Windows Firewall with Advanced Security: Diagnosing and Solving Common Problems


Windows Firewall with Advanced Security, a snap-in for the Microsoft Management Console (MMC) in Windows Vista™, is a stateful host-based firewall that filters the inbound and outbound traffic of a workstation. Firewall settings and IPsec settings can now be configured with a single tool. This article describes how Windows Firewall with Advanced Security works, the typical problems and their symptoms, and how to resolve them.

How Windows Firewall with Advanced Security works

Windows Firewall with Advanced Security is a stateful host-based firewall. Unlike perimeter firewalls on routers, which are deployed at the gateway between the local network and the Internet, Windows Firewall is designed to run on individual computers. It tracks only the traffic of the workstation it runs on: traffic addressed to that computer's IP address and traffic the computer sends itself. Windows Firewall with Advanced Security performs the following basic operations:

    Each inbound packet is checked against a list of allowed traffic. If the packet matches an entry in the list, Windows Firewall passes it to TCP/IP for further processing. If the packet matches no entry, Windows Firewall drops it and, if logging is enabled, records the drop in the log file.

The list of allowed traffic is built in two ways:

    When a connection controlled by Windows Firewall with Advanced Security sends a packet, the firewall creates an entry in the list so that the response traffic from the remote host is allowed back in. No explicit rule is needed for the replies to outbound traffic; only unsolicited inbound traffic requires explicit permission.

    When you create an allow rule in Windows Firewall with Advanced Security, the traffic the rule describes is allowed onto the computer. A computer that acts as a server, as a client that receives unsolicited traffic, or as a peer in a peer-to-peer network therefore needs explicit allow rules for its inbound traffic.

The first step in troubleshooting Windows Firewall is to check which profile is active. Windows Firewall with Advanced Security is network-location aware: its profile changes when the network environment changes. A profile is a set of settings and rules that is applied depending on the network environment and the current network connections.

The firewall distinguishes three network location types: domain, public and private. A domain network is an environment in which connections are authenticated by a domain controller. By default every other network connection is treated as public. When a new connection is made, Windows Vista prompts the user to state whether the network is private or public. The public profile is intended for use in public places, such as airports or cafes. The private profile is intended for use at home or in the office, and on other protected networks. To mark a network as private, the user must have administrative rights.

Because a computer can be connected to networks of different types at the same time, only one profile is active at any moment. The active profile is chosen as follows:

    If all interfaces are authenticated to a domain controller, the domain profile is used.

    If at least one interface is connected to a private network and every other interface is connected to a domain or private network, the private profile is used.

    In all other cases the public profile is used.

To determine the active profile, click the Monitoring node in the Windows Firewall with Advanced Security snap-in. The text above Firewall State shows which profile is active; for example, when the domain profile is active the heading reads Domain Profile is Active.

Using profiles, Windows Firewall can automatically allow inbound traffic for the computer management tools while the computer is in the domain, and block that same traffic when the computer is connected to a public or private network. Detecting the network location type in this way protects the local network without reducing the security of mobile users.

Common problems with Windows Firewall with Advanced Security

The main problems that arise with Windows Firewall with Advanced Security are the following:

Traffic is blocked

If traffic is blocked, first check that the firewall is enabled and which profile is active. If a program is blocked, verify in the Windows Firewall with Advanced Security snap-in that an active allow rule exists for the program in the current profile. To check for the allow rule, double-click the Monitoring node and then select the Firewall section. If there is no active rule for the program, go to the Inbound Rules node and create a new rule for it. Create a rule for the program or service, or select a predefined rule group that covers the function, and make sure every rule in that group is enabled.

To check that an allow rule is not overridden by a block rule, do the following:

    In the Windows Firewall with Advanced Security snap-in tree, click the Monitoring node and then select the Firewall section.

    Review the list of currently active local and Group Policy rules. Block rules override allow rules even when the allow rule is more specific.
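The following PowerShell script is an added example and is not part of the original article. It performs the checks just described without the snap-in: which profiles are active, whether the firewall is on for them, and every enabled inbound rule that applies to a given program, so that a block rule overriding an allow rule, or a rule that comes from Group Policy and cannot be changed locally, is visible at once. It assumes the NetSecurity module (Windows 8 / Windows Server 2012 and later); on Windows Vista the same information comes from netsh advfirewall show currentprofile and netsh advfirewall firewall show rule name=all verbose. The program path in the usage line is an assumption.

```powershell
# Added example, not from the original article. Requires the NetSecurity
# module (Windows 8 / Server 2012 or later) and an elevated prompt.

function Get-ActiveProfileName {
    # A profile is active when at least one network connection is assigned
    # to it. Get-NetConnectionProfile reports DomainAuthenticated, Private or
    # Public; the firewall profile names are Domain, Private and Public.
    Get-NetConnectionProfile |
        ForEach-Object {
            if ($_.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' } else { [string]$_.NetworkCategory }
        } |
        Sort-Object -Unique
}

function Get-ActiveProfileState {
    # Firewall on/off and default actions for each active profile
    # (the "Firewall State" text of the Monitoring node).
    $active = @(Get-ActiveProfileName)
    Get-NetFirewallProfile -PolicyStore ActiveStore |
        Where-Object { $active -contains $_.Name } |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Get-RuleForProgram {
    param(
        [Parameter(Mandatory)][string]$ProgramPath,
        [ValidateSet('Inbound','Outbound')][string]$Direction = 'Inbound'
    )
    $active = @(Get-ActiveProfileName)
    # Rules store paths with environment variables (%SystemRoot%\...), so
    # expand both sides before comparing.
    $wanted = [Environment]::ExpandEnvironmentVariables($ProgramPath)

    Get-NetFirewallRule -PolicyStore ActiveStore -Direction $Direction -Enabled True |
        Where-Object {
            # Keep rules that apply to 'Any' profile or to an active one.
            $rp = [string]$_.Profile
            $rp -eq 'Any' -or @(($rp -split ',\s*') | Where-Object { $active -contains $_ }).Count -gt 0
        } |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $prog = [Environment]::ExpandEnvironmentVariables([string]$app.Program)
            # 'Any' means the rule is not scoped to a program and still matches it.
            if ($app.Program -eq 'Any' -or $prog -ieq $wanted) {
                [pscustomobject]@{
                    Name    = $rule.DisplayName
                    Action  = $rule.Action
                    Profile = $rule.Profile
                    Program = $app.Program
                    Source  = $rule.PolicyStoreSourceType   # Local or GroupPolicy
                }
            }
        }
}

# Usage (assumed program path). A Block rule in this list wins over any
# Allow rule for the same traffic, and a GroupPolicy source cannot be
# edited locally.
Get-ActiveProfileState | Format-Table -AutoSize
Get-RuleForProgram -ProgramPath 'C:\Program Files\Example\server.exe' |
    Sort-Object Action | Format-Table -AutoSize
```

Rules whose Program column reads Any are included deliberately: a block rule that is not scoped to a program still drops the program's traffic, and that is the case the snap-in makes hardest to spot.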

Group Policy overrides local rules

If Windows Firewall with Advanced Security is configured through Group Policy, the administrator can specify whether firewall rules or connection security rules created by local administrators are applied. This is the likely cause when local firewall rules or connection security rules have been created but do not appear in the Monitoring section.

To find out why local firewall rules or connection security rules are missing from the Monitoring section, do the following:

    In the Windows Firewall with Advanced Security snap-in, click the Windows Firewall Properties link.

    Select the tab of the active profile.

    In the Settings section, click Customize.

    If local rules are applied, the Rule merging section shows them as enabled.

Rules that require secure connections can block traffic

When you create an inbound or outbound firewall rule, one of the options is Allow only secure connections. If this option is selected, a connection security rule or a separate IPsec policy must also exist that specifies which traffic is to be protected. Otherwise all traffic matching the rule is blocked.

To check whether one or more rules for the program require secure connections, do the following:

    In the Windows Firewall with Advanced Security snap-in tree, click Inbound Rules. Select the rule to inspect and click Properties in the console action pane.

    On the General tab, check whether Allow only secure connections is selected.

    If the rule has Allow only secure connections set, expand the Monitoring node in the tree and select the Connection Security Rules section. Verify that connection security rules exist for the traffic described in the firewall rule.

    Warning:

    If an active IPsec policy is present, verify that it protects the traffic you need. Do not create connection security rules as well, to avoid conflicts between the IPsec policy and the connection security rules.

Unable to allow outbound connections

    In the Windows Firewall with Advanced Security snap-in tree, select Monitoring. Select the tab of the active profile and, in the Firewall State section, check that outbound connections that do not match a rule are allowed.

    In the Monitoring section, select Firewall to verify that the required outbound connections are not listed in block rules.

Policies defined in several places can block traffic

Firewall and IPsec settings can be configured through several Windows interfaces.

Creating policies in several places can lead to conflicts and to blocked traffic. The following configuration points exist:

    Windows Firewall with Advanced Security. This policy is set with the snap-in of the same name, locally or as part of a Group Policy object. It defines the firewall and IPsec settings of computers running Windows Vista.

    Windows Firewall administrative template. This policy is set with the Group Policy Object Editor under Administrative Templates. It is the interface for the Windows Firewall settings that existed before Windows Vista, and it is intended for Group Policy objects that manage earlier versions of Windows. For computers running Windows Vista, prefer the Windows Firewall with Advanced Security policy, because it offers more flexibility and security. Note that if the domain profile is configured both through the Windows Firewall administrative template and through the Windows Firewall with Advanced Security policy, the settings made in the domain profile of Windows Firewall with Advanced Security are used.

    IPsec policies. This policy is set with the local IP Security Policy Management snap-in or with the Group Policy Object Editor under Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Computer. It defines IPsec settings that can be applied both to earlier versions of Windows and to Windows Vista. Do not apply this policy and the connection security rules defined in the Windows Firewall with Advanced Security policy to the same computer at the same time.

To review all of these settings in their respective snap-ins, create a custom console and add the Windows Firewall with Advanced Security and IP Security Monitor snap-ins to it.

To create a custom console, follow these steps:

    Click Start, point to All Programs, then Accessories, and choose Run.

    In the Open box, type mmc and press ENTER.

    If the User Account Control dialog box appears, confirm the requested action and click Continue.

    On the File menu, select Add/Remove Snap-in.

    In the Available snap-ins list, select Windows Firewall with Advanced Security and click Add.

    Click OK.

    Repeat steps 1 to 6 to add the Group Policy Management and IP Security Monitor snap-ins.

To check which policies are in effect for the active profile, follow these steps:

    At the command prompt, type mmc and press ENTER.

    If the User Account Control dialog box appears, confirm the requested action and click Continue.

    On the File menu, select Add/Remove Snap-in.

    In the Available snap-ins list, select Group Policy Management and click Add.

    Click OK.

    Expand the node in the tree (usually the forest that contains the computer) and double-click Group Policy Results in the console pane.

    Choose Display policy settings for either the current user or another user. If you do not need the user policy settings but only the computer policy settings, choose Do not display user policy settings (display computer policy settings only) and click Next twice.

    Click Finish. The Group Policy Results wizard creates a report in the console pane. The report has the Summary, Settings and Policy Events tabs.

    To check for conflicting IP security policies, open the Settings tab after the report has been generated and browse to Computer Configuration\Windows Settings\Security Settings\IP Security Settings in Active Directory. If this section is empty, no IP security policy is assigned. Otherwise the name and description of the policy are shown, together with the Group Policy object it comes from. If an IP security policy and a Windows Firewall with Advanced Security policy containing connection security rules are applied at the same time, the two policies may conflict. It is recommended to use only one of them. The best solution is to use the IP security policy together with the inbound and outbound rules of Windows Firewall with Advanced Security. If settings are configured in several places and are not consistent with each other, hard-to-diagnose policy conflicts can result.

    Conflicts can also arise between policies defined in local Group Policy objects and scripts deployed by the IT department. Check all IP security policies with the IP Security Monitor snap-in or from the command line.

    To review the settings made in the Windows Firewall administrative template, open Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall.

    To review the most recent events related to the current policy, open the Policy Events tab in the same console.

    To view the Windows Firewall with Advanced Security policy, open the snap-in on the computer being diagnosed and review the settings in the Monitoring section.

To review the administrative templates, open the Group Policy Management snap-in, and in the Group Policy Results report look for settings applied by Group Policy that can lead to traffic being blocked.

To review the IP security policy, open the IP Security Monitor snap-in. In the tree, select Local Computer. In the console pane, select Active Policy, Main Mode or Quick Mode. Check for competing policies that can lead to traffic being blocked.

In the Monitoring section of the Windows Firewall with Advanced Security snap-in you can review rules from both local and Group Policy. For more information see the section "Using the monitoring function in the Windows Firewall with Advanced Security snap-in" of this document.
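As an added example (not part of the original article), the PowerShell script below gathers the three policy sources discussed in this section into one report: the rule-merging settings and the origin of every effective firewall rule, the legacy Windows Firewall administrative template values, and whether a legacy IPsec policy is assigned; it finishes by generating the computer-scope Resultant Set of Policy report that the Group Policy Results wizard produces. The NetSecurity cmdlets assume Windows 8 / Server 2012 or later; the netsh ipsec command, the gpresult command and the registry path HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall (where the administrative template writes its values) also apply to Windows Vista. The registry location and the report path are assumptions stated in the comments.

```powershell
# Added example, not from the original article. NetSecurity cmdlets need
# Windows 8 / Server 2012 or later; netsh ipsec, gpresult and the registry
# check also work on Windows Vista. Run from an elevated prompt.

function Get-FirewallPolicySource {
    # 1. Windows Firewall with Advanced Security policy: are local rules
    #    merged with Group Policy rules, and where do the effective rules
    #    come from (Local vs GroupPolicy)?
    $merge = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object Name, Enabled, AllowLocalFirewallRules, AllowLocalIPsecRules
    $bySource = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True |
        Group-Object PolicyStoreSourceType |
        Select-Object @{n='Source'; e={ $_.Name }}, Count

    # 2. Legacy "Windows Firewall" administrative template (pre-Vista
    #    settings). Assumed location: Group Policy writes these values under
    #    HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<profile>.
    $legacyFw = foreach ($p in 'DomainProfile', 'StandardProfile') {
        $key = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$p"
        if (Test-Path $key) {
            [pscustomobject]@{ Profile = $p; Settings = (Get-ItemProperty $key | Out-String).Trim() }
        }
    }

    # 3. Legacy IPsec policy (IP Security Policies snap-in). A policy shown as
    #    "Assigned: YES" conflicts with connection security rules.
    $assigned = @(& netsh ipsec static show policy all 2>$null |
        Where-Object { $_ -match '^\s*Assigned\s*:\s*YES' })

    [pscustomobject]@{
        RuleMerging         = $merge
        RulesBySource       = $bySource
        LegacyTemplate      = $legacyFw
        LegacyIPsecAssigned = ($assigned.Count -gt 0)
    }
}

$r = Get-FirewallPolicySource
$r.RuleMerging   | Format-Table -AutoSize
$r.RulesBySource | Format-Table -AutoSize
if ($r.LegacyTemplate) { $r.LegacyTemplate | Format-List }
if ($r.LegacyIPsecAssigned) {
    Write-Warning 'A legacy IPsec policy is assigned; do not combine it with connection security rules.'
}

# Computer-scope Resultant Set of Policy report, the command-line equivalent
# of the Group Policy Results wizard (report path is an assumption).
$report = Join-Path $env:TEMP 'rsop-computer.html'
& gpresult /scope computer /h $report /f
Start-Process $report
```

Read RuleMerging first: when AllowLocalFirewallRules is False for the active profile, every local rule is ignored regardless of what the Inbound Rules node shows, which is exactly the symptom described under "Group Policy overrides local rules".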

To stop the IPsec Policy Agent service, follow these steps:

    Click Start and choose Control Panel.

    Click System and Maintenance, then Administrative Tools.

    Double-click Services. If the User Account Control dialog box appears, confirm the requested action and click Continue.

    In the list, find the IPsec Policy Agent service.

    If the IPsec Policy Agent service is running, right-click it and choose Stop. You can also stop the service from the command prompt with the command net stop policyagent.

Peer IPsec policy can cause traffic to be dropped

For a connection that uses IPsec, both computers must have compatible IP security policies. These policies can be defined with the connection security rules of Windows Firewall with Advanced Security, with the IP Security Policy snap-in, or with another IPsec provider.

To check the IP security policy settings on both peers, follow these steps:

    In the Windows Firewall with Advanced Security snap-in, select the Monitoring node and then Connection Security Rules to verify that an IP security policy is in effect on both peers.

    If one of the computers in the peer-to-peer connection runs a version of Windows earlier than Windows Vista, make sure that at least one of the Main Mode cipher suites and one of the Quick Mode cipher suites use encryption and integrity algorithms supported by both peers.

    1. Click the Main Mode section, select the connection to examine in the console pane, and then click Properties in the action pane. Compare the connection properties on both peers to make sure they are compatible.

    2. Repeat step 1 for the Quick Mode section. Compare the connection properties on both peers to make sure they are compatible.

    If Kerberos version 5 authentication is used, verify that the peer is in the same or a trusted domain.

    If certificates are used, verify that the required certificate usage flags are set. Certificates used for Internet Key Exchange (IKE) require a digital signature. Certificates used for Authenticated IP (AuthIP) require client authentication (depending on the server authentication type). For more information about AuthIP certificates, see the article AuthIP in Windows Vista on the Microsoft website.
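The following PowerShell script is an added example, not part of the original article, covering both the section "Rules that require secure connections can block traffic" and this one: it lists the enabled inbound allow rules that have Allow only secure connections set, the enabled connection security rules with the authentication and cryptographic sets they reference, and the main mode security associations that have actually been negotiated with peers. A rule requiring secure connections with no connection security rule behind it, or a connection security rule with no negotiated SA while traffic is flowing, is the misconfiguration this section describes. The cmdlets assume the NetSecurity module (Windows 8 / Server 2012 and later); on Windows Vista the equivalent data is in the Monitoring node and in netsh advfirewall monitor show mmsa.

```powershell
# Added example, not from the original article. NetSecurity module
# (Windows 8 / Server 2012 or later), elevated prompt.

function Get-RuleRequiringSecureConnection {
    # Inbound allow rules whose "Allow only secure connections" option is set.
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $sec = $_ | Get-NetFirewallSecurityFilter
            if ($sec.Authentication -ne 'NotRequired') {
                [pscustomobject]@{
                    Name           = $_.DisplayName
                    Authentication = $sec.Authentication   # Required or NoEncap
                    Encryption     = $sec.Encryption       # NotRequired, Required or Dynamic
                    Source         = $_.PolicyStoreSourceType
                }
            }
        }
}

function Get-ConnectionSecurityRuleSummary {
    # Enabled connection security rules and the auth/crypto sets they use.
    # Both peers must reference sets with at least one suite in common.
    Get-NetIPsecRule -PolicyStore ActiveStore -Enabled True | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.DisplayName
            Mode        = $_.Mode              # Transport or Tunnel
            InboundSec  = $_.InboundSecurity   # None, Request, Require
            OutboundSec = $_.OutboundSecurity
            Phase1Auth  = $_.Phase1AuthSet
            Phase2Auth  = $_.Phase2AuthSet
            QuickCrypto = $_.QuickModeCryptoSet
        }
    }
}

function Get-NegotiatedMainModeSA {
    # Main mode (IKE / AuthIP) SAs currently established. An empty list while
    # protected traffic is expected means phase 1 negotiation is failing
    # (incompatible suites, untrusted domain, wrong certificate usage).
    Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint,
        LocalFirstId, RemoteFirstId, CipherAlgorithm, HashAlgorithm, GroupId
}

$secured = @(Get-RuleRequiringSecureConnection)
$csr     = @(Get-ConnectionSecurityRuleSummary)
if ($secured.Count -gt 0 -and $csr.Count -eq 0) {
    Write-Warning ("{0} rule(s) require secure connections but no connection security rule is enabled; matching traffic is dropped." -f $secured.Count)
}
$secured | Format-Table -AutoSize
$csr     | Format-Table -AutoSize
Get-NegotiatedMainModeSA | Format-Table -AutoSize
```

Run the script on both peers and compare the Phase1Auth, Phase2Auth and QuickCrypto columns; the names differ per machine, but the suites inside them (viewed with Get-NetIPsecMainModeCryptoSet and Get-NetIPsecQuickModeCryptoSet) are what has to overlap.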

Unable to configure Windows Firewall with Advanced Security

Windows Firewall with Advanced Security settings are unavailable (dimmed) in the following cases:

    The computer is connected to a centrally managed network, and the network administrator uses Group Policy to configure Windows Firewall with Advanced Security. In this case the top of the Windows Firewall with Advanced Security snap-in shows "Some settings are controlled by Group Policy". Your administrator has configured a policy that prevents you from changing the Windows Firewall settings.

    The computer running Windows Vista is not connected to a centrally managed network, but the Windows Firewall settings are controlled by local Group Policy.

To change Windows Firewall with Advanced Security settings through local Group Policy, use the Local Computer Policy snap-in. To open it, type secpol.msc at the command prompt. If the User Account Control dialog box appears, confirm the requested action and click Continue. Browse to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security to configure the Windows Firewall with Advanced Security policy settings.

The computer does not respond to ping requests

The basic way to test connectivity between computers is the Ping utility, which tests the connection to a given IP address. Ping sends an ICMP Echo message (also called an ICMP echo request) and expects an ICMP Echo Reply in return. By default, Windows Firewall blocks inbound ICMP echo requests, so the computer cannot send an ICMP echo reply.

Allowing inbound ICMP echo requests lets other computers ping your computer. On the other hand, it exposes the computer to ICMP-based attacks such as ICMP floods. It is therefore recommended to allow ICMP echo requests only temporarily when they are needed, and to disable them again afterwards.

To allow ping, create new inbound rules that allow ICMPv4 and ICMPv6 echo request packets.

To allow ICMPv4 and ICMPv6 echo requests, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, select the Inbound Rules node and click New Rule in the action pane.

    Select Custom and click Next.

    Select All programs and click Next.

    In the Protocol type list, select ICMPv4.

    Click Customize next to Specific ICMP types.

    Select Specific ICMP types, check Echo Request, click OK and then click Next.

    On the local and remote IP address page, select Any IP address or These IP addresses. If you select These IP addresses, enter the required IP addresses, click Add and then click Next.

    Select Allow the connection and click Next.

    On the profile page, select one or more profiles (domain, private or public) in which the rule should apply, then click Next.

    In the Name box, enter a name for the rule and, optionally, a description in the Description box. Click Finish.

    Repeat the procedure for ICMPv6, choosing ICMPv6 instead of ICMPv4 in the Protocol type list.

If connection security rules are active, you can additionally exclude ICMP from IPsec to help with troubleshooting. To do so, open the Properties dialog box of the Windows Firewall with Advanced Security snap-in, go to the IPsec Settings tab and set Exempt ICMP from IPsec to Yes.
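The following PowerShell script is an added example and is not part of the original article. It creates the two echo-request rules from the procedure above in one step, scoped by default to the local subnet and to the domain and private profiles rather than to any address and any profile, provides the matching disable function for when diagnosis is finished, and toggles the Exempt ICMP from IPsec setting while preserving any other exemptions already configured. It assumes the NetSecurity module (Windows 8 / Server 2012 and later); the netsh advfirewall commands in the comments are the Windows Vista equivalents. The rule names are assumptions.

```powershell
# Added example, not from the original article. NetSecurity cmdlets need
# Windows 8 / Server 2012 or later; the netsh lines in comments are the
# Windows Vista equivalents. Run from an elevated prompt.

function Enable-PingResponse {
    param(
        # Who may ping us. LocalSubnet is a safer default than Any (assumed).
        [string[]]$RemoteAddress = @('LocalSubnet'),
        # Never in the Public profile unless explicitly asked for.
        [string[]]$Profile = @('Domain', 'Private')
    )
    # ICMPv4 type 8 and ICMPv6 type 128 are the echo request messages.
    $rules = @(
        @{ Name = 'Diag-ICMPv4-Echo'; Protocol = 'ICMPv4'; IcmpType = 8   },
        @{ Name = 'Diag-ICMPv6-Echo'; Protocol = 'ICMPv6'; IcmpType = 128 }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -Name $r.Name -ErrorAction SilentlyContinue) {
            Enable-NetFirewallRule -Name $r.Name      # rule exists from an earlier run
        } else {
            New-NetFirewallRule -Name $r.Name -DisplayName $r.Name `
                -Direction Inbound -Action Allow -Protocol $r.Protocol `
                -IcmpType $r.IcmpType -RemoteAddress $RemoteAddress `
                -Profile $Profile | Out-Null
        }
    }
    # Vista equivalent:
    #   netsh advfirewall firewall add rule name="Diag-ICMPv4-Echo" dir=in
    #        action=allow protocol=icmpv4:8,any remoteip=localsubnet profile=domain,private
}

function Disable-PingResponse {
    # Turn the diagnostic rules off again once the connectivity test is done.
    Disable-NetFirewallRule -Name 'Diag-ICMPv4-Echo', 'Diag-ICMPv6-Echo' -ErrorAction SilentlyContinue
}

function Set-IcmpIPsecExemption {
    param([Parameter(Mandatory)][bool]$Exempt)
    # "Exempt ICMP from IPsec" on the IPsec Settings tab. Set-NetFirewallSetting
    # replaces the whole exemption set, so keep whatever else is already there.
    $current = @(([string](Get-NetFirewallSetting).Exemptions) -split ',\s*' |
        Where-Object { $_ -ne 'None' -and $_ -ne 'Icmp' -and $_ -ne '' })
    $new = if ($Exempt) { $current + 'Icmp' } else { $current }
    if ($new.Count -eq 0) { $new = @('None') }
    Set-NetFirewallSetting -Exemptions $new
    # Vista equivalent: netsh advfirewall set global ipsec defaultexemptions icmp
}

# Usage: open ping for the test, run it from another host, then close it.
Enable-PingResponse
Set-IcmpIPsecExemption -Exempt $true
Get-NetFirewallRule -Name 'Diag-ICMP*' | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
# ... ping this computer from the peer ...
Disable-PingResponse
Set-IcmpIPsecExemption -Exempt $false
```

Restricting RemoteAddress and Profile is what makes leaving the rules in place tolerable; a rule created through the wizard with Any IP address and all three profiles is the one the warning above is about.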

Note

Windows Firewall settings can be changed only by members of the Administrators and Network Configuration Operators groups.

Unable to access shared files and printers

If shared files and printers on a computer with an active Windows Firewall cannot be accessed, make sure all rules of the File and Printer Sharing rule group are enabled. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node, select each rule of the File and Printer Sharing group, and click Enable Rule in the action pane.

Warning:

It is strongly recommended not to enable file and printer sharing on computers connected directly to the Internet: attackers may try to gain access to the shared files and damage your personal files.

Unable to administer Windows Firewall remotely

If a computer with an active Windows Firewall cannot be administered remotely, make sure all rules of the predefined Windows Firewall Remote Management group are enabled in the active profile. In the Windows Firewall with Advanced Security snap-in, select the Inbound Rules node and scroll the rule list to the Windows Firewall Remote Management group. Make sure the rules are enabled: select each rule and click Enable Rule in the action pane. Also make sure the IPsec Policy Agent service is running; remote administration of Windows Firewall requires it.

To verify that the IPsec Policy Agent service is running, do the following:

    Click Start and choose Control Panel.

    Click System and Maintenance, then Administrative Tools.

    Double-click Services.

    If the User Account Control dialog box appears, enter the credentials of an account with the required rights and click Continue.

    In the list, find the IPsec Policy Agent service and make sure its status is Started.

    If the IPsec Policy Agent service is stopped, right-click it and choose Start from the context menu. You can also start the service from the command prompt with the command net start policyagent.

Note

By default the IPsec Policy Agent service is started. The service should be running unless it has been stopped manually.

Troubleshooting tools for Windows Firewall

This section describes the tools used to troubleshoot typical problems. It consists of the following subsections:

Using the monitoring function in the Windows Firewall with Advanced Security snap-in

The first step in troubleshooting Windows Firewall is to review the current rules. The Monitoring function shows the rules that come from both local and Group Policy. To review the current inbound and outbound rules, select Monitoring in the Windows Firewall with Advanced Security snap-in tree and then select the Firewall section. You can also view the current connection security rules and the security associations (Main Mode and Quick Mode).

Enabling and using security auditing with the auditpol command-line tool

By default the audit settings are disabled. To enable them, use the auditpol.exe command-line tool to change the audit policy on the local computer. Auditpol can enable or disable the individual audit categories and subcategories, whose events can then be reviewed in Event Viewer.

    To list the categories supported by auditpol, type at the command prompt:

    auditpol.exe /list /category

    To list the subcategories of a category (for example, the Policy Change category), type at the command prompt:

    auditpol.exe /list /subcategory:"Policy Change"

    To change the setting of a subcategory, type at the command prompt:

    auditpol.exe /set /subcategory:"Subcategory Name" /success:enable /failure:enable

For example, to enable success and failure auditing for the MPSSVC rule-level policy change subcategory of the Policy Change category, type:

auditpol.exe /set /category:"Policy Change" /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

The categories and subcategories relevant to Windows Firewall are the following:

Policy Change

    MPSSVC Rule-Level Policy Change

    Filtering Platform Policy Change

Logon/Logoff

    IPsec Main Mode

    IPsec Quick Mode

    IPsec Extended Mode

System

    IPsec Driver

    Other System Events

Object Access

    Filtering Platform Packet Drop

    Filtering Platform Connection

Changes made with auditpol /set take effect immediately. An audit policy set through Group Policy is applied at the next restart or policy refresh. To force a policy refresh, type at the command prompt:

gpupdate /force

(The secedit /refreshpolicy command of Windows 2000 is no longer available in Windows Vista.)

After the diagnostics are complete, you can disable the auditing of these events by replacing enable with disable in the commands above and running them again.

Reviewing security audit events in Event Viewer

After auditing is enabled, use Event Viewer to review the audit events in the Security log.

To open Event Viewer from Administrative Tools, do the following:

    Click Start.

    Choose Control Panel. Click System and Maintenance, then Administrative Tools.

    Double-click Event Viewer.

To add the Event Viewer snap-in to an MMC console, follow these steps:

    Click Start, point to All Programs, then Accessories, and choose Run.

    In the Open box, type mmc and press ENTER.

    If the User Account Control dialog box appears, confirm the requested action and click Continue.

    On the File menu, select Add/Remove Snap-in.

    In the Available snap-ins list, select Event Viewer and click Add.

    Click OK.

    Before closing the snap-in, save the console for later use.

In the Event Viewer snap-in, expand Windows Logs and select the Security node. The console pane shows the security audit events. All events are listed in the upper part of the pane; click an event to display its details in the lower part. The General tab shows a plain-text description of the event. The Details tab offers two views: Friendly View and XML View.
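The following PowerShell script is an added example, not part of the original article, and serves both the auditpol section and this one: it enables (and later disables) exactly the subcategories listed above, reads back their current settings, and pulls the resulting Filtering Platform drop events (IDs 5152 and 5157) out of the Security log with their source, destination and the numeric filter ID of the rule that dropped the packet, which is what the XML View shows one event at a time. It assumes an English-locale system (auditpol subcategory names are localized) and an elevated prompt; the event field names are those of the standard 5152/5157 events.

```powershell
# Added example, not from the original article. Subcategory names are the
# English-locale names; on a localized system use the subcategory GUIDs
# shown by "auditpol /list /subcategory:* /v". Run from an elevated prompt.

$FirewallAuditSubcategories = @(
    'MPSSVC Rule-Level Policy Change',  'Filtering Platform Policy Change',   # Policy Change
    'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode',             # Logon/Logoff
    'IPsec Driver', 'Other System Events',                                    # System
    'Filtering Platform Packet Drop', 'Filtering Platform Connection'         # Object Access
)

function Set-FirewallAudit {
    param([Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$State)
    foreach ($sub in $FirewallAuditSubcategories) {
        # /subcategory alone is sufficient; the change is effective immediately.
        & auditpol.exe /set /subcategory:"$sub" /success:$State /failure:$State | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub'" }
    }
}

function Get-FirewallAudit {
    # Current setting per subcategory, parsed from "auditpol /get" output,
    # whose last column (after two or more spaces) is the setting.
    foreach ($sub in $FirewallAuditSubcategories) {
        $line = & auditpol.exe /get /subcategory:"$sub" |
            Where-Object { $_ -match [regex]::Escape($sub) } | Select-Object -First 1
        [pscustomobject]@{
            Subcategory = $sub
            Setting     = if ($line) { ($line -split '\s{2,}')[-1] } else { '?' }
        }
    }
}

function Get-FirewallDropEvent {
    param([int]$Last = 25)
    # 5152 = WFP blocked a packet, 5157 = WFP blocked a connection
    # (5031, not parsed here, is "firewall blocked an application from
    # accepting inbound connections" and has a different field set).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Id          = $_.Id
                Application = $d['Application']
                Direction   = if ($d['Direction'] -eq '%%14592') { 'Inbound' } else { 'Outbound' }
                Source      = "$($d['SourceAddress']):$($d['SourcePort'])"
                Destination = "$($d['DestAddress']):$($d['DestPort'])"
                Protocol    = $d['Protocol']        # IANA number: 6 TCP, 17 UDP, 1 ICMP
                FilterId    = $d['FilterRTID']      # look up with: netsh wfp show filters
            }
        }
}

# Usage: enable, reproduce the problem, read the drops, disable again.
Set-FirewallAudit -State enable
Get-FirewallAudit | Format-Table -AutoSize
# ... reproduce the blocked connection ...
Get-FirewallDropEvent -Last 25 | Format-Table -AutoSize
Set-FirewallAudit -State disable
```

The FilterId column is the part worth keeping: the filter runtime ID in a 5152/5157 event identifies the specific Filtering Platform filter that dropped the packet, and netsh wfp show filters writes an XML file in which that ID can be searched for to see which firewall rule (or default block) it belongs to.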

Configuring the firewall log for a profile

Before you can review the firewall log, Windows Firewall with Advanced Security must be configured to write log files.

To configure the log for a Windows Firewall with Advanced Security profile, follow these steps:

    In the Windows Firewall with Advanced Security snap-in tree, select the Windows Firewall with Advanced Security node and click Properties in the action pane.

    Select the tab of the profile to configure (domain, private or public) and click Customize in the Logging section.

    Enter the name and location of the log file.

    Specify the maximum size of the log file (from 1 to 32,767 kilobytes).

    In the Log dropped packets list, select Yes.

    In the Log successful connections list, select Yes, and then click OK.

Viewing the firewall log file

Open the file you specified in the procedure "Configuring the firewall log for a profile". Local administrator rights are required to access the firewall log.

You can view the log file with Notepad or any other text editor.

Analyzing the firewall log file

The information recorded in the log is described in the following table. Some fields are filled only for particular protocols (for example, the TCP flags and the ICMP type and code), and some only for particular actions or directions; a field that does not apply contains a hyphen.

Field: Description

Date: The year, month and day on which the event was recorded, in the format YYYY-MM-DD.

Time: The hour, minute and second at which the event was recorded, in the format HH:MM:SS, with the hour in 24-hour format.

Action: The action performed by the firewall. Possible values are OPEN, CLOSE, DROP and INFO-EVENTS-LOST. INFO-EVENTS-LOST means that events occurred but were not recorded in the log.

Protocol: The protocol used for the connection. For packets that do not use TCP, UDP or ICMP this field can contain the protocol number.

Source IP: The IP address of the sending computer.

Destination IP: The IP address of the receiving computer.

Source port: The port number of the sending computer, an integer from 1 to 65535. A valid source port is shown only for TCP and UDP; for other protocols the field contains "-".

Destination port: The port number of the receiving computer, an integer from 1 to 65535. A valid destination port is shown only for TCP and UDP; for other protocols the field contains "-".

Size: The size of the packet in bytes.

TCP flags: The TCP control flags found in the TCP header:

    Ack. Acknowledgment field significant

    Fin. No more data from sender

    Psh. Push function

    Rst. Reset the connection

    Syn. Synchronize sequence numbers

    Urg. Urgent Pointer field significant

Each flag is written as the first capital letter of its name; for example, Fin is written as F.

TCP sequence number: The TCP sequence number of the packet.

TCP acknowledgment number: The TCP acknowledgment number of the packet.

TCP window size: The TCP window size of the packet in bytes.

ICMP type: A number representing the Type field of the ICMP message.

ICMP code: A number representing the Code field of the ICMP message.

Info: Information that depends on the action. For example, for INFO-EVENTS-LOST this field gives the number of events that occurred but were not recorded in the log since the previous occurrence of this event type.

Note

A hyphen (-) is used in fields of the current record that contain no information.
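As an added example (not part of the original article), the PowerShell script below serves both the logging sections: it enables dropped-packet and successful-connection logging for all three profiles with the limits from the procedure above, parses pfirewall.log using the column names declared in the file's own #Fields header rather than a hard-coded list, treats "-" as a missing value as the note above specifies, and summarizes inbound drops by protocol and destination port, which is usually the first question ("which rule is missing?"). The sample log lines are constructed for the example; the parser accepts the real file via Get-Content. Enabling logging assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated prompt; on Windows Vista use netsh advfirewall set allprofiles logging droppedconnections enable. The parser itself runs on any Windows with PowerShell 3 or later.

```powershell
# Added example, not from the original article. Enabling logging needs the
# NetSecurity module (Windows 8 / Server 2012 or later) and elevation; the
# parser works on pfirewall.log files from Windows Vista onward.

function Enable-FirewallLogging {
    param(
        # Default log location; the path must be writable by the firewall service.
        [string]$Path = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log',
        [ValidateRange(1, 32767)][int]$MaxSizeKB = 4096
    )
    Set-NetFirewallProfile -Profile Domain, Private, Public `
        -LogFileName $Path -LogMaxSizeKilobytes $MaxSizeKB `
        -LogBlocked True -LogAllowed True
}

function Read-FirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names are declared by the log itself; do not hard-code them.
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '') { continue }
        if (-not $fields) { throw 'No #Fields header before the first record' }
        $values = $line.Trim() -split '\s+'
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            # "-" means the field does not apply to this protocol or action.
            $rec[$fields[$i]] = if ($i -lt $values.Count -and $values[$i] -ne '-') { $values[$i] } else { $null }
        }
        [pscustomobject]$rec
    }
}

function Get-DropSummary {
    param([Parameter(Mandatory)]$Records)
    # Inbound drops grouped by protocol and destination port, with the
    # distinct sources that hit each one.
    $Records | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object @{n='Proto/Port'; e={ $_.Name }}, Count,
                      @{n='Sources';    e={ ($_.Group.'src-ip' | Sort-Object -Unique) -join ',' }}
}

# Constructed sample log (the header lines are the ones a real file carries).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-03-01 10:15:22 DROP TCP 203.0.113.5 192.0.2.10 51432 445 52 S 3245678901 0 8192 - - - RECEIVE
2024-03-01 10:15:23 DROP TCP 203.0.113.5 192.0.2.10 51433 3389 52 S 3245678950 0 8192 - - - RECEIVE
2024-03-01 10:15:24 DROP ICMP 198.51.100.7 192.0.2.10 - - 60 - - - - 8 0 - RECEIVE
2024-03-01 10:15:25 ALLOW TCP 192.0.2.10 192.0.2.20 49200 80 0 - 0 0 0 - - - SEND
2024-03-01 10:15:26 DROP TCP 198.51.100.9 192.0.2.10 40001 445 52 S 99887766 0 65535 - - - RECEIVE
2024-03-01 10:15:27 INFO-EVENTS-LOST - - - - - - - - - - - - 12 -
'@ -split "`r?`n"

$records = Read-FirewallLog -Lines $sample
Get-DropSummary -Records $records | Format-Table -AutoSize
# Lost events mean the log could not keep up; raise MaxSizeKB or narrow logging.
$records | Where-Object { $_.action -eq 'INFO-EVENTS-LOST' } | Select-Object date, time, info
```

For a real file replace the constructed lines with Read-FirewallLog -Lines (Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log'). The expected summary for the sample is TCP 445 dropped twice from two sources, and TCP 3389 and ICMP once each; the ALLOW record is outbound and is excluded.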

Creating text files with netstat and tasklist

You can create two text files for diagnosis: one with the network statistics (a list of all ports the computer is listening on) and one with the list of running services and applications. The task list contains the process identifier (PID) of each process, which also appears in the network statistics file, so the two can be matched. The procedure for creating both files is given below.

To create the text files with the network statistics and the list of running processes:

    At the command prompt, type netstat -ano > netstat.txt and press ENTER.

    At the command prompt, type tasklist > tasklist.txt and press ENTER. If you also want a text file listing the services hosted by each process, type tasklist /svc > tasklist.txt instead.

    Open tasklist.txt and netstat.txt.

    Find the process identifier of the process you are diagnosing in tasklist.txt and match it against the PID column in netstat.txt. Note which protocols and ports that process uses.

Example of the Tasklist.txt and Netstat.txt files

netstat.txt
Proto  Local Address    Foreign Address  State      PID
TCP    0.0.0.0:XXX      0.0.0.0:0        LISTENING  122
TCP    0.0.0.0:XXXXX    0.0.0.0:0        LISTENING  322

Tasklist.txt
Image Name            PID       Session Name      Session#    Mem Usage
==================== ======== ================ =========== ============
svchost.exe           122       Services          0           7.172 K
XzzRpc.exe            322       Services          0           5.104 K

Note

In the example, the real address and port values have been replaced with X, and the name of the RPC service with z.
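To do the matching step of the procedure above without eyeballing two files, here is an added C example (not from the article) that joins the two outputs by PID. It reads constructed netstat -ano and tasklist /svc lines (the column layout is the one those commands print; the process names, PIDs and service names are made up), finds the process bound to a given local port, and reports its image name and hosted services. It handles the two traps of the raw output: UDP lines have no State column, and TCP lines that are not LISTENING (outbound ESTABLISHED connections) must not be mistaken for listeners.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of the port -> PID -> process lookup. */
struct listener {
    char proto[8];        /* TCP or UDP */
    int pid;
    char image[64];       /* tasklist: Image Name */
    char services[128];   /* tasklist /svc: Services column */
};

static void copy_str(char *dst, size_t cap, const char *src)
{
    snprintf(dst, cap, "%s", src);
}

/* Split a line on whitespace (modifies buf); returns the token count. */
static int split(char *buf, char **tok, int max)
{
    int n = 0;
    for (char *p = strtok(buf, " \t\r\n"); p && n < max; p = strtok(NULL, " \t\r\n"))
        tok[n++] = p;
    return n;
}

/* Port is whatever follows the last ':', so "0.0.0.0:445" and "[::]:445" both work. */
static int local_port(const char *addr)
{
    const char *colon = strrchr(addr, ':');
    return colon ? atoi(colon + 1) : -1;
}

/* Scan `netstat -ano` lines for a socket bound to `port`. A TCP line has five
 * columns and counts only in state LISTENING; a UDP line has four (no State).
 * Returns the PID, or -1 if nothing is bound to that port. */
int netstat_listener_pid(const char *const *lines, int n, int port, char *proto, size_t protocap)
{
    char buf[256], *tok[8];
    for (int i = 0; i < n; i++) {
        int pid = -1;
        copy_str(buf, sizeof buf, lines[i]);
        int nt = split(buf, tok, 8);
        if (nt == 5 && strcmp(tok[0], "TCP") == 0 && strcmp(tok[3], "LISTENING") == 0)
            pid = atoi(tok[4]);
        else if (nt == 4 && strcmp(tok[0], "UDP") == 0)
            pid = atoi(tok[3]);
        if (pid < 0 || local_port(tok[1]) != port)
            continue;
        copy_str(proto, protocap, tok[0]);
        return pid;
    }
    return -1;
}

/* Find `pid` in `tasklist /svc` lines and copy the image name and service list.
 * Returns 0 when found, -1 otherwise. Header and separator lines are skipped. */
int tasklist_lookup(const char *const *lines, int n, int pid,
                    char *image, size_t imgcap, char *services, size_t svccap)
{
    char buf[256], *tok[32];
    for (int i = 0; i < n; i++) {
        if (lines[i][0] == '=')
            continue;
        copy_str(buf, sizeof buf, lines[i]);
        int nt = split(buf, tok, 32);
        if (nt < 3 || strcmp(tok[0], "Image") == 0 || atoi(tok[1]) != pid)
            continue;
        copy_str(image, imgcap, tok[0]);
        services[0] = '\0';
        for (int j = 2; j < nt; j++) {          /* re-join "RpcEptMapper, RpcSs" */
            size_t used = strlen(services);
            snprintf(services + used, svccap - used, "%s%s", j > 2 ? " " : "", tok[j]);
        }
        return 0;
    }
    return -1;
}

/* The procedure from the text: local port -> PID (netstat) -> image and services
 * (tasklist). Returns 0 if a listener was found, -1 otherwise. */
int find_listener(const char *const *ns, int nn, const char *const *tl, int ntl,
                  int port, struct listener *out)
{
    memset(out, 0, sizeof *out);
    out->pid = netstat_listener_pid(ns, nn, port, out->proto, sizeof out->proto);
    if (out->pid < 0)
        return -1;
    if (tasklist_lookup(tl, ntl, out->pid, out->image, sizeof out->image,
                        out->services, sizeof out->services) < 0)
        copy_str(out->image, sizeof out->image, "(pid not present in tasklist)");
    return 0;
}

/* Constructed sample output in the layout the two commands print (made-up data). */
static const char *const sample_netstat[] = {
    "  Proto  Local Address          Foreign Address        State           PID",
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       122",
    "  TCP    [::]:445               [::]:0                 LISTENING       4",
    "  TCP    192.0.2.10:49712       203.0.113.9:443        ESTABLISHED     3020",
    "  UDP    0.0.0.0:123            *:*                                    964",
};
static const char *const sample_tasklist[] = {
    "Image Name                     PID Services",
    "========================= ======== ============================================",
    "System                           4 N/A",
    "svchost.exe                    122 RpcEptMapper, RpcSs",
    "svchost.exe                    964 W32Time",
    "chrome.exe                    3020 N/A",
};
#define N_NETSTAT  ((int)(sizeof sample_netstat / sizeof sample_netstat[0]))
#define N_TASKLIST ((int)(sizeof sample_tasklist / sizeof sample_tasklist[0]))

int main(void)
{
    const int ports[] = { 135, 445, 123, 443 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        struct listener l;
        if (find_listener(sample_netstat, N_NETSTAT, sample_tasklist, N_TASKLIST, ports[i], &l) == 0)
            printf("port %d: %s pid %d %s [%s]\n", ports[i], l.proto, l.pid, l.image, l.services);
        else
            printf("port %d: nothing listening\n", ports[i]);
    }
    return 0;
}
```

When a listener is found but the PID is missing from tasklist.txt, the process exited between the two commands; take both snapshots again rather than guessing at the owner.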

Verify that the required services are running

Windows Firewall with Advanced Security depends on the following services being started:

    Base Filtering Engine

    Group Policy Client

    IKE and AuthIP IPsec Keying Modules

    IP Helper

    IPsec Policy Agent

    Network Location Awareness

    Network List Service

    Windows Firewall

To open the Services snap-in and verify that the required services are running:

    Click Start, then Control Panel.

    Click System and Maintenance, then Administrative Tools.

    Double-click Services.

    If the User Account Control dialog box appears, enter the credentials of an account with the required permissions and click Continue.

    Verify that the services listed above are started. If one or more of them is not running, right-click the service name in the list and click Start.

An additional troubleshooting method

As a last resort, you can restore the default Windows Firewall settings. Restoring the defaults discards every setting changed since Windows Vista was installed, which may cause some programs to stop working; and if you are administering the computer remotely, the connection to it will be dropped.

Before restoring the defaults, export the current firewall configuration so that it can be restored later if needed.

The steps to save the firewall configuration and to restore the default settings are given below.

To save the current firewall configuration:

    In the Windows Firewall with Advanced Security snap-in, click Export Policy in the console pane.

To restore the default firewall settings:

    In the Windows Firewall with Advanced Security snap-in, click Restore Defaults in the console pane.

    When Windows Firewall with Advanced Security asks for confirmation, click Yes to restore the default values.

Conclusion

This article has described methods for diagnosing and solving problems caused by Windows Firewall with Advanced Security, including:

    Using the Monitoring node to review the firewall rules, connection security rules and security associations in effect.

    Analysing the security audit events related to Windows Firewall.

    Creating tasklist and netstat text files for additional analysis.

The Windows firewall gives no cause for complaint. Changed little on the way from XP to Vista, it copes well enough with its simple tasks but has no ambition to become the best personal firewall. And although the Windows 7 firewall has gained a few new capabilities, it still has not received what it would take to earn that title.

Playing with a HomeGroup

During Windows 7 setup you are prompted to create a "home group". When other Windows 7 computers are detected on the network, they are invited to join the group as well; all they need for that is the group password. With only one Windows 7 computer I could not observe the process of other machines joining the group, but I have no complaints about it either. Any computer running Windows 7 can join a home group, but computers running Windows 7 Home Basic and Windows 7 Starter cannot create one.

Computers in the same home group can share (or, as it is also put, "share out") printers and specific file libraries. By default the Pictures, Music, Videos and Documents libraries are shared, but the user can restrict them as he sees fit. The operating system's Help explains how to exclude a file or folder from sharing, how to make it read-only, and how to restrict access to it.

On a home network the user can share content with other computers and devices, including computers not running Windows 7 and even devices that are not computers at all. Microsoft showed examples of sharing content with an Xbox 360. It does not, however, offer to connect a Wii: unfortunately, the Wii does not qualify as a streaming media device.

So how safe is home networking in Windows 7? Usually, users who fail to get shared files and folders working fix it by turning everything off, firewall and antivirus included. Now that sharing has been made simple, the connection can also be kept as secure as possible.

Just as Vista distinguished between Public and Private networks, Windows 7 distinguishes between Home and Work. The HomeGroup is available only when the Home network type is chosen. On a Work network your computer can still see and connect to other devices. On a Public network (for example, wireless in an Internet café), Windows 7 blocks access to your computer and from it to other devices, for your own safety. A small thing, but a welcome one.

A dual-mode firewall

In Vista and XP, managing the firewall came down to a simple on/off. Windows 7, by contrast, offers the user different configurations for private (home and work) and public networks. The user no longer has to go into the firewall settings to, say, work from a local café: select the public network type and the firewall applies the whole set of restrictive settings itself. Most likely users will configure the public network to block all inbound connections. In Vista this was impossible without also blocking all inbound traffic on the user's own network.

Some users do not understand why a firewall is needed at all. If there is UAC, isn't a firewall redundant? In fact the two have completely different purposes. UAC watches programs and what they do inside the local system. The firewall watches the data coming in and going out. If you picture the two as heroes standing back to back fighting off a zombie attack, you could say nothing gets past them.

At first I was intrigued by the new option "Notify me when Windows Firewall blocks a new program". Wasn't that a sign that Windows Firewall had gained control over programs and become a real two-way firewall? I was eager to enable it. In the end, Windows Firewall gained nothing beyond what it already had.

It has been ten years since ZoneLabs popularized the two-way personal firewall. Its ZoneAlarm program hid all of the computer's ports (which Windows Firewall also does) and additionally controlled programs' access to the Internet (which Windows Firewall does not). I am not asking for intelligent monitoring of program behaviour such as, for example, Norton Internet Security 2010 and other suites offer. But I hope that before Windows 8 ships, Microsoft at least gives its firewall the decade-old ZoneAlarm capabilities.

Microsoft is well aware that third-party firewalls and security suites simply switch Windows Firewall off when installed. In the past, many third-party security programs disabled Windows Firewall automatically to avoid conflicts. With Windows 7, Microsoft does this itself: when a third-party firewall is installed, the operating system turns off its own firewall and reports that "firewall settings are managed by such-and-such a program from such-and-such a vendor".

Whether you use it or not, Windows Firewall is present on every Windows 7 system and is tightly integrated with the operating system. So wouldn't it be better if third-party security products could use the Windows firewall for their own purposes? That idea is behind the programming interface called the Windows Filtering Platform. But will developers use it? That is the subject of the next part.

Windows 7 Security: the Windows Filtering Platform

Firewalls have to operate at a low level in Windows 7, which Microsoft decidedly dislikes. Microsoft technologies such as PatchGuard, present in the 64-bit versions of Windows 7 (64-bit Windows 7 has several security advantages over the 32-bit edition), keep intruders out and also protect the kernel from being tampered with. At the same time Microsoft does not provide the level of protection that third-party software does. What is to be done?

The answer is the Windows Filtering Platform (WFP). In Microsoft's words, it lets third-party firewalls be built on the core capabilities of Windows Firewall: they can add features of their own and selectively enable or disable parts of Windows Firewall. The result is a firewall of your own that is compatible with Windows Firewall.

But how is it in practice for the developers of security software? Will they use it? I asked a number of people and got a number of opinions.

BitDefender LLC

Product development manager Julian Costache said that the company is already using the platform in Windows 7. A bug was found on Microsoft's side, which the software giant has confirmed. Nevertheless, Julian does not know when it will be fixed. For the time being they have replaced the new WFP driver with the old TDI one.

Check Point Software Technologies Ltd

Mirka Janus, community communications manager at Check Point Software Technologies Ltd, said that the company started using WFP with Vista and uses the platform in Windows 7 as well. It is a good, supported interface, but a badly written program or an incompatible driver can be dangerous for a security product that relies on it. ZoneAlarm has always relied on two layers, the network layer and the packet layer. Starting with Vista, Microsoft promoted WFP as the supported way to filter network connections. Starting with Windows 7 SP1, Microsoft should introduce packet-level filtering in WFP.

"Using a supported API means better stability and fewer BSODs. Many drivers can be registered, and each driver vendor does not have to worry about compatibility with the others. If one driver, say, blocks something, another registered driver cannot override that block. On the other hand, an incompatible driver can become a problem if it registers itself elsewhere. We do not rely on WFP alone for network security."

F-Secure Corporation

Mikko Hypponen, senior researcher at F-Secure Corporation, said that for some reason WFP has not become popular among security software developers. His company, meanwhile, has been using WFP for quite a long time and is very satisfied with it.

McAfee Inc.

For his part, McAfee architect Ahmed Sallam said that WFP is a finer-grained and more flexible network filtering interface than the previous one based on NDIS. McAfee actively uses WFP in its security products.

At the same time, for all WFP's positive capabilities, the platform's advantages can also be exploited by cybercriminals. The platform can let malicious programs insert themselves into the network stack of the Windows kernel. That is why 64-bit kernel-mode Windows drivers must be digitally signed, to protect the kernel from being invaded by new malware. On 32-bit versions, however, digital signatures are not mandatory.

So in theory digital signatures are a sound protection mechanism, but in reality malware authors can still obtain their own.

Panda Security

Panda Security spokesman Pedro Bustamante said that the company is watching the WFP platform but not using it. The main shortcomings of WFP, in the company's view, are these. First, it does not allow building a technology that combines different techniques for maximum protection: a technology is useless if the company cannot see the packets entering and leaving the machine, and it must also serve as a sensor for the company's other technologies, which WFP does not provide for. Second, WFP is supported only on Vista and newer operating systems; the platform has no backward compatibility. And third, WFP is still a fairly new platform, and the company prefers to rely on older, proven technologies.

Symantec Corp.

Symantec's director of product management, Dan Nadir, said that WFP is not yet used in their products because of its novelty. Over time, however, the company plans to migrate to it, because the old interfaces they currently rely on cannot provide all the functionality they need. They consider WFP a good platform, since it was designed specifically to ensure that several third-party programs can coexist; in principle the platform should have fewer compatibility problems in future. WFP is also well integrated with the Microsoft Network Diagnostic Framework, which is very useful, since it greatly simplifies finding the particular programs that interfere with traffic. And finally, WFP should improve the performance and stability of the operating system, since the platform avoids emulation and the conflict and driver-stability problems that come with it.

On the other hand, according to Nadir, WFP can create the same problems as any framework: developers who rely on WFP cannot fix vulnerabilities inside WFP itself, nor can they extend the specific capabilities WFP offers. And if many products rely on WFP, malware authors can in theory try to attack WFP itself.

TrendMicro Inc.

Dale Liao, director at Trend Micro Inc., said that the platform's greatest advantage is compatibility with the operating system. Also, the standard firewall has now become useful, so they can concentrate on features that matter to the user. What is bad about WFP is that when the company finds a bug in the platform, it has to wait for Microsoft to verify and fix it.

WFP: Conclusion

In the end, most of the security software developers I know already rely on WFP, some of them alongside other technologies. They value its compatibility, its documentation and its official status, and they expect stability from it. On the negative side, if every vendor relies on WFP, the platform can potentially become a single point of failure for all of them, and to get it fixed they will have to turn to Microsoft. In addition, the platform still does not support packet-level filtering.

Another major shortcoming of WFP is that it is unavailable on Windows XP, so vendors who want to keep supporting XP have to maintain two parallel projects. As XP leaves the market, though, I think WFP will become more popular among developers.

Starting with Server 2008 and Vista, Windows includes the WFP mechanism, a set of APIs and system services. With it, connections can be denied or permitted and individual packets can be controlled. These innovations were meant to make life easier for developers of protection software. The changes to the network architecture touched both the kernel-mode and the user-mode parts of the system: for the former the required functions are exported by fwpkclnt.sys, for the latter by fwpuclnt.dll (the letters "k" and "u" in the library names stand for kernel and user respectively). This article describes the use of WFP for intercepting and filtering traffic; after covering the basic concepts, we will write our own simple filter using WFP.

Basic concepts

Before we start coding we need to get familiar with Microsoft's terminology; it will help with understanding this article and make further reading easier :). So, here goes.

Classification is the process of determining what should be done with a packet. Three actions are possible: permit, block, or invoke a callout.

Callouts are a set of functions in a driver that inspect packets. They have a special function that classifies packets and can return one of the following decisions:

  • permit (FWP_ACTION_PERMIT);
  • block (FWP_ACTION_BLOCK);
  • continue processing;
  • request more data;
  • terminate the connection.

Filters are rules that specify under which conditions a particular callout is invoked. One driver can have several callouts, and developing a driver with a callout is what this article is about. Incidentally, there are also built-in callouts, for example the NAT callout.

A layer is the attribute by which different filters are grouped (or, as MSDN puts it, a "container").

Frankly, Microsoft's documentation looks rather obscure until you look at the samples in the WDK, so if you ever intend to develop seriously, you need to get familiar with them. Now let's move smoothly on to practice. For successful compilation and testing you need the WDK (Windows Driver Kit), VMware, a virtual machine with Windows installed and the WinDbg debugger. As for the WDK, I have version 7600.16385.0 installed; it contains all the required libraries (fwpkclnt.lib and ntoskrnl.lib) and the WFP samples. Links to all these tools have been given more than once, so we will not repeat them.

Coding

To initialize the callout I wrote a BlInitialize function. The general algorithm for creating a callout and adding a filter is:

  1. FwpmEngineOpen0 opens a session;
  2. FwpmTransactionBegin0 begins a transaction with WFP;
  3. FwpsCalloutRegister0 creates a new callout;
  4. FwpmCalloutAdd0 adds the callout object to the system;
  5. FwpmFilterAdd0 adds the new filter(s);
  6. FwpmTransactionCommit0 commits the changes (the added filters).

Note that the function names end in 0. In Windows 7 some of these functions were changed; for example FwpsCalloutRegister1 appeared (while FwpsCalloutRegister0 was kept). They differ in their arguments and, consequently, in the prototypes of the classify functions, but that does not matter for us now: the 0-functions are universal.

FwpmEngineOpen0 and FwpmTransactionBegin0 are not particularly interesting to us; they are the preparatory stage. The interesting part starts with FwpsCalloutRegister0:

FwpsCalloutRegister0 prototype

NTSTATUS NTAPI FwpsCalloutRegister0(
    __inout void *deviceObject,
    __in const FWPS_CALLOUT0 *callout,
    __out_opt UINT32 *calloutId
);

I said earlier that a callout is a set of functions; now it is time to go into detail. The FWPS_CALLOUT0 structure holds pointers to three functions: the classify function (classifyFn) and two notification functions, one for the addition or removal of a filter (notifyFn) and one for the closing of a tracked flow (flowDeleteFn). The first two are mandatory; the last is needed only if you want to monitor the packets themselves and not just the connection. The structure also receives a unique identifier, the callout GUID (calloutKey).

Registration code

FWPS_CALLOUT0 sCallout = {0};
sCallout.calloutKey = *calloutKey;
// classify function
sCallout.classifyFn = BlClassify;
// function notified about the addition/removal of a filter
sCallout.notifyFn = (FWPS_CALLOUT_NOTIFY_FN0)BlNotify;
// flowDeleteFn stays NULL: we do not track flows
// create the new callout
status = FwpsCalloutRegister0(deviceObject, &sCallout, calloutId);

FwpmCalloutAdd0 prototype and the FWPM_CALLOUT0 structure

DWORD WINAPI FwpmCalloutAdd0(
    __in HANDLE engineHandle,
    __in const FWPM_CALLOUT0 *callout,
    __in_opt PSECURITY_DESCRIPTOR sd,
    __out_opt UINT32 *id
);

typedef struct FWPM_CALLOUT0_ {
    GUID calloutKey;
    FWPM_DISPLAY_DATA0 displayData;   // callout description
    UINT32 flags;
    GUID *providerKey;
    FWP_BYTE_BLOB providerData;
    GUID applicableLayer;
    UINT32 calloutId;
} FWPM_CALLOUT0;

In the FWPM_CALLOUT0 structure the field we care about is applicableLayer, the unique identifier of the layer at which the callout is added. In our case it is FWPM_LAYER_ALE_AUTH_CONNECT_V4. The "V4" in the name means the IPv4 protocol; there is also FWPM_LAYER_ALE_AUTH_CONNECT_V6 for IPv6. Given how little IPv6 is used at the moment, we will work with IPv4 only. The CONNECT in the name means we control only the establishment of connections at this layer; individual inbound and outbound packets are not seen here! Besides the one we use there are many layers; they are declared in the header file fwpmk.h in the WDK.

Adding the callout object to the system

FWPM_DISPLAY_DATA0 displayData = {0};
FWPM_CALLOUT0 mCallout = {0};
// callout name and description
displayData.name = L"Blocker Callout";
displayData.description = L"Blocker Callout";
mCallout.calloutKey = *calloutKey;
mCallout.displayData = displayData;
// layer at which the callout is attached: FWPM_LAYER_ALE_AUTH_CONNECT_V4
mCallout.applicableLayer = *layerKey;
status = FwpmCalloutAdd0(gEngineHandle, &mCallout, NULL, NULL);

After the callout has been successfully added to the system we have to create a filter, that is, specify in which cases our callout, or rather its classify function, will be invoked. A new filter is created with the FwpmFilterAdd0 function, which takes an FWPM_FILTER0 structure as its argument.

FWPM_FILTER0 contains one or more FWPM_FILTER_CONDITION0 structures (their number is given by the numFilterConditions field). The layerKey field is filled with the GUID of the layer we want to attach to; in our context it is FWPM_LAYER_ALE_AUTH_CONNECT_V4.

Now let's look at filling in FWPM_FILTER_CONDITION0. First, the fieldKey field must state explicitly what we want to control: a port, an address, an application or something else. In this case FWPM_CONDITION_IP_REMOTE_ADDRESS tells the system that we are interested in the remote IP address. The value of fieldKey determines what type the FWP_CONDITION_VALUE structure, which is part of FWPM_FILTER_CONDITION0, will hold; in this case it holds an IPv4 address. Moving on: the matchType field specifies how the value in FWP_CONDITION_VALUE is compared with what arrives over the network. There are many options. You can specify FWP_MATCH_EQUAL, meaning an exact match of the condition, or FWP_MATCH_NOT_EQUAL, which in effect turns the condition into an exception from filtering (addresses that are not equal). There are also FWP_MATCH_GREATER, FWP_MATCH_LESS and others (see the FWP_MATCH_TYPE enum). In our case we use FWP_MATCH_EQUAL.

I did not bother with anything elaborate and simply wrote a condition that blocks one chosen IP address. Now, whenever a program tries to establish a connection to the chosen address, the classify function of our callout will be invoked. The code can be seen in the "Adding the filter to the system" listing.

Adding the filter to the system

FWPM_FILTER0 filter = {0};
FWPM_FILTER_CONDITION0 filterConditions = {0};
// the single condition: remote address equal to the blocked one.
// The value is an FWP_UINT32 in host byte order; BLOCKED_IP_ADDRESS is
// kept in network byte order, hence the ntohl().
filterConditions.fieldKey = FWPM_CONDITION_IP_REMOTE_ADDRESS;
filterConditions.matchType = FWP_MATCH_EQUAL;
filterConditions.conditionValue.type = FWP_UINT32;
filterConditions.conditionValue.uint32 = ntohl(BLOCKED_IP_ADDRESS);
filter.flags = FWPM_FILTER_FLAG_NONE;
filter.layerKey = *layerKey;
filter.displayData.name = L"Blocker Call?out";
filter.displayData.description = L"Blocker Callout";
// hand matching connections to our callout
filter.action.type = FWP_ACTION_CALLOUT_UNKNOWN;
filter.action.calloutKey = *calloutKey;
filter.filterCondition = &filterConditions;   // pointer to the condition array
filter.numFilterConditions = 1;               // one condition
//filter.subLayerKey = FWPM_SUBLAYER_UNIVERSAL;
filter.weight.type = FWP_EMPTY;               // automatic weight
// add the filter
status = FwpmFilterAdd0(gEngineHandle, &filter, NULL, NULL);

Of course, there can be many more filtering conditions. For example, you can block a connection by a particular remote or local port (FWPM_CONDITION_IP_REMOTE_PORT and FWPM_CONDITION_IP_LOCAL_PORT respectively). You can catch all packets of a certain protocol or of a certain program. And that's not all: you can, for instance, block the traffic of a particular user. In short, there is room to roam.

But back to our filter. The classify function in our case simply blocks the connection to the given address (BLOCKED_IP_ADDRESS) by returning FWP_ACTION_BLOCK:

The code of our classify function

void NTAPI BlClassify(
    const FWPS_INCOMING_VALUES0 *inFixedValues,
    const FWPS_INCOMING_METADATA_VALUES0 *inMetaValues,
    VOID *layerData,
    const FWPS_FILTER0 *filter,
    UINT64 flowContext,
    FWPS_CLASSIFY_OUT0 *classifyOut)
{
    // fill in the FWPS_CLASSIFY_OUT0 structure: a callout may write the
    // action only while FWPS_RIGHT_ACTION_WRITE is still set
    if (classifyOut && (classifyOut->rights & FWPS_RIGHT_ACTION_WRITE)) {
        // block the connection
        classifyOut->actionType = FWP_ACTION_BLOCK;
        // when blocking, clear FWPS_RIGHT_ACTION_WRITE so that
        // lower-weight filters cannot override the decision
        classifyOut->rights &= ~FWPS_RIGHT_ACTION_WRITE;
    }
}

In practice the classify function can also return FWP_ACTION_PERMIT, FWP_ACTION_CONTINUE and others. Whatever it sets, it must first check that FWPS_RIGHT_ACTION_WRITE is present in classifyOut->rights: once a higher-weight filter has cleared that bit, later callouts must leave the verdict alone.
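To make the filter-condition matching and the classify rule above concrete outside the kernel, here is an added example (not the article's driver code) written as plain user-mode C. It models how the engine evaluates a condition on the remote IPv4 address for each of the match types the text mentions (including a range), shows the host-byte-order requirement behind the ntohl() in the listing, and reproduces the rule that the callout writes its verdict only while the write right is set. The enum and struct names are local stand-ins for the WDK types (assumed shapes, not the real headers), and the addresses are made-up documentation ranges.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local model of the WFP pieces discussed above. These are stand-ins for
 * FWP_MATCH_TYPE, FWP_ACTION_*, FWPS_RIGHT_ACTION_WRITE, FWPM_FILTER_CONDITION0
 * and FWPS_CLASSIFY_OUT0; only the documented semantics are reproduced. */
enum match_type { MATCH_EQUAL, MATCH_NOT_EQUAL, MATCH_GREATER, MATCH_LESS,
                  MATCH_GREATER_OR_EQUAL, MATCH_LESS_OR_EQUAL, MATCH_RANGE };
enum action { ACTION_NONE = 0, ACTION_PERMIT, ACTION_BLOCK, ACTION_CONTINUE };
#define RIGHT_ACTION_WRITE 0x1u

struct condition {            /* a condition on the remote address at the ALE connect layer */
    enum match_type match;
    uint32_t value;           /* host byte order, as a UINT32 address value requires */
    uint32_t value_high;      /* upper bound, used only by MATCH_RANGE */
};

struct classify_out {         /* the two output members the callout touches */
    enum action action_type;
    uint32_t rights;
};

/* Dotted quad -> host-order UINT32. inet_addr()/inet_pton() return NETWORK
 * order, which is why the listing wraps its constant in ntohl(). */
int ipv4_host_order(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* What ntohl()/htonl() do on a little-endian host: reverse the byte order. */
uint32_t byteswap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* One condition evaluated against the remote address of a connection attempt. */
int condition_matches(const struct condition *c, uint32_t remote)
{
    switch (c->match) {
    case MATCH_EQUAL:            return remote == c->value;
    case MATCH_NOT_EQUAL:        return remote != c->value;
    case MATCH_GREATER:          return remote >  c->value;
    case MATCH_LESS:             return remote <  c->value;
    case MATCH_GREATER_OR_EQUAL: return remote >= c->value;
    case MATCH_LESS_OR_EQUAL:    return remote <= c->value;
    case MATCH_RANGE:            return remote >= c->value && remote <= c->value_high;
    }
    return 0;
}

/* The engine invokes the callout only when every condition of the filter
 * holds. The blocker may write its verdict only while RIGHT_ACTION_WRITE is
 * set; clearing the bit afterwards makes the block final for lower-weight
 * filters. Returns 1 if a block was written, 0 otherwise. */
int classify_blocker(const struct condition *conds, size_t nconds,
                     uint32_t remote, struct classify_out *out)
{
    for (size_t i = 0; i < nconds; i++)
        if (!condition_matches(&conds[i], remote))
            return 0;                   /* filter does not apply: callout not invoked */
    if (!(out->rights & RIGHT_ACTION_WRITE))
        return 0;                       /* a higher-weight filter already decided */
    out->action_type = ACTION_BLOCK;
    out->rights &= ~RIGHT_ACTION_WRITE;
    return 1;
}

/* End to end: the listing's filter (one MATCH_EQUAL condition on the blocked
 * address) applied to a connection attempt toward remote_ip. */
enum action blocker_verdict(const char *blocked_ip, const char *remote_ip)
{
    struct condition c = { MATCH_EQUAL, 0, 0 };
    struct classify_out out = { ACTION_PERMIT, RIGHT_ACTION_WRITE };
    uint32_t remote;
    if (ipv4_host_order(blocked_ip, &c.value) || ipv4_host_order(remote_ip, &remote))
        return ACTION_NONE;
    classify_blocker(&c, 1, remote, &out);
    return out.action_type;
}

int main(void)
{
    const char *targets[] = { "203.0.113.5", "203.0.113.6" };
    for (size_t i = 0; i < 2; i++)
        printf("connect to %s -> %s\n", targets[i],
               blocker_verdict("203.0.113.5", targets[i]) == ACTION_BLOCK ? "BLOCK" : "PERMIT");
    return 0;
}
```

The byte-order test is the one to remember: a condition loaded with the network-order value never matches anything, and the engine reports no error, so the filter silently permits what it was written to block.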

When the driver unloads, all registered callouts must be unregistered (guess what happens if the system tries to call a callout of an unloaded driver? Right, a BSOD). The FwpsCalloutUnregisterById function does this; it takes as its parameter the 32-bit callout identifier returned by FwpsCalloutRegister.

Shutting the callout down

NTSTATUS BlUninitialize()
{
    NTSTATUS ns = STATUS_SUCCESS;
    if (gEngineHandle) {
        // close the WFP session opened by FwpmEngineOpen0
        FwpmEngineClose0(gEngineHandle);
        gEngineHandle = NULL;
    }
    if (gBlCalloutIdV4) {
        // unregister the callout by the id FwpsCalloutRegister0 returned
        ns = FwpsCalloutUnregisterById0(gBlCalloutIdV4);
        gBlCalloutIdV4 = 0;
    }
    return ns;
}

As you can see, programming a WFP filter is not that hard, since MS gave us a convenient API. Incidentally, we built the filter in a driver, but it is also possible to work from user mode! For example, the msnmntr sample in the WDK (an MSN Messenger traffic monitor) pairs a user-mode component with the kernel-mode part of the filter.

Your own GUID

To register a callout you need a unique identifier. To obtain your own GUID (Globally Unique Identifier), use guidgen.exe, which ships with Visual Studio. The tool is located in (VS_Path)\Common7\Tools. The probability of a collision is negligible, since a GUID is 128 bits long and there are 2^128 possible identifiers.

Debugging the filter

To debug the driver it is convenient to use WinDbg + VMware. For this you need to set up both the guest system (let's assume it is Vista) and windbg on the host. Where WinXP required editing boot.ini, Vista and later have the console utility bcdedit. As usual, debugging has to be enabled:

BCDedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200
BCDedit /debug ON (or BCDedit /set debug ON)

Now everything is ready! Run a batch file with the following text:

start windbg -b -k com:pipe,port=\\.\pipe\com_1,resets=0

and watch the debug output in the windbg window (see the figure).

Conclusion

As you can see, the scope for applying WFP is wide. It is up to you how to apply this knowledge: for evil or for good :)

© 2022 androidas.ru - All about Android