Help: Change the scope of a Windows Firewall exception

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To change the scope of a Windows Firewall exception

  1. Open Windows Firewall, and click the Exceptions tab.

  2. In Programs and Services, click the exception that you want to configure, and click Edit.

  3. Click Change scope, and do one of the following:

    • If you want to enable the exception for all computers, click Any computer (including those on the Internet), and then click OK.

    • If you want to enable the exception for computers that can be reached directly from your local subnet, click My network (subnet) only, and then click OK.

    • If you want to enable the exception for specific IP addresses or IP address ranges, click Custom list, enter the specific IP addresses or IP address ranges, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure.

  • To start Windows Firewall, click Start, point to Control Panel, and then click Windows Firewall.

  • You can also use the netsh command with the firewall context to perform this procedure and configure other Windows Firewall settings.

  • You can also use Group Policy settings to perform this procedure and configure other Windows Firewall settings.

  • You can configure Windows Firewall settings in the standard profile or the domain profile. The domain profile is used when a computer is connected to a network in which the computer's domain account resides. The standard profile is used when a computer is connected to a network in which the computer's domain account does not reside, such as a public network or the Internet. Make sure Windows Firewall is using the correct profile when you perform this procedure.

  • If a Windows Firewall setting appears dimmed in the graphical user interface and the General tab shows "For your security, some settings are controlled by Group Policy", the setting might be managed by Group Policy. If all Windows Firewall settings appear dimmed and the General tab shows "You must be a computer administrator to change these settings", you do not have administrative rights to configure Windows Firewall.

  • On Windows Server 2003, Windows Firewall is turned off by default and the Windows Firewall/Internet Connection Sharing service is disabled by default. You might have to start the Windows Firewall/Internet Connection Sharing service if you try to perform this procedure and you have never started Windows Firewall.

  • Windows Firewall is not included in the original release of the Windows Server 2003 operating systems.

  • The My network (subnet) only and Custom list scope options do not necessarily increase your security. Malicious users can circumvent these scope restrictions by spoofing an IP address that appears to be directly reachable or is part of the custom list.

  • When you use the My network (subnet) only scope option, Windows Firewall does not perform any IP configuration testing or subnet mask interpretation to determine whether the traffic is coming from a computer that is a neighbor on a locally attached subnet. Instead, Windows Firewall determines whether the traffic is originating from an address that can be reached directly based on routes in the IP version 4 (IPv4) routing table. If it is, this traffic is considered to match the My network (subnet) only scope.
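
The following Python sketch is an added example, not Microsoft code. It models the three scope options as the notes above describe them, to show that My network (subnet) only follows the IPv4 routing table rather than the interface's subnet mask. The routing table, addresses, function names and comma-separated custom-list format are constructed assumptions, and treating a route with no gateway as "reached directly" is a simplification.

```python
import ipaddress

# Constructed IPv4 routing table: (destination prefix, gateway or None when on-link).
ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),        # default route through a router
    ("192.168.1.0/24", None),            # LAN interface, on-link
    ("10.0.0.0/8", None),                # second interface (for example a VPN), on-link
    ("172.16.0.0/16", "192.168.1.254"),  # static route through a gateway
]


def directly_reachable(src, routes=ROUTES):
    """Longest-prefix match on the source address; True only if the winning
    route needs no gateway (assumed meaning of 'reached directly')."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best is not None and best[1] is None


def parse_custom_list(text):
    """Parse an assumed comma-separated list of addresses and prefixes."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]


def scope_allows(scope, src, custom="", routes=ROUTES):
    """Decide whether a packet's source address matches an exception scope.
    Only the claimed source address is examined, which is why the note on
    spoofing applies to the 'subnet' and 'custom' scopes alike."""
    if scope == "any":
        return True
    if scope == "subnet":
        return directly_reachable(src, routes)
    if scope == "custom":
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in parse_custom_list(custom))
    raise ValueError("unknown scope: %r" % scope)


if __name__ == "__main__":
    for src in ("192.168.1.77", "10.200.3.4", "172.16.5.5", "203.0.113.9"):
        print(src, "matches subnet scope:", scope_allows("subnet", src))
```

In this model 10.200.3.4 matches the subnet scope only because an on-link route for 10.0.0.0/8 exists, so reviewing the routing table belongs in any review of an exception that uses this scope.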

See Also

Concepts

Help: Understanding Windows Firewall exceptions
Help: Administering Windows Firewall with Netsh
Help: Administering Windows Firewall with Group Policy
Help: Determine which profile Windows Firewall is using