Prevent Local Administrators from Creating Program Exceptions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

This procedure is useful if you want to prevent local administrators from using Windows Firewall in Control Panel or the netsh firewall command to configure program exceptions.

Administrative Credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

Special Considerations

You can configure Windows Firewall settings in the standard profile or the domain profile. The domain profile is used when a computer is connected to a network in which the computer's domain account resides. The standard profile is used when a computer is connected to a network in which the computer's domain account does not reside, such as a public network or the Internet. Make sure Windows Firewall is using the correct profile when you perform this procedure.

For more information about Windows Firewall profiles, see Managing Windows Firewall Profiles.

You should verify scope settings for any exceptions that you change. For more information about scope settings, see Configuring Scope Settings.

To prevent local administrators from creating program exceptions

This procedure can be performed using Group Policy. You cannot perform this procedure from the command prompt with the netsh firewall command or in the graphical user interface with Windows Firewall in Control Panel.

Using Group Policy

To prevent local administrators from creating program exceptions

  1. Open the Group Policy Object Editor snap-in to edit the Group Policy object (GPO) that is used to manage Windows Firewall settings in your organization.

  2. Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.

  3. In the details pane, double-click Windows Firewall: Allow local program exceptions.

  4. In the Windows Firewall: Allow local program exceptions properties dialog box, on the Settings tab, click Disabled, and then click OK.
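After the GPO has been applied, a defender will want to confirm that the policy actually landed on the server. The script below is an added example and is not part of the original Microsoft procedure; it assumes the policy is stored by the Windows Firewall administrative template under the registry key named in the comments, which is not stated on this page.

```powershell
# Added verification script (not from the original page).
# Assumption: "Windows Firewall: Allow local program exceptions" is written by the
# WindowsFirewall.adm template to
#   HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\<Profile>\AuthorizedApplications
# as the DWORD value AllowUserPrefMerge (0 = Disabled, 1 = Enabled, absent = Not Configured).

function Get-LocalProgramExceptionPolicy {
    param(
        [ValidateSet('DomainProfile', 'StandardProfile')]
        [string]$Profile = 'DomainProfile'
    )

    $keyPath   = "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\$Profile\AuthorizedApplications"
    $valueName = 'AllowUserPrefMerge'

    $value = $null
    if (Test-Path $keyPath) {
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($item -ne $null) { $value = $item.$valueName }
    }

    # Absent value: policy Not Configured, so local administrators may still add exceptions.
    if ($value -eq $null)  { $state = 'NotConfigured' }
    elseif ($value -eq 0)  { $state = 'Disabled' }      # what this procedure sets
    elseif ($value -eq 1)  { $state = 'Enabled' }       # local exceptions explicitly allowed
    else                   { $state = "Unexpected($value)" }

    New-Object PSObject -Property @{
        Profile                       = $Profile
        RegistryKey                   = $keyPath
        PolicyState                   = $state
        LocalProgramExceptionsBlocked = ($value -eq 0)
    }
}

# Check both profiles: which one is active depends on whether the computer can reach its domain.
foreach ($p in 'DomainProfile', 'StandardProfile') {
    $result = Get-LocalProgramExceptionPolicy -Profile $p
    if ($result.LocalProgramExceptionsBlocked) {
        Write-Host "$($p): local program exceptions are blocked by Group Policy."
    } else {
        Write-Host "$($p): policy state is '$($result.PolicyState)'; local administrators can still add program exceptions."
        Write-Host "  If the GPO was just changed, refresh it with: gpupdate /target:computer"
    }
}
```

Run it in an elevated PowerShell session on the target server; a result of NotConfigured for the profile in use means the GPO has not been refreshed or is not linked to the computer's OU.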

Notes

  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.

  • Group Policy settings must be refreshed before they take effect.

See Also

Concepts

Preventing Administrators from Creating Exceptions
Known Issues for Securing Windows Firewall
Prevent Local Administrators from Creating Port Exceptions