Networking: Windows Firewall Enabled by Default on Windows Server 2008
Feature Impact
Moderate
Brief Description
Windows Firewall is on by default. This means that application installers need to be aware of the ports that the application uses, so that those firewall ports are explicitly opened, or they must turn off Windows Firewall (recommended only if another firewall is installed).
On Windows Server® 2008, server roles and optional components are aware of the firewall and will plumb firewall rules automatically upon installation. Conversely, the same components and roles will remove their firewall rules when they are uninstalled.
Manifestation
Legacy application installers might break because dependent TCP/IP ports will not be open by default.
Legacy applications might break after installation because dependent TCP/IP ports will not be open by default. On Windows Vista®, client applications will prompt the user for a decision to allow or to keep blocking the application. On Windows Server 2008, there is no such prompt. Instead, a security audit event is logged to signal that an application was blocked.
Remedies
For legacy application installers, the ports need to be explicitly opened by an administrator, or Windows Firewall must be turned off.
Administrators can leverage:
- The netsh advfirewall context to work with firewall rules from scripts.
- Security Configuration Wizard templates to configure their servers.
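The following PowerShell script is an added example, not part of the original article, of how an administrator can drive the netsh advfirewall context from an installer or deployment script: it opens one inbound port for one executable, checks that the rule exists, and removes the rule again on uninstall, mirroring what the built-in server roles do. The program path, rule name and TCP port are hypothetical values chosen for the example.

```powershell
# Added example (not from the original article): manage a legacy application's
# inbound firewall rule with "netsh advfirewall" from a script.
# Assumptions (hypothetical): the service binary is
# C:\Program Files\LegacyApp\LegacySvc.exe and it listens on TCP 8080.
$RuleName = "LegacyApp Service (TCP-In)"
$Program  = "C:\Program Files\LegacyApp\LegacySvc.exe"
$Port     = 8080

function Add-LegacyAppRule {
    # Scope the rule to one program, protocol, port and profile instead of
    # opening the port for every process on every network.
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
        protocol=TCP localport=$Port program="$Program" profile=domain enable=yes | Out-Null
    return $LASTEXITCODE
}

function Test-LegacyAppRule {
    # netsh prints "No rules match the specified criteria." when the rule is absent.
    $out = netsh advfirewall firewall show rule name="$RuleName"
    return -not ($out | Select-String -Quiet 'No rules match')
}

function Remove-LegacyAppRule {
    # Mirror the built-in roles: delete the rule when the application is uninstalled.
    netsh advfirewall firewall delete rule name="$RuleName" | Out-Null
    return $LASTEXITCODE
}

# Usage (elevated prompt): .\LegacyAppFirewall.ps1 install | uninstall | status
switch ($args[0]) {
    'install'   { if ((Add-LegacyAppRule) -ne 0) { throw "Failed to add firewall rule '$RuleName'" } }
    'uninstall' { if ((Remove-LegacyAppRule) -ne 0) { throw "Failed to delete firewall rule '$RuleName'" } }
    default     { "Rule '$RuleName' present: $(Test-LegacyAppRule)" }
}
```

The script must run elevated, since adding and deleting rules requires administrator rights. Restricting the rule with program= and profile=domain keeps the opening as narrow as the application needs; turning the firewall off, as the article notes, is only sensible when another firewall is in place.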
Developers can leverage:
- The INetFwPolicy2 Firewall APIs to integrate their installers with the Windows Firewall with Advanced Security.
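As an added example that is not part of the original article, the PowerShell below shows the same installer logic written against the INetFwPolicy2 and INetFwRule COM interfaces (registered as HNetCfg.FwPolicy2 and HNetCfg.FWRule) rather than by shelling out to netsh, which is the route a developer integrating an installer would take. It also checks which profiles currently have the firewall enabled, so the installer can report that instead of silently failing later. The program path, rule name and port are hypothetical.

```powershell
# Added example (not from the original article): integrate an installer with
# Windows Firewall with Advanced Security through INetFwPolicy2 / INetFwRule.
# Assumptions (hypothetical): LegacySvc.exe listens on TCP 8080.
$RuleName = "LegacyApp Service (TCP-In)"
$Program  = "C:\Program Files\LegacyApp\LegacySvc.exe"
$Port     = "8080"

# Constants from the Windows Firewall with Advanced Security type library.
$NET_FW_IP_PROTOCOL_TCP = 6
$NET_FW_RULE_DIR_IN     = 1
$NET_FW_ACTION_ALLOW    = 1
$NET_FW_PROFILE2_DOMAIN = 1
$NET_FW_PROFILE2_PRIVATE = 2
$NET_FW_PROFILE2_PUBLIC  = 4

function Get-FirewallPolicy { New-Object -ComObject HNetCfg.FwPolicy2 }

function Get-FirewallProfileState {
    # Returns a table of profile name -> enabled, so the installer can tell the
    # administrator where a rule is needed instead of relying on a prompt that
    # Windows Server 2008 never shows.
    $policy = Get-FirewallPolicy
    $state = @{}
    foreach ($p in @{ Domain = $NET_FW_PROFILE2_DOMAIN; Private = $NET_FW_PROFILE2_PRIVATE; Public = $NET_FW_PROFILE2_PUBLIC }.GetEnumerator()) {
        $state[$p.Key] = [bool]$policy.FirewallEnabled($p.Value)
    }
    return $state
}

function Install-LegacyAppRule {
    $policy = Get-FirewallPolicy
    $rule = New-Object -ComObject HNetCfg.FWRule
    $rule.Name            = $RuleName
    $rule.Description     = "Allows inbound connections to the LegacyApp service"
    $rule.ApplicationName = $Program                 # scoped to one executable
    $rule.Protocol        = $NET_FW_IP_PROTOCOL_TCP  # must be set before LocalPorts
    $rule.LocalPorts      = $Port
    $rule.Direction       = $NET_FW_RULE_DIR_IN
    $rule.Action          = $NET_FW_ACTION_ALLOW
    $rule.Profiles        = $NET_FW_PROFILE2_DOMAIN  # only where the service is meant to be reachable
    $rule.Enabled         = $true
    $policy.Rules.Add($rule)
}

function Uninstall-LegacyAppRule {
    # Mirror the built-in roles: remove the rule when the application is removed.
    (Get-FirewallPolicy).Rules.Remove($RuleName)
}

function Test-LegacyAppRule {
    # Rules.Item() raises an error when no rule of that name exists.
    try { $null = (Get-FirewallPolicy).Rules.Item($RuleName); return $true }
    catch { return $false }
}

# Usage (elevated prompt): .\LegacyAppSetup.ps1 install | uninstall | status
switch ($args[0]) {
    'install'   { Install-LegacyAppRule }
    'uninstall' { Uninstall-LegacyAppRule }
    default     { Get-FirewallProfileState; "Rule '$RuleName' present: $(Test-LegacyAppRule)" }
}
```

Setting Protocol before LocalPorts matters: the rule object rejects a port list while its protocol is still the default "any". The same property names map one-to-one onto the INetFwRule interface, so the sequence carries over directly to a C++ or managed installer that calls the COM API directly.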
Links to Other Resources
Unattended Installation Settings Reference