Help: Understanding Windows Firewall exceptions

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Understanding Windows Firewall exceptions

When you first turn on Windows Firewall or you restore Windows Firewall default settings, all unsolicited incoming traffic is blocked on all network connections. This means that any program or system service that attempts to listen for traffic on a TCP or UDP port will be unable to receive network traffic. To allow programs and system services to receive unsolicited traffic through these ports, you need to add the program or system service to the Windows Firewall exceptions list, or you need to determine which port or ports the program or system service uses and add the port or ports to the Windows Firewall exceptions list. Adding programs, system services, and ports to the exceptions list is the most commonly used way to control which traffic is allowed to pass through Windows Firewall.

Note

You can also control which traffic is allowed to pass through Windows Firewall by configuring the Windows Firewall: Allow authenticated IPSec bypass Group Policy setting. However, this is not a commonly used method of controlling the traffic that passes through Windows Firewall.

Configuring exceptions

You can add exceptions to the Windows Firewall exceptions list on a global basis or on a per-connection basis. Global exceptions are applied to all of the network connections on a computer, including new connections that you create. The recommended method for configuring global Windows Firewall exceptions is to use the Security Configuration Wizard (SCW). You can also add global exceptions for programs, system services, and ports to the Windows Firewall exceptions list by using the Exceptions tab in Windows Firewall in Control Panel, the netsh firewall commands, or the Windows Firewall Group Policy settings.

Per-connection exceptions are applied to specific network connections. You can add per-connection exceptions for system services and ports by configuring Network Connections Settings on the Advanced tab in Windows Firewall in Control Panel and by using the netsh firewall set portopening and netsh firewall set icmpsettings commands. You cannot configure per-connection exceptions by using the Windows Firewall Group Policy settings.

You can also configure exceptions by enabling or disabling the preconfigured Windows Firewall exceptions by using the Exceptions tab in Windows Firewall in Control Panel, the netsh firewall set commands, or the Windows Firewall Group Policy settings. The following table lists the preconfigured exceptions, all of which are disabled by default:

File and Printer Sharing: Opens TCP ports 139 and 445 and UDP ports 137 and 138. Allows a computer to receive unsolicited traffic to shared files, folders, and printers.

Remote Desktop: Opens TCP port 3389. Allows a computer to be managed remotely with the Remote Desktop Connection feature.

UPnP Framework: Opens TCP port 2869 and UDP port 1900. Allows a computer to receive UPnP discovery requests from other computers and devices.

Remote administration: Opens TCP ports 135 and 445. Allows Svchost.exe and Lsass.exe to receive unsolicited incoming traffic and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034. Allows a computer to be remotely managed with administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

ICMP: Includes a suite of Internet Control Message Protocol (ICMP) exceptions. ICMP exceptions allow you to control how a computer responds to and sends ICMP messages, including messages that are used by the ping command.

Note

You can programmatically configure Windows Firewall exceptions by using the Windows Firewall application programming interface (API).

Mitigating the risks associated with exceptions

Each time you add a program, system service, or port to the exceptions list, you make your computer more accessible to attack. A common network attack uses port scanning software to identify computers that have open and unprotected ports. By adding numerous programs, system services, and ports to the exceptions list, you defeat the purpose of a firewall and increase the attack surface of your computer. This problem typically occurs when you configure a server for several different roles, and you need to open numerous ports to accommodate each of the server roles. You should closely evaluate the design of any server that requires you to open numerous ports. Servers that are configured for numerous roles or configured to provide numerous services can be a critical point of failure in your organization and usually indicate poor infrastructure design.

To help decrease your security risk, follow these guidelines:

Create an exception only when you need it

If you think a program or system service might require a port for unsolicited incoming traffic, do not add the program or system service to the exceptions list until you verify that the program or system service attempted to listen for unsolicited traffic. By default, Windows Firewall displays a notification when a program attempts to listen for unsolicited traffic. You can also use the security event log to determine whether a system service has attempted to listen for unsolicited traffic.

Never allow an exception for a program that you do not recognize

If Windows Firewall notifies you that a program has attempted to listen for unsolicited traffic, verify the name of the program and the executable (.exe) file before you add the program to the exceptions list. Likewise, if you use the security event log to identify system services that have attempted to listen for unsolicited traffic, verify that the service is a legitimate system service before you add a port to the exceptions list for the system service.

Remove an exception when you no longer need it

If you add a program, system service, or port to the exceptions list on a server, and then change the server's role or reconfigure the services and applications on the server, be sure to update the exceptions list and remove all of the exceptions that are no longer necessary.

Best practices for creating exceptions

In addition to the general guidelines for managing exceptions, use the following best practices when adding a program, system service, or port to the exceptions list.

Adding programs

Always try to add a program (.exe file) or a system service that runs within an .exe file to the exceptions list before you try to add a port. When you add a program to the exceptions list, Windows Firewall dynamically opens the required ports for the program. When the program is running, Windows Firewall allows incoming traffic through the required ports; when the program is not running, Windows Firewall blocks any incoming traffic that is sent to the ports.

Adding system services

Do not add system services to the exceptions list if the system service runs within Svchost.exe. Adding Svchost.exe to the exceptions list allows any system service running inside every instance of Svchost.exe to receive unsolicited incoming traffic. You should add system services to the exceptions list only if the system service runs within an .exe file or you can enable a preconfigured Windows Firewall system service exception, such as the UPnP Framework exception or the File and Printer Sharing exception.

Adding ports

You should add a port to the exceptions list as a last resort. When you add a port to the exceptions list, Windows Firewall allows incoming traffic through the port regardless of whether a program or system service is listening on the port for incoming traffic.
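As an added example that is not part of this help page, the following batch script applies the guidelines and best practices above (review first, prefer program exceptions, use preconfigured exceptions, scope narrowly, open ports last and per-connection, remove stale exceptions) using the netsh firewall commands named under Configuring exceptions. The executable path, service name, interface name, port number and address range are placeholders.

```batch
@echo off
rem Added example, not from the original help page. Run in an elevated
rem command prompt on Windows Server 2003 SP1/SP2. All names, paths,
rem ports and addresses below are placeholders.

rem 1. Review the current firewall configuration and the ports that are
rem    actually open before adding anything.
netsh firewall show config
netsh firewall show state

rem 2. Prefer a program exception over a port: Windows Firewall opens the
rem    program's ports only while the program is running. Limit the
rem    exception to the local subnet rather than all addresses.
netsh firewall set allowedprogram program="C:\Program Files\Contoso\ContosoSvc.exe" name="Contoso Service" mode=ENABLE scope=SUBNET

rem 3. Use a preconfigured exception instead of opening its ports by hand,
rem    restricted to a management network (placeholder address range).
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=10.10.0.0/24

rem 4. Open a port only as a last resort, and then on one connection
rem    (interface=) instead of globally. Never add Svchost.exe as a program:
rem    every service hosted in every Svchost.exe instance would be exposed.
netsh firewall set portopening protocol=TCP port=8443 name="Contoso Admin Port" mode=ENABLE scope=SUBNET interface="Local Area Connection"

rem 5. Log dropped packets so attempts to reach closed ports are visible
rem    in the firewall log.
netsh firewall set logging droppedpackets=ENABLE

rem 6. When the server's role changes, remove the exceptions that are no
rem    longer needed instead of leaving them in place.
netsh firewall delete portopening protocol=TCP port=8443 interface="Local Area Connection"
netsh firewall delete allowedprogram program="C:\Program Files\Contoso\ContosoSvc.exe"
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE

rem 7. Confirm the resulting exceptions list.
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show service
```

Steps 2 through 4 and step 6 are normally run at different times; they are shown together here only to pair each addition with its matching removal.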

See Also

Concepts

Help: Windows Firewall overview
Help: Administering Windows Firewall
Help: Configure Exceptions and Notifications
Help: Configure Windows Firewall Auditing and Logging
Security Configuration Wizard