Configuring Port Firewall Rules
Updated: March 28, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you turn on Windows Firewall for the first time or restore Windows Firewall default settings, all unsolicited incoming TCP/IP traffic is blocked on all network connections. This means that any program or system service that attempts to listen for traffic on a TCP or UDP port will be unable to receive traffic. To allow programs and system services to receive unsolicited traffic through these ports, you must add the program or system service to the Windows Firewall exceptions list. In some cases, if you cannot add a program or system service to the exceptions list, you must determine which port or ports the program or system service uses and add the port or ports to the Windows Firewall exceptions list.
Note: A system service that runs within its own unique executable (.exe) file and is not hosted by a service container is considered to be a program. Such a system service can be added to the exceptions list. In the same way, a program that behaves like a system service and runs regardless of whether a user is logged on to the computer is also considered a program, as long as it runs within its own unique .exe file. Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the exceptions list.
When you add a port to the exceptions list, you must specify the protocol (TCP or UDP) and port number. You cannot specify protocols other than TCP or UDP, and you cannot add a port number without specifying either TCP or UDP. (For example, you cannot create an exception based on protocol alone.) When you add a TCP or UDP port to the exceptions list, the port is open (unblocked) whenever Windows Firewall is running, regardless of whether a program or system service is listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic through Windows Firewall, you should create a program exception instead of a port exception whenever possible. When you add a program to the exceptions list, Windows Firewall dynamically opens and closes the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall closes the ports.
In addition to adding port exceptions to the exceptions list, you can edit and delete port exceptions. Editing a port exception allows you to change the port name, protocol, port number, and scope settings for the exception. Deleting a port exception closes (blocks) the port and prevents the port from receiving unsolicited traffic (unless another port exception or some other exception allows unsolicited incoming traffic to reach the program).
Mitigating the Risks Associated with Exceptions
Each time you add a program, system service, or port to the exceptions list, you make your computer more accessible to attack. A common form of network attack uses port scanning software to identify computers that have open and unprotected ports. By adding numerous programs, system services, and ports to the exceptions list, you defeat the purpose of a firewall and increase the attack surface of your computer. This problem typically occurs when you configure a server for several different roles, and you need to open numerous ports to accommodate each of the server roles. You should closely evaluate the design of any server that requires you to open numerous ports. Servers that are configured for numerous roles or configured to provide numerous services can be a critical point of failure in your organization and might indicate poor infrastructure design.
To decrease your security risk, follow these guidelines when you configure port exceptions:
Create an exception only when you need it. If you think a program might require a port for unsolicited incoming traffic, do not add a port to the exceptions list until you verify that the program attempted to listen for unsolicited traffic. By default, Windows Firewall displays a notification when a program attempts to listen for unsolicited traffic. You can also use the security event log to determine whether a system service has attempted to listen for unsolicited incoming traffic.
Never create an exception for a program or system service that you do not recognize. If Windows Firewall notifies you that a program has attempted to listen for unsolicited incoming traffic, verify the name of the program and the .exe file before you add a port to the exceptions list. Likewise, if you use the security event log to determine that a system service attempted to listen for unsolicited incoming traffic, verify that the system service is a valid component before you add a port to the exceptions list.
Remove an exception when you no longer need it. If you add a port to the exceptions list on a server and then change the server's role or reconfigure the services and applications on the server, be sure to update the exceptions list and remove port exceptions that are no longer required.
When to perform this task
You should configure a port exception when you cannot configure a program exception and you know that a program or system service must receive unsolicited incoming traffic. You typically perform this task on an ongoing basis as your server roles and server configurations change.
No special tools are required to complete this task.
If you know that a program or system service acts as a server, listener, or peer and you know which ports are used by the program or system service, use this procedure to add the ports to the exceptions list:
If you know that a program or system service acts as a server, listener, or peer, but you do not know the ports that the program or system service uses, you might be able to find this information in the Windows Firewall Settings Technical Reference. For more information, see Windows Firewall Settings on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=43155).
If you do not know which programs or system services act as servers, listeners, or peers, use the following procedure to identify the ports used by programs and system services to listen for unsolicited incoming traffic:
To edit or delete an existing program exception, use the following procedure:
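The following command-line equivalents of the tasks above (identifying listening ports, preferring a program exception, adding a scoped port exception, and editing or deleting it) are an added example and not part of the original page; they use the netsh firewall context available on Windows Server 2003 SP1 and later. The service name "MyListener", its path, TCP port 8443, the PID 1234 and the address 192.0.2.10 are constructed placeholders.

```batch
@echo off
REM Added example, not from the original Microsoft page. Placeholder values:
REM "MyListener" (hypothetical service in its own .exe), TCP port 8443,
REM PID 1234 and the remote host 192.0.2.10 are all constructed.

REM 1. Verify that something is actually listening before adding any exception.
REM    netstat -a -n -o shows LISTENING TCP sockets and UDP endpoints with the
REM    owning PID; tasklist /svc maps that PID to an image name and the
REM    services it hosts (so you can spot Svchost.exe and other containers).
netstat -a -n -o | findstr "LISTENING UDP"
tasklist /svc /FI "PID eq 1234"

REM 2. Preferred: a program exception. Windows Firewall then opens the ports
REM    only while listener.exe is running and listening. scope=SUBNET limits
REM    the exception to the local subnet instead of every source address.
netsh firewall add allowedprogram program="C:\Program Files\MyListener\listener.exe" name="MyListener" mode=ENABLE scope=SUBNET profile=ALL

REM 3. Fallback when a program exception is not possible: a port exception.
REM    The protocol must be TCP or UDP, and the port stays open whether or not
REM    anything is listening, so keep the scope as narrow as the role allows.
netsh firewall add portopening protocol=TCP port=8443 name="MyListener TCP 8443" mode=ENABLE scope=SUBNET profile=ALL

REM 4. Review the configured exceptions and the ports that are open right now.
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show state

REM 5. Edit an existing port exception (here: restrict it to the local subnet
REM    plus one specific host) or delete it once the server role changes.
netsh firewall set portopening protocol=TCP port=8443 name="MyListener TCP 8443" mode=ENABLE scope=CUSTOM addresses=LocalSubnet,192.0.2.10 profile=ALL
netsh firewall delete portopening protocol=TCP port=8443
netsh firewall delete allowedprogram program="C:\Program Files\MyListener\listener.exe" profile=ALL
```

Run the commands from an elevated command prompt one task at a time; step 4 is the check to repeat after any change, since a port exception that no longer matches a listening service is exactly the stale rule the guidelines above tell you to remove.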