Step-by-Step Guide for Using Windows Firewall

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Set up Windows Firewall for the first time using a four-step process: review Windows Firewall limitations, turn on Windows Firewall, configure Windows Firewall exceptions, and configure advanced settings.

This step-by-step guide shows you how to start and configure Windows Firewall for the first time on a computer that is running Windows Server 2003 with Service Pack 1 (SP1).

Steps for Using Windows Firewall

Step 1: Review Windows Firewall limitations.

Step 2: Turn on Windows Firewall.

Step 3: Configure exceptions.

Step 4: Configure advanced settings.

Do not use this guide if you are:

  • Using domain-based Group Policy to configure Windows Firewall.

  • Using an automated installation technology to configure Windows Firewall during setup, such as a Netfw.inf file or an answer file.

  • Using Security Configuration Wizard (SCW) to configure Windows Firewall.

Note   SCW is the recommended method for starting and configuring Windows Firewall. For more information, see Configuring Windows Firewall with SCW on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48116).

Step 1: Review Windows Firewall limitations.

It is recommended that you use Windows Firewall on all of your servers; however, there are a few server configurations on which you cannot run Windows Firewall. To determine whether Windows Firewall is appropriate for your server configuration, see Known issues for managing resets, startup, and shutdown on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48117).

In addition, Windows Firewall is designed to be a supplemental security solution; it should be part of a security architecture that implements a variety of security technologies. For more information, see Best practices for managing Windows Firewall on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48221) and Windows Firewall Technical Reference on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=42729).

You might not want to start Windows Firewall if a server requires you to open numerous ports or allow a large number of applications and services to receive unsolicited traffic. Because a significant volume of network traffic will be allowed through Windows Firewall anyway, disabling Windows Firewall eliminates the operational overhead associated with its configuration and maintenance. You also avoid any performance impact related to Windows Firewall. However, you should closely evaluate the design of any client or server that requires you to open numerous ports. Clients and servers that are configured for numerous roles or to provide numerous services can be a critical point of failure in your organization and might indicate poor infrastructure design.

Step 2: Turn on Windows Firewall.

Windows Firewall is turned off by default on Windows Server 2003. When you turn on Windows Firewall, you must also start the Windows Firewall/Internet Connection Sharing service, if it is not already running. If the Windows Firewall/Internet Connection Sharing service is not started, and you attempt to start Windows Firewall, a Windows Firewall dialog box will appear in the graphical user interface asking if you want to start the service.

To turn on Windows Firewall, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

To turn on Windows Firewall using Windows Firewall in Control Panel

  1. Open Control Panel, and double-click Windows Firewall.

    If a Windows Firewall dialog box displays a message asking if you want to turn on the Windows Firewall/Internet Connection Sharing service, click OK.

  2. On the General tab, click On.

  3. Click OK.

If a Windows Firewall setting appears dimmed in the graphical user interface, and you see For your security, some settings are controlled by Group Policy at the top of the General tab, the setting might be managed by Group Policy. In this case, you should not use this step-by-step guide.

If all Windows Firewall settings appear dimmed, and you see You must be a computer administrator to change these settings at the top of the General tab, you do not have administrative rights to configure Windows Firewall. For more information about administrative rights, see Default local groups on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=43150) and Default groups on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=43151). For more information about turning on Windows Firewall, see Enabling and disabling Windows Firewall on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48118).

Step 3: Configure exceptions.

When you turn on Windows Firewall for the first time, all unsolicited incoming TCP/IP traffic is blocked on all network connections. This means that any programs or system services that are acting as servers, listeners, or peers will be unable to receive traffic through TCP and UDP ports. To allow programs and system services to receive unsolicited traffic through these ports, you must add the program or system service to the Windows Firewall exceptions list. In some cases, if you cannot add a program or system service to the exceptions list, you must determine which port or ports the program or system service uses and add the port or ports to the Windows Firewall exceptions list.

To configure exceptions, do the following:

Use Windows Firewall notifications to add programs to the exceptions list

By default, Windows Firewall displays a Windows Security Alert dialog box whenever a program attempts to listen for incoming traffic and the incoming traffic is blocked. If you are a member of the Administrators group, the Windows Security Alert dialog box will display the option to keep blocking the program or unblock the program. Unblocking a program adds the program to the exceptions list and allows unsolicited incoming traffic to reach the program.

To add programs to the exceptions list, do the following when you see a Windows Security Alert dialog box:

  1. Verify that the program listed in Name is a program that you installed and that it is not a malicious program (malware) or spyware.

  2. Hover your cursor over the program name to see the path and file name for the program's executable (.exe) file. Verify that the path and file name are correct.

  3. If the program is legitimate (not malware or spyware) and you want it to receive unsolicited incoming traffic, click Unblock.

    If the program is a malicious program, click Keep Blocking. You should immediately remove any malicious programs from your computer.

    If you are unsure, but you think it might be a legitimate program, click Ask Me Later. Windows Firewall will continue to block the program, but will prompt you again later.

Windows Firewall displays a Windows Security Alert dialog box only when a program is running and attempting to listen for incoming traffic. If a program is not running or does not attempt to listen for incoming traffic, Windows Firewall does not display a Windows Security Alert dialog box. You might see several Windows Security Alert dialog boxes over the course of several minutes or several hours as programs and system services start up on your server. You should respond to each of these dialog boxes to be sure that you add all required programs to the Windows Firewall exceptions list.

For more information, see Managing Windows Firewall Notifications on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48222), Add a program to the exceptions list on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48119), and Add a port to the exceptions list on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48120).

Use the Windows Firewall Settings Technical Reference to determine which programs and ports to add to the exceptions list

Use the Windows Firewall Settings Technical Reference to find out how to configure program and port exceptions for your specific server configuration. The Windows Firewall Settings Technical Reference provides Windows Firewall configuration settings for server roles, system services, remote administration tools, and optional components.

Note   If you do not know which server roles or optional components are installed on your server, or you do not know which system services or remote administration tools your server uses, you should use SCW to configure Windows Firewall settings.

For more information, see Windows Firewall Settings on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=43155).

For detailed instructions about adding a program to the exceptions list, see Add a program to the exceptions list on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48119).

For detailed instructions about adding a port to the exceptions list, see Add a port to the exceptions list on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48120).

Step 4: Configure advanced settings.

To optimally configure Windows Firewall for your server, you must understand and configure the following:

Windows Firewall profiles

Windows Firewall settings can be configured in two profiles: a domain profile and a standard profile. This step-by-step guide has helped you configure settings in one profile only. For more information, see Managing Windows Firewall profiles on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48121).

Windows Firewall scope settings

When you configure a program, port, or system service exception, you must also configure scope settings for the exception. Scope settings control from which addresses unsolicited traffic is allowed to originate. For more information about scope settings, see Configuring scope settings on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48122).

ICMP settings

By default, Windows Firewall blocks all incoming Internet Control Message Protocol (ICMP) traffic and some outgoing ICMP traffic. This can prevent you from using certain troubleshooting tools, including the ping command. For more information about ICMP settings, see Configuring ICMP settings on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48224).

Log file settings

Windows Firewall has a log file that you can use to troubleshoot and monitor Windows Firewall. By default, the log file is disabled. For more information, see Using the Security Log on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48229) and Interpreting the Windows Firewall Log on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=48228).

Windows Firewall exceptions

Although you have added program, system service, and port exceptions to the exceptions list, it is likely you still need to add (or remove) exceptions for your server to function optimally. For more information about exceptions, see Managing Program, Port, and System Service Exceptions on the Microsoft Web site (https://go.microsoft.com/fwlink/?linkid=43261).
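As an added example that is not part of the original guide, the following batch script performs Steps 2 through 4 from the command line using the netsh firewall context that ships with Windows Server 2003 SP1, including the scope, ICMP, and log file settings described above. The program path, program name, port, and management subnet are assumptions; replace them with values for your server.

```batch
@echo off
rem Added example (not from the original guide): configure Windows Firewall on
rem Windows Server 2003 SP1 with the "netsh firewall" context, covering Steps 2-4.
rem APP_PATH, APP_NAME, MGMT_PORT and MGMT_SUBNET are assumed values; change them.
setlocal

set APP_PATH=C:\Program Files\Contoso\Listener.exe
set APP_NAME=Contoso Listener
set MGMT_PORT=3389
set MGMT_SUBNET=10.0.0.0/24
set LOG_PATH=%windir%\pfirewall.log

rem Step 2: the Windows Firewall/Internet Connection Sharing service (SharedAccess)
rem must be running before the firewall can be turned on.
sc query SharedAccess | find "RUNNING" >nul || net start SharedAccess || goto :fail

rem Step 2: turn the firewall on in both the domain and standard profiles and
rem keep the exceptions list in effect.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL || goto :fail

rem Step 3: program exception, scoped to the local subnet (scope setting, Step 4).
netsh firewall add allowedprogram program="%APP_PATH%" name="%APP_NAME%" mode=ENABLE scope=SUBNET profile=ALL || goto :fail

rem Step 3: port exception for a service that cannot be added by program, with a
rem custom scope so only the management subnet may originate unsolicited traffic.
netsh firewall add portopening protocol=TCP port=%MGMT_PORT% name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=%MGMT_SUBNET% profile=ALL || goto :fail

rem Step 4: allow inbound ICMP echo request (type 8) so ping works for troubleshooting.
netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL || goto :fail

rem Step 4: turn on the log file (disabled by default), recording dropped packets
rem and successful connections, capped at 4 MB.
netsh firewall set logging filelocation="%LOG_PATH%" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE || goto :fail

rem Keep Windows Security Alert prompts on so new listeners are reviewed rather
rem than silently blocked.
netsh firewall set notifications mode=ENABLE profile=ALL || goto :fail

rem Verify the resulting state and review the exceptions list for anything unexpected.
netsh firewall show state
netsh firewall show config
endlocal
exit /b 0

:fail
echo Windows Firewall configuration failed; see the netsh error above.
endlocal
exit /b 1
```

Run the script from an elevated command prompt as a member of the local Administrators group; if the opmode line fails with a Group Policy error, the setting is domain-managed and this guide does not apply.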

For more information about Windows Firewall, see Windows Firewall Help on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=33577).

See Also

Concepts

Deploying Windows Firewall