Windows Server 2003 SP1 - firewall program exceptions

One of the questions that comes up at each of our Windows Server 2003 SP1 seminars is around the new firewall, and specifically how it handles program exceptions.  One of my attendees asked when the ports for a program are enumerated.  Are they discovered when you add the program and click OK or is this handled later?

Well, the good news is that the ports used by the program are not enumerated and opened at the time you add the program.  They are opened only while the program is actually running.

In our seminar, we use the Windows Server 2003 DNS service as our guinea pig.  So we add c:\windows\system32\dns.exe to the program exceptions list.  This isn’t the greatest demo in the world, but you get the idea.  In the case of DNS and the Virtual PC 2004 VM used in the seminar, the ports are opened because the service is running and responding to queries.

If you look at the screenshot below and the programs in my Windows XP firewall list, you’ll see some other interesting entries.

[Screenshot: Wf_screen1, the Windows XP firewall Exceptions list]

You first notice some greyed entries.  Those entries are controlled by group policy and are pushed to my machine.  As you can see, Microsoft has a number of IPsec policies in place on our network, so they’ve opened the appropriate ports for that.  You’ll also see an entry for the new and improved MSN Messenger v7.0.  Would you rather just point to the .exe for Messenger or try to figure out all of the ports it uses for chat, pics, voice, video, etc.?  I’d rather just point to the .exe as demonstrated in the screenshot below.

[Screenshot: Wf_screen2, adding a program exception by pointing to the .exe]

After you’ve added the program to the list, the Windows Firewall will dynamically open ports needed by the program while the program is running.  When the program closes, all of the ports are closed as well.  This is a very flexible approach for programs you trust.  Never add a program to the exceptions list that you aren’t familiar with.
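As an added example that is not part of the original post, the same program exception can be managed from the command line with the netsh firewall context that shipped with Windows Server 2003 SP1 and XP SP2.  The DNS service and its executable path are taken from the post above; everything else in the script is assumed.

```batch
@echo off
REM Added example (not from the original post): manage a program exception
REM with the "netsh firewall" context of Windows Server 2003 SP1 / XP SP2.
REM Assumes the DNS service used in the post and the path to dns.exe.

set PROG=%SystemRoot%\system32\dns.exe

REM 1. Add the program exception.  scope= controls which source addresses
REM    may reach the ports the program opens; SUBNET limits it to the local
REM    subnet instead of ALL, which is the safer default for a server role
REM    that only needs to answer local clients.
netsh firewall add allowedprogram program="%PROG%" name="DNS Server" mode=ENABLE scope=SUBNET profile=ALL

REM 2. Confirm the exception is present and see its scope and profile.
netsh firewall show allowedprogram verbose=ENABLE

REM 3. Ports are opened only while the program runs.  Stop the service and
REM    inspect the firewall state, then start it and inspect again: the
REM    listening ports for dns.exe appear only in the second listing.
net stop dns
netsh firewall show state verbose=ENABLE
net start dns
netsh firewall show state verbose=ENABLE

REM 4. Remove the exception once the program is no longer needed or trusted.
REM netsh firewall delete allowedprogram program="%PROG%" profile=ALL
```

The "show state" output is the quickest way to verify that an exception is not leaving ports open after the program exits.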

For more information, go to “Configuring Program Exceptions” in our beloved TechNet area.  Everything you ever wanted to know about Windows Server 2003 SP1 is at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/default.mspx.  Enjoy!