Firewall Rule Properties - Programs and Services

Applies To: Windows Server 2008

Programs and services

Use this tab to specify how Windows Firewall with Advanced Security will match criteria based on which program or service on the local computer is sending the packets to the peer computer. When this criteria is matched, and all other criteria are matched, Windows Firewall with Advanced Security will take the action that you specify in the Action section of the General tab.


All programs that meet the specified conditions

Use this option to specify that packets being sent by any program will match.

This program

Use this option to match packets from a specified program. You can either specify the program path (including environment variables) or you can browse to the program executable (.exe) file and select it.


Click Settings to match packets from all services on the computer or a specified service. You can also specify that only packets sent by services will apply to this firewall rule. For more information about specifying services, see Customize Service Settings.

Configuring program or service settings

To add a program to the rule, you must specify the .exe file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rule. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file.

Adding service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without further restrictions in the rule might expose the computer to security threats. Also, adding these containers might conflict with other service-hardening policies on computers running this version of Windows.

When you add a program to the rule, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to a rule is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.

You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses Windows Sockets (Winsock) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.

In addition to adding program rules, you can also edit and delete program rules. Editing a program rule allows you to change the path or file name that is associated with the program and configure scope settings for the rule. Deleting a program from the rules list prevents the program from receiving unsolicited incoming traffic (unless a port rule or some other rule allows unsolicited incoming traffic to reach the program).

To add a system service with an associated service SID to the rule, you use the Programs and Services tab in the <Rule Name> Properties dialog box. This provides more precise control of services because a lot of services are hosted in processes like Svchost.exe. This method is more secure than adding the Svchost.exe process to the rules list.

Additional references

Community Additions