An aside about WFAS Profiles

Let's take a quick minute and direct our attention to those three firewall profiles, so that we can discuss what they mean. You see, every time your Windows computer makes a connection to a network, and if your firewall is enabled, the firewall will flag that network for one of these three firewalling profiles. You have probably seen the pop-up window that often appears when connecting to a new network, asking you whether this is a home, work, or public network. Sometimes computers are configured not to ask you this, and then they typically just lump all new networks into the Public category. The service in Windows that handles this distinction between networks is called Network Location Awareness (NLA).

When you make this decision, what you are really doing is telling Windows Firewall how to handle this network. You will see that when we create setting configurations or rules for WFAS, we always have to specify which of these three firewall profiles we want our rules to apply toward:

  • Domain Profile: This is the firewall profile most often engaged when you are plugged into your corporate network. That is because any time that NLA can discover a Domain Controller for the domain to which your computer is joined, it will automatically assign the Domain firewall profile. In essence, you could treat the Domain Profile as your "inside the network" profile.
  • Private Profile: Whenever NLA does not discover a Domain Controller, it assigns the network either the Private or the Public profile. In the discovery box that is presented and asks you what kind of a network you are connecting to, if you choose either Home or Work you will then be assigned the Private Profile. The Work selection is a little bit confusing because you might think that would assign the Domain Profile, but it does not. Domain is only ever in effect if one of the Domain Controllers can be contacted by NLA. In general, people consider Private networks to be slightly more trusted (perhaps using fewer firewall rules) than Public networks.
  • Public Profile: If you chose Public from the list, or if you ignored the popup and didn't select anything at all like I usually do, then any new network that you plug into will default to falling into the Public Profile category. Typically, you want to consider the Public Profile to be the least secure kind of network, where you would want the most stringent firewall rules and regulations to apply.

When creating our new GPO that forces Windows Firewall to always be enabled, we had to configure that setting in three different screens because the three firewall profiles are handled separately. You could easily have a mix where you enabled the firewall whenever your connected network was Public or Private, but perhaps disabled the firewall when you are connected to your corporate LAN, where the Domain profile would then be engaged.

Firewall profiles are assigned to a particular NIC inside Windows, so it is definitely possible for a computer or server to be assigned multiple firewall profiles at the same time. If that server has multiple NICs installed, and they are connected to different networks (such as one on the internal network and the other inside a DMZ), you may find yourself with both the Domain and Public profiles being active at the same time. The WFAS rules defined for Domain would apply to traffic coming or going from the internal NIC, and WFAS rules defined for Public would be actively protecting the DMZ NIC.
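The following PowerShell audit is an added example, not taken from the book: it lists the profile NLA has assigned to each connected NIC, checks whether the firewall is actually enabled for that profile, and flags the mixed Domain-plus-Public situation just described. It assumes the built-in Get-NetConnectionProfile and Get-NetFirewallProfile cmdlets (Windows 8 / Server 2012 and later) and an elevated session.

```powershell
# Added example (not from the book): audit which WFAS profile each connected NIC
# has been assigned by NLA and confirm the firewall is enabled for that profile.
# Assumes the built-in NetConnection / NetSecurity cmdlets and an elevated session.

# NLA reports a NetworkCategory; map it onto the three WFAS profile names.
$categoryToProfile = @{
    'DomainAuthenticated' = 'Domain'
    'Private'             = 'Private'
    'Public'              = 'Public'
}

# Firewall on/off state per profile (Enabled can be True, False or NotConfigured;
# anything other than True is treated as "not enabled").
$profileEnabled = @{}
foreach ($p in Get-NetFirewallProfile) {
    $profileEnabled[$p.Name] = ([string]$p.Enabled -eq 'True')
}

# One row per connected interface: NIC, the network, the profile NLA chose,
# and whether the firewall is switched on for that profile.
$report = foreach ($conn in Get-NetConnectionProfile) {
    $profile = $categoryToProfile[[string]$conn.NetworkCategory]
    [pscustomobject]@{
        Interface       = $conn.InterfaceAlias
        Network         = $conn.Name
        Profile         = $profile
        FirewallEnabled = $profileEnabled[$profile]
    }
}

$report | Format-Table -AutoSize

# Risky case 1: a NIC sits on a profile whose firewall is turned off
# (for example, a GPO that disables the firewall for the Domain profile).
foreach ($row in ($report | Where-Object { -not $_.FirewallEnabled })) {
    Write-Warning "$($row.Interface) is on the $($row.Profile) profile, but the firewall is disabled for that profile."
}

# Risky case 2: a multi-NIC server with Domain and Public active at the same time,
# where the Public rule set is what stands between the DMZ-facing NIC and the outside.
$activeProfiles = @($report.Profile | Sort-Object -Unique)
if ($activeProfiles -contains 'Domain' -and $activeProfiles -contains 'Public') {
    Write-Warning 'Domain and Public profiles are both active; review the Public rule set protecting the DMZ-facing NIC.'
}
```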
