The Windows Vista firewall has a distinctive configuration model.

I. Two interfaces serve different needs
The Vista firewall has two independent graphical configuration interfaces. The basic configuration interface is reached through the Security Center or the Control Panel; the advanced configuration interface is added as a snap-in to a custom MMC console. This keeps novice users from making unintentional changes that break connectivity, while giving advanced users a way to fine-tune firewall settings and control both inbound and outbound traffic. Users can also configure the Vista firewall from the command line with the commands in the netsh advfirewall context, script that configuration so it is applied automatically to a group of computers, or control the firewall through Group Policy.
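As an added example that is not part of the original article, the following batch script applies the posture described above (firewall on, inbound blocked, outbound allowed) to all three profiles with netsh advfirewall and then displays the result. It assumes an elevated command prompt; the log file path is a placeholder.

```batch
@echo off
rem Added example (not from the original article): set the Vista firewall
rem profiles from the command line with "netsh advfirewall".
rem Assumes an elevated command prompt on Windows Vista or later.

rem Make sure the firewall is on for the domain, private and public profiles.
netsh advfirewall set allprofiles state on

rem Keep the default posture the article describes: block unsolicited
rem inbound traffic, allow outbound connections.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem On the public profile (hotspots) ignore all allow rules: even a rule
rem that permits a program will not open it up on an untrusted network.
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound

rem Log dropped packets so blocked connections can be reviewed later
rem (the file path is a placeholder; adjust as needed).
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename %SystemRoot%\system32\LogFiles\Firewall\pfirewall.log

rem Verify the resulting state of all three profiles.
netsh advfirewall show allprofiles
```

Running the same script through a logon script or Group Policy startup script applies one consistent configuration to a group of computers.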
II. Secure by default
The Windows Firewall in Vista is configured to be secure by default while remaining easy to use. By default, most inbound traffic is blocked and outbound connections are allowed. The Vista firewall works together with Vista's new Windows Service Hardening feature: if the firewall detects behavior that the Windows Service Hardening network rules prohibit, it blocks that behavior. The firewall also fully supports a pure IPv6 network environment.
III. Basic configuration options
Through the basic configuration interface, users can turn the firewall on or off, or set it to block all programs entirely. They can also allow exceptions (specifying which programs, services or ports are not blocked) and set the scope of each exception: whether it applies to traffic from all computers (including computers on the Internet), only to computers on the local LAN/subnet, or only to computers with specified IP addresses or subnets. Users can also choose which connections the firewall protects, and configure security logging and ICMP settings.
IV. ICMP message blocking
By default, inbound ICMP echo requests pass through the firewall and all other ICMP messages are blocked. The reason is that the ping tool, which sends echo request messages, is routinely used for troubleshooting. However, a hacker can also send echo request messages to locate a target host. Users can block echo request messages through the Advanced tab of the basic configuration interface.
V. Multiple firewall profiles
The Windows Firewall with Advanced Security MMC snap-in lets users create multiple firewall profiles on a computer, so that different firewall configurations can be used in different environments. This is especially useful for portable computers: for example, a user connected to a public wireless hotspot may need a more restrictive configuration than when connected to a home network. Users can create up to three firewall profiles: one for connecting to a Windows domain, one for connecting to a private network, and one for connecting to a public network.
VI. IPsec function
Through the advanced configuration interface, users can customize IPsec settings: specify the security methods used for encryption and integrity, decide whether the key lifetime is measured by time or by number of sessions, and select the Diffie-Hellman key exchange group to use. By default, data encryption for an IPsec connection is disabled, but it can be enabled and the algorithms used for data encryption and integrity can be selected.
VII. Security rules
With a wizard, users can step through creating security rules that control how and when a secure connection is established between individual computers or groups of computers. Rules can also restrict connections based on criteria such as domain membership or health status, while exempting specified computers from the connection authentication requirement. Users can also create rules that require authentication between two specific computers (server-to-server), or tunnel rules that authenticate the connection between gateways.
VIII. Custom authentication rules
When creating a custom authentication rule, you must specify a single computer or a group of computers (by IP address or address range) as the connection endpoints. The rule can request or require authentication for inbound connections, outbound connections, or both.
IX. Inbound and outbound rules
Users can create inbound and outbound rules that block or allow connections for specific programs or ports, either from predefined rules or as custom rules; the New Rule Wizard steps through the creation of a rule. A rule can apply to a group of programs, ports or services, to all programs, or to one specific program. A rule can block all of a program's connections, allow all of them, or allow only secure connections, optionally requiring encryption to protect the data sent over the connection. Inbound and outbound rules can also be configured by source and destination IP address and by source and destination TCP and UDP port.
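As an added example that is not from the original article, the following batch script creates rules of the kinds described in sections IV and IX with netsh advfirewall: the ICMP echo block, a subnet-scoped inbound port rule, an outbound program block, and an inbound rule that admits only IPsec-secured connections. The rule names, the program path, the port choices and the backup file path are assumed placeholders; the script needs an elevated command prompt.

```batch
@echo off
rem Added example (not from the original article): firewall rules created
rem with "netsh advfirewall firewall add rule". Names, paths and ports
rem below are placeholders chosen for illustration.

rem Back up the current policy first so every change below can be rolled back.
netsh advfirewall export "%USERPROFILE%\firewall-before.wfw"

rem 1. ICMP (section IV): block inbound ICMPv4 echo requests (type 8) so the
rem    host no longer answers ping; other ICMP types stay blocked by default.
netsh advfirewall firewall add rule name="Block inbound ICMPv4 echo" dir=in action=block protocol=icmpv4:8,any

rem 2. Inbound port rule scoped to the local subnet and to the domain and
rem    private profiles only, so the port is not opened on public networks.
netsh advfirewall firewall add rule name="RDP from local subnet" dir=in action=allow protocol=TCP localport=3389 remoteip=localsubnet profile=domain,private

rem 3. Outbound program rule: stop one specific executable from connecting out.
netsh advfirewall firewall add rule name="Block example app outbound" dir=out action=block program="C:\Program Files\ExampleApp\app.exe"

rem 4. "Allow only secure connections": inbound SMB is accepted only when the
rem    connection is authenticated and encrypted by IPsec (security=authenc).
netsh advfirewall firewall add rule name="SMB secure only" dir=in action=allow protocol=TCP localport=445 security=authenc

rem Review the rule set; uncomment the import line to restore the backup.
netsh advfirewall firewall show rule name=all
rem netsh advfirewall import "%USERPROFILE%\firewall-before.wfw"
```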
X. Active Directory-based rules
Users can create rules that block or allow connections based on Active Directory user, computer or group accounts, as long as the connection is protected by IPsec with Kerberos v5 authentication (which carries the Active Directory account information). Users can also enforce Network Access Protection (NAP) policies using Windows Firewall with Advanced Security.
Windows Meeting Space (WMS) is a new program built into Windows Vista that allows up to 10 collaborators to share desktops, files and presentations, and to send personal messages to each other over the network.
