Help: Administering Windows Firewall with Group Policy

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Administering Windows Firewall with Group Policy

If your organization uses the Active Directory directory service, you can configure and manage Windows Firewall with the new Windows Firewall Group Policy settings. When you use Group Policy to configure Windows Firewall, local administrators and users will be unable to locally configure some Windows Firewall configuration settings by using Windows Firewall in Control Panel. Specifically, when a Windows Firewall setting is configured through Group Policy, the equivalent setting appears dimmed in Windows Firewall in Control Panel.

Windows Firewall Group Policy Settings

There are two sets of Windows Firewall policy settings:

  • The domain profile settings, which are used when a computer is connected to a network that contains the organization's domain controllers.

  • The standard profile settings, which are used when a computer is connected to a network that does not contain the organization's domain controllers.

If you do not configure profile settings, their default values are applied. Therefore, it is highly recommended that you configure both domain and standard profile settings so that you maintain your desired level of security in the event your computer changes from one profile to another. Also, the standard profile settings are typically more restrictive that the domain profile settings because the standard profile settings do not need to include applications and services that are used only in a managed domain environment. Both the domain profile and standard profile contain the same set of Windows Firewall configuration settings.

The following Group Policy settings are available for managing Windows Firewall. These settings can be found at the following location in the Group Policy Editor snap-in:

  • Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile or Standard Profile
Group Policy setting Description

Windows Firewall: Protect all network connections

Used to specify that all network connections have Windows Firewall enabled.

Windows Firewall: Do not allow exceptions

Used to specify that all unsolicited incoming traffic is dropped, including traffic that has been added to the exceptions list.

Windows Firewall: Define program exceptions

Used to define by application file names traffic that has been added to the exceptions list.

Windows Firewall: Allow local program exceptions

Used to enable local configuration of program exceptions.

Windows Firewall: Allow remote administration exception

Used to enable remote procedure calls (RPC) and Distributed Component Object Model (DCOM), which are necessary for many remote administration using tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI).

Windows Firewall: Allow file and printer sharing exception

Used to specify whether file and printer sharing traffic is allowed.

Windows Firewall: Allow ICMP exceptions

Used to specify the types of unsolicited Internet Control Message Protocol (ICMP) traffic allowed.

Windows Firewall: Allow Remote Desktop exception

Used to specify whether the computer can accept a Remote Desktop-based connection request.

Windows Firewall: Allow UPnP framework exception

Used to specify whether the computer can participate in UPnP discovery.

Windows Firewall: Prohibit notifications

Used to disable notifications when an application uses new Windows Firewall application programming interfaces (APIs) to request traffic that has been added to the exceptions list.

Windows Firewall: Allow logging

Used to enable logging of discarded traffic, successful connections, and configure log file settings.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

Used to discard the unicast packets sent in response to a multicast or broadcast request.

Windows Firewall: Define port exceptions

Used to specify by TCP and UDP ports traffic that has been added to the exceptions list.

Windows Firewall: Allow local port exceptions

Used to enable local configuration of port exceptions.

You can also configure the Windows Firewall: Allow authenticated IPSec bypass police setting, which can be found at the following location in the Group Policy Editor snap-in:

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall

This policy setting allows unsolicited incoming messages from specified systems that authenticate using IPSec.

Notes

  • Windows Firewall is not included in the original release of the Windows ServerĀ 2003 operating systems.

  • You cannot use Group Policy to configure Windows Firewall per-connection settings.

  • Group Policy settings must be refreshed before they take effect.

See Also

Concepts

Help: Understanding Windows Firewall
Help: Administering Windows Firewall
Help: Windows Firewall How To...