MCTS Training Kit 70-685: Windows 7 Enterprise Desktop Support Technician, part 7


APPENDIX A Configuring Windows Firewall

One of the most common problems that administrators face in new installations of Windows is that by default, clients running Windows do not respond to ping (ICMP Echo Request) messages. Although you can solve this problem by creating an allow rule for ICMP Echo Requests in the WFAS console, you can also configure a client to respond to pings simply by creating an exception for File And Printer Sharing in Control Panel.

Troubleshooting Windows Firewall by Using the WFAS Console

Because the WFAS console is the main configuration tool for Windows Firewall, it is also its main troubleshooting tool. You can use the WFAS console to perform troubleshooting procedures such as reviewing the firewall configuration in the Monitoring node, reviewing settings configured in the firewall properties, verifying all locally defined firewall rules, and verifying Connection Security Rules.

NOTE CONNECTION SECURITY RULES
Connection Security Rules are used to apply IPSec security requirements to inbound and outbound connections.

REVIEWING THE FIREWALL CONFIGURATION IN THE MONITORING NODE

The Monitoring node in the WFAS console, shown in Figure A-14, can be used to review the firewall configuration. Specifically, through the Monitoring node, you can review the following:
■ The active profile
■ The firewall state
■ General settings (including notification settings)
■ Logging settings
■ Active (enabled) firewall rules on the computer
■ Active connection security rules on the computer and detailed information concerning their settings
■ Active security associations for IPSec connections

MORE INFO USING THE WFAS CONSOLE
For additional information on monitoring by using the WFAS console, visit http://technet.microsoft.com/en-us/library/dd421717(WS.10).aspx.
FIGURE A-14 The Monitoring node of the WFAS console

REVIEWING WINDOWS FIREWALL PROPERTIES

Windows Firewall properties are the settings configured in the properties of the root node of the WFAS console tree (that is, the node named Windows Firewall With Advanced Security). You can also access Windows Firewall properties by selecting the root node and then clicking Windows Firewall Properties in the center pane, as shown in Figure A-15.

FIGURE A-15 Opening Windows Firewall Properties

These settings affect the following behaviors for the Domain, Private, and Public profiles:
■ Whether incoming or outgoing connections as a whole are blocked
■ Whether a notification occurs when an incoming network program is blocked
■ Whether the local computer allows unicast responses to any broadcast or multicast messages that it sends on the network
■ Whether logging is performed for successful connections
■ Whether logging is performed for dropped packets
Be sure to review these settings when troubleshooting Windows Firewall.

VERIFYING FIREWALL RULES

When you are troubleshooting an issue with Windows Firewall, you often need to review all the firewall rules, both active and inactive, that are configured in the WFAS console. You can take this step by using the Inbound Rules and Outbound Rules nodes. Through these nodes, you can see all rules created on the system, even those you might have configured as an allowed program (exception) in Control Panel.
If, for example, you find that a network program cannot communicate with the local computer, you should verify the following by investigating firewall rules:
■ Verify that an inbound allow rule defined for that program is configured for the active firewall profile.
■ If the rule exists, verify that the rule itself is active. (Active rules are designated with a green check icon, and inactive rules are designated with a gray check icon.)
  • If the rule is inactive when you believe it should be active, check the properties of the rule to ensure that you have defined traffic for the rule correctly.
  • If the desired inbound allow rule is active, verify that no other rules such as inbound deny rules are preventing it from functioning as you expect. Deny rules override allow rules.
If no allow rule for the program exists, create a new rule for that program.

VERIFYING CONNECTION SECURITY RULES

Connection Security Rules enforce IPSec authentication on specified connections. If a Connection Security Rule requires security, it can block traffic from a program even if Firewall Rules allow it. For example, an active Connection Security Rule might require that all inbound traffic be authenticated. In this case, traffic from a network source that cannot be authenticated is dropped even if you have created an allow rule for the traffic in question. For this reason, you need to review Connection Security Rules when you are troubleshooting Windows Firewall. If you need to allow traffic from a remote source that cannot be authenticated, be sure to configure an exemption for that remote source. Alternatively, you can modify Connection Security Rules so that they only request authentication but do not require it.
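The checks described in this section (firewall state and logging settings from the properties, enabled inbound rules with deny overriding allow, and Connection Security Rules that require authentication) can be scripted against the text output of netsh advfirewall, which is present on Windows 7. The following PowerShell script is an added example, not code from the training kit or from Microsoft; it assumes English netsh output, and the function names, the sample rule names and the sample output it parses when run without -Live are all constructed here.

```powershell
# Added example, not code from the training kit: audit the Windows Firewall
# settings the text tells you to review (state, logging, enabled inbound rules,
# connection security rules) by parsing the text output of netsh advfirewall,
# which ships with Windows 7. Field names assume English netsh output.
# -Live runs netsh on this computer; without it the CONSTRUCTED samples are parsed.
param([switch]$Live)

# Constructed sample of "netsh advfirewall show currentprofile" (relevant fields only).
$SampleProfile = @'
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Logging:
LogDroppedConnections                 Disable
FileName                              %systemroot%\system32\LogFiles\Firewall\pfirewall.log
'@

# Constructed sample of "netsh advfirewall firewall show rule name=all".
$SampleRules = @'
Rule Name:                            Allow Ping
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Protocol:                             ICMPv4
                                      Type    Code
                                      8       Any
Action:                               Allow

Rule Name:                            Block ICMP from lab segment
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain
Protocol:                             ICMPv4
                                      Type    Code
                                      Any     Any
Action:                               Block
'@

# Constructed sample of "netsh advfirewall consec show rule name=all".
$SampleConsec = @'
Rule Name:                            Require inbound authentication
Enabled:                              Yes
Profiles:                             Domain
Action:                               RequireInRequestOut
'@

# Profile output is one "Key<2+ spaces>Value" per line; return a hashtable.
function ConvertFrom-NetshSettings([string[]]$Lines) {
    $h = @{}
    foreach ($l in $Lines) {
        if ($l -match '^([A-Za-z][A-Za-z ]*?)\s{2,}(\S.*?)\s*$') { $h[$matches[1]] = $matches[2] }
    }
    return $h
}

# Rule output is "Key:<spaces>Value" lines; each "Rule Name:" starts a new rule.
# The ICMP "Type Code" row has no key, so it is captured separately as ICMPType.
function ConvertFrom-NetshRules([string[]]$Lines) {
    $rules = @(); $cur = $null
    foreach ($l in $Lines) {
        if ($l -match '^([A-Za-z ]+):\s+(\S.*?)\s*$') {
            if ($matches[1] -eq 'Rule Name') { if ($cur) { $rules += $cur }; $cur = @{} }
            if ($cur) { $cur[$matches[1]] = $matches[2] }
        } elseif ($cur -and $l -match '^\s+(\d+|Any)\s+(\d+|Any)\s*$') {
            $cur['ICMPType'] = $matches[1]
        }
    }
    if ($cur) { $rules += $cur }
    return ,$rules
}

# Returns the findings a troubleshooter should act on for the profile in $ProfileText.
function Get-FirewallFindings([string]$ProfileText, [string]$RuleText, [string]$ConsecText) {
    $p = ConvertFrom-NetshSettings ($ProfileText -split "`r?`n")
    $name = if ($ProfileText -match '(\w+) Profile Settings:') { $matches[1] } else { 'Unknown' }
    $rules = ConvertFrom-NetshRules ($RuleText -split "`r?`n")
    $consec = ConvertFrom-NetshRules ($ConsecText -split "`r?`n")
    $f = @()
    if ($p['State'] -ne 'ON') { $f += "$name profile: firewall state is '$($p['State'])', not ON" }
    if ($p['LogDroppedConnections'] -ne 'Enable') { $f += "$name profile: dropped-packet logging is off, so the firewall log cannot explain blocked traffic" }
    # Only enabled inbound rules that apply to this profile matter, and Block beats Allow.
    $active = @($rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and (($_.Profiles -split ',') -contains $name) })
    $echo = @($active | Where-Object { $_.Protocol -eq 'ICMPv4' -and ('8','Any' -contains $_.ICMPType) })
    if (@($echo | Where-Object { $_.Action -eq 'Allow' }).Count -eq 0) { $f += "$name profile: no enabled inbound allow rule for ICMPv4 Echo Request, so pings will fail" }
    foreach ($r in @($echo | Where-Object { $_.Action -eq 'Block' })) { $f += "$name profile: block rule '$($r.'Rule Name')' overrides any Echo Request allow rule" }
    foreach ($c in $consec) {
        if ($c.Enabled -eq 'Yes' -and $c.Action -like 'RequireIn*' -and (($c.Profiles -split ',') -contains $name)) {
            $f += "$name profile: connection security rule '$($c.'Rule Name')' requires inbound IPSec authentication; unauthenticated sources are dropped even when a firewall rule allows them"
        }
    }
    return ,$f
}

if ($Live) {
    $profileText = (netsh advfirewall show currentprofile) -join "`n"
    $ruleText    = (netsh advfirewall firewall show rule name=all) -join "`n"
    $consecText  = (netsh advfirewall consec show rule name=all) -join "`n"
} else { $profileText = $SampleProfile; $ruleText = $SampleRules; $consecText = $SampleConsec }
$findings = Get-FirewallFindings $profileText $ruleText $consecText
if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run without switches, the script reports three findings on the constructed sample: dropped-packet logging is off, the block rule overrides the Allow Ping rule (the deny-over-allow point above), and the connection security rule requires inbound authentication. With -Live it evaluates the current profile of the computer it runs on, which is the same information the Monitoring node and the rule nodes show.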
Troubleshooting Windows Firewall with Group Policy

When you are troubleshooting Windows Firewall, be sure to review Group Policy and Local Computer Policy settings (including those in Local Security Policy) because these settings affect the Windows Firewall configuration. Group Policy provides two places to configure Windows Firewall in every GPO. As mentioned earlier in this chapter, every GPO contains a Windows Firewall With Advanced Security node in Computer Configuration\Policies\Windows Settings\Security Settings. This part of a GPO enables you to define firewall rules that are created automatically on every computer running Windows Vista and later that falls within the scope of the policy. The second location in a GPO where you can configure Windows Firewall settings is found in Computer Configuration\Policies\Administrative Templates\Network\Network Connections. This location is shown in Figure A-16.

FIGURE A-16 Windows Firewall settings in Group Policy

Through this location in the Administrative Templates section of a GPO, you can configure the following Windows Firewall–related policy settings:
■ Windows Firewall: Allow Authenticated IPSec Bypass
  Unlike the other settings mentioned in this list, this policy setting appears at the root of the Windows Firewall folder in Administrative Templates. This setting allows the computers that you specify to bypass the local Windows Firewall if they can authenticate by using IPSec.
■ Windows Firewall: Allow Local Program Exceptions
  This policy setting allows administrators to use Control Panel to define a local program exceptions list. When set to Disabled, this policy setting prevents administrators from creating Windows Firewall exceptions in Control Panel. If an administrator is unable to create program exceptions, you should check this policy setting.
■ Windows Firewall: Define Inbound Program Exceptions
  This policy setting allows you to define firewall exceptions for a set list of programs. These programs are then defined as allowed programs in Windows Firewall on all computers that fall within the scope of the policy. When you disable this setting, the program exceptions list that you have defined in this policy setting is deleted.
■ Windows Firewall: Protect All Network Connections
  This setting allows you to force Windows Firewall into an “on” or “off” state.
■ Windows Firewall: Do Not Allow Exceptions
  If you enable this policy setting, any exceptions that you define in Control Panel are ignored.
■ Windows Firewall: Allow Inbound File And Printer Sharing Exception
  If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. Note that allowing File And Printer Sharing also allows clients to receive and respond to ping (ICMP Echo Request) messages.
■ Windows Firewall: Allow ICMP Exceptions
  This policy setting allows you to define the specific ICMP message types that Windows Firewall allows.
■ Windows Firewall: Allow Logging
  This policy setting allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting, Windows Firewall writes the information to a log file.
■ Windows Firewall: Prohibit Notifications
  This policy setting prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list.
■ Windows Firewall: Allow Local Port Exceptions
  This policy setting allows administrators to enable or disable the port exceptions list. If you disable this policy setting, port exceptions are ignored.
■ Windows Firewall: Allow Inbound Remote Administration Exception
  This policy setting allows remote administration of the local computer by using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).
■ Windows Firewall: Allow Inbound Remote Desktop Exceptions
  This policy setting allows the local computer to receive inbound Remote Desktop requests (through TCP port 3389). If you disable this policy setting, Windows Firewall blocks this port, which prevents this computer from receiving Remote Desktop requests.
■ Windows Firewall: Prohibit Unicast Response To Multicast Or Broadcast Requests
  This policy prevents the local computer from receiving unicast responses to its outgoing multicast or broadcast messages. This policy does not affect Dynamic Host Configuration Protocol (DHCP).
■ Windows Firewall: Allow Inbound UPnP Framework Exceptions
  This policy allows the local computer to receive unsolicited inbound Universal Plug and Play (UPnP) messages sent by network devices, such as routers with built-in firewalls.

Quick Check
■ Which policy setting should you enable if you want to allow remote administrators to manage client computers through an MMC?

Quick Check Answer
■ Windows Firewall: Allow Inbound Remote Administration Exception

Troubleshooting Windows Firewall by Using Firewall Logs

Windows Firewall logging is not enabled by default. If you are experiencing a firewall issue that you cannot resolve, or if you want to have the option of troubleshooting by using firewall logs in the future, you should enable logging. To enable logging on Windows Firewall on client computers throughout the network, you should use a GPO to enable the Allow Logging policy setting discussed in the previous section.
To enable Windows Firewall logging on a single computer, open Windows Firewall properties and then, in the Logging area, click Customize, as shown in Figure A-17.

FIGURE A-17 You can enable Windows Firewall logging in the Properties dialog box of the root node of the WFAS console.

This action opens the Customize Logging Settings dialog box shown in Figure A-18, which lets you configure:
■ Where the log file is created and how big the file can grow
■ Whether you want the log file to record information about dropped packets, successful connections, or both

FIGURE A-18 Enabling logging for dropped packets and successful connections

Note that if you choose to log successful connections, make sure that you have plenty of storage space available. If you need to move the default location of the log to provide enough storage space, you need to assign the Windows Firewall service account write permissions to the folder containing the file.

Troubleshooting Windows Firewall by Using Event Logs

You can also use the Windows event logs to monitor Windows Firewall and to troubleshoot any issues that may arise. The event logs for Windows Firewall are found in the following location in Event Viewer:
Applications and Services Logs\Microsoft\Windows\Windows Firewall with Advanced Security
As shown in Figure A-19, there are four event logs you can use for monitoring and troubleshooting Windows Firewall activity:
■ ConnectionSecurity
■ ConnectionSecurityVerbose
■ Firewall
■ FirewallVerbose
The two verbose logs are disabled by default because of the large amounts of information they collect.
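The firewall log section above says how to turn dropped-packet logging on but not how to read the result. The log is a plain text file whose #Fields: header names the columns. The following PowerShell script is an added example, not code from the training kit or from Microsoft: the log lines it contains are constructed, the function names are mine, and the default path is the location Windows uses unless the log has been moved as described above.

```powershell
# Added example, not code from the training kit: parse the text log that Windows
# Firewall writes once dropped-packet logging is enabled and summarize what was
# dropped on receive. The column names come from the log's own "#Fields:" header.
# The log lines embedded below are CONSTRUCTED; -Live reads the real file instead.
# $Path defaults to the location Windows uses unless the log has been moved.
param([string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
      [switch]$Live)

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2010-02-18 14:02:53 DROP ICMP 192.0.2.10 192.0.2.25 - - 60 - - - - 8 0 - RECEIVE
2010-02-18 14:02:54 DROP ICMP 192.0.2.10 192.0.2.25 - - 60 - - - - 8 0 - RECEIVE
2010-02-18 14:02:55 DROP TCP 192.0.2.10 192.0.2.25 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2010-02-18 14:03:01 ALLOW TCP 192.0.2.25 192.0.2.5 49200 389 0 - 0 0 0 - - - SEND
2010-02-18 14:03:07 DROP UDP 192.0.2.77 192.0.2.25 137 137 78 - - - - - - - RECEIVE
'@

# One object per log line, with properties named by the header; "-" means not applicable.
function ConvertFrom-FirewallLog([string[]]$Lines) {
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $matches[1].Trim() -split '\s+'; continue }
        if ($line -match '^#' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # torn or truncated line
        $h = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $h[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $h
    }
}

# Inbound drops grouped by protocol and target (destination port, or ICMP type),
# with count, time window and distinct sources: enough to tell a missing allow
# rule (many sources, one service port) from a single noisy host.
function Get-InboundDropSummary($Entries) {
    $drops = @($Entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' })
    $groups = $drops | Group-Object { if ($_.protocol -eq 'ICMP') { "ICMP type $($_.icmptype)" } else { "$($_.protocol)/$($_.'dst-port')" } }
    foreach ($grp in $groups) {
        $g = @($grp.Group | Sort-Object { $_.date + ' ' + $_.time })
        New-Object PSObject -Property @{
            Target  = $grp.Name
            Count   = $grp.Count
            First   = $g[0].date + ' ' + $g[0].time
            Last    = $g[-1].date + ' ' + $g[-1].time
            Sources = (@($g | ForEach-Object { $_.'src-ip' } | Select-Object -Unique) -join ',')
        }
    }
}

$lines = if ($Live) { Get-Content -Path $Path } else { $SampleLog -split "`r?`n" }
$entries = @(ConvertFrom-FirewallLog $lines)
Get-InboundDropSummary $entries | Sort-Object Count -Descending | Format-Table Target, Count, First, Last, Sources -AutoSize
```

On the constructed sample the summary lists three targets: two dropped Echo Requests (ICMP type 8), which is exactly the "client does not answer ping" symptom the appendix opens with, one dropped TCP connection to port 445, and one dropped UDP datagram to port 137. Lines whose field count does not match the header are skipped rather than misattributed, which matters when the file is read while the firewall is still appending to it.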
To enable the two verbose event logs, right-click them in Event Viewer and select Enable Log.

FIGURE A-19 Viewing the event logs for Windows Firewall

PRACTICE Creating Exceptions for Windows Firewall

In this practice, you compare and contrast creating Windows Firewall exceptions through two different methods: by using Control Panel and by using Local Security Policy. This practice requires a two-computer domain, with the domain controller running Windows Server 2008 R2 and the client running Windows 7.

EXERCISE 1 Creating a Program Exception for File And Printer Sharing

In this exercise, you attempt to ping the client computer from the server. Next, you create a firewall exception for File And Printer Sharing, test the ability to ping again, and finally revert to the original default configuration.

NOTE CREATE THIS EXCEPTION ONLY WHEN A CLIENT NEEDS FILE AND PRINTER SHARING
It is useful to know that making an exception for File And Printer Sharing also creates an exception for Ping. However, you shouldn’t use this method to enable Ping if the client does not also need File And Printer Sharing. Doing so would expose the client system unnecessarily to potential attacks. If you want to be able to ping a client that does not need File And Printer Sharing, use the WFAS console to create an inbound allow rule for ICMP Echo Requests as described in Exercise 2.
1. Log on to the domain from the client computer with a domain administrator account.
2. Open Control Panel, browse to System And Security, and then, in the Windows Firewall category, click Allow A Program Through Windows Firewall.
3. On the Allowed Programs page, verify that File And Printer Sharing is not selected. If it is selected, click Change Settings, clear the Domain, Home/Work (Private), and Public check boxes associated with File And Printer Sharing, and then click OK. Leave Control Panel open.
4. Log on to the domain controller. Open a command prompt and attempt to ping the client by name. The ping attempt fails.
5. Return to the client. Again, click Allow A Program Through Windows Firewall.
6. On the Allowed Programs page, click Change Settings, and then click the check box to the left of File And Printer Sharing.
7. Verify that the Domain check box is now selected, and then click OK.
8. Return to the domain controller. Attempt to ping the client again. The ping now succeeds. The File And Printer Sharing exception creates an exception for ping as well as for file sharing.
9. Return to the client and open Control Panel. Remove the File And Printer Sharing exception that you just created, and then click OK.

EXERCISE 2 Enforcing an Allow Rule Through Local Security Policy

Although Exercise 1 demonstrates a simple way to allow ping requests through Windows Firewall, this method has two disadvantages. First, it creates a firewall exception for File And Printer Sharing, which is unnecessary if you want to allow only ping requests through the firewall.
If a computer does not host any shared folders or printers, it is not optimal to allow network access to the computer in this way. Second, the Control Panel method does not enforce the allow rule that you created. The rule can be deleted or disabled easily by an administrator. In this exercise, you open Local Security Policy and create a persistent allow rule to allow ICMP Echo requests through Windows Firewall. You then test the effects of this new rule.
1. Log on to the domain controller if you have not already done so, and verify that you cannot ping the client computer. If you can ping the client computer, remove any firewall exceptions that you have created that allow you to ping the client computer successfully.
2. If you have not already done so, log on to the domain from the client as a domain administrator.
3. On the client, click Start, type Local Security Policy in the Search Programs And Files text box, and then click Local Security Policy from the Start menu.
4. In Local Security Policy, navigate to Security Settings\Windows Firewall With Advanced Security\Windows Firewall With Advanced Security – Local Group Policy Object\Inbound Rules.
5. Right-click the Inbound Rules node and then click New Rule from the shortcut menu. The New Inbound Rule Wizard appears.
6. On the Rule Type page, click Custom, and then click Next.
7. On the Program page, click Next.
8. On the Protocols And Ports page, from the Protocol Type drop-down list box, select ICMPv4.
9. In the Customize ICMP Settings window, select Specific ICMP types, select Echo Request, and then click OK.
10. On the Protocols And Ports page, click Next.
11. On the Scope page, click Next.
12. On the Action page, ensure that the Allow The Connection check box is selected, and then click Next.
13. On the Profile page, click Next.
14. On the Name page, give the rule a name of Allow Ping, and then click Finish.
The Allow Ping rule now appears in Local Security Policy.
15. Restart the client computer.
16. When the computer finishes restarting, attempt to ping the computer from the domain controller. The ping attempt is successful.
17. Log on to the domain from the client computer by using your domain administrator account.
18. Open the WFAS console by clicking Start, All Programs, Administrative Tools, and Windows Firewall With Advanced Security.
19. In the WFAS console tree, select the Inbound Rules node and wait for the list of rules to populate. The Allow Ping rule appears first in the list.
20. Right-click the rule and review the options on the associated shortcut menu. No options for Delete Rule or Disable Rule are available. Unlike the other rules visible in the WFAS console, this rule cannot be disabled or deleted because it is enforced through the Local Security Policy. Similarly, you could enforce this rule throughout the network by using Group Policy.
21. Close all open windows.
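The same Echo Request allow rule that Exercise 2 builds in the wizard can be created and verified from the command line with netsh advfirewall, which is present on Windows 7. The following PowerShell script is an added example, not code from the training kit or from Microsoft; the function names and the defaults (rule name Allow Ping, domain profile) are assumptions, and English netsh output is assumed. It keeps the narrow scope of Exercise 2 (ICMPv4 type 8 only, not the File And Printer Sharing group), but a rule created this way lives in the local rule store and can still be disabled or deleted, so it does not give the enforcement shown in step 20; that still needs Local Security Policy or a GPO.

```powershell
# Added example, not code from the training kit: create, verify and remove an
# ICMPv4 Echo Request allow rule with netsh advfirewall (present on Windows 7).
# Run from an elevated PowerShell prompt; assumes English netsh output. Unlike the
# Local Security Policy rule in Exercise 2, a rule created here is a local rule
# and can still be disabled or deleted.
param([string]$RuleName = 'Allow Ping', [string]$FirewallProfile = 'domain', [switch]$Remove)

# $true when an enabled rule with this name exists in the local rule store.
# Arguments are passed as whole "key=value" strings so that PowerShell neither
# splits "icmpv4:8,any" at the comma nor breaks a rule name that contains a space.
function Test-LocalRuleEnabled([string]$Name) {
    $out = @(netsh advfirewall firewall show rule "name=$Name")
    if (-not ($out | Select-String -Pattern '^Rule Name:' -Quiet)) { return $false }   # "No rules match..."
    return [bool]($out | Select-String -Pattern '^Enabled:\s+Yes' -Quiet)
}

# icmpv4:8,any = ICMP type 8 (Echo Request) with any code, inbound, one profile only:
# the scope Exercise 2 chooses, and far narrower than the File And Printer Sharing group.
function Add-PingAllowRule([string]$Name, [string]$Prof) {
    netsh advfirewall firewall add rule "name=$Name" dir=in action=allow "protocol=icmpv4:8,any" "profile=$Prof" | Out-Null
    return (Test-LocalRuleEnabled $Name)
}

# Removes the rule again, as the cleanup steps of the exercises do.
function Remove-PingAllowRule([string]$Name) {
    netsh advfirewall firewall delete rule "name=$Name" | Out-Null
    return (-not (Test-LocalRuleEnabled $Name))
}

if ($Remove) {
    if (Remove-PingAllowRule $RuleName) { "Rule '$RuleName' removed." } else { "Rule '$RuleName' is still present." }
} elseif (Add-PingAllowRule $RuleName $FirewallProfile) {
    "Rule '$RuleName' is enabled for the $FirewallProfile profile; a ping from a computer on that network should now succeed."
} else {
    "Rule '$RuleName' was not created; check that this prompt is elevated."
}
```

Verification reads the rule back from netsh rather than trusting the add command's "Ok." line, so a rule blocked by the Allow Local Program Exceptions or Do Not Allow Exceptions policy settings described earlier shows up as a failed check rather than a silent success.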

Posted: 09/08/2014, 11:21
