtering Platform

Firewalls have to work with Windows 7 at a very low level, which Microsoft's programmers thoroughly dislike. Some Microsoft technologies, such as PatchGuard in the 64-bit editions of Windows 7 (64-bit Windows 7 has a number of security advantages over 32-bit Windows 7), keep intruders out and also protect the kernel from being modified by other code. Yet Microsoft itself does not provide the same level of protection as third-party programs. So what is to be done?

The answer is the Windows Filtering Platform (WFP), which, according to Microsoft, lets third-party firewalls build on core Windows Firewall functionality, adding their own features and selectively enabling or disabling parts of Windows Firewall. As a result, the user can choose a firewall that coexists with Windows Firewall.

But how useful is this really to security software developers, and will they use it? I asked several of them and got a variety of answers.

BitDefender LLC

Product development manager Iulian Costache said his company is already running the platform on Windows 7, but has run into significant memory leaks. The bug is on Microsoft's side, as the software giant has already confirmed; Iulian does not know, however, when it will be fixed. In the meantime they have temporarily replaced the new WFP driver with the old TDI one.

Check Point Software Technologies Ltd

Mirka Janus, PR manager at Check Point Software Technologies Ltd, said his company has been using WFP since Vista and uses the platform on Windows 7 as well. It is a good, well-supported interface, but any malware or incompatible driver can be dangerous for a security product that relies on it. ZoneAlarm has always relied on two layers, the network connection layer and the packet layer. Since Vista, Microsoft has offered WFP as a supported way to filter network connections. Starting with Windows 7 SP1, Microsoft is expected to add packet filtering to WFP.

"Using supported APIs means improved stability and fewer BSODs. Many drivers can be registered, and each driver developer need not worry about compatibility with the others. If a driver blocks something, no other registered driver can bypass that block. On the other hand, an incompatible driver can become a problem by bypassing all the other registered ones. We do not rely on WFP alone for network security."

F-Secure Corporation

Mikko Hypponen, a senior researcher at F-Secure Corporation, said that for some reason WFP never caught on with security software developers, though his own company has been using WFP for quite some time and is happy with it.

McAfee Inc.

McAfee lead architect Ahmed Sallam, in turn, said that WFP is a more powerful and flexible network filtering interface than the previous NDIS-based interface. McAfee makes extensive use of WFP in its security products.

At the same time, for all its positive sides, cybercriminals can also take advantage of the platform: it may let malware into the network stack of the Windows kernel. That is why 64-bit Windows kernel-mode drivers must be digitally signed, to protect the kernel from having malware loaded into it. On 32-bit versions, however, signatures are not required.

Yes, in theory digital signatures are a reasonable defense mechanism, but in reality malware authors can still obtain them.

Panda Security

Panda Security spokesman Pedro Bustamante said his company is watching WFP but is not currently using it. In the company's view, WFP's main drawbacks are, first, that it does not allow building a technology that combines various techniques to maximize protection: such a technology is useless if the company cannot look at the packets entering and leaving the machine, and it should also act as a sensor for other protection technologies, none of which WFP provides. Second, WFP is supported only on Vista and newer operating systems; the platform is not backward compatible. Third, WFP is a fairly new platform, and the company prefers to build on older, more established technologies.

Symantec Corp.

Symantec's director of consumer product management, Dan Nadir, said WFP is not yet used in their products because of its relative novelty. Over time, however, the company plans to migrate to it, because the old interfaces it relies on now will not be able to provide the full functionality it needs. They consider WFP a good platform because it was designed specifically for interoperability among a variety of third-party software; in principle the platform should have even fewer compatibility problems in the future. WFP is also good because it is integrated with the Microsoft Network Diagnostic Framework, which is extremely useful as it greatly simplifies finding the specific programs that are getting in the way of network traffic. Finally, WFP should improve operating system performance and stability, because the platform avoids emulation and driver conflicts or stability problems.

On the other hand, according to Nadir, WFP can create the problems inherent in any framework: developers who rely on WFP cannot close vulnerabilities within WFP itself, nor can they extend the specific features WFP offers. And if many programs rely on WFP, malware authors could in theory try to attack WFP itself.

TrendMicro Inc.

Trend Micro Inc. director of research Dale Liao said the platform's biggest advantage is compatibility with the operating system. Also, the standard firewall is now useful, so they can focus on what really matters to the user. The bad thing about WFP is that when a bug is found in the platform, the company has to wait for Microsoft to fix it.

WFP: Conclusion

So most of the security software developers I talked to are already using WFP, some of them alongside other technologies. They like the interoperability, the documented and official nature of the platform, and its presumed stability. On the negative side, if all developers come to rely on WFP, the platform can become a single point of weakness for everyone, and they will have to rely on Microsoft to fix it. In addition, according to some of them, the platform does not yet offer the packet-level filtering they need.

Another big disadvantage of WFP is that it is not available on Windows XP, so developers who want to support XP have to maintain two parallel code bases. But as XP leaves the market, I think WFP will become more popular among developers.


