Appendix H: Windows Firewall in Windows Server 2008

Applies To: Windows Server 2008

In This Appendix

Overview: Windows Firewall with Advanced Security

Group Policy Setting for Disabling Windows Firewall

Additional References

Overview: Windows Firewall with Advanced Security

Windows Firewall provides protection against network attacks for computers on which it is enabled. Windows Firewall does this by checking all communications that cross the connection and selectively blocking certain communications, according to the configuration settings you specify. Windows Firewall is considered a "stateful" firewall; that is, it monitors outgoing requests and then attempts to pair each incoming response to an outgoing request. By default, incoming traffic that is not matched with an outgoing request is blocked.

In Windows Server 2008, you can use a single tool, the Windows Firewall with Advanced Security snap-in, to configure both Windows Firewall and Internet Protocol security (IPsec). The snap-in includes a variety of enhancements, described in the resources listed in Additional References, later in this section. Windows Firewall is enabled by default in Windows Server 2008, and after setup completes, Windows Firewall blocks all inbound traffic until the computer has the latest security updates installed.

Windows Server 2008 is designed to make it relatively easy to configure Windows Firewall with Advanced Security. For example, a variety of features in Windows Server 2008 are listed in the Exceptions list in Windows Firewall with Advanced Security, so that the person configuring the exception does not need to know technical details, only the name of the feature to be used.

You can use Windows Firewall along with your organization's perimeter firewall to enhance the protection of your computers. You can also use Windows Firewall to help protect a small network or single computer that is connected to the Internet.

Note

In Windows Server 2008, Server Manager includes the Security Information area under Server Summary. Information displayed there tells you whether Windows Firewall and other security-related features are turned on. From the Security Information area you can also run interfaces such as the Windows Firewall with Advanced Security snap-in.

Group Policy Setting for Disabling Windows Firewall

This section describes a Group Policy setting with which you can disable Windows Firewall. A variety of other Group Policy settings are available for controlling Windows Firewall. The settings are located in Computer Configuration under Policies (if present), in Administrative Templates\Network\Network Connections\Windows Firewall. For more information, see the settings or see the list of resources in Additional References, later in this section.

To disable Windows Firewall in a domain environment, the Group Policy setting you would use is located in Computer Configuration under Policies (if present), in Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile. The setting is called Windows Firewall: Protect all network connections. If you disable this policy setting, Windows Firewall does not filter or block any network traffic.

Important

Because the Windows Firewall service applies Windows service hardening rules to standard Windows Networking services, Microsoft does not support stopping the Windows Firewall service. If you do not want to use Windows Firewall, turn the firewall features off by using the Group Policy settings described in this section, without stopping the service.

Note that in Computer Configuration under Policies (if present), in Administrative Templates\Network\Network Connections, the setting called Prohibit use of Internet Connection Firewall on your DNS domain network still exists. This setting has no effect if Windows Firewall: Protect all network connections is enabled or disabled. However, if Windows Firewall: Protect all network connections is set to Not Configured, you can still prevent Windows Firewall from running by enabling Prohibit use of Internet Connection Firewall on your DNS domain network. (Internet Connection Firewall is the former name for Windows Firewall.)
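The precedence between the two settings described above can be checked on a computer with a short audit script. This is an added example, not code from the original appendix or from Microsoft. It assumes PowerShell 2.0 or later, and the registry locations, value names and value meanings it reads are assumptions that do not appear in the appendix, so confirm them against the administrative templates in your environment before relying on the result.

```powershell
# Added example: report how Group Policy controls Windows Firewall (domain profile).
# Assumption (not from the appendix): the two policies are stored at these registry
# locations, with 1/0 for Enabled/Disabled of "Protect all network connections" and
# 0 for Enabled of "Prohibit use of Internet Connection Firewall ...".
$FwKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
$NcKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'

function Get-PolicyDword([string]$Path, [string]$Name) {
    # Returns the stored value, or $null when the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Resolve-FirewallPolicy($ProtectAll, $ProhibitIcf) {
    # Precedence from the appendix: "Protect all network connections" decides whenever
    # it is Enabled or Disabled; "Prohibit use of Internet Connection Firewall"
    # only takes effect when the first setting is Not Configured.
    if ($ProtectAll -eq 1) { return 'On: Protect all network connections is Enabled' }
    if ($ProtectAll -eq 0) { return 'OFF: Protect all network connections is Disabled' }
    if ($ProhibitIcf -eq 0) { return 'OFF: Prohibit use of Internet Connection Firewall is Enabled' }
    return 'Not set by these two policies; local firewall configuration applies'
}

$protectAll  = Get-PolicyDword $FwKey 'EnableFirewall'
$prohibitIcf = Get-PolicyDword $NcKey 'NC_PersonalFirewallConfig'

# MpsSvc is the Windows Firewall service. The appendix says to leave it running even
# when the firewall is turned off by policy, so a stopped service is flagged separately.
$svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
$svcStatus = 'Not found'
if ($svc) { $svcStatus = [string]$svc.Status }

$report = New-Object PSObject -Property @{
    Computer       = $env:COMPUTERNAME
    PolicyResult   = Resolve-FirewallPolicy $protectAll $prohibitIcf
    ServiceStatus  = $svcStatus
    ServiceWarning = ($svcStatus -ne 'Running')
}
$report | Format-List Computer, PolicyResult, ServiceStatus, ServiceWarning
```

A PolicyResult beginning with OFF on a domain member means a GPO has turned filtering off, and ServiceWarning set to True means the service itself is not running, which is the unsupported state the Important note describes.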

Additional References