Spotlight on Windows Firewall: Multiple Active Firewall Profiles in Windows
In today’s interconnected world, we’re always looking for better ways to protect our computers from the threats on the Internet. Windows Firewall is an important piece of armor to include in your security arsenal.
Windows Firewall can swap the set of rules it uses based on the type of network to which it is connected. The different sets of rules are called “profiles,” and there is one each for Domain networks, Private networks, and Public networks. Domain networks are detected automatically by the presence of a domain controller from the client computer’s domain. For non-domain networks, you get to choose between Private (typically a home or small office) and Public (such as coffee shop or public library Wi-Fi hotspots). By default, a network is assigned to the Public profile. You can assign a network to the Private profile when you know and trust the users and computers on that network. You’ve probably seen that, the first time you connect your computer to a network, Windows asks you what kind of network it is. You have to have Administrator permissions to assign a network to the Private profile.
This multiple profile feature was first introduced in Windows Vista, but with the limitation that only one profile is active at a time, even when your computer is connected to multiple networks. To maintain security, if any of the connected networks is identified as Public, then the Public profile is active, and all of the network connections are protected with the Public profile’s rules. If there are no Public networks, but there are one or more Private network connections, then the Private profile’s rules are used to protect your computer. The Domain profile is only used if there are no Private or Public connections.
While the introduction of the three profile types was a great first step, it introduces some obvious challenges when you are connected to multiple network types. For example, if you are sitting in your favorite coffee shop using their Wi-Fi hotspot access to the Internet, then the Public profile with its strict rules is (and should be!) protecting your computer. But what about when you establish a virtual private network (VPN) connection to your work network while sitting in that coffee shop? In Windows Vista, because of the Public connection, the Public profile ends up protecting the VPN connection as well. The stricter rules in the Public profile, while needed to protect you from threats on the Public network, could interfere with programs that you use on your Domain network and that you expect to work over your VPN connection. You shouldn’t relax the rules in the Public profile to make the program work, because you would be increasing your risk from Public networks.
Windows 7 introduces a great new feature that helps address this: Multiple Active Firewall Profiles. In Windows 7, each network connection is protected by the profile that is appropriate for the type of network to which it is attached. Network traffic going in and out of the wireless adapter when you’re sitting in the coffee shop is protected by the Public profile’s rules, as it should be. However, the VPN connection to your office is now protected by the Domain profile and its rules, so your programs operate as well as they do when you are sitting in your office.
Another scenario in which this new feature will be handy is if you are at home using a WWAN connection to the Internet as well as a wired connection to your other home computers. The WWAN connection is protected by the Public profile while the connection to your home network is protected by the Private profile.
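A defender's check of the per-connection protection described above, as an added example that is not part of the original post: it lists each connected network, the profile Windows applies to it, and whether that profile is enabled and blocks unsolicited inbound traffic by default. It assumes the Get-NetConnectionProfile and Get-NetFirewallProfile cmdlets (Windows 8 / Server 2012 and later, not Windows 7, where `netsh advfirewall show currentprofile` lists the active profiles instead).

```powershell
# Added example (not from the original post): map each connected network to the
# firewall profile that protects it and flag settings that weaken that profile.
# Assumes the NetConnection and NetSecurity modules (Windows 8 / Server 2012+);
# run from an elevated prompt for full detail.

# NetworkCategory values reported by Get-NetConnectionProfile, mapped to the
# profile names used by Get-NetFirewallProfile.
$categoryToProfile = @{
    'DomainAuthenticated' = 'Domain'
    'Private'             = 'Private'
    'Public'              = 'Public'
}

# One entry per firewall profile, keyed by profile name.
$profiles = @{}
foreach ($p in Get-NetFirewallProfile) {
    $profiles[$p.Name] = $p
}

$report = foreach ($net in Get-NetConnectionProfile) {
    $profileName = $categoryToProfile["$($net.NetworkCategory)"]
    $fw = $profiles[$profileName]

    # A profile only protects the connection if it is enabled and its default
    # inbound action is Block. 'NotConfigured' means the built-in default (Block)
    # applies, so only an explicit 'Allow' counts as weak.
    $enabled  = "$($fw.Enabled)" -eq 'True'
    $inbound  = "$($fw.DefaultInboundAction)"
    $blocking = $enabled -and ($inbound -ne 'Allow')

    [pscustomobject]@{
        Interface      = $net.InterfaceAlias
        Network        = $net.Name
        Category       = "$($net.NetworkCategory)"
        Profile        = $profileName
        ProfileEnabled = $enabled
        DefaultInbound = $inbound
        Weak           = -not $blocking
    }
}

$report | Format-Table -AutoSize

# Call out any connection whose profile would leave it exposed, for example a
# hotspot adapter in the Public category whose Public profile is turned off.
foreach ($row in ($report | Where-Object Weak)) {
    $msg = '{0} ({1}) is protected by the {2} profile, which is disabled or allows inbound by default' -f `
           $row.Interface, $row.Category, $row.Profile
    Write-Warning $msg
}
```

Changing a network's category (for example `Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private`) requires Administrator rights, matching the post's note about assigning a network to the Private profile.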
Multiple Active Firewall Profiles in Windows 7 gives you more flexibility in accessing your network resources without compromising your security. Give it a try! To see the documentation available for Windows Firewall with Advanced Security, see http://technet.microsoft.com/en-us/library/cc732283.aspx on Microsoft TechNet.
Senior Technical Writer
The Windows Server Networking Documentation Team
Published Monday, April 13, 2009 11:22 PM by WSUA Networking Blog