Managing Firewall Protection

Applies To: Windows SBS 2008, Windows Small Business Server 2011 Standard

A firewall helps block malicious users, viruses, and worms that try to access your network from the Internet. For a small business environment, a firewall is the most effective and important first step you can take to help protect your network.

A firewall helps prevent unauthorized access to your local area network (LAN) from the Internet by blocking incoming network traffic that is attempting to use a closed port. It is recommended that you close all ports on the firewall that your applications and services do not require. A firewall hides information about your LAN from the Internet, such as computer names, network topology, and network device types. A firewall can also log traffic to and from the local network.

Server Firewall

Windows Firewall on Windows SBS 2008 is enabled during installation, and it helps protect the server from intrusions. After the installation finishes, only installed services are allowed through the firewall. The new firewall is set up so that each of the installed services and applications for Windows SBS 2008 can communicate through the firewall.

To allow other programs and services to receive traffic through the appropriate ports, you must add the program or service to the Windows Firewall exceptions list. In some cases, if you cannot add a program or service to the exceptions list, you must determine which port or ports the program or service uses, and then add the port or ports to the Windows Firewall exceptions list. You can learn the port numbers that must be opened from the documentation for your line-of-business application. For a list of well-known ports, see Internet Assigned Numbers Authority (IANA) Request for Comment (RFC) 1700 at

To learn how to open and close ports on Windows Firewall in Windows SBS 2008, click the following:


To help secure your network from unwanted intrusions, you should open only ports that are required to allow your network to run smoothly. When you stop using applications and services, you should close the associated ports.
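
The following added example (not from the original page or from Microsoft) audits that rule: it parses the listing printed by netsh advfirewall firewall show rule name=all and reports enabled inbound allow rules that open ports outside an allowlist. The sample listing, rule names, port numbers and the REQUIRED set are constructed, and the English-locale netsh layout is assumed.

```python
import re

# Constructed sample in the layout printed by
# `netsh advfirewall firewall show rule name=all` (English locale assumed).
SAMPLE = """\
Rule Name:                            LOB Accounting (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            8443,10000-10001
Action:                               Allow

Rule Name:                            Old Backup Agent
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Protocol:                             TCP
LocalPort:                            6101
Action:                               Allow
"""
REQUIRED = {("TCP", 8443)}  # hypothetical allowlist taken from the application's documentation

def parse_rules(text):
    rules = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+):\s*(.*)$", line)  # "Key:   value" lines only
        if m and m.group(1).strip() == "Rule Name":
            rules.append({})  # each "Rule Name" line starts a new rule
        if m and rules:
            rules[-1][m.group(1).strip()] = m.group(2).strip()
    return rules

def unneeded_open_ports(rules, required):
    findings = {}
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue  # only enabled inbound allow rules open a port
        extra = []
        for part in r.get("LocalPort", "Any").split(","):
            lo, _, hi = part.partition("-")
            if lo.isdigit():
                ports = range(int(lo), int(hi or lo) + 1)
                extra += [p for p in ports if (r.get("Protocol"), p) not in required]
            else:
                extra.append(part)  # "Any" or a named port: always review
        if extra:
            findings[r["Rule Name"]] = extra
    return findings
```

Each rule name it returns is a candidate for narrowing or removal from the exceptions list; disabled rules are skipped because they do not open a port.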

Client Computer Firewall

Client computers on the network can become infected through a separate Internet connection, such as a laptop that is used on your internal network and on public networks. A virus can also be introduced to a computer on your network from e-mail or from Web browsing. To help protect your internal network, when client computers that are running Windows XP Professional with Service Pack 2 (SP2) or Windows Vista join the local domain, Windows SBS 2008 uses Group Policy settings to configure the firewall on each client computer. After that, the client computer is monitored to ensure that the firewall is not disabled or changed. The firewall configuration is specific to each computer rather than to each user.

For information about configuring Windows Firewall on Windows XP, see “Manually Configuring Windows Firewall in Windows XP Service Pack 2” at the Microsoft Web site (

For information about configuring Windows Firewall on Windows Vista, see “The New Windows Firewall in Windows Vista and Windows Server 2008” at the Microsoft Web site (

Additional resources

Understanding Windows Firewall Settings at the Microsoft Web site (