
Deploying Windows Firewall

Updated: June 8, 2005

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

To protect your network from the growing number of malicious attacks, you need to
adopt a defense-in-depth strategy. A defense-in-depth strategy incorporates a variety of
network security technologies into your security architecture and implements those
technologies in a layered structure that extends from your perimeter network (outer layer)
to every computer in your organization (inner layer). By providing host firewall
protection on the innermost layer of your network, Windows Firewall, a new security
component in Microsoft® Windows Server™ 2003 with Service Pack 1 (SP1), can be an
effective part of your defense-in-depth security strategy.

In This Chapter
Overview of Windows Firewall Deployment

Step-by-Step Guide for Using Windows Firewall

Deploying Windows Firewall with Group Policy

Deploying Windows Firewall During an Unattended Installation

Deploying Windows Firewall with a Netfw.inf File


Overview of Windows Firewall Deployment


By default, Windows Firewall is turned off (disabled) in Windows Server 2003 with
Service Pack 1 (SP1). In addition, when Windows Firewall is turned on, all unsolicited
incoming Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) traffic
that uses UDP or TCP is blocked. Therefore, to deploy Windows Firewall you must turn
on (enable) Windows Firewall and configure Windows Firewall settings so that
unsolicited incoming traffic is allowed to reach the programs and services that are acting
as servers, listeners, or peers.

The Security Configuration Wizard (SCW) is the recommended tool for deploying
Windows Firewall in small, medium, and large organizations. SCW is an optional
component that must be installed through Add or Remove Programs in Control Panel.
SCW guides you through the process of creating a security policy, based on the roles
performed by a given server. Once a policy is created, it can be edited or applied to one
or more similarly configured servers. For more information, see Configuring Windows
Firewall with SCW on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48116).

In addition to SCW, there are several other deployment tools that are suitable for small-
scale and large-scale deployments of Windows Firewall.

Small-Scale Deployments
If you are deploying Windows Firewall to a small number of servers, you can use
Windows Firewall in Control Panel to turn on Windows Firewall and configure Windows
Firewall settings on a server-by-server basis. This deployment method is not efficient if
you are deploying more than a few servers, and can result in inconsistencies among your
server configurations. Therefore, this deployment method is recommended only for small
organizations or for servers that require special configuration settings. For more
information about deploying Windows Firewall by using Windows Firewall in Control
Panel, see the Step-by-Step Guide for Using Windows Firewall.

Large-Scale Deployments
If you are deploying Windows Firewall to a large number of servers, you can use one of
the following tools to automate the startup and configuration of Windows Firewall.

Windows Firewall Group Policy Settings

Windows Server 2003 with SP1 includes several new Group Policy settings that allow
you to configure Windows Firewall using domain-based or local Group Policy. Using the
Windows Firewall Group Policy settings is the recommended method for deploying
Windows Firewall in organizations that use Active Directory. For more information
about deploying Windows Firewall with Group Policy, see Deploying Windows Firewall
with Group Policy.

Unattended Installation Answer File

Windows Server 2003 with SP1 includes several new answer file entries that allow you to
enable or disable Windows Firewall and configure Windows Firewall settings. This
deployment solution is recommended if your organization does not use Active Directory
or Group Policy and you are rolling out slipstream installations of Windows Server 2003.
For more information about using an answer file to deploy Windows Firewall, see
Deploying Windows Firewall During an Unattended Installation.

Netfw.inf Information File

Windows Server 2003 with SP1 includes a Netfw.inf file that you can use to configure
Windows Firewall settings while you are installing SP1 or while you are performing a
slipstream installation of Windows Server 2003 with SP1. The Netfw.inf file is primarily
used by original equipment manufacturers (OEMs) in a manufacturing environment, but
it can also be used in a corporate environment during a large-scale rollout. For more
information, see Deploying Windows Firewall with a Netfw.inf File.

Step-by-Step Guide for Using Windows Firewall


Set up Windows Firewall for the first time using a four-step process: review Windows
Firewall limitations, turn on Windows Firewall, configure Windows Firewall exceptions,
and configure advanced settings.

This step-by-step guide shows you how to start and configure Windows Firewall for the
first time on a computer that is running Windows Server 2003 with Service Pack 1 (SP1).

Steps for Using Windows Firewall

Step 1: Review Windows Firewall limitations.

Step 2: Turn on Windows Firewall.

Step 3: Configure exceptions.

Step 4: Configure advanced settings.

Do not use this guide if you are:

• Using domain-based Group Policy to configure Windows Firewall.

• Using an automated installation technology to configure Windows Firewall
during setup, such as a Netfw.inf file or an answer file.

• Using Security Configuration Wizard (SCW) to configure Windows Firewall.

Note
SCW is the recommended method for starting and configuring Windows Firewall.
For more information, see Configuring Windows Firewall with SCW on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=48116).

Step 1: Review Windows Firewall limitations.

It is recommended that you use Windows Firewall on all of your servers; however, there
are a few server configurations on which you cannot run Windows Firewall. To
determine whether Windows Firewall is appropriate for your server configuration, see
Known issues for managing resets, startup, and shutdown on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48117).

In addition, Windows Firewall is designed to be a supplemental security solution; it
should be part of a security architecture that implements a variety of security
technologies. For more information, see Best practices for managing Windows Firewall
on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48221) and Windows
Firewall Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42729).

You might not want to start Windows Firewall if a server requires you to open numerous
ports or allow a large number of applications and services to receive unsolicited traffic.
Because a significant volume of network traffic will be allowed through Windows
Firewall anyway, disabling Windows Firewall eliminates the operational overhead
associated with configuring and maintaining it, and avoids any related performance
impact. However, you should closely evaluate
the design of any client or server that requires you to open numerous ports. Clients and
servers that are configured for numerous roles or to provide numerous services can be a
critical point of failure in your organization and might indicate poor infrastructure design.

Step 2: Turn on Windows Firewall.

Windows Firewall is turned off by default on Windows Server 2003. When you turn on
Windows Firewall, you must also start the Windows Firewall/Internet Connection
Sharing service, if it is not already running. If the Windows Firewall/Internet Connection
Sharing service is not started, and you attempt to start Windows Firewall, a Windows
Firewall dialog box will appear in the graphical user interface asking if you want to start
the service.

To turn on Windows Firewall, you must be a member of the Administrators group on the
local computer, or you must have been delegated the appropriate authority. If the
computer is joined to a domain, members of the Domain Admins group might be able to
perform this procedure.

To turn on Windows Firewall using Windows Firewall in Control Panel

1. Open Control Panel, and double-click Windows Firewall.

If a Windows Firewall dialog box displays a message asking if you want to turn
on the Windows Firewall/Internet Connection Sharing service, click OK.

2. On the General tab, click On.

3. Click OK.

If a Windows Firewall setting appears dimmed in the graphical user interface, and you
see For your security, some settings are controlled by Group Policy at the top of the
General tab, the setting might be managed by Group Policy. In this case, you should not
use this step-by-step guide.

If all Windows Firewall settings appear dimmed, and you see You must be a computer
administrator to change these settings at the top of the General tab, you do not have
administrative rights to configure Windows Firewall. For more information about
administrative rights, see Default local groups on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=43150) and Default groups on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=43151). For more information about
turning on Windows Firewall, see Enabling and disabling Windows Firewall on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48118).

Step 3: Configure exceptions.

When you turn on Windows Firewall for the first time, all unsolicited incoming TCP/IP
traffic is blocked on all network connections. This means that any programs or system
services that are acting as servers, listeners, or peers will be unable to receive traffic
through TCP and UDP ports. To allow programs and system services to receive
unsolicited traffic through these ports, you must add the program or system service to the
Windows Firewall exceptions list. In some cases, if you cannot add a program or system
service to the exceptions list, you must determine which port or ports the program or
system service uses and add the port or ports to the Windows Firewall exceptions list.
To configure exceptions, do the following:

Use Windows Firewall notifications to add programs to the exceptions list

By default, Windows Firewall displays a Windows Security Alert dialog box whenever
a program attempts to listen for incoming traffic and the incoming traffic is blocked. If
you are a member of the Administrators group, the Windows Security Alert dialog box
will display the option to keep blocking the program or unblock the program. Unblocking
a program adds the program to the exceptions list and allows unsolicited incoming traffic
to reach the program.

To add programs to the exceptions list, do the following when you see a Windows
Security Alert dialog box:

1. Verify that the program listed in Name is a program that you installed and that it
is not a malicious program (malware) or spyware.

2. Hover your cursor over the program name to see the path and file name for the
program's executable (.exe) file. Verify that the path and file name are correct.

3. If the program is legitimate (not malware or spyware) and you want it to receive
unsolicited incoming traffic, click Unblock.

If the program is a malicious program, click Keep Blocking. You should
immediately remove any malicious programs from your computer.

If you are unsure, but you think it might be a legitimate program, click Ask Me
Later. Windows Firewall will continue to block the program, but will prompt you
again later.

Windows Firewall displays a Windows Security Alert dialog box only when a program
is running and attempting to listen for incoming traffic. If a program is not running or
does not attempt to listen for incoming traffic, Windows Firewall does not display a
Windows Security Alert dialog box. You might see several Windows Security Alert
dialog boxes over the course of several minutes or several hours as programs and system
services start up on your server. You should respond to each of these dialog boxes to
make sure that all required programs are added to the Windows Firewall exceptions list.

For more information, see Managing Windows Firewall Notifications on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=48222), Add a program to the
exceptions list on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48119),
and Add a port to the exceptions list on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48120).

Use the Windows Firewall Settings Technical Reference to determine which programs
and ports to add to the exceptions list

Use the Windows Firewall Settings Technical Reference to find out how to configure
program and port exceptions for your specific server configuration. The Windows
Firewall Settings Technical Reference provides Windows Firewall configuration settings
for server roles, system services, remote administration tools, and optional components.

Note
If you do not know which server roles or optional components are installed on your
server, or you do not know which system services or remote administration tools your
server uses, you should use SCW to configure Windows Firewall settings.

For more information, see Windows Firewall Settings on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=43155).

For detailed instructions about adding a program to the exceptions list, see Add a
program to the exceptions list on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48119).

For detailed instructions about adding a port to the exceptions list, see Add a port to the
exceptions list on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48120).

Step 4: Configure advanced settings.

To optimally configure Windows Firewall for your server, you must understand and
configure the following:

Windows Firewall profiles

Windows Firewall settings can be configured in two profiles: a domain profile and a
standard profile. This step-by-step guide has helped you configure settings in one profile
only. For more information, see Managing Windows Firewall profiles on the Microsoft
Web site (http://go.microsoft.com/fwlink/?LinkId=48121).

Windows Firewall scope settings

When you configure a program, port, or system service exception, you must also
configure scope settings for the exception. Scope settings control from which addresses
unsolicited traffic is allowed to originate. For more information about scope settings, see
Configuring scope settings on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48122).

ICMP settings

By default, Windows Firewall blocks all incoming Internet Control Message Protocol
(ICMP) traffic and some outgoing ICMP traffic. This can prevent you from using certain
troubleshooting tools, including the ping command. For more information about ICMP
settings, see Configuring ICMP settings on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48224).

Log file settings

Windows Firewall has a log file that you can use to troubleshoot and monitor Windows
Firewall. By default, the log file is disabled. For more information, see Using the Security
Log on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=48229) and
Interpreting the Windows Firewall Log on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=48228).
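The log file is the one place Windows Firewall records what it has blocked, which makes it the quickest way to find out which ports a listener actually needs (Step 3) and to spot unsolicited traffic arriving from outside the local subnet. The following parser is an added example and is not part of this page or of Microsoft's tooling. It assumes only the documented layout of the log: comment lines beginning with #, a #Fields: line naming the columns, and a "-" for fields that do not apply to a packet. The log lines and the 192.168.1.0 local subnet are constructed for the example.

```python
"""Summarise dropped traffic in a Windows Firewall log (pfirewall.log style).

Added example; the log lines below are constructed, not taken from a real server.
Columns are read from the #Fields: header, so the parser does not depend on a
fixed column order.
"""
from collections import Counter

# Constructed sample. The last data line is deliberately truncated to show how
# a damaged line is skipped instead of being parsed with shifted columns.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2005-06-08 09:12:01 DROP TCP 192.168.1.20 192.168.1.10 3345 445 48 S 1234567 0 65535 - - -
2005-06-08 09:12:04 DROP TCP 192.168.1.20 192.168.1.10 3346 445 48 S 1234568 0 65535 - - -
2005-06-08 09:12:09 DROP UDP 192.168.1.55 192.168.1.10 137 137 78 - - - - - - -
2005-06-08 09:12:15 DROP ICMP 10.9.9.9 192.168.1.10 - - 60 - - - - 8 0 -
2005-06-08 09:12:20 OPEN TCP 192.168.1.10 192.168.1.30 1120 80 0 - - - - - - -
2005-06-08 09:13:02 DROP TCP 203.0.113.7 192.168.1.10 41000 3389 48 S 99887766 0 8192 - - -
2005-06-08 09:13:10 DROP TCP 192.168.1.20
"""

LOCAL_SUBNET_PREFIXES = ("192.168.1.",)  # constructed: the server's own subnet


def parse_firewall_log(text):
    """Return one dict per well-formed data line, keyed by the #Fields: names.
    A '-' becomes None; lines with the wrong column count are skipped."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt line: do not mis-align columns
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def dropped_by_port(records):
    """Count DROP events per (protocol, destination port). A port that keeps
    appearing here for a service you run is a candidate for the exceptions
    list; ICMP has no port and is counted under '-'."""
    counts = Counter()
    for rec in records:
        if rec.get("action") == "DROP":
            counts[(rec.get("protocol"), rec.get("dst-port") or "-")] += 1
    return counts


def drops_from_outside(records, local_prefixes=LOCAL_SUBNET_PREFIXES):
    """DROP events whose source is not on the local subnet: traffic that a
    SUBNET-scoped exception would still block, and that deserves a look."""
    return [rec for rec in records
            if rec.get("action") == "DROP"
            and not (rec.get("src-ip") or "").startswith(local_prefixes)]


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for (proto, port), n in dropped_by_port(recs).most_common():
        print(f"{proto:5} {port:>6} dropped {n} time(s)")
    for rec in drops_from_outside(recs):
        print("outside source:", rec["src-ip"], rec["protocol"], rec["dst-port"])
```

To run it against a real server, read the file named in the Log file settings dialog in place of SAMPLE_LOG; because the column names come from the header, a log written with a different field set still parses, and only the names used by the two summary functions need to exist.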

Windows Firewall exceptions

Although you have added program, system service, and port exceptions to the exceptions
list, it is likely you still need to add (or remove) exceptions for your server to function
optimally. For more information about exceptions, see Managing Program, Port, and
System Service Exceptions on the Microsoft Web site
(http://go.microsoft.com/fwlink/?linkid=43261).

For more information about Windows Firewall, see Windows Firewall Help on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=33577).
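Steps 2 through 4 above are given as Control Panel clicks, which is fine for one server but hard to repeat consistently across several (the inconsistency the overview warns about). The Netsh firewall command mentioned in the Group Policy section exposes the same settings, so the policy can be written down once as data and rendered into commands. The script below is an added example, not code from this page or from Microsoft; it assumes the Windows Server 2003 SP1 "netsh firewall" context (set opmode, add allowedprogram, add portopening, set icmpsetting, set logging), and the program path, port, addresses and log path in the sample policy are constructed. It refuses an exception that has no scope, because Step 4 says every exception needs one and an implicit scope of ALL silently widens it.

```python
"""Render 'netsh firewall' commands for a Windows Firewall policy expressed
as plain data, and optionally apply them on the local server.

Added example, not from the page or from Microsoft. It assumes the Windows
Server 2003 SP1 / Windows XP SP2 'netsh firewall' context. The sample policy
values (paths, port, addresses) are constructed.
"""
import platform
import subprocess

VALID_PROFILES = ("DOMAIN", "STANDARD", "ALL")
VALID_PROTOCOLS = ("TCP", "UDP")

# Constructed policy: enable the domain profile, let an inventory agent
# accept traffic from the local subnet only, allow Remote Desktop from two
# management addresses, allow inbound ping (ICMP type 8), and log drops.
SAMPLE_POLICY = {
    "profile": "DOMAIN",
    "programs": [
        {"name": "Inventory Agent",
         "path": r"C:\Program Files\Contoso\invagent.exe", "scope": "SUBNET"},
    ],
    "ports": [
        {"name": "Remote Desktop", "protocol": "TCP", "port": 3389,
         "scope": "CUSTOM", "addresses": ["10.0.5.0/255.255.255.0", "10.0.9.14"]},
    ],
    "icmp_types": [8],
    "logging": {"path": r"C:\Windows\pfirewall.log", "max_kb": 4096,
                "connections": False},
}


def scope_args(scope, addresses=None):
    """Translate a scope setting into netsh arguments.
    ALL = any source, SUBNET = local subnet only, CUSTOM = listed addresses.
    A missing scope is an error rather than a silent default to ALL."""
    if scope is None:
        raise ValueError("every exception needs an explicit scope")
    scope = scope.upper()
    if scope in ("ALL", "SUBNET"):
        if addresses:
            raise ValueError("addresses are only valid with scope=CUSTOM")
        return f"scope={scope}"
    if scope == "CUSTOM":
        if not addresses:
            raise ValueError("scope=CUSTOM needs at least one address")
        return "scope=CUSTOM addresses=" + ",".join(addresses)
    raise ValueError(f"unknown scope {scope!r}")


def render_commands(policy):
    """Return the ordered netsh commands that implement `policy`."""
    profile = policy.get("profile", "ALL").upper()
    if profile not in VALID_PROFILES:
        raise ValueError(f"profile must be one of {VALID_PROFILES}")
    # Step 2: turn the firewall on (with the exceptions list active).
    cmds = [f"netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile={profile}"]

    # Step 3: program exceptions, each with its own scope (Step 4).
    for prog in policy.get("programs", []):
        scope = scope_args(prog.get("scope"), prog.get("addresses"))
        cmds.append(f'netsh firewall add allowedprogram program="{prog["path"]}" '
                    f'name="{prog["name"]}" mode=ENABLE {scope} profile={profile}')

    # Step 3: port exceptions for services that cannot be added by program.
    for port in policy.get("ports", []):
        proto = port["protocol"].upper()
        number = int(port["port"])
        if proto not in VALID_PROTOCOLS or not 1 <= number <= 65535:
            raise ValueError(f"bad port exception: {port}")
        scope = scope_args(port.get("scope"), port.get("addresses"))
        cmds.append(f"netsh firewall add portopening protocol={proto} port={number} "
                    f'name="{port["name"]}" mode=ENABLE {scope} profile={profile}')

    # Step 4: ICMP settings (type 8 = inbound echo request, i.e. ping).
    for icmp_type in policy.get("icmp_types", []):
        cmds.append(f"netsh firewall set icmpsetting type={int(icmp_type)} "
                    f"mode=ENABLE profile={profile}")

    # Step 4: log file settings (logging is off by default).
    log = policy.get("logging")
    if log:
        connections = "ENABLE" if log.get("connections") else "DISABLE"
        cmds.append(f'netsh firewall set logging filelocation="{log["path"]}" '
                    f'maxfilesize={int(log["max_kb"])} droppedpackets=ENABLE '
                    f"connections={connections}")
    return cmds


def apply_commands(cmds, dry_run=True):
    """Run the commands through cmd.exe on Windows. In dry-run mode, or on any
    other platform, return them unexecuted so the policy can be reviewed."""
    if dry_run or platform.system() != "Windows":
        return cmds
    for cmd in cmds:
        subprocess.run(cmd, shell=True, check=True)
    return cmds


if __name__ == "__main__":
    for cmd in apply_commands(render_commands(SAMPLE_POLICY)):
        print(cmd)
```

Run it once in dry-run mode and read the rendered commands before applying them; settings that Group Policy manages will be rejected by netsh, which is the same restriction the Group Policy section describes for Control Panel.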


Deploying Windows Firewall with Group Policy


For organizations that use Active Directory, the recommended method for deploying and
managing Windows Firewall is to use the new Windows Firewall Group Policy settings.
When you use Group Policy to configure Windows Firewall, administrators will be
unable to use the Netsh firewall command or Windows Firewall in Control Panel to
configure the Windows Firewall settings that are managed through Group Policy. In other
words, any Windows Firewall settings that are managed through Group Policy appear
dimmed and are not accessible through Windows Firewall in Control Panel and cannot be
configured through the Netsh firewall command.

You can configure Windows Firewall Group Policy settings in either the domain profile
or the standard profile. The domain profile settings are used whenever the computer is
joined to a network that contains the domain controllers for the domain in which the
computer's computer account resides. The standard profile settings are used whenever the
computer is joined to a network that does not contain the domain controllers for the
domain in which the computer's computer account resides. Both the domain profile and
standard profile contain the same set of Windows Firewall settings.

For more information about the Windows Firewall Group Policy settings, see "Windows
Firewall Tools and Settings" in the Windows Firewall Technical Reference on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42729). For more
information about using Group Policy settings to deploy Windows Firewall in
Windows XP with Service Pack 2 (SP2), see "Managing Windows XP Service Pack 2
Features Using Group Policy" on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=31974). Although the article is written
specifically for Windows XP with SP2, most of the concepts and information apply to
deployments of Windows Firewall in Windows Server 2003 with SP1.

Deploying Windows Firewall During an Unattended Installation


The answer file for unattended installations of Windows Server 2003 with Service Pack 1
(SP1) has been updated to include a section for configuring Windows Firewall. You can
use the new Windows Firewall parameters to turn on Windows Firewall and configure
Windows Firewall settings if you are deploying clean installations of Windows
Server 2003 with SP1. You cannot use an answer file to perform an unattended
installation if you are installing SP1 on a computer that already has Windows
Server 2003 installed.

Note
If you use an unattended installation answer file to automate the configuration of
Windows Firewall settings, the settings that you specify in the answer file are deleted and
are not reapplied when you restore Windows Firewall default settings. However, if you
use a Netfw.inf file to configure Windows Firewall settings, the settings specified in Netfw.inf
are reapplied to the computer when you restore Windows Firewall default settings. If you
want to restore the Windows Firewall settings that you configured during an unattended
installation with an answer file, you must configure the settings manually.

For more information about using the Windows Firewall parameters in an unattended
installation answer file, see "Windows Firewall Tools and Settings" in the Windows
Firewall Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42729). For more information about the
Windows Firewall parameters that are available for use in an unattended installation
answer file, see "Unattended Installation Tools and Settings" in the Unattended
Installation Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=42729).

Deploying Windows Firewall with a Netfw.inf File


You can use the Netfw.inf file to turn on Windows Firewall and configure Windows
Firewall settings during an installation of Windows Server 2003 with Service Pack 1
(SP1). The Netfw.inf file is typically used by original equipment manufacturers (OEMs)
in a manufacturing setting, but it can also be used in a corporate environment during a
large-scale rollout of SP1; however, unattended installation is the preferred method for
deploying Windows Firewall in a corporate environment.

Note
If you use a Netfw.inf file to automate the configuration of Windows Firewall settings, the
settings that you specify in Netfw.inf are reapplied to the computer when you restore
Windows Firewall default settings. Any Windows Firewall settings that you specify in an
answer file, such as Unattend.txt, are deleted and are not restored. If you want to restore
the Windows Firewall settings that you configured during installation with an answer file,
you must configure the settings manually.

For more information about using the Netfw.inf file to deploy Windows Firewall, see
"Windows Firewall Tools and Settings" in the Windows Firewall Technical Reference on
the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=42729).
