Identify Blocked Servers, Listeners, and Peers
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
This procedure is useful when you do not know which programs act as servers, listeners, or peers, and you want to add those programs to the exceptions list.
Administrative Credentials
You do not need administrative credentials to perform this procedure.
Special Considerations
You can configure Windows Firewall settings in the standard profile or the domain profile. The domain profile is used when a computer is connected to a network in which the computer's domain account resides. The standard profile is used when a computer is connected to a network in which the computer's domain account does not reside, such as a public network or the Internet. Make sure Windows Firewall is using the correct profile when you perform this procedure.
For more information about Windows Firewall profiles, see Managing Windows Firewall Profiles.
You should verify scope settings for any exceptions that you change. For more information about scope settings, see Configuring Scope Settings.
To identify programs that are listening for but cannot receive incoming traffic
This procedure can be performed using the graphical user interface or the command prompt. The graphical user interface method will help you identify programs that have attempted to listen for incoming traffic. The command prompt method will help you identify programs that are currently listening for incoming traffic.
Using the graphical user interface
You can use the security log in Event Viewer to identify programs and system services that attempted to listen for unsolicited incoming traffic but whose incoming traffic was blocked by Windows Firewall. You must first configure auditing so that Windows Firewall events are written to the security log.
Use the following procedure to configure auditing:
Enable Auditing of Windows Firewall Events
After you configure auditing, use the following procedure to view Windows Firewall events in the security log:
View Windows Firewall Events in Event Viewer
Programs that attempted to listen for but were unable to receive incoming traffic have the following attributes:
Type: Failure Audit
Event ID: 861
Using the command prompt
You can use the netsh firewall command to identify programs that are currently listening for but cannot receive incoming traffic because Windows Firewall is blocking it.
To identify programs that are listening for but cannot receive incoming traffic
Type the following at the command prompt, and press ENTER:
netsh firewall show state verbose = enable
Search the output text for Ports on which programs want to receive incoming connections.
If this section does not appear in the output text, then there are no easily recognizable programs currently listening for unsolicited incoming traffic.
For each program listed in Ports on which programs want to receive incoming connections, determine whether the program’s ports are already open. To do this, search the command line output text for Ports currently open on all network interfaces. If the open ports and protocols match the ports and protocols used by the program, then the program is already able to receive unsolicited incoming traffic.
If the ports associated with a program are not already open, then the program is listening for but cannot receive unsolicited incoming traffic.
If you get an "Access Denied" message when you run a command, you do not have administrative rights to configure Windows Firewall. If you get an "Ok" message but the command does not take effect, the setting might be managed by Group Policy.
Notes
To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.
Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.
See Also
Concepts
Configuring Program Firewall Rules
Known Issues for Managing Firewall Rules
Identify Unblocked Servers, Listeners, and Peers