Windows Firewall Quick Fixes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Most Windows Firewall problems do not require extensive troubleshooting and can be fixed by making a simple configuration change. This section provides the most common Windows Firewall problems and their solutions. You can use the information in this section to resolve problems in the same way you would use a FAQ to find answers to common questions. Read this section before you begin any advanced troubleshooting.

Common Windows Firewall Problems

Listed below are common Windows Firewall problems and quick fixes:

I turned on Windows Firewall, but the programs in the exceptions list are not working properly.

Windows Firewall displays a Windows Security Alert when a program attempts to listen on a port, but the alert tells me to contact my system administrator and does not prompt me to unblock the program.

Windows Firewall does not display a Windows Security Alert when a program or system service attempts to listen on a port.

No one can ping my computer with the ping command.

I disabled ping by blocking incoming echo traffic, but other computers can still ping my computer.

I cannot access shared folders or printers on a computer that has Windows Firewall enabled.

I cannot use Remote Desktop to access another computer.

I cannot use remote administration tools to manage my servers.

I cannot get my FTP program to work with Windows Firewall.

I added a program to the exceptions list in Windows Firewall in Control Panel, but the program does not show up in the exceptions list when I take the computer off the managed network.

Some or all of the settings in Windows Firewall appear dimmed.

I added a program to the exceptions list in Group Policy, but the program does not behave as though it’s in the exceptions list.

I used the My network (subnet) only scope option, but traffic originating beyond my subnet is getting through Windows Firewall.

I used the My network (subnet) only option to change the scope of a program exception, but some computers in my subnet are being blocked by Windows Firewall.

I turned on Windows Firewall, but the programs in the exceptions list are not working properly.

This can happen on a server if you turn on Windows Firewall after you have started a program (for example, if you have started a Web server or an e-mail server and then start Windows Firewall). Windows Firewall might not be able to track the state of a program’s network traffic if the program is started before you start Windows Firewall. This is true no matter how you start Windows Firewall (through Control Panel, Group Policy, or the command prompt).

Windows Firewall displays a Windows Security Alert when a program attempts to listen on a port, but the alert tells me to contact my system administrator and does not prompt me to unblock the program.

There are two conditions under which you might see this Windows Security Alert (referred to throughout this documentation as a notification).

Windows Firewall displays this notification when a program attempts to listen on a port and the user who started the program is not a member of the Administrators group. If you are not a member of the Administrators group, you cannot configure the exceptions list, so Windows Firewall does not prompt you to unblock the program by adding the program to the exceptions list. To change the notification so that you are prompted to unblock a program, you must log on to the computer using an account that is a member of the Administrators group. You can then either wait for the notification to appear and click Unblock, or you can use Windows Firewall to add the program to the exceptions list.

To add a program to the exceptions list

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. On the Exceptions tab, click Add Program, and then follow the instructions that appear on your screen.

Windows Firewall also displays this notification if the Windows Firewall: Allow local program exceptions policy setting is disabled or if the Windows Firewall: Allow local program exceptions policy setting is not configured and the Windows Firewall: Define program exceptions policy setting is either disabled or enabled. Windows Firewall displays this notification under these conditions even if you are a member of the Administrators group. To change the notification so that you are prompted to unblock a program, you must either enable the Windows Firewall: Allow local program exceptions policy setting or, if this policy setting is not configured, change the Windows Firewall: Define program exceptions policy setting to Not Configured.

To enable the Allow local program exceptions policy setting

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then click either Domain Profile or Standard Profile.

  3. Double-click Windows Firewall: Allow local program exceptions, and on the Settings tab, click Enabled.

To set the Define program exceptions policy setting to Not Configured

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then click either Domain Profile or Standard Profile.

  3. Double-click Windows Firewall: Define program exceptions, and on the Settings tab, click Not Configured.

Windows Firewall does not display a Windows Security Alert when a program or system service attempts to listen on a port.

There are several reasons Windows Firewall might not display a Windows Security Alert (notification) when a program or system service attempts to listen on a port.

  • Notifications are displayed only if you enable the display notification option and have disabled or not configured the Windows Firewall: Prohibit notifications policy setting.

To enable notifications

  1. Open Windows Firewall.

  2. On the Exceptions tab, select the Display a notification when Windows Firewall blocks a program check box.

To disable the Prohibit notifications policy setting

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then click either Domain Profile or Standard Profile.

  3. Double-click Windows Firewall: Prohibit Notifications, and on the Settings tab, select either Not Configured or Disabled.

  • Windows Firewall will not display notifications for system services or programs that run when there is no user logged on to the computer. Most system services run this way, as do many server programs. However, Windows Firewall does write an event (Event ID 861) to the security event log for any system service or program that attempts to listen on a port, whether or not a notification is displayed. You must enable auditing for Windows Firewall events before those events appear in the security event log.

To enable auditing of Windows Firewall events

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Windows Settings, open Security Settings, open Local Policies, and then click Audit Policy.

  3. Double-click Audit process tracking, select the Success and Failure check boxes, and then click OK.

  4. Double-click Audit policy change, select the Success and Failure check boxes, and then click OK.

Note

The only way to determine when a system service listens on a port is to enable auditing and view security event log entries.

To view Windows Firewall notification events in Event Viewer

  1. Open Event Viewer.

  2. Click Security, and then look for Event ID 861.
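Because services and programs that start with no user logged on never produce a notification, the security log is the only record of their listen attempts. The following is an added example, not part of the original documentation, that parses a text export of such entries and pulls out the listen attempts that were blocked without anyone being told. The sample entries are constructed, and the field labels (Path, IP protocol, Port number, Allowed, User notified) are assumed to follow the wording of the Event ID 861 description; adjust them if your export differs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: two Event ID 861 records and one unrelated event, as a
# plain-text export of the security log might look. Field labels are assumed.
SAMPLE_EVENTS = """\
Event ID: 861
The Windows Firewall has detected an application listening for incoming traffic.
Name: -
Path: C:\\WINDOWS\\system32\\svchost.exe
Process identifier: 1040
User account: NETWORK SERVICE
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: UDP
Port number: 123
Allowed: No
User notified: No

Event ID: 861
The Windows Firewall has detected an application listening for incoming traffic.
Name: Contoso Web Server
Path: C:\\Program Files\\Contoso\\webd.exe
Process identifier: 2212
User account: SYSTEM
User domain: NT AUTHORITY
Service: Yes
RPC server: No
IP version: IPv4
IP protocol: TCP
Port number: 80
Allowed: Yes
User notified: No

Event ID: 528
Successful Logon: User Name: alice
"""

# "Label: value" lines inside one event description.
FIELD_RE = re.compile(r"^([A-Za-z ]+): (.*)$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split a blank-line separated export into events and keep only ID 861."""
    events: List[Dict[str, str]] = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields.get("Event ID") == "861":
            events.append(fields)
    return events


def listeners(events: List[Dict[str, str]]) -> List[Tuple[str, str, int, bool]]:
    """One (path, protocol, port, allowed) tuple per listen attempt."""
    return [
        (e["Path"], e["IP protocol"], int(e["Port number"]), e["Allowed"] == "Yes")
        for e in events
    ]


def silently_blocked(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Listen attempts that were blocked and never surfaced as a notification:
    exactly the cases (services, nobody logged on) only the log reveals."""
    return [e for e in events if e["Allowed"] == "No" and e["User notified"] == "No"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for path, proto, port, allowed in listeners(evs):
        print(f"{proto}/{port:<5} {'allowed' if allowed else 'BLOCKED'}  {path}")
    for e in silently_blocked(evs):
        print(f"review: {e['Path']} on {e['IP protocol']}/{e['Port number']} was blocked with no notification")
```

Run it against a real export after enabling Audit process tracking and Audit policy change as described above; anything reported as blocked with no notification is a candidate for a deliberate exception or for investigation, and the path tells you which binary to look at.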

  • Windows Firewall cannot display notifications if you select the Don't allow exceptions check box in Windows Firewall in Control Panel or if you enable the Windows Firewall: Do not allow exceptions policy setting in the Group Policy Object Editor. There are no Windows Firewall settings that allow you to override this behavior. To display notifications, you must clear the Don't allow exceptions check box or set the Windows Firewall: Do not allow exceptions policy setting to Disabled or Not Configured; however, doing so lessens the level of security that Windows Firewall provides when you are connected to a public network, such as the Internet. Instead of allowing exceptions through Windows Firewall so notifications are displayed, it is recommended that you use Event Viewer to identify programs and system services that attempt to listen on a port.

To configure Windows Firewall to allow exceptions

  1. Open Windows Firewall in Control Panel.

  2. On the General tab, clear the Don't allow exceptions check box.

To configure Group Policy so Windows Firewall allows exceptions

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then click either Domain Profile or Standard Profile.

  3. Double-click Windows Firewall: Do not allow exceptions, and on the Settings tab, click either Not Configured or Disabled.

  • Windows Firewall does not display notifications for programs that rely on the Winsock driver to dynamically bind to a UDP port (sometimes referred to as wildcard binds). If a program uses this method to bind to a UDP port, you might be able to use the netstat command and other troubleshooting tools to determine which UDP port is being used. For more information, see Fixing Program Problems.

No one can ping my computer with the ping command.

This happens because, by default, Windows Firewall blocks all Internet Control Message Protocol (ICMP) traffic. When someone pings your computer, an ICMP Echo message (also known as an Echo Request message) is sent to your computer; your computer sends back an ICMP Echo Reply message to the computer that sent the ICMP Echo message. By default, Windows Firewall discards the incoming ICMP Echo message. To configure your computer so that it does not discard ICMP Echo messages and can respond with ICMP Echo Reply messages, you must configure Windows Firewall to allow incoming echo traffic.

To allow incoming echo request traffic

  1. Open Windows Firewall, and then click the Advanced tab.

  2. In ICMP, click Settings.

  3. In the ICMP Settings dialog box, select the Allow incoming echo request check box.

I disabled ping by blocking incoming echo traffic, but other computers can still ping my computer.

This happens when TCP port 445 is added to the exceptions list. By default, TCP port 445 is added to the exceptions list when you enable File and Printer Sharing in the Windows Firewall exceptions list or when you enable the Windows Firewall: Allow remote administration exception policy setting in Group Policy. To disable ping, you must remove TCP port 445 from the exceptions list. You can do this by disabling File and Printer Sharing in the Windows Firewall exceptions list or by editing File and Printer Sharing in the exceptions list settings so that TCP port 445 is disabled. You can also do this by disabling the Windows Firewall: Allow remote administration exception policy setting.

To disable the File and Printer Sharing exception so ping is disabled

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Clear the File and Printer Sharing check box.

Note

Disabling the File and Printer Sharing exception will prevent users from accessing shared files, folders, and printers on your computer.

To edit the File and Printer Sharing exception so ping is disabled

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Click File and Printer Sharing, and then click Edit.

  3. In the Edit a Service dialog box, clear the TCP 445 check box.

Note

Editing the File and Printer Sharing exception can prevent other computers from accessing your shared folders, files, and printers. Be sure to test for the impact these changes might have on file and printer sharing functionality.

To disable the Allow remote administration exception so ping is disabled

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then click either Domain Profile or Standard Profile.

  3. In the details pane, double-click Windows Firewall: Allow remote administration exception, and then click either Not Configured or Disabled.

Note

Disabling or not configuring the Windows Firewall: Allow remote administration exception policy setting can cause your remote administration tools and other programs to stop running properly.

I cannot access shared folders or printers on a computer that has Windows Firewall enabled.

This happens when Windows Firewall blocks incoming traffic through UDP ports 137 and 138 and TCP ports 139 and 445. To allow access to shared folders and printers, you must enable the predefined exception for file and printer sharing, which will dynamically allow incoming traffic on UDP ports 137 and 138 and TCP ports 139 and 445.

To enable the File and Printer Sharing exception

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Select the File and Printer Sharing check box.

I cannot use Remote Desktop to access another computer.

This happens when Windows Firewall blocks incoming traffic through TCP port 3389 on the computer you are trying to access. To use Remote Desktop to communicate with a remote computer, you must enable the predefined exception for Remote Desktop on the remote computer, which will dynamically allow incoming traffic on TCP port 3389.

To enable the Remote Desktop exception

  1. On the remote computer, open Windows Firewall, and then click the Exceptions tab.

  2. Select the Remote Desktop check box.

I cannot use remote administration tools to manage my servers.

This happens when Windows Firewall blocks incoming remote procedure call (RPC) or DCOM traffic on your servers. Remote administration tools, such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI), use RPC and DCOM to communicate with servers. By default, Windows Firewall blocks communication through TCP ports 135 and 445. To fix this problem, you can enable the Windows Firewall: Allow remote administration exception policy setting on your servers. If you enable this policy setting, you must specify the Internet Protocol version 4 (IPv4) addresses or address ranges from which these incoming messages are allowed.

To enable the Allow remote administration exception

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then click either Domain Profile or Standard Profile.

  3. In the details pane, double-click Windows Firewall: Allow remote administration exception, click Enabled, and then, in Allow unsolicited incoming messages from, type the IPv4 addresses or address ranges for this exception.

Important

You should enable the Windows Firewall: Allow remote administration exception policy setting only if your remote administrative tools require RPC or DCOM. Malicious users often attempt to attack networks and computers using RPC and DCOM. It is recommended that you contact the manufacturer of your remote administration tool to determine if it requires RPC and DCOM communication. If it does not, do not enable the Windows Firewall: Allow remote administration exception policy setting.

I cannot get my FTP program to work with Windows Firewall.

This happens when your FTP program uses active FTP instead of passive (PASV) FTP. Windows Firewall uses the Application Layer Gateway (ALG) Service to process active FTP traffic. If the ALG Service is not running, try starting it.

To start the Application Layer Gateway Service

  1. Open the Services snap-in.

  2. Double-click Application Layer Gateway Service.

  3. On the General tab, if the Service status is not Started, click Start.

If the ALG Service is running and you still cannot get your FTP program to work with Windows Firewall, try adding the FTP program to the exceptions list.

To add a program to the Windows Firewall exceptions list

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. Click Add Program, and then follow the directions that appear on your screen.

I added a program to the exceptions list in Windows Firewall in Control Panel, but the program does not show up in the exceptions list when I take the computer off the managed network.

This happens when you add a program to the exceptions list for one profile (for example, the domain profile), and the computer is using the exceptions list for the other profile (for example, the standard profile). An example of this occurs when a portable computer is running on your corporate domain and you add a program to the exceptions list by using Windows Firewall in Control Panel. In this case, the program is added to the exceptions list for the domain profile. If the portable computer is then used outside of the office and is not connected to the corporate domain, the exceptions list for the standard profile is used; the program will not show up in the exceptions list because it was added to the exceptions list for the domain profile only. To fix this problem, you must do the following:

  • Determine to which exceptions list (domain profile or standard profile) the program was added.

  • Add the program to the appropriate exceptions list.

To determine to which exceptions list a program has been added

  • At the command prompt, type netsh firewall show all, and press ENTER.

To add a program to the exceptions list for a specific profile

  1. To add a program to the domain profile, type the following:

    netsh firewall set allowedprogram your_program_path\your_program your_program_name enable domain

    Where your_program_path is the path to your program’s executable (.exe) file, your_program is the name of your program’s .exe file, and your_program_name is the friendly name that you want to show up in the exceptions list.

  2. Press ENTER.

  3. To add a program to the standard profile, type the following:

    netsh firewall set allowedprogram your_program_path\your_program your_program_name enable standard

    Where your_program_path is the path to your program’s executable (.exe) file, your_program is the name of your program’s .exe file, and your_program_name is the friendly name that you want to show up in the exceptions list.

  4. Press ENTER.

Some or all of the settings in Windows Firewall appear dimmed.

This happens when you do not have the appropriate user rights on the computer you are trying to administer. It can also happen if your company uses Group Policy to manage Windows Firewall.

Windows Firewall dims all of the options in Windows Firewall if you are not a member of the Administrators group. To configure Windows Firewall options, have your domain administrator or accounts administrator add you to the Administrators group on the computer you want to administer.

Windows Firewall also dims any options that are configured through Group Policy. This includes options that are configured through Local Group Policy or through domain-based Group Policy. You can use the Resultant Set of Policy snap-in to determine which Windows Firewall policies are being applied to a computer as well as in which GPO the policies are stored.

To determine which policies are being applied to the computer

  1. At the command prompt, type rsop.msc, and press ENTER.

  2. In the console tree, open Computer Configuration, open Administrative Templates, open Network, and then click Network Connections.

  3. In the console tree, click Windows Firewall, and double-click any policies that appear in the details pane to learn more about the policy.

  4. In the console tree, click Domain Profile, and double-click any policies that appear in the details pane to learn more about the policy.

  5. In the console tree, click Standard Profile, and double-click any policies that appear in the details pane to learn more about the policy.

I added a program to the exceptions list in Group Policy, but the program does not behave as though it’s in the exceptions list.

This can occur for several reasons. Attempt each of the following possible fixes in the order in which they appear.

Make sure that you used the correct profile when you added the program to the exceptions list. You can configure Windows Firewall policy settings in either a domain profile or a standard profile. Domain profile settings are applied when a computer is connected to a network that contains the domain controllers for the domain in which its computer account resides. Standard profile settings are applied when a computer is not connected to a network that contains the domain controllers for the domain in which its computer account resides, such as a public network.

To verify Group Policy settings in the domain profile or standard profile

  1. Open the Group Policy Object Editor snap-in to edit the GPO that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, and then open Windows Firewall.

  3. In the console tree, click Domain Profile to see the Group Policy settings that are configured when the computer uses the domain profile.

  4. In the console tree, click Standard Profile to see the Group Policy settings that are configured when the computer uses the standard profile.

Make sure that the Group Policy settings have been refreshed on the computer you are administering. Local policies take effect immediately, but domain-based Group Policies are refreshed every 90 minutes (unless the computer is a domain controller, in which case policies are refreshed every 5 minutes). If you are unsure whether any policy changes have been applied to the computer, you can force Group Policy to refresh the policies on a computer by running gpupdate /force at the command line.

Make sure that policies are being applied from the correct GPO. You can determine this by using the Resultant Set of Policy snap-in.

To determine in which GPO a policy setting is stored

  1. At the command prompt, type rsop.msc, and press ENTER.

  2. In the console tree, open Computer Configuration, open Administrative Templates, open Network, and then click Network Connections.

  3. In the console tree, double-click any policies that appear in the details pane to determine in which GPO the policy is stored.

  4. In the console tree, click Windows Firewall, and double-click any policies that appear in the details pane to determine in which GPO the policy is stored.

  5. In the console tree, click Domain Profile, and double-click any policies that appear in the details pane to determine in which GPO the policy setting is stored.

  6. In the console tree, click Standard Profile, and double-click any policies that appear in the details pane to determine in which GPO the policy is stored.

Finally, make sure that you typed the path or program name correctly when you added it to the exceptions list. Windows Firewall does not check for errors, nor does it check whether the program exists. This allows you to add programs to the exceptions list before you install the program. Also, make sure that the path you used applies to the computer you are troubleshooting. If possible, use environment variables in the path so that the path is valid for multiple computer configurations.
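Two of the checks above, which profile an exception was added to (see the netsh firewall show all step earlier) and whether the path typed into the exception actually exists on the computer, can be done from the firewall's own listing. The following is an added example, not part of the original documentation, that parses a constructed copy of the allowed-program listing, reports which profiles contain a given executable, expands %VAR% environment references the way they would resolve on the target host, and flags paths that do not exist there. The column layout of the sample (Mode, then "Name / Path" under a per-profile header) is an assumption about the Windows Server 2003 output; adjust the regular expressions if your build prints additional columns.

```python
import os
import re
from typing import Callable, Dict, List, Mapping, Optional, Tuple

# Constructed sample of the allowed-program listing as netsh might print it.
# Layout (profile header, Mode column, "Name / Path") is an assumption.
SAMPLE_LISTING = """\
Allowed programs configuration for Domain profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\\WINDOWS\\system32\\sessmgr.exe
Enable   Payroll Client / %ProgramFiles%\\Contoso\\payroll.exe

Allowed programs configuration for Standard profile:
Mode     Name / Program
-------------------------------------------------------------------
Enable   Remote Assistance / C:\\WINDOWS\\system32\\sessmgr.exe
"""

PROFILE_RE = re.compile(r"^Allowed programs configuration for (\w+) profile:")
ENTRY_RE = re.compile(r"^(Enable|Disable)\s+(.+?) / (.+)$")


def parse_allowed_programs(text: str) -> List[Dict[str, str]]:
    """Return one record per exception: profile, mode, friendly name, path."""
    records: List[Dict[str, str]] = []
    profile: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)      # every entry until the next header belongs here
            continue
        m = ENTRY_RE.match(line)
        if m and profile:
            records.append({"profile": profile, "mode": m.group(1),
                            "name": m.group(2), "path": m.group(3)})
    return records


def profiles_for(records: List[Dict[str, str]], path: str) -> List[str]:
    """Profiles in which this executable is an enabled exception (paths compared
    case-insensitively, as Windows does)."""
    want = path.lower()
    return sorted({r["profile"] for r in records
                   if r["path"].lower() == want and r["mode"] == "Enable"})


def expand_windows_vars(path: str, env: Mapping[str, str]) -> str:
    """Expand %VAR% references; unknown variables are left untouched so they show
    up as obviously wrong in the report."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def check_paths(records: List[Dict[str, str]], env: Mapping[str, str],
                exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """Exceptions whose expanded path is not present on this host. Windows Firewall
    never validates the path itself, so this is the check the admin must do."""
    problems = []
    for r in records:
        expanded = expand_windows_vars(r["path"], env)
        if not exists(expanded):
            problems.append((r["profile"], r["name"], expanded))
    return problems


if __name__ == "__main__":
    recs = parse_allowed_programs(SAMPLE_LISTING)
    print("payroll.exe is in profiles:",
          profiles_for(recs, r"%ProgramFiles%\Contoso\payroll.exe"))
    for profile, name, path in check_paths(recs, dict(os.environ)):
        print(f"[{profile}] '{name}' points at a missing file: {path}")
```

On a real host, feed the script the saved output of netsh firewall show all and the host's own environment; a program listed only under Domain is the classic "disappears when I leave the office" case, and a missing expanded path is the typo or wrong-machine path the last paragraph warns about.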

I used the My network (subnet) only scope option, but traffic originating beyond my subnet is getting through Windows Firewall.

This can happen because of the way in which Windows Firewall determines traffic that matches the My network (subnet) only scope option. When you use the My network (subnet) only scope option, Windows Firewall does not perform any IP configuration testing or subnet mask interpretation to determine whether the traffic is coming from a computer that is a neighbor on a locally attached subnet. Instead, Windows Firewall determines whether the traffic is originating from an address that is directly reachable based on routes in the IPv4 and Internet Protocol version 6 (IPv6) routing tables (which you can view with the route print command). If it is, this traffic is considered to match the My network (subnet) only scope. Because Windows Firewall defines traffic for the My network (subnet) only scope in this way, there are situations in which Windows Firewall allows unexpected or unanticipated traffic.

An example of this occurs when you have a multihomed server with two network interfaces: for example, one interface for the accounting department’s subnet and one interface for the marketing department’s subnet. If you use the My network (subnet) only scope option to restrict the scope of an exception on this computer, Windows Firewall will allow traffic originating from both subnets because the address ranges of both subnets are directly reachable. To ensure that Windows Firewall allows exception traffic from only one subnet for IPv4 traffic, select the Custom list option and configure the IPv4 address range for the desired subnet. You cannot specify custom address ranges for IPv6 traffic.

Another example of this occurs when a computer is configured with a default route to the Internet for which all locations are directly reachable. This can occur when you use an ISP to directly connect a computer to the Internet through a high-speed connection. In this case, Windows Firewall sees all locations on the Internet as directly reachable when you use the My network (subnet) only scope option. You can restrict the scope of an exception by selecting the Custom list scope option and designating specific IPv4 addresses or IPv4 address ranges.

To configure a scope with specific IPv4 addresses or IPv4 address ranges

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. If you are configuring the scope of a program or system service that is already in the exceptions list, click the program or system service, click Edit, and then do the following:

    1. Click the port that you want to configure, and then click Change Scope.

    2. Click Custom list, and then enter the comma-separated list of IPv4 addresses or IPv4 address ranges.

  3. If you are adding a program or system service, click Add Program; if you are adding a port, click Add Port. Then do one of the following:

    1. In the Add a Program dialog box, click the program or system service that you want to configure, or click Browse and find the program or system service that you want to configure.

    2. In the Add a Port dialog box, type the exception name, type the port, and then select TCP or UDP.

  4. Click Change Scope.

  5. In the Change Scope dialog box, click Custom list, and then enter the comma-separated list of IPv4 addresses and subnets.

Important

The My network (subnet) only or Custom list scope options do not necessarily increase your security. Malicious users can circumvent these scope restrictions by spoofing an IP address that appears to be directly reachable or part of the custom list.

I used the My network (subnet) only option to change the scope of a program exception, but some computers in my subnet are being blocked by Windows Firewall.

This happens when a computer roams from one subnet to another. For example, if you create a shared folder on your computer, and then configure the File and Printer Sharing exception with the My network (subnet) only scope option, only directly reachable computers will be able to access your shared folder. But if one of the neighboring computers on your subnet is a portable computer, and a user moves the portable computer to a network segment outside your local subnet, the DHCP server will assign a new IP address configuration to the portable computer. When the portable computer attempts to access your shared folder, Windows Firewall determines that the computer is not directly reachable and discards the incoming connection requests.

To fix this problem, you can use the Custom list scope option to specify a list of IP addresses or IP address ranges from which traffic is allowed.
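The three scope surprises described above (the multihomed server, the directly connected Internet host, and the roaming portable computer) all follow from the same rule: My network (subnet) only matches a source when the route that reaches it is on-link, with no subnet-mask comparison against the local interface. The following is an added example, not part of the original documentation, that models that rule with a small constructed routing table and contrasts it with a Custom list. The route tables and addresses are constructed; the convention that an on-link route shows the interface's own address as its gateway mirrors what route print displays, and the "matches" functions are a model of the behaviour the text describes, not the firewall's code.

```python
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: str    # destination/mask as it would appear in "route print"
    gateway: str    # next hop; equals the interface address for on-link routes
    interface: str  # address of the interface the route uses


def is_on_link(route: Route) -> bool:
    """route print shows an on-link route with the interface address as gateway."""
    return route.gateway == route.interface


def best_route(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the way the IP stack selects a route."""
    ip = ip_address(addr)
    matches = [r for r in routes if ip in ip_network(r.network)]
    return max(matches, key=lambda r: ip_network(r.network).prefixlen, default=None)


def matches_subnet_only(routes: List[Route], src: str) -> bool:
    """Model of 'My network (subnet) only': the source matches if the route that
    reaches it is on-link. No interface subnet-mask check is performed."""
    r = best_route(routes, src)
    return r is not None and is_on_link(r)


def matches_custom_list(custom: List[str], src: str) -> bool:
    """Model of 'Custom list': only the listed IPv4 addresses and ranges match.
    Entries may be single addresses or network/mask pairs."""
    ip = ip_address(src)
    return any(ip in ip_network(entry, strict=False) for entry in custom)


# Constructed: multihomed server with accounting (10.1.0.0/24) and marketing
# (10.2.0.0/24) interfaces and a default route through a router.
MULTIHOMED = [
    Route("10.1.0.0/24", "10.1.0.5", "10.1.0.5"),
    Route("10.2.0.0/24", "10.2.0.5", "10.2.0.5"),
    Route("0.0.0.0/0", "10.1.0.1", "10.1.0.5"),
]

# Constructed: host connected directly to an ISP; the default route is on-link,
# so every Internet address counts as directly reachable.
DIRECT_ISP = [
    Route("0.0.0.0/0", "203.0.113.7", "203.0.113.7"),
]

ACCOUNTING_ONLY = ["10.1.0.0/255.255.255.0"]


if __name__ == "__main__":
    print("marketing host vs subnet-only on multihomed server:",
          matches_subnet_only(MULTIHOMED, "10.2.0.9"))       # True: unintended
    print("marketing host vs accounting custom list:",
          matches_custom_list(ACCOUNTING_ONLY, "10.2.0.9"))  # False
    print("Internet host vs subnet-only on direct ISP link:",
          matches_subnet_only(DIRECT_ISP, "192.0.2.50"))     # True: everything matches
    print("roamed laptop (10.3.0.20) vs subnet-only:",
          matches_subnet_only(MULTIHOMED, "10.3.0.20"))      # False: blocked
```

The Custom list check is the fix the text recommends in both directions: it excludes the second subnet on the multihomed server, and it admits the roaming laptop's new range once that range is added to the list. Neither scope is an authentication control; as the Important note says, a spoofed source address that falls in the range still matches.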

To configure a scope with specific IPv4 addresses or IPv4 address ranges

  1. Open Windows Firewall, and then click the Exceptions tab.

  2. If you are configuring the scope of a program or system service that is already in the exceptions list, click the program or system service, click Edit, and then do the following:

    1. Click the port that you want to configure, and then click Change Scope.

    2. Click Custom list, and then enter the comma-separated list of IPv4 addresses or IPv4 address ranges.

  3. If you are adding a program or system service, click Add Program; if you are adding a port, click Add Port. Then do one of the following:

    1. In the Add a Program dialog box, click the program or system service that you want to configure, or click Browse and find the program or system service that you want to configure.

    2. In the Add a Port dialog box, type the exception name, type the port, and then select TCP or UDP.

  4. Click Change Scope.

  5. In the Change Scope dialog box, click Custom list, and then enter the comma-separated list of IPv4 addresses and subnets.

Important

The My network (subnet) only or Custom list scope options do not necessarily increase your security. Malicious users can circumvent these scope restrictions by spoofing an IP address that appears to be directly reachable or part of the custom list.

Note

You cannot specify custom address ranges for IPv6 traffic.