Understanding Windows Firewall in Windows XP Service Pack 2

Understanding Windows Firewall

Windows Firewall, previously known as Internet Connection Firewall or ICF, is a protective boundary that monitors and restricts information that travels between your computer and a network or the Internet. This provides a line of defense against someone who might try to access your computer from outside the Windows Firewall without your permission.

If you're running Windows XP Service Pack 2 (SP2), Windows Firewall is turned on by default. However, some computer manufacturers and network administrators might turn it off.

To open Windows Firewall

  1. Click Start and then click Control Panel.
  2. In the control panel, click Windows Security Center.
  3. Click Windows Firewall.

Note: You do not have to use Windows Firewall—you can install and run any firewall that you choose. Evaluate the features of other firewalls and then decide which firewall best meets your needs. If you choose to install and run another firewall, turn off Windows Firewall.

How Windows Firewall Works

When someone on the Internet or on a network tries to connect to your computer, we call that attempt an "unsolicited request." When your computer gets an unsolicited request, Windows Firewall blocks the connection. If you run a program such as an instant messaging program or a multiplayer network game that needs to receive information from the Internet or a network, the firewall asks if you want to block or unblock (allow) the connection. You should see a window like the one below.

[Screen shot: Firewall security alert]

If you choose to unblock the connection, Windows Firewall creates an exception so that the firewall won't bother you when that program needs to receive information in the future. To learn more about exceptions, see the Using the Exceptions Tab section of this article.

Tip: Although you can turn off Windows Firewall for specific Internet and network connections, doing this increases the risk to your computer's security.

What Windows Firewall Does and Does Not Do

It does:

  • Help block computer viruses and worms from reaching your computer.
  • Ask for your permission to block or unblock certain connection requests.
  • Create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer. This can be useful as a troubleshooting tool.

It does not:

  • Detect or disable computer viruses and worms if they are already on your computer. For that reason, you should also install antivirus software and keep it updated to help prevent viruses, worms, and other security threats from damaging your computer or using your computer to spread viruses to others. For more information, see Frequently Asked Questions About Antivirus Software.
  • Stop you from opening e-mail with dangerous attachments. Don't open e-mail attachments from senders that you don't know. Even if you know and trust the source of the e-mail you should still be cautious. If someone you know sends you an e-mail attachment, look at the subject line carefully before opening it. If the subject line is gibberish or does not make any sense to you, check with the sender before opening it.
  • Block spam or unsolicited e-mail from appearing in your inbox. However, some e-mail programs can help you do this. Check the documentation for your e-mail program or see Fighting Unwanted Spam to learn more.
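
The security log mentioned above is a plain-text file in which each connection attempt is one space-separated line under a `#Fields:` header. As an added example (not part of the original page), the Python below parses such a log, counts blocked requests per port, and lists sources that were blocked on several different ports; the sample lines are constructed, and `parse_firewall_log`, `summarize_drops` and `scan_threshold` are names chosen for this example.

```python
from collections import Counter

# Constructed sample in the layout of the Windows Firewall security log
# (pfirewall.log). Addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2008-05-15 09:12:01 DROP TCP 203.0.113.7 192.0.2.10 4312 445 48 S 1234 0 65535 - - - RECEIVE
2008-05-15 09:12:02 DROP TCP 203.0.113.7 192.0.2.10 4313 139 48 S 1235 0 65535 - - - RECEIVE
2008-05-15 09:12:03 DROP TCP 203.0.113.7 192.0.2.10 4314 3389 48 S 1236 0 65535 - - - RECEIVE
2008-05-15 09:13:40 OPEN TCP 192.0.2.10 198.51.100.25 1045 80 - - - - - - - - SEND
2008-05-15 09:14:05 DROP UDP 198.51.100.99 192.0.2.10 1026 1434 404 - - - - - - - RECEIVE
2008-05-15 09:15:10 CLOSE TCP 192.0.2.10 198.51.100.25 1045 80 - - - - - - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per log entry, keyed by the names on the #Fields line."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) >= len(fields):  # ignore truncated lines
                yield dict(zip(fields, values))


def summarize_drops(entries, scan_threshold=3):
    """Count blocked (DROP) requests per (protocol, port) and list sources
    blocked on scan_threshold or more distinct ports (assumed cut-off)."""
    per_port = Counter()
    ports_by_source = {}
    for entry in entries:
        if entry["action"] != "DROP":
            continue  # OPEN/CLOSE lines are allowed connections
        key = (entry["protocol"], entry["dst-port"])
        per_port[key] += 1
        ports_by_source.setdefault(entry["src-ip"], set()).add(key)
    probing = sorted(src for src, ports in ports_by_source.items()
                     if len(ports) >= scan_threshold)
    return per_port, probing


if __name__ == "__main__":
    per_port, probing = summarize_drops(parse_firewall_log(SAMPLE_LOG))
    for (proto, port), count in per_port.most_common():
        print(f"{proto}/{port}: {count} blocked")
    print("Sources blocked on several ports:", probing)
```

On Windows XP SP2 the log is off by default; it is turned on under Security Logging on the Advanced tab of Windows Firewall.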

Adjust Your Firewall Settings

If you're running Windows XP Service Pack 2 (SP2), the new Windows Firewall is turned on by default. To help protect your computer against viruses or security threats, we recommend that you keep Windows Firewall on.

Because a firewall restricts communication between your computer and the Internet, you might need to adjust settings for some programs that prefer an open connection. These adjustments are called "exceptions." To learn more about exceptions, see the Using the Exceptions Tab section of this article.

Windows Firewall now has three settings: On, On with no exceptions, and Off.

On: Windows Firewall is turned on by default, and normally you should leave it that way. When you choose this setting, Windows Firewall blocks all unsolicited requests to connect to your computer, except for requests to programs or services selected on the Exceptions tab.

On with no exceptions: When you select the Don't allow exceptions check box, Windows Firewall blocks all unsolicited requests to connect to your computer, including requests to programs or services selected on the Exceptions tab. Use this setting when you need maximum protection for your computer, such as when you connect to a public network in a hotel or airport, or when a dangerous virus or worm is spreading over the Internet.

Tip: There is no need to keep Don't allow exceptions selected all the time, because when it is, some of your programs might not work correctly, and the following services are blocked from accepting unsolicited requests:

  • File and Printer Sharing
  • Remote Assistance and Remote Desktop
  • Discovery of network devices
  • Preconfigured programs and services on the exceptions list
  • Additional items that you've added to the exceptions list

Note: When you select Don't allow exceptions, you can still send and receive e-mail, use an instant messaging program, or view most Web pages.

Off: This setting turns Windows Firewall off. When you choose this setting, your computer is much more vulnerable to harm from unknown intruders or viruses from the Internet. This setting should only be used by advanced users for computer administration purposes, or if your computer is protected by another firewall.

To adjust Windows Firewall settings

  1. Click Start and then click Control Panel.
  2. In the control panel, click Windows Security Center.
  3. Click Windows Firewall.
  4. On the General tab, make your selection.

Note: Settings that you create when your computer is joined to a domain are stored separately from those created when your computer is not joined to a domain. These separate groups of settings are called profiles.

Using the Exceptions Tab

If you're running Windows XP Service Pack 2 (SP2), Windows Firewall is turned on by default. This means that most programs will not be allowed to accept unsolicited communications from the Internet unless you choose to list those programs as exceptions. There are two programs that, by default, are already added to the exceptions list and can accept unsolicited communications from the Internet: Files and Settings Transfer Wizard and File and Printer Sharing.

Because firewalls restrict communication between your computer and the Internet, you might need to adjust settings for some other programs that prefer an open connection. You can make an exception for these programs, so that they can communicate through the Windows Firewall.

Allowing Exceptions—the Risks

Each time you allow an exception for a program to communicate through Windows Firewall, your computer is made more vulnerable. To allow an exception is like poking a hole through the firewall. If there are too many holes, there's not much wall left in your firewall. Hackers often use software that scans the Internet looking for computers with unprotected connections. If you have lots of exceptions and open ports, your computer can become more vulnerable.

To help decrease your security risk:

  • Only allow an exception when you really need it.
  • Never allow an exception for a program that you don't recognize.
  • Remove an exception when you no longer need it.

Allowing Exceptions Despite the Risks

Sometimes you might want someone to be able to connect to your computer, despite the risk—such as when you expect to receive a file sent through an instant messaging program, or when you play a multiplayer game over the Internet.

For example, if you're exchanging instant messages with someone who wants to send you a file (a photo, for example), Windows Firewall will ask you if you want to unblock the connection and allow the photo to reach your computer. Or, if you want to play a multiplayer network game with friends over the Internet, you can add the game as an exception so that the firewall will allow the game information to reach your computer.

To add a program to the exceptions list

  1. Click Start and then click Control Panel.
  2. In the control panel, click Security Center, and then click Windows Firewall.
  3. On the Exceptions tab, under Programs and Services, select the check box for the program or service that you want to allow, and then click OK.

If the program (or service) that you want to allow is not listed

  1. Click Add Program.
  2. In the Add a Program dialog box, click the program that you want to add, and then click OK. The program will appear, selected, on the Exceptions tab, under Programs and Services.
  3. Click OK.

Tip: If the program (or service) that you want to allow is not listed in the Add a Program dialog box, click Browse, locate the program that you want to add, and then double-click it. (Programs are usually stored in the Program Files folder on your computer.) The program will appear under Programs, in the Add a Program dialog box.

As a Last Resort, Open a Port

If you still do not find the program, you can open a port instead. A port is like a small door in the firewall that allows communications to pass through. To specify which port to open, on the Exceptions tab, click Add Port. (When you open a port, remember to close it again when you are done using it.)

Adding an exception is preferable to opening a port because:

  • It is easier to do.
  • You do not need to know which port number to use.
  • It is more secure than opening a port, because the firewall is only open while the program is waiting to receive the connection.

Advanced Options

Advanced users can open ports for, and configure the scope of, individual connections to minimize opportunities for intruders to connect to a computer or network. To do this, open Windows Firewall, click the Advanced tab, and use the settings under Network Connection Settings.

Microsoft Firewall Overall reference

Microsoft Firewall FAQ


If you have any virus-related questions or difficulty, please contact the Help Desk for assistance at x7224 or e-mail virus@vassar.edu. (Please DO NOT send an infected e-mail. Call the Help Desk.)

This page was last updated on 5/15/08.