Use these settings to specify which users or user groups can connect to the local computer.

Important

To use these options, the firewall rule action must be set to Allow the connection if it is secure. To be considered secure, the network traffic must be protected by a connection security rule that requires authentication by using a method that includes user identification information, such as Kerberos version 5, NTLMv2, or a certificate with certificate-to-account mapping enabled.

To get to this wizard page
  1. In the Windows Firewall with Advanced Security MMC snap-in, right-click Inbound Rules, and then click New rule.

    Note

    This page is displayed for inbound rules only; it is not available for outbound rules.

  2. Click Next through the wizard until you reach the Action page.

  3. On the Action page, select Allow the connection if it is secure.

  4. Click Next through the wizard until you reach the Users page.

Authorized users

Use this section to identify the user or group accounts that are allowed to make the connection specified by the rule.

Only allow connections from these users

Select this option to specify which users can connect to this computer. Network traffic that is not authenticated as coming from a user on this list is blocked by Windows Firewall.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

Exceptions

Use this section to identify user or group accounts that might be listed in Authorized users, possibly because the user or group account is a member of a group, but whose network traffic must be blocked by Windows Firewall. For example, User A is a member of Group B. Group B is included in Authorized users, so network traffic authenticated as coming from a user who is a member of Group B is allowed. However, by placing User A in the Exceptions list, network traffic authenticated as being from User A is not processed by this rule, and so is blocked by the default firewall behavior unless some other rule allows the traffic.

Skip this rule for connections from these users

Select this option to specify users or groups whose network traffic is an exception to this rule. Network traffic that is authenticated as coming from a user in this list is not processed by the rule, even if the user is also in Authorized users.

If you select the check box, then Add is enabled. Click Add, and then specify the user or group accounts in the Select Users, Computers, or Groups dialog box. To remove a user or group from the list, select the user or group, and then click Remove.

How to change these settings

After you create the firewall rule, you can change these settings in the Firewall Rule Properties dialog box. This dialog box appears when you double-click a rule in Inbound Rules. To change these settings, select the Users tab.
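
The same Authorized users and Exceptions configuration can be expressed from PowerShell, shown here as an added example that is not part of the original page. The account names, display name, and port are placeholders, and representing each Exceptions entry as a deny ACE in the `-RemoteUser` SDDL string is an assumption to confirm on the Users tab after the rule is created.

```powershell
# Added example. CONTOSO\Group B, CONTOSO\User A, the display name and the
# port are placeholders; the accounts must exist for SID translation to work.

function ConvertTo-Sid([string]$Account) {
    # Resolve DOMAIN\name to its SID string (S-1-5-...).
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function New-RemoteUserSddl {
    param(
        [Parameter(Mandatory)]
        [string[]]$Authorized,        # "Only allow connections from these users"
        [string[]]$Exceptions = @()   # "Skip this rule for connections from these users"
    )
    # Assumption: exceptions are written as deny ACEs and placed before the
    # allow ACEs, so a listed user is excluded even when a group they belong
    # to is authorized.
    $deny  = $Exceptions | ForEach-Object { "(D;;CC;;;$(ConvertTo-Sid $_))" }
    $allow = $Authorized | ForEach-Object { "(A;;CC;;;$(ConvertTo-Sid $_))" }
    'D:' + (-join $deny) + (-join $allow)
}

$ruleName = 'Example: authenticated users only'
$sddl = New-RemoteUserSddl -Authorized 'CONTOSO\Group B' -Exceptions 'CONTOSO\User A'

# -Authentication Required corresponds to "Allow the connection if it is
# secure". A connection security rule that authenticates the user must
# already protect this traffic, as described at the top of this page.
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Protocol TCP -LocalPort 8443 `
    -Action Allow -Authentication Required `
    -RemoteUser $sddl

# Review what was stored, then compare it with the rule's Users tab.
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallSecurityFilter
```

Traffic authenticated as User A is not processed by this rule, so whether it is blocked still depends on the default firewall behavior and any other rule that matches.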
