- Network/Cloud Edition
- Windows7FirewallControl Network/Cloud Edition allows setting application network access permission individually per-user. The zones can be set for Administrator, Guest and any other user for a particular application separately. The feature is useful with Terminal Server (Windows Server 2008) extremely, the Network/Cloud Edition can be launched on any Vista/Windows8/7 running computer however.
- Internet Explorer (for instance) can be permitted to connect to any site for administrators, to corporate local network web server only for regular users and unable to browse any web server for guests.
- How to configure per-user access
- The "User" column of the Programs list shows username and access zone set to applications for the user. The "User" parameter can be changed with the Edit Application dialog's user selection option. Any application will follow specified zone if launched by a specific/selected user registered on the computer, server or the domain.
- The following per-user management logic must be supposed. If a specific user is set to an application with a zone, the application will follow the chosen zone when the application is launched in name of the user only. If the application with a zone is set to "Any User", the application will follow the zone when the application is launched in name of any the other user.
- For example, you set Internet Explorer with Web+FTPZone for "Any User", Internet Explorer with DisableAll for Guest and Internet Explorer set with LocalOnly for JohnSmith. Internet Explorer will follow the zones for the users above as specified and Web+FTPZone for the other users including Administrators, Regular Users and so on.
- Windows7FirewallControl is able to detect non-listed applications only, so if you set an application permissions for a specific user and do not set the application to "Any User", the application launched in name of any other user will not be detected for the second time and will be blocked entirely as any other initial access attempt is blocked. The hint may be used to create special security schemes however.
- Cloud and LAN Protection
- Cloud or Network is a set of computers that work together, share common resources, perform a common task and resides under the same administration. However it does not mean all the computers in the set should have equal access permissions to each other, to the external network or to the Internet.
- The samples are evident. Often a home computer with a home bookkeeping system installed should not be accesses from a computer used for gaming and a home media server must not available to a kid dedicated PC. In the case of Cloud, an SQL server can be accessed by Web server, but not from outside the cloud directly, Web server can access SQL server, but not a Media Server (of any) directly.
- In other words, any in-Network/in-Cloud located computer may have special security policy for the other network/cloud participants. The problem is solved by installing multiple firewalls on every the network/cloud connected computer typically. Multiple products can be managed separately only and must be licensed individually sometimes. As the result, the general solution will be costly and the related management will take time.
- The universal solution is in creating virtual sub networks inside local network or cloud practically. Regardless of how the computers are connected to each other, running under the same routing hardware or not, connected with the segments of a single physical network or not, virtual sub network will allow you creating a sub networks for every single purpose.
- For instance, Business sub network will allow bookkeeping system to access the internet, but will not allow the access from a "kitchen" PC. Entertainment sub network will allow the "kitchen" PC to access a home Media Server and but server will not be accessed from within a kid PC. Kid sub network will allow the access to a file server but not to the media server, etc.
- How It Works
- Windows7FirewallControl (Network/Cloud Edition) automatically installs security agents on all computers of the local network or cloud automatically. The agent installation can be configured from the Agents List. Windows7FirewallControl detects other local network computers automatically if it is possible (not blocked or disabled by the computer intentionally). A computer can be added (removed) to (from) the list manually as well.
After the agents are installed Windows7FirewallControl allows you creating virtual sub networks in a form of rules sets. The rules determine mutual permissions for accessing each other in local network/cloud environment. All the configurations are made from a single control panel. Windows7FirewallControl distributes the sub network related information to all the agents then automatically. So the agents are able control the mutual in-network/in-cloud traffic.
- Agent List
- The Agents List displays all the computers reachable in the network/cloud and the agent's installation states. All the agent intallation/deinstallation operations are performed in background. The "Agents Processing" checkbox switched the background procedure on or off. All the agents can be marked for Installation/DeInstallation/Ignoring by the dedicated buttons at once.
- Windows7FirewallControl installs the security agents accordingly to the remote OS version and bitness. In-Lan computers are detected and added to the list by Windows7FirewallControl automatically.
- The Agent names are equal to computers names set during the computers installation/configuration. The computers/agents can be added, deleted and edited (by keyboard hotkeys, right mouse click menu, by double clicking the item or by the toolbar) manually anytime. User/Password is credentials of the administration account of remote computer. The credentials are required to perform the remote agent installation. The credentials are applied by clicking the "Apply" button.
- The Edit Agent dialog allows specifying (editing) the agent's name, agent's IP (v4 or v6) address and configure the agent's specific state, i.e. the need to install/uninstall/monitor or ignore the agent installation status. The Host field and the IPv4/v6 buttons helps to determine IP address by computer name. IP address takes precedence in the agent information usage starting from IPv4 address. If no IP address is specified the remote computers will be found by specified Agent name. User/Password information is used to override the common user/password specification from the entire Agents List. After an agent state is changed the background procedure will start reflecting the desired state to the listed computers.
- Networks List
- The Networks List allows creating virtual sub networks, i.e. sets of computers to be included (excluded) to (from) mutual network operations. The number of sub networks in not limited. The sub networks can be added to (or removed from) the list or edited anytime by keyboard hotkeys, right mouse click context menu or by the toolbar.
The Edit sub network dialog allows managing the sub network, i.e. specifying computers separately or computer groups (by IP address range). The items (computers or groups) can be temporarily excluded from the specification by un-checking the Enable checkbox. The items can be arbitrarily named. IP address field sets the IP/IP-range for the item and final permissions for the item. The item (computer or group) can be allowed for the mutual operations or disallowed. The Host field and IPv4/v6 buttons helps to find IP address by computer name. The Result combo box sets permissions for the current sub network item. The entire sub network can be switched off temporarily by un-checking "Enable Network".
- Rules Precedence
- The virtual sub network is the list of computers of computer groups set for the mutual communication. Every item (computer or group) can be set either set to Enable (allowing in-sub-network communications) or Disable (rejecting from the sub network participation).
The Disable state takes the absolute precedence. The Enable state can be overwritten by per-application setting (See Programs for the details). If an application is not listed in the Programs tab and the target sub network item is enabled, the final permission will be enabling. If the application is listed the final permission depends on a zone applied to the application. If the zone is ruleless the application is enabled. If there are rules in the zone set to the application, the application will follow the rules.
The entire rules priority is (descending)
- Sub network disabling items
- Rules from a zone set to the applications (if any)
- Sub network enabling items (*)
- AllApplications zone (if any) from the Settings tab (*)
- Zone results (for rules zone) sets to application
(*) if a destination computer is encountered in a sub network or AllApplications zone, application access to the destination (the sub network) will not be detected and the application will not be inserted into the Programs List automatically. Such complex (at first sight) priority structure provides you with maximum flexibility while configuring per-application and per-sub-network access.
- Remote Application Management
- After the security agent is installed on a remote machine. Windows7FirewallControl is able to configure per-application settings (The Programs tab), the zone repository (the zones tab), the Default and AllApplications zones (the Settings tab) and the blocking statistics (the Statistics tab) of the remote computer. All the other configurations are available for the local (controlling) computer only.
- All remote management operations are performed with DCOM (distributed COM). Windows7FirewallControl creates a special dedicated user account automatically. All remote operations are performed using this account exclusively. Since Windows is solely responsible for account processing, all the operations are as safe as any other remote access. The account permissions can be managed by native Windows tools easily.
- Agents Installation Requirements
- Windows7FirewallControl installs the security agents (if configured) on remote computer automatically. However the remote installation must not be disabled intentionally.
- Windows7FirewallContorl has to know administrative account credentials for the installation. The remote installation is not allowed for non-administrators. If the administrative account password is empty, the access (the ability to install the agent remotely) has to be enabled in Start/ControlPanel/AdmninistrativeTools/LocalSecurityPolicy. "LocalPolicies/SecurityOptions/Accounts:Limit local account use o blank passwords..." must be disabled. Empty passwords for administrators are strongly not recommended though.
- The remote installation is performed via predefined shares (ADMIN$ and IPC$). So the shares must be enabled (the default state) and the sharing must be enabled. On Vista and Windows8/7 ADMIN$ share is disabled after installation by default. In order to enable, use regedit to add new DWORD parameter for LocalAccountTokenFilterPolicy equal to 1 to the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" key. See http://support.microsoft.com/kb/947232 for the details. The "Use Simple Sharing" option of XP (Explorer/Tools/FolderOptions/View) prevents the shares from the accessibility on XP.
- There is a set of other requirements fulfilled by the setup automatically. The settings can be altered accidentally/manually after the setup finished. The following is required anyway.
Note: Windows XP Home Edition has limited network abilities. So the Home Edition remote controlling may be limited
- WindowsFirewall must include the following entries enabled (of the installation folder)
- Windows7FirewallControl.exe (to receive events from a remote point under the control)
- WindowsFirewallService.exe (to be controlled remotely)
- "File And Print Sharing" service (required to pass incoming remote controlling commands to Windows7FirewallService).
- Additional user (W7FirewallControl) is created locally. The correspondent login is used to communicate (bidirectionaly) with remote Windows7FirewallControl agent/product installation. The additional user presence may cause the login screen on the system after Reboot/SwitchUser preventing the system from auto login. In order to revert back to login automatically:
- Press the Windows key + R on your keyboard to launch the "Run" dialog box.
- Type in control userpasswords2
- Press Enter. The User Accounts window will display.
- Uncheck the option "Users must enter a user name and password to use this computer"
- Click "OK"
- You will then be prompted to enter the current password and confirm it.
- After doing so, you will no longer be prompted to enter your password upon login.
- Local Security policy changed to "Classic". The policy only allows authenticating remote users as themselves. Otherwise all the remote users will be authenticated as Guests without the ability to reach the remote agent/installation