Configuring Firewall Rules for Specific Connections
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
When you turn on Windows Firewall for the first time or restore Windows Firewall default settings, all unsolicited incoming TCP/IP traffic is blocked on all network connections. This means that any program or system service that attempts to listen for traffic on a TCP or UDP port will be unable to receive traffic. To allow programs and system services to receive unsolicited traffic through these ports, you must add the program or system service to the Windows Firewall exceptions list. In some cases, if you cannot add a program or system service to the exceptions list, you must determine which port or ports the program or system service uses and add the port or ports to the Windows Firewall exceptions list. However, adding programs and system services to the exceptions list is the recommended way to control the traffic that is allowed through Windows Firewall.
Note
A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the exceptions list. In the same way, a program that behaves like a system service and runs no matter if a user is logged on to the computer is considered a program as long as it runs within its own unique .exe file. Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the exceptions list.
You usually configure Windows Firewall on a global basis. For example, when you turn on Windows Firewall, Windows Firewall is enabled on all of the network connections on your computer and all network connections that you create on your computer. Likewise, when you create an exception, the exception applies to all network connections on the computer and all network connections that you create on the computer.
You can also configure Windows Firewall on a connection-specific (per-connection) or interface-specific basis. When you configure Windows Firewall on a per-connection basis, you can configure Windows Firewall differently for every network connection on your computer. This is useful if your computer has multiple network adapters or multiple network connections and you do not want Windows Firewall enabled on all connections or you want to open different ports for each network connection.
The most commonly configured per-connection exception is a port exception. Per-connection port exceptions are cumulative (between the global and per-connection exceptions). Be sure you understand how global and per-connection exceptions work before you use them.
When you open a port on a global basis, the port is open on every network connection on your computer; you cannot close the port on a per-connection basis. To open a port on a specific connection only, you must close the port globally and then open the port on the specific connection. To close a port on a specific connection, you must close the port globally and make sure that the port is not open on the connection you are configuring. The following table shows how global and per-connection port exceptions are combined.
Global Port Exception | Per-Connection Port Exception | Resultant Per-Connection Port Exception |
---|---|---|
Enabled (port open) |
Enabled (port open) |
Enabled (port open) on every connection |
Enabled (port open) |
Disabled (port closed) |
Enabled (port open) on every connection |
Enabled (port open) |
Not configured (no per-connection port exception) |
Enabled (port open) on every connection |
Disabled (port closed) |
Enabled (port open) |
Enabled (port open) |
Disabled (port closed) |
Disabled (port closed) |
Disabled (port closed) |
Disabled (port closed) |
Not configured (no per-connection port exception) |
Disabled (port closed) |
As with global exceptions, when you add a port to the exceptions list on a per-connection basis, you must specify the protocol (TCP or UDP) and the port number. You cannot specify protocols other than TCP or UDP, and you cannot add a port number without specifying either TCP or UDP. (For example, you cannot exclude traffic based on just a protocol.) When you add a TCP or UDP port to the exceptions list, the port is open (unblocked) whenever Windows Firewall is running and no matter if there is a program or system service listening for incoming traffic on the port.
In addition, per-connection port exceptions are created and applied without regard to which Windows Firewall profile a computer is using. For example, if your computer is using the domain profile and you configure a port exception for a specific connection, the port exception will be applied when the computer is using the domain profile and when the computer is using the standard profile. Furthermore, you cannot configure scope settings for a per-connection port exception. The scope of a per-connection port exception includes any computer that has access to the specific network connection.
In addition to adding port exceptions to the exceptions list, you can edit and delete port exceptions on a per-connection basis. Editing a port exception allows you to change the exception name, protocol, and port number. Deleting a port exception closes (blocks) the port and prevents the port from receiving unsolicited incoming traffic (unless a port exception or some other exception exists to allow unsolicited incoming traffic to reach the program).
Mitigating the Risks Associated with Exceptions
Each time you add a program, system service, or port to the exceptions list, you make your computer more accessible to attack. A common form of network attack uses port scanning software to identify computers that have open and unprotected ports. By adding numerous programs, system services, and ports to the exceptions list, you defeat the purpose of a firewall and increase the attack surface of your computer. This problem typically occurs when you configure a server for several different roles, and you need to open numerous ports to accommodate each role. You should closely evaluate the design of any server that requires you to open numerous ports. Servers that are configured for numerous roles or to provide numerous services can be a critical point of failure in your organization and might indicate poor infrastructure design.
To decrease your security risk, follow these guidelines when you configure port exceptions:
Create an exception only when you need it. If you think a program might require a port for unsolicited incoming traffic, do not add a port to the exceptions list until you verify that the program attempted to listen for unsolicited traffic. You can use the security event log to determine whether a program has attempted to listen for unsolicited incoming traffic.
Remove an exception when you no longer need it. If you add a port to the exceptions list on a server and then change the server's role or reconfigure its services and applications, be sure to update the exceptions list and remove those port exceptions that are no longer required.
When to perform this task
You should configure a per-connection port exception when you want to allow unsolicited incoming traffic through Windows Firewall on a specific connection. You should do this only if you know that a program or system service must receive unsolicited traffic. You typically perform this task on an ongoing basis as your server roles and server configurations change.
Task requirements
No special tools are required to complete this task.
Task procedures
To complete this task, perform the following procedure:
Add a Port to the Firewall Rules List for a Specific Connection
See Also
Concepts
Known Issues for Managing Firewall Rules
Configuring Program Firewall Rules
Configuring Port Firewall Rules
Configuring System Service Firewall Rules
Configuring Scope Settings