On a Windows Vista-based computer, Windows Firewall applies local program and port exceptions in the private and public profiles even when the Windows Firewall standard profile settings indicate that these exceptions should not be allowed

Article ID: 947229

SYMPTOMS

On a Windows Vista-based client computer, Windows Firewall applies local program exceptions and port exceptions in the private profile and in the public profile. This behavior occurs even when the Windows Firewall standard profile settings indicate that these exceptions are not allowed.

This behavior may cause the following problems.

Problem 1

On the client computer, you may unexpectedly receive a Windows Firewall notification.

Problem 2

A local administrator can unblock a program even though the Windows Firewall: Allow local program exceptions Group Policy setting is disabled.

Problem 3

A local administrator can add program exceptions and port exceptions through the Windows Firewall Control Panel program even though the following Group Policy settings are disabled:
  • Windows Firewall: Allow local program exceptions
  • Windows Firewall: Allow local port exceptions

CAUSE

This issue occurs because the following two Group Policy settings are not applied to the public profile and to the private profile on the Windows Vista-based client computer:
  • Windows Firewall: Allow local program exceptions
  • Windows Firewall: Allow local port exceptions

WORKAROUND

If you have to restrict local administrators from creating exceptions when the private profile or the public profile is applied, follow these steps:
  1. On the domain controller, create a new Group Policy object (GPO) to manage Windows Vista-based client computers.
  2. On the original GPO that contains the Windows Firewall Administrative Template policy, use a Windows Management Instrumentation (WMI) filter to restrict applying this original GPO to the computers that are running Windows Vista or later versions.
  3. On the new GPO, use a Windows Management Instrumentation (WMI) filter to restrict applying the new GPO to the computers that are running earlier operating systems.
  4. In the new GPO, open the Windows Firewall with Advanced Security Microsoft Management Console (MMC) snap-in.
  5. In the Advanced Security MMC snap-in, configure the following security settings:
    • Click Windows Firewall Properties in the middle pane, and then configure the desired properties for Windows Vista-based computers.
    • Click Inbound Rules, and then configure the necessary inbound rules.

MORE INFORMATION

In earlier Windows operating systems, Windows Firewall supported two profiles: the domain profile and the standard profile. In Windows Vista, Windows Firewall supports three profiles: the domain profile, the public profile, and the private profile. So that a Windows Vista-based client computer can work in an environment where Windows Firewall policy has been configured through the Windows Firewall Administrative Template, the standard profile settings from the Administrative Template are applied both to the private profile and to the public profile.

When the following two Group Policy settings are disabled in the domain profile, and the domain profile is active, program exceptions and port exceptions are not enabled:
  • Windows Firewall: Allow local program exceptions
  • Windows Firewall: Allow local port exceptions

In this case, you cannot add any new program or new port to the exception list through the Windows Firewall Control Panel program. Existing program exceptions or port exceptions that are locally created are not applied. Additionally, if the Windows Firewall: Allow local program exceptions Group Policy setting is disabled, the Windows Firewall notification dialog box is not displayed when a program requests to be added to the exceptions list. In this situation, the program is not added to the list.

However, local administrators are still able to use the Windows Firewall with Advanced Security snap-in to create more complex firewall rules if you have not restricted usage of this snap-in. For more information about how to restrict the usage of the snap-in, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms812991.aspx
All the other Group Policy settings for the standard profile in the Windows Firewall Administrative Template are applied both to the private profile and to the public profile on the client computer. The following list shows these settings:
  • Windows Firewall: Allow inbound file and printer sharing exception
  • Windows Firewall: Allow ICMP exceptions
  • Windows Firewall: Define inbound program exceptions
  • Windows Firewall: Define inbound port exceptions
  • Windows Firewall: Allow inbound remote administration exception
  • Windows Firewall: Allow inbound Remote Desktop exceptions
  • Windows Firewall: Allow inbound UPnP framework exceptions
  • Windows Firewall: Protect all network connections
  • Windows Firewall: Allow logging
  • Windows Firewall: Prohibit unicast response to multicast or broadcast requests
  • Windows Firewall: Prohibit notifications
  • Windows Firewall: Do not allow exceptions
If you configure a policy in the Windows Firewall with Advanced Security snap-in through a Group Policy setting, the standard profile settings from the Windows Firewall Administrative Template are ignored. However, any program exceptions and port exceptions that are specified in the standard profile through the Windows Firewall: Define inbound port exceptions or the Windows Firewall: Define inbound program exceptions settings will continue to be applied.
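The two WMI filters from the WORKAROUND section and a local check of the Administrative Template values discussed in this section, as an added PowerShell example that is not part of this article. Assumptions not stated by the article: the version-based WQL queries (Vista reports OS version 6.0, earlier systems 5.x), the AllowUserPrefMerge registry values (taken from WindowsFirewall.admx), and the wording of the netsh advfirewall output.

```powershell
# Added example, not part of KB 947229. Assumed details are marked as such.
# 1) WQL for the two WMI filters in the WORKAROUND. Windows Vista reports
#    OS version 6.0; Windows XP / Server 2003 report 5.x (assumed mapping).
$VistaOrLaterQuery   = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%"'
$EarlierWindowsQuery = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.%"'

# Returns $true when the local computer would be matched by a WMI filter,
# i.e. when the filter's WQL query returns at least one instance.
function Test-WmiFilterQuery {
    param([string]$Query)
    $instances = @(Get-WmiObject -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

# 2) Read the Administrative Template values behind "Allow local program
#    exceptions" and "Allow local port exceptions". The registry location
#    (AllowUserPrefMerge under the profile's AuthorizedApplications and
#    GloballyOpenPorts keys) comes from WindowsFirewall.admx, not the article.
#    On Vista the StandardProfile values are what the private and public
#    profiles receive, which is the mapping the article describes.
function Get-LocalExceptionPolicy {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
    foreach ($profileName in 'DomainProfile', 'StandardProfile') {
        foreach ($sub in 'AuthorizedApplications', 'GloballyOpenPorts') {
            $key  = Join-Path $root "$profileName\$sub"
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $value = if ($item) { $item.AllowUserPrefMerge } else { $null }
            New-Object PSObject -Property @{
                Profile            = $profileName
                Setting            = $sub
                AllowUserPrefMerge = $value   # 0 = disabled, 1 = enabled, $null = not configured
            }
        }
    }
}

# 3) The WFAS property the workaround configures ("Apply local firewall
#    rules") appears in netsh output as LocalFirewallRules, per profile.
"Vista-or-later filter matches this host: $(Test-WmiFilterQuery $VistaOrLaterQuery)"
"Earlier-Windows filter matches this host: $(Test-WmiFilterQuery $EarlierWindowsQuery)"
Get-LocalExceptionPolicy | Format-Table Profile, Setting, AllowUserPrefMerge -AutoSize
netsh advfirewall show allprofiles | Select-String 'Profile Settings|LocalFirewallRules'
```

Run it on a domain-joined Vista client after a gpupdate: a StandardProfile value of 0 alongside a private or public profile that still shows local rules being applied is the behaviour this article describes.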

REFERENCES

For more information about how to use the WMI filter, visit the following Microsoft Web sites:
http://technet2.microsoft.com/windowsserver2008/en/library/68308870-5d17-423a-bcb5-aa1108933cdf1033.mspx?mfr=true
http://technet2.microsoft.com/WindowsServer/en/library/6237b9b2-4a21-425e-8976-2065d28b31471033.mspx?mfr=true
For more information about how to use the Advanced Security MMC snap-in to configure the properties and the inbound rules in Windows Firewall, visit the following Microsoft Web site:
http://technet2.microsoft.com/windowsserver2008/en/library/9428d113-ade8-4dbe-ac05-6ef10a6dd7a51033.mspx?mfr=true

Properties

Article ID: 947229 - Last Review: February 8, 2008 - Revision: 1.1
APPLIES TO
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Ultimate
Keywords: kbexpertiseadvanced kbprb KB947229
