Viewing Rules

Updated: December 1, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Rules allow specified programs, protocols, or services to pass through the firewall. For example, when you enable Remote Desktop in Windows 7 or Windows Vista, Windows creates a rule to allow inbound Remote Desktop connection attempts to reach the computer. To view current rules in Windows Firewall with Advanced Security, in the console tree, click either the Inbound Rules folder or the Outbound Rules folder. Figure 6 shows an example of the Inbound Rules folder. The Inbound Rules folder shows all of the rules currently defined on the computer. To see only the rules that are currently active and enforced, click the Inbound Rules node under Monitoring instead.

To enable a rule, click the rule, and in the Actions list, click Enable Rule. To disable a rule, click the rule, and then click Disable Rule.

Note

If Group Policy has configured Windows Firewall with Advanced Security settings on your computer, then you might not be able to enable or disable firewall or connection security rules. If this is the case, then the Enable Rule and Disable Rule options in the Actions list do not appear.
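The console's Inbound Rules view is the authoritative list, but the same properties can be audited from the command line. The following PowerShell script is an added example, not code from the Microsoft page: it parses the output of `netsh advfirewall firewall show rule name=all verbose` into objects and flags enabled inbound Allow rules that neither require IPsec nor limit the remote address. The sample output is constructed; function names are my own.

```powershell
# Added example, not from the Microsoft page: parse "netsh advfirewall firewall show rule
# name=all verbose" output into objects and flag enabled inbound Allow rules that neither
# require IPsec (Security: NotRequired) nor limit the remote address (RemoteIP: Any).
# Field labels below are the English ones; other locales print translated labels.
function ConvertFrom-NetshRuleOutput {
    param([string[]]$Lines)
    $rules = @(); $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { $rules += $current }
            $current = New-Object PSObject -Property @{ RuleName = $Matches[1].Trim() }
        }
        elseif ($current -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            $name = $Matches[1] -replace ' ', ''   # "Edge traversal" -> EdgeTraversal
            $current | Add-Member -MemberType NoteProperty -Name $name -Value $Matches[2].Trim() -Force
        }
    }
    if ($current) { $rules += $current }
    return $rules
}

function Find-OpenInboundAllowRules {
    param([object[]]$Rules)
    $Rules | Where-Object {
        $_.Enabled -eq 'Yes' -and $_.Direction -eq 'In' -and $_.Action -eq 'Allow' -and
        $_.Security -eq 'NotRequired' -and $_.RemoteIP -eq 'Any'
    }
}

# Constructed sample in netsh's layout (trimmed to the fields the audit needs). For a live
# audit from an elevated prompt:  $lines = netsh advfirewall firewall show rule name=all verbose
$sample = @'
Rule Name:                            Remote Desktop (TCP-In)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            3389
Security:                             NotRequired
Action:                               Allow

Rule Name:                            File Server (SMB-In, IPsec)
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            445
Security:                             Authenticate
Action:                               Allow
'@
$rules = ConvertFrom-NetshRuleOutput ($sample -split "`r?`n")
Find-OpenInboundAllowRules $rules | Select-Object RuleName, LocalPort, Security | Format-Table -AutoSize
```

Only the Remote Desktop rule is reported; the rule whose Security is Authenticate (the "Allow the connection if it is secure" action) passes the check.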

To view and modify the properties for a rule, click the rule and then click Properties. The property sheet for a rule (shown in Figure 7) displays the tabs and options listed in Table 1.

Table 1. Properties for a rule that can be configured

Each entry below gives the tab, the option on that tab, and how the option is used.

General tab

  Name: Type a name for the rule.

  Description: Type a description for the rule.

  Enabled: Turn the rule on or off. This setting indicates whether the rule is active. Disabled rules do not affect traffic that is allowed or blocked.

  Action: Configure one of the following options:

    • Allow the connection. Use to allow any connection that matches all criteria specified by the rule. This option does not check whether the traffic is protected by IPsec.

    • Allow the connection if it is secure. Use to allow any connection that is protected by IPsec and that matches all criteria specified in the rule. You can further specify that the connection must also be encrypted in order to be allowed. You must separately create a connection security rule that specifies how traffic is protected; otherwise, the traffic will never match this rule.

      Note
      In Windows Vista and Windows Server 2008, this option was called Allow only secure connections.

    • Block the connection. Use to create a rule that blocks connections that meet the criteria specified in the rule.

Programs and Services tab

  Programs: Specify the full path to the executable file on the local computer.

  Services: Specify the short name of the service to which the rule applies. This is mapped to the security identifier (SID) associated with the service.

Computers tab

  Authorized computers: Specify that connections related to this rule are allowed only from a group of computers that you create. You can select this option only if you have also selected the option Allow the connection if it is secure and if the connection has been protected using a credential that provides the Active Directory identity information (most commonly, computer Kerberos v5).

  Exceptions: Specify computers that are not permitted to match this rule, even if they are members of a computer group that is in the Authorized computers list. This simplifies rule creation by supporting “all computers except this one” types of rules.

Users tab

  Authorized users: Specify that connections related to this rule are allowed only from a group of users that you create. You can select this option only if you have also selected the option Allow the connection if it is secure (called Allow only secure connections in Windows Vista and Windows Server 2008) and if the connection has been protected using a credential that provides the Active Directory identity information (most commonly, computer Kerberos v5).

  Exceptions: Specify users that are not permitted to match this rule, even if they are members of a user group that is in the Authorized users list. This simplifies rule creation by supporting “all users except this one” types of rules.

Protocols and Ports tab

  Protocol Type: Specify any type of IP protocol (for example, TCP or UDP).

  Protocol Number: Windows automatically fills in the protocol number based on the protocol type. If you are using a custom protocol type, you can specify the protocol number yourself.

  Local port: Specify the local port over which traffic can pass. In Windows 7 and Windows Server 2008 R2 you can specify a port range, such as 5000-5010. You can also specify one of the following keywords:

    • RPC Dynamic Ports

    • RPC Endpoint Mapper

    • IPHTTPS

    • Edge Traversal

  Remote port: Specify the remote port over which traffic can pass. In Windows 7 and Windows Server 2008 R2 you can specify a port range, such as 5000-5010.

  Internet Control Message Protocol (ICMP) Settings: Specify ICMP types and codes. This option is available only if the protocol type is ICMPv4 or ICMPv6.

Scope tab

  Local IP address and Remote IP address: Specify the local and remote IPv4 or IPv6 addresses, ranges of addresses, and subnets to which the rule applies.

Advanced tab

  Profiles: Specify the profiles to which the rule applies. This can be any combination of domain, public, and private profiles.

  Interface types: Specify the interface types to which the rule applies, such as local area network, wireless network adapter, or other connection type.

  Edge traversal: Specify whether unsolicited inbound packets that have passed through an edge device such as a NAT router are permitted.
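The Action and Computers entries above depend on each other: an "Allow the connection if it is secure" rule matches nothing until a connection security rule exists that protects the traffic, and Authorized computers additionally needs a computer credential such as Kerberos v5. The following netsh commands, run from PowerShell, are an added example and not from the Microsoft page; the rule names, the domain-only profile, the Remote Desktop port and the group SID placeholder are my choices.

```powershell
# Added example, not from the Microsoft page: create an inbound rule that uses
# "Allow the connection if it is secure" (netsh: security=authenticate) together with the
# connection security rule it depends on. The rule names, the domain-only profile and
# TCP 3389 (Remote Desktop) are my choices; run from an elevated prompt.
$fwRule = 'Remote Desktop IPsec-required inbound'
$csRule = 'Require inbound auth request outbound Kerberos'

# 1. Connection security rule: require authentication for inbound traffic and request it for
#    outbound, using computer Kerberos v5, the credential the Authorized computers option needs.
netsh advfirewall consec add rule name="$csRule" endpoint1=any endpoint2=any `
    action=requireinrequestout auth1=computerkerb profile=domain

# 2. Firewall rule: allow TCP 3389 inbound only when the connection is IPsec-authenticated.
#    Without rule 1, no traffic ever matches this rule, as the Action entry of Table 1 warns.
#    security=authenc would additionally require the connection to be encrypted.
netsh advfirewall firewall add rule name="$fwRule" dir=in action=allow protocol=TCP `
    localport=3389 security=authenticate profile=domain edge=no

# 3. Optional: limit the rule to an authorized computer group (Computers tab) by its SID in
#    SDDL form; <GroupSID> is a placeholder for the real S-1-5-21-... group SID.
# netsh advfirewall firewall set rule name="$fwRule" new rmtcomputergrp="D:(A;;CC;;;<GroupSID>)"

# 4. Verify the stored properties against what the rule's property sheet shows.
netsh advfirewall firewall show rule name="$fwRule" verbose
netsh advfirewall consec show rule name="$csRule"
```

If Group Policy manages the firewall on the computer, the locally added rules are still stored but the Group Policy settings decide whether they are enforced, so check the Inbound Rules node under Monitoring after running the script.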