Protecting Your Computer Using Windows Vista's Firewall

Article by Paul Pardi, published May 6, 2008

While modern firewalls are getting smarter and smarter, sometimes it's necessary to add an exclusion or turn off monitoring for a zone. This article describes how.


While firewalls have gotten rather intelligent in recent years--many will automatically block and open the necessary ports for known applications and services--sometimes it's necessary to tweak firewall settings. In this article, I'll cover some basic ways to tweak the settings of the Windows Vista firewall and provide a brief overview of some of the services it provides. I'll be talking about the basic firewall settings in this article and will cover the Windows Firewall with Advanced Security application in another article.

Let's suppose you have multiple computers on your home network connected to a single router and you want to be able to use Remote Desktop Connection on more than one of them. To do this, you have to set each computer to listen for RDC connections on a different port, so that when a request arrives at the router it is forwarded to the correct machine. In addition to changing the listening port and setting a forwarding rule on your router (for a helpful article on how to do this, see here), you also have to open the port in your firewall. (While we'll be tweaking the Windows firewall, be sure to run only one good firewall on your computer. Multiple firewalls typically provide no extra security and will most likely slow your system down slightly.)

Zones

The Windows Vista firewall supports limited-feature security zones: the firewall monitors all traffic on each network connection on your computer, and monitoring can be turned off for each connection independently. The firewall does not support independent exceptions per zone, so whatever exceptions you set apply to every connection currently being protected. By default, the firewall protects every network connection, and you should change this only under special circumstances.

To check or change your security zones, open Vista's firewall by clicking the start button and typing "firewall" in the search field. From the result list, choose "Windows Firewall" (be sure not to choose Windows Firewall with Advanced Security).

  1. Click on the Advanced tab (see image 1)
  2. In the Network connections group box, choose the network connections you want to protect by checking the box next to each connection

Setting Exceptions

A firewall exception is either a port (a numbered communication channel that specific programs use over a given network connection) or an entire program whose network communication will not be blocked by the firewall. This is useful when you know a given program is safe and don't need the traffic on that port blocked. Many users will never need a manual exception, but on occasion setting a port exception becomes necessary. By reviewing the steps below, you can also get a feel for how Vista's firewall handles automatic exceptions.

In this example, we'll set an exception on a port that will be listening for new RDC requests. Setting an exception for a program works in much the same way. When you create an exception for a program, you're telling the firewall to allow that program to communicate over the network (either your local network only, or local network and internet) regardless of the ports it uses. The access is limited to that program, even if another application uses the same port. When you create an exception for a port, any application can use it. Further, if you scope the exception to include internet access, programs on the internet attempting to communicate with your computer over that port will be able to do so. In our example, a Remote Desktop client will connect from the internet to the computer, so we'll need to open a port.

Let's say we want our computer to listen on port 3395 for RDC connections. To open this port in the Windows Vista firewall, do the following.

  1. Open the firewall application per the instructions above under "Zones".
  2. Click on the Exceptions tab (see image 2).
  3. Click the "Add Port" button. This will open the "Add a Port" dialog box.
  4. In the "Name" field, enter a name for the exception. This can be any legal name you choose. We'll call ours "RDC3395".
  5. In the "Port Number" field, enter 3395.
  6. Make sure the TCP radio button is selected (it is selected by default).
  7. Click the "Change Scope" button. Ensure that the "Any Computer" radio button is selected (it is selected by default). (see image 4)
  8. Click OK on all open dialog boxes to close them and set the exception on the firewall.

Your firewall now has port 3395 open for RDC connections and will no longer block network traffic on that port. Because opening ports can expose your computer to malicious software, open a port only if it's absolutely necessary. Vista's firewall will take care of the most common exceptions.
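As an added example that is not part of the original article, here is the same RDC3395 exception created from an elevated prompt with netsh (included with Vista), together with a subnet-only variant of the scope and two checks a careful administrator would run afterwards. The port 3395 and the rule name RDC3395 are the article's values; the variable names are my own.

```powershell
# Added example (not from the original article): the "RDC3395" port exception
# from the Exceptions tab, created with netsh instead of the dialog.
# Run from an elevated prompt; the rule name and port are the article's values.

$ruleName = 'RDC3395'
$port     = 3395

# 1. Exact equivalent of the article's steps: inbound TCP 3395, scope
#    "Any Computer" (remoteip=any). This is the internet-reachable exception
#    the article describes, so it carries the exposure the article warns about.
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=TCP localport=$port remoteip=any

# 2. Narrower alternative: only hosts on the local subnet may reach the port.
#    This matches the "My network (subnet) only" choice in the Change Scope
#    dialog and is the better setting when the RDC client is on the same LAN.
#    Remove the broad rule first so the two rules do not coexist.
netsh advfirewall firewall delete rule name=$ruleName
netsh advfirewall firewall add rule name=$ruleName dir=in action=allow `
    protocol=TCP localport=$port remoteip=LocalSubnet

# 3. Check what the firewall actually stored rather than trusting the dialog:
#    confirm Direction=In, Protocol=TCP, LocalPort=3395 and the RemoteIP scope.
netsh advfirewall firewall show rule name=$ruleName verbose

# 4. An open port only matters (and is only a risk) if something listens on it.
#    If no LISTENING line appears, the RDP listening port was never changed and
#    the exception should be removed again rather than left open.
netstat -ano | Select-String ":$port\s"

# 5. Cleanup once the exception is no longer needed.
# netsh advfirewall firewall delete rule name=$ruleName
```

A port exception added through the basic Windows Firewall dialog shows up in the same rule store, so the `show rule` check in step 3 also verifies exceptions created the way the article describes.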

In a future article, we'll look at the more granular features available in the advanced version of the firewall.

Images

Image 1 (Figure 1); Image 2 - Exceptions Tab; Image 3 - Add a Port; Image 4 - Change Scope