Configuring System Service Firewall Rules

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When you turn on Windows Firewall for the first time or restore Windows Firewall default settings, all unsolicited incoming TCP/IP traffic is blocked on all network connections. This means that any program or system service that attempts to listen for traffic on a TCP or UDP port will be unable to receive traffic. To allow programs and system services to receive unsolicited traffic through these ports, you must add the program or system service to the Windows Firewall exceptions list.

Note

If you cannot add a program or system service to the exceptions list, you must determine which port or ports the program or system service uses and add the port or ports to the Windows Firewall exceptions list. However, adding programs and system services to the exceptions list is the recommended way to control the traffic that is allowed through Windows Firewall.

Windows Firewall provides four preconfigured system service exceptions that you can enable or disable. When you enable a preconfigured exception, Windows Firewall adds the appropriate programs and ports to the exceptions list so that the system service can receive unsolicited incoming traffic. When you disable a preconfigured system service, Windows Firewall deletes the programs and ports from the exceptions list. The following list describes the preconfigured exceptions you can configure in Windows Server 2003.

  • File and Printer Sharing: Adds TCP ports 139 and 445 and UDP ports 137 and 138 to the exceptions list. This setting allows a computer to receive unsolicited traffic to shared files, folders, and printers.

  • Remote Desktop: Adds TCP port 3389 to the exceptions list. This setting allows a computer to be managed remotely with the Remote Desktop Connection feature.

  • UPnP Framework: Adds TCP port 2869 and UDP port 1900 to the exceptions list. This setting allows a computer to receive UPnP discovery requests from other computers and devices.

  • Remote Administration: Adds TCP ports 135 and 445 to the exceptions list. Also adds Svchost.exe and Lsass.exe to the exceptions list to allow hosted services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. This setting allows a computer to be remotely managed with administrative tools, such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). It also allows a computer to receive unsolicited incoming Distributed Component Object Model (DCOM) and remote procedure call (RPC) traffic.

Note

There is no predefined Remote Assistance exception in Windows Server 2003. If you want to use Remote Assistance on Windows Server 2003, you must enable the Remote Desktop exception or add TCP port 3389 to the Windows Firewall exceptions list.

In most scenarios, all of the preconfigured exceptions are disabled by default. However, the File and Printer Sharing exception might be enabled by default after you perform an upgrade from an older operating system that has shared folders or printers. The Remote Desktop exception might be enabled by default after you perform an upgrade from an older operating system that has Remote Desktop Connection enabled.

In addition to enabling and disabling preconfigured exceptions, you can edit the File and Printer Sharing, Remote Desktop, and UPnP Framework exceptions. Editing a preconfigured exception allows you to enable and disable the programs and ports that are associated with the preconfigured exception. This is useful for troubleshooting and for those cases in which you want to modify a preconfigured exception to suit a specific server configuration but do not want to add additional exceptions to the exceptions list. You cannot delete any of the preconfigured exceptions; disabling a preconfigured exception does not remove it from the exceptions list.

Note

You cannot edit the Remote Administration exception nor can you enable or disable it in the graphical user interface. You must use the netsh firewall command or Group Policy to enable or disable the Remote Administration exception.

Mitigating the Risks Associated with Exceptions

Each time you add a program, system service, or port to the exceptions list, you make your computer more accessible to attack. A common form of network attack uses port scanning software to identify computers that have open and unprotected ports. By adding numerous programs, system services, and ports to the exceptions list, you defeat the purpose of a firewall and increase the attack surface of your computer. This problem typically occurs when you configure a server for several different roles, and you need to open numerous ports to accommodate each of the server roles. You should closely evaluate the design of any server that requires you to open numerous ports. Servers that are configured for numerous roles or are configured to provide numerous services can be a critical point of failure in your organization and might indicate poor infrastructure design.

To decrease your security risk, follow these guidelines when you configure preconfigured exceptions:

  • Enable an exception only when you need it. If you think a program might require a port for unsolicited incoming traffic, do not enable a preconfigured exception until you verify that the program attempted to listen for unsolicited traffic and that the ports it uses are those that are opened by the preconfigured exception.

  • Never enable an exception for a program or system service that you do not recognize. If Windows Firewall notifies you that a program has attempted to listen for unsolicited incoming traffic, verify the name of the program and the executable (.exe) file before you enable a preconfigured exception. If you use the security event log to determine that a system service attempted to listen for unsolicited incoming traffic, verify that the system service is a valid component before you enable a preconfigured exception.

  • Disable preconfigured exceptions when you no longer need them. If you enable a preconfigured exception on a server, and then change the server's role or reconfigure the services and applications on the server, be sure to update the exceptions list and disable the preconfigured exceptions that are no longer required.

When to perform this task

You should configure the File and Printer Sharing, Remote Desktop, and UPnP Framework exceptions when your server provides or uses file and printer sharing, Remote Desktop Connection, or UPnP discovery. These exceptions are preconfigured for these services and features and are not meant to be used in any other way.

You should configure the Remote Administration exception on a server when you want to administer the server with a remote administration tool that uses RPC and DCOM. Malicious users often attempt to attack networks and computers using RPC and DCOM. You should contact the manufacturer of your remote administration tool to determine if it requires RPC and DCOM communication. If it does not, do not enable this exception.
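The netsh firewall commands that the earlier note says are required for the Remote Administration exception, applied in the order the guidelines above recommend (verify a listener first, enable with the narrowest scope, disable when finished), as an added example that is not part of the original article. The command syntax is the documented netsh firewall context of Windows Server 2003 SP1/SP2; the management station address is a placeholder.

```batch
@echo off
rem Added example (not from the original article): manage the Remote
rem Administration exception from the netsh firewall context.
rem Run in a command prompt on the server, as a member of Administrators.

rem 1. Record the current firewall state and which preconfigured
rem    exceptions are already enabled before changing anything.
netsh firewall show state
netsh firewall show service

rem 2. Confirm that a service is actually listening on the ports this
rem    exception opens (TCP 135 and 445) and which process owns each
rem    socket, so the exception is enabled only when it is really needed.
netstat -ano | findstr LISTENING | findstr /C:":135 " /C:":445 "

rem 3. Enable Remote Administration, the one exception the GUI cannot
rem    toggle. scope=SUBNET restricts it to the local subnet instead of
rem    ALL, and profile=DOMAIN applies it only while the domain profile
rem    is active.
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=SUBNET profile=DOMAIN

rem    Tighter alternative: accept RPC/DCOM traffic only from the
rem    management station (192.0.2.10 is a placeholder address).
rem netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=192.0.2.10 profile=DOMAIN

rem 4. Verify what was actually added to the exceptions list.
netsh firewall show config

rem 5. When the remote administration work is finished, disable the
rem    exception again so the ports do not stay open unnecessarily.
netsh firewall set service type=REMOTEADMIN mode=DISABLE profile=DOMAIN
```

The same type= values (FILEANDPRINT, REMOTEDESKTOP, UPNP) drive the other three preconfigured exceptions from the command line as well.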

Task requirements

No special tools are required to complete this task.

Task procedures

To complete this task, perform the following procedures:

Enable or Disable the File and Printer Sharing Firewall Rule

Enable or Disable the Remote Desktop Firewall Rule

Enable or Disable the UPnP Framework Firewall Rule

Enable or Disable the Remote Administration Firewall Rule

See Also

Concepts

Known Issues for Managing Firewall Rules
Configuring Program Firewall Rules
Configuring Port Firewall Rules
Configuring Firewall Rules for Specific Connections
Configuring Scope Settings