Windows Firewall: Allow authenticated IPsec bypass

Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport. If you enable this policy setting, you must type a security descriptor containing a list of computers or groups of computers. If a computer on that list authenticates using IPsec, Windows Firewall does not block its unsolicited messages. This policy setting overrides other policy settings that would block those messages. If you disable or do not configure this policy setting, Windows Firewall makes no exception for messages sent by computers that authenticate using IPsec. If you enable this policy setting and add systems to the list, upon disabling this policy, Windows Firewall deletes the list. Note: You define entries in this list by using Security Descriptor Definition Language (SDDL) strings. For more information about the SDDL format, see the Windows Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=25131).

Windows Firewall: Define inbound program exceptions

Allows you to view and change the program exceptions list defined by Group Policy. Windows Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Firewall component in Control Panel. If you enable this policy setting, you can view and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled, that program can receive unsolicited incoming messages on any port that it asks Windows Firewall to open, even if that port is blocked by another policy setting, such as the “Windows Firewall: Define inbound port exceptions” policy setting. To view the program list, enable the policy setting and then click the Show button. To add a program, enable the policy setting, note the syntax, and click the Show button. In the Show Contents dialog box, type a definition string that uses the syntax format. To remove a program, click its definition and then press the DELETE key. To edit a definition, remove the current definition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that is defined by the Windows Firewall component in Control Panel, also enable the “Windows Firewall: Allow local program exceptions” policy setting. If you disable this policy setting, the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists, it is ignored unless you enable the “Windows Firewall: Allow local program exceptions” policy setting. If you do not configure this policy setting, Windows Firewall uses only the local program exceptions list that administrators define by using the Windows Firewall component in Control Panel.
Note: If you type an invalid definition string, Windows Firewall adds it to the list without checking for errors. This allows you to add programs that you have not installed yet, but be aware that you can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multiple entries.
Note: If you set the Status parameter of a definition string to “disabled,” Windows Firewall ignores port requests made by that program and ignores other definitions that set the Status of that program to “enabled.” Therefore, if you set the Status to “disabled,” you prevent administrators from allowing the program to ask Windows Firewall to open additional ports. However, even if the Status is “disabled,” the program can still receive unsolicited incoming messages through a port if another policy setting opens that port.
Note: Windows Firewall opens ports for the program only when the program is running and “listening” for incoming messages. If the program is not running, or is running but not listening for those messages, Windows Firewall does not open its ports.

Windows Firewall: Allow local program exceptions

Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Windows Firewall uses two program exceptions lists; the other is defined by the “Windows Firewall: Define inbound program exceptions” policy setting. If you enable this policy setting, the Windows Firewall component in Control Panel allows administrators to define a local program exceptions list. If you disable this policy setting, the Windows Firewall component in Control Panel does not allow administrators to define a local program exceptions list. However, local administrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in. If you wish to prevent all locally created rules from applying, use the Group Policy Object Editor snap-in and configure Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security to specify that local firewall rules should not apply.

Windows Firewall: Protect all network connections

Turns on Windows Firewall. If you enable this policy setting, Windows Firewall runs and ignores the “Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Prohibit use of Internet Connection Firewall on your DNS domain network” policy setting. If you disable this policy setting, Windows Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot start it. If you do not configure this policy setting, administrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off, unless the “Prohibit use of Internet Connection Firewall on your DNS domain network” policy setting overrides.

Show lock in the user tile menu

Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel.

Show sleep in the power options menu

Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine’s hardware). If you disable this policy setting, the sleep option will never be shown in the Power Options menu. If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel.

Show hibernate in the power options menu

Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine’s hardware). If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel.

Do not show the ‘new application installed’ notification

This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked.

Start File Explorer with ribbon minimized

This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows.