Windows XP Service Pack 2 (Part 6): Windows Firewall


This article is Part 6 of the Windows XP Service Pack 2 - Step by Step guide. This article describes the new Windows Firewall in Microsoft Windows XP Service Pack 2 (SP2).

To view the other articles in the Windows XP Service Pack 2 - Step by Step guide, see the Microsoft Knowledge Base articles that are listed in the "References" section.

The Windows XP Service Pack 2 - Step by Step guide includes the following topics:
Part 1: Better security with Service Pack 2

Part 2: Installing Service Pack 2

Part 3: The new Security Center

Part 4: Automatic Updates

Part 5: Virus protection

Part 6: Windows Firewall

Part 7: Protecting against buffer overflows

Part 8: Improvements in Internet Explorer and Outlook Express

Part 9: Uninstalling Service Pack 2

More Information

Part 6: Windows Firewall

Internet users do not always realize that an Internet connection is bidirectional. In the same manner that you can access other computers when you are online, other computers can access yours. This means that there is a constant threat of attack. That is why computers should never connect to the Internet without the protection of a firewall.

When you install Windows XP SP2, the new Windows Firewall is automatically activated for all network connections, regardless of whether another desktop firewall is already installed on the computer. Windows Firewall blocks all unsolicited incoming traffic and lets desired network traffic pass as normal.

The firewall lets you surf the Internet, send e-mail, download files, and communicate with other computers in a small, private network. If the computer receives an unsolicited request, Windows Firewall blocks the connection. Rules are created so that the firewall can identify which connections should be allowed and which should be blocked. Some programs, such as Internet Explorer, set the rules internally. In other cases, you must define exceptions manually.

Modifying firewall settings

You can modify the firewall settings at any time. To modify firewall settings, use the following methods:
  • Click Start, point to Control Panel, and then click Windows Firewall.
    [Screenshot: Windows Firewall icon]
  • Click Security Center in Control Panel, and then click Windows Firewall under Manage security settings for.
    [Screenshot: Security Center, "Manage security settings for:" section]

Activating and deactivating the firewall

  1. Open Windows Firewall.

  2. Click the General tab.
    [Screenshot: Windows Firewall window, General tab]
  3. Select your preferred option, and then click OK.
    • On (recommended)
      This is the default setting. This setting blocks all unsolicited attempts to establish a connection with the computer. It only allows programs or tools that were specified automatically or manually as exceptions.

    • Don't allow exceptions
      The exceptions specified on the Exceptions tab are ignored. This setting is recommended when you are on the move and require a high level of protection. For example, use this setting when you connect using a WLAN connection that is categorized as nonsecure, such as a WLAN connection in a hotel or in an airport.

    • Off (not recommended)
      Disables the firewall. You should only select this setting if you are installing another firewall.

Installing another firewall

If you want to use another desktop firewall, you must deactivate the Windows Firewall. If two firewalls are activated at the same time, neither will operate correctly. The Security Center will note this conflict and notify you accordingly.
[Screenshot: Security Center - Firewall ON (green)]
  1. Deactivate Windows Firewall as described earlier in this article.

    [Screenshot: Windows Firewall window, General tab - Firewall off]
    The Security Center will probably warn you that the firewall has been deactivated.
    [Screenshot: Security Center - Firewall OFF (red)]
  2. In this case, click Recommendations, click I have a firewall solution that I'll monitor myself, and then click OK.
    [Screenshot: Security Center Recommendation - I have a firewall solution...]
  3. You must now monitor the correct operation of the firewall yourself.
    [Screenshot: Security Center - Firewall NOT MONITORED (yellow)]

Setting exceptions

Some programs and games need to exchange information to operate correctly. If you wish to play a game against other users on the Internet, or use a chat service, this information arrives through incoming ports on the computer, which only works if those ports are open.

To prevent Windows Firewall from blocking all traffic, you must specify trusted programs in the list of exceptions. There are several methods of doing this.
Defining exceptions "on the fly"
When Windows Firewall blocks a program, Windows notifies you. You then have three options:
  • Keep blocking
    The program will also be blocked in the future.
  • Unblock
    The program will be able to receive data or additional requests in the future.
  • Ask Me Later
    The program will be unable to receive data. However, you will be prompted to block it or allow it at the next attempt.
  [Screenshot: Windows Security Alert - Do you want to keep blocking this program?]
If you select Unblock, Windows Firewall creates an exception. Otherwise it will continue to block the program.
Creating exceptions manually
  1. Open Windows Firewall.

  2. Click the Exceptions tab.
    [Screenshot: Windows Firewall window, Exceptions tab]
  3. Click Add Program. Select the program that you want to add to the list of exceptions, and then click OK.
    [Screenshot: Exceptions - Add a Program window]
  4. The program is now added to the list and checked.
    [Screenshot: Exceptions tab - Program added to list]
Note: Instead of defining a program, you can define the corresponding port as an exception. However, to do this, you must know the port number.
  1. Open Windows Firewall.

  2. Click the Exceptions tab.
  3. Click Add Port. Specify a name for the type of connection that uses this port, and then enter the port number. (You can find the port number in system documentation or on the Internet.) Specify whether the connection uses TCP or UDP, and then click OK.

    [Screenshot: Exceptions - Add a Port window]
  4. A port that you open is not tied to a program, so it remains open even when you are not using the program. In that case, you should close the port to help secure the computer. (To close the port, clear the check box next to it in the list of exceptions.)
Automatic exceptions
For some programs, such as Windows Messenger, Windows automatically creates rules. These are then automatically added to the list of exceptions.
Modifying the scope
By default, an exception that you set applies to connections from any computer, anywhere on the Internet. However, you can limit an exception by changing its scope.
  1. Open Windows Firewall.

  2. Click the Exceptions tab.
  3. Select the exception that you want to limit, and then click Edit. Select the port, if one is listed, and then click Change scope. (If no port is listed, click Change scope directly.)

  4. Select the option that you want to apply, and then click OK.
    [Screenshot: Exceptions - Add a Port - Change Scope window]
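As an added example that is not part of the original article, the following commands use the netsh firewall context of Windows XP SP2 to create a program exception and a port exception that are limited to a LAN range, check the result, and remove the port exception again when it is no longer needed. The program path, the port number and the LAN range are assumed placeholder values.

```batch
@echo off
REM Added example, not from the KB article: "netsh firewall" (Windows XP SP2)
REM equivalents of the Exceptions tab steps. Program path, port and LAN range
REM are constructed placeholders; substitute your own values.
set APP=C:\Program Files\Example\game.exe
set LAN=192.168.1.0/255.255.255.0

REM Program exception (Add Program): the firewall opens whatever ports the
REM program listens on, but only while the program is running.
netsh firewall add allowedprogram program="%APP%" name="Example game" mode=ENABLE scope=CUSTOM addresses=%LAN%

REM Port exception (Add Port), limited to the LAN instead of the default ALL
REM scope, which would accept the connection from any address on the Internet.
netsh firewall add portopening protocol=UDP port=27015 name="Example game lobby" mode=ENABLE scope=CUSTOM addresses=%LAN%

REM Check the result: the two lists show the exceptions and their scope,
REM and "show state" lists the ports that are actually open right now.
netsh firewall show allowedprogram
netsh firewall show portopening
netsh firewall show state

REM A port exception stays open whether or not the program runs; remove it
REM when it is no longer needed (the GUI equivalent is clearing its check box).
netsh firewall delete portopening protocol=UDP port=27015
```

Run the commands from a command prompt with administrator rights; the scope of an existing exception can also be changed by issuing the add command again with a different scope.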
Problems with file and printer sharing

By default, if you work at a stand-alone computer, file sharing and printer sharing are blocked, and this section does not apply to you. However, if an Internet-enabled computer is connected to a network, file and printer sharing is set as an exception with the subnet scope during installation of Windows XP SP2.

Important: This setting makes file and printer sharing visible worldwide, even when Windows Firewall is activated.
[Screenshot: File and Printer Sharing openly accessible]
This affects a computer that should be available only for sharing on the internal LAN but that establishes a direct connection to the Internet through a modem, ISDN, or DSL, with ICS (Internet Connection Sharing) deactivated on this computer. It does not apply to DSL users who already have a firewall integrated in their DSL modem or who use a DSL router.

The workaround for this problem is to set a custom configuration for file and printer sharing.
  1. Open Windows Firewall.
  2. Click the Exceptions tab.
  3. Select File and Printer Sharing, and then click Edit.
    [Screenshot: Windows Firewall window, Exceptions tab, File and Printer Sharing]
  4. Select TCP port 139, and then click Change scope.
    [Screenshot: Edit Port window (Subnet scope)]
  5. Click Custom list, and then enter the network range that you want to use for file and printer sharing. This is usually the range that has the subnet mask Use the following format:
    [Screenshot: Change scope window - Custom list]
  6. Click OK. Repeat this process for the three other ports, and then close the window by clicking OK.
    [Screenshot: Edit Port window (Custom scope)]
  7. Your file and printer sharing should no longer be openly available.
    [Screenshot: File and Printer Sharing not openly accessible]
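As an added example that is not from this article, the same restriction can be applied from a command prompt with the netsh firewall context of Windows XP SP2, which changes the scope of the whole File and Printer Sharing exception in one command instead of port by port. The LAN range is an assumed value.

```batch
@echo off
REM Added example, not from the KB article: "netsh firewall" (Windows XP SP2)
REM equivalent of the Change scope steps for File and Printer Sharing.
REM Assumption: the LAN is 192.168.1.0/24 (a constructed value; use your own range).
set LAN=192.168.1.0/255.255.255.0

REM Before: the full configuration dump typically lists the exception
REM with Scope = Subnet.
netsh firewall show config

REM Restrict the whole service (TCP 139, TCP 445, UDP 137 and UDP 138)
REM to the LAN range only.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=%LAN%

REM After: the same dump should now show Scope = Custom with the LAN range,
REM and "show opmode" confirms that the firewall itself is still on.
netsh firewall show config
netsh firewall show opmode
```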

References

For more information about the other topics in the Windows XP Service Pack 2 - Step by Step guide, click the following article numbers to view the articles in the Microsoft Knowledge Base:

889735 Windows XP Service Pack 2 (Part 1)

889736 Installing Service Pack 2 (Part 2)

889737 The new Security Center (Part 3)

889738 Automatic Updates (Part 4)

889739 Virus protection (Part 5)

889741 Protecting against buffer overflows (Part 7)

889742 Improvements in Internet Explorer and Outlook Express (Part 8)

889743 Uninstalling Service Pack 2 (Part 9)
This article is a translation from German. Any subsequent changes or additions to the original German article may not be reflected in this translation. The information that is contained in this article is based on the German-language versions of this product. The accuracy of this information relative to other language versions of this product is not tested within the framework of this translation. Microsoft makes this information available without warranty of its accuracy or functionality and without warranty of the completeness or accuracy of the translation.

Article ID: 889740 - Last Review: 23 Oct 2008 - Revision: 1