Configuring Firewall Rules

Updated: February 16, 2010

Applies To: Windows 7, Windows Server 2008 R2

Because Windows Firewall with Advanced Security blocks all incoming unsolicited network traffic by default, you need to configure program, port, or system service rules for programs or services that are acting as servers, listeners, or peers. Program, port, and system service rules are managed on an ongoing basis as your server roles or configurations change. The roles and features that you can install by using Server Manager typically create and enable firewall rules for you when the role or feature is installed. They also remove or disable the rules when the role or feature is removed. A growing number of other, non-Microsoft programs and services also automatically configure Windows Firewall with a set of rules to permit their operation.

Important

Each filtering criteria that you add to a firewall rule adds increasing levels of restriction. For example, if you do not specify a program or service on the Program and Services tab, all programs and services will be allowed to connect, if their network traffic matches the other criteria in the rule. Adding more detailed criteria makes the rule progressively more restrictive and less likely to be matched.

In this section:

  • Configuring program or service settings

  • Configuring port and protocol settings

  • Configuring user or computer settings

  • Configuring scope settings

  • Configuring advanced settings

Note

To see practical examples that show you how to configure firewall rules, see the Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=183817).

Configuring program or service settings

To add a program to a firewall rule, you must specify the full path to the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rules list. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program, as long as it runs within its own unique .exe file.

Warning

Adding a service container or a program that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without further restrictions in the rule might expose the computer to security threats. Adding these containers might also conflict with service hardening policies on computers running this version of Windows.

When you add a program to a firewall rule, Windows Firewall with Advanced Security dynamically opens (unblocks) or closes (blocks) the ports as requested by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to the firewall rules is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.

Note

You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses Windows Sockets (Winsock) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.

To add a system service with its associated service security identifier (SID) to the rules list, you use the Programs and Services tab in the Firewall Rule Properties dialog box. This provides more precise control of services because a lot of services are hosted in processes like Svchost.exe. This method is more secure than adding the Svchost.exe process to the rules list.

Note

A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program. Such a system service can be added to the rules list. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file. Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list.

Configuring port and protocol settings

In some cases, if you cannot add a program or system service to the rules list, you must determine which port or ports the program or system service uses, and then add the port or ports to the Windows Firewall with Advanced Security rules list.

When you add a port to the rules list, you must specify the protocol and port number. When creating a custom rule, you can specify any protocol number and port number. When creating a port rule, you can specify TCP and UDP ports only. When you add a port to the rules list, the port is open (unblocked) whenever Windows Firewall with Advanced Security is running and whether or not there is a program or system service listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic through Windows Firewall with Advanced Security, you should create a program rule instead of a port rule. When you add a program to the rules list, Windows Firewall with Advanced Security dynamically opens and closes the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports.

Configuring user or computer settings

You can configure the firewall rule to be applied only if specified users or groups request a connection or if a specified computer or group of computers request a connection. These settings will be added to any other restrictions you have specified for the rule.

Configuring scope settings

You can configure the firewall rule to be applied only if the Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses match specified local and remote addresses. You can also specify groups of computers by IP subnet address, IP address range, or keyword (WINS computers, for example); however, you cannot specify an Active Directory group.

Configuring advanced settings

You usually configure Windows Firewall with Advanced Security on a global basis. For example, when you turn on Windows Firewall with Advanced Security, it is enabled on all of the network connections that already exist on your computer and all network connections that you create on your computer. Likewise, when you create a rule, the rule applies to all network connections that already exist on the computer and all network connections that you create on the computer.

You can also configure Windows Firewall with Advanced Security on an interface-type-specific basis. You can create a rule for each interface type on your computer, such as your LAN card or a wireless connection. This is useful if your computer has multiple interface types and you do not want Windows Firewall with Advanced Security enabled on all connections or you want to open different ports for each network connection.