Group Policies

Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices such as routers with built-in firewalls. To do this Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel the “UPnP framework” check box is selected and administrators cannot clear it. If you disable this policy setting Windows Firewall blocks these ports which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list Windows Firewall does not open the ports. In the Windows Firewall component of Control Panel the “UPnP framework” check box is cleared and administrators cannot select it. If you do not configure this policy setting Windows Firewall does not open these ports. Therefore the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel the “UPnP framework” check box is cleared. Administrators can change this check box. “

Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. If you enable this policy setting and this computer sends multicast or broadcast messages to other computers Windows Firewall blocks the unicast responses sent by those other computers. If you disable or do not configure this policy setting and this computer sends a multicast or broadcast message to other computers Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast responses. However this policy setting can interfere with the NetBIOS messages that detect name conflicts.

Allows this computer to receive inbound Remote Desktop requests. To do this Windows Firewall opens TCP port 3389. If you enable this policy setting Windows Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel the “Remote Desktop” check box is selected and administrators cannot clear it. If you disable this policy setting Windows Firewall blocks this port which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list Windows Firewall does not open the port. In the Windows Firewall component of Control Panel the “Remote Desktop” check box is cleared and administrators cannot select it. If you do not configure this policy setting Windows Firewall does not open this port. Therefore the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of Control Panel the “Remote Desktop” check box is cleared. Administrators can change this check box. “

Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). Additionally on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1 this policy setting also allows SVCHOST. EXE and LSASS. EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports typically in the range of 1024 to 1034. On Windows Vista this policy setting does not control connections to SVCHOST. EXE and LSASS. EXE. If you enable this policy setting Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed. If you disable or do not configure this policy setting Windows Firewall does not open TCP port 135 or 445. Also on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1 Windows Firewall prevents SVCHOST. EXE and LSASS. EXE from receiving unsolicited incoming messages and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445 it does not conflict with the “Windows Firewall: Allow file and printer sharing exception” policy setting. Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST. exe or LSASS. exe or if they require RPC and DCOM communication. If they do not then do not enable this policy setting. Note: If any policy setting opens TCP port 445 Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility) even if the “Windows Firewall: Allow ICMP exceptions” policy setting would block them. Policy settings that can open TCP port 445 include “Windows Firewall: Allow inbound file and printer sharing exception” “Windows Firewall: Allow inbound remote administration exception” and “Windows Firewall: Define inbound port exceptions. “

Allows administrators to use the Windows Firewall component in Control Panel to define a local port exceptions list. Windows Firewall uses two port exceptions lists; the other is defined by the “Windows Firewall: Define inbound port exceptions” policy setting. If you enable this policy setting the Windows Firewall component in Control Panel allows administrators to define a local port exceptions list. If you disable this policy setting the Windows Firewall component in Control Panel does not allow administrators to define a local port exceptions list. However local administrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in. If you wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security to specify that local firewall rules should not apply.

Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. If you enable this policy setting you can view and change the inbound port exceptions list defined by Group Policy. To view this port exceptions list enable the policy setting and then click the Show button. To add a port enable the policy setting note the syntax click the Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that is defined by the Windows Firewall component in Control Panel also enable the “Windows Firewall: Allow local port exceptions” policy setting. If you disable this policy setting the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also if a local port exceptions list exists it is ignored unless you enable the “Windows Firewall: Allow local port exceptions” policy setting. If you do not configure this policy setting Windows Firewall uses only the local port exceptions list that administrators define by using the Windows Firewall component in Control Panel. Other policy settings can continue to open or block ports. Note: If you type an invalid definition string Windows Firewall adds it to the list without checking for errors and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values any definition with the Status set to “disabled” overrides all definitions with the Status set to “enabled” and the port does not receive messages. Therefore if you set the Status of a port to “disabled” you can prevent administrators from using the Windows Firewall component in Control Panel to enable the port. Note: The only effect of setting the Status value to “disabled” is that Windows Firewall ignores other definitions for that port that set the Status to “enabled. ” If another policy setting opens a port or if a program in the program exceptions list asks Windows Firewall to open a port Windows Firewall opens the port. Note: If any policy setting opens TCP port 445 Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility) even if the “Windows Firewall: Allow ICMP exceptions” policy setting would block them. Policy settings that can open TCP port 445 include “Windows Firewall: Allow inbound file and printer sharing exception” “Windows Firewall: Allow inbound remote administration exception” and “Windows Firewall: Define inbound port exceptions. “

Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list. If you enable this policy setting Windows Firewall prevents the display of these notifications. If you disable this policy setting Windows Firewall allows the display of these notifications. In the Windows Firewall component of Control Panel the “Notify me when Windows Firewall blocks a new program” check box is selected and administrators cannot clear it. If you do not configure this policy setting Windows Firewall behaves as if the policy setting were disabled except that in the Windows Firewall component of Control Panel the “Notify me when Windows Firewall blocks a new program” check box is selected by default and administrators can change it.