Category: At least Windows XP Professional with SP2

Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages. If you enable this policy setting and this computer sends multicast or broadcast messages to other computers Windows Firewall blocks the unicast responses sent by those other computers. If you disable or do not configure this policy setting and this computer sends a multicast or broadcast message to other computers Windows Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later responses. Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Firewall always permits those DHCP unicast responses. However this policy setting can interfere with the NetBIOS messages that detect name conflicts.

Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices such as routers with built-in firewalls. To do this Windows Firewall opens TCP port 2869 and UDP port 1900. If you enable this policy setting Windows Firewall opens these ports so that this computer can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel the “UPnP framework” check box is selected and administrators cannot clear it. If you disable this policy setting Windows Firewall blocks these ports which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open these ports by adding them to a local port exceptions list Windows Firewall does not open the ports. In the Windows Firewall component of Control Panel the “UPnP framework” check box is cleared and administrators cannot select it. If you do not configure this policy setting Windows Firewall does not open these ports. Therefore the computer cannot receive Plug and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows Firewall component of Control Panel the “UPnP framework” check box is cleared. Administrators can change this check box. “

Allows this computer to receive inbound Remote Desktop requests. To do this Windows Firewall opens TCP port 3389. If you enable this policy setting Windows Firewall opens this port so that this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel the “Remote Desktop” check box is selected and administrators cannot clear it. If you disable this policy setting Windows Firewall blocks this port which prevents this computer from receiving Remote Desktop requests. If an administrator attempts to open this port by adding it to a local port exceptions list Windows Firewall does not open the port. In the Windows Firewall component of Control Panel the “Remote Desktop” check box is cleared and administrators cannot select it. If you do not configure this policy setting Windows Firewall does not open this port. Therefore the computer cannot receive Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Firewall component of Control Panel the “Remote Desktop” check box is cleared. Administrators can change this check box. “

Allows administrators to use the Windows Firewall component in Control Panel to define a local program exceptions list. Windows Firewall uses two program exceptions lists; the other is defined by the “Windows Firewall: Define inbound program exceptions” policy setting. If you enable this policy setting the Windows Firewall component in Control Panel allows administrators to define a local program exceptions list. If you disable this policy setting the Windows Firewall component in Control Panel does not allow administrators to define a local program exceptions list. However local administrators will still be allowed to create firewall rules in the Windows Firewall with Advanced Security snap-in. If you wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security to specify that local firewall rules should not apply.

Turns on Windows Firewall. If you enable this policy setting Windows Firewall runs and ignores the “Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Prohibit use of Internet Connection Firewall on your DNS domain network” policy setting. If you disable this policy setting Windows Firewall does not run. This is the only way to ensure that Windows Firewall does not run and administrators who log on locally cannot start it. If you do not configure this policy setting administrators can use the Windows Firewall component in Control Panel to turn Windows Firewall on or off unless the “Prohibit use of Internet Connection Firewall on your DNS domain network” policy setting overrides.

Specifies that Windows Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Firewall policy settings that allow such messages. If you enable this policy setting in the Windows Firewall component of Control Panel the “Block all incoming connections” check box is selected and administrators cannot clear it. You should also enable the “Windows Firewall: Protect all network connections” policy setting; otherwise administrators who log on locally can work around the “Windows Firewall: Do not allow exceptions” policy setting by turning off the firewall. If you disable this policy setting Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel the “Block all incoming connections” check box is cleared and administrators cannot select it. If you do not configure this policy setting Windows Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Firewall component of Control Panel the “Block all incoming connections” check box is cleared by default but administrators can change it.

Allows inbound file and printer sharing. To do this Windows Firewall opens UDP ports 137 and 138 and TCP ports 139 and 445. If you enable this policy setting Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel the “File and Printer Sharing” check box is selected and administrators cannot clear it. If you disable this policy setting Windows Firewall blocks these ports which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list Windows Firewall does not open the port. In the Windows Firewall component of Control Panel the “File and Printer Sharing” check box is cleared and administrators cannot select it. If you do not configure this policy setting Windows Firewall does not open these ports. Therefore the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel the “File and Printer Sharing” check box is cleared. Administrators can change this check box. Note: If any policy setting opens TCP port 445 Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility) even if the “Windows Firewall: Allow ICMP exceptions” policy setting would block them. Policy settings that can open TCP port 445 include “Windows Firewall: Allow inbound file and printer sharing exception” “Windows Firewall: Allow inbound remote administration exception” and “Windows Firewall: Define inbound port exceptions. “

Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example Ping uses the echo request message. If you do not enable the “Allow inbound echo request” message type Windows Firewall blocks echo request messages sent by Ping running on other computers but it does not block outbound echo request messages sent by Ping running on this computer. If you enable this policy setting you must specify which ICMP message types Windows Firewall allows this computer to send or receive. If you disable this policy setting Windows Firewall blocks all the listed incoming and outgoing ICMP message types. As a result utilities that use the blocked ICMP messages will not be able to send those messages to or from this computer. If you enable this policy setting and allow certain message types then later disable this policy setting Windows Firewall deletes the list of message types that you had enabled. If you do not configure this policy setting Windows Firewall behaves as if you had disabled it. Note: If any policy setting opens TCP port 445 Windows Firewall allows inbound echo requests even if the “Windows Firewall: Allow ICMP exceptions” policy setting would block them. Policy settings that can open TCP port 445 include “Windows Firewall: Allow file and printer sharing exception” “Windows Firewall: Allow remote administration exception” and “Windows Firewall: Define inbound port exceptions. “Note: Other Windows Firewall policy settings affect only incoming messages but several of the options of the “Windows Firewall: Allow ICMP exceptions” policy setting affect outgoing communication.

Allows Windows Firewall to record information about the unsolicited incoming messages that it receives. If you enable this policy setting Windows Firewall writes the information to a log file. You must provide the name location and maximum size of the log file. The location can contain environment variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information about successful incoming and outgoing connections. Windows Firewall does not provide an option to log successful incoming messages. If you are configuring the log file name ensure that the Windows Firewall service account has write permissions to the folder containing the log file. Default path for the log file is %systemroot% -> system32 -> LogFiles -> Firewall -> pfirewall. log. If you disable this policy setting Windows Firewall does not record information in the log file. If you enable this policy setting and Windows Firewall creates the log file and adds information then upon disabling this policy setting Windows Firewall leaves the log file intact. If you do not configure this policy setting Windows Firewall behaves as if the policy setting were disabled.

Prevents Windows Firewall from displaying notifications to the user when a program requests that Windows Firewall add the program to the program exceptions list. If you enable this policy setting Windows Firewall prevents the display of these notifications. If you disable this policy setting Windows Firewall allows the display of these notifications. In the Windows Firewall component of Control Panel the “Notify me when Windows Firewall blocks a new program” check box is selected and administrators cannot clear it. If you do not configure this policy setting Windows Firewall behaves as if the policy setting were disabled except that in the Windows Firewall component of Control Panel the “Notify me when Windows Firewall blocks a new program” check box is selected by default and administrators can change it.