Windows Firewall Service

Applies To: Windows Server 2008

The Windows Firewall service (MpsSvc) supports the creation of inbound and outbound firewall and connection security rules to filter and protect network traffic. The Windows Firewall service also implements service hardening rules to provide basic protection to common network services included with Windows. The firewall and connection security rules can be defined locally on the computer or deployed to large numbers of computers by using Group Policy.

Aspects

The following is a list of all aspects that are part of this managed entity:

Name Description

Firewall Configuration

Windows Firewall with Advanced Security supports several configuration settings that control how and when firewall and Internet Protocol security (IPsec) rules are applied. For example, changing the network location type, turning the firewall on or off, or resetting the firewall to its initial out-of-box configuration can affect which rules are applied to network traffic.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports when critical configuration changes occur that can affect the firewall and IPsec processing.

Firewall Rule Processing

Windows Firewall with Advanced Security receives its rules from local security policy stored in the system registry, and from Group Policy delivered by Active Directory. After receiving a new or modified policy, Windows Firewall must process each rule in the applied policies to interpret what network traffic is to be blocked, allowed, or protected by using Internet Protocol security (IPsec).

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures, both in retrieving policy and in processing the rules defined in the policy.

Firewall Service and Driver Initialization

The Windows Firewall service (MpsSvc) and its supporting driver must be running to provide the core firewall functionality and to manage the firewall and connection security rules that define how the firewall operates. When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports successes and failures in starting the required software components, or when the components stop operating due to a failure.

Note: Because the Windows Firewall service applies Windows service hardening rules to standard Windows networking services, Microsoft does not support stopping the Windows Firewall service. If you do not want to use Windows Firewall, turn the firewall features off without stopping the service.

Firewall Service API

Windows can detect when an application attempts to use an obsolete application programming interface (API) to disable the firewall.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports when applications attempt to use obsolete API calls.

Firewall Service Block Notifications

Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future. This notification is turned on by default in Windows Vista, and turned off by default in Windows Server 2008.

When appropriate auditing events are enabled (https://go.microsoft.com/fwlink/?linkid=92666), Windows reports when applications are blocked by the firewall.
