Help: Administering Windows Firewall with Group Policy
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Administering Windows Firewall with Group Policy
If your organization uses the Active Directory directory service, you can configure and manage Windows Firewall with the new Windows Firewall Group Policy settings. When you use Group Policy to configure Windows Firewall, local administrators and users will be unable to locally configure some Windows Firewall configuration settings by using Windows Firewall in Control Panel. Specifically, when a Windows Firewall setting is configured through Group Policy, the equivalent setting appears dimmed in Windows Firewall in Control Panel.
Windows Firewall Group Policy Settings
There are two sets of Windows Firewall policy settings:
The domain profile settings, which are used when a computer is connected to a network that contains the organization's domain controllers.
The standard profile settings, which are used when a computer is connected to a network that does not contain the organization's domain controllers.
If you do not configure the settings of a profile, their default values are applied. Therefore, it is highly recommended that you configure both the domain profile and the standard profile settings so that you maintain your desired level of security when a computer changes from one profile to the other (for example, when a laptop leaves the corporate network). Also, the standard profile settings are typically more restrictive than the domain profile settings, because the standard profile does not need to include exceptions for applications and services that are used only in a managed domain environment. Both the domain profile and the standard profile contain the same set of Windows Firewall configuration settings.
The following Group Policy settings are available for managing Windows Firewall. These settings can be found at the following location in the Group Policy Editor snap-in:
- Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile or Standard Profile
| Group Policy setting | Description |
|---|---|
| Windows Firewall: Protect all network connections | Used to specify that Windows Firewall is enabled on all network connections. |
| Windows Firewall: Do not allow exceptions | Used to specify that all unsolicited incoming traffic is dropped, including traffic that would otherwise be permitted by the exceptions list. |
| Windows Firewall: Define program exceptions | Used to define, by application file name, the programs that are added to the exceptions list, together with the scope (source addresses) from which their traffic is accepted. |
| Windows Firewall: Allow local program exceptions | Used to enable local configuration of program exceptions. |
| Windows Firewall: Allow remote administration exception | Used to enable remote procedure call (RPC) and Distributed Component Object Model (DCOM) traffic, which is necessary for remote administration with tools such as Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). |
| Windows Firewall: Allow file and printer sharing exception | Used to specify whether file and printer sharing traffic is allowed. |
| Windows Firewall: Allow ICMP exceptions | Used to specify the types of unsolicited Internet Control Message Protocol (ICMP) traffic that are allowed. |
| Windows Firewall: Allow Remote Desktop exception | Used to specify whether the computer can accept a Remote Desktop connection request. |
| Windows Firewall: Allow UPnP framework exception | Used to specify whether the computer can participate in UPnP discovery. |
| Windows Firewall: Prohibit notifications | Used to disable the notifications that are displayed when an application uses the new Windows Firewall application programming interfaces (APIs) to request that it be added to the exceptions list. |
| Windows Firewall: Allow logging | Used to enable logging of dropped packets and successful connections, and to configure the log file settings (path and maximum size). |
| Windows Firewall: Prohibit unicast response to multicast or broadcast requests | Used to discard unicast packets that arrive in response to a multicast or broadcast message sent by the computer. |
| Windows Firewall: Define port exceptions | Used to specify, by TCP or UDP port, the ports that are added to the exceptions list, together with the scope from which their traffic is accepted. |
| Windows Firewall: Allow local port exceptions | Used to enable local configuration of port exceptions. |
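The program and port exception settings in the table above take one text entry per exception, in the form `<path>:<scope>:<status>:<name>` for programs and `<port>:<transport>:<scope>:<status>:<name>` for ports, where `<scope>` is `*` (any address), `localsubnet`, or a comma-separated list of IPv4 addresses or subnets, and `<status>` is `enabled` or `disabled`. The following Python script is an added example, not code from this help page or from Microsoft: it parses such entries for both profiles and reports where the standard profile is looser than the domain profile, which is the condition the profile guidance above warns against. The policy values in it are constructed for illustration and are not taken from any real system.

```python
"""Parse Windows Firewall Group Policy exception entries for the domain and
standard profiles and report where the standard profile is the looser one.
Added example; the sample entries at the bottom are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FwException:
    kind: str       # "program" or "port"
    key: str        # lower-cased program path, or "<port>/<transport>" such as "3389/tcp"
    scope: str      # "*", "localsubnet", or the address list as written
    enabled: bool
    name: str


def _validate_scope(scope: str) -> str:
    """Return the scope if it is syntactically valid, otherwise raise ValueError."""
    low = scope.strip().lower()
    if low in ("*", "localsubnet"):
        return low
    for item in scope.split(","):
        # Accepts a.b.c.d, a.b.c.d/nn and a.b.c.d/dotted-mask; raises on anything else.
        ipaddress.ip_network(item.strip(), strict=False)
    return scope.strip()


def _parse_status(status: str) -> bool:
    low = status.strip().lower()
    if low not in ("enabled", "disabled"):
        raise ValueError(f"status must be enabled or disabled, got {status!r}")
    return low == "enabled"


def parse_program_entry(entry: str) -> FwException:
    # The path itself may contain ':' (C:\...), so take the last three fields from the right.
    parts = entry.rsplit(":", 3)
    if len(parts) != 4 or not parts[0].strip():
        raise ValueError(f"malformed program entry: {entry!r}")
    path, scope, status, name = parts
    return FwException("program", path.strip().lower(), _validate_scope(scope),
                       _parse_status(status), name.strip())


def parse_port_entry(entry: str) -> FwException:
    parts = entry.split(":", 4)      # the name is last and may contain ':'
    if len(parts) != 5:
        raise ValueError(f"malformed port entry: {entry!r}")
    port, transport, scope, status, name = parts
    if not port.strip().isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad port in entry: {entry!r}")
    transport = transport.strip().lower()
    if transport not in ("tcp", "udp"):
        raise ValueError(f"transport must be TCP or UDP in entry: {entry!r}")
    return FwException("port", f"{int(port)}/{transport}", _validate_scope(scope),
                       _parse_status(status), name.strip())


def parse_profile(programs, ports):
    """Parse one profile's program and port entries into a dict keyed by path or port/transport."""
    parsed = [parse_program_entry(e) for e in programs] + [parse_port_entry(e) for e in ports]
    return {e.key: e for e in parsed}


def audit_profiles(domain, standard):
    """Return (key, message) findings where the standard profile is looser than the domain profile:
    an exception enabled only in the standard profile, or one open to any address there
    while the domain profile restricts its scope."""
    findings = []
    for key, std in sorted(standard.items()):
        if not std.enabled:
            continue
        dom = domain.get(key)
        if dom is None or not dom.enabled:
            findings.append((key, f"{std.name!r} is enabled only in the standard profile (scope {std.scope})"))
        elif std.scope == "*" and dom.scope != "*":
            findings.append((key, f"{std.name!r} is open to any address in the standard profile "
                                  f"but limited to {dom.scope} in the domain profile"))
    return findings


# Constructed sample policy values (not from a real deployment).
DOMAIN_PROGRAMS = [r"%ProgramFiles%\Backup\agent.exe:10.0.0.0/24:enabled:Backup agent"]
DOMAIN_PORTS = ["3389:TCP:localsubnet:enabled:Remote Desktop",
                "445:TCP:localsubnet:enabled:File and printer sharing"]
STANDARD_PROGRAMS = [r"%ProgramFiles%\Backup\agent.exe:*:enabled:Backup agent"]
STANDARD_PORTS = ["3389:TCP:*:enabled:Remote Desktop",
                  "5000:UDP:*:enabled:Vendor discovery",
                  "445:TCP:localsubnet:disabled:File and printer sharing"]


def run_sample():
    return audit_profiles(parse_profile(DOMAIN_PROGRAMS, DOMAIN_PORTS),
                          parse_profile(STANDARD_PROGRAMS, STANDARD_PORTS))


if __name__ == "__main__":
    for key, msg in run_sample():
        print(f"{key}: {msg}")
```

On the constructed sample the script reports three findings: the backup agent and Remote Desktop are reachable from any address in the standard profile but scoped in the domain profile, and the vendor discovery port is enabled only in the standard profile. The disabled file-sharing entry produces no finding, since a disabled exception admits nothing. To audit a real policy, paste the entry strings from the two **Define ... exceptions** settings into the four lists.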
You can also configure the Windows Firewall: Allow authenticated IPSec bypass policy setting, which can be found at the following location in the Group Policy Editor snap-in:
Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall
This policy setting allows unsolicited incoming traffic from specified computers that authenticate using IPSec to bypass the Windows Firewall restrictions. The permitted computers are identified by a security descriptor (SDDL) string that names their computer accounts or groups, so keep that list as narrow as possible.
Notes
Windows Firewall is not included in the original release of the Windows Server 2003 operating systems; it is included starting with Windows Server 2003 Service Pack 1.
You cannot use Group Policy to configure Windows Firewall per-connection settings.
Group Policy settings must be refreshed before they take effect, either at the next scheduled Group Policy refresh or when you run gpupdate on the computer.
See Also
Concepts
Help: Understanding Windows Firewall
Help: Administering Windows Firewall
Help: Windows Firewall How To...