By using the Software Configuration Wizard (SCW), you can create firewall rules to allow this computer to send traffic to or receive traffic from programs, system services, computers, or users. Firewall rules can be created to take one of three actions for all connections that match the rule's criteria: allow the connection, only allow a connection that is secured through the use of Internet Protocol security (IPsec), or explicitly block the connection.
Firewall rules allow traffic through the firewall but do not secure that traffic. To secure traffic with IPsec, you can create connection security rules. However, the creation of a connection security rule does not allow the traffic through the firewall. You must create a firewall rule to do this, if the traffic is not allowed by the default behavior of the firewall. Connection security rules are not applied to programs or services; they are applied between two computers. The Windows Firewall with Advanced Security snap-in (FW.msc) must be used to create connection security rules.
Rules can be created for either inbound traffic or outbound traffic. The rule can be configured to specify the program, service, protocol, or port. As your IT environment changes, you can change, create, or delete rules.
Firewall rules are applied in the following order of priority:
- Authenticated bypass (rules that override
- Block connection
- Allow connection
Inbound rules explicitly allow or explicitly block traffic attempting to access the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly allow traffic secured by IPsec for Remote Desktop through the firewall but block the same traffic if it is not secured by IPsec. When Windows is first installed, inbound traffic is blocked; to allow traffic, you must create an inbound rule.
Outbound rules explicitly allow or explicitly block traffic originating from the computer that matches the criteria in the rule. For example, you can configure a rule to explicitly block outbound traffic to a specific computer through the firewall but allow the same traffic to other computers. Outbound traffic is allowed by default, so you must create an outbound rule to block traffic.
Programs and Services tab
Because Windows Firewall with Advanced Security blocks all incoming unsolicited TCP/IP traffic by default, you might need to configure program, port, and system service rules for programs or services that are acting as servers, listeners, or peers. Program, port, and system service rules must be managed on an ongoing basis as your server roles or configurations change.
The settings for a firewall rule add increasing levels of restriction to the criteria for which connection requests will match the rule. For example, if you do not specify a program or service on the Program and Services tab, all programs and services will be allowed to connect if they match other criteria. Therefore, adding more detailed criteria makes the rule progressively more restrictive and less likely to be matched.
To add a program to the rules list, you must specify the full path to the executable (.exe) file used by the program. A system service that runs within its own unique .exe file and is not hosted by a service container is considered to be a program and can be added to the rules list. In the same way, a program that functions like a system service and runs whether or not a user is logged on to the computer is also considered a program, as long as it runs within its own unique .exe file.
Adding programs that host services, such as Svchost.exe, Dllhost.exe, and Inetinfo.exe, to the rules list without further restrictions in the rule might expose the computer to security threats. Also, adding these programs might conflict with other service-hardening policies on computers running Windows Server 2008 R2 or Windows Server 2008.
When you add a program to the rules list, Windows Firewall with Advanced Security dynamically opens (unblocks) and closes (blocks) the ports required by the program. When the program is running and listening for incoming traffic, Windows Firewall with Advanced Security opens the required ports; when the program is not running or is not listening for incoming traffic, Windows Firewall with Advanced Security closes the ports. Because of this dynamic behavior, adding programs to the rules list is the recommended method for allowing unsolicited incoming traffic through Windows Firewall with Advanced Security.
You can use program rules to allow unsolicited incoming traffic through Windows Firewall with Advanced Security only if the program uses Windows Sockets (Winsock) to create port assignments. If a program does not use Winsock to assign ports, you must determine which ports the program uses and add those ports to the rules list.
Protocols and Ports tab
In some cases, if you cannot add a program or system service to the rules list, you must determine which port or ports the program or system service uses and then add the port or ports to the Windows Firewall with Advanced Security rules list.
On the Protocols and Ports tab, you can select from a list of the most commonly used protocols and their associated protocol number. If the protocol that you need to add is not in the list, you can select Custom and specify the protocol number.
If you select either the TCP or UDP protocol, you can then specify the local and remote ports to which the rule applies. When you add a TCP or UDP port to the rules list, the port is open (unblocked) whenever Windows Firewall with Advanced Security is running, whether or not there is a program or system service listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic through Windows Firewall with Advanced Security, you should create a program rule instead of a port rule.
Use the Scope tab to specify an IP address, a subnet, or a range of IP addresses. You can use both IPv4 and IPv6 IP addresses.
Local IP addresses
Under Local IP Addresses, you can configure the firewall rule to be applied when the target computer is the local computer. You can further identify when the rule applies to the local computer by specifying an IP address or IP address range to apply the rule to computers that reside in a certain branch of your network.
Remote IP addresses
Under Remote IP Addresses, you can configure the firewall rule to be applied when the target computer is a remote computer. You can further identify when the rule applies to remote computers by specifying an IP address or IP address range to apply the rule to computers that reside in a certain branch of your network.
About specifying IP addresses
- IPv4. If your network uses IPv4
addressing, you can specify a single IP address, such as
172.30.160.169, or a subnet, such as 220.127.116.11/24.
- IPv6. If your network uses IPv6
addressing, you can specify a single IP address as eight sets of
four hexadecimal digits separated by colons (or in an equivalent
allowed format) or as a subnet.
- For both formats, to specify a range of
addresses, just specify the first (From) and last
(To) IP addresses included in the rule.