Managing Windows Firewall Notifications

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, Windows Firewall displays a Windows Security Alert dialog box (referred to as a notification) when a program attempts to listen for unsolicited incoming traffic and the incoming traffic is blocked. If you are a member of the Administrators group on the computer (or you are a member of a group that is a member of the Administrators group), the notification provides you with the following options:

Unblock. This adds the program to the exceptions list in the profile that Windows Firewall is currently using and enables the program exception. If you choose this option, the Windows Security Alert dialog box will not be displayed again for the program even if you disable the program exception. The Windows Security Alert dialog box might appear again if the program attempts to listen for incoming traffic when Windows Firewall is using the other profile.

Keep Blocking. This adds the program to the exceptions list in the profile that Windows Firewall is currently using, but does not enable the exception. If you choose this option, the Windows Security Alert dialog box will not be displayed again for the program because the program is in the exceptions list. The Windows Security Alert dialog box might appear again if the program attempts to listen for incoming traffic when Windows Firewall is using the other profile.

Ask Me Later. No action is taken (that is, the program is not added to the exceptions list). If you choose this option, the Windows Security Alert dialog box will appear the next time the program attempts to listen for unsolicited incoming traffic.

If you are not a member of the Administrators group on the computer, you will still see a Windows Security Alert dialog box when a program attempts to listen for unsolicited incoming traffic and the incoming traffic is blocked; however, the notification is informational only. You are not given the ability to take any action; the Unblock, Keep Blocking, or Ask Me Later options are not displayed.

Windows Firewall does not display a notification in the user interface (UI) when a system service attempts to listen for incoming traffic on a port and the incoming traffic is blocked. This is also true for any program that runs like a system service (that is, a program that runs under an account that has higher privilege than a user account, for example, the Local System account, or a program that runs even when there is no user logged on to the computer). You can use the security event log to determine whether a system service, or a program that runs like a system service, attempts to listen for incoming traffic. To do this, you must enable Audit process tracking and Audit policy change settings in Group Policy. When you do this, Windows Firewall will write a Failure Audit with Event ID 861 to the security event log any time a program or system service attempts to listen for incoming traffic. For more information about Windows Firewall events, see Using the Security Log.
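The following batch file is an added example and is not part of the original page. It turns on the two audit categories named above by applying a security template with secedit (this assumes the local audit policy is not overridden by a domain Group Policy; if it is, set the categories in the GPO instead), and then lists Failure Audit events with Event ID 861 from the security log using the eventquery.vbs script that ships with Windows Server 2003. The template path and database path under %TEMP% are arbitrary choices for the example.

```batch
@echo off
rem Added example (not from the original page): enable Audit process tracking
rem and Audit policy change locally, then list Windows Firewall Failure Audit
rem 861 entries. Windows Server 2003 SP1/SP2; run from cmd.exe as a member of
rem the Administrators group.
rem Caveat (assumption): on a domain member, audit settings delivered by Group
rem Policy replace this local change at the next policy refresh.

setlocal
set TEMPLATE=%TEMP%\fw-audit.inf
set DATABASE=%TEMP%\fw-audit.sdb

rem Build a minimal security template. In the [Event Audit] section the value
rem is a bitmask: 1 = success, 2 = failure, 3 = success and failure.
rem Failure-only is enough, because event 861 is written as a Failure Audit.
>  "%TEMPLATE%" echo [Version]
>> "%TEMPLATE%" echo signature="$CHICAGO$"
>> "%TEMPLATE%" echo Revision=1
>> "%TEMPLATE%" echo [Event Audit]
>> "%TEMPLATE%" echo AuditProcessTracking = 2
>> "%TEMPLATE%" echo AuditPolicyChange = 2

rem Apply only the SECURITYPOLICY area so no other local settings are touched.
secedit /configure /db "%DATABASE%" /cfg "%TEMPLATE%" /areas SECURITYPOLICY /quiet
if errorlevel 1 (
    echo secedit failed; see %SystemRoot%\security\logs\scesrv.log for details.
    exit /b 1
)
echo Audit policy applied. Event ID 861 will be logged for listening attempts.

rem List the firewall listening events that have been recorded so far.
rem /V prints the event description, which names the program path and port.
cscript //nologo %SystemRoot%\System32\eventquery.vbs /L Security /FI "ID eq 861" /FI "Type eq FAILUREAUDIT" /V
endlocal
```

Run the file once; afterwards only the final cscript line is needed to review new listening attempts. Because services and programs that run as Local System never produce a dialog box, this log query is the only way to discover what they were trying to listen on before deciding whether to add an exception.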

In addition, there are two other instances when Windows Firewall might not display notifications:

  • Windows Firewall does not display notifications if you select the Don't allow exceptions check box in Windows Firewall in Control Panel, or if you enable the Do not allow exceptions setting in Group Policy, or if you use the netsh firewall set opmode exceptions = disable command. There are no Windows Firewall settings that allow you to override this behavior.

  • Windows Firewall does not display notifications for programs that rely on the Winsock driver to dynamically bind to a UDP port. If a program uses this method (sometimes referred to as wildcard binds) to bind to a UDP port, you might be able to use the netstat command and other troubleshooting tools to determine which UDP port is being used, and then add that port to the exceptions list.

You can disable the notification feature, which prevents Windows Firewall from displaying a Windows Security Alert dialog box. This might be necessary on remotely managed servers.

When to perform this task

You should manage Windows Firewall notifications as the notifications are displayed. If you do not want notifications to appear, you only have to disable notifications once unless you enable notifications or reset Windows Firewall settings.

Task requirements

No special tools are required to complete this task.

Task procedures

To enable or disable the notification feature, use the following procedure:

Enable or Disable Windows Firewall Notifications
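As an added example (not the procedure linked above, and not code from the original page), the following batch file performs the same task with the netsh firewall commands available on Windows Server 2003 SP1 and SP2: it disables or enables notifications for both profiles and then shows the effective state, including the exception mode that suppresses notifications regardless of this setting. The registry check at the end assumes the Group Policy location used by the Windows Firewall administrative template (HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall); the file name and argument names are choices made for this example.

```batch
@echo off
rem Added example (not from the original page): enable, disable or show
rem Windows Firewall notifications with netsh. Windows Server 2003 SP1/SP2;
rem run from cmd.exe as a member of the Administrators group.
rem Usage:  fw-notify.cmd show | enable | disable

setlocal
set ACTION=%~1
if "%ACTION%"=="" set ACTION=show

if /i "%ACTION%"=="show"    goto :show
if /i "%ACTION%"=="enable"  goto :apply
if /i "%ACTION%"=="disable" goto :apply
echo Usage: %~nx0 [show ^| enable ^| disable]
exit /b 2

:apply
rem profile = ALL changes both the Domain and the Standard profile, so the
rem Windows Security Alert dialog box stays suppressed whichever profile the
rem firewall switches to. Notifications are disabled once and stay that way
rem until re-enabled or until the firewall settings are reset.
netsh firewall set notifications mode = %ACTION% profile = ALL
if errorlevel 1 (
    echo Failed to change the notification mode. Check that you are an
    echo administrator and that Group Policy is not enforcing the setting.
    exit /b 1
)

:show
rem "Notification mode" is the effective setting for the active profile.
rem "Exception mode = Disable" means Don't allow exceptions is selected, and
rem no notification is shown in that case whatever the notification mode is.
netsh firewall show state | findstr /i /c:"Profile" /c:"Exception mode" /c:"Notification mode"
echo.
echo Per-profile notification settings:
netsh firewall show notifications

rem Assumption: a DisableNotifications value under the policy key means the
rem "Windows Firewall: Prohibit notifications" Group Policy setting is in
rem force and overrides the local setting shown above.
echo.
echo Group Policy override (no output means no policy value is set):
for %%P in (DomainProfile StandardProfile) do (
    reg query "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\%%P" /v DisableNotifications 2>nul
)
endlocal
```

On a remotely managed server, run `fw-notify.cmd disable` once; the show action is the quick way to confirm, before a change window, that a later dialog box cannot block a program on the console.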

See Also

Concepts

Known Issues for Managing Windows Firewall Notifications