Indicadores de Rentabilidad

In this exercise, you configure Windows Server 2008 R2 to block outbound requests by default. Then, you test it by attempting to visit a website with Internet Explorer. Next, you create an outbound rule to allow requests from Internet Explorer and verify that the outbound rule works correctly. Finally, you return your computer to its original state.

1. Open Internet Explorer and visit http://www.microsoft.com. If an Internet Explorer Enhanced Security Configuration dialog box appears, you can click Close to dismiss it. 2. In Server Manager, right-click Configuration\Windows Firewall With Advanced Security,

and then choose Properties.

3. Click the Domain Profile tab. From the Outbound Connections drop-down list, select Block. Repeat this step for the Private Profile and Public Profile tabs. Then click OK. 4. Open Internet Explorer and attempt to visit http://support.microsoft.com. You should

be unable to visit the website because outbound filtering is blocking Internet Explorer’s outgoing HTTP queries.

5. In Server Manager, within Configuration\Windows Firewall With Advanced Security, right- click Outbound Rules, and then choose New Rule. The New Outbound Rule Wizard appears. 6. On the Rule Type page, select Program. Then, click Next.

7. On the Program page, select This Program Path. In the box, type %programfiles% \internet explorer\iexplore.exe (the path to the Internet Explorer executable file). Click Next.

9. On the Profile page, accept the default selection of applying the rule to all three profiles. Click Next.

10. On the Name page, type allow internet explorer outgoing communications. Then click Finish.

11. In Internet Explorer, attempt to visit http://support.microsoft.com again. This time the connection succeeds because you created an outbound filter specifically for Internet Explorer.

12. In Server Manager, disable outbound filtering by right-clicking Configuration\Windows Firewall With Advanced Security, and then choosing Properties. On the Domain Profile tab, click the Outbound Connections list, and then click Allow (Default). Repeat this step for the Private Profile and Public Profile tabs. Click OK.

Lesson Summary

■ Firewalls are designed to drop unwanted communications (such as packets generated by a worm) while still allowing legitimate communications (such as packets generated by a network management tool).

■ Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 support three firewall profiles: Domain, Private, and Public. The Domain profile applies whenever a computer can communicate with its domain controller. The Private profile must be manually applied to a network. The Public profile applies any time a domain controller is not available, and a network has not been configured as Private.

■ Use the Windows Firewall With Advanced Security snap-in to create an inbound firewall rule that allows a server application to receive incoming connections.

■ Use the Windows Firewall With Advanced Security snap-in to create an outbound firewall rule that allows a client application to establish outgoing connections. You need to create outbound firewall rules only when you configure outbound connec- tions to be blocked by default.

■ You can edit the properties of a firewall rule to configure the scope, which limits the subnets an application can communicate with. Configuring scope can greatly reduce the risk of attacks from untrusted networks.

■ If you use IPsec in your environment, you can configure firewall rules to allow only secure connections and to allow only connections for authorized users and computers. ■ Group Policy is the most effective way to configure firewall settings for all computers in a domain. Using Group Policy, you can quickly improve the security of a large number of computers and control which applications are allowed to communicate on the network. ■ Windows Firewall logging identifies connections that Windows Firewall allows or blocks.

This information is very useful when troubleshooting a connectivity problem that might be caused by Windows Firewall.

■ If an application must accept incoming connections but the developers have not documented the communication ports that the application uses, you can use the Netstat tool to identify which ports the application listens on. With this information, you can then create Port firewall rules.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 1, “Configuring Windows Firewall.” The questions are also available on the companion CD if you prefer to review them in electronic form.

Note answers

Answers to these questions and explanations of why each answer choice is correct or incorrect are located in the “Answers” section at the end of the book.

1. You need to install an internally developed automation tool on a computer running Windows Server 2008 R2. The tool acts as a network client and needs to connect to a server on your intranet using TCP port 88 and to a server on the Internet using TCP port 290. Additionally, a client component you install on your workstation running Windows 7 will connect to the computer running Windows Server 2008 R2 using TCP port 39. Windows Firewall is currently configured with the default settings on both computers. Which of the following changes do you need to make to allow the applica- tion to work?

A. On the computer running Windows Server 2008 R2, add a firewall rule to allow outbound connections on TCP port 290.

B. On the computer running Windows Server 2008 R2, add a firewall rule to allow inbound connections on TCP port 39.

C. On the computer running Windows Server 2008 R2, add a firewall rule to allow inbound connections on TCP port 290.

D. On your workstation, add a firewall rule to allow outbound connections on TCP port 39. 2. You have recently installed an internal server application on a computer running Windows

Server 2008 R2 that accepts incoming connections on TCP port 1036. The application does not include any access control capability. How can you configure the inbound firewall rule properties to allow connections only from authorized users in your domain? (Choose all that apply. Each answer forms part of the complete solution.)

A. On the General tab, click Allow Only Secure Connections.

B. On the Advanced tab, click These Profiles, and then select Domain.

C. On the Users And Computers tab, select Only Allow Connections From These Users. Then, add the Domain Users group.

D. On the Scope tab, in the Local IP Address group, select These IP Addresses. Then, add each of your internal networks.

3. You need to use Group Policy settings to configure firewall settings on your client com- puters running Windows XP and Windows 7. You would like to configure firewall rules using only the Windows Firewall node rather than the Windows Firewall With Advanced Security node. Which of the following features are not available when using the Windows Firewall node in Group Policy settings?

A. Filtering UDP traffic

B. Allowing a specific executable to accept incoming connections on any port number C. Dropping connections not originating from a specific subnet

D. Requiring IPsec authentication for a connection

Lesson 2: configuring network access protection