Understanding the "On with no exceptions" Mode Functionality of Windows Firewall


Windows XP SP2 includes an update to Windows Firewall. In addition to the features described in other topics, Windows Firewall includes an "On with no exceptions" operational mode in which all excepted ports are locked down. An excepted port is a static port that is allowed to accept unsolicited connections from the network during typical operation. In this mode, the excepted ports are closed in addition to the ports that Windows Firewall already blocks. If a virus is spreading in your organization and relies on one of the excepted ports to communicate, running Windows Firewall in the "On with no exceptions" mode will impair the virus's ability to spread. Like the other features of Windows Firewall in Windows XP SP2, the "On with no exceptions" mode can be toggled through Group Policy.

Recommendations

  • Review the documentation in the Resource section about how to specify and deploy the Windows Firewall "On with no exceptions" mode through Group Policy.

  • Deploy third-party products with similar lock-down functionality if you are not using Windows Firewall.
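
The following PowerShell audit script is an added example and is not part of this article or of any Microsoft tool; it reports, per firewall profile, whether "On with no exceptions" is in effect by reading the Group Policy and local registry values that the Windows XP SP2 firewall uses (EnableFirewall and DoNotAllowExceptions), and includes a helper that applies the mode locally with netsh where no policy is in control. The registry paths, value names and the netsh syntax are the documented XP SP2 ones; the function names are this example's own.

```powershell
# Added example (not from the original article). Audits whether Windows
# Firewall runs "On with no exceptions" on an XP SP2 host. Group Policy values
# (Administrative Templates > Network > Network Connections > Windows Firewall:
# "Protect all network connections" and "Do not allow exceptions") are stored
# under the policy root and take precedence over the local settings.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$localRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallModeState {
    param([ValidateSet('DomainProfile','StandardProfile')][string]$Profile)

    $state = @{ Profile = $Profile; Source = 'not configured'; Enabled = $false; NoExceptions = $false }
    # Check the policy location first; fall back to the local location only if
    # Group Policy does not set either value for this profile.
    foreach ($loc in @(@{ Path = "$policyRoot\$Profile"; Source = 'GroupPolicy' },
                       @{ Path = "$localRoot\$Profile";  Source = 'Local' })) {
        if (-not (Test-Path $loc.Path)) { continue }
        $props = Get-ItemProperty -Path $loc.Path
        if (($null -ne $props.EnableFirewall) -or ($null -ne $props.DoNotAllowExceptions)) {
            $state.Source       = $loc.Source
            $state.Enabled      = ($props.EnableFirewall -eq 1)
            $state.NoExceptions = ($props.DoNotAllowExceptions -eq 1)
            break
        }
    }
    New-Object PSObject -Property $state
}

function Set-FirewallNoExceptionsLocally {
    # XP SP2 netsh firewall context. Has no lasting effect on a profile that
    # Group Policy controls; re-run the audit afterwards to confirm the result.
    netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL | Out-Null
}

foreach ($p in 'DomainProfile','StandardProfile') {
    $s = Get-FirewallModeState -Profile $p
    $mode = if ($s.Source -eq 'not configured') { 'no explicit setting in registry' }
            elseif ($s.Enabled -and $s.NoExceptions) { 'ON WITH NO EXCEPTIONS' }
            elseif ($s.Enabled) { 'on (exceptions allowed)' }
            else { 'OFF' }
    '{0,-16} {1,-16} {2}' -f $s.Profile, $s.Source, $mode
}
```

Run it with local administrator rights; a profile reported as "on (exceptions allowed)" from the Local source is one where the Group Policy recommendation above has not yet reached the host.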

Resource