Help: Understanding Windows Firewall notifications
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding Windows Firewall notifications
By default, Windows Firewall displays a Windows Security Alert dialog box (referred to as a notification) when a program attempts to listen for unsolicited incoming traffic. If you are a member of the Administrators group on the computer, the notification gives you the ability to add the program to the exceptions list. If you are not a member of the Administrators group on the computer, the notification informs you that a program attempted to listen for incoming traffic but was blocked. You are not given the ability to add the program to the exceptions list if you are not a member of the Administrators group on the computer.
Windows Firewall does not display a notification in the user interface (UI) when a system service attempts to listen for incoming traffic on a port. This is also true for any program that runs like a system service (that is, a program that runs under an account that has higher privilege than a user account, for example, the Local System account, or a program that runs while there is no user logged onto the computer). However, you can use the security event log to determine whether a system service, or a program that runs like a system service, attempts to listen for incoming traffic. To do this you must enable the Audit process tracking policy and the Audit policy change policy. When you do this, Windows Firewall will write a Failure Audit with Event ID 861 to the security event log any time a program or system service attempts to listen for incoming traffic.
You can disable the notification feature in Windows Firewall by using the Exceptions tab in Windows Firewall in Control Panel, the netsh firewall set notifications command, or the Windows Firewall: Prohibit notifications policy setting. This might be necessary on servers that are remotely managed.