deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updating content

Browse Source
This commit is contained in:
Brian Lich 2016-05-27 11:40:00 -07:00
parent 955d5a8cbb
commit f268382871
5 changed files with 154 additions and 435 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/keep-secure/TOC.md
View File

@ -430,8 +430,8 @@
#### [Configure Windows Defender in Windows 10](configure-windows-defender-in-windows-10.md)
#### [Troubleshoot Windows Defender in Windows 10](troubleshoot-windows-defender-in-windows-10.md)
### [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
#### [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md)
#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md)
#### [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md)
#### [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md)
#### [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
#### [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md)
##### [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)

184
windows/keep-secure/isolating-windows-store-apps-on-your-network.md → windows/keep-secure/isolating-apps-on-your-network.md
View File

@ -1,18 +1,24 @@
---
title: Isolating Windows Store Apps on Your Network (Windows 10)
description: Isolating Windows Store Apps on Your Network
ms.assetid: fee4cf1b-6dee-4911-a426-f678a70f4c6f
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Isolating Windows Store Apps on Your Network
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
When you add new computers and devices that are running Windows 8 to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a computer running Windows 8, appropriate firewall rules are automatically created to enable access. Administrators can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the computer, and the network. In addition, apps can be isolated and protected from malicious access from the network.
The ability to set and enforce these network boundaries ensures that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact on other apps, the device, and the network. In addition, apps can be isolated and protected from malicious access from the network.
When creating new Windows Store apps, a developer can define the following network capabilities for their app:
@ -30,52 +36,46 @@ When creating new Windows Store apps, a developer can define the following netwo
- **Proximity**
Provides near-field communication (NFC) with devices that are in close proximity to the computer. Proximity may be used to send files or connect with an application on a proximate device.
Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device.
**In this document**
**In this topic**
To isolate Windows Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Windows Store app firewall rules.
- [Prerequisites](#bkmk-prereq)
- [Prerequisites](#prerequisites)
- [Step 1: Define your network](#bkmk-step1)
- [Step 1: Define your network](#step-1-Define-your-network)
- [Step 2: Create custom firewall rules](#bkmk-step2)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
## Prerequisites
- A domain controller is installed on your network, and your devices are joined to the Windows domain.
- A domain controller is installed on your network, and your computers are joined to the Windows domain.
- Your Windows Store app is installed on the client device.
- Your Windows Store app is installed on your client computer.
- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules.
- The Remote Server Administration Tools (RSAT) are installed on your client computer. When you perform the following steps from your client computer, you can select your Windows Store app when you create Windows Firewall rules.
**Note**  
You can install the RSAT on your computer running Windows 8 from the [Microsoft Download Center](http://go.microsoft.com/fwlink/p/?LinkID=238560).
>**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 
## <a href="" id="bkmk-step1"></a>Step 1: Define your network
## Step 1: Define your network
The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Windows Store apps can access intranet resources appropriately.
The Windows Store Internet Explorer app that is included with Windows 8 uses the network capabilities to detect which zone it should use. The browser uses the network capabilities to ensure that it operates in the correct security zone.
A network endpoint is considered part of the **Home\\Work Network** if:
- It is part of the local subnet of a trusted network.
For example, home users generally flag their network as Trusted. Local computers will be designated as such.
For example, home users generally flag their network as Trusted. Local devices will be designated as such.
- A computer is on a network, and it is authenticated to a domain controller.
- A device is on a network, and it is authenticated to a domain controller.
- Endpoints within the intranet address space are considered private.
- Endpoints within the local subnet are considered private.
- The computer is configured for DirectAccess, and the endpoint is part of the intranet address space.
- The device is configured for DirectAccess, and the endpoint is part of the intranet address space.
The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative.
@ -109,113 +109,32 @@ All other endpoints that do not meet the previously stated criteria are consider
If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics.
## <a href="" id="bkmk-step2"></a>Step 2: Create custom firewall rules
## Step 2: Create custom firewall rules
Windows Store apps can declare many capabilities in addition to the network capabilities discussed previously. For example, apps can declare capabilities to access user identity, the local file system, and certain hardware devices.
The following table provides a complete list of the possible app capabilities.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Capability</th>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Internet (Client)</strong></p></td>
<td><p>internetClient</p></td>
<td><p>Your outgoing Internet connection.</p></td>
</tr>
<tr class="even">
<td><p><strong>Internet (Client &amp; Server)</strong></p></td>
<td><p>internetClientServer</p></td>
<td><p>Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your computer through a firewall. You do not need to declare <strong>internetClient</strong> if this capability is declared.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Home\Work Networking</strong></p></td>
<td><p>privateNetworkClientServer</p></td>
<td><p>A home or work network. The app can send information to or from your computer and other computers on the same network.</p></td>
</tr>
<tr class="even">
<td><p><strong>Document Library Access</strong></p></td>
<td><p>documentsLibrary</p></td>
<td><p>Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest. The app cannot access document libraries on HomeGroup computers.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Picture Library Access</strong></p></td>
<td><p>picturesLibrary</p></td>
<td><p>Your Pictures library, including the capability to add, change, or delete files. This capability also includes Picture libraries on HomeGroup computers and picture file types on locally connected media servers.</p></td>
</tr>
<tr class="even">
<td><p><strong>Video Library Access</strong></p></td>
<td><p>videosLibrary</p></td>
<td><p>Your Videos library, including the capability to add, change, or delete files. This capability also includes Video libraries on HomeGroup computers and video file types on locally connected media servers.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Music Library Access</strong></p></td>
<td><p>musicLibrary</p></td>
<td><p>Your Music library, including the capability to add, change, or delete files. This capability also includes Music libraries on HomeGroup computers and music file types on locally connected media servers.</p></td>
</tr>
<tr class="even">
<td><p><strong>Default Windows Credentials</strong></p></td>
<td><p>defaultWindowsCredentials</p></td>
<td><p>Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Removable Storage</strong></p></td>
<td><p>removableStorage</p></td>
<td><p>A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.</p></td>
</tr>
<tr class="even">
<td><p><strong>Shared User Certificates</strong></p></td>
<td><p>sharedUserCertificates</p></td>
<td><p>Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Location</strong></p></td>
<td><p>location</p></td>
<td><p>Provides access to the user's current location.</p></td>
</tr>
<tr class="even">
<td><p><strong>Microphone</strong></p></td>
<td><p>microphone</p></td>
<td><p>Provides access to the microphone's audio feed.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Near-field Proximity</strong></p></td>
<td><p>proximity</p></td>
<td><p>Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.</p></td>
</tr>
<tr class="even">
<td><p><strong>Text Messaging</strong></p></td>
<td><p>sms</p></td>
<td><p>Provides access to computer text messaging functionality.</p></td>
</tr>
<tr class="odd">
<td><p><strong>Webcam</strong></p></td>
<td><p>webcam</p></td>
<td><p>Provides access to the webcam's video feed.</p></td>
</tr>
<tr class="even">
<td><p><strong>Other devices (represented by GUIDs)</strong></p></td>
<td><p>&lt;GUID&gt;</p></td>
<td><p>Includes specialized devices and Windows Portable Devices.</p></td>
</tr>
</tbody>
</table>
| Capability | Name | Description |
| - | - | - |
| **Internet (Client)** | internetClient | Your outgoing Internet connection.|
| **Internet (Client &amp; Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared.
| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.|
| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.|
| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.|
| **Video Library Access**| videosLibrary| Your Videos library, including the capability to add, change, or delete files.|
| **Music Library Access**| musicLibrary|Your Music library, including the capability to add, change, or delete files.|
| **Default Windows Credentials**| defaultWindowsCredentials| Your Windows credentials for access to a corporate intranet. This application can impersonate you on the network.|
| **Removable Storage** | removableStorage| A removable storage device, such as an external hard disk, USB flash drive, or MTP portable device, including the capability to add, change, or delete specific files. This package can only access file types that are declared in the manifest.|
| **Shared User Certificates**| sharedUserCertificates| Software and hardware certificates or a smart card, which the app uses to identify you. This capability can be used by an employer, a bank, or government services to identify you.|
| **Location**| location| Provides access to the user's current location.|
| **Microphone** | microphone| Provides access to the microphone's audio feed.|
| **Near-field Proximity** | proximity| Required for near-field communication (NFC) between devices in close proximity. NFC can be used to send files or connect with an app on a proximate device.|
| **Text Messaging** | sms| Provides access to text messaging functionality.|
| **Webcam** | webcam| Provides access to the webcam's video feed.|
| **Other devices (represented by GUIDs)** | &lt;GUID&gt;| Includes specialized devices and Windows Portable Devices.|
 
In Windows Server 2012, it is possible to create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app.
You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app.
For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
@ -255,16 +174,13 @@ For example, you could create a Windows Firewall policy to block Internet access
17. Click **Predefined set of computers**, select **Internet**, and click **OK**.
This scopes the rule to block traffic to Internet computers.
This scopes the rule to block traffic to Internet devices.
18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**.
19. Click **Apply to application packages only**, and then click **OK**.
**Important**  
You must do this to ensure that the rule applies only to Windows Store apps and not to other applications and programs. Non-Windows Store applications and programs declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
 
>**Important:**  You must do this to ensure that the rule applies only to Windows Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
20. Click **OK** to close the **Properties** dialog box.
@ -328,16 +244,6 @@ Use the following procedure if you want to block intranet access for a specific
23. Close Group Policy Management.
## <a href="" id="bkmk-links"></a>See also
## See also
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)
 
 

80
windows/keep-secure/securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md
View File

@ -1,18 +1,22 @@
---
title: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012 (Windows 10)
description: Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
ms.assetid: 290d61e6-ec8c-48b9-8dcd-d0df6df24181
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012
# Securing End-to-End IPsec connections by using IKEv2
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
In Windows Server 2012, Internet Key Exchange version 2 (IKEv2) support is broadened from previous Windows versions.
IKEv2 offers the following:
For example, in Windows Server 2012, IKEv2 does the following:
- Supports additional scenarios, including IPsec end-to-end transport mode connections
- Supports IPsec end-to-end transport mode connections
- Provides interoperability for Windows with other operating systems that use IKEv2 for end-to-end security
@ -24,30 +28,25 @@ For example, in Windows Server 2012, IKEv2 does the following:
- Uses certificates for the authentication mechanism
In Windows Server 2008 R2, IKEv2 is available as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection.
You can use IKEv2 as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection.
**In this document**
- [Prerequisites](#bkmk-prereqs)
- [Prerequisites](#prerequisites)
- [Computers joined to a domain](#bkmk-step1)
- [Devices joined to a domain](#devices-joined-to-a-domain)
- [Computers not joined to a domain](#bkmk-step2)
- [Device not joined to a domain](#devices-not-joined-to-a-domain)
- [Troubleshooting](#bkmk-troubleshooting)
- [Troubleshooting](#troubleshooting)
**Note**  
This topic includes sample Windows PowerShell cmdlets. For more information, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693).
 
>**Note:**  This topic includes sample Windows PowerShell cmdlets. For more info, see [How to Run a Windows PowerShell Cmdlet](http://go.microsoft.com/fwlink/p/?linkid=230693).
## Prerequisites
These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication.
These procedures assume that you already have a public key infrastructure (PKI) in place for computer authentication.
## <a href="" id="bkmk-step1"></a>Computers joined to a domain
## Devices joined to a domain
The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
@ -65,10 +64,7 @@ This script does the following:
- Indicates the certificate to use for authentication.
**Important**  
The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
 
>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
@ -106,15 +102,11 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet
-InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame
```
## <a href="" id="bkmk-step2"></a>Computers not joined to a domain
## Devices not joined to a domain
Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection.
Use a Windows PowerShell script similar to the following to create a local IPsec policy on the computers that you want to include in the secure connection.
**Important**  
The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
 
>**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands**
@ -132,23 +124,18 @@ New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet
Make sure that you install the required certificates on the participating computers.
**Note**  
- For local computers, you can import the certificates manually if you have administrator access to the computer. For more information, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
- You need a root certificate and a computer certificate on all computers that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
- For remote computers, you can create a secure website to facilitate access to the script and certificates.
 
## <a href="" id="bkmk-troubleshooting"></a>Troubleshooting
>**Note:**  
- For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](http://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
- You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
- For remote devices, you can create a secure website to facilitate access to the script and certificates.
## Troubleshooting
Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.**
1. On the **Start** screen, type **wf.msc**, and then press ENTER.
1. Open the Windows Firewall with Advanced Security console.
2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
@ -179,19 +166,18 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
``` syntax
<item><error>ERROR_IPSEC_IKE_NO_CERT</error>
<frequency>32</frequency>
<item>
<error>ERROR_IPSEC_IKE_NO_CERT</error>
<frequency>32</frequency>
</item>
```
In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error.
You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues.
## <a href="" id="bkmk-links"></a>See also
## See also
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)
- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 

174
windows/keep-secure/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
View File

@ -1,21 +1,22 @@
---
title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10)
description: Windows Firewall with Advanced Security Administration with Windows PowerShell
ms.assetid: 3e1e53af-015e-427d-a027-c2e8ceee799d
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Windows Firewall with Advanced Security Administration with Windows PowerShell
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management in Windows Server 2012. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows.
The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows.
In Windows Server 2012 and Windows 8, administrators can use Windows PowerShell to manage their firewall and IPsec deployments. This object-oriented scripting environment will make it easier for administrators to manage policies and monitor network conditions than was possible in Netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in Netsh and how you can use Windows PowerShell to accomplish them.
**Important**  
The netsh commands for Windows Firewall with Advanced Security have not changed since the previous operating system version. The netsh commands for Windows Firewall with Advanced Security in Windows Server 2012 are identical to the commands that are provided in Windows Server 2008 R2.
 
You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them.
In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security.
@ -25,88 +26,30 @@ Windows PowerShell and netsh command references are at the following locations.
## Scope
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more information about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#bkmk-additionalresources) section of this guide.
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide.
## Audience and user requirements
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
## System requirements
## In this topic
To run the scripts and scriptlets in this guide, install and configure your system as follows:
- Windows Server 2012
- Windows PowerShell 3.0 (included in Windows Server 2012)
- Windows NetSecurity Module for Windows PowerShell (included in Windows Server 2012)
- Windows PowerShell ISE (optional feature in Windows PowerShell 3.0, which is installed by using Server Manager)
**Note**  
In Windows PowerShell 3.0, modules are imported automatically when you get or use any cmdlet in the module. You can still use the **Import-Module** cmdlet to import a module.
Use **Import-Module** if you are using Windows PowerShell 2.0, or if you need to use a feature of the module before you use any of its cmdlets. For more information, see [Import-Module](http://go.microsoft.com/fwlink/p/?linkid=141553).
Use **Import-PSSnapIn** to use cmdlets in a Windows PowerShell snap-in, regardless of the version of Windows PowerShell that you are running.
 
## In this guide
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Topic</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>[Set profile global defaults](#bkmk-profileglobaldefaults)</p></td>
<td><p>Enable and control firewall behavior</p></td>
</tr>
<tr class="even">
<td><p>[Deploy basic firewall rules](#bkmk-deploying)</p></td>
<td><p>How to create, modify, and delete firewall rules</p></td>
</tr>
<tr class="odd">
<td><p>[Manage Remotely](#bkmk-remote)</p></td>
<td><p>Remote management by using <code>-CimSession</code></p></td>
</tr>
<tr class="even">
<td><p>[Deploy basic IPsec rule settings](#bkmk-deployingipsec)</p></td>
<td><p>IPsec rules and associated parameters</p></td>
</tr>
<tr class="odd">
<td><p>[Deploy secure firewall rules with IPsec](#bkmk-deploysecurerules)</p></td>
<td><p>Domain and server isolation</p></td>
</tr>
<tr class="even">
<td><p>[Additional resources](#bkmk-additionalresources)</p></td>
<td><p>More information about Windows PowerShell</p></td>
</tr>
</tbody>
</table>
 
| Section | Description |
| - | - |
| [Set profile global defaults](#set-profile-global-defaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation|
| [Additional resources](#additional-resources) | More information about Windows PowerShell|
## <a href="" id="bkmk-profileglobaldefaults"></a>Set profile global defaults
Global defaults set the system behavior in a per profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles.
Global defaults set the device behavior in a per-profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles.
### Enable Windows Firewall
Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the computer. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain computer:
Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain device:
**Netsh**
@ -114,9 +57,7 @@ Windows Firewall drops traffic that does not correspond to allowed unsolicited t
netsh advfirewall set allprofiles state on
```
Windows PowerShell
The following Windows PowerShell cmdlet or cmdlets perform the same function as the preceding procedure. Enter each cmdlet on a single line, even though they may appear word-wrapped across several lines here because of formatting constraints.
**Windows PowerShell**
``` syntax
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
@ -124,7 +65,7 @@ Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
### Control firewall behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security MMC snap-in.
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console.
The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
@ -141,11 +82,9 @@ Windows PowerShell
``` syntax
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow NotifyOnListen True -AllowUnicastResponseToMulticast True LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
## <a href="" id="bkmk-deploying"></a>Deploy basic firewall rules
## Deploy basic firewall rules
This section provides scriptlet examples for creating, modifying, and deleting firewall rules.
@ -153,7 +92,7 @@ This section provides scriptlet examples for creating, modifying, and deleting f
Adding a firewall rule in Windows PowerShell looks a lot like it did in Netsh, but the parameters and values are specified differently.
Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local computer, and it becomes effective immediately.
Here is an example of how to allow the Telnet application to listen on the network. This firewall rule is scoped to the local subnet by using a keyword instead of an IP address. Just like in Netsh, the rule is created on the local device, and it becomes effective immediately.
**Netsh**
@ -202,7 +141,7 @@ Note that this does not batch your individual changes, it loads and saves the en
### Modify an existing firewall rule
When a rule is created, Netsh and Windows PowerShell allow the administrator to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter).
When a rule is created, Netsh and Windows PowerShell allow you to change rule properties and influence, but the rule maintains its unique identifier (in Windows PowerShell this is specified with the *-Name* parameter).
For example, you could have a rule **Allow Web 80** that enables TCP port 80 for inbound unsolicited traffic. You can change the rule to match a different remote IP address of a Web server whose traffic will be allowed by specifying the human-readable, localized name of the rule.
@ -287,7 +226,7 @@ Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -V
### Delete a firewall rule
Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the system.
Rule objects can be disabled so that they are no longer active. In Windows PowerShell, the **Disable-NetFirewallRule** cmdlet will leave the rule on the system, but put it in a disabled state so the rule no longer is applied and impacts traffic. A disabled firewall rule can be re-enabled by **Enable-NetFirewallRule**. This is different from the **Remove-NetFirewallRule**, which permanently removes the rule definition from the device.
The following cmdlet deletes the specified existing firewall rule from the local policy store.
@ -303,7 +242,7 @@ Windows PowerShell
Remove-NetFirewallRule DisplayName “Allow Web 80”
```
Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the system.
Like with other cmdlets, you can also query for rules to be removed. Here, all blocking firewall rules are deleted from the device.
Windows PowerShell
@ -311,7 +250,7 @@ Windows PowerShell
Remove-NetFirewallRule Action Block
```
Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how the administrator can view all the blocking firewall rules, and then delete the first four rules.
Note that it may be safer to query the rules with the **Get** command and save it in a variable, observe the rules to be affected, then pipe them to the **Remove** command, just as we did for the **Set** commands. The following example shows how you can view all the blocking firewall rules, and then delete the first four rules.
Windows PowerShell
@ -321,34 +260,32 @@ $x
$x[0-3] | Remove-NetFirewallRule
```
## <a href="" id="bkmk-remote"></a>Manage remotely
## Manage remotely
Remote management using WinRM is enabled by default. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default.
Remote management using WinRM is enabled by default on Windows Server 2012. The cmdlets that support the *CimSession* parameter use WinRM and can be managed remotely by default. This is important because the default and recommended installation mode for Windows Server 2012 is Server Core which does not include a graphical user interface.
The following example returns all firewall rules of the persistent store on a computer named **RemoteComputer**.
The following example returns all firewall rules of the persistent store on a device named **RemoteDevice**.
Windows PowerShell
``` syntax
Get-NetFirewallRule CimSession RemoteComputer
Get-NetFirewallRule CimSession RemoteDevice
```
We can perform any modifications or view rules on remote computers by simply using the *CimSession* parameter. Here we remove a specific firewall rule from a remote computer.
We can perform any modifications or view rules on remote devices by simply using the *CimSession* parameter. Here we remove a specific firewall rule from a remote device.
Windows PowerShell
``` syntax
$RemoteSession = New-CimSession ComputerName RemoteComputer
$RemoteSession = New-CimSession ComputerName RemoteDevice
Remove-NetFirewallRule DisplayName “AllowWeb80” CimSession $RemoteSession -Confirm
```
## <a href="" id="bkmk-deployingipsec"></a>Deploy basic IPsec rule settings
## Deploy basic IPsec rule settings
An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. For more information about IPsec, see [Windows Firewall with Advanced Security Learning Roadmap](http://technet.microsoft.com/library/dd772715(WS.10).aspx).
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security MMC snap-in. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
@ -356,7 +293,7 @@ In Netsh, the authentication and cryptographic sets were specified as a list of
### Create IPsec rules
The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the MMC snap-in under Customize IPsec Defaults.
The following cmdlet creates basic IPsec transport mode rule in a Group Policy Object. An IPsec rule is simple to create; all that is required is the display name, and the remaining properties use default values. Inbound traffic is authenticated and integrity checked using the default quick mode and main mode settings. These default settings can be found in the console under Customize IPsec Defaults.
**Netsh**
@ -408,7 +345,7 @@ Windows PowerShell
New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 RemoteAddress $nonWindowsGateway
```
For more information about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md).
For more info about IKEv2, including scenarios, see [Securing End-to-End IPsec Connections by Using IKEv2](securing-end-to-end-ipsec-connections-by-using-ikev2.md).
### Copy an IPsec rule from one policy to another
@ -428,8 +365,6 @@ $Rule | Copy-NetPhase1AuthSet NewPolicyStore domain.costoso.com\new_gpo_name
### Handling Windows PowerShell errors
****
To handle errors in your Windows PowerShell scripts, you can use the *ErrorAction* parameter. This is especially useful with the **Remove** cmdlets. If you want to remove a particular rule, you will notice that it fails if the rule is not found. When removing rules, if the rule isnt already there, it is generally acceptable to ignore that error. In this case, you can do the following to suppress any “rule not found” errors during the remove operation.
Windows PowerShell
@ -488,7 +423,7 @@ Windows PowerShell
Show-NetIPsecRule PolicyStore ActiveStore
```
You can monitor main mode security associations for information such as which peers are currently connected to the computer and which protection suite is used to form the security associations.
You can monitor main mode security associations for information such as which peers are currently connected to the device and which protection suite is used to form the security associations.
Use the following cmdlet to view existing main mode rules and their security associations:
@ -520,9 +455,9 @@ It is important to note that the revealed sources do not contain a domain name.
### Deploy a basic domain isolation policy
IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain computer members positively establish the identities of the communicating computers to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object.
IPsec can be used to isolate domain members from non-domain members. Domain isolation uses IPsec authentication to require that the domain-joined devices positively establish the identities of the communicating devices to improve security of an organization. One or more features of IPsec can be used to secure traffic with an IPsec rule object.
To implement domain isolation on your network, the computers in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain member computers from computers that are non-domain members. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic.
To implement domain isolation on your network, the devices in the domain receive IPsec rules that block unsolicited inbound network traffic that is not protected by IPsec. Here we create an IPsec rule that requires authentication by domain members. Through this, you can isolate domain-joined devices from devices that are not joined to a domain. In the following examples, Kerberos authentication is required for inbound traffic and requested for outbound traffic.
**Netsh**
@ -535,15 +470,13 @@ Windows PowerShell
``` syntax
$kerbprop = New-NetIPsecAuthProposal Machine Kerberos
$Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop PolicyStore domain.contoso.com\domain_isolation
New-NetIPsecRule DisplayName “Basic Domain Isolation Policy” Profile Domain Phase1AuthSet $Phase1AuthSet.Name InboundSecurity Require OutboundSecurity Request PolicyStore domain.contoso.com\domain_isolation
```
### Configure IPsec tunnel mode
The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local computer (1.1.1.1) attached to a public network to a second computer through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3.
The following command creates an IPsec tunnel that routes traffic from a private network (192.168.0.0/16) through an interface on the local device (1.1.1.1) attached to a public network to a second device through its public interface (2.2.2.2) to another private network (192.157.0.0/16). All traffic through the tunnel is checked for integrity by using ESP/SHA1, and it is encrypted by using ESP/DES3.
**Netsh**
@ -559,8 +492,7 @@ $QMCryptoSet = New-NetIPsecQuickModeCryptoSet DisplayName “esp:sha1-des3”
New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name
```
## <a href="" id="bkmk-deploysecurerules"></a>Deploy secure firewall rules with IPsec
## Deploy secure firewall rules with IPsec
In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
@ -568,7 +500,7 @@ In situations where only secure traffic can be allowed through the Windows Firew
Configuring firewalls rule to allow connections if they are secure requires the corresponding traffic to be authenticated and integrity protected, and then optionally encrypted by IPsec.
The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote computer is authenticated by using a separate IPsec rule.
The following example creates a firewall rule that requires traffic to be authenticated. The command permits inbound Telnet network traffic only if the connection from the remote device is authenticated by using a separate IPsec rule.
**Netsh**
@ -605,15 +537,15 @@ New-NetIPSecRule -DisplayName “Authenticate Both Computer and User” -Inbound
### Isolate a server by requiring encryption and group membership
To improve the security of the computers in an organization, an administrator can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of computers within the enterprise domain.
To improve the security of the devices in an organization, you can deploy domain isolation in which domain-members are restricted. They require authentication when communicating among each other and reject non-authenticated inbound connections. To improve the security of servers with sensitive data, this data must be protected by allowing access only to a subset of devices within the enterprise domain.
IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and computers with legitimate business need, and the data is additionally encrypted to prevent eavesdropping.
IPsec can provide this additional layer of protection by isolating the server. In server isolation, sensitive data access is restricted to users and devices with legitimate business need, and the data is additionally encrypted to prevent eavesdropping.
### Create a firewall rule that requires group membership and encryption
To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or computers on the IPsec rule that enforces authentication.
To deploy server isolation, we layer a firewall rule that restricts traffic to authorized users or devices on the IPsec rule that enforces authentication.
The following firewall rule allows Telnet traffic from user accounts that are members of a custom group created by an administrator called “Authorized to Access Server.” This access can additionally be restricted based on the computer, user, or both by specifying the restriction parameters.
The following firewall rule allows Telnet traffic from user accounts that are members of a custom group called “Authorized to Access Server.” This access can additionally be restricted based on the device, user, or both by specifying the restriction parameters.
A Security Descriptor Definition Language (SDDL) string is created by extending a user or groups security identifier (SID). For more information about finding a groups SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID).
@ -670,9 +602,9 @@ Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGr
### Create firewall rules that allow IPsec-protected network traffic (authenticated bypass)
Authenticated bypass allows traffic from a specified trusted computer or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update computers without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx).
Authenticated bypass allows traffic from a specified trusted device or user to override firewall block rules. This is helpful when an administrator wants to use scanning servers to monitor and update devices without the need to use port-level exceptions. For more information, see [How to enable authenticated firewall bypass](http://technet.microsoft.com/library/cc753463(WS.10).aspx).
In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a computer or user account that is a member of the specified computer or user security group.
In this example, we assume that a blocking firewall rule exists. This example permits any network traffic on any port from any IP address to override the block rule, if the traffic is authenticated as originating from a device or user account that is a member of the specified device or user security group.
**Netsh**
@ -687,7 +619,7 @@ Windows PowerShell
New-NetFirewallRule DisplayName “Inbound Secure Bypass Rule" Direction Inbound Authentication Required OverrideBlockRules $true -RemoteMachine $secureMachineGroup RemoteUser $secureUserGroup PolicyStore domain.contoso.com\domain_isolation
```
## <a href="" id="bkmk-additionalresources"></a>Additional resources
## Additional resources
For more information about Windows PowerShell concepts, see the following topics.

147
windows/keep-secure/windows-firewall-with-advanced-security.md
View File

@ -1,147 +1,42 @@
---
title: Windows Firewall with Advanced Security Overview (Windows 10)
description: Windows Firewall with Advanced Security Overview
ms.assetid: 596d4c24-4984-4c14-b104-e2c4c7d0b108
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Windows Firewall with Advanced Security Overview
**Applies to**
- Windows 10
- Windows Server 2016 Technical Preview
This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features in Windows Server 2012.
This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
**Did you mean…**
## Feature description
- [Windows Firewall with Advanced Security in Windows Server 2008 R2](http://technet.microsoft.com/library/cc732283(WS.10).aspx)
Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your networks isolation strategy.
## <a href="" id="bkmk-over"></a>Feature description
Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a computer, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local computer. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the computer is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your networks isolation strategy.
## <a href="" id="bkmk-app"></a>Practical applications
## Practical applications
To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits:
- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a computer, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a computer increases manageability and decreases the likelihood of a successful attack. Network Access Protection (NAP), a feature of Windows Server 2012, also helps ensure client computers comply with policies that define the required software and system configurations for computers that connect to your network. The integration of NAP helps prevent communications between compliant and noncompliant computers.
- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with Windows Server 2012, and prior Windows operating systems and because it is tightly integrated with Active Directory® Domain Services (AD DS) and Group Policy, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
## <a href="" id="bkmk-new"></a>New and changed functionality
The following table lists some of the new features for Windows Firewall with Advanced Security in Windows Server 2012.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Feature/functionality</th>
<th>Windows Server 2008 R2</th>
<th>Windows Server 2012</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Internet Key Exchange version 2 (IKEv2) for IPsec transport mode</p></td>
<td><p></p></td>
<td><p>X</p></td>
</tr>
<tr class="even">
<td><p>Windows Store app network isolation</p></td>
<td><p></p></td>
<td><p>X</p></td>
</tr>
<tr class="odd">
<td><p>Windows PowerShell cmdlets for Windows Firewall</p></td>
<td><p></p></td>
<td><p>X</p></td>
</tr>
</tbody>
</table>
 
### <a href="" id="ikev2-for-ipsec-transport-mode-"></a>IKEv2 for IPsec transport mode
In Windows Server 2012, IKEv2 supports additional scenarios including IPsec end-to-end transport mode connections.
**What value does this change add?**
Windows Server 2012 IKEv2 support provides interoperability for Windows with other operating systems using IKEv2 for end-to-end security, and Supports Suite B (RFC 4869) requirements.
**What works differently?**
In Windows Server 2008 R2, IKEv2 is available as a virtual private network (VPN) tunneling protocol that supports automatic VPN reconnection. IKEv2 allows the security association to remain unchanged despite changes in the underlying connection.
In Windows Server 2012, IKEv2 support has been expanded.
### Windows Store app network isolation
Administrators can custom configure Windows Firewall to fine tune network access if they desire more control of their Windows Store apps.
**What value does this change add?**
The feature adds the ability to set and enforce network boundaries ensure that apps that get compromised can only access networks where they have been explicitly granted access. This significantly reduces the scope of their impact to other apps, the system, and the network. In addition, apps can be isolated and protected from malicious access from the network.
**What works differently?**
In addition to firewall rules that you can create for program and services, you can also create firewall rules for Windows Store apps and their various capabilities.
### Windows PowerShell cmdlets for Windows Firewall
Windows PowerShell has extensive cmdlets to allow Windows Firewall configuration and management.
**What value does this change add?**
You can now fully configure and manage Windows Firewall, IPsec, and related features using the very powerful and scriptable Windows PowerShell.
**What works differently?**
In previous Windows versions, you could use Netsh to perform many configuration and management functions. This capability has been greatly expanded using the more powerful Windows PowerShell scripting language.
## <a href="" id="bkmk-links"></a>See also
See the following topics for more information about Windows Firewall with Advanced Security in Windows Server 2012.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Content type</th>
<th>References</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p><strong>Deployment</strong></p></td>
<td><p>[Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2-in-windows-server-2012.md) | [Isolating Windows Store Apps on Your Network](isolating-windows-store-apps-on-your-network.md) | [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)</p></td>
</tr>
<tr class="even">
<td><p><strong>Troubleshooting</strong></p></td>
<td><p>[Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012](http://social.technet.microsoft.com/wiki/contents/articles/13894.troubleshooting-windows-firewall-with-advanced-security-in-windows-server-2012.aspx)</p></td>
</tr>
</tbody>
</table>
 
 
 
- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
## In this section
| Topic | Description
| - | - |
| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. |
| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. |
| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. |