Appendix A: Windows Firewall Group Policy Settings

This appendix describes the details of the following Windows Firewall Group Policy settings found in the Group Policy snap-in in the following locations:

  • Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall

    • Windows Firewall: Allow authenticated IPSec bypass
  • Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Domain Profile and Computer Configuration/Administrative Templates/Network/Network Connections/Windows Firewall/Standard profile

    • Windows Firewall: Protect all network connections

    • Windows Firewall: Do not allow exceptions

    • Windows Firewall: Define program exceptions

    • Windows Firewall: Allow local program exceptions

    • Windows Firewall: Allow remote administration exception

    • Windows Firewall: Allow file and print sharing exception

    • Windows Firewall: Allow ICMP exceptions

    • Windows Firewall: Allow Remote Desktop exception

    • Windows Firewall: Allow UPnP framework exception

    • Windows Firewall: Prohibit notifications

    • Windows Firewall: Allow logging

    • Windows Firewall: Prohibit unicast response to multicast or broadcast requests

    • Windows Firewall: Define port exceptions

    • Windows Firewall: Allow local port exceptions

Note  Windows Firewall Group Policy settings are subject to Group Policy inheritance rules and behaviors. For more information, see the topic titled "Policy inheritance" in Windows 2000 Server Help or Windows Server 2003 Help and Support.

Windows Firewall: Allow Authenticated IPSec Bypass

The Windows Firewall: Allow authenticated IPSec bypass setting allows you to specify that the Windows Firewall does not process IPSec-secured traffic from specified computers.

The IPsec bypass only applies to computers that are the responder to an IPsec SA negotiation. The initiator of the session does not set the bypass flag for the connection, so the firewall on the initiator still inspects the packets. If the responder uses the same IPsec SA to connect back to the initiator, the packets are filtered out by the firewall on the initiator.

The following figure shows the Windows Firewall: Allow authenticated IPSec bypass setting.

[Figure: WSFP1205.gif]

When IPSec is used to secure traffic, IPSec peers must perform mutual computer-level authentication before secured traffic is sent. This mutual authentication is typically performed in an Active Directory environment using Kerberos v5 or with public key certificates. In both cases, credentials that are administered by a central IT organization establish the trust in the IPSec peer.

The Windows Firewall: Allow authenticated IPSec bypass setting can be enabled for organization networks that:

  • Use IPSec to protect traffic.

  • Enable the Windows Firewall.

  • Assume that if the traffic is IPSec-protected, then it does not need to be inspected by the firewall.

One common use of this setting is to prevent Windows Firewall from processing the IPSec-protected traffic of a network security vulnerability scanning system.

You can select the following:

  • Not Configured (default) or Disabled

    Windows Firewall processes IPSec-secured traffic. The difference between the Not Configured and Disabled settings is based on Group Policy inheritance rules.

  • Enabled

    Windows Firewall does not process IPSec-secured traffic.

When you select Enabled, you must type or paste the Security Descriptor Definition Language (SDDL) string that corresponds to the group accounts for the computers to which this policy applies. The format of the SDDL string to enter in the text box for a single group is:

O:DAG:DAD:(A;;RCGW;;;SID)

in which SID is the Security Identifier (SID) of a group account. To obtain the SID of a group account, use the Getsid.exe tool from Windows 2000 Server Resource Kit Tools or Windows Server 2003 Resource Kit Tools. Getsid.exe is typically used to compare the SIDs of two accounts on different domain controllers, but you can also use it to obtain the SID of a specified user or group account.

To obtain a SID for a group account, use the following syntax:

getsid \\domain_controller group_account \\domain_controller group_account

in which domain_controller is the computer name of a domain controller and group_account is the group account name.

Here is an example for a domain controller named EXAMPLE2 for the example.com domain:

    C:\>getsid \\example2 IPSecComputers \\example2 IPSecComputers
    The SID for account EXAMPLE\IPSecComputers matches account EXAMPLE\IPSecComputers
    The SID for account EXAMPLE\IPSecComputers is S-1-5-21-3575094098-3669797271-991787341-1127
    The SID for account EXAMPLE\IPSecComputers is S-1-5-21-3575094098-3669797271-991787341-1127

Therefore, the SID for the IPSecComputers group account is S-1-5-21-3575094098-3669797271-991787341-1127.

For this example, to specify that IPSec-secured traffic received from computers that are members of the IPSecComputers group is not processed by Windows Firewall, enter the following in the Windows Firewall: Allow authenticated IPSec bypass setting:

O:DAG:DAD:(A;;RCGW;;;S-1-5-21-3575094098-3669797271-991787341-1127)

If you have more than one group, then the syntax for the SDDL string is:

O:DAG:DAD:(A;;RCGW;;;SID1) (A;;RCGW;;;SID2) (A;;RCGW;;;SID3)...
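As an added example (not part of the original appendix), the following Python extracts a group SID from getsid.exe output, builds the bypass SDDL value for one or more groups, and parses an existing value back into its SIDs so that a deployed policy can be checked for entries nobody intended. The getsid transcript and the second SID used in the comments are constructed for the example.

```python
import re

# Constructed transcript, modelled on the getsid.exe output shown in this appendix.
GETSID_OUTPUT = """\
The SID for account EXAMPLE\\IPSecComputers matches account EXAMPLE\\IPSecComputers
The SID for account EXAMPLE\\IPSecComputers is S-1-5-21-3575094098-3669797271-991787341-1127
The SID for account EXAMPLE\\IPSecComputers is S-1-5-21-3575094098-3669797271-991787341-1127
"""

# A SID in string form: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Owner and group are the Domain Admins alias (DA); the DACL holds one ACE per group.
SDDL_PREFIX = "O:DAG:DAD:"
ACE_RE = re.compile(r"\(A;;RCGW;;;(S-1-[\d-]+)\)")


def extract_sids(getsid_output: str) -> dict:
    """Map account name -> SID from getsid.exe lines of the form
    'The SID for account DOMAIN\\name is S-1-...'."""
    sids = {}
    for line in getsid_output.splitlines():
        m = re.match(r"The SID for account (\S+) is (S-1-[\d-]+)$", line.strip())
        if m:
            sids[m.group(1)] = m.group(2)
    return sids


def build_bypass_sddl(sids) -> str:
    """Build the value for Windows Firewall: Allow authenticated IPSec bypass:
    one (A;;RCGW;;;SID) access-allowed ACE per group, written back to back."""
    aces = []
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError(f"not a valid SID: {sid!r}")
        aces.append(f"(A;;RCGW;;;{sid})")
    if not aces:
        raise ValueError("at least one group SID is required")
    return SDDL_PREFIX + "".join(aces)


def parse_bypass_sddl(sddl: str) -> list:
    """Return the group SIDs granted bypass by an existing policy value.
    Anything other than the exact owner/group/DACL form the appendix specifies
    is rejected, so a mistyped or tampered value is caught rather than silently
    widening the set of computers whose traffic the firewall does not inspect."""
    if not sddl.startswith(SDDL_PREFIX):
        raise ValueError("SDDL must start with O:DAG:DAD:")
    body = sddl[len(SDDL_PREFIX):]
    sids = ACE_RE.findall(body)
    # Everything after the prefix must be those ACEs, optionally whitespace-separated.
    if not sids or ACE_RE.sub("", body).strip():
        raise ValueError(f"unexpected content in DACL: {body!r}")
    for sid in sids:
        if not SID_RE.match(sid):
            raise ValueError(f"malformed SID in ACE: {sid!r}")
    return sids


if __name__ == "__main__":
    found = extract_sids(GETSID_OUTPUT)          # {'EXAMPLE\\IPSecComputers': 'S-1-5-21-...'}
    value = build_bypass_sddl(found.values())
    print(value)
    print(parse_bypass_sddl(value))
```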

Windows Firewall: Protect All Network Connections

The Windows Firewall: Protect all network connections setting allows you to specify the operating mode of Windows Firewall, and is shown in the following figure.

[Figure: WSFP1206.gif]

You can select the following:

  • Not Configured (default)

    No change to the status of Windows Firewall is made. Local administrators may enable or disable Windows Firewall locally, such as from the General tab of the Windows Firewall component in Control Panel. The Windows Firewall runs unless you enable the Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting.

  • Enabled

    Windows Firewall is enabled to protect all network connections and local administrators cannot enable or disable Windows Firewall locally. The Prohibit use of Internet Connection Firewall on your DNS domain network Group Policy setting is ignored.

  • Disabled

    Disables Windows Firewall. Local administrators cannot enable the Windows Firewall.

Windows Firewall: Do Not Allow Exceptions

The Windows Firewall: Do not allow exceptions setting is used to discard all incoming unsolicited traffic, including excepted traffic, and is shown in the following figure.

[Figure: WSFP1207.gif]

You can select the following:

  • Not Configured (default)

    Local administrators can enable or disable the operational mode in which no exceptions are allowed, such as from the General tab of the Windows Firewall component in Control Panel.

  • Enabled

    Excepted traffic is not allowed. You should also enable the Windows Firewall: Protect all network connections setting. Otherwise, local administrators can thwart the Windows Firewall: Do not allow exceptions setting by disabling the Windows Firewall locally. Enabling this setting does not affect other Windows Firewall local or Group Policy settings, which are restored when you set this setting to Not Configured or Disabled.

  • Disabled

    Local administrators cannot enable the operational mode in which no exceptions are allowed.

Windows Firewall: Define Program Exceptions

The Windows Firewall: Define program exceptions setting allows you to configure excepted traffic by specifying the program's file name, and is shown in the following figure.

[Figure: WSFP1208.gif]

You can select the following:

  • Not Configured (default)

    No excepted traffic is configured. Local administrators can specify allowed programs locally, such as from the Exceptions tab of the Windows Firewall component in Control Panel, unless the Windows Firewall: Allow local program exceptions setting is set to Disabled.

  • Enabled

    The configured program exceptions are excepted traffic. All locally configured program exceptions are ignored, including settings pre-defined through setup files, as described in Appendix E and Appendix F.

  • Disabled

    No excepted traffic is configured. The program exceptions list defined by Group Policy is deleted and the one defined by local administrators is ignored, unless you enable the Windows Firewall: Allow local program exceptions policy setting.

To define the list of allowed programs, click Enabled, and then click Show. The Show Contents dialog box is displayed. An example is shown in the following figure.

[Figure: WSFP1209_big.gif]

From Show Contents, you can add or remove an allowed program. You cannot edit an existing allowed program. To change an existing allowed program, remove it, and then add with the correct parameters.

To add a new allowed program, click Add. An example is shown in the following figure.

[Figure: WSFP1210.gif]

In Add Item, type the parameters for an allowed program using the following syntax:

ProgramPath:Scope:Enabled|Disabled:ApplicationName

  • ProgramPath

    Type the path and file name of the application as it is installed on the computers running Windows XP with SP2. You can use environment variables such as %ProgramFiles% when specifying the program path.

  • Scope

    The Scope parameter specifies the addresses from which the traffic is allowed. Type * to specify traffic originating from any source IPv4 address or a comma separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

    LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    IPv6 traffic supports the * and LocalSubnet scopes.

    Note  If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    Host names, DNS names, or DNS suffixes are not supported.

  • Enabled|Disabled

    This is the Status parameter. Type Enabled to allow incoming unsolicited traffic to this application. Type Disabled to prevent the program from being allowed in the exceptions list. This does not prevent excepted programs from running or receiving solicited incoming traffic if the ports are opened elsewhere or by another application.

  • ApplicationName

    Type a friendly name for the program. This becomes the name of the program in the list of allowed programs in the Windows Firewall settings of the computers running Windows XP with SP2.

The following is an example of an allowed program entry:

%ProgramFiles%\ExampleAppFolder\Example.exe:*:Enabled:Example Program

If you type an invalid program definition string, Windows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not installed yet.

It is possible to create multiple entries for the same program with conflicting Scope or Status parameters. If entries have conflicting Scope parameters, any system specified by any entry can send messages to this program. If the Status parameter of a definition string is set to Disabled, Windows Firewall prohibits incoming messages to this program. If entries have different Status values, then any definition with the Status set to Disabled overrides all definitions with the Status set to Enabled, and the program does not receive the messages. Therefore, if you set the Status to Disabled, you can prevent local administrators from enabling the program.

Windows Firewall opens ports for the program only when the program is running and listening for incoming traffic. If the program is not running, or is running but not listening for those messages, Windows Firewall does not open its ports.
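As an added example (not part of the original appendix), the following Python parses program exception strings and their Scope lists under the rules above, rejects a scope containing a stray space, and works out the effective result when several entries name the same program. It also parses the Port#:TCP|UDP:Scope:Enabled|Disabled:PortName strings of the Windows Firewall: Define port exceptions setting described later in this appendix, which use the same Scope grammar. The sample entries and the right-to-left field split are assumptions made for the example.

```python
import ipaddress
import re

# Only digits, dots and a slash may appear in an IPv4 scope entry. A space or any
# other character invalidates the whole scope; the appendix says the setting
# then behaves as if it were disabled.
SCOPE_CHARS = re.compile(r"^[0-9./]+$")


def parse_scope(scope: str) -> list:
    """Expand a Scope string: '*' for any source, or a comma-separated list of
    LocalSubnet, IPv4 addresses, IPv4/dotted-mask or IPv4/prefix-length ranges.
    Ranges come back normalized to network/prefix form."""
    if scope == "*":
        return ["*"]
    sources = []
    for token in scope.split(","):
        if token == "LocalSubnet":
            sources.append(token)
            continue
        if not SCOPE_CHARS.match(token):
            raise ValueError(f"invalid characters in scope entry {token!r}")
        try:
            # strict=False accepts a host address inside the range (10.47.81.231/24)
            # as well as a network ID, with either a dotted mask or a prefix length.
            sources.append(str(ipaddress.IPv4Network(token, strict=False)))
        except ValueError as exc:
            raise ValueError(f"invalid IPv4 scope entry {token!r}: {exc}") from None
    return sources


def parse_program_exception(definition: str) -> dict:
    """Parse 'ProgramPath:Scope:Enabled|Disabled:ApplicationName'. Fields are taken
    from the right so a drive-letter colon in ProgramPath survives (assumption:
    the friendly name itself contains no colon)."""
    parts = definition.split(":")
    if len(parts) < 4:
        raise ValueError(f"expected ProgramPath:Scope:Status:Name, got {definition!r}")
    name, status, scope = parts[-1], parts[-2], parts[-3]
    if status not in ("Enabled", "Disabled"):
        raise ValueError(f"Status must be Enabled or Disabled, got {status!r}")
    entry = {"path": ":".join(parts[:-3]), "scope": scope, "status": status,
             "name": name, "sources": [], "error": ""}
    try:
        entry["sources"] = parse_scope(scope)
    except ValueError as exc:
        entry["error"] = str(exc)
        entry["status"] = "Disabled"   # a bad scope grants nothing
    return entry


def parse_port_exception(definition: str) -> dict:
    """Parse 'Port#:TCP|UDP:Scope:Enabled|Disabled:PortName' (Define port exceptions);
    its Scope field follows exactly the same rules as a program exception's."""
    parts = definition.split(":", 4)
    if len(parts) != 5:
        raise ValueError(f"expected Port#:TCP|UDP:Scope:Status:Name, got {definition!r}")
    port, proto, scope, status, name = parts
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port number {port!r}")
    if proto not in ("TCP", "UDP") or status not in ("Enabled", "Disabled"):
        raise ValueError(f"bad protocol or status in {definition!r}")
    return {"port": int(port), "protocol": proto, "sources": parse_scope(scope),
            "status": status, "name": name}


def effective_policy(definitions) -> dict:
    """Combine several entries for the same program as the appendix describes:
    any Disabled entry wins outright; otherwise the program accepts unsolicited
    traffic from the union of all its scopes. Keyed by lower-cased ProgramPath."""
    policy = {}
    for definition in definitions:
        entry = parse_program_exception(definition)
        prog = policy.setdefault(entry["path"].lower(),
                                 {"status": "Enabled", "sources": set(), "warnings": []})
        if entry["error"]:
            prog["warnings"].append(f"{definition!r}: {entry['error']}")
        if entry["status"] == "Disabled":
            prog["status"] = "Disabled"
        else:
            prog["sources"].update(entry["sources"])
    for prog in policy.values():
        if prog["status"] == "Disabled":
            prog["sources"] = set()      # Disabled overrides every Enabled entry
        elif "*" in prog["sources"]:
            prog["sources"] = {"*"}      # any source already covers the rest
    return policy


# Constructed sample entries (not from the appendix) that exercise each rule above.
SAMPLE_DEFINITIONS = [
    r"%ProgramFiles%\ExampleAppFolder\Example.exe:*:Enabled:Example Program",
    r"C:\Tools\Agent.exe:LocalSubnet,10.7.14.9/255.255.255.0:Enabled:Agent",
    r"C:\Tools\Agent.exe:172.16.31.11/24:Enabled:Agent",
    r"C:\Tools\Legacy.exe:LocalSubnet, 10.1.1.1:Enabled:Legacy",   # stray space
    r"C:\Tools\Blocked.exe:*:Enabled:Blocked",
    r"C:\Tools\Blocked.exe:*:Disabled:Blocked",
]
```

Running effective_policy(SAMPLE_DEFINITIONS) reports Agent.exe as Enabled for LocalSubnet, 10.7.14.0/24 and 172.16.31.0/24, Blocked.exe as Disabled despite its Enabled entry, and Legacy.exe as Disabled with a warning about the space in its scope.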

Windows Firewall: Allow Local Program Exceptions

The Windows Firewall: Allow local program exceptions setting allows you to specify whether local administrators are allowed to configure their own program exceptions, and is shown in the following figure.

[Figure: WSFP1211.gif]

You can select the following:

  • Not Configured (default)

    If the Windows Firewall: Define program exceptions setting is set to Not Configured, local administrators can add program exceptions locally, such as from the Exceptions tab of the Windows Firewall component in Control Panel.

  • Enabled

    Local administrators can add program exceptions.

  • Disabled

    Local administrators cannot add program exceptions.

Windows Firewall: Allow Remote Administration Exception

The Windows Firewall: Allow remote administration exception setting allows you to specify whether computers running Windows XP with SP2 can be remotely administered by applications that use TCP ports 135 and 445 (such as MMC and WMI), and is shown in the following figure.

[Figure: WSFP1212.gif]

Services that use these ports to communicate are using remote procedure calls (RPC) and Distributed Component Object Model (DCOM) to access remote hosts. In effect, Windows Firewall adds Svchost.exe and Lsass.exe to the program exceptions list and allows those services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. Windows Firewall also allows incoming ICMP Echo messages (also known as the ICMP Echo Request messages).

You can select the following:

  • Not Configured (default)

    Remote administration is not allowed.

  • Enabled

    Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. In Allow unsolicited incoming messages from, type * to specify traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

    LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    IPv6 traffic supports the * and LocalSubnet scopes.

    Note  If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    Host names, DNS names, or DNS suffixes are not supported.

  • Disabled

    Remote administration is not allowed. Windows Firewall blocks port 135 and does not open 445. Also, in effect, it adds SVCHOST.EXE and LSASS.EXE to the program exceptions list with the Status of Disabled. Because disabling this policy setting does not block TCP port 445, it does not conflict with the Windows Firewall: Allow file and printer sharing exception setting. This does not prevent these programs from running or their corresponding ports from being opened.

Malicious users and programs often attempt to attack networks and computers using RPC and DCOM traffic. We recommend that you contact the manufacturers of your critical programs to determine if they require RPC and DCOM communication. If they do not, then do not enable this setting.

Note  If you only want to open a subset of the ports that this setting opens, leave this setting set to Not Configured and use the Windows Firewall: Define port exceptions setting to selectively open ports.

Windows Firewall: Allow File and Print Sharing Exception

The Windows Firewall: Allow file and print sharing exception setting specifies whether the ports for file and printer sharing are open, and is shown in the following figure.

[Figure: WSFP1213.gif]

You can select the following:

  • Not Configured (default)

    The ports for file and printer sharing are not opened. The shared files and printers on the computer will not be available from other computers. However, local administrators can configure the pre-defined File and Printer Sharing exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.

  • Enabled

    The following ports for file and printer sharing are opened:

    • UDP 137

    • UDP 138

    • TCP 139

    • TCP 445

    When you enable the pre-defined File and Printer Sharing exception, Windows Firewall also allows incoming ICMP Echo messages.

    In Allow unsolicited incoming messages from, type * to specify file and printer sharing traffic originating from any source IPv4 address or a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

    LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    IPv6 traffic supports the * and LocalSubnet scopes.

    Note  If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    Host names, DNS names, or DNS suffixes are not supported.

  • Disabled

    The ports for file and printer sharing are not opened and local administrators cannot configure the pre-defined File and Printer Sharing exception. The shared files and printers on the computer will not be available from other computers. Selecting Disabled does not prevent these ports from being used by other applications.

    Note  If you only want to open a subset of the ports that this setting opens, leave this setting set to Not Configured and use the Windows Firewall: Define port exceptions setting to selectively open ports.

Windows Firewall: Allow ICMP Exceptions

The Windows Firewall: Allow ICMP exceptions setting allows you to configure specific types of ICMP messages as excepted traffic, and is shown in the following figure.

[Figure: WSFP1214.gif]

You can select the following:

  • Not Configured (default)

    Local administrators can define ICMP exceptions, such as from the Advanced tab of the Windows Firewall component in Control Panel.

  • Enabled

    The specified unsolicited incoming ICMP traffic is allowed. When you select Enabled, you must also specify the specific types of ICMP messages that are allowed. Selecting Enabled overrides the local ICMP settings of Windows Firewall.

  • Disabled

    No unsolicited incoming ICMP traffic is allowed. Local administrators cannot define ICMP exceptions.

If you do not enable this setting and select Allow inbound echo request, tools that use the ICMP Echo message (also known as the ICMP Echo Request message), such as Ping or Tracert, will not work. If you are running network management software that uses ICMP Destination Unreachable messages, also select Allow outbound destination unreachable.

If any policy setting opens TCP port 445, Windows Firewall automatically allows incoming ICMP Echo messages, even if the Windows Firewall: Allow ICMP exceptions setting is disabled. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.

Other Windows Firewall policy settings affect only incoming messages, but several of the options of the Windows Firewall: Allow ICMP exceptions setting affect outgoing communication.

Windows Firewall: Allow Remote Desktop Exception

The Windows Firewall: Allow Remote Desktop exception setting allows you to specify whether Remote Desktop connections are allowed, and is shown in the following figure.

[Figure: WSFP1215.gif]

You can select the following:

  • Not Configured (default)

    Remote Desktop connections are not allowed. However, local administrators can configure the pre-defined Remote Desktop exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.

  • Enabled

    Remote Desktop connections are allowed. TCP port 3389 is opened.

    In Allow unsolicited incoming messages from, type * to specify Remote Desktop traffic originating from any source IPv4 address or a comma separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

    LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    IPv6 traffic supports the * and LocalSubnet scopes.

    Note  If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    Host names, DNS names, or DNS suffixes are not supported.

  • Disabled

    Remote Desktop connections are not allowed. Local administrators cannot configure the pre-defined Remote Desktop exception.

Windows Firewall: Allow UPnP Framework Exception

The Windows Firewall: Allow UPnP framework exception setting specifies whether the ports for UPnP traffic are open, and is shown in the following figure.

[Figure: WSFP1216.gif]

You can select the following:

  • Not Configured (default)

    The ports for UPnP traffic are not opened, which prevents the computer from receiving UPnP messages. However, local administrators can configure the pre-defined UPnP Framework exception, such as from the Exceptions tab of the Windows Firewall component in Control Panel.

  • Enabled

    The following ports for UPnP traffic are opened:

    • UDP 1900

    • TCP 2869

    In Allow unsolicited incoming messages from, type * to specify UPnP traffic originating from any source IPv4 address or a comma separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

    LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    IPv6 traffic supports the * and LocalSubnet scopes.

    Note  If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    Host names, DNS names, or DNS suffixes are not supported.

  • Disabled

    The ports for UPnP traffic are not opened, which prevents the computer from receiving unsolicited incoming UPnP messages. Local administrators cannot configure the pre-defined UPnP Framework exception.

    Note  If you only want to open a subset of the ports that this setting opens, leave this setting set to Not Configured and use the Windows Firewall: Define port exceptions setting to selectively open ports.

Windows Firewall: Prohibit Notifications

The Windows Firewall: Prohibit notifications setting specifies whether the Windows Firewall displays notification messages when applications listen on a port, and is shown in the following figure.

[Figure: WSFP1217.gif]

You can select the following:

  • Not Configured (default)

    The notification messages are displayed. However, local administrators can configure notification behavior, such as the Notify when Windows Firewall blocks a program option from the Exceptions tab of the Windows Firewall component in Control Panel.

  • Enabled

    The notification messages are not displayed.

  • Disabled

    The notification messages are displayed. Local administrators cannot configure notification behavior.

When most applications request an open port, Windows Firewall adds the program to the program exceptions list with the default status value of Disabled. If you enable this policy setting, notifications are not displayed and the status value for the program exception remains Disabled until manually changed.

If you disable or do not configure this policy setting, Windows Firewall displays notification messages.

If the user is not a local administrator, the message informs them that they might need to contact a network administrator, which can alert the network administrator about possible malicious programs on the network.

If the user is a local administrator, and either you have enabled the Windows Firewall: Allow local program exceptions setting or you have not configured the Windows Firewall: Define program exceptions setting, then the notification message allows the user to specify whether to enable the application. If you disable the Windows Firewall: Define program exceptions setting, then the user will not be notified unless enabled locally.

Windows Firewall: Allow Logging

The Windows Firewall: Allow logging setting specifies whether the Windows Firewall logs activity information to a log file, and is shown in the following figure.

[Figure: WSFP1218.gif]

You can select the following:

  • Not Configured (default)

    Logging is not enabled.

  • Enabled

    Logging is enabled with the specified log file settings.

  • Disabled

    Logging is not enabled. Local administrators cannot enable logging, such as from the Advanced tab of the Windows Firewall component in Control Panel.

If enabled, you must provide the name, location, and maximum size of the log file (up to a maximum size of 32767 KB). When the log file becomes full, it is archived and a new file is created. The location can contain environment variables, such as %SystemRoot%. You can also separately specify whether you want to log the following:

  • Dropped packets, which correspond to incoming unsolicited traffic that was not excepted.

  • Successful connections, which correspond to successful incoming and outgoing connections.

There is no option to log incoming packets (solicited or unsolicited) that were not dropped.

Windows Firewall: Prohibit Unicast Response to Multicast or Broadcast Requests

The Windows Firewall: Prohibit unicast response to multicast or broadcast requests setting specifies whether a unicast response message, received in reply to a multicast or broadcast message that the computer sent, is dropped, and is shown in the following figure.

[Figure: WSFP1219.gif]

You can select the following:

  • Not Configured (default) or Disabled

    The received unicast response is accepted (not dropped) if received within 3 seconds. The difference between the Not Configured and Disabled settings is based on Group Policy inheritance rules.

  • Enabled

    The unicast response to a multicast or broadcast packet sent by the computer is dropped.

This setting has no effect if the unicast message is a response to a DHCP broadcast message sent by the computer. Windows Firewall always permits DHCP unicast responses. However, this policy setting can interfere with the unique NetBIOS name conflict detection process, in which a broadcast-based NetBIOS message is sent to register a NetBIOS unique name. If another computer on the network is using that same name, there is a name conflict and the current name owner sends a unicast NetBIOS Negative Name Registration Reply message. If the Windows Firewall drops this message, then the computer continues to use the duplicate name. If the computers are using Windows Internet Name Service (WINS), then the duplicate name is detected via the WINS server.

Windows Firewall: Define Port Exceptions

The Windows Firewall: Define port exceptions setting allows you to specify excepted traffic in terms of TCP and UDP ports, and is shown in the following figure.

[Figure: WSFP1220.gif]

You can select the following:

  • Not Configured (default)

    No excepted traffic is configured. Local administrators can specify open ports locally, such as from the Exceptions tab of the Windows Firewall component in Control Panel.

  • Enabled

    The configured ports are excepted traffic. Locally configured port exceptions are ignored, including settings pre-defined through setup files, as described in Appendix E and Appendix F.

  • Disabled

    No excepted traffic is configured. Local administrators cannot specify open ports locally, unless the Windows Firewall: Allow local port exceptions setting is set to Enabled.

To define the list of open ports, click Enabled, and then click Show. The Show Contents dialog box is displayed, as shown in the following figure.

[Figure: WSFP1221_big.gif]

From Show Contents, you can add or remove an open port. You cannot edit an existing open port. To change an open port, remove it, and then add it with the correct parameters.

To add a new open port, click Add. An example is shown in the following figure.

[Figure: WSFP1222.gif]

In Add Item, type the parameters for an open port using the following syntax:

Port#:TCP|UDP:Scope:Enabled|Disabled:PortName

  • Port#

    Type the port number for the TCP or UDP Port.

  • TCP|UDP

    This is the Port Type parameter. Type TCP to specify a TCP port. Type UDP to specify a UDP port.

  • Scope

    The Scope parameter specifies the addresses from which the traffic is allowed. Type * to specify traffic originating from any source IPv4 address, or type a comma-separated list of sources. The sources can be LocalSubnet to specify traffic originating from a directly reachable IPv4 address, or one or more IPv4 addresses or IPv4 address ranges separated by commas. IPv4 address ranges typically correspond to subnets. For IPv4 addresses, type the IPv4 address in dotted decimal notation. For IPv4 address ranges, you can specify the range using a dotted decimal subnet mask or a prefix length. When you use a dotted decimal subnet mask, you can specify the range as an IPv4 network ID (such as 10.47.81.0/255.255.255.0) or by using an IPv4 address within the range (such as 10.47.81.231/255.255.255.0). When you use a network prefix length, you can specify the range as an IPv4 network ID (such as 10.47.81.0/24) or by using an IPv4 address within the range (such as 10.47.81.231/24). The following is an example list of sources:

    Note  Enter this list as a single line.

    LocalSubnet,10.91.12.56,10.7.14.9/255.255.255.0,10.116.45.0/255.255.255.0,172.16.31.11/24,172.16.111.0/24

    IPv6 traffic supports the * and LocalSubnet scopes.

    Notes  If you have any spaces between the entries in the list of sources or any other invalid characters, the scope is ignored and the setting behaves as if it were disabled. Please double-check your scope syntax before saving changes.

    Host names, DNS names, or DNS suffixes are not supported.

  • Enabled|Disabled

    This is the Status parameter. Type Enabled to allow incoming unsolicited traffic to this port. Type Disabled to prevent the port from being allowed in the exceptions list.

  • PortName

    Type a friendly name for the traffic or program that uses the port. This becomes the name of the port in the list of open ports in the Windows Firewall settings of the computers running Windows XP with SP2.

The following is an example of a valid port entry:

23:TCP:*:Enabled:Telnet

Note  You can add the same port multiple times to the Open Ports list. An entry to enable an open port takes precedence over an entry to disable it.
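The following added example (not part of this appendix, and not Microsoft's own code) parses an entry in the Port#:TCP|UDP:Scope:Enabled|Disabled:PortName syntax, validates the Scope field against the rules above (LocalSubnet, IPv4 addresses, ranges with a dotted decimal mask or a prefix length, no spaces, no host names), and applies the precedence note; the function names and the sample entries are the example's own.

```python
import ipaddress

def parse_scope(scope):
    """Validate a Scope field: '*' or a comma-separated list of LocalSubnet, IPv4
    addresses and IPv4 ranges (addr/mask or addr/prefix). Spaces are rejected here."""
    if scope == "*":
        return ["*"]
    if " " in scope:  # the firewall ignores the scope and treats the entry as disabled
        raise ValueError("scope contains spaces; entry would be ignored")
    sources = []
    for item in scope.split(","):
        if item == "LocalSubnet":
            sources.append(item)
            continue
        try:  # strict=False accepts a host address inside the range, e.g. 10.47.81.231/24
            net = ipaddress.IPv4Network(item, strict=False)
        except ValueError as exc:
            raise ValueError(f"invalid IPv4 source {item!r} (host names not supported)") from exc
        sources.append(str(net) if "/" in item else str(net.network_address))
    return sources

def parse_port_exception(entry):
    """Parse 'Port#:TCP|UDP:Scope:Enabled|Disabled:PortName' into a dict."""
    fields = entry.split(":", 4)  # PortName is last, so it may itself contain colons
    if len(fields) != 5:
        raise ValueError("expected 5 colon-separated fields")
    port, proto, scope, status, name = fields
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port number {port!r}")
    if proto not in ("TCP", "UDP"):
        raise ValueError(f"port type must be TCP or UDP, got {proto!r}")
    if status not in ("Enabled", "Disabled"):
        raise ValueError(f"status must be Enabled or Disabled, got {status!r}")
    return {"port": int(port), "protocol": proto, "scope": parse_scope(scope),
            "enabled": status == "Enabled", "name": name}

def is_valid_entry(entry):
    # True if the entry parses cleanly, False if Windows Firewall would ignore it
    try:
        parse_port_exception(entry)
        return True
    except ValueError:
        return False

def effective_open_ports(entries):
    """Apply the precedence note: an Enabled entry for a port wins over a Disabled one."""
    opened = {}
    for e in map(parse_port_exception, entries):
        key = (e["port"], e["protocol"])
        opened[key] = opened.get(key, False) or e["enabled"]
    return sorted(k for k, on in opened.items() if on)
```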

For resources that describe what applications or protocols use which ports, see Appendix G.

Windows Firewall: Allow Local Port Exceptions

The Windows Firewall: Allow local port exceptions setting allows you to specify whether local administrators are allowed to configure their own port exceptions, and is shown in the following figure.

[Figure: WSFP1223.gif]

You can select the following:

  • Not Configured (default)

    Local administrators cannot add port exceptions unless the Windows Firewall: Define port exceptions setting is set to Not Configured. If the Windows Firewall: Define port exceptions setting is set to Enabled or Disabled, local administrators cannot define a local port exceptions list.

  • Enabled

    Local administrators can add port exceptions.

  • Disabled

    Local administrators cannot add port exceptions.