Share via


Enable Predefined Inbound Rules on Windows XP or Windows Server 2003

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

The firewall included with Windows Server 2003 with SP1 and Windows XP with SP2 supports a few predefined rules that you can include in a GPO. The support for these rules allows you to easily deploy firewall settings for commonly used network functions.

Warning

The predefined rules included with Windows Firewall in Windows Server 2003 and Windows XP do not have the flexibility of the rules for Windows Firewall with Advanced Security in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2. Use the predefined rules described here only for computers running Windows Server 2003 and Windows XP. For computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2, see Enable Predefined Inbound Rules on Windows 7, Windows Vista, Windows Server 2008, or Windows Server 2008 R2.

Use the procedures in this topic to create firewall exception rules for:

  • File and printer sharing

  • ICMP

  • Remote administration

  • Remote Desktop

  • UPnP

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

File and printer sharing

To share files and printers with other computers, you must permit inbound requests from the client computers that want to access the files. Enabling this firewall exception rule opens UDP ports 137 and 138 and TCP ports 139 and 445 to the IP addresses specified in the rule.

To enable inbound file and printer sharing network traffic

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor navigation pane, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Allow inbound fire and printer sharing exception.

  7. On the Setting tab, click Enabled.

  8. In the Allow unsolicited incoming messages from these IP addresses text box, type the string that represents the addresses of the computers from which you are willing to accept this inbound network traffic. The string can be any of, or a comma-separated list of, the following items:

    Text Meaning

    An IP address, such as 10.0.0.1

    Network traffic from that IP address is allowed.

    A subnet description, such as 10.2.3.0/24

    Network traffic from any IP address on the specified subnet is allowed.

    localsubnet

    Network traffic from any IP address recognized as being on the same subnet as the local computer is allowed.

    *

    Network traffic from any address on any network is allowed. Do not combine this with the other elements.

    For example, if you want to allow network traffic from only a computer at IP address 10.0.0.1, from any computer on your local subnet or network 10.2.3.0/24, then type 10.0.0.1,10.2.3.0/24,localsubnet in the Allow unsolicited incoming messages from these IP addresses text box.

  9. Click OK to save your changes.

ICMP

Internet Control Message Protocol (ICMP) is typically used to troubleshoot network connectivity problems and to enable computers to send flow control messages to each other to optimize network traffic throughput. Only the specified ICMP packet types are allowed inbound through Windows Firewall.

To enable inbound ICMP network traffic

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor navigation pane, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Allow ICMP exceptions.

  7. On the Setting tab, click Enabled.

  8. Select the box next to each ICMP subtype that you want to allow through Windows Firewall. Because of their usefulness in diagnosing and troubleshooting, we recommend that you enable each subtype unless you have a security reason to prevent it.

  9. Click OK to save your changes.

Remote administration

Remote administration allows you to perform tasks on one computer by using the Microsoft Management Console (MMC) or programs that use Windows Management Instrumentation (WMI) from a different computer over the network. These administrative tools typically use remote procedure call (RPC) and Distributed Component Object Model (DCOM). Enabling this firewall exception rule opens TCP ports 135 and 445 to the IP addresses specified in the rule. It also allows SVCHOST.EXE and LSASS.EXE to listen on dynamically assigned TCP ports in the range of 1024 to 1034.

To enable inbound remote administration network traffic

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor navigation pane, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Allow inbound remote administration exception.

  7. On the Setting tab, click Enabled.

  8. In the Allow unsolicited incoming messages from these IP addresses text box, type the string that represents the addresses of the computers from which you are willing to accept this inbound network traffic. The string can be any of, or a comma-separated list of, the following items:

    Text Meaning

    An IP address, such as 10.0.0.1

    Network traffic from that IP address is allowed.

    A subnet description, such as 10.2.3.0/24

    Network traffic from any IP address on the specified subnet is allowed.

    localsubnet

    Network traffic from any IP address recognized as being on the same subnet as the local computer is allowed.

    *

    Network traffic from any address on any network is allowed. Do not combine this with the other elements.

    For example, if you want to allow network traffic from only a computer at IP address 10.0.0.1, from any computer on your local subnet or network 10.2.3.0/24, then type 10.0.0.1,10.2.3.0/24,localsubnet in the Allow unsolicited incoming messages from these IP addresses text box.

  9. Click OK to save your changes.

Remote Desktop

Remote desktop enables you to connect to a remote computer and access all of your programs, files, and network resources. Enabling this firewall exception rule opens TCP port 3389 to the IP addresses specified in the rule.

To enable inbound Remote Desktop network traffic

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor navigation pane, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Allow inbound Remote Desktop exception.

  7. On the Setting tab, click Enabled.

  8. In the Allow unsolicited incoming messages from these IP addresses text box, type the string that represents the addresses of the computers from which you are willing to accept this inbound network traffic. The string can be any of, or a comma separated list of, the following items:

    Text Meaning

    An IP address, such as 10.0.0.1

    Network traffic from that IP address is allowed.

    A subnet description, such as 10.2.3.0/24

    Network traffic from any IP address on the specified subnet is allowed.

    localsubnet

    Network traffic from any IP address recognized as being on the same subnet as the local computer is allowed.

    *

    Network traffic from any address on any network is allowed. Do not combine this with the other elements.

    For example, if you want to allow network traffic from only a computer at IP address 10.0.0.1, from any computer on your local subnet or network 10.2.3.0/24, then type 10.0.0.1,10.2.3.0/24,localsubnet in the Allow unsolicited incoming messages from these IP addresses text box.

  9. Click OK to save your changes.

UPnP

The UPnP™ standard is a set of protocols that allow computers to easily detect, configure, and use peripheral devices connected through the network, such as network-attached printers, Internet gateways, and consumer electronics equipment. Enabling this firewall exception rule opens TCP port 2869 and UDP port 1900 to the IP addresses specified in the rule.

To enable inbound UPnP network traffic

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor navigation pane, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Allow inbound UPnP framework exception.

  7. On the Setting tab, click Enabled.

  8. In the Allow unsolicited incoming messages from these IP addresses text box, type the string that represents the addresses of the computers from which you are willing to accept this inbound network traffic. The string can be any of, or a comma-separated list of, the following items:

    Text Meaning

    An IP address, such as 10.0.0.1

    Network traffic from that IP address is allowed.

    A subnet description, such as 10.2.3.0/24

    Network traffic from any IP address on the specified subnet is allowed.

    localsubnet

    Network traffic from any IP address recognized as being on the same subnet as the local computer is allowed.

    *

    Network traffic from any address on any network is allowed. Do not combine this with the other elements.

    For example, if you want to allow network traffic from only a computer at IP address 10.0.0.1, from any computer on your local subnet or network 10.2.3.0/24, then type 10.0.0.1,10.2.3.0/24,localsubnet in the Allow unsolicited incoming messages from these IP addresses text box.

  9. Click OK to save your changes.

If you arrived at this page by clicking a link in a checklist, use your browser’s Back button to return to the checklist.