JSI Tip 7909. How do I use Group Policy to manage Windows Firewall settings?

Jerold Schulman

April 4, 2004


You can use the Netsh Firewall Context to manage Windows Firewall, formerly ICF (Internet Connection Firewall), settings.

You can also use Local Group Policy or the Default Domain Group Policy to set Windows Firewall Group Policy Objects (GPOs).

Starting with Windows XP SP2, the Windows Firewall GPOs are located at:

Computer Configuration / Administrative Templates / Network / Network Connections / Windows Firewall.

If you expand Windows Firewall and then Domain Profile, you see the following GPOs, each described below by the contents of its Explain tab:

The 'Windows Firewall: Protect all network connections' Explain tab contains:

Turns on Windows Firewall, which replaces Internet Connection Firewall on all computers that are running Windows XP Service Pack 2.

If you enable this policy setting, Windows Firewall runs and ignores the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.

If you do not configure this policy setting, Windows Firewall runs unless you enable the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting.

If you disable this policy setting, Windows Firewall does not run. This is the only way to ensure that Windows Firewall does not run and local computer administrators cannot start it.

The 'Windows Firewall: Do not allow exceptions' Explain tab contains:

Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages.

If you enable this policy setting, you should also enable the "Windows Firewall: Protect all network connections" policy setting; otherwise, local computer administrators can work around the "Windows Firewall: Do not allow exceptions" policy setting by turning off the firewall.

If you disable or do not configure this policy setting, Windows Firewall applies other policy settings that allow unsolicited incoming messages.

The 'Windows Firewall: Define program exceptions' Explain tab contains:

Allows you to view and change a list of programs and specify whether each program is allowed to receive unsolicited incoming messages. Windows Firewall manages two such lists: the first is defined by Group Policy settings, and the second is defined by the actions of local computer administrators. Windows Firewall ignores the second list unless you enable the "Windows Firewall: Allow local program exceptions" policy setting.

If you enable this policy setting, you can view and change the list of program exceptions defined by Group Policy settings. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port it asks Windows Firewall to open, even if that port is blocked by using the "Windows Firewall: Define port exceptions" policy setting. To view the program list, enable the policy setting and then click the Show button. To add a program, enable the policy setting, note the syntax in the shaded area below, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a program, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow local computer administrators to add programs to the list, enable this policy setting and the "Windows Firewall: Allow local program exceptions" policy setting.

If you disable this policy setting, the program exceptions list defined by Group Policy is deleted, and the one defined by local computer administrators is ignored.

If you do not configure this policy setting, Windows Firewall will only use the list defined by local computer administrators.

Notes:

If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If the Status parameter of a definition string is set to "disabled," Windows Firewall prohibits incoming messages to this program. If entries have different Status values, then any definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled," and the program does not receive the messages. Therefore, if you set the Status to "disabled," you can prevent local computer administrators from enabling the program.

Windows Firewall opens ports for the program only when the program is running and "listening" for incoming messages. If the program is not running, or is running but not listening for those messages, Windows Firewall does not open its ports.

The 'Windows Firewall: Allow local program exceptions' Explain tab contains:

Allows you to specify that local computer administrators can supplement "Windows Firewall: Define program exceptions" list.

If you enable this policy setting, and you define a program exceptions list by using the "Windows Firewall: Define program exceptions" policy setting, local computer administrators can add definitions to the list.

If you disable or do not configure this policy setting, local computer administrators cannot add definitions to the list defined by the "Windows Firewall: Define program exceptions" policy setting.

The 'Windows Firewall: Allow remote administration exception' Explain tab contains:

Allows remote administration of this computer using administrative tools like the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure (RPC) calls and Dynamic COM (DCOM). In effect, Windows Firewall adds SVCHOST.EXE and LSASS.EXE to the program exceptions list: it allows hosted services to open additional, dynamically-assigned ports, typically in the range of 1024 to 1034.

If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify whether those messages are allowed from computers anywhere on the network or only from computers on the local subnet.

If you disable or do not configure this policy setting, Windows Firewall blocks port 135 and does not open 445. Also, in effect, it adds SVCHOST.EXE and LSASS.EXE to the program exceptions list with the Status of "disabled." Because disabling this policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting.

Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.

The 'Windows Firewall: Allow file and printer sharing exception' Explain tab contains:

Allows file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.

If you enable this policy setting, Windows Firewall allows this computer to receive the unsolicited incoming messages generated by computers that attempt to send print jobs or access shared files. You must specify whether these messages are allowed from computers anywhere on the network or only from computers on the local subnet.

If you disable this policy setting, Windows Firewall blocks these ports and prohibits the Server service from receiving incoming messages. As a result, shared files and printers on this computer will be unavailable from other computers.

If you do not configure this policy setting, Windows Firewall does not block these ports or prohibit the Server service from receiving incoming messages, but neither does it open the ports or enable the Server service. In most cases, if you do not configure this policy setting, the result is the same as disabling the policy setting: shared files and printers on this computer will be unavailable from other computers.

The 'Windows Firewall: Allow ICMP exceptions' Explain tab contains:

Defines the set of Internet Control Message Protocol (ICMP) messages that are enabled. Utilities can use ICMP messages to determine the status of other computers. For example, Ping uses the echo request. If you do not enable the "Allow inbound echo request" message type, Windows Firewall blocks echo request messages sent by Ping running on other computers, but it does not block outbound echo request messages sent by Ping running on this computer.

If you enable this policy setting, you must specify which ICMP message types Windows Firewall allows this computer to send or receive.

If you disable or do not configure this policy setting, Windows Firewall blocks all incoming and outgoing ICMP message types shown in the list. As a result, utilities that use ICMP messages might not be able to send those messages to or from this computer. If you enable this policy setting and allow certain message types, then later disable this policy setting, Windows Firewall deletes the list of message types that you had enabled.

Notes:

If any policy setting opens TCP port 445, Windows Firewall allows inbound echo requests, even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow file and printer sharing exception," "Windows Firewall: Allow remote administration exception," and "Windows Firewall: Define port exceptions."

Other Windows Firewall policy settings affect only incoming messages, but several of the options of the "Windows Firewall: Allow ICMP exceptions" policy setting affect outgoing communication.

The 'Windows Firewall: Allow Remote Desktop exception' Explain tab contains:

Allows this computer to receive the unsolicited incoming messages created by Remote Desktop requests sent from another computer. To do this, Windows Firewall opens TCP port 3389.

If you enable this policy setting, you must specify whether the incoming Remote Desktop requests to this computer are permitted from computers anywhere on the network or only from computers on the local subnet.

If you disable or do not configure this policy setting, Windows Firewall blocks TCP port 3389, which prevents access to Remote Desktop.

The 'Windows Firewall: Allow UPnP framework exception' Explain tab contains:

Opens the ports required to allow this computer to receive unsolicited Plug and Play messages sent by network devices, such as routers with built-in firewalls. To do this, Windows Firewall opens TCP port 2869, and UDP port 1900.

If you enable this policy setting, Windows Firewall opens these ports and allows the computer to receive Plug and Play messages. You must specify whether the incoming Plug and Play messages to this computer are permitted from devices anywhere on the network or only from devices on the local subnet.

If you disable this policy setting, Windows Firewall blocks these ports, which prevents the computer from receiving Plug and Play messages.

If you do not configure this policy setting, Windows Firewall does not block or open these ports. In most cases, this has the same effect as disabling this policy setting: it prevents the computer from receiving Plug and Play messages.

The 'Windows Firewall: Prohibit notifications' Explain tab contains:

Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list.

If you enable this policy setting, Windows Firewall prevents the display of these notifications.

If you disable or do not configure this policy setting, Windows Firewall allows the display of these notifications.

The 'Windows Firewall: Allow logging' Explain tab contains:

Allows Windows Firewall to record information about the unsolicited incoming messages that it receives.

If you enable this policy setting, Windows Firewall writes the information to a log file. You must provide the name, location, and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops), and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages.

If you disable or do not configure this policy setting, Windows Firewall does not record information in the log file. If you enable this policy setting, and Windows Firewall creates the log file and adds information, then upon disabling this policy setting, Windows Firewall leaves the log file intact.

The 'Windows Firewall: Prohibit unicast response to multicast or broadcast requests' Explain tab contains:

Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.

If you enable this policy setting, and this computer sends multicast or broadcast messages to other computers, Windows Firewall blocks the unicast responses sent by those other computers.

If you disable or do not configure this policy setting, and this computer sends a multicast or broadcast message to other computers, Windows Firewall waits as long as three seconds for unicast responses from the other computers, and then blocks all later responses.

Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) multicast message sent by this computer. Windows Firewall always permits those DHCP unicast responses. However, this policy setting can interfere with the NetBIOS messages that detect name conflicts.

The 'Windows Firewall: Define port exceptions' Explain tab contains:

Allows you to define a port exceptions list that Windows Firewall uses to open or block ports. Windows Firewall manages two such lists: the first is defined by Group Policy settings, and the second is defined by the actions of local computer administrators. Windows Firewall ignores the second list unless you enable the "Windows Firewall: Allow local port exceptions" policy setting.

If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy settings. To view the list, enable the policy setting and then click the Show button. To add a port, enable the policy setting, note the syntax in the shaded area below, click the Show button, click the Add button, and then type a definition string that uses the syntax format. To remove a port, click its definition, and then click the Remove button. To edit a definition, remove the current definition from the list and add a new one with different parameters. The Scope parameter of a definition string specifies which set of computers can send messages intended for this program: "*" allows messages from all computers on the network; "localsubnet" allows messages only from computers on the same subnet as this computer.

If you disable this policy setting, Windows Firewall blocks all ports in the exceptions list defined by Group Policy, except those opened by other policy settings. Windows Firewall ignores the list defined by local computer administrators. If you enable this policy setting and later disable it, Windows Firewall deletes the port exceptions list specified by Group Policy.

If you do not configure this policy setting, other policy settings can open ports. Windows Firewall ignores entries in the port exceptions list defined by this policy setting, but uses the list defined by local computer administrators.

Notes:

Windows Firewall does not check the definition string for syntax errors. If you type an invalid definition string, Windows Firewall adds the invalid definition to the list without displaying a warning or error message. If you type multiple entries for the same port, and any entry disables a port, it overrides all entries that enable that port. If multiple entries for the same port have different scopes, the scopes are additive.

To allow local computer administrators to open additional ports, enable this policy setting and the "Windows Firewall: Allow local port exceptions" policy setting.
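The two Notes sections above (for program exceptions and for port exceptions) state the same merge rules: a "disabled" entry for a program or port overrides every "enabled" entry for it, duplicate entries combine their scopes, the local administrators' list counts only when the matching "Allow local ... exceptions" setting is enabled, and "Do not allow exceptions" overrides everything. The following is an added example, not code from the article or from Microsoft; it models those rules over constructed sample entries, and the "port/protocol" key form and the `define_state` values are assumptions of this model rather than the GPO definition-string syntax.

```python
# Added example (not from the article or from Microsoft): a small model of how
# Windows Firewall combines the Group Policy and local exception lists, following
# the rules the Explain tabs state for both program and port exceptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    key: str     # program path, or "port/protocol" such as "3389/TCP" (assumed key form)
    scope: str   # "*" (any computer on the network) or "localsubnet"
    status: str  # "enabled" or "disabled"


def merge(entries):
    """Collapse duplicate entries per key: any 'disabled' wins, scopes are additive."""
    merged = {}
    for e in entries:
        scopes, disabled = merged.get(e.key, (set(), False))
        merged[e.key] = (scopes | {e.scope}, disabled or e.status.lower() == "disabled")
    return merged


def effective(gp_entries, local_entries, define_state, allow_local, no_exceptions=False):
    """Return {key: scope} for every program/port that may receive unsolicited traffic.

    define_state models the 'Define ... exceptions' setting ('enabled', 'disabled'
    or 'notconfigured'); allow_local models 'Allow local ... exceptions';
    no_exceptions models 'Do not allow exceptions'.
    """
    if no_exceptions:                 # overrides every other exception setting
        return {}
    if define_state == "enabled":     # GP list, plus local list only if allowed
        entries = list(gp_entries) + (list(local_entries) if allow_local else [])
    elif define_state == "disabled":  # GP list deleted, local list ignored
        entries = []
    else:                             # not configured: local list only
        entries = list(local_entries)
    result = {}
    for key, (scopes, disabled) in merge(entries).items():
        if not disabled:              # a single 'disabled' entry blocks the key
            result[key] = "*" if "*" in scopes else "localsubnet"
    return result


# Constructed sample lists (not real policy data).
GP = [
    Entry("3389/TCP", "localsubnet", "enabled"),              # Remote Desktop, subnet only
    Entry(r"C:\Program Files\App\app.exe", "*", "enabled"),
    Entry(r"C:\Program Files\App\app.exe", "*", "disabled"),  # conflicting duplicate
]
LOCAL = [
    Entry("3389/TCP", "*", "enabled"),                        # local admin widens the scope
    Entry("5000/TCP", "localsubnet", "enabled"),
]

if __name__ == "__main__":
    for state, allow in [("enabled", False), ("enabled", True), ("notconfigured", False)]:
        print(state, allow, effective(GP, LOCAL, state, allow))
```

Run as a script it prints the effective exceptions for three settings combinations; note that the duplicate app.exe entry never becomes reachable, which is the behaviour the Notes describe for a "disabled" entry.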

The 'Windows Firewall: Allow local port exceptions' Explain tab contains:

Allows you to distribute a port exceptions list with entries that local computer administrators cannot override, but that they can supplement with other opened or blocked ports.

If you enable this policy setting, and define a port exceptions list by using the "Windows Firewall: Define port exceptions" policy setting, local computer administrators can add definitions to that list.

If you disable or do not configure this policy setting, local computer administrators cannot add definitions to that list.
