Preventing Administrators from Turning Windows Firewall On or Off

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

By default, you must be a member of the Administrators group (or a member of a group that is a member of the Administrators group) to enable or disable Windows Firewall. This prevents users from inadvertently turning Windows Firewall on or off, which can result in individualized configurations that are difficult to troubleshoot and can reduce your organization's overall security.

You can secure Windows Firewall even further by preventing local administrators from enabling or disabling Windows Firewall. This is useful if you rely on Windows Firewall and you always want it enabled, or you use a non-Microsoft host firewall and you always want Windows Firewall disabled. Preventing local administrators from turning Windows Firewall on or off is also useful in a centrally-managed environment, such as a Group Policy environment or an environment in which you want to strictly enforce Windows Firewall configuration and policy settings.

When to perform this task

You should perform this task when required by your organization's security plan or when you want to strictly enforce Windows Firewall configuration and policy settings.

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, perform the following procedures:

Prevent Local Administrators from Turning Windows Firewall On or Off

See Also

Concepts

Best Practices for Securing Windows Firewall
Known Issues for Securing Windows Firewall
Preventing Administrators from Creating Exceptions