Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Windows Firewall with Advanced Security provides a number of ways to implement settings on both local and remote computers. You can configure Windows Firewall with Advanced Security in the following ways:

  • Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the Netsh advfirewall command.

  • Configure Windows Firewall with Advanced Security Group Policy settings by using the Group Policy Management Console (GPMC) or by using the Netsh advfirewall command.

Firewall rules from different sources are first merged together. Rules can be stored on the local computer, or in a variety of Group Policy objects (GPOs).

Windows Firewall with Advanced Security uses a specific order in which firewall rule evaluation takes place.

This order is as follows:

1. Windows Service Hardening

This type of rule restricts services from establishing connections. Service restrictions are configured out-of-the-box so that Windows Services can only communicate in the ways in which they are designed (i.e., restricting allowable traffic through a specific port). You must still create or enable a rule to allow these services to communicate; Windows Service Hardening rules only prevent the service from communicating in ways that it was not designed to do.

Independent software vendors can make use of public Windows Service Hardening APIs to restrict their own services.

2. Connection security rules

This type of rule defines how and in which circumstances computers authenticate using IPsec. Connection security rules are used in establishing server and domain isolation, as well as in enforcing Network Access Protection (NAP) policy, and enabling DirectAccess.

3. Authenticated bypass rules

This type of firewall rule allows a connection if the traffic is protected with IPsec, regardless of other inbound rules in place. Specified computers or users are allowed to bypass inbound rules that would otherwise block traffic. Examples of this are vulnerability scanners, which are programs that scan other programs, computers, and networks for weaknesses.

4. Block rules

This type of rule explicitly blocks a particular type of incoming or outgoing traffic. A block rule overrides a matching allow rule, unless the allow rule has authenticated bypass enabled.

5. Allow rules

This type of rule explicitly allows a particular type of incoming or outgoing traffic.

6. Default rules

These rules define the action that takes place when a connection does not meet any of the parameters of a higher order rule. Out-of-the-box, the inbound default is to block connections, and the outbound default is to allow connections.


Within each category, rules are matched by the degree of their specificity. For example, if AllowRule1 has parameters A and B specified and AllowRule2 has parameters A, B, and C specified, then network traffic that matches parameters A, B, and C will apply AllowRule2 because it is a more specific match than AllowRule1.
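The following Python sketch is an added example, not Microsoft code: a simplified model of the ordering above (authenticated bypass, then block, then allow, then default) with most-specific-match inside each category, useful for predicting which rule wins before deploying a rule set. The rule names other than AllowRule1 and AllowRule2, the addresses, and the dictionary-based connection format are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Rule types in the page's evaluation order. Windows Service Hardening and
# connection security rules (order 1 and 2) are outside this simplified model.
ORDER = ["bypass", "block", "allow"]
DEFAULTS = {"in": "block", "out": "allow"}  # out-of-the-box defaults

@dataclass
class Rule:
    name: str
    kind: str        # "bypass", "block" or "allow"
    direction: str   # "in" or "out"
    match: dict = field(default_factory=dict)  # parameters the rule specifies

    def matches(self, conn):
        return self.direction == conn["direction"] and all(
            conn.get(k) == v for k, v in self.match.items())

def evaluate(rules, conn):
    """Return (action, winning rule name) for one connection."""
    for kind in ORDER:
        hits = [r for r in rules if r.kind == kind and r.matches(conn)]
        if kind == "bypass" and not conn.get("ipsec"):
            hits = []  # authenticated bypass needs IPsec-protected traffic
        if hits:
            # Within a category, the rule specifying the most parameters wins.
            best = max(hits, key=lambda r: len(r.match))
            return ("block" if kind == "block" else "allow", best.name)
    return (DEFAULTS[conn["direction"]], "default")

# Constructed sample rule set (names and addresses are illustrative).
RULES = [
    Rule("AllowRule1", "allow", "in", {"protocol": "tcp", "port": 445}),
    Rule("AllowRule2", "allow", "in",
         {"protocol": "tcp", "port": 445, "remote": "10.0.0.5"}),
    Rule("BlockHost9", "block", "in", {"remote": "10.0.0.9"}),
    Rule("ScannerBypass", "bypass", "in", {"remote": "10.0.0.9"}),
]

def inbound(remote, port, ipsec=False):
    return {"direction": "in", "protocol": "tcp", "port": port,
            "remote": remote, "ipsec": ipsec}

if __name__ == "__main__":
    for c in (inbound("10.0.0.5", 445), inbound("10.0.0.7", 445),
              inbound("10.0.0.9", 445), inbound("10.0.0.9", 445, ipsec=True),
              inbound("10.0.0.7", 3389)):
        print(c["remote"], c["port"], c["ipsec"], "->", evaluate(RULES, c))
```

The third and fourth sample connections differ only in IPsec protection: the same host is blocked by BlockHost9 without it and admitted by ScannerBypass with it.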


This ordering of rules is always enforced, even when rules come from Group Policy. Rules, including those from Group Policy, are sorted and then applied. A domain administrator can configure a GPO to prevent any locally defined firewall rules from being enforced. This helps ensure that only the rules tested and deployed by the domain administrator are used, and that they cannot be interfered with by possibly contradictory rules created locally on the computer.