Overview of Windows Firewall Deployment
Updated: June 8, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
By default, Windows Firewall is turned off (disabled) in Windows Server 2003 with Service Pack 1 (SP1). In addition, when Windows Firewall is turned on, all unsolicited incoming Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) traffic that uses UDP or TCP is blocked. Therefore, to deploy Windows Firewall you must turn on (enable) Windows Firewall and configure Windows Firewall settings so that unsolicited incoming traffic is allowed to reach the programs and services that are acting as servers, listeners, or peers.
The Security Configuration Wizard (SCW) is the recommended tool for deploying Windows Firewall in small, medium, and large organizations. SCW is an optional component that must be installed through Add or Remove Programs in Control Panel. SCW guides you through the process of creating a security policy, based on the roles performed by a given server. Once a policy is created, it can be edited or applied to one or more similarly configured servers. For more information, see Configuring Windows Firewall with SCW on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48116).
In addition to SCW, there are several other deployment tools that are suitable for small-scale and large-scale deployments of Windows Firewall.
If you are deploying Windows Firewall to a small number of servers, you can use Windows Firewall in Control Panel to turn on Windows Firewall and configure Windows Firewall settings on a server-by-server basis. This deployment method is not efficient if you are deploying to more than a few servers, and it can result in inconsistencies among your server configurations. Therefore, this deployment method is recommended only for small organizations or for servers that require special configuration settings. For more information about deploying Windows Firewall by using Windows Firewall in Control Panel, see the Step-by-Step Guide for Using Windows Firewall.
If you are deploying Windows Firewall to a large number of servers, you can use one of the following tools to automate the startup and configuration of Windows Firewall:
Windows Firewall Group Policy Settings
Windows Server 2003 with SP1 includes several new Group Policy settings that allow you to configure Windows Firewall using domain-based or local Group Policy. Using the Windows Firewall Group Policy settings is the recommended method for deploying Windows Firewall in organizations that use Active Directory. For more information about deploying Windows Firewall with Group Policy, see Deploying Windows Firewall with Group Policy.
Unattended Installation Answer File
Windows Server 2003 with SP1 includes several new answer file entries that allow you to enable or disable Windows Firewall and configure Windows Firewall settings. This deployment solution is recommended if your organization does not use Active Directory or Group Policy and you are rolling out slipstream installations of Windows Server 2003. For more information about using an answer file to deploy Windows Firewall, see Deploying Windows Firewall During an Unattended Installation.
Netfw.inf Information File
Windows Server 2003 with SP1 includes a Netfw.inf file that you can use to configure Windows Firewall settings while you are installing SP1 or while you are performing a slipstream installation of Windows Server 2003 with SP1. The Netfw.inf file is primarily used by original equipment manufacturers (OEMs) in a manufacturing environment, but it can also be used in a corporate environment during a large-scale rollout. For more information, see Deploying Windows Firewall with a Netfw.inf File.