Firewall Rules

Applies To: Windows 7, Windows Server 2008

Understanding Windows Firewall with Advanced Security rules

You create firewall rules to allow this computer to send traffic to, or receive traffic from, programs, system services, computers, or users. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria: allow the connection, only allow a connection that is secured through the use of Internet Protocol security (IPsec), or explicitly block the connection.

Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the computers or users, program, service, or port and protocol. You can specify which type of network adapter the rule will be applied to: local area network (LAN), wireless, remote access, such as a virtual private network (VPN) connection, or all types. You can also configure the rule to be applied when a specific profile is in use, or when any profile is being used.

As your IT environment changes, you might have to change, create, disable, or delete rules.

Firewall rules are applied with the following precedence:

  • Authenticated bypass (rules with the "Override block rules" option; they match only connections from specified computers that have been authenticated with IPsec, and they win over block rules)

  • Block connection

  • Allow connection

  • Default profile behavior (allow connection or block connection, as specified on the Profile tab of the Windows Firewall with Advanced Security Properties dialog)
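The following PowerShell session is an added example, not part of the original page, showing the precedence list in practice with the netsh advfirewall commands available on Windows 7 and Windows Server 2008 R2. The rule names and the port (TCP 8080) are assumptions chosen for the demonstration; run it from an elevated prompt.

```powershell
# Added example (not from the original page): rule precedence with
# netsh advfirewall. The rule names and port 8080 are assumptions.
$port = 8080

# 1. Two enabled rules that match the same inbound traffic. Creation order
#    does not matter: block is evaluated before allow, so the block rule wins.
netsh advfirewall firewall add rule name="Demo allow TCP $port" dir=in action=allow protocol=TCP localport=$port
netsh advfirewall firewall add rule name="Demo block TCP $port" dir=in action=block protocol=TCP localport=$port

# Inspect both rules. Nothing in the listing indicates which one wins;
# the precedence is fixed by the firewall engine.
netsh advfirewall firewall show rule name="Demo allow TCP $port"
netsh advfirewall firewall show rule name="Demo block TCP $port"

# 2. Disable (rather than delete) the block rule. Now only the allow rule
#    matches, and the port is reachable while a listener is running.
netsh advfirewall firewall set rule name="Demo block TCP $port" new enable=no

# 3. The last entry in the precedence list is the profile's default action.
#    'blockinbound,allowoutbound' is the default on a fresh install.
#    'blockinboundalways' additionally ignores every inbound allow rule,
#    so set it only deliberately (for example while a host is under attack).
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Cleanup. netsh deletes every rule that carries the given name, which is
# why unique rule names matter.
netsh advfirewall firewall delete rule name="Demo allow TCP $port"
netsh advfirewall firewall delete rule name="Demo block TCP $port"
```

Disabling rather than deleting the block rule in step 2 keeps the rule available for audit and for re-enabling; the enabled state is shown in the `show rule` output as `Enabled: No`.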

Inbound rules

Inbound rules explicitly allow, or explicitly block, traffic that matches the criteria in the rule. For example, you can configure a rule to explicitly allow Remote Desktop traffic through the firewall only when it is secured by IPsec, so that the same traffic is blocked if it is not secured by IPsec. By default, unsolicited inbound traffic that does not match an allow rule is blocked; to allow it, you must create an inbound rule. You can also configure the action that Windows Firewall with Advanced Security takes, whether connections are allowed or blocked, when no inbound rule applies.

Outbound rules

Outbound rules are rules that explicitly allow, or explicitly deny, traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a computer through the firewall, but allow the same traffic for other computers. Outbound traffic is allowed by default, so you must create an outbound rule to block traffic.

The default action, whether connections are allowed or blocked by default, can be configured.

Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, the creation of a connection security rule does not allow the traffic through the firewall. You must create a firewall rule to do this, if the traffic is not allowed by the default behavior of the firewall. Connection security rules are not applied to programs or services; they are applied between the computers that make up the two endpoints.
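The following script is an added example, not part of the original page, that puts the inbound, outbound and connection security cases above side by side with netsh. It assumes a domain-joined host (so Kerberos computer authentication is available for IPsec), a remote host 10.0.0.25 that should be cut off, and rule names chosen here; all three are assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the original page). Assumptions: domain-joined
# host, 10.0.0.25 is the host to block, rule names are chosen here.

# Inbound: allow Remote Desktop (TCP 3389) only over IPsec-authenticated
# connections. Unsecured RDP traffic matches no allow rule and falls
# through to the profile's default inbound action, which is block.
netsh advfirewall firewall add rule name="RDP (IPsec required)" dir=in action=allow protocol=TCP localport=3389 security=authenticate profile=domain

# Outbound: everything is allowed by default, so an explicit block rule is
# needed to stop this computer from reaching one host. Other destinations
# are unaffected.
netsh advfirewall firewall add rule name="Block outbound to 10.0.0.25" dir=out action=block remoteip=10.0.0.25

# Connection security rule: require IPsec with Kerberos computer
# authentication for inbound traffic to TCP 3389 on this host (endpoint1 is
# the local side, port1 is its port). This secures the traffic but does not
# open the port: without the firewall rule above, even authenticated RDP
# traffic would still be blocked by the default inbound action.
netsh advfirewall consec add rule name="Require IPsec for RDP" endpoint1=any endpoint2=any protocol=TCP port1=3389 action=requireinrequestout auth1=computerkerb profile=domain

# Firewall rules and connection security rules are separate lists.
netsh advfirewall firewall show rule name="RDP (IPsec required)"
netsh advfirewall consec show rule name="Require IPsec for RDP"

# After a peer connects, the negotiated security associations confirm that
# the traffic is actually protected by IPsec.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

A quick negative check: connect with Remote Desktop from a host that is not domain-joined (so it cannot satisfy the Kerberos authentication). The connection should fail, and `netsh advfirewall monitor show qmsa` on the server should list no quick-mode SA for that peer.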

Note

As a best practice, give each firewall rule a unique name. Unique names make management with the netsh commands much easier: netsh addresses rules by name, so a `netsh advfirewall firewall delete rule name=...` or `set rule name=...` command acts on every rule that shares that name.

Configuring rules

Because Windows Firewall with Advanced Security blocks all incoming unsolicited TCP/IP traffic by default, you might need to configure program, port, and system service rules for programs or services that are acting as servers, listeners, or peers. Program, port, and system service rules must be managed on an ongoing basis as your server roles or configurations change.

Important

Each setting you specify for a firewall rule is an additional condition that a connection request must satisfy to match the rule; the conditions are combined, not alternatives. For example, if you do not specify a program or service on the Programs and Services tab, connections from all programs and services match the rule, provided they satisfy the other criteria. Therefore, adding more detailed criteria makes the rule progressively more restrictive and less likely to be matched.

Configuring program or service settings

To add a program to the rules list, you must specify the full path to the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rules list. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program, as long as it runs within its own unique .exe file.

Warning

Adding service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without further restrictions in the rule might expose the computer to security threats. Also, adding these containers might conflict with other service hardening policies on computers running this version of Windows.

When you add a program to the rules list, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to the rules list is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.

Note

You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses Windows Sockets (Winsock) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.

To add a system service that has a service security identifier (SID) associated with it to the rules list, you use the Programs and Services tab in the Firewall Rule Properties dialog box. This gives more precise control over services, because many services are hosted in shared processes such as Svchost.exe, and a rule that matches only the service SID is more secure than a rule that adds the whole Svchost.exe process to the rules list.

Note

A system service that runs within its own unique executable (.exe) file and is not hosted by a service container is considered to be a program. Such a system service can be added to the rules list. In the same way, a program that behaves like a system service and runs whether or not a user is logged on to the computer is also considered a program as long as it runs within its own unique .exe file. Do not add service containers or programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list.

Configuring port and protocol settings

In some cases, if you cannot add a program or system service to the rules list, you must determine which port or ports the program or system service uses, and then add the port or ports to the Windows Firewall with Advanced Security rules list.

When you add a port to the rules list, you must specify the protocol and port number (ports can be specified only for the TCP and UDP protocols). A TCP or UDP port added to the rules list is open (unblocked) whenever Windows Firewall with Advanced Security is running, whether or not a program or system service is listening for incoming traffic on that port. For this reason, if you need to allow unsolicited incoming traffic through Windows Firewall with Advanced Security, you should create a program rule instead of a port rule: with a program rule, the required ports are opened only while the program is running and listening, and are closed otherwise.
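The following script is an added example, not part of the original page, covering the program, service and port cases described in the preceding sections. Given the full path of an executable, it finds the TCP and UDP ports that executable is currently listening on by parsing `netstat -ano` (available on Windows 7 and Windows Server 2008) and then prints the netsh command to create: a service rule when a service name is given, a program rule when the program assigns its ports through Winsock, or one port rule per listener otherwise. The executable path, rule name and service name are placeholders that you supply; they are assumptions, not values from the page. It is written for PowerShell 2.0, so it does not use the NetSecurity cmdlets introduced in later Windows versions.

```powershell
# Added example (not from the original page). Parameters are assumptions;
# replace them with the program, rule name or service you are configuring.
param(
    [string]$ExePath = "C:\Program Files\Example\listener.exe",
    [string]$RuleName = "Example listener",
    [string]$ServiceName = "",        # short service name, e.g. W32Time, if the program is a hosted service
    [bool]$UsesWinsock = $true,       # $false if the program does not assign ports through Winsock
    [switch]$Apply                    # actually run the generated netsh commands
)

function Get-ListeningPorts([string]$Path) {
    # Process IDs of every running instance of the executable. Path can be
    # $null for processes you cannot inspect, which simply never match.
    $ownerPids = @(Get-Process | Where-Object { $_.Path -eq $Path } | ForEach-Object { $_.Id })
    if ($ownerPids.Count -eq 0) { return @() }
    $result = @()
    foreach ($line in (netstat -ano)) {
        # Rows look like:  TCP  0.0.0.0:8080  0.0.0.0:0  LISTENING  1234
        #                  UDP  [::]:5353     *:*                   1234   (no State column)
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }          # header and blank lines
        $proto = $f[0]; $local = $f[1]
        if ($proto -eq 'TCP') {
            if ($f.Count -lt 5 -or $f[3] -ne 'LISTENING') { continue }
            $owner = [int]$f[4]
        } elseif ($proto -eq 'UDP') {
            $owner = [int]$f[3]
        } else { continue }
        if ($ownerPids -notcontains $owner) { continue }
        # Port is whatever follows the last ':' (works for IPv4 and [IPv6] forms)
        $port = [int]($local.Substring($local.LastIndexOf(':') + 1))
        $result += New-Object PSObject -Property @{ Protocol = $proto; Port = $port }
    }
    return $result | Sort-Object Protocol, Port -Unique
}

$cmds = @()
if ($ServiceName -ne "") {
    # Service hosted in a shared process: match the service SID, not the host
    # executable, so the rule does not open ports for every other hosted service.
    $cmds += "netsh advfirewall firewall add rule name=`"$RuleName`" dir=in action=allow service=$ServiceName"
} elseif ($UsesWinsock) {
    # Preferred form: a program rule. The firewall opens the program's ports
    # only while it is running and listening.
    $cmds += "netsh advfirewall firewall add rule name=`"$RuleName`" dir=in action=allow program=`"$ExePath`""
} else {
    # Fallback: one port rule per listener. These ports stay open whether or
    # not anything listens, so scope them (here to the local subnet).
    $ports = Get-ListeningPorts $ExePath
    if ($ports.Count -eq 0) { Write-Warning "$ExePath is not running or has no listening ports" }
    foreach ($p in $ports) {
        $cmds += "netsh advfirewall firewall add rule name=`"$RuleName ($($p.Protocol) $($p.Port))`" dir=in action=allow protocol=$($p.Protocol) localport=$($p.Port) remoteip=localsubnet"
    }
}

$cmds                                   # show what would be created
if ($Apply) { foreach ($c in $cmds) { Invoke-Expression $c } }
```

Without `-Apply` the script only prints the commands, which lets you review the generated names and scope before changing the firewall. Note that `Get-Process` exposes the executable path only for processes the current user can open, so run the script elevated to see ports owned by services running as LocalSystem or a service account.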

Configuring user or computer settings

You can configure the firewall rule to be applied only if specified users or groups request a connection or if a specified computer or group of computers request a connection. These settings will be added to any other restrictions you have specified for the rule.

Configuring scope settings

You can configure the firewall rule to be applied only if the connection's local address and remote address fall within the sets you specify. Each set can be built from individual IP addresses, subnets, IP address ranges, or keywords that the firewall resolves at run time (such as the local subnet, or the computer's configured DNS, DHCP, WINS or default gateway servers); however, you cannot specify an Active Directory group in the scope settings. To restrict a rule to computers or users by identity rather than by address, use the computer and user settings described above.

Configuring advanced settings

You usually configure Windows Firewall with Advanced Security on a global basis. For example, when you turn on Windows Firewall with Advanced Security, it is enabled on all of the network connections that already exist on your computer and all network connections that you create on your computer. Likewise, when you create a rule, the rule applies to all network connections that already exist on the computer and all network connections that you create on the computer.

You can also configure Windows Firewall with Advanced Security on an interface-type-specific basis. You can create a rule for each interface type on your computer, such as your LAN card or a wireless connection. This is useful if your computer has multiple interface types and you do not want Windows Firewall with Advanced Security enabled on all connections or you want to open different ports for each network connection.
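The following script is an added example, not part of the original page, that combines the three kinds of restriction described in the preceding sections (computer group, scope, and interface type) in netsh form. It assumes a domain named CONTOSO with a security group "Admin Workstations", a management subnet 10.10.0.0/24, a wired interface with the local address 10.10.1.5, and rule names chosen here; all of these are assumptions. Run it from an elevated prompt on a domain-joined host.

```powershell
# Added example (not from the original page). Domain, group, subnets and
# rule names are assumptions; substitute your own.

# netsh takes the computer or user restriction as an SDDL string. Resolve
# the group name to its SID first; a DACL entry granting the CC right to
# that SID is the form netsh accepts.
$group = New-Object System.Security.Principal.NTAccount("CONTOSO", "Admin Workstations")
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "D:(A;;CC;;;$sid)"

# Authenticated bypass: computers in the group that prove their identity
# over IPsec reach WinRM (TCP 5985) on the wired interface even when a
# block rule also matches. Bypass rules require both security=authenticate
# and a remote computer group.
netsh advfirewall firewall add rule name="WinRM bypass for admin workstations" dir=in action=bypass protocol=TCP localport=5985 security=authenticate rmtcomputergrp=$sddl interfacetype=lan profile=domain

# Scope: an ordinary allow rule limited to the management subnet plus one
# address range, to the wired interface's own address, and to the LAN
# interface type. Scope filters on addresses only; it does not authenticate
# the peer, so pair it with IPsec where source addresses could be spoofed.
netsh advfirewall firewall add rule name="WinRM from management subnet" dir=in action=allow protocol=TCP localport=5985 localip=10.10.1.5 remoteip=10.10.0.0/24,10.10.2.10-10.10.2.20 interfacetype=lan profile=domain

# The same port on the wireless interface type gets no rule at all, so it
# stays closed there under the default inbound action.
netsh advfirewall firewall show rule name=all | Select-String -Pattern "WinRM"
```

If the group name does not resolve, `Translate` throws an `IdentityNotMappedException`; that is the check that the host can actually reach a domain controller and that the group exists, and it is worth letting it fail loudly rather than creating a bypass rule with an empty group.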

Additional references

Firewall Profiles

Connection Security Rules