Export (0) Print
Expand All
Expand Minimize

How to Configure Windows Firewall in a Small Business Environment Using Group Policy

Published: December 9, 2004 | Updated : July 21, 2006

On This Page

Introduction
Before You Begin
Adding Hotfixes to Administrative Workstations and Windows Small Business Server 2003
Create and Update a Group Policy Object
Configuring Windows Firewall Settings Using Group Policy
Applying Configuration with GPUpdate
Verifying Windows Firewall Settings Are Applied
Related Information

Introduction

This document explains how to configure the features of Windows Firewall on computers running Microsoft® Windows® XP Professional Service Pack 2 (SP2) in a small or medium-sized business (SMB) environment. The environment might include domain controllers running Microsoft Windows Small Business Server 2003, Microsoft Windows Server™ 2003, or Microsoft Windows 2000 Server.

The most efficient way to manage Windows Firewall settings in an organization's network is to use the Active Directory® directory service and configure Windows Firewall settings in Group Policy. Active Directory and Group Policy allow you to centrally configure settings for Windows Firewall and apply those settings to all Windows XP SP2 client computers.

Windows XP SP2 includes new administrative templates for Group Policy objects (GPOs) to enhance security for your client computer and domain including functionality for Windows Firewall. To apply these templates you might have to install hotfixes, depending on the operating system of the domain server or workstation in use.

After these templates are applied, any Group Policy updates will include settings for Windows Firewall. Group Policy updates are sent from the domain controller to all members of the domain and may also be requested by a domain member through the use of the GPUpdate utility.

To configure Windows Firewall, use the Group Policy Object Editor while logged in as a member of the Domain Admins group or the Group Policy Creator/Owner security group.

The following table lists the default settings for Windows Firewall.

Table 1. Default Windows Firewall Settings

Option

Default configuration

Modify when

Network connection settings

All connections

You no longer require the protection of Windows Firewall on a specific network connection or you require individual settings for each network connection.

Program exceptions

Remote Assistance only

You need to receive connections from other programs or services to your computer.

Port exceptions

None

You require connections from another computer that uses specific ports on your computer.

ICMP exceptions

None

You require other computers to verify that your computer is running and TCP/IP is configured correctly.

Notifications

On

You no longer wish to receive notification when other computers attempt to connect to your computer and fail.

Logging

Off

You require a record of connections or connection attempts made to your computer.

Don't allow exceptions

Off

You learn that your computer has a security vulnerability or you use your computer in a less secure environment such as an airport lounge.

The tasks to configure Windows Firewall using Group Policy are:

  • Add hotfixes to the GPO administrative workstations and Windows Small Business Server 2003.

  • Create and update GPOs.

  • Configure Windows Firewall settings with Group Policy.

  • Apply configuration with GPUpdate.

  • Verify Windows Firewall settings are applied.

Complete the tasks described in this document to help keep your computer safe from computer worms and other malicious code and continue to allow connections to and from the Internet.

Microsoft strongly recommends that you test any Windows Firewall Group Policy settings in a test environment before you deploy them in your production environment to ensure that your Group Policy configuration does not cause downtime or loss of productivity.

For definitions of security-related terms, see the following:

Objective of this Security Document

By conducting the processes detailed in this document, you will protect your Windows XP Professional clients from unauthorized users and malicious software by using a host–based firewall. In addition, these steps will enable advanced security management with Active Directory.

Before You Begin

Important   The instructions in this document were developed with the default menu that displays when you click the Start button. If you have modified your Start menu, the steps might differ slightly.

Windows XP with SP2 can be used on client computers in an Active Directory domain using domain controllers that run one of the following:

  • Windows Server 2003

  • Windows Small Business Server 2003

  • Windows 2000 Server SP4 or later

In most networks, the network hardware firewall, proxy, and other security systems provide a level of protection from the Internet to network computers.

If you do not have a host firewall (a locally installed software firewall) such as Windows Firewall, on your computer’s network connections, you are vulnerable to malicious programs that might be introduced by other computers when they attach to your network. Also, you are vulnerable when you use your computer away from your network, such as when you use a laptop computer at home or you connect to a hotel or airport network.

Before you install hotfixes, make sure that you have a good backup of the computer, including a backup of the registry.

For more information on how to back up the registry, see the following:

Adding Hotfixes to Administrative Workstations and Windows Small Business Server 2003

If you manage GPO settings on computers that run earlier operating systems or service packs (for example, Windows XP with SP1 or Windows Server 2003), you must install a hotfix (KB842933) so policy settings appear correctly in the Group Policy Object Editor.

If you use Small Business Server 2003 you must install an additional hotfix (KB872769). By default, Small Business Server 2003 disables Windows Firewall. The hotfix resolves this issue.

Note   The listed hotfixes are not included as part of Microsoft Update and must be installed separately. These hotfixes must be applied to all affected computers individually.

The KB842933 hotfix applies to the following:

  • Microsoft Windows Server 2003, Web Edition

  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)

  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

  • Microsoft Windows Server 2003, Enterprise Edition for Itanium–based Systems

  • Microsoft Windows XP Professional SP1

  • Microsoft Windows Small Business Server 2003 Premium Edition

  • Microsoft Windows Small Business Server 2003 Standard Edition

  • Microsoft Windows 2000 Advanced Server

  • Microsoft Windows 2000 Server

  • Microsoft Windows 2000 Professional Edition

The KB872769 hotfix applies to the following:

  • Microsoft Windows Small Business Server 2003 Standard Edition

  • Microsoft Windows Small Business Server 2003 Premium Edition

For more information or to obtain these hotfixes, see the following:

  • Microsoft Knowledge Base article 842933 on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?linkid=35474.

  • Microsoft Knowledge Base article 872769 on the Microsoft Help and Support Web site at http://go.microsoft.com/fwlink/?linkid=35477.

For additional information about how to download Microsoft Support files, see the following:

Requirements to Perform This Task

You will need the following to complete this task:

  • Credentials. You must log on to the client computer with an account that is a member of the Domain Admins or Local Administrators security group.

  • Tools. The appropriate downloaded hotfix for your operating system as explained in Knowledge Base articles 842933 and 872769.

How to Add Hotfixes

To add hotfix 842933 to Windows Small Business Server 2003 , Windows 2000 Server SP4 or later , Windows XP SP1 , or Windows Server 2003

  1. From the Windows desktop, click Start, click Run, type the path and file name of the downloaded hotfix, and then click OK.

  2. On the Welcome to KB842933 Setup Wizard screen, click Next.

  3. On the License page, review the terms of the license agreement. To continue, click I Agree and then click Next.

  4. On the Completing the KB842933 Setup Wizard screen, click Finish to complete the hotfix installation and restart the computer.

  5. Repeat steps 1 through 4 for all affected computers (servers and management workstations).

To add hotfix 872769 to Windows Small Business Server 2003

  1. From the Windows desktop, click Start, click Run, type the path and file name of the downloaded 872769 hotfix, and then click OK.

  2. On the Welcome to KB872769 Setup Wizard screen, click Next.

  3. On the License page, review the terms of the license agreement. To continue, click I Agree and then click Next.

  4. On the Completing the KB872769 Setup Wizard page, click Finish to complete the hotfix installation and restart the computer.

Create and Update a Group Policy Object

Windows XP SP2 adds settings to the Administrative Templates. To configure these new settings, you must update each GPO with the new Administrative Templates found in Windows XP SP2. If you do not update the GPOs, the Windows Firewall settings are not available.

On a Windows XP SP2 computer, you can use Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed to update GPOs by simply opening an existing GPO.

After a GPO has been updated, you can configure the network protection settings that are appropriate for your computers that run Windows XP SP2. In the following exercise we will create a new GPO that will immediately have these updated network protection settings.

Requirements to Perform This Task

You will need the following to complete this task:

  • Credentials. You must log on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of the Domain Admins or the Group Policy Creator/Owner security group.

  • Tools. Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Creating and Updating Group Policy Objects

To update Group Policy Objects with Windows XP SP2 new administrative templates

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate then click Group Policy Object Editor, and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. In the Browse for a Group Policy Object dialog box (shown in the following screen shot), click the Create New Group Policy Object button and name this new GPO Test Client Windows Firewall Policy.

    WFGP01.GIF

  7. Click OK, and then click Finish to close the Group Policy Wizard and apply the new administrative template to the selected GPO.

  8. In the Add Standalone Snap-in dialog box, click Close.

  9. In the Add/Remove Snap-in dialog box, click OK.

  10. Close the MMC, click File then click Exit. Do not save changes to the console settings.

    Note   Although you do not save console changes, this procedure imports the new Administrative Templates from Windows XP SP2 into the GPO. The Templates must be imported into each defined GPO.

  11. Repeat the preceding steps for every GPO used to apply Group Policy to Windows XP SP2–based computers.

To update your GPOs for network environments using Active Directory and Windows XP SP2, Microsoft recommends that you use the Group Policy Management Console, a free download. For more information, see the following:

Configuring Windows Firewall Settings Using Group Policy

There are two sets of Windows Firewall settings to configure:

  • Domain profile. These settings are used by computers that are connected to a network that contains domain controllers for the domain of which the computers are a member.

  • Standard profile. These settings are used by computers when they are not connected to a network, for example, when you travel with a laptop computer.

If you do not configure standard profile settings, the default values remain unchanged. Microsoft highly recommends that you configure both domain and standard profile settings, and that you enable Windows Firewall for both profiles. The only exception is if you are already using a third-party host firewall product (a locally installed software firewall). Microsoft recommends that you disable Windows Firewall if you are already using a third-party host firewall product.

The standard profile settings are typically more restrictive than the domain profile, because the standard profile settings do not include applications and services that are only used in a managed domain environment.

In a GPO, both the domain profile and standard profile contain the same set of Windows Firewall settings. Windows XP SP2 relies on network determination to apply correct profile settings.

Note   For more information about network determination, see "Network Determination Behavior for Network-Related Group Policy Settings" on the Microsoft TechNet Web site at http://go.microsoft.com/fwlink/?linkid=35480.

This section describes the possible Windows Firewall settings in a GPO and the recommended settings for a SMB environment. It also demonstrates how to configure the four major types of GPO settings.

Requirements to Perform This Task

You will need the following to complete this task:

  • Credentials. You must log on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of either the Domain Admins security group or the Group Policy Creator/Owner security group.

  • Tools. Microsoft Management Console (MMC) with the Group Policy Object Editor snap-in installed.

Note   To open a GPO, use either an MMC with the Group Policy Object Editor snap-in or the Active Directory Users and Computers console. To use the Active Directory Users and Computers console on a Windows XP client computer, you must first run Aadminpak.msi from the Windows Server 2003 CD.

Configuring Windows Firewall Settings Using Group Policy

Use the Group Policy snap-in to modify the Windows Firewall settings in the appropriate GPOs.

After you complete the following steps tp configure the Windows Firewall settings, wait for the settings to be applied to client computers by the standard refresh cycles or use the GPUpdate utility on the client computer. By default, these refresh cycles are every 90 minutes, with a random offset of +/- 30 minutes. The next refresh of Computer Configuration Group Policy will download the new Windows Firewall settings and applies them to computers that run Windows XP SP2.

To configure Windows Firewall settings using Group Policy

  1. From the Windows XP SP2 desktop, click Start, click Run, type mmc, and then click OK.

  2. On the File menu, click Add/Remove Snap-in.

  3. On the Standalone tab, click Add.

  4. In the Available Standalone Snap-ins list, locate and click Group Policy Object Editor, and then click Add.

  5. In the Select Group Policy Object dialog box, click Browse.

  6. Select the Test Client Windows Firewall Policy GPO, click OK, and then click Finish.

  7. Click Close to close the Add Stand-alone Snap-in box, and then on the Add/Remove Snap-in box click OK.

  8. In the console tree of the Group Policy Object Editor, open Computer Configuration, Administrative Templates, Network, Network Connections, and then Windows Firewall (shown in the following screen shot).

    WFGP02.GIF

  9. Select either Domain Profile (shown in the following screen shot) or Standard Profile.

    WFGP03.GIF

    The following table summarizes the Windows Firewall Group Policy recommended settings for the domain and standard profiles.

    Table 2. Windows Firewall Setting Recommendations

    Setting

    Description

    Domain profile

    Standard profile

    Protect all network connections

    Specifies that all network connections have Windows Firewall enabled.

    Enabled.

    Enabled.

    Do not allow exceptions

    Specifies that all unsolicited incoming traffic is dropped, including excepted traffic.

    Not configured.

    Enabled, unless you must configure program exceptions.

    Define program exceptions

    Defines excepted traffic in terms of program file names.

    Enabled and configured with the programs (applications and services) used by the computers running Windows XP SP2 on your network.

    Enabled and configured with the programs (applications and services) used by the computers running Windows XP SP2 on your network.

    Allow local program exceptions

    Enables local configuration of program exceptions.

    Disabled, unless you want local administrators to configure program exceptions locally

    Disabled.

    Allow remote administration exception

    Enables remote configuration using tools.

    Disabled, unless you want to be able to remotely administer your computers with MMC snap-ins.

    Disabled.

    Allow file and print sharing exception

    Specifies whether file and printer sharing traffic is allowed.

    Disabled, unless the computers running Windows XP SP2 are sharing local resources.

    Disabled.

    Allow ICMP exceptions

    Specifies the types of ICMP messages that are allowed.

    Disabled, unless you wish to use the ping command to troubleshoot.

    Disabled.

    Allow Remote Desktop exception

    Specifies whether the computer can accept a Remote Desktop-based connection request.

    Enabled.

    Enabled.

    Allow UPnP framework exception

    Specifies whether the computer can receive unsolicited UPnP messages.

    Disabled.

    Disabled.

    Prohibit notifications

    Disables notifications.

    Disabled.

    Disabled.

    Allow logging

    Allows traffic logs and configures log file settings.

    Not configured.

    Not configured.

    Prohibit unicast response to multicast or broadcast requests

    Discards the unicast packets received in response to a multicast or broadcast request message.

    Enabled.

    Enabled.

    Define port exceptions

    Specifies excepted traffic in terms of TCP and UDP.

    Disabled.

    Disabled.

    Allow local port exceptions

    Enables local configuration of port exceptions.

    Disabled.

    Disabled.

  10. Double-click each setting listed in Table 2, click Enabled, Disabled or Not Configured, and then click OK.

Enabling Exceptions for Ports

To enable exceptions for ports

  1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Define port exceptions. The following dialog box will display.

    WFGP04.GIF

  2. Select Enabled, and then click Show. The Show Contents dialog box (shown in the following screen shot) will display.

    WFGP05.GIF

  3. Click Add, and the Add Item dialog box will display. Type the information about the port that you want to block or enable. The syntax is as follows:

    port:transport:scope:status:name

    • port is the port number

    • transport is TCP or UDP

    • scope is either * (for all computers) or a list of the computers that are allowed to access the port

    • status is either enabled or disabled

    • name is a text string used as a label for this entry

    The example shown in the following screen shot is named WebTest and enables TCP port 80 for all connections.

    WFGP06.GIF

  4. After you enter the information, click OK to close the Add Item dialog box. The Show Contents dialog box (shown in the following screen shot) will display.

    WFGP07.GIF

  5. Click OK to close the Show Contents dialog box.

  6. Click OK to close Windows Firewall: Define port exceptions Properties.

Enabling Exceptions for Programs

To enable exceptions for programs

  1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Define program exceptions. The following dialog box will display.

    WFGP08.GIF

  2. Select Enabled, and then click Show. The Show Contents dialog box (shown in the following screen shot) will display.

    WFGP09.GIF

  3. Click Add, and the Add Item dialog box will display. Type the information about the program that you want to block or enable. The syntax is as follows:

    path:scope:status:name

    • path is the program path and file name

    • scope is either * (for all computers) or a list of the computers that are allowed to access the program

    • status is either enabled or disabled

    • name is a text string used as a label for this entry

    The example shown in the following screen shot is named Messenger and enables the Windows Messenger program at %program files%\messenger\msmsgs.exe for all connections.

    WFGP10.GIF

  4. After you enter the information, click OK to close the Add Item dialog box. The Show Contents dialog box (shown in the following screen shot) will display.

    WFGP11.GIF

  5. Click OK to close the Show Contents dialog box.

  6. Click OK to close Windows Firewall: Define program exceptions Properties.

Configuring Basic ICMP Options

To configure basic ICMP options

  1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Allow ICMP exceptions. The following dialog box will display.

    WFGP12.GIF

  2. Select Enabled, and then select the appropriate ICMP exception or exceptions to enable. The example in this screen shot selects Allow inbound echo request.

    You can also select Disabled to disable one or more ICMP exceptions.

  3. Click OK to close Windows Firewall: Allow ICMP exceptions Properties.

Logging Dropped Packets and Successful Connections

To log dropped packets and successful connections

  1. In either the Domain Profile or the Standard Profile settings area, double-click Windows Firewall: Allow logging. The following dialog box will display.

    WFGP13.GIF

  2. Select Enabled, select Log dropped packets, and then select Log successful connections. Type a Log file path and name, and leave the default Size limit (KB) for the log file size. Then click OK.

    Note   Ensure that the log file is saved in a secured location to prevent accidental or deliberate modification.

  3. When you have completed making changes to the Windows Firewall settings, close the console.

    Note   When you close the console, you will be prompted to save the console. Regardless of whether you save the console, your GPO settings will be saved.

  4. If prompted to save console settings, click No.

Applying Configuration with GPUpdate

The GPUpdate utility refreshes Active Directory–based Group Policy settings. After you configure Group Policy, you can wait for the settings to apply to client computers by the standard refresh cycles. By default, these refresh cycles are every 90 minutes, with a random offset of +/- 30 minutes. To refresh Group Policy right away, you can use the GPUpdate utility.

Requirements to Perform This Task

You will need the following to complete this task:

  • Credentials. You must be logged on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of the Domain Users group.

Running GPUpdate

To run GPUpdate

  1. From the Windows XP SP2 desktop click Start, and then click Run.

  2. In the Run dialog box type cmd, and then click OK.

  3. At the command prompt type GPUpdate, and then press ENTER. You should a screen similar to the following:

    WFGP14.GIF

  4. To close the command prompt type Exit, and then press ENTER.

Verifying Windows Firewall Settings Are Applied

Note   When you use Group Policy to configure Windows Firewall, you can prevent access to some elements of the configuration for local administrators. If you have prevented access, some tabs and options in the Windows Firewall dialog box are unavailable on user's local computers.

Requirements to Perform This Task

You will need the following to complete this task:

  • Credentials. You must be logged on to a Windows XP SP2 computer that is an Active Directory domain client, and you must use an account that is a member of the Domain Users group.

To verify Windows Firewall settings are applied

  1. From the Windows XP SP2 desktop, click Start, and then click Control Panel.

  2. Under Pick a category, click Security Center. A screen similar to the following will display.

    WFGP15.GIF

  3. Under Manage security settings for, click Windows Firewall.

  4. Click the General, Exceptions, and Advanced tabs, and verify that the configuration in Group Policy is also applied to Windows Firewall on the client computer.

If the configuration settings are not applied, you must troubleshoot the application of Group Policy. To do so, see the following:

Related Information

For more information about the Windows XP SP2 firewall, see the following:

For more information about Windows XP SP2 security, see the following:

For definitions of security-related terms, see the following:

Download

Get the How to Configure Windows Firewall in a Small Business Environment Using Group Policy


Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft