On a Windows Vista-based computer, Windows Firewall applies local program and port exceptions in the private and public profiles even when the Windows Firewall standard profile settings indicate that these exceptions should not be allowed

On a Windows Vista-based client computer, Windows Firewall applies local program exceptions and port exceptions in the private profile and in the public profile. This behavior occurs even when the Windows Firewall standard profile settings indicate that these exceptions are not allowed.

This behavior may cause the following problems.


Problem 1

On the client computer, you may unexpectedly receive a Windows Firewall notification.


Problem 2

A local administrator can unblock a program even though the Windows Firewall: Allow local program exceptions Group Policy setting is disabled.


Problem 3

A local administrator can add program exceptions and port exceptions through the Windows Firewall Control Panel program even though the following Group Policy settings are disabled:

Windows Firewall: Allow local program exceptions
Windows Firewall: Allow local port exceptions


CAUSE

This issue occurs because the following two Group Policy settings are not applied to the public profile and to the private profile on the Windows Vista-based client computer:

Windows Firewall: Allow local program exceptions
Windows Firewall: Allow local port exceptions


WORKAROUND

If you have to restrict local administrators from creating exceptions when the private profile or the public profile is applied, follow these steps:

1. On the domain controller, create a new Group Policy object (GPO) to manage Windows Vista-based client computers.
2. On the original GPO that contains the Windows Firewall Administrative Template policy, use a Windows Management Instrumentation (WMI) filter to restrict applying this original GPO to the computers that are running Windows Vista or later versions.
3. On the new GPO, use a Windows Management Instrumentation (WMI) filter to restrict applying the new GPO to the computers that are running earlier operating systems.
4. In the new GPO, open the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.
5. In the Advanced Security MMC snap-in, configure the following security settings:

Click Windows Firewall Properties in the middle pane, and then configure the desired properties for Windows Vista-based computers.
Click Inbound Rules, and then configure the necessary inbound rules.
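As an added example (not part of the KB article), the following PowerShell script lets an administrator verify on a client which of the two WMI filters from the workaround it would match and read the policy values behind the settings the article discusses. The WQL text and the registry paths are this example's assumptions, taken from the firewall policy templates as I recall them; verify them against your own ADMX files.

```powershell
# Added example, not from the KB article. The WQL queries and registry paths below
# are assumptions; check them against the WMI filters and ADMX files in your domain.

# WQL for the two WMI filters (Win32_OperatingSystem.Version is a string:
# Vista is "6.0", XP "5.1", Server 2003 "5.2"; the comparison is lexical, so
# a later "10.0" build would not match the first query as written).
$vistaOrLater = 'SELECT * FROM Win32_OperatingSystem WHERE Version >= "6.0"'
$earlier      = 'SELECT * FROM Win32_OperatingSystem WHERE Version < "6.0"'

function Test-WmiFilter([string]$Wql) {
    # A GPO WMI filter applies when its query returns at least one instance.
    return [bool](Get-WmiObject -Query $Wql)
}
"Matches Vista-or-later filter: {0}" -f (Test-WmiFilter $vistaOrLater)
"Matches earlier-OS filter:     {0}" -f (Test-WmiFilter $earlier)

# Registry values written by the Group Policy settings named in the article
# (assumed paths).
$fw = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { 'not configured' } else { $item.$Name }
}

# Administrative Template, standard profile: "Allow local program exceptions" and
# "Allow local port exceptions". On Vista these do not restrict the private or
# public profile, which is the behavior the article describes.
$legacyProg = Get-PolicyValue "$fw\StandardProfile\AuthorizedApplications" 'AllowUserPrefMerge'
$legacyPort = Get-PolicyValue "$fw\StandardProfile\GloballyOpenPorts"      'AllowUserPrefMerge'
"Admin Template standard profile: local program exceptions = $legacyProg, local port exceptions = $legacyPort"

# Windows Firewall with Advanced Security, per-profile "Apply local firewall rules"
# (set through Windows Firewall Properties in step 5). 0 = local rules ignored,
# 1 = merged with the GPO rules, absent = not set.
foreach ($profile in 'DomainProfile', 'PrivateProfile', 'PublicProfile') {
    $merge = Get-PolicyValue "$fw\$profile" 'AllowLocalPolicyMerge'
    if ($merge -eq 0) {
        "$profile : local rules are ignored; locally added exceptions have no effect"
    } else {
        Write-Warning "$profile : local rules are merged ($merge); local administrators can still add effective exceptions"
    }
}
```

Run it in an elevated PowerShell session after `gpupdate /force` so the registry reflects the currently applied GPOs.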


MORE INFORMATION

In earlier Windows operating systems, the Windows Firewall supported two profiles, the domain profile and the standard profile. In Windows Vista, the Windows Firewall supports three profiles, the domain profile, the public profile, and the private profile. In order to enable a Windows Vista-based client computer to work in an environment where Windows Firewall policy has been configured through the Windows Firewall Administrative Template, the standard profile’s settings from the Administrative Template apply both to the private profile and to the public profile.

When the following two Group Policy settings are disabled in the domain profile, and the domain profile is active, program exceptions and port exceptions are not enabled.

Windows Firewall: Allow local program exceptions
Windows Firewall: Allow local port exceptions

In this case, you cannot add any new program or new port to the exception list through the Windows Firewall Control Panel program. Existing program exceptions or port exceptions that are locally created are not applied. Additionally, if the Windows Firewall: Allow local program exceptions Group Policy setting is disabled, the Windows Firewall notification dialog box is not displayed when a program requests to be added to the exceptions list. In this situation, the program is not added to the list. However, local administrators are still able to use the Windows Firewall with Advanced Security snap-in to create more complex firewall rules if you have not restricted usage of this snap-in. For more information about how to restrict the usage of the snap-in, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms812991.aspx

All the other Group Policy settings for the standard profile in the Windows Firewall Administrative Template are applied both to the private profile and to the public profile on the client computer. The following list shows these settings:

Windows Firewall: Allow inbound file and printer sharing exception
Windows Firewall: Allow ICMP exceptions
Windows Firewall: Define inbound program exceptions
Windows Firewall: Define inbound port exceptions
Windows Firewall: Allow inbound remote administration exception
Windows Firewall: Allow inbound Remote Desktop exceptions
Windows Firewall: Allow inbound UPnP framework exceptions
Windows Firewall: Protect all network connections
Windows Firewall: Allow logging
Windows Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Firewall: Prohibit notifications
Windows Firewall: Do not allow exceptions

If you configure a policy in the Windows Firewall with Advanced Security snap-in through a Group Policy setting, the standard profile settings from the Windows Firewall Administrative Template are ignored. However, any program exceptions and port exceptions that are specified in the standard profile through the Windows Firewall: Define inbound port exceptions or the Windows Firewall: Define inbound program exceptions settings will continue to be applied.


REFERENCES

For more information about how to use the WMI filter, visit the following Microsoft Web sites:

http://technet2.microsoft.com/windowsserver2008/en/library/68308870-5d17-423a-bcb5-aa1108933cdf1033.mspx?mfr=true

http://technet2.microsoft.com/WindowsServer/en/library/6237b9b2-4a21-425e-8976-2065d28b31471033.mspx?mfr=true

For more information about how to use the Advanced Security MMC snap-in to configure the properties and the inbound rules in Windows Firewall, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver2008/en/library/9428d113-ade8-4dbe-ac05-6ef10a6dd7a51033.mspx?mfr=true



APPLIES TO
Windows Vista Enterprise 64-bit Edition
Windows Vista Ultimate 64-bit Edition
Windows Vista Business
Windows Vista Business 64-bit Edition
Windows Vista Enterprise
Windows Vista Ultimate

——————————————–

Microsoft Knowledge Base Article