Take Advantage of Firewall Service Tags – Read These 7 Tips

What are Firewall Service Tags? Know their importance in allowing administrators to tag network devices.

Firewall Service Tags

Firewall Service Tags is a feature in Windows Firewall that allows administrators to tag network devices for a specific purpose. When configuring firewall rules, administrators can restrict network access to devices that carry a specific service tag and deny access to devices that do not.

Firewall service tags are assigned to network interfaces during the installation of Windows Server 2003 Service Pack 1 (SP1) or later. Tags are also used by services such as Quality of Service (QoS) and IP Security (IPsec). In the QoS case, tags allow traffic on the network to be prioritized.

In the IPsec case, tags allow administrators to control access and encrypt traffic between two networks. If a rule is configured to allow traffic from a specific service tag, then only the network devices carrying that service tag can communicate.

Using Service Tags

Service tags can be used in firewall rules or QoS policies. The following example shows how to use a service tag in a firewall rule:

1. Launch the Group Policy Management Console by running GPMC.msc from an elevated command prompt.

2. Navigate to the following location

3. Right-click on your domain, select "Create a GPO in this domain, and Link it here…" and name it "Test Service Tag".

4. Right-click on your newly created GPO and select Edit.

5. In Group Policy Management Editor, navigate to Computer Configuration, then Windows Settings, then Security Settings, then Windows Firewall with Advanced Security, then Inbound Rules. Right-click on Inbound Rules and select New Rule.

6. Select Program as the Rule Type. Enter your program name as the Program, for example "Notepad" for Notepad or "iexplore" for Internet Explorer. Click Next.

7. Select Allow the Connection if it is secure as the Reason. Click Next.

8. Select Block the Connection if it is insecure as the Action. Click Next.

9. Select the appropriate protocol and port. Click Next.

10. Select Apply to these programs and subprograms. If a service tag is not included in the list of programs, you can add it manually. Click Next.

11. Type in the appropriate service tag in the Service tag box. Click Next.

12. Leave the default options as they are and click Finish.

13. Close Group Policy Management Editor and wait for your policy to propagate throughout your domain.
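The rule from steps 5 through 12 can also be written straight into the GPO with PowerShell, which is useful for scripting and for verifying that the saved rule really is program-scoped and IPsec-gated. This is an added example, not code from the original post. It assumes the domain `corp.example`, the GPO name `Test Service Tag`, the Print Spooler (`spoolsv.exe` hosting the `Spooler` service) as the program and service, and TCP port 445; `-Authentication Required` is the cmdlet's equivalent of "Allow the connection if it is secure", and `-Service` is the closest cmdlet equivalent of the service tag box.

```powershell
# Added example (not from the original post). Assumed values: domain
# corp.example, GPO "Test Service Tag", Print Spooler as program + service.
$PolicyStore = 'corp.example\Test Service Tag'   # domain\GPO name, assumed
$RuleName    = 'Test Service Tag - Spooler inbound'

function New-SecureProgramRule {
    param(
        [string]$Name        = $RuleName,
        [string]$Program     = '%SystemRoot%\System32\spoolsv.exe',
        [string]$ServiceName = 'Spooler',
        [int]$LocalPort      = 445,
        [string]$Store       = $PolicyStore
    )
    # Open the GPO once so the rule is written and saved in a single session.
    $gpo = Open-NetGPO -PolicyStore $Store

    # -Authentication Required: only IPsec-authenticated traffic matches this
    # allow rule; everything else falls through to the default inbound block.
    # -Service narrows the rule to the named service inside the program.
    New-NetFirewallRule -GPOSession $gpo `
        -DisplayName $Name -Direction Inbound -Action Allow `
        -Program $Program -Service $ServiceName `
        -Protocol TCP -LocalPort $LocalPort `
        -Authentication Required -Profile Domain | Out-Null

    Save-NetGPO -GPOSession $gpo
}

function Test-SecureProgramRule {
    param([string]$Name = $RuleName, [string]$Store = $PolicyStore)
    # Read the rule back from the GPO and check each filter the wizard set.
    $rule = Get-NetFirewallRule -DisplayName $Name -PolicyStore $Store -ErrorAction Stop
    $app  = $rule | Get-NetFirewallApplicationFilter
    $svc  = $rule | Get-NetFirewallServiceFilter
    $sec  = $rule | Get-NetFirewallSecurityFilter
    # All four must be $true before the rule is trusted in the domain.
    [pscustomobject]@{
        Enabled       = ($rule.Enabled -eq 'True')
        ProgramScoped = ($app.Program -ne 'Any')
        ServiceScoped = ($svc.Service -ne 'Any')
        RequiresIPsec = ($sec.Authentication -eq 'Required')
    }
}

New-SecureProgramRule
Test-SecureProgramRule
```

Run it from an elevated PowerShell session on a domain-joined machine with the GroupPolicy and NetSecurity modules available; the verification object is what you would log or assert on before letting the policy propagate.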

How to Determine What Programs Match Program Name or Path?

The Program value lets you specify a program that can be launched on the network device. For example, if you are trying to restrict access to Internet Explorer, you can create an Inbound Rule for iexplore.

Then set the Action to Block the connection if it is insecure. You can test whether an application is correctly identified by typing its name into the Program value field. If a rule is configured to deny traffic from a specific service tag, then only network devices that are not tagged with that service tag can communicate.

These rules have no impact on application compatibility or application behavior: a correctly configured rule rejects communications regardless of whether the application or device is correctly identified.
