Windows Firewall Security Rules precedence / priority

  • Question

  • Hi everyone,

    I'm trying to understand how the precedence for Windows Firewall's security rules works and how to set it up, or even to know if there is any notion of precedence at all with these rules.

    To be more specific, I have a Direct Access infrastructure which is up and running, but I'm trying to set it up to use ECDSA certificates for authentication instead of the default RSA ones.

    It works when I modify the original Direct Access security rules (the ones automatically generated by the DA wizard via GPO), but I'd rather not modify the original rules (I suppose this is not really supported, plus the custom settings are erased every time you modify a setting using the wizard) so I'd rather have my own custom rules with just this setting in them.

    That's easy enough to do using custom GPOs, but then I can't find how to prioritize my custom rules over the native ones... I believed for a while that setting the GPO precedence and giving a higher priority to my custom GPO would do the trick, but it seems that it doesn't always work, some clients are still trying to use the original DA security rule.

    Any idea?

    Thanks!

    Monday, August 3, 2015 9:28 AM
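Before deciding which rule "wins", it helps to see which connection security rules are actually in effect on a client, which GPO each one came from, and what phase-1 authentication method each one carries. The following is an added example (not code from the original thread or from the DirectAccess wizard); the `*DirectAccess*` name filter is an assumption about how the wizard names its rules and can be changed or dropped.

```powershell
# Added example (not from the original thread): list the connection security rules
# that are in effect on a DirectAccess client, the GPO each one came from, and the
# phase-1 authentication proposals bound to it. The "*DirectAccess*" name pattern is
# an assumption; change it to match your DA wizard's rule names or drop it entirely.
# Run in an elevated PowerShell on a Windows 8 / Server 2012 or later client.
Import-Module NetSecurity

# ActiveStore is the merged, effective policy: local store plus every applied GPO.
$rules   = Get-NetIPsecRule -PolicyStore ActiveStore
$daRules = @($rules | Where-Object { $_.DisplayName -like '*DirectAccess*' })
if ($daRules.Count -eq 0) { $daRules = @($rules) }   # fall back to every rule

foreach ($rule in $daRules) {
    # Phase-1 (main mode) auth set bound to this rule; it holds one proposal per method.
    $auth = $rule | Get-NetIPsecPhase1AuthSet

    # Flatten each proposal to "Name=Value;..." so method, certificate authority and
    # signing algorithm appear side by side. Property names differ per method, so every
    # non-empty CIM property is printed rather than a fixed list.
    $proposals = foreach ($p in @($auth.Proposal)) {
        ($p.CimInstanceProperties |
            Where-Object { $null -ne $_.Value -and "$($_.Value)" -ne '' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ';'
    }

    [PSCustomObject]@{
        Rule      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Mode      = $rule.Mode
        Inbound   = $rule.InboundSecurity
        Outbound  = $rule.OutboundSecurity
        SourceGPO = $rule.PolicyStoreSource     # GPO (or PersistentStore) that supplied the rule
        AuthSet   = $auth.DisplayName
        Proposals = $proposals -join ' | '
    }
}
```

Running this on a client that still negotiates RSA shows, in the `SourceGPO` and `Proposals` columns, whether the client merged the custom rule at all and which auth set each rule is bound to, which is the first thing to check before blaming rule precedence.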

All replies

  • Hi,

    Windows Firewall rules are part of the server's local settings. Local settings are processed first when you consider the GPO processing order Local, Site, Domain, OU (LSDOU).

    Start > Run > wf.msc opens the firewall settings console; then set inbound and outbound rules according to your requirements. You can configure these rules based on the application/service .exe file path or the port number that the particular app/service uses.

    Please refer to the Add or Edit Firewall Rule link to know more.



    Regards, Ravikumar P

    Monday, August 3, 2015 9:52 AM
  • Hi,

    Thanks, but inbound/outbound rules are not what I'm talking about.

    I'm asking about the connection security rules, the ones used to establish IPsec tunnels:

    These are the ones automatically created by Direct Access' wizard, and what I want is to create custom ones with just a different authentication method (ECDSA certificate instead of RSA) (so far so good) and to use these custom rules in place of the original ones, without deleting the original ones; so I need the custom ones to be processed first (this is what I need help with).



    • Edited by CyrAz Monday, August 3, 2015 12:08 PM
    Monday, August 3, 2015 12:07 PM
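The "so far so good" part, a connection security rule that authenticates with an ECDSA machine certificate and lives in its own GPO so the wizard-generated GPOs are never touched, can be scripted with the NetSecurity cmdlets. This is an added example, not the poster's configuration or the DirectAccess wizard's output; the domain, GPO name, CA subject, remote prefix and mode are placeholders, and `ECDSA256` must match the curve of the certificates you actually issued (`ECDSA384` is the alternative).

```powershell
# Added example (not from the original thread): create a connection security rule that
# authenticates with an ECDSA machine certificate, inside a separate GPO, so the
# DirectAccess wizard's own GPOs stay untouched. Every name below is hypothetical.
# Run from a machine with RSAT/GPMC and the NetSecurity module, as a GPO editor.
Import-Module NetSecurity

$gpoStore = 'corp.example.com\DA-ECDSA-IPsec'     # hypothetical domain\GPO name; the GPO must already exist
$rootCA   = 'CN=Corp Root CA, O=Example'           # hypothetical subject of the CA that issued the ECDSA certs

# Batch all changes into one GPO session so they are committed atomically by Save-NetGPO.
$session = Open-NetGPO -PolicyStore $gpoStore

# Phase-1 (main mode) proposal: machine certificate chaining to $rootCA, ECDSA P-256 signed.
$proposal = New-NetIPsecAuthProposal -Machine -Cert -Authority $rootCA -AuthorityType Root -Signing ECDSA256

# Wrap the proposal in an auth set that the rule can reference by name.
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'DA ECDSA machine cert' -Proposal $proposal -GPOSession $session

# The rule itself. Mode and the remote prefix are placeholders: copy them from the
# wizard-generated rule you intend to shadow so both rules match the same traffic.
New-NetIPsecRule -DisplayName 'DA custom ECDSA rule' `
    -Mode Transport `
    -InboundSecurity Require -OutboundSecurity Request `
    -RemoteAddress '2001:db8::/32' `
    -Phase1AuthSet $authSet.Name `
    -GPOSession $session

Save-NetGPO -GPOSession $session

# Verify what was written to the GPO (clients pick it up at the next policy refresh).
Get-NetIPsecRule -PolicyStore $gpoStore | Select-Object DisplayName, Enabled, Mode, Phase1AuthSet
```

This only gets the rule onto the clients; which of two rules with overlapping filters Windows then uses for a given connection is exactly the question the thread leaves open.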
  • Hi CyrAz,

    As far as I know, it is not recommended to modify the original GPOs.

    If you really want to modify it, we could follow the guide:
    Appendix A – Manual DirectAccess Server Configuration:
    https://technet.microsoft.com/en-us/library/ee649214%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, August 4, 2015 9:12 AM
  • I am perfectly aware that it is not recommended to modify the original GPO, which is precisely why my question is "how can I create another security rule contained in another GPO and have it apply instead of the original security rule" !

    So far I've been able to create this other security rule in another GPO, the issue is that it is not always applied instead of the original one; hence the title of this topic about rule precedence/priority!

    • Edited by CyrAz Tuesday, August 4, 2015 11:35 AM
    Tuesday, August 4, 2015 11:33 AM
  • Hi Cyraz,

    We could enforce the GPO.

    Right click on the GPO and click Enforced.

    About the security rule, we could disable the rule we don't want.

    Best Regards,

    Leo

    Wednesday, August 5, 2015 6:52 AM
    The GPO is applied, since my custom security rules are pushed to the clients, so I don't think enforcing the GPO would change anything.

    Then I don't want to disable the security rule because this would imply modifying the original GPO, which is precisely what I'm trying to avoid.

    Hence once again my question about prioritizing the security rules!


    • Edited by CyrAz Wednesday, August 5, 2015 12:20 PM
    Wednesday, August 5, 2015 12:20 PM
    I believe you can't customize the priority of local Group Policies; by default they take first precedence. Instead you have a chance to customize the other three policies (Site, Domain and OU) and change the priority order.

    Disable local connection security policies and then configure Group Policy based connection security rules.

    I would recommend you post your query in the Group Policy forum, where GP experts can guide you in the right direction.


    Regards, Ravikumar P

    Wednesday, August 5, 2015 1:18 PM
    This is not about group policies, really (definitely not about local ones at least); unless there is something I didn't understand here.
    Wednesday, August 5, 2015 1:42 PM
  • Hi CyrAz,

    As far as I know, I'm afraid we could not change the priority of the rules.

    We could disable the rules in GPO, but it may result in some errors.

    Best Regards,

    Leo

    • Proposed as answer by Leo Han Tuesday, August 18, 2015 8:46 AM
    • Marked as answer by Leo Han Monday, August 24, 2015 7:43 AM
    Thursday, August 6, 2015 8:13 AM
    I indeed definitely don't want to disable the rules in the original GPO, the issue would be the same as if I modified them (they would be re-enabled/re-created every time I'd change something in the Direct Access wizard).
    • Edited by CyrAz Thursday, August 6, 2015 1:55 PM
    Thursday, August 6, 2015 1:55 PM
  • It's very difficult to understand how a firewall can be managed without rule precedence.  Even old versions of ISA had ordered rules, and you could modify behavior by sorting them differently.  For instance, here's a simple example.  If I make a GPO that has the two following rules mandating two different security levels for IPSec for communicating with my server (server is at 10.10.5.5) and I want all machines to have IPSec *required* when they communicate with the server, except one machine (10.10.5.8), which has IPSec *requested* for communicating with the same server.  This allows me to still access the server from that one machine if there's something wrong with my PKI and IPSec stops working.  So here are the two rules:

    Rule 1. From 10.10.5.0/24 to 10.10.5.5 require secure communications.

    Rule 2. From 10.10.5.8 to 10.10.5.5 request secure communications.

    Now, if I can't control which order those rules are processed, I don't know what I can expect, because they overlap.  If I try to connect from my special computer at 10.10.5.8 to the server at 10.10.5.5, will IPSec be requested or required?  

    This is basic firewall/security stuff.  Can't believe I have to ask this kind of question.


    Once more into the breach, dear friends.

    Tuesday, January 12, 2016 5:17 PM
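The overlapping-rules scenario above (a `Require` rule for 10.10.5.0/24 and a `Request` rule for the single host 10.10.5.8, both toward 10.10.5.5) is something you can at least detect before deploying, even if the thread never settles which rule Windows picks. The following is an added example, not code from the thread's participants: it flags pairs of connection security rules whose local and remote address filters overlap while asking for different security levels, first on a constructed copy of the two rules from the post, then optionally on the live effective policy. It handles IPv4 only and conservatively treats `Any` and IPv6 filters as matching everything.

```powershell
# Added example (not from the original thread): flag connection security rules whose
# address filters overlap but which request different security levels, e.g. the
# 10.10.5.0/24 -> 10.10.5.5 "Require" vs 10.10.5.8 -> 10.10.5.5 "Request" pair above.
# Which of two such rules Windows ends up using is not settled in this thread; the
# script only surfaces the ambiguity so the filters can be made disjoint. IPv4 only:
# 'Any' and IPv6 filters are treated as matching everything, to stay conservative.
Import-Module NetSecurity -ErrorAction SilentlyContinue   # only needed for the live query

function ConvertTo-IPv4Range {
    # 'Any' | 'a.b.c.d' | 'a.b.c.d/nn' | 'a.b.c.d-e.f.g.h'  ->  @(lo, hi) as UInt32
    param([string]$Address)
    $toInt = {
        param([string]$Ip)
        $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($b)                          # network byte order -> host order
        [BitConverter]::ToUInt32($b, 0)
    }
    $all = [uint64][uint32]::MaxValue                 # 0xFFFFFFFF without the Int32 hex-literal pitfall
    if ($Address -eq 'Any' -or $Address -like '*:*') { return @([uint32]0, [uint32]::MaxValue) }
    if ($Address -match '^(?<ip>[\d.]+)/(?<len>\d+)$') {
        $base     = & $toInt $Matches.ip
        $mask     = [uint32](($all -shl (32 - [int]$Matches.len)) -band $all)
        $hostBits = [uint32]($all -bxor $mask)
        return @([uint32]($base -band $mask), [uint32]($base -bor $hostBits))
    }
    if ($Address -match '^(?<a>[\d.]+)-(?<b>[\d.]+)$') { return @((& $toInt $Matches.a), (& $toInt $Matches.b)) }
    $x = & $toInt $Address
    return @($x, $x)
}

function Test-AddressSetOverlap {
    # True if any address expression in $A overlaps any in $B.
    param([string[]]$A, [string[]]$B)
    foreach ($x in $A) {
        $ra = ConvertTo-IPv4Range $x
        foreach ($y in $B) {
            $rb = ConvertTo-IPv4Range $y
            if ($ra[0] -le $rb[1] -and $rb[0] -le $ra[1]) { return $true }
        }
    }
    return $false
}

function Find-ConflictingIPsecRules {
    # $Entries: objects with Rule, Inbound, Outbound, Local (string[]) and Remote (string[]).
    param([object[]]$Entries)
    for ($i = 0; $i -lt $Entries.Count; $i++) {
        for ($j = $i + 1; $j -lt $Entries.Count; $j++) {
            $a = $Entries[$i]; $b = $Entries[$j]
            # Same inbound/outbound action on both: an overlap changes nothing, skip it.
            if ($a.Inbound -eq $b.Inbound -and $a.Outbound -eq $b.Outbound) { continue }
            if ((Test-AddressSetOverlap $a.Local $b.Local) -and (Test-AddressSetOverlap $a.Remote $b.Remote)) {
                [PSCustomObject]@{
                    RuleA = $a.Rule; SecurityA = "$($a.Inbound)/$($a.Outbound)"
                    RuleB = $b.Rule; SecurityB = "$($b.Inbound)/$($b.Outbound)"
                }
            }
        }
    }
}

function Get-IPsecRuleEntries {
    # Live view of the effective policy on this machine (needs the NetSecurity module).
    param([string]$PolicyStore = 'ActiveStore')
    foreach ($r in Get-NetIPsecRule -PolicyStore $PolicyStore | Where-Object { "$($_.Enabled)" -eq 'True' }) {
        $f = $r | Get-NetFirewallAddressFilter
        [PSCustomObject]@{ Rule = $r.DisplayName; Inbound = "$($r.InboundSecurity)"; Outbound = "$($r.OutboundSecurity)"
                           Local = @($f.LocalAddress); Remote = @($f.RemoteAddress) }
    }
}

# Constructed input reproducing the two rules from the post above (not live data).
$sample = @(
    [PSCustomObject]@{ Rule = 'Rule 1'; Inbound = 'Require'; Outbound = 'Require'; Local = @('10.10.5.0/24'); Remote = @('10.10.5.5') }
    [PSCustomObject]@{ Rule = 'Rule 2'; Inbound = 'Request'; Outbound = 'Request'; Local = @('10.10.5.8');    Remote = @('10.10.5.5') }
)
Find-ConflictingIPsecRules -Entries $sample | Format-Table -AutoSize
# Flags Rule 1 (Require/Require) against Rule 2 (Request/Request): 10.10.5.8 lies inside 10.10.5.0/24.

# Live check against the effective policy of this machine:
# Find-ConflictingIPsecRules -Entries @(Get-IPsecRuleEntries) | Format-Table -AutoSize
```

The practical fix the detector points at is to carve the exception out of the broad rule (for example 10.10.5.0/24 minus 10.10.5.8, expressed as two ranges) rather than relying on an ordering the product does not expose.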
    Even though this is an old thread, it still comes up in searches. I have to agree that it is REALLY frustrating to ask what seems to be a simple question on a forum like this only to get lots of answers or suggestions that don't address the question (or even read all of the question!) or point out the recommendations against doing whatever is requested. It makes it really difficult to move forward from the problem, as well as consuming too much time for no reward!!

    I think part of the problem with these forums is that some people are just throwing out responses to try to get points or recognition without ever really taking the time to understand the question.

    The Windows Firewall is not what anyone in the networking world would call a real firewall, as firewalls for over a decade have had rule ordering/precedence. It's just an advanced filter. Overlapping rules - you know, from elementary math, called a union? - are impossible for a single site. You could maybe work some precedence with OUs and sites, but that's ridiculous.

    I've found no way to achieve the concept of rule ordering with Windows Firewall, which is pretty amazing considering how many years it has been available. (Much like PKI, which never seems to advance, either.)

    Third-party software is the best way to achieve a true firewall but then you lose the ability to manage it via GPO (unless you can find a vendor that offers administrative templates for their product).

    Seeing this thread end unanswered is pretty frustrating considering this is hosted on TechNet.

    Tuesday, April 24, 2018 6:35 AM