Enabling and Disabling Windows Firewall

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To protect your computer with Windows Firewall, you must turn on (enable) Windows Firewall and start the Windows Firewall/Internet Connection Sharing service. If the Windows Firewall/Internet Connection Sharing service is not running and you attempt to start Windows Firewall in the graphical user interface, a dialog box asks whether you want to start the service; if you are using the command prompt, a warning informs you that the service has not been started.

Note

The Windows Firewall/Internet Connection Sharing service does not stop when you turn off Windows Firewall. Although unsolicited incoming traffic will not be blocked, Windows Firewall events will still be written to the security event log as long as the Windows Firewall/Internet Connection Sharing service is running.

Turning Windows Firewall on and off

If you turn on the Windows Firewall/Internet Connection Sharing service after you have started any programs or system services that are listed in the program exceptions list, you should do the following:

  • Restart your computer.

  • Start the programs that are listed in the exceptions list.

Windows Firewall cannot track the state of a program's traffic or a system service's traffic if the program or system service is started before the Windows Firewall/Internet Connection Sharing service is started. This problem typically occurs when you stop the Windows Firewall/Internet Connection Sharing service to install and configure software, and then turn on the Windows Firewall/Internet Connection Sharing service after you start the software program.

Turning Windows Firewall on with no exceptions

When you turn on Windows Firewall, you can also configure a special setting that blocks all traffic that has been added to the exceptions list. This setting appears in the graphical user interface as the Don't allow exceptions check box. When you use this setting, all of the exceptions in the Windows Firewall exceptions list are disabled and all unsolicited incoming TCP/IP traffic is blocked.

Using the Don't allow exceptions setting will prevent the display of a Windows Security Alert dialog box when a program or system service attempts to listen for incoming traffic. However, Windows Firewall will continue to write notification events to the security log.

Turning Windows Firewall on or off for a specific connection

By default, when you turn Windows Firewall on or off, you are enabling or disabling Windows Firewall on every network connection on the computer. However, you can also turn Windows Firewall on or off on a connection-specific or interface-specific basis. When you do this, Windows Firewall filters traffic for each connection based on the connection-specific settings you configure.

When you turn on Windows Firewall globally, Windows Firewall is turned on for every connection on your computer unless you explicitly turn it off on a per-connection basis. However, if you turn off Windows Firewall globally, Windows Firewall is turned off for every connection on your computer; you cannot turn on Windows Firewall on a per-connection basis. In short, to turn Windows Firewall on or off on a per-connection basis, you must turn on Windows Firewall globally and then turn Windows Firewall on or off for each individual connection. The following table shows how global and per-connection settings are combined.

Global Setting    Per-Connection Setting    Resultant Per-Connection Setting
On                On                        On
On                Off                       Off
Off               Off                       Off
Off               On                        Off

When to perform this task

You should turn on Windows Firewall after you install Windows Server 2003 with Service Pack 1 (SP1). This includes:

  • Installations of SP1 on servers that are running Windows Server 2003.

  • Slipstream installations of Windows Server 2003 with SP1 on new servers.

  • Upgrades from older operating systems to Windows Server 2003 with SP1.

Note

You should not turn on Windows Firewall when you are running Routing and Remote Access, a perimeter firewall, such as Microsoft Internet Security and Acceleration (ISA) Server 2004, or a non-Microsoft host firewall.

When your computer is connected to a public network, such as the Internet, or a nonsecure private network, you can turn on Windows Firewall and use the Don't allow exceptions setting to disable all exceptions in the exceptions list. You can also use the Don't allow exceptions setting when your computer or organization is being attacked by a malicious program that relies on unsolicited incoming traffic to spread and you need to protect your computer while you install security updates, virus signatures, or security software.

After you have started and configured it, you rarely need to turn off Windows Firewall except to install software or perform troubleshooting.

You usually do not need to configure Windows Firewall on a connection-specific basis, but you might want to if you have a multihomed computer and you do not want Windows Firewall to protect every connection on your computer.
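The settings described above can also be applied from the command prompt. The following batch file is an added example, not part of the original page: it checks the service, turns Windows Firewall on with no exceptions, and optionally turns it off for one connection. It assumes the service name SharedAccess and the netsh firewall context available with SP1; the connection name passed as the first argument is a placeholder you supply.

```bat
@echo off
rem Added example (not from the original page).
rem Usage: fw-lockdown.cmd ["Connection name to leave unfiltered"]
rem The script name and the optional argument are hypothetical.
setlocal

rem SharedAccess is the service name of the
rem Windows Firewall/Internet Connection Sharing service.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 (
    echo Windows Firewall/ICS service is not running. Starting it...
    net start SharedAccess
    if errorlevel 1 (
        echo Could not start the service. Firewall settings were not changed.
        endlocal
        exit /b 1
    )
    echo Programs started before the service are not tracked.
    echo Restart the computer, then start the programs in the exceptions list.
)

rem Global setting: firewall on, exceptions list disabled
rem (the "Don't allow exceptions" check box in the graphical interface).
netsh firewall set opmode mode=ENABLE exceptions=DISABLE

rem Per-connection setting: only meaningful while the global setting is on.
rem "exceptions" and "interface" cannot be combined in one command.
if not "%~1"=="" (
    echo Turning Windows Firewall off for connection "%~1" only.
    netsh firewall set opmode mode=DISABLE interface="%~1"
)

rem Show the resulting operational mode so the change can be confirmed.
netsh firewall show opmode

endlocal
```

To allow the exceptions list again after updates are installed, run `netsh firewall set opmode mode=ENABLE exceptions=ENABLE`.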

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, perform the following procedures:

Turn Windows Firewall On or Off

Turn Windows Firewall On or Off for a Specific Connection

Turn Windows Firewall On with No Exceptions

See Also

Concepts

Configuring Windows Firewall with SCW
Restoring Windows Firewall Default Settings
Known Issues for Managing Resets, Startup, and Shutdown