Help: Windows Firewall features
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Windows Firewall features
Windows Firewall differs from its predecessor, Internet Connection Firewall (ICF), in several features and behaviors. The main differences between Windows Firewall and Internet Connection Firewall include:
Global configuration options that apply to all connections
New Windows Firewall component in Control Panel
New Don't Allow Exceptions operating mode
Incoming traffic scoping for Internet Protocol version 4 (IPv4)
Exceptions that can be specified by program or system service name
Built-in support for Internet Protocol version 6 (IPv6)
New configuration options
Global configuration options that apply to all connections
Windows Firewall allows you to configure settings that apply to all the connections of the computer. In Windows Server 2003 with no service packs installed, ICF settings are configured per connection, which means that if you want to enable ICF on multiple connections and configure exceptions, you must configure each connection separately. When you change a global Windows Firewall setting, the change is applied to all the connections on which Windows Firewall is enabled. Windows Firewall does allow per-connection configuration; however, connection-specific configuration overrides global configuration.
New Windows Firewall component of Control Panel
To enable or disable ICF, you select or clear the Protect my computer and network by limiting or preventing access to this computer from the Internet check box, which appears on the Advanced tab of a connection's properties dialog box. You can also click the Settings button on a connection's properties dialog box and configure general exceptions, logging settings, and ICMP exceptions.
In Windows Firewall, the check box on the Advanced tab of a connection's properties dialog box has been replaced with a Settings button, which launches the new Windows Firewall component in Control Panel. You can also start Windows Firewall by clicking Windows Firewall in Control Panel. The Windows Firewall dialog box allows you to configure general settings, exceptions for programs (applications and services), connection-specific settings, log settings, and ICMP exceptions. You can also reset Windows Firewall to its default configuration.
New operating mode
ICF is either enabled (that is, it allows only solicited traffic and traffic that is specified in the exceptions list) or disabled (it allows all traffic). Windows Firewall has these same operating modes, but also allows you to select a new operating mode, Don't Allow Exceptions, that enables Windows Firewall and ignores all exceptions. When Windows Firewall is running in this new mode, all unsolicited incoming traffic is dropped, including traffic that is specified in the exceptions list. This new mode can be used when connecting to the Internet from a public location, such as a hotel or airport, or inside an organization's network to temporarily lock down computers during a network attack or when a malicious program is spreading. After the network attack is over and appropriate updates have been installed to prevent future attacks, Windows Firewall can be returned to the normal operating mode that allows exceptions. All of the original settings for exceptions are maintained.
ICF becomes active on the connections on which it is enabled only after the Internet Connection Firewall/Internet Connection Sharing (ICS) service has started successfully. Therefore, there is a delay between when the computer is active on the network and when the connections are protected with ICF. During this delay at startup, the computer is exposed to attacks.
In Windows Firewall, there is a startup policy that performs stateful packet filtering, thereby allowing the computer to perform basic networking startup tasks using Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS) protocol to configure the computer and communicate with a domain controller to obtain Group Policy updates. The startup policy does not include any settings that you have configured for Windows Firewall, including settings that you have configured in Group Policy. After the Windows Firewall/ICS service is started, Windows Firewall uses the settings that you configured for Windows Firewall and removes the startup policy. The startup policy settings cannot be configured.
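The lockdown described above, as an added example that is not part of the Microsoft documentation: a small cmd.exe script for a Windows Server 2003 SP1/SP2 host that switches Windows Firewall into the Don't Allow Exceptions mode with the netsh firewall context, and later returns it to the normal mode. It assumes an administrative command prompt; the file names under %TEMP% are placeholders chosen for this example.

```batch
@echo off
rem Added example (not from the Microsoft documentation): temporary lockdown of a
rem Windows Server 2003 SP1/SP2 host during an incident, and the later restore.
rem Requires an administrative cmd.exe. "netsh firewall" is the context this
rem page describes; the lockdown ignores the exceptions list but does not delete it.

if /i "%~1"=="lockdown" goto lockdown
if /i "%~1"=="restore" goto restore
echo Usage: %~nx0 lockdown ^| restore
exit /b 1

:lockdown
rem Record the current mode and program exceptions so the restore can be verified.
netsh firewall show opmode > "%TEMP%\fw-before-lockdown.txt"
netsh firewall show allowedprogram >> "%TEMP%\fw-before-lockdown.txt"
rem Enable the firewall and ignore every exception on both profiles
rem (the Don't Allow Exceptions mode of the Windows Firewall dialog box).
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=ALL
rem Display the operating mode to confirm "Exception mode = Disable".
netsh firewall show opmode
exit /b 0

:restore
rem Return to the normal mode. The exceptions that existed before the lockdown
rem are still present, because the lockdown only ignored them.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
netsh firewall show opmode
rem Compare with %TEMP%\fw-before-lockdown.txt to confirm nothing was lost.
netsh firewall show allowedprogram
exit /b 0
```

Run the script as `fwlock.cmd lockdown` when the incident starts and `fwlock.cmd restore` once the updates are installed. Only unsolicited incoming traffic is affected; solicited traffic (replies to connections the computer initiated) still flows in both modes, so management tools that the server connects out to keep working.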
Incoming traffic scoping
In ICF, allowed traffic can originate from any IPv4 address. In Windows Firewall, you can specify where allowed traffic originates. This configuration setting is known as the scope option, and it allows you to limit an exception to traffic that originates from any IPv4 address; from an IPv4 address that can be reached directly (based on IPv4 routing table entries); or from one or more specific IPv4 addresses or ranges of IPv4 addresses.
For incoming IPv6 traffic, Windows Firewall allows you to specify whether exceptions allow traffic that originates from any IPv6 address or from an IPv6 address that can be reached directly (based on IPv6 routing table entries).
Exceptions can be specified by program name
In ICF, you manually configure exceptions by specifying the set of TCP and UDP ports that correspond to the traffic of a specific program, which can be either an application or service. This can make configuration difficult for users who do not know the set of TCP and UDP ports for the application or service. Also, this configuration does not work for applications that do not listen on a specific set of UDP or TCP ports.
To make it easier to configure exceptions, Windows Firewall allows you to specify the set of TCP or UDP ports or the file name of the program. When the program runs, Windows Firewall monitors the ports on which the program listens and opens the ports.
To allow you to quickly enable exceptions for commonly allowed, incoming unsolicited traffic, Windows Firewall has predefined exceptions, such as File and Printer Sharing and Remote Desktop. In addition, the notification mechanism in Windows Firewall prompts local administrators with a Windows Security Alert message to allow them to add new programs to the program exceptions list automatically.
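The scoping options and the program-, port- and service-based exceptions described in the two sections above, as an added example that is not part of the Microsoft documentation. The commands use the netsh firewall context of Windows Server 2003 SP1/SP2; the program path, exception names and address values are placeholders constructed for this example.

```batch
@echo off
rem Added example (not from the Microsoft documentation): scoped exceptions on a
rem Windows Server 2003 SP1/SP2 host. Program path, names and addresses are
rem placeholders; run from an administrative cmd.exe.

rem Program exception: Windows Firewall opens whichever ports the program listens
rem on, so the administrator does not need to know them. scope=SUBNET limits the
rem exception to addresses that are reachable directly (the local subnet).
rem The default scope for a new exception is ALL, which accepts any source address.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\svc.exe" name="Example App" mode=ENABLE scope=SUBNET profile=ALL

rem Port exception for a listener with a fixed port, restricted to a custom scope:
rem the local subnet, one management network and one management host.
netsh firewall add portopening protocol=TCP port=8443 name="Example Mgmt TLS" mode=ENABLE scope=CUSTOM addresses=LocalSubnet,10.20.0.0/24,192.0.2.10 profile=DOMAIN

rem Predefined exception (Remote Desktop), limited to the local subnet instead of
rem the default scope=ALL.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=SUBNET profile=ALL

rem Verify what is open. IPv4 and IPv6 share the exceptions list, so each entry
rem also applies to IPv6 traffic, but only the "any address" and "directly
rem reachable" scopes are honoured for IPv6.
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show service
```

Review the output of the three show commands after every change: an exception whose scope column reads as any address rather than a subnet or custom list is reachable from the Internet when the server is directly connected.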
Built-in support for IPv6
IPv6 support is included with Windows Firewall and is automatically enabled on all IPv6 connections. Both IPv4 and IPv6 share the same settings for traffic that is on the exceptions list. For example, if you allow file and print sharing traffic, then both IPv4- and IPv6-based unsolicited incoming file and printer sharing traffic is allowed.
Windows Firewall does not support the same scope options for IPv6 traffic as IPv4 traffic.
New configuration options
ICF can be enabled or disabled only through the Network Connections folder, the Network Setup Wizard, or the Internet Connection Wizard. To configure exceptions, you must either use the Network Connections folder or your application must be ICF-aware, in which case it adds exceptions to the exceptions list automatically.
In Windows Firewall, there are several ways to configure settings and options, including the following:
Netsh commands
Netsh is a command-line tool that you can use to configure settings for network components. However, to configure a component, the component must support a set of commands through a netsh context. Windows Firewall provides the firewall context, which can be used to configure Windows Firewall settings through a suite of commands. Using netsh firewall, you can create scripts to automatically configure a set of Windows Firewall settings for both IPv4 and IPv6 traffic. You can also use netsh firewall commands to display the configuration and status of Windows Firewall.
Group Policy settings
Windows Firewall provides several new Group Policy settings so you can centrally configure and manage large numbers of computers in an organization that uses the Active Directory directory service. These new Group Policy settings allow you to configure Windows Firewall operational modes, exceptions, and other settings.
Windows Firewall allows you to configure settings in two different profiles: a domain profile and a standard profile. The domain profile is the set of Windows Firewall settings that are needed when the computer is connected to the network that contains the domain controllers of the organization. For example, the domain profile might contain exceptions for the applications needed by a managed computer in an enterprise network. The standard profile is the set of Windows Firewall settings that are needed when the computer is not connected to the network that contains the domain controllers of the organization (for example, when an employee uses the organization's laptop on the road and connects to the Internet using a public broadband or wireless Internet service provider). Because the organization's laptop is directly connected to the Internet, the standard profile should contain more restrictive settings than the domain profile.
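The domain and standard profiles described above, together with the netsh firewall configuration and status commands mentioned under Netsh commands, as an added example that is not part of the Microsoft documentation. The profile keywords DOMAIN, STANDARD and ALL are those of the netsh firewall context on Windows Server 2003 SP1/SP2; the program path and the baseline folder are placeholders constructed for this example.

```batch
@echo off
rem Added example (not from the Microsoft documentation): profile-aware settings
rem and a configuration baseline for a Windows Server 2003 SP1/SP2 laptop.
rem Program path and baseline folder are placeholders; run from an administrative cmd.exe.

set BASELINE=%SystemRoot%\fw-baseline

rem An exception that is needed only on the corporate network goes into the
rem domain profile; it is not in effect when the computer is on a public network.
netsh firewall add allowedprogram program="C:\Program Files\ExampleApp\agent.exe" name="Example Agent" mode=ENABLE scope=SUBNET profile=DOMAIN

rem Keep the standard profile more restrictive than the domain profile: no file
rem and printer sharing, and no Windows Security Alert prompts, so that a program
rem cannot be added to the exceptions list while the laptop is on the road.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=STANDARD
netsh firewall set notifications mode=DISABLE profile=STANDARD

rem Show which profile is in effect right now (it depends on whether the
rem organization's domain controllers are reachable from the current network).
netsh firewall show currentprofile

rem Dump the full configuration and status so that later runs can be compared
rem against this baseline with fc, which reveals exceptions added since.
if not exist "%BASELINE%" mkdir "%BASELINE%"
netsh firewall show config verbose=ENABLE > "%BASELINE%\config-%COMPUTERNAME%.txt"
netsh firewall show state verbose=ENABLE > "%BASELINE%\state-%COMPUTERNAME%.txt"
netsh firewall show logging >> "%BASELINE%\state-%COMPUTERNAME%.txt"
```

Because the settings in effect change with the profile, capture the baseline once on the domain network and once on a public network; a diff of the two files shows exactly which exceptions travel with the laptop.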
Internet Connection Firewall is included only in the original releases of Windows Server 2003, Standard Edition, and Windows Server 2003, Enterprise Edition.
Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.