Create an Inbound Program Rule on Windows XP or Windows Server 2003

Updated: January 27, 2010

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To allow inbound network traffic to a specified program or service, use the Windows Firewall node of the Group Policy Management Editor to create a program rule (the policy calls it a program exception). The rule is keyed to the program's executable path, and it allows that program to listen for and receive inbound network traffic on any port it opens.


Unlike in Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2, Windows Firewall in earlier versions of Windows does not support the creation of a rule that restricts network traffic to both a specified program and a specified port number. If you create a program rule, then that program can receive inbound network traffic on any port on which it listens. If you create a port rule, then any program listening on the specified port receives the inbound network traffic. For information about creating a port rule on Windows XP or Windows Server 2003, see Create an Inbound Port Rule on Windows XP or Windows Server 2003.

Administrative credentials

To complete these procedures, you must be a member of the Domain Admins group, or otherwise be delegated permission to edit the GPOs in question.

To create an inbound firewall rule for a program or service

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, expand Group Policy Objects, right-click the GPO in which you want to create the rule, and then click Edit.

  4. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, expand Network Connections, and then expand Windows Firewall.

  5. Expand Domain Profile or Standard Profile. Rules created in the Domain Profile section apply whenever the client computer is connected to a network on which it can contact a domain controller for its assigned Active Directory domain. Rules created in the Standard Profile section apply when the computer cannot contact a domain controller for its domain.

  6. In the details pane, double-click Windows Firewall: Define inbound program exceptions.

  7. On the Setting tab, click Enabled, and then click Show.

  8. In the Show Contents dialog box, click Add.

  9. In the Add item dialog box, type the definition string in the format shown in the setting's explanation text: the full path to the executable file that you want to receive inbound network traffic, the scope, the status, and a display name, separated by colons (path:scope:status:name). For example, %PROGRAMFILES%\Contoso\agent.exe:LocalSubnet:enabled:Contoso Agent allows that executable to receive traffic from the local subnet only; a scope of * allows any address. Then click OK on each dialog box to save your changes.


Use environment variables instead of hard-coded paths when the path to the file might vary from computer to computer. For example, use:

  • %WINDIR% instead of c:\windows

  • %PROGRAMFILES% or %PROGRAMFILES(x86)% instead of c:\program files

  • %USERPROFILE% to reference the user’s personal folder
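The following PowerShell is added here as an example; it is not from the original page and not Microsoft's code. It builds definition strings in the path:scope:status:name form that the procedure above enters by hand, parses them back, and audits each entry for the two things a reviewer cares about on Windows XP or Windows Server 2003, where a program rule cannot be narrowed to a port: a scope of * and an executable that lives in a user-writable location. The registry key it reads on a client is an assumption about where the Domain Profile list lands once the GPO is applied; the Contoso paths and the sample entries are constructed test data, not values from any real machine.

```powershell
# Added example (not from the original page). Builds, parses and audits
# program-exception definition strings for the policy setting
# "Windows Firewall: Define inbound program exceptions" (Windows XP SP2 /
# Windows Server 2003 SP1 and later). Format: <path>:<scope>:<status>:<name>.
# ASSUMPTION: $PolicyListKey is where the Domain Profile list is written on a
# client; substitute StandardProfile for the other profile. Sample entries are constructed.

$PolicyListKey = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications\List'

function New-ProgramException {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,   # full path to the .exe; environment variables allowed
        [string] $Scope = 'LocalSubnet',                 # '*' = any address; LocalSubnet or an IP/subnet list narrows it
        [ValidateSet('enabled', 'disabled')] [string] $Status = 'enabled',
        [Parameter(Mandatory = $true)] [string] $Name
    )
    if ($Path -notmatch '(?i)\.exe$') { throw "A program exception must name an executable: $Path" }
    if ($Path -match '^[A-Za-z]:\\') {
        Write-Warning "Hard-coded drive path '$Path'; prefer %WINDIR% or %PROGRAMFILES% so the rule survives non-standard installs"
    }
    if ($Name -match ':') { throw "The name field may not contain ':' because it is the field separator" }
    return '{0}:{1}:{2}:{3}' -f $Path, $Scope, $Status, $Name
}

function ConvertFrom-ProgramException {
    param([Parameter(Mandatory = $true)] [string] $Definition)
    # The path may itself contain a drive-letter colon, so take the last three
    # fields as scope, status and name and treat everything before them as the path.
    $parts = $Definition -split ':'
    if ($parts.Count -lt 4) { throw "Malformed program exception: $Definition" }
    [pscustomobject]@{
        Path   = ($parts[0..($parts.Count - 4)] -join ':')
        Scope  = $parts[-3]
        Status = $parts[-2]
        Name   = $parts[-1]
    }
}

function Test-ProgramException {
    param([Parameter(Mandatory = $true)] [string] $Definition)
    $entry = ConvertFrom-ProgramException -Definition $Definition
    $findings = @()
    if ($entry.Scope -eq '*') {
        $findings += 'Scope is any address: the program is reachable on every port it opens, from any network this profile applies to.'
    }
    if ($entry.Path -match '(?i)%USERPROFILE%|\\Documents and Settings\\|%TEMP%|\\Temp\\') {
        $findings += 'Executable lives in a user-writable location: whoever can replace that file inherits the exception.'
    }
    if ($entry.Status -ne 'enabled') {
        $findings += 'Entry is disabled and grants nothing until it is enabled.'
    }
    $entry | Add-Member -MemberType NoteProperty -Name Findings -Value $findings -PassThru
}

function Get-PolicyProgramExceptions {
    param([string] $Key = $PolicyListKey)
    # Each value under the List key holds one definition string (assumed layout).
    if (-not (Test-Path -Path $Key)) { return @() }
    $item = Get-Item -Path $Key
    foreach ($valueName in $item.GetValueNames()) { $item.GetValue($valueName) }
}

# Constructed sample definitions (not read from any real machine).
$SampleDefinitions = @(
    (New-ProgramException -Path '%PROGRAMFILES%\Contoso\Agent\agent.exe' -Scope 'LocalSubnet' -Name 'Contoso Agent'),
    'c:\Documents and Settings\alice\tool.exe:*:enabled:Alice Tool',
    '%WINDIR%\legacy\listener.exe:10.0.0.0/24,192.168.1.5:disabled:Legacy Listener'
)

$all = @(Get-PolicyProgramExceptions) + $SampleDefinitions
$all | ForEach-Object { Test-ProgramException -Definition $_ } |
    Select-Object Name, Path, Scope, Status, @{ n = 'Findings'; e = { $_.Findings -join ' ' } } |
    Format-List
```

Run it on a management workstation to check strings before pasting them into the Show Contents dialog box, or on a client after a Group Policy refresh to review what the GPO actually delivered; the client-side view of the merged result is also available with netsh firewall show allowedprogram. Because a program rule on these versions of Windows admits traffic on every port the program opens, the scope field and the trustworthiness of the executable path are the only limits left, which is what the audit concentrates on.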
