Preventing Administrators from Creating Exceptions
Updated: March 28, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By default, you must be a member of the Administrators group (or a member of a group that is a member of the Administrators group) to configure Windows Firewall exceptions. This prevents users from inadvertently configuring program and port exceptions, which can result in individualized configurations that are difficult to troubleshoot and can reduce your organization's overall security.
You can secure Windows Firewall even further by preventing local administrators from configuring Windows Firewall exceptions. This is useful if you have a centrally-managed environment, such as a Group Policy environment or an environment in which you want to strictly enforce Windows Firewall configuration and policy settings.
When to perform this task
You should perform this task when required by your organization's security plan or when you want to strictly enforce Windows Firewall configuration and policy settings.
No special tools are required to complete this task.
To complete this task, perform the following procedures: