Best Practices for Managing Windows Firewall
Updated: March 28, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Use the following best practices when you administer Windows Firewall.
Use Security Configuration Wizard to configure Windows Firewall.
Security Configuration Wizard (SCW) is the recommended method for configuring Windows Firewall settings in Windows Server 2003. Using SCW ensures that your computer is configured appropriately for the installed roles and enabled services and that no unnecessary ports are opened based on those roles and services. For more information, see Configuring Windows Firewall with SCW.
Use Group Policy to manage Windows Firewall.
If your organization uses Group Policy, use the Windows Firewall Group Policy settings to manage and configure Windows Firewall. This will ensure more consistency among your Windows Firewall configurations and will allow you to secure Windows Firewall so that administrators and users who are logged on locally cannot configure Windows Firewall settings. For more information, see Administering Windows Firewall with Group Policy on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=43157).
Do not configure Windows Firewall settings on a computer-by-computer basis.
This can make your organization more accessible to attack because each computer has a different attack surface. When you configure Windows Firewall settings on a computer-by-computer basis, it becomes difficult to determine which computers are accessible to an attack by a worm or other malicious program that relies on unsolicited incoming traffic to spread.
Do not configure per-connection settings.
Per-connection settings (also called connection-specific settings or interface-specific settings) are applied without regard to the profile (standard or domain) used by the computer. This can make a computer more accessible to attack when it is connected to a public network, such as the Internet. You cannot restrict the scope of per-connection exceptions; these exceptions allow unsolicited traffic from any address. For more information, see Configuring Firewall Rules for Specific Connections.
Create program exceptions instead of port exceptions.
If you need to allow unsolicited incoming traffic through Windows Firewall, create a program exception instead of a port exception. When you create a program exception, Windows Firewall dynamically opens ports for the specified program and then closes those ports when the program is shut down. When you create a port exception, the specified port is open all of the time, which makes the computer more accessible to attack. For more information, see Configuring Program Firewall Rules.
Open the minimum number of ports.
If you have to open ports to allow unsolicited incoming traffic through Windows Firewall, be sure to open only those ports that you need. If a port handles intermittent or infrequent traffic, open the port only when it is needed and close it again afterward. If a computer configuration requires you to open numerous ports, you should evaluate the roles that are installed on the computer and the services that the computer is providing. A large number of open ports can indicate poor infrastructure design and can make the computer both a single point of failure and a concentrated target for attack.
Use scope settings to limit the scope of an exception.
If you create a program or port exception or enable a system service exception, be sure to configure the scope of the exception. The scope setting restricts an exception to computers that are directly reachable or to specific Internet Protocol version 4 (IPv4) addresses and address ranges. For more information about scope settings, see Configuring Scope Settings.
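The following batch script is an added example (not code from the original article) that applies the two preceding practices from a command prompt with the netsh firewall context available on Windows Server 2003: it creates a program exception with a restricted scope, shows the port exception it replaces for contrast, and then lists the result for verification. The program path C:\Apps\Inventory\invsvc.exe, the exception name, and the management subnet 10.20.30.0/24 are assumed values.

```batch
@echo off
rem Added example, not from the original article. The application path,
rem exception name, and the 10.20.30.0/24 subnet are constructed values;
rem replace them with your own before running this on a server.

rem Preferred: a program exception. Windows Firewall opens only the ports
rem the program actually listens on, and only while it is running. The
rem CUSTOM scope limits senders to the local subnet plus one management
rem network, and profile=DOMAIN keeps the exception out of the standard
rem (public network) profile.
netsh firewall add allowedprogram ^
    program="C:\Apps\Inventory\invsvc.exe" ^
    name="Inventory Service" ^
    mode=ENABLE ^
    scope=CUSTOM ^
    addresses=LocalSubnet,10.20.30.0/24 ^
    profile=DOMAIN

rem Avoid: a port exception holds the port open whether or not anything is
rem listening. It is shown here only for contrast and is not executed
rem (the rem keyword comments it out). If a port exception is unavoidable,
rem still restrict its scope and bind it to the domain profile.
rem netsh firewall add portopening protocol=TCP port=8080 ^
rem     name="Inventory TCP 8080" mode=ENABLE scope=SUBNET profile=DOMAIN

rem Verify: review the scope of every exception. Any entry whose scope is
rem reported as all addresses ("*") accepts unsolicited traffic from any
rem source and should be corrected.
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show state

rem Cleanup (optional): remove the exception from the domain profile.
rem netsh firewall delete allowedprogram ^
rem     program="C:\Apps\Inventory\invsvc.exe" profile=DOMAIN
```

When the same settings are managed through Group Policy, the local exception is superseded by the policy-defined list, which is the intended behavior described under the Group Policy practice above.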
Turn off Windows Firewall if you are using a non-Microsoft host firewall.
Using Windows Firewall with another host firewall does not necessarily increase your security. In fact, it can cause your computer to behave erratically if the rules and policies of both firewalls are not complementary. You should turn off (disable) Windows Firewall if you are running a non-Microsoft host firewall.