Configuring Program Firewall Rules
Updated: March 28, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you turn on Windows Firewall for the first time or restore Windows Firewall default settings, all unsolicited incoming TCP/IP traffic is blocked on all network connections. This means that any program or system service that attempts to listen for traffic on a TCP or UDP port will be unable to receive traffic. To allow programs and system services to receive unsolicited traffic through these ports, you must add the program or system service to the Windows Firewall exceptions list.
In some cases, if you cannot add a program or system service to the exceptions list, you must determine which port or ports the program or system service uses and add the port or ports to the Windows Firewall exceptions list.
To add a program or system service to the exceptions list, you must specify the executable (.exe) file used by the program or system service. A system service that runs within its own unique .exe file and is not hosted by a service container, such as Svchost.exe, is considered to be a program and can be added to the exceptions list. In the same way, a program that behaves like a system service and runs regardless of whether a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file. You cannot add a system service to the exceptions list unless the system service runs within its own unique .exe file. Also, you should not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the exceptions list.
When you add a program to the exceptions list, Windows Firewall dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall closes the ports. Because of this dynamic behavior, adding programs to the exceptions list is the recommended method for allowing unsolicited incoming traffic through Windows Firewall.
You can use program exceptions to allow unsolicited incoming traffic through Windows Firewall only if the program uses Windows Sockets (Winsock) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the exceptions list.
In addition to adding program exceptions, you can also edit and delete program exceptions. Editing a program exception allows you to change the path or file name that is associated with the program and configure scope settings for the exception. Deleting a program exception removes the exception from the exceptions list and prevents the program from receiving unsolicited incoming traffic (unless a port exception or some other exception allows unsolicited incoming traffic to reach the program).
Mitigating the Risks Associated with Exceptions
Each time you add a program to the exceptions list, you make your computer more accessible to attack. A common form of network attack uses port scanning software to identify computers that have open and unprotected ports. By adding numerous programs to the exceptions list, you defeat the purpose of a firewall and increase the attack surface of your computer. This problem typically occurs when you configure a server for several different roles and you must open numerous ports to accommodate each of the server roles. You should closely evaluate the design of any server that requires you to open numerous ports. Servers that are configured for numerous roles or to provide numerous services can be a critical point of failure in your organization and might indicate poor infrastructure design.
To decrease your security risk, follow these guidelines when you configure program exceptions:
Create an exception only when you need it. If you think a program might require a port for unsolicited incoming traffic, do not add the program to the exceptions list until you verify that the program attempted to listen for unsolicited traffic. By default, Windows Firewall displays a notification when a program attempts to listen for unsolicited traffic.
Never create an exception for a program that you do not recognize. If Windows Firewall notifies you that a program has attempted to listen for unsolicited traffic, verify the name of the program and the .exe file before you add the program to the exceptions list.
Remove an exception when you no longer need it. If you add a program to the exceptions list on a server and then change the server's role or reconfigure the services and applications on the server, be sure to update the exceptions list and remove exceptions that are no longer required.
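The guidelines above, together with the earlier rule against adding service containers, can be applied as a periodic audit of the exceptions list. The following is an added example, not code from the original page or from Microsoft; it assumes the exceptions have been exported as `Path:Scope:Status:Name` strings, and the function name, sample entries, and approved list are hypothetical.

```python
import ntpath
import re

# Service hosts the page says should not be added to the exceptions list.
SERVICE_CONTAINERS = {"svchost.exe", "dllhost.exe", "inetinfo.exe"}

# Assumed entry format: Path:Scope:Status:Name (path may contain a drive-letter colon).
ENTRY_RE = re.compile(
    r"^(?P<path>(?:[A-Za-z]:)?[^:]+):(?P<scope>[^:]*):"
    r"(?P<status>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE,
)

def audit_exceptions(entries, approved):
    """Return (entry, finding) pairs for program exceptions that need review.

    approved: lowercase .exe file names the administrator has verified.
    """
    findings = []
    for entry in entries:
        m = ENTRY_RE.match(entry.strip())
        if not m:
            findings.append((entry, "unparseable entry"))
            continue
        exe = ntpath.basename(m["path"]).lower()
        enabled = m["status"].lower() == "enabled"
        if exe in SERVICE_CONTAINERS:
            findings.append((entry, "service container; should not be excepted"))
        elif exe not in approved:
            findings.append((entry, "unrecognized program; verify the .exe"))
        elif not enabled:
            findings.append((entry, "disabled exception; remove if no longer needed"))
        elif m["scope"] == "*":
            findings.append((entry, "enabled for any source address; consider narrowing scope"))
    return findings

# Constructed sample list; not taken from a real server.
SAMPLE = [
    r"C:\Program Files\Backup\agent.exe:LocalSubNet:Enabled:Backup Agent",
    r"%windir%\system32\svchost.exe:*:Enabled:Generic Host",
    r"C:\Tools\listener.exe:*:Enabled:Listener",
    r"C:\Program Files\Monitor\mon.exe:*:Enabled:Monitor: Primary",
    r"C:\Old\legacy.exe:10.0.0.0/255.0.0.0:Disabled:Legacy App",
]
APPROVED = {"agent.exe", "mon.exe", "legacy.exe"}

if __name__ == "__main__":
    for entry, finding in audit_exceptions(SAMPLE, APPROVED):
        print(f"{finding}: {entry}")
```

Only the first matching finding is reported per entry, in the order the checks appear in the function.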
When to perform this task
You should configure a program exception when you can identify the .exe file for a program and you know that a program must receive unsolicited incoming traffic. You typically perform this task on an ongoing basis as your server roles and server configurations change.
No special tools are required to complete this task.
You can create most program exceptions by using the Windows Firewall notification feature. By default, Windows Firewall displays a Windows Security Alert dialog box (notification) whenever a program attempts to listen for incoming traffic and the incoming traffic is blocked. If you are a member of the Administrators group (or a member of a group that is a member of the Administrators group), the Windows Security Alert dialog box provides a Keep Blocking option, which adds the program to the exceptions list but does not enable the exception, and an Unblock option, which adds the program to the exceptions list and enables the exception so that unsolicited incoming traffic can reach the program. If you are not a member of the Administrators group, a notification appears, but it does not display the options to unblock or continue to block the program. The notification is informational only.
Many program exceptions are also created programmatically through the Windows Firewall application programming interfaces (APIs). Programs that use the Windows Firewall APIs can add themselves to the exceptions list without any user notification or input.
The notification feature is useful if you do not know which programs are acting as servers, listeners, or peers (that is, are listening for unsolicited incoming traffic). However, you might have to use other methods to configure program exceptions if:
You disable the notification feature.
You are not logged on to a computer as an administrator when you see the Windows Security Alert dialog box.
A program runs as a system service even though it runs within its own .exe file.
You turn on Windows Firewall with the Don't allow exceptions option.
If you know that a program acts as a server, listener, or peer and you know the program's .exe file name and the path to the .exe file, use this procedure to add the program to the exceptions list:
If you know that a program acts as a server, listener, or peer, but you do not know the program's .exe file name, you might be able to find this information in the Windows Firewall Settings Technical Reference. For more information, see Windows Firewall Settings on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=43155).
If you do not know which programs act as servers, listeners, or peers, use the following procedure to identify programs that listen for unsolicited incoming traffic, and then add the program to the exceptions list:
To edit or delete an existing program exception, use the following procedure: