Saturday, September 19, 2009

Windows 7 Multiple Active Firewall Policies

In Windows Vista we saw huge changes to the native Windows firewall. It became bidirectional, with both inbound and outbound rules, and could apply layer 7 rules such as ones based on Active Directory security groups, user and computer accounts, as well as IPsec rules. In Windows Vista the firewall was divided into three categories called profiles:
- Public
- Domain
- Home

Each profile had its own list of ACLs. Only one profile could be active at a time. If a user took her laptop out of the domain and connected to the WiFi at a coffee shop, she might no longer be able to use software such as VPN clients. This is because in the office the user was on the Domain profile, but now the firewall has reverted to the Public profile, which no longer has the ports open that the VPN program requires.

How has Windows 7 Resolved This?

Windows 7 resolves this by keeping all firewall profiles active at the same time. Applications are then linked to a particular profile; for example, the VPN client is linked to always use the Domain profile. In the Control Panel view below we can see that all firewall profiles are running but only one is the connected profile:

If we click on "Allow a program or feature through Windows Firewall" we can select which profiles an application is allowed through.
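The same per-profile scoping can be done from an elevated prompt with netsh, which is useful for checking that a rule really is limited to the Domain profile rather than silently applying on Public as well. This is an added example, not from the original post; the rule name and program path are placeholders.

```powershell
# Added example (not from the original post). Requires an elevated prompt on
# Windows 7 or later. The rule name and program path below are placeholders.
$RuleName = 'Example VPN client (Domain only)'
$Program  = 'C:\Program Files\ExampleVPN\vpnclient.exe'   # placeholder path

# Create an inbound allow rule that applies only to the Domain profile, so the
# same executable stays subject to the default block when the adapter is on Public.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    program="$Program" profile=domain enable=yes | Out-Null

# Verify the scoping: the "Profiles:" line of the rule should read exactly "Domain".
# A rule created without profile= would show "Domain,Private,Public" instead.
$line = netsh advfirewall firewall show rule name="$RuleName" |
        Select-String '^Profiles:' | Select-Object -First 1
$profiles = ($line.Line -replace '^Profiles:\s*', '').Trim()
if ($profiles -ne 'Domain') {
    throw "Rule '$RuleName' applies to '$profiles'; expected 'Domain'"
}
Write-Host "Rule '$RuleName' is scoped to the $profiles profile only."

# On Windows 7 more than one profile can be ON at once (one per connected
# adapter), so review every profile's state rather than only the current one.
netsh advfirewall show allprofiles state
```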
