
Making Exceptions to Firewall Protection

When Windows Firewall is turned on and running, you don't have to do anything special to use it. It keeps constant watch, blocking hackers and worms that try to sneak in through ports no program on your computer is supposed to be listening on. Ordinary Internet use, such as e-mail and web browsing, works without any setup because those connections start from your computer: the firewall allows outgoing connections by default and lets the replies back in, while blocking connections that outsiders try to start.

Programs that need to accept connections that other computers start (that is, programs that listen on a port for unsolicited incoming traffic) may require an exception to the default rule that blocks incoming traffic. Examples include instant messaging programs and some online games. The first time such a program listens on a port, Windows Firewall displays a security alert.

The message doesn't mean the program is "bad." It means that to use the program, Windows Firewall has to create an inbound rule for it. If you don't recognize the program name and publisher shown, click Cancel. If you want to use the program, decide on which kinds of network the exception should be active. The check boxes refer to the network your computer is connected to and how you classified it, not to where a given packet comes from: Private Networks covers home or work networks you have marked as private, and Public Networks covers airports, coffee shops, and any network you haven't classified. Choose Private for a program you use only at home or the office; add Public only if the program must accept connections wherever you are, which is the riskier choice. Then click Allow Access.

Allowing access for a program doesn't leave the associated port wide open; it creates a rule that allows unsolicited inbound traffic to that one program. You're still protected, because nothing is let in when the program isn't running and listening, and other programs can't use the rule. If you change your mind in the future, you can disable or remove the rule, as described under Disabling, changing, and deleting exceptions.

Manually configuring firewall exceptions (allowed apps and features)

Normally, when you try to use a program (also referred to in Windows 10 Firewall as an app) that needs to work through the firewall, you get a security alert message. Occasionally, you may want to manually allow or block an app through the firewall. If you have administrative privileges, you can do that through the Allowed Apps page. To open that page, click Allow an App through Windows Firewall in System and Security (near the Windows Firewall item in the Control Panel).

Items on the list with a check mark beside them represent apps that work through the firewall. You also see any exceptions you created in response to a security alert.

You probably aren't familiar with most of the apps listed in the Allowed Apps and Features list, so you shouldn't guess which ones to select or deselect. Leave the selections as they are. If you later decide to use one of the listed features, you're prompted at that point to allow access for the app or program if necessary.

Adding an app exception

You can unblock ports for apps that aren't listed under Allowed Apps and Features. Do this only if specifically instructed to do so by an app manufacturer you know and trust.

If the app for which you want to create an exception isn't listed under Allowed Apps and Features, you can do the following:

  1. Click Change Settings and then click the Allow Another App button. When you do so, you see a list of installed apps that might require Internet access.
  2. Click the app that you want to add to the list. Optionally, if the program isn't listed, but you know where it's installed, you can use the Browse button to get to the main executable for that program (typically the .exe file).
  3. Click the Network Types button to choose the kinds of network on which the exception is active. This is about the network your computer is connected to and how you classified it, not about the address a given packet comes from: a rule allowed only on Private networks is switched off entirely while you're on a coffee-shop Wi-Fi. Your options are as follows:
    • Private:
      Use this for home or workplace networks you have marked as private. If the program is used only within your home or business network, select Private alone: computers on that network can reach the program, and the exception stays off whenever you're connected to a public network.
    • Public:
      Use this for public networks, such as those in an airport or coffee shop. Select it only if the program must accept incoming connections while you're on such a network. The program doesn't need this to make outgoing connections to the Internet; outgoing connections are allowed by default.
  4. Click OK to save your settings.
Tip:
You can change the scope for a program within the Allowed Apps and Features list later by selecting or clearing the check marks in its Private and Public columns.

IP Addresses on Home/Office Networks
On a typical home or small-office network, the router hands out addresses automatically (by DHCP), and each computer receives a 192.168.x.x address, most often in the form 192.168.0.x or 192.168.1.x (the x represents a number that is unique to each device). For example, if the computers share a single Internet connection, the router itself usually takes 192.168.0.1 and the computers receive addresses in that same range, such as 192.168.0.10 and 192.168.0.11.

All computers on such a network have the same subnet mask, 255.255.255.0. The subnet mask tells the computer that the first three numbers are part of the network address (the address of your network as a whole), and the last number refers to a specific host (computer) on that network. The 192.168.x.x addresses (along with 10.x.x.x and 172.16.x.x through 172.31.x.x) are referred to as private addresses because they aren't routed on the public Internet: a computer out on the Internet can't reach them directly, only through whatever your router deliberately forwards.

To see the IP address of a computer on your local network:

  1. Go to that computer, display the desktop, press Windows+X, and choose Command Prompt (or Windows PowerShell, depending on your Windows 10 build; the command is the same in both).
  2. At the prompt, type ipconfig /all and press Enter. For each network adapter you see the computer's IPv4 Address and Subnet Mask, along with the Default Gateway (normally your router) and other Internet protocol data.
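The following PowerShell is an added example, not part of the original page: it does in code what the paragraph above describes in words, reading each IPv4 address on the computer with Get-NetIPAddress (which ships with Windows 10), applying the subnet mask bit by bit to split the address into its network and host portions, and flagging whether the address falls in one of the private ranges. It runs in an ordinary, non-elevated PowerShell window; the function names are this example's own.

```powershell
# Added example (not from the original page). Converts dotted IPv4 addresses to
# 32-bit integers so the subnet mask can be applied with a bitwise AND, exactly
# as the computer itself does when deciding whether a destination is "local".

function ConvertTo-UInt32Address {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)     # GetAddressBytes is network (big-endian) order; BitConverter wants little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32Address {
    param([uint32]$Value)
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    return ([System.Net.IPAddress]::new($bytes)).ToString()
}

function Get-MaskFromPrefix {
    # A prefix length of 24 is the same thing as a mask of 255.255.255.0:
    # 24 one-bits followed by 8 zero-bits.
    param([int]$PrefixLength)
    $mask = (0xFFFFFFFF -shl (32 - $PrefixLength)) -band 0xFFFFFFFF
    return [uint32]$mask
}

function Test-PrivateIPv4 {
    # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
    param([string]$Address)
    $a = ConvertTo-UInt32Address $Address
    $ranges = @(
        @{ Net = '10.0.0.0';    Prefix = 8  },
        @{ Net = '172.16.0.0';  Prefix = 12 },
        @{ Net = '192.168.0.0'; Prefix = 16 }
    )
    foreach ($r in $ranges) {
        $mask = Get-MaskFromPrefix $r.Prefix
        if (($a -band $mask) -eq ((ConvertTo-UInt32Address $r.Net) -band $mask)) { return $true }
    }
    return $false
}

function Get-LocalNetworkSummary {
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' } |      # skip the loopback adapter
        ForEach-Object {
            $ip   = ConvertTo-UInt32Address $_.IPAddress
            $mask = Get-MaskFromPrefix $_.PrefixLength
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                IPAddress  = $_.IPAddress
                SubnetMask = ConvertFrom-UInt32Address $mask          # e.g. 255.255.255.0
                Network    = ConvertFrom-UInt32Address ($ip -band $mask)
                HostNumber = $ip -band ((-bnot $mask) -band 0xFFFFFFFF)  # the "x" in 192.168.0.x
                Private    = Test-PrivateIPv4 $_.IPAddress
            }
        }
}

Get-LocalNetworkSummary | Format-Table -AutoSize
```

Two computers are on the same local network only when the Network column matches; that is the comparison Windows makes before deciding whether to send a packet directly or to the default gateway. An address of 169.254.x.x in the output means the computer never received an address from the router and is not really on the network at all.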

Disabling, changing, and deleting exceptions

The check boxes in the Allowed Apps and Features list indicate whether the exception is enabled or disabled. When you clear a check box, the exception is disabled and unsolicited inbound traffic to that program is blocked again; connections the program starts itself are unaffected. You can easily enable or disable a rule for a program as needed because the program name always remains in the list of exceptions.

To change the scope of an exception in the exceptions list, click the check box in the Private or Public column. To remove a program from the exceptions list and stop accepting unsolicited traffic through its port, click the program name and then click the Remove button.

Tip:
You can't remove the predefined rules Windows ships with, only those you've added; you can still clear their check boxes to disable them.
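The Allowed Apps page is a front end for inbound rules, and the whole lifecycle the two sections above walk through (adding an app exception scoped to Private networks, widening the scope, disabling it, and removing it) can be driven from an elevated PowerShell with the NetSecurity cmdlets that ship with Windows 10. The following is an added example, not the page's own code; the program path and rule name are assumptions for illustration, so substitute the executable you were told to allow.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell.
$ruleName = 'Example App (inbound)'                         # assumed display name
$program  = 'C:\Program Files\ExampleApp\exampleapp.exe'    # assumed path to the app's main .exe

# 1. Add the exception: unsolicited inbound traffic is allowed to this one
#    executable, and only while connected to a Private network (the equivalent
#    of ticking only the Private box on the Allowed Apps page).
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Inbound -Action Allow -Program $program `
    -Profile 'Private' -Enabled True | Out-Null

# 2. Verify what was created. The rule is tied to the program, not to a port:
#    the port filter shows Any, but only that executable may receive on it, and
#    only while it is actually listening.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile
$rule | Get-NetFirewallApplicationFilter | Select-Object Program
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort

# 3. Change the scope: active on Public networks as well (both columns ticked).
#    Think twice: the program can now accept connections on untrusted networks.
Set-NetFirewallRule -DisplayName $ruleName -Profile 'Private','Public'

# 4. Disable rather than delete when you may want the exception back later;
#    the rule stays in the list, exactly like a cleared check box.
Disable-NetFirewallRule -DisplayName $ruleName
(Get-NetFirewallRule -DisplayName $ruleName).Enabled     # now False

# 5. Remove it outright when the program is gone for good.
Remove-NetFirewallRule -DisplayName $ruleName
```

Get-NetFirewallRule -DisplayName accepts wildcards, so a rule name with an asterisk in it would match more than you intend; use exact names when you remove. If the rule was delivered by Group Policy rather than created locally, the Set, Disable and Remove cmdlets will fail to change it, which is the expected behaviour described under Advanced Firewall Configuration.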

Advanced Firewall Configuration

Windows Firewall with Advanced Security is for advanced users and for network and security administrators who need to configure Windows Firewall to comply with an organization's security policy. All these options require administrative privileges. We don't go into great detail about what the options mean because we assume you're working to comply with an existing policy.

Caution
If you aren't a professional administrator, stay out of this area altogether. Don't guess and hack your way through these settings to see what happens. Doing so could leave you unable to connect to the Internet or exposed to attacks by hackers.

Open Windows Firewall with Advanced Security

To get to the advanced configuration options for Windows Firewall, open Windows Firewall from the System and Security item in the Control Panel. Then click the Advanced Settings link in the left pane. The Windows Firewall with Advanced Security console opens. (You can also press Windows+R, type wf.msc, and press Enter.)

You have three independently configurable profiles to work with. Only one of them is active on a given network connection at a time, chosen by how Windows classifies that connection:

  • Domain Profile is active when the computer is joined to an Active Directory domain and can reach a domain controller, such as in a corporation or business setting.
  • Private Profile applies to networks you (or an administrator) have marked as private, such as a home or small-office network.
  • Public Profile applies to every other network, including any new network you haven't classified, and is therefore the most restrictive.

Changing firewall profile properties

Clicking the Windows Firewall Properties link near the bottom of the console takes you to the dialog box shown. You can use tabs at the top of the dialog box to configure the Domain, Private, and Public settings. The fourth tab applies to IPsec (IP Security), commonly used with virtual private networks (VPNs), which are described later in this section. By default, Inbound Connections are set to Block and Outbound Connections are set to Allow. You can change either setting by clicking its button; the inbound list also offers Block All Connections, which ignores every allow rule and is useful as an emergency setting on a hostile network.

Firewall alerts, unicast responses, local administrator control

Each profile tab has a Customize button in its Settings section. Clicking it lets you turn off, for that profile, the notification that appears when a program is blocked from listening; allow or prevent unicast responses to multicast and broadcast traffic the computer sends; and decide whether rules created by local administrators are merged with rules delivered through Group Policy or ignored in favour of the policy.
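Everything on the profile tabs described above (default inbound and outbound actions, notifications, unicast responses, and local-rule merging) is also exposed by Get-NetFirewallProfile and Set-NetFirewallProfile. The following is an added example, not the page's own code: it compares the three profiles with a baseline matching the dialog's defaults, reports every deviation, and applies the baseline only when asked. Run it from an elevated PowerShell; the baseline table and the -Fix switch are this example's own conventions.

```powershell
# Added example (not from the original page). Baseline = the dialog's defaults:
# firewall on, inbound Block, outbound Allow, notify when a program is blocked
# from listening, allow unicast replies to our own multicast/broadcast,
# merge local administrator rules with Group Policy rules.
$baseline = @{
    Enabled                         = 'True'
    DefaultInboundAction            = 'Block'
    DefaultOutboundAction           = 'Allow'
    NotifyOnListen                  = 'True'
    AllowUnicastResponseToMulticast = 'True'
    AllowLocalFirewallRules         = 'True'
}

function Test-FirewallProfileBaseline {
    param([switch]$Fix)
    foreach ($profile in Get-NetFirewallProfile -Name 'Domain','Private','Public') {
        foreach ($setting in $baseline.Keys) {
            $actual = [string]$profile.$setting        # enum values such as Block / Allow / NotConfigured
            if ($actual -ne $baseline[$setting]) {
                [pscustomobject]@{
                    Profile  = $profile.Name
                    Setting  = $setting
                    Actual   = $actual
                    Expected = $baseline[$setting]
                }
                if ($Fix) {
                    # Splat so the setting name can be chosen at run time.
                    $params = @{ Name = $profile.Name; $setting = $baseline[$setting] }
                    Set-NetFirewallProfile @params
                }
            }
        }
    }
}

Test-FirewallProfileBaseline          # report only; empty output means every profile matches
# Test-FirewallProfileBaseline -Fix   # apply the baseline to the deviating profiles
```

An inbound default of Allow on the Public profile, or a disabled profile, is the deviation worth looking for first. Settings delivered by Group Policy show up with the policy's value and revert after the next policy refresh if you change them locally, so on a domain machine the report is useful mainly to show you what the policy has decided.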

Security logging

Each profile tab offers a Logging section with a Customize button. Click the Customize button to set a name and location for the log file (by default %systemroot%\system32\LogFiles\Firewall\pfirewall.log), to set a maximum size (4,096 KB by default, after which the file is rolled over), and to choose whether you want to log dropped packets, successful connections, or both. Logging is off by default. You can use the log file to review firewall activity, to see which ports outsiders are probing, and to troubleshoot connection problems caused by the firewall configuration.
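The log is a plain space-separated text file with a #Fields: header naming its columns, so it can be summarized with a few lines of PowerShell. The following is an added example, not the page's own code: it switches on dropped-packet logging for all three profiles with Set-NetFirewallProfile, then groups dropped inbound packets by destination port and lists the source addresses. The log lines in $sample are constructed for the example in the format Windows writes; replace them with Get-Content on the real file.

```powershell
# Added example (not from the original page).
$logPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # Windows default location

function Enable-FirewallDropLogging {
    # Elevated PowerShell. Logging allowed connections too makes the file grow fast;
    # dropped packets alone are enough to see who is knocking on which port.
    Set-NetFirewallProfile -Name 'Domain','Private','Public' `
        -LogFileName $logPath -LogMaxSizeKilobytes 16384 -LogBlocked True -LogAllowed False
}

function Get-FirewallDropSummary {
    param([string[]]$Lines)
    # Field order from the '#Fields:' header Windows writes at the top of the file:
    # date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn
    # tcpack tcpwin icmptype icmpcode info path
    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |     # skip header/comment lines
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Action = $f[2]; Protocol = $f[3]; SrcIP = $f[4]
                DstIP  = $f[5]; DstPort  = $f[7]; Path  = $f[16]
            }
        } |
        Where-Object { $_.Action -eq 'DROP' -and $_.Path -eq 'RECEIVE' } |   # inbound drops only
        Group-Object Protocol, DstPort |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Service = $_.Name                                   # e.g. "TCP, 445"
                Drops   = $_.Count
                Sources = ($_.Group.SrcIP | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample lines in the pfirewall.log format (not a real capture).
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:32 DROP TCP 203.0.113.5 192.168.0.10 51234 445 52 S 123456 0 8192 - - - RECEIVE
2024-05-01 10:15:33 DROP TCP 203.0.113.5 192.168.0.10 51235 3389 52 S 123457 0 8192 - - - RECEIVE
2024-05-01 10:15:40 DROP TCP 198.51.100.7 192.168.0.10 40001 3389 52 S 900 0 8192 - - - RECEIVE
2024-05-01 10:16:01 ALLOW TCP 192.168.0.10 93.184.216.34 50000 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize
# Real file:
# Get-FirewallDropSummary -Lines (Get-Content ([Environment]::ExpandEnvironmentVariables($logPath)))
```

On the sample, port 3389 (Remote Desktop) shows two drops from two sources and port 445 (file sharing) one; on a home computer that pattern usually means the router is forwarding those ports, or the computer sits directly on the Internet, and the firewall is the only thing in the way. Reading the real file requires administrator rights, and the file is written with a delay of a few seconds, so the newest lines may not be there yet.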

Customizing IPsec settings

The IPsec Settings tab in the firewall properties provides a way to configure IPsec (IP Security). Clicking the Customize button under IPsec Defaults reveals the options. The Default setting in each case means the value is inherited from a higher-level Group Policy object (GPO) if one sets it, and otherwise from the built-in defaults. To override that, choose the options you want to apply to the current Windows Firewall instance. When you override the default, you can choose the key exchange (main mode) algorithms, the data protection (integrity and encryption) algorithms, and the authentication method, including Kerberos V5 for computer and user authentication.

Clicking OK or Cancel in the Customize IPsec Defaults dialog box takes you back to the IPsec Settings tab. There you can use the IPsec Exemptions section to exempt ICMP from IPsec, which may help with connection problems caused by ICMP rules.

Note:
IPsec is a set of cryptographic protocols for securing communications across untrusted networks. It is commonly associated with tunneling and VPNs.
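The IPsec Defaults and IPsec Exemptions described above can be set from an elevated PowerShell with the NetSecurity module's IPsec cmdlets. The following is an added example, not the page's own code, and it assumes those cmdlets (New-NetIPsecMainModeCryptoProposal, New-NetIPsecMainModeCryptoSet, New-NetIPsecAuthProposal, New-NetIPsecPhase1AuthSet, Set-NetFirewallSetting) with the parameters shown and their support for -WhatIf; the display names are this example's own. It replaces the inherited main-mode defaults, which still offer SHA-1 and Diffie-Hellman Group 2 (1024-bit), with a single stronger proposal, sets Kerberos V5 machine authentication as the first authentication, and exempts ICMP.

```powershell
# Added example (not from the original page). Dry run by default; pass -Apply to change settings.
function Set-StrongIPsecDefaults {
    param([switch]$Apply)
    $common = @{ WhatIf = (-not $Apply) }     # -WhatIf prints what would be created instead of creating it

    # Key exchange (main mode): AES-256 encryption, SHA-256 integrity, DH Group 14 (2048-bit).
    # One proposal only, so a peer cannot negotiate the older SHA-1 / DH Group 2 combination.
    $mm = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
    New-NetIPsecMainModeCryptoSet -DisplayName 'Strong main mode (example)' -Proposal $mm -Default @common

    # First authentication: the computer's Kerberos V5 identity, so only domain-joined
    # machines that can obtain a ticket complete the exchange.
    $auth = New-NetIPsecAuthProposal -Machine -Kerberos
    New-NetIPsecPhase1AuthSet -DisplayName 'Machine Kerberos (example)' -Proposal $auth -Default @common

    # IPsec Exemptions on the same tab: let ICMP through unprotected so ping and
    # path-MTU messages keep working while IPsec rules are being introduced.
    Set-NetFirewallSetting -Exemptions Icmp @common
}

Set-StrongIPsecDefaults            # show what would change
# Set-StrongIPsecDefaults -Apply   # make the change
```

Changing the defaults has no effect until a connection security rule (New-NetIPsecRule, or the Connection Security Rules node in the console) requires IPsec for some traffic, and every peer must support the same proposal or negotiation fails; that is why a dry run against policy is the right first step, as the Caution above implies.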

That covers the main firewall properties. You can configure plenty more outside the Properties dialog box, but most of it goes far beyond anything the average home user needs to be concerned with. Advanced users needing more information can find plenty in the firewall console's Help section.

Inbound and outbound rules

In the left column of the main Windows Firewall with Advanced Security window, you see Inbound Rules and Outbound Rules links. These provide very precise control over Windows Firewall rules for incoming and outgoing connections. Each rule carries a profile, a program or service, protocol and ports, remote addresses, and an Allow or Block action. The list is long, covering the predefined Windows rules as well as the exceptions you've added; scroll up or down to see more.

The settings in this window should be a simple matter for most professional administrators. Options (and the Help link) in the Actions column on the right provide additional information to assist you. You can also change any rule in the center column by right-clicking it and choosing Properties; the Programs and Services, Protocols and Ports, and Scope tabs there hold the details the Allowed Apps page never shows you.
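The Inbound Rules list is where a reviewer checks what the computer actually accepts, and the same check can be scripted. The following is an added example, not the page's own code: it lists the enabled inbound Allow rules that are in effect (the ActiveStore, which merges local rules with any Group Policy rules), joins each to its program, port and address filters, and flags the broad ones a reviewer would question: any program, any port, or active on the Public profile. Ordinary PowerShell is enough to read the rules; the Review column and its labels are this example's own.

```powershell
# Added example (not from the original page).
function Get-InboundAllowExposure {
    Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule = $_
            $app  = $rule | Get-NetFirewallApplicationFilter
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            $profiles = [string]$rule.Profile            # 'Any' means all three profiles
            $flags = @()
            if ($app.Program -eq 'Any')    { $flags += 'any-program' }   # not tied to one executable
            if ($port.LocalPort -eq 'Any') { $flags += 'any-port' }      # every port the program listens on
            if ($profiles -eq 'Any' -or $profiles -match 'Public') { $flags += 'public' }
            [pscustomobject]@{
                Name      = $rule.DisplayName
                Profile   = $profiles
                Program   = $app.Program
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                RemoteIP  = ($addr.RemoteAddress -join ',')   # 'Any' means no source restriction
                Review    = ($flags -join ' ')
            }
        }
}

# Rules with nothing to flag are left out; the rest are sorted so the broadest come first.
Get-InboundAllowExposure | Where-Object Review | Sort-Object Review -Descending | Format-Table -AutoSize
```

A rule that shows any-program, any-port and public together, with RemoteIP of Any, is an open door whenever the computer is on an untrusted network, and is the first thing to disable or to narrow with Set-NetFirewallRule -RemoteAddress to the addresses that legitimately need it. The three filter cmdlets are called once per rule, so on a machine with several hundred rules the listing takes a little while.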