Hardening the Network Infrastructure

Once you’ve reduced the ability of unauthorized users to log on to your Windows computers, the next step is to harden the other access methods. Computers communicate with other devices and computers on a network by sending messages to a destination port address. The combination of a protocol, a host name or address, and a port number identifies the intended target for a message. For example, assume a Transmission Control Protocol (TCP) message travels to www.myserver.com at port 80. Port 80 is the commonly used port for web traffic, so it is likely that a web server is running on the host at the address www.myserver.com. If this host is a web server, then you would want to accept TCP traffic on port 80. If you didn’t accept that traffic, your web server would never receive any web requests and essentially wouldn’t be able to do its job.

Identify all of the network server and client services that require access to ports. In the previous example, you know that the web server needs port 80 to be open. If other services are running on the same computer, investigate which ports each service needs. Once you know what your computer needs in order to operate, modify your firewall settings to open those ports. Depending on which ports you need, you may find that they’re already open. Close all other ports. If a specific server computer does not run a web server, it generally doesn’t need port 80 open. The SCT tools and baselines help you define firewall rules that correspond to server roles and to the services required to support those roles. You can customize your firewall rules to fine-tune your network infrastructure security for Windows server computers.

In legacy versions of Windows, you would make firewall changes directly in the Windows Firewall maintenance utility. Starting with Windows 7 and Windows Server 2008, you can maintain firewall rules in two different ways. One way is to use the Windows Firewall with Advanced Security maintenance utility. Alternatively, you can use the Local Group Policy Editor to manage firewall settings. Using Group Policy to manage your firewall makes maintenance easier: create one or more Group Policy Objects (GPOs) for firewall settings in AD and apply them to groups of computers without having to edit each computer individually. FIGURES 11-6 and 11-7 show the Windows Firewall with Advanced Security utility and the editing of firewall settings in the Group Policy Management Editor.

FIGURE 11-6
Windows Firewall with Advanced Security. (Screenshot of the Windows Defender Firewall with Advanced Security window; courtesy of Microsoft Corporation.)

FIGURE 11-7
Group Policy Management Editor—Windows Firewall with Advanced Security. (Screenshot of the Local Group Policy Editor window; courtesy of Microsoft Corporation.)

Regardless of the method you use to edit firewall settings, close all ports and disallow all connections except for those ports and applications you need. Fewer entry points to your computers make them more secure.
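The role-based procedure above (identify the ports a server role needs, open only those, close everything else) can be scripted with the built-in NetSecurity cmdlets. This is an added example, not code from the text or from Microsoft; it assumes a web server whose only required inbound service is HTTP on TCP 80 and a local, elevated PowerShell session on Windows 8 / Server 2012 or later.

```powershell
# Constructed example: role-based inbound firewall rules for a web server.
# Assumption: the only required service is HTTP on TCP 80, as in the text.
# Add entries to $RequiredPorts for other roles (e.g. RDP, SQL) as needed.
$RequiredPorts = @(
    @{ Name = 'Role-Web-HTTP'; Protocol = 'TCP'; Port = 80 }
)

# 1. Audit: which TCP ports is this computer actually listening on?
#    Anything listed here but absent from the role definition is a service
#    to investigate (and probably disable) rather than silently expose.
$Listening  = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
$Unexpected = $Listening | Where-Object { $_ -notin $RequiredPorts.Port }
if ($Unexpected) {
    Write-Warning "Listening ports not in the role definition: $($Unexpected -join ', ')"
}

# 2. Default-deny inbound on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Explicit allow rules for the required ports only. The existence check
#    makes the script safe to re-run without creating duplicate rules.
foreach ($p in $RequiredPorts) {
    if (-not (Get-NetFirewallRule -DisplayName $p.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $p.Name -Direction Inbound `
            -Protocol $p.Protocol -LocalPort $p.Port -Action Allow `
            -Profile Domain, Private -Group 'Server Role Rules'
    }
}

# 4. Verify: every enabled inbound allow rule and the ports it opens.
#    Review this list against the role definition before signing off.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; Port = $pf.LocalPort }
    } | Format-Table -AutoSize
```

To manage the same rules centrally, as the text recommends, add `-PolicyStore 'yourdomain\Server Firewall Baseline'` (a hypothetical GPO name) to the New-NetFirewallRule and Set-NetFirewallProfile calls so the rules are written into the GPO rather than the local policy.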
