Adding a Program as a New Exception
If you don’t see the program or port you want to work with, you can add it by hand. Here’s how:
1. Select Start, type firewall, and then click Allow a Program Through Windows Firewall in the search results. The Allowed Programs window appears.
2. Click Change Settings. Windows Firewall enables the exceptions.
3. Click Allow Another Program. The Add a Program dialog box appears.
4. If you see your program in the list, click it. Otherwise, click Browse, use the Browse dialog box to select the program’s executable file, and then click Open.
5. Click Add. Windows Firewall adds the program to the list.
6. Activate the Home/Work (Private) check box.
7. If you also connect to public networks (such as wireless hot spots) and you want the program allowed through on those networks, activate the Public check box.
8. Click OK to put the exception into effect.
Tip
You can prevent computers on your network from adding program exceptions if you’re worried about security. On the other computer, log on as an administrator, open the Group Policy Editor, and open the following branch: Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Standard Profile. Enable the Windows Firewall: Do Not Allow Exceptions policy and the Windows Firewall: Protect All Network Connections policy.
Adding a Port as a New Exception
If you need to open a port on your computer, you can’t do it via the Allowed Programs window. Instead, you need to work with a Microsoft Management Console snap-in called Windows Firewall with Advanced Security (WFAS). To load it, select Start, type wf.msc, press Enter, and then enter your User Account Control credentials. Figure 3 shows the WFAS snap-in.
The
home page of the snap-in presents an overview of the current firewall
settings, as well as a number of links to configure and learn about
WFAS. This snap-in configures the firewall by setting policies and
storing them in three profiles. The domain profile is used when your
computer is connected to a network domain, the private profile is used
when your computer is connected to a private network, and the public
profile is used when your computer is connected to a public network. To
change the settings for the profiles, click the Windows Firewall
Properties link, and then use the Domain Profile, Private Profile, and
Public Profile tabs to modify the settings (although the defaults
should be fine for most people).
The scope pane contains four main sub-branches:
Inbound Rules—
This branch presents a list of defined rules for inbound connections.
In most cases, the rules aren’t enabled. To enable a rule, you
right-click it and then click Enable Rule (or you can click the rule
and then click Enable Rule in the Action pane). You can create your own
rule (as you’ll soon see) by right-clicking Inbound Rules and then
clicking New Rule (or clicking New Rule in the Action pane). This
launches the New Inbound Rule Wizard.
Outbound Rules—
This branch presents a list of defined rules for outbound connections.
As with inbound connections, you can enable the rules you want to use
and create your own rules. Note, too, that you can customize any rule
by double-clicking it to display its property sheet. With this property
sheet, you can change the program executable to which the exception is
applied, allow or block a connection, set the computer and user
authorization, change the ports and protocols, and specify the
interface types and services.
Connection Security Rules— This branch is where you create and manage authentication rules,
which determine the restrictions and requirements that apply to
connections with remote computers. Right-click Computer Connection
Security and then click New Rule (or click New Rule in the Action pane)
to launch the New Connection Security Rule Wizard.
Monitoring—
This branch shows the enabled firewall settings. For example, the
Firewall sub-branch shows the enabled inbound and outbound firewall
rules, and the Connection Security Rules sub-branch shows the enabled
authentication rules.
Here are the steps to follow to use WFAS to create a port exception:
1. Click Inbound Rules.
2. In the Actions pane, click New Rule to launch the New Inbound Rule Wizard.
3. Click Port and then click Next. The Protocol and Ports dialog box appears.
4. Click the data protocol you want the exception to use: TCP or UDP. (If you’re not sure, choose TCP.)
5. Activate the Specific Local Ports option and use the text box to type the port you want to set up as an exception.
6. Click Next. The Action dialog box appears.
7. Click Allow the Connection and then click Next. The Profile dialog box appears.
8. Activate the check box beside each profile you use (Domain, Private, or Public), and then click Next. The Name dialog box appears.
9. Use the Name text box to make up a name for this exception. This is the name that appears in the Exceptions tab, so make it reasonably descriptive (for example, Port 80 for Web Server).
10. Click Finish to put the exception into effect.
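Both procedures above (the program exception and the port exception), scripted as an added PowerShell example that is not the book's own material: it uses the NetSecurity module cmdlets (Windows 8 / Server 2012 and later; Windows 7 has only the netsh advfirewall command line for this), and the program path, rule names and port 80 are assumed placeholders. It also narrows the port rule's scope to the local subnet and finishes with a check for rules still open to any remote address, which is the mistake the Tip below describes.

```powershell
# Added example, not from the book. Run from an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later (NetSecurity module). Values are placeholders.

$exe = 'C:\Program Files\ExampleApp\exampleapp.exe'   # assumed program path

# "Adding a Program as a New Exception", steps 1-8: allow the executable
# inbound on the Private profile only (the Home/Work (Private) check box).
New-NetFirewallRule -DisplayName 'ExampleApp (inbound)' `
    -Direction Inbound -Action Allow -Program $exe `
    -Profile Private -Enabled True | Out-Null

# "Adding a Port as a New Exception", steps 1-10: TCP port 80 with the name the
# text suggests. The wizard defaults the scope to any remote address; here the
# scope is restricted to the local subnet instead.
New-NetFirewallRule -DisplayName 'Port 80 for Web Server' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 `
    -Profile Domain,Private -RemoteAddress LocalSubnet -Enabled True | Out-Null

# Defender's check: list every enabled inbound Allow rule whose remote scope is
# still "Any", so over-broad exceptions can be found and reviewed.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Profile  = $_.Profile
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Program  = $app.Program
            Remote   = $addr.RemoteAddress
        }
    } |
    Where-Object { $_.Remote -eq 'Any' } |
    Format-Table -AutoSize
```

Either rule can be backed out again with Remove-NetFirewallRule -DisplayName followed by the name used above.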
Tip
If you’re worried about someone on your network adding a port as an exception and possibly opening up a security hole (for example, by forgetting to change the scope to something local), you can disable new port exceptions on that computer. Log on as an administrator, open the Group Policy Editor, and open the following branch: Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall, Standard Profile. Disable the Windows Firewall: Allow Local Port Exceptions policy.