Preventing Administrators from Creating Exceptions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, you must be a member of the Administrators group (or a member of a group that is a member of the Administrators group) to configure Windows Firewall exceptions. This prevents users from inadvertently configuring program and port exceptions, which can result in individualized configurations that are difficult to troubleshoot and can reduce your organization's overall security.

You can secure Windows Firewall even further by preventing local administrators from configuring Windows Firewall exceptions. This is useful if you have a centrally managed environment, such as a Group Policy environment or an environment in which you want to strictly enforce Windows Firewall configuration and policy settings.

When to perform this task

You should perform this task when required by your organization's security plan or when you want to strictly enforce Windows Firewall configuration and policy settings.

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, perform the following procedures:

Prevent Local Administrators from Creating Program Exceptions

Prevent Local Administrators from Creating Port Exceptions

See Also

Concepts

Best Practices for Securing Windows Firewall
Known Issues for Securing Windows Firewall
Preventing Administrators from Turning Windows Firewall On or Off