Help: Administering Windows Firewall through Control Panel

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Administering Windows Firewall through Control Panel

The most common way to configure Windows Firewall settings on a single computer is to use Windows Firewall in Control Panel. You must be a member of the Administrators group on the local computer to configure settings in Windows Firewall in Control Panel. If you are not a member of the Administrators group, all of the settings in Windows Firewall will appear dimmed.

The Windows Firewall user interface consists of three tabs: the General tab, the Exceptions tab, and the Advanced tab.

General tab

You can disable and enable Windows Firewall for all connections on the General tab. The settings can be configured as follows:

Setting Description

On

Enables Windows Firewall for all of the network connections that are selected on the Advanced tab. Windows Firewall is enabled to allow only solicited traffic and incoming traffic that has been added to the exceptions list.

Don't allow exceptions

Allows solicited incoming traffic only. Incoming traffic that has been added to the exceptions list is not allowed. The settings on the Exceptions tab are ignored and all of the network connections are protected, regardless of the settings on the Advanced tab. In addition, Windows Firewall does not display a notification when a program attempts to listen for unsolicited incoming traffic.

Off

Disables Windows Firewall. This is not recommended, especially for network connections that are directly accessible from the Internet, unless you are already using a non-Microsoft host firewall.

On Windows Server 2003, the default setting for Windows Firewall is Off for all connections and all newly created connections. If you turn Windows Firewall on, Windows Firewall can affect the communications of programs or services that rely on unsolicited incoming traffic. In this case, you must identify those programs that are no longer working and add them to the exceptions list or determine which ports the programs use and add the ports to the exceptions list.

Exceptions tab

You can configure the following settings on the Exceptions tab:

Setting UI element Description

Program and port exceptions

  • Add Program button: Used to display the Add a Program dialog box, which allows you to select a program from a list or browse for a program's executable (.exe) file.

  • Add Port button: Used to display the Add a Port dialog box, which allows you to specify a name for the port exception, a port number, and a port type (TCP or UDP).

  • Edit button: Used to display the Edit a Port or Edit a Program dialog box, which allows you to modify the exception settings for the port or program.

All of the programs or services enabled from the Exceptions tab are enabled for all of the connections that are selected on the Advanced tab.

For more information about program exceptions, see Help: Understanding Windows Firewall exceptions.

Program and port scope options

Change Scope button

Available in the Add a Port, Add a Program, Edit a Port, or Edit a Program dialog boxes. There are three scope options:

  • Any computer (including those on the Internet)

  • My network (subnet) only

  • Custom list

For more information about scope options, see Help: Understanding Windows Firewall scope options.

Windows Firewall notifications

Display a notification when Windows Firewall blocks a program check box

Select or clear to configure the way Windows Firewall handles notifications.

If selected, Windows Firewall displays a notification when a program that is not in the exceptions list attempts to listen for incoming traffic.

If cleared, notifications do not appear.

For more information about notifications, see Help: Understanding Windows Firewall notifications.

Advanced tab

You can configure the following settings on the Advanced tab:

Setting Description

Network Connection Settings

Used to configure the following settings:

  • Specify the individual connections on which Windows Firewall is enabled. To enable Windows Firewall on a connection, select the check box next to the connection name. To disable Windows Firewall on a connection, clear the check box. By default, all of the network connections have Windows Firewall enabled. If a network connection does not appear in Network Connection Settings, then it is a non-standard networking connection, such as a custom dialer from an Internet service provider (ISP).

    If you clear all of the check boxes in Network Connection Settings, then Windows Firewall is not protecting your computer even if, on the General tab, you have selected On. Also, the settings in Network Connection Settings are ignored if you have selected Don’t allow exceptions on the General tab, in which case all interfaces are protected.

  • Configure advanced settings for an individual network connection. Click the network connection name, and then click Settings. The Advanced Settings dialog box is displayed.

    On the Advanced Settings dialog box, from the Services tab, you can configure specific services (by TCP or UDP port only). From the ICMP tab, you can enable specific types of ICMP traffic.

Security Logging

Configure Windows Firewall logging options by clicking Settings in Security Logging. When you do this, the Log Settings dialog box is displayed, which allows you to configure whether to log discarded (dropped) packets or successful connections and specify the name, location, and maximum size of the log file. By default, the log file is named pfirewall.log and it is saved in the systemroot folder. The default maximum size is 4096 kilobytes (KB).

ICMP Settings

Configure Internet Control Message Protocol (ICMP) exceptions by clicking Settings in ICMP. When you do this, the ICMP dialog box is displayed, which allows you to enable and disable the types of incoming ICMP messages that Windows Firewall allows for all the connections selected on the Advanced tab. ICMP messages are used for diagnostics, reporting error conditions, and configuration. By default, no ICMP messages in the list are allowed.

Restore Defaults

Restore Windows Firewall default settings. All of the entries in the exceptions list are deleted and all settings and options are restored to their original state. Clicking Restore Defaults also enables Windows Firewall on all connections, which can cause your programs and system services to behave improperly because having Windows Firewall enabled on all connections is not the default on Windows Server 2003. This might also cause Internet Connection Sharing (ICS) and Network Bridge to fail.

Note

  • If a setting is managed by Group Policy, or you do not have the administrative rights to configure a setting, the setting will appear dimmed when you open Windows Firewall in Control Panel.
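An added example, not part of the original Help topic: once logging of dropped packets is enabled under Security Logging, the log shows which ports unsolicited traffic is reaching, which helps determine the port exceptions a program needs after Windows Firewall is turned on. It assumes the log carries a W3C-style #Fields header as in the constructed sample below; the function names are hypothetical.

```python
"""Summarize dropped packets from a Windows Firewall log (added example)."""

# Constructed sample in the layout of pfirewall.log; not captured from a real host.
# Field names and the DROP/OPEN action values are assumptions taken from this header.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2005-04-11 08:05:57 DROP TCP 192.0.2.10 198.51.100.5 1682 445 48 S 1234567890 0 16384 - - - RECEIVE
2005-04-11 08:05:58 DROP TCP 192.0.2.10 198.51.100.5 1683 445 48 S 1234567891 0 16384 - - - RECEIVE
2005-04-11 08:06:02 OPEN TCP 198.51.100.5 203.0.113.7 1045 80 - - - - - - - - -
2005-04-11 08:06:10 DROP UDP 192.0.2.44 198.51.100.5 137 137 78 - - - - - - - RECEIVE
2005-04-11 08:06:11 DROP ICMP 192.0.2.44 198.51.100.5 - - 60 - - - - 8 0 - RECEIVE
truncated line
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the log's #Fields header."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def dropped_ports(text):
    """Map (protocol, dst-port) to a drop count and the set of source addresses."""
    summary = {}
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP":
            continue  # OPEN/CLOSE records are successful connections
        key = (rec["protocol"], rec["dst-port"])
        entry = summary.setdefault(key, {"count": 0, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(rec["src-ip"])
    return summary


if __name__ == "__main__":
    for (proto, port), entry in sorted(dropped_ports(SAMPLE_LOG).items()):
        print(proto, port, entry["count"], sorted(entry["sources"]))
```

A port that appears here with many drops from expected internal sources is a candidate for a scoped port exception; drops from unexpected sources are the firewall doing its job.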

See Also

Concepts

Help: Understanding Windows Firewall
Help: Administering Windows Firewall with Netsh
Help: Administering Windows Firewall with Group Policy
Help: Windows Firewall How To...
Help: Understanding Windows Firewall scope options