
Windows Firewall Audit Tool: Glossary

Prepared: 11 February 2013
Document Purpose and Introduction
This document defines the fields and terms presented in SekChek’s Windows Firewall Audit tool report. Windows Firewall with Advanced Security is available from Windows Vista and Windows Server 2008.

Windows Firewall is a host-based firewall that filters incoming and outgoing connections based on its configuration. Host-based firewalls, which are distinct from network perimeter firewalls, provide protection for traffic generated inside a trusted network. While end-users typically configure Windows Firewall through the main Windows Firewall Control Panel, advanced configuration is performed via an MMC snap-in named Windows Firewall with Advanced Security.

Windows Firewall with Advanced Security supports separate profiles (sets of firewall and connection security rules) for when computers are members of a domain, or connected to a private or public network. It also supports the creation of rules for enforcing server and domain isolation policies.

Windows Firewall with Advanced Security supports more detailed rules than previous versions of Windows Firewall, including filtering based on users and groups in Active Directory, source and destination Internet Protocol (IP) addresses, IP port number, ICMP settings, IPsec settings, specific types of interfaces, and services.
Overview Section

Profile Type: Indicates the type of Firewall profile. Windows Firewall supports three types of profile: Domain, Private and Public.

The Domain profile applies when a computer is connected to a network in which the computer’s domain account resides.

The Private profile applies when a computer is connected to a network in which the computer’s domain account does not reside, such as a home network. The Private profile settings should be more restrictive than the Domain profile settings.

The Public profile applies when a computer is connected to a domain through a public network such as those available in airports and coffee shops. The Public profile settings should be the most restrictive because the computer is connected to a public network where security is not tightly controlled.
Profile Active: Indicates whether the profile is active. Values = Yes and No.
Firewall State: Indicates whether the firewall is enabled. On = Enabled; Off = Disabled.
Inbound Connections: The default action for inbound traffic:
  • Block - default (Inbound connections that do not match a rule are blocked)
  • Block all connections (All inbound connections are blocked)
  • Allow (Inbound connections that do not match a rule are allowed)
Outbound Connections: The default action for outbound traffic:
  • Block (Outbound connections that do not match a rule are blocked)
  • Allow - default (Outbound connections that do not match a rule are allowed)
Display Notifications: Indicates whether interactive firewall notifications are displayed when a program is blocked. Values = Yes and No.
Allow Unicast Response: Indicates whether the firewall allows unicast responses to multicast and broadcast traffic. Values = Yes and No.
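
The following added example (not part of SekChek's tool or report) checks Overview rows against the guidance above: firewall enabled, unmatched inbound traffic not allowed, and inbound defaults no weaker as you move from Domain to Private to Public. The dictionary layout keyed by the glossary's field names and the sample rows are constructed for illustration.

```python
# Constructed sample rows keyed by the glossary's field names.
# This layout is an assumption, not SekChek's export format.
SAMPLE_PROFILES = [
    {"Profile Type": "Domain", "Profile Active": "Yes", "Firewall State": "On",
     "Inbound Connections": "Block", "Outbound Connections": "Allow"},
    {"Profile Type": "Private", "Profile Active": "No", "Firewall State": "On",
     "Inbound Connections": "Allow", "Outbound Connections": "Allow"},
    {"Profile Type": "Public", "Profile Active": "No", "Firewall State": "Off",
     "Inbound Connections": "Block all connections", "Outbound Connections": "Allow"},
]

# Higher number = more restrictive default action for inbound traffic.
INBOUND_RANK = {"Allow": 0, "Block": 1, "Block all connections": 2}
ORDER = ["Domain", "Private", "Public"]  # expected least to most restrictive


def inbound_rank(value):
    # A report may annotate the default value, e.g. "Block - default".
    return INBOUND_RANK[value.replace(" - default", "").strip()]


def audit_profiles(rows):
    """Return (profile, finding) tuples for settings weaker than the guidance."""
    findings = []
    by_type = {r["Profile Type"]: r for r in rows}
    for name in ORDER:
        row = by_type.get(name)
        if row is None:
            findings.append((name, "profile missing from report"))
            continue
        if row["Firewall State"] != "On":
            findings.append((name, "firewall disabled"))
        if inbound_rank(row["Inbound Connections"]) == 0:
            findings.append((name, "unmatched inbound traffic is allowed"))
    # Each profile should be at least as restrictive as the one before it.
    for looser, stricter in zip(ORDER, ORDER[1:]):
        a, b = by_type.get(looser), by_type.get(stricter)
        if a and b and (inbound_rank(b["Inbound Connections"])
                        < inbound_rank(a["Inbound Connections"])):
            findings.append((stricter, f"inbound default is weaker than {looser}"))
    return findings


if __name__ == "__main__":
    for profile, finding in audit_profiles(SAMPLE_PROFILES):
        print(f"{profile}: {finding}")
```
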
Other Report Sections

Name: The name of the Firewall rule.
Description: A brief description of the Firewall rule.
Rule Direction: The direction of traffic for which the rule applies: Inbound; or Outbound.

Inbound rules explicitly allow, or explicitly block, traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly allow traffic secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec.

Outbound rules explicitly allow, or explicitly deny, traffic to the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer through the firewall, but allow the same traffic for other computers.
Enabled: Indicates whether the rule is enabled or disabled.
Action: The action for a rule and whether it is the default setting. Values = Allow and Block.

A Block action takes precedence over an Allow action unless the Override block rules option is selected when a firewall rule is created.
Group: The group to which the Firewall rule belongs. Grouping allows multiple firewall rules to be grouped together for easier administration in the Windows Firewall Control Panel.
Profiles: The profiles to which the rule belongs: Domain; Private; or Public.
Interface Types: Specifies which interface type the connection security rule is applied to, including the local area network (LAN), a wireless network adapter, remote access, or all network connection types.
Edge Traversal: Edge Traversal allows the application, service or port to which the rule applies to be globally addressable and accessible from outside a NAT or edge device.
Programs: The path and name of the program to which this rule applies.
Services: The name of the service to which this rule applies.
Local IP Address: The local addresses to which the rule applies.
Remote IP Address: The list of remote addresses to which the rule applies.
Protocol: The IP protocol to which this rule applies. E.g. TCP, UDP and IPv6.
Local Port: The local ports to which the rule applies.
Remote Port: The remote ports to which the rule applies.
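
When reviewing a rule listing, the question is usually which action wins for a given connection. The added example below (not SekChek's code) applies the precedence described under Action, with the profile's default action as the fallback; the rule layout, the boolean "Override block rules" key and the sample rules are constructed for illustration.

```python
# Constructed rules keyed by the glossary's field names (an assumed layout,
# not SekChek's export format). "Override block rules" is modelled as a boolean.
SAMPLE_RULES = [
    {"Name": "RDP allow", "Rule Direction": "Inbound", "Enabled": "Yes",
     "Action": "Allow", "Profiles": ["Domain", "Private"],
     "Protocol": "TCP", "Local Port": "3389"},
    {"Name": "RDP block on Private", "Rule Direction": "Inbound", "Enabled": "Yes",
     "Action": "Block", "Profiles": ["Private"],
     "Protocol": "TCP", "Local Port": "3389"},
    {"Name": "File sharing", "Rule Direction": "Inbound", "Enabled": "No",
     "Action": "Allow", "Profiles": ["Public"],
     "Protocol": "TCP", "Local Port": "445"},
]


def rule_matches(rule, conn):
    """True when an enabled rule covers the connection's direction, profile, protocol and port."""
    return (rule["Enabled"] == "Yes"
            and rule["Rule Direction"] == conn["direction"]
            and conn["profile"] in rule["Profiles"]
            and rule["Protocol"] in ("Any", conn["protocol"])
            and rule["Local Port"] in ("Any", conn["local_port"]))


def effective_action(rules, conn, default_action):
    """Return 'Allow' or 'Block' for conn, given the active profile's default action."""
    if default_action == "Block all connections":
        return "Block"  # per the glossary: all inbound connections are blocked
    hits = [r for r in rules if rule_matches(r, conn)]
    # An Allow rule created with "Override block rules" beats any Block rule.
    if any(r["Action"] == "Allow" and r.get("Override block rules") for r in hits):
        return "Allow"
    # Otherwise a matching Block rule takes precedence over matching Allow rules.
    if any(r["Action"] == "Block" for r in hits):
        return "Block"
    if any(r["Action"] == "Allow" for r in hits):
        return "Allow"
    # No enabled rule matched: the profile's default action applies.
    return default_action


if __name__ == "__main__":
    rdp_private = {"direction": "Inbound", "profile": "Private",
                   "protocol": "TCP", "local_port": "3389"}
    print(effective_action(SAMPLE_RULES, rdp_private, "Block"))
```
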
 

Copyright© 2008-2013, SekChek IPS. All rights reserved.
SekChek® is a registered trademark of SekChek IPS. All other trademarks are the property of their respective owners.
www.sekchek.com

About SekChek IPS
SekChek® IPS is a leading provider of computer security review, auditing and benchmarking tools and has served many of the world’s largest companies and public institutions in 130 countries since 1996. SekChek’s clients include security and audit professionals in IT departments, audit firms, internal audit functions, regulatory compliance and corporate governance departments. SekChek’s benchmarking features compare security policies and controls against a unique statistics database containing more than 30 million anonymous and real-life security measurements compiled from 70,000 computer systems across all major industry sectors.