In this series on troubleshooting the Windows XP firewall, I have shown you several issues that can prevent your customers' firewalls from operating. In this final tip I introduce scopes, which can prevent a confirmed active Windows XP firewall rule from working. I also explain how to configure firewall rules for Microsoft Vista.
Scopes allow you to differentiate between a public network and a private network. The basic idea is that, while security is always important, there may be some ports that can be open if the computer is on a trusted, private network. However, these same ports should be closed while the system is connected to a public network.
Using the Windows XP firewall applet
The Windows XP implementation of the scope feature doesn't fully differentiate between public and private networks. In Windows XP, a private network is considered to be any computer that exists in the same subnet as the computer that you're configuring. This tends to be problematic, because when connecting to a public Wi-Fi hot spot the workstation uses DHCP to acquire an IP address from the access point. Then the computer becomes a member of the same subnet as every other computer that's attached to the access point. Users do, however, have the option of protecting themselves by entering specific IP addresses, rather than simply defining the private network as being anyone with the same subnet.
To modify a scope of a customer's Windows XP firewall rule, open the Windows Firewall applet found in the Control Panel. When the Windows Firewall properties sheet opens, select the Exceptions tab. Then select the program or port that you want to take a closer look at and click the Edit button. You'll see a dialog box that's similar to the one shown in Figure A.
Figure A You can use the Change Scope button to change the port's scope.
Notice that the dialog box contains a Change Scope button. Click this button, and you'll see a dialog box similar to the one that's shown in Figure B. Here, you can configure the program or port rule to apply to any computer (the equivalent to a public network), your customer's network (subnet) only or to a custom list of IP addresses.
Figure B The Change Scope dialog box allows you to specify for which computers the ports will be unblocked.
Configuring firewall rules on Windows Vista
This series on firewall troubleshooting focuses on Windows XP because that's what the majority of customers are still using, but the general concepts also apply to Windows Vista. However, there are various differences between the Windows XP firewall rules and the Windows Vista firewall rules, and there's one major difference in particular that I want to point out.
Most of Vista's basic firewall settings can be controlled via the Control Panel. However, in an effort to simplify the interface for the average home user, Microsoft removed from Vista's Control Panel some settings that are available in Windows XP. To gain additional control over the Vista firewall, you'll need to access a separate console by entering the MMC command at the Run prompt located on the Accessories menu.
In response to this command, Windows opens an empty Microsoft Management Console. Choose the Add/Remove Snap-In command from the console's File menu for a list of the available console snap-ins. Choose the Windows Firewall option from the list, and then click Add. When prompted, verify that the Local Computer option is selected, and then click Finish, followed by OK.
Space limitations prevent me from discussing every available option, but there are two aspects of this console that I want to show you. First, navigate through the console tree to Windows Firewall With Advanced Security | Monitoring, and you'll see a summary of the firewall's current configurations, as shown in Figure C. This is useful for troubleshooting Microsoft Vista firewalls.
Figure C Obtain greater control over Vista firewall rules via the Windows Firewall with Advanced Security console.
The other thing that I want to point out is the Private Profile and Public Profile sections at the bottom of the figure. As in Windows XP, scopes exist in Windows Vista, but they are greatly expanded. As you can see in Figure C, Vista allows you to establish completely separate profiles for public and private networks.
Another major difference between Vista and Windows XP is that Vista includes a Domain scope. The Domain scope takes effect when the computer functions as a part of a domain. This allows Windows to truly differentiate between a corporate network and a public Wi-Fi connection.
To see how scopes are implemented in Vista, select the Inbound Rules container, right-click on one of the existing rules, and choose the Properties command from the resulting shortcut menu. This displays the firewall rule's properties sheet. If you look at the properties sheet's Advanced tab, you can see that Vista allows you to control which profiles the rule is a part of (Domain, Private or Public), as shown in Figure D.
Figure D Windows Vista's firewall creates separate profiles for each scope.
You might notice that there is a separate tab for Scope. The Scope tab allows you to specify for which IP addresses the rule should apply. Notice in Figure E that Vista differentiates between local and remote addresses.
Figure E Windows Vista differentiates between local and remote addresses.
About the author
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal Web site at www.brienposey.com.