Change the Scope of a Firewall Rule

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Use this procedure to configure the scope of an exception when you add or change a port, program, or system service exception. This procedure is useful when you want to create an exception but you want to make the exception less accessible, particularly to malicious users.

You cannot configure scope settings for port exceptions that are configured on a per-connection basis. The scope of a per-connection port exception includes any IP address. Also, you cannot configure scope settings for Internet Control Message Protocol (ICMP) exceptions. The scope of an ICMP exception includes any IP address.

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Special Considerations

You can configure Windows Firewall settings in the standard profile or the domain profile. The domain profile is used when a computer is connected to a network in which the computer's domain account resides. The standard profile is used when a computer is connected to a network in which the computer's domain account does not reside, such as a public network or the Internet. Make sure Windows Firewall is using the correct profile when you perform this procedure.

For more information about Windows Firewall profiles, see Managing Windows Firewall Profiles.

Using the My network (subnet) only option can make your computer more accessible than you expect. Make sure that you clearly understand how this option restricts scope before you use it.

To change the scope of an exception

This procedure can be performed using the graphical user interface or the command prompt.

Using the graphical user interface

To change the scope of an exception

  1. Open Windows Firewall, and click the Exceptions tab.

  2. In Programs and Services, click the exception that you want to configure, and click Edit.

  3. Click Change scope, and do one of the following:

    If you want to enable the exception for all computers, click Any computer (including those on the Internet), and then click OK.

    If you want to enable the exception for computers that can be reached directly by your computer, click My network (subnet) only, and then click OK.

    If you want to enable the exception for specific IPv4 IP addresses or IPv4 IP address ranges, click Custom list, enter the specific IP addresses or IP address ranges, and then click OK.

If a Windows Firewall setting appears dimmed in the graphical user interface, and on the General tab you see "For your security, some settings are controlled by Group Policy", the setting might be managed by Group Policy. If all Windows Firewall settings appear dimmed, and on the General tab you see "You must be a computer administrator to change these settings", you do not have administrative rights to configure Windows Firewall.

Using the command prompt

To change the scope of an exception

  • If you are changing the scope of a program exception, type the following at the command prompt, and press ENTER:

    netsh firewall set allowedprogram program = program name = name mode = mode scope = scope addresses = addresses

  • If you are changing the scope of a system service exception, type the following at the command prompt, and press ENTER:

    netsh firewall set service type = type mode = mode scope = scope addresses = addresses

  • If you are changing the scope of a port exception, type the following at the command prompt, and press ENTER:

    netsh firewall set portopening protocol = protocol port = port name = name mode = mode scope = scope addresses = addresses

Substitute values for the placeholders (program, protocol, port, type, name, mode, scope, and addresses). The following table lists possible values for each placeholder.

Placeholder / Possible Values / Description

program
  Possible values: Path and file name for the .exe file.
  Description: Specifies the program to add to the exceptions list.

protocol
  Possible values: TCP, UDP, All
  Description: Specifies the protocol for the port. Use All to specify both TCP and UDP.

port
  Possible values: Any number from 1 to 65,535
  Description: Specifies the port number.

type
  Possible values: Fileandprint, Remoteadmin, Remotedesktop, Upnp, All
  Description: Specifies the service to configure. Use All to specify all services.

name
  Possible values: Any string less than 256 characters
  Description: Specifies the friendly name for the exception, which is displayed in the graphical user interface. You must enclose name in quotation marks.

mode
  Possible values: enable, disable
  Description: Specifies whether the exception is enabled or disabled.

scope
  Possible values: All, Subnet, Custom
  Description: Specifies the scope setting.

addresses
  Possible values: Comma-separated list of IPv4 addresses or ranges of IPv4 addresses
  Description: Specifies the IPv4 addresses or IPv4 address ranges if you use the Custom scope setting.

If you get an "Access Denied" message when you run a command, you do not have administrative rights to configure Windows Firewall. If you get an "Ok" message but the command does not take effect, the setting might be managed by Group Policy.
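The following is an added example, not part of the original page, that fills in the three command-prompt forms above with the placeholder values from the table and then checks the result. The program path, exception names, port number and IP addresses are constructed for illustration; the netsh firewall show commands used for verification are not listed on this page but are part of the same netsh firewall context on Windows Server 2003.

```batch
@echo off
rem Added example (not from the original page). All paths, names and
rem addresses are constructed; replace them with your own values.
rem Run from a command prompt opened as a member of Administrators.

rem 1. Program exception: narrow the scope to a management subnet plus one
rem    monitoring host instead of leaving it open to any address.
netsh firewall set allowedprogram program = C:\ExampleApp\exampleapp.exe name = "Example App" mode = enable scope = Custom addresses = 192.168.10.0/24,10.0.0.25

rem 2. System service exception: limit Remote Desktop to the local subnet
rem    (read "Using the My network (subnet) only option" above first).
netsh firewall set service type = Remotedesktop mode = enable scope = Subnet

rem 3. Port exception: allow TCP 8080 only from two administrative workstations.
netsh firewall set portopening protocol = TCP port = 8080 name = "Example Web Console" mode = enable scope = Custom addresses = 192.168.10.15,192.168.10.16

rem 4. Verify. An "Ok" reply alone does not prove the change took effect,
rem    because a Group Policy setting can silently override it, so list the
rem    exceptions and confirm the Scope column shows what you expect.
netsh firewall show allowedprogram
netsh firewall show service
netsh firewall show portopening
```

Each set command replaces the scope of the named exception, so re-running the script is safe. If any of the show commands still reports a scope of All for an exception you restricted, check whether the Windows Firewall settings are controlled by Group Policy, as described above.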

Notes

  • To start Windows Firewall, click Start, point to Control Panel, and then click Windows Firewall.

  • To open a command prompt, click Start, point to All programs, point to Accessories, and then click Command Prompt.

  • You can also use Group Policy settings to perform this procedure and configure other Windows Firewall settings.

  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.

See Also

Concepts

Configuring Scope Settings
Known Issues for Managing Firewall Rules