Best practices for configuring Windows Defender Firewall

Applies to

Windows operating systems including WindowsВ 10

Windows Server Operating Systems

Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems.

To open Windows Firewall, go to theВ StartВ menu, selectВ Run, typeВ WF.msc, and then selectВ OK. See also Open Windows Firewall.

Keep default settings

When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.

Figure 1: Windows Defender Firewall

Domain profile: Used for networks where there is a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC

Private profile: Designed for and best used in private networks such as a home network

Public profile: Designed with higher security in mind for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores

View detailed settings for each profile by right-clicking the top-level Windows Defender Firewall with Advanced Security node in the left pane and then selecting Properties.

Maintain the default settings in Windows Defender Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.

Figure 2: Default inbound/outbound settings

To maintain maximum security, do not change the default Block setting for inbound connections.

Understand rule precedence for inbound rules

In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic.

This can be accomplished by right-clicking either Inbound Rules or Outbound Rules, and selecting New Rule. The interface for adding a new rule looks like this:

Figure 3: Rule Creation Wizard

This article does not cover step-by-step rule configuration. See the Windows Firewall with Advanced Security Deployment Guide for general guidance on policy creation.

In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions.

Explicitly defined allow rules will take precedence over the default block setting.

Explicit block rules will take precedence over any conflicting allow rules.

More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.)

Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow.

A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation.

Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.

Create rules for new applications before first launch

Inbound allow rules

When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule.

If there are no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application’s packets the first time the app is launched or tries to communicate in the network.

If the user has admin permissions, they will be prompted. If they respond No or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic.

If the user is not a local admin, they will not be prompted. In most cases, block rules will be created.

In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked.

The firewall’s default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.

Known issues with automatic rule creation

When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience.

The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime requires user interaction.

To determine why some applications are blocked from communicating in the network, check for the following:

A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt.

A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes.

Local Policy Merge is disabled, preventing the application or network service from creating local rules.

Figure 4: Dialog box to allow access

Establish local policy merge and application rules

Firewall rules can be deployed:

1. Locally using the Firewall snap-in (WF.msc)
2. Locally using PowerShell
3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager (SCCM), or Intune (using workplace join)

Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.

The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.

Figure 5: Rule merging setting

In the firewall configuration service provider, the equivalent setting is AllowLocalPolicyMerge. This setting can be found under each respective profile node, DomainProfile, PrivateProfile, and PublicProfile.

If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity.

Admins may disable LocalPolicyMerge in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).

Firewall CSP and Policy CSP also have settings that can affect rule merging.

As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app’s website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools.

In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes.

The use of wildcard patterns, such as C:*\teams.exe is not supported in application rules. We currently only support rules created using the full path to the application(s).

Know how to use «shields up» mode for active attacks

An important firewall feature you can use to mitigate damage during an active attack is the «shields up» mode. It is an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.

Shields up can be achieved by checking Block all incoming connections, including those in the list of allowed apps setting found in either the Windows Settings app or the legacy file firewall.cpl.

Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type

Figure 7: Legacy firewall.cpl

By default, the Windows Defender Firewall will block everything unless there is an exception rule created. This setting overrides the exceptions.

For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access will not work as long as shields up is activated.

Once the emergency is over, uncheck the setting to restore regular network traffic.

Create outbound rules

What follows are a few general guidelines for configuring outbound rules.

The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default.

It is recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use.

In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments).

For tasks related to creating outbound rules, see Checklist: Creating Outbound Firewall Rules.

Document your changes

When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. AndВ neverВ create unnecessary holes in your firewall.

Configure the Windows Firewall to Allow SQL Server Access

Applies to: SQL Server (all supported versions) — Windows only Azure SQL Managed Instance

Firewall systems help prevent unauthorized access to computer resources. If a firewall is turned on but not correctly configured, attempts to connect to SQL Server might be blocked.

To access an instance of the SQL Server through a firewall, you must configure the firewall on the computer that is running SQL Server. The firewall is a component of Microsoft Windows. You can also install a firewall from another company. This article discusses how to configure the Windows firewall, but the basic principles apply to other firewall programs.

This article provides an overview of firewall configuration and summarizes information of interest to a SQL Server administrator. For more information about the firewall and for authoritative firewall information, see the firewall documentation, such as Windows Firewall security deployment guide.

Users familiar with managing the Windows Firewall, and know which firewall settings they want to configure can move directly to the more advanced articles:

Basic Firewall Information

Firewalls work by inspecting incoming packets, and comparing them against the following set of rules:

• The packet meets the standards dictated by the rules, then the firewall passes the packet to the TCP/IP protocol for more processing.
• The packet doesn’t meet the standards specified by the rules.
  • The firewall then discards the packet.- If logging is enabled, an entry is created in the firewall logging file.

The list of allowed traffic is populated in one of the following ways:

Automatically: When a computer with a firewall enabled starts communication, the firewall creates an entry in the list so that the response is allowed. The response is considered solicited traffic, and there’s nothing that needs to be configured.

Manually: An administrator configures exceptions to the firewall. It allows either access to specified programs or ports on your computer. In this case, the computer accepts unsolicited incoming traffic when acting as a server, a listener, or a peer. The configuration must be completed to connect to SQL Server.

Choosing a firewall strategy is more complex than just deciding if a given port should be open or closed. When designing a firewall strategy for your enterprise, make sure you consider all the rules and configuration options available to you. This article doesn’t review all the possible firewall options. We recommend you review the following documents:

Default Firewall Settings

The first step in planning your firewall configuration is to determine the current status of the firewall for your operating system. If the operating system was upgraded from a previous version, the earlier firewall settings may have been preserved. The Group Policy or Administrator can change the firewall settings in the domain.

Turning on the firewall will affect other programs that access this computer, such as file and print sharing, and remote desktop connections. Administrators should consider all applications that are running on the computer before adjusting the firewall settings.

Programs to Configure the Firewall

Configure the Windows Firewall settings with either Microsoft Management Console or netsh.

Microsoft Management Console (MMC)

The Windows Firewall with Advanced Security MMC snap-in lets you configure more advanced firewall settings. This snap-in presents most of the firewall options in an easy-to-use manner, and presents all firewall profiles. For more information, see Using the Windows Firewall with Advanced Security Snap-in later in this article.

netsh

The netsh.exe is an Administrator tool to configure and monitor Windows-based computers at a command prompt or using a batch file**.** By using the netsh tool, you can direct the context commands you enter to the appropriate helper, and the helper does the command. A helper is a Dynamic Link Library (.dll) file that extends the functionality. The helper provides: configuration, monitoring, and support for one or more services, utilities, or protocols for the netsh tool.

All operating systems that support SQL Server have a firewall helper. Windows Server 2008 also has an advanced firewall helper called advfirewall. Many of the configuration options described can be configured by using netsh. For example, run the following script at a command prompt to open TCP port 1433:

A similar example using the Windows Firewall for Advanced Security helper:

For more information about netsh, see the following links:

PowerShell

See the following example to open TCP port 1433 and UDP port 1434 for SQL Server default instance, and SQL Server Browser Service:

For Linux: On Linux, you also need to open the ports associated with the services you need access to. Different distributions of Linux and different firewalls have their own procedures. For two examples, see SQL Server on Red Hat, and SQL Server on SUSE.

Ports Used By SQL Server

The following tables can help you identify the ports being used by SQL Server.

Ports Used By the Database Engine

By default, the typical ports used by SQL Server and associated database engine services are: TCP 1433, 4022, 135, 1434, UDP 1434. The table below explains these ports in greater detail. A named instance uses dynamic ports.

The following table lists the ports that are frequently used by the Database Engine.

Scenario	Port	Comments
Default instance running over TCP	TCP port 1433	The most common port allowed through the firewall. It applies to routine connections to the default installation of the Database Engine, or a named instance that is the only instance running on the computer. (Named instances have special considerations. See Dynamic Ports later in this article.)
Named instances with default port	The TCP port is a dynamic port determined at the time the Database Engine starts.	See the discussion below in the section Dynamic Ports. UDP port 1434 might be required for the SQL Server Browser Service when you’re using named instances.
Named instances with fixed port	The port number configured by the administrator.	See the discussion below in the section Dynamic Ports.
Dedicated Admin Connection	TCP port 1434 for the default instance. Other ports are used for named instances. Check the error log for the port number.	By default, remote connections to the Dedicated Administrator Connection (DAC) aren’t enabled. To enable remote DAC, use the Surface Area Configuration facet. For more information, see Surface Area Configuration.
SQL Server Browser service	UDP port 1434	The SQL Server browser service listens for incoming connections to a named instance.
The service provides the client the TCP port number that corresponds to that named instance. Normally the SQL Server Browser service is started whenever named instances of the Database Engine are used. The SQL Server Browser service isn’t required if the client is configured to connect to the specific port of the named instance.
Instance with HTTP endpoint.	Can be specified when an HTTP endpoint is created. The default is TCP port 80 for CLEAR_PORT traffic and 443 for SSL_PORT traffic.	Used for an HTTP connection through a URL.
Default instance with HTTPS endpoint	TCP port 443	Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL).
Service Broker	TCP port 4022. To verify the port used, execute the following query: SELECT name, protocol_desc, port, state_desc WHERE type_desc = ‘SERVICE_BROKER’	There’s no default port for SQL ServerService Broker, Books Online examples use the conventional configuration.
Database Mirroring	Administrator chosen port. To determine the port, execute the following query: SELECT name, protocol_desc, port, state_desc FROM sys.tcp_endpoints WHERE type_desc = ‘DATABASE_MIRRORING’	There’s no default port for database mirroring however Books Online examples use TCP port 5022 or 7022. It’s important to avoid interrupting an in-use mirroring endpoint, especially in high-safety mode with automatic failover. Your firewall configuration must avoid breaking quorum. For more information, see Specify a Server Network Address (Database Mirroring).
Replication	Replication connections to SQL Server use the typical regular Database Engine ports (TCP port 1433 is the default instance) Web synchronization and FTP/UNC access for replication snapshot require more ports to be opened on the firewall. To transfer initial data and schema from one location to another, replication can use FTP (TCP port 21), or sync over HTTP (TCP port 80) or File Sharing. File sharing uses UDP port 137 and 138, and TCP port 139 if used along with NetBIOS. File Sharing uses TCP port 445.	For sync over HTTP, replication uses the IIS endpoint (configurable; port 80 default), but the IIS process connects to the backend SQL Server through the standard ports (1433 for the default instance. During Web synchronization using FTP, the FTP transfer is between IIS and the SQL Server publisher, not between subscriber and IIS.
Transact-SQL debugger	TCP port 135 The IPsec exception might also be required.	If using Visual Studio, on the Visual Studio host computer, you must also add Devenv.exe to the Exceptions list and open TCP port 135. If using Management Studio, on the Management Studio host computer, you must also add ssms.exe to the Exceptions list and open TCP port 135. For more information, see Configure firewall rules before running the TSQL Debugger.

For step-by-step instructions to configure the Windows Firewall for the Database Engine, see Configure a Windows Firewall for Database Engine Access.

Dynamic Ports

By default, named instances (including SQL Server Express) use dynamic ports. means each time Database Engine starts, it identifies an available port and uses that port number. If the named instance is the only instance of the Database Engine installed, it will probably use TCP port 1433. If other instances of the Database Engine are installed, it will probably use a different TCP port. Because the port selected might change every time that the Database Engine is started, it’s difficult to configure the firewall to enable access to the correct port number. If a firewall is used, we recommend reconfiguring the Database Engine to use the same port number every time. A fixed port or a static port is recommended. For more information, see Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager).

An alternative to configuring a named instance to listen on a fixed port is to create an exception in the firewall for a SQL Server program such as sqlservr.exe (for the Database Engine). The port number won’t appear in the Local Port column of the Inbound Rules page when you’re using the Windows Firewall with Advanced Security MMC snap-in. It can be difficult to audit which ports are open. Another consideration is that a service pack or cumulative update can change the path to the SQL Server executable file and invalidate the firewall rule.

To add a program exception to the firewall using Windows Defender Firewall with Advanced Security

From the start menu, type wf.msc. Press Enter or select the search result wf.msc to open Windows Defender Firewall with Advanced Security.

In the left pane, select Inbound rules.

In the right pane, under Actions, select New rule. . New Inbound Rule Wizard opens.

On Rule type, select Program. Select Next.

On Program, select This program path. Select Browse to locate your instance of SQL Server. The program is called sqlservr.exe. It’s normally located at:

C:\Program Files\Microsoft SQL Server\MSSQL15. \MSSQL\Binn\sqlservr.exe

Select Next.

On Action, select Allow the connection. Select Next.

On Profile, include all three profiles. Select Next.

On Name, type a name for the rule. Select Finish.

Ports Used By Analysis Services

By default, the typical ports used by SQL Server Analysis Services and associated services are: TCP 2382, 2383, 80, 443. The table below explains these ports in greater detail.

The following table lists the ports that are frequently used by Analysis Services.

Feature	Port	Comments
Analysis Services	TCP port 2383 for the default instance	The standard port for the default instance of Analysis Services.
SQL Server Browser service	TCP port 2382 only needed for an Analysis Services named instance	Client connection requests for a named instance of Analysis Services that don’t specify a port number are directed to port 2382, the port on which SQL Server Browser listens. SQL Server Browser then redirects the request to the port that the named instance uses.
Analysis Services configured for use through IIS/HTTP (The PivotTableВ® Service uses HTTP or HTTPS)	TCP port 80	Used for an HTTP connection through a URL.
Analysis Services configured for use through IIS/HTTPS (The PivotTableВ® Service uses HTTP or HTTPS)	TCP port 443	Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses TLS.

If users access Analysis Services through IIS and the Internet, you must open the port on which IIS is listening. Next, specify port in the client connection string. In this case, no ports have to be open for direct access to Analysis Services. The default port 2389, and port 2382, should be restricted together with all other ports that aren’t required.

For step-by-step instructions to configure the Windows Firewall for Analysis Services, see Configure the Windows Firewall to Allow Analysis Services Access.

Ports Used By Reporting Services

By default, the typical ports used by SQL Server Reporting Services and associated services are: TCP 80, 443. The table below explains these ports in greater detail.

The following table lists the ports that are frequently used by Reporting Services.

Feature	Port	Comments
Reporting Services Web Services	TCP port 80	Used for an HTTP connection to Reporting Services through a URL. We recommend that you don’t use the preconfigured rule World Wide Web Services (HTTP). For more information, see the Interaction with Other Firewall Rules section below.
Reporting Services configured for use through HTTPS	TCP port 443	Used for an HTTPS connection through a URL. HTTPS is an HTTP connection that uses TLS. We recommend that you don’t use the preconfigured rule Secure World Wide Web Services (HTTPS). For more information, see the Interaction with Other Firewall Rules section below.

When Reporting Services connects to an instance of the Database Engine or Analysis Services, you must also open the appropriate ports for those services. For step-by-step instructions to configure the Windows Firewall for Reporting Services, Configure a Firewall for Report Server Access.

Ports Used By Integration Services

The following table lists the ports that are used by the Integration Services service.

Feature	Port	Comments
Microsoft remote procedure calls (MS RPC) Used by the Integration Services runtime.	TCP port 135 See Special Considerations for Port 135	The Integration Services service uses DCOM on port 135. The Service Control Manager uses port 135 to do tasks such as starting and stopping the Integration Services service and transmitting control requests to the running service. The port number cannot be changed. This port is only required to be open if you’re connecting to a remote instance of the Integration Services service from Management Studio or a custom application.

For step-by-step instructions to configure the Windows Firewall for Integration Services, see Integration Services Service (SSIS Service).

Another Ports and Services

The following table lists ports and services that SQL Server might depend on.

Scenario	Port	Comments
Windows Management Instrumentation For more information about Windows Management Instrumentation (WMI), see WMI Provider for Configuration Management Concepts	WMI runs as part of a shared service host with ports assigned through DCOM. WMI might be using TCP port 135. See Special Considerations for Port 135	SQL Server Configuration Manager uses WMI to list and manage services. We recommend that you use the preconfigured rule group Windows Management Instrumentation (WMI). For more information, see the Interaction with Other Firewall Rules section below.
Microsoft Distributed Transaction Coordinator (MS DTC)	TCP port 135 See Special Considerations for Port 135	If your application uses distributed transactions, you might have to configure the firewall to allow Microsoft Distributed Transaction Coordinator (MS DTC) traffic to flow between separate MS DTC instances, and between the MS DTC and resource managers such as SQL Server. We recommend that you use the preconfigured Distributed Transaction Coordinator rule group. When a single shared MS DTC is configured for the entire cluster in a separate resource group, you should add sqlservr.exe as an exception to the firewall.
The browse button in Management Studio uses UDP to connect to the SQL Server Browser Service. For more information, see SQL Server Browser Service (Database Engine and SSAS).	UDP port 1434	UDP is a connectionless protocol. The firewall has a setting (UnicastResponsesToMulticastBroadcastDisabled Property of the INetFwProfile Interface) which controls the behavior of the firewall and unicast responses to a broadcast (or multicast) UDP request. It has two behaviors: If the setting is TRUE, no unicast responses to a broadcast are permitted at all. Enumerating services will fail. If the setting is FALSE (default), unicast responses are permitted for 3 seconds. The length of time isn’t configurable. In a congested or high-latency network, or for heavily loaded servers, tries to enumerate instances of SQL Server might return a partial list, which might mislead users.
IPsec traffic	UDP port 500 and UDP port 4500	If the domain policy requires network communications to be done through IPsec, you must also add UDP port 4500 and UDP port 500 to the exception list. IPsec is an option using the New Inbound Rule Wizard in the Windows Firewall snap-in. For more information, see Using the Windows Firewall with Advanced Security Snap-in below.
Using Windows Authentication with Trusted Domains	Firewalls must be configured to allow authentication requests.	For more information, see How to configure a firewall for domains and trusts.
SQL Server and Windows Clustering	Clustering requires extra ports that aren’t directly related to SQL Server.	For more information, see Enable a network for cluster use.
URL namespaces reserved in the HTTP Server API (HTTP.SYS)	Probably TCP port 80, but can be configured to other ports. For general information, see Configuring HTTP and HTTPS.	For SQL Server specific information about reserving an HTTP.SYS endpoint using HttpCfg.exe, see About URL Reservations and Registration (SSRS Configuration Manager).

Special Considerations for Port 135

When you use RPC with TCP/IP or with UDP/IP as the transport, inbound ports are dynamically assigned to system services as required. TCP/IP and UDP/IP ports that are larger than port 1024 are used. The ports are referred to as «random RPC ports.» In these cases, RPC clients rely on the RPC endpoint mapper to tell them which dynamic ports were assigned to the server. For some RPC-based services, you can configure a specific port instead of letting RPC assign one dynamically. You can also restrict the range of ports that RPC dynamically assigns to a small range, independent of the service. Because port 135 is used for many services, it’s frequently attacked by malicious users. When opening port 135, consider restricting the scope of the firewall rule.

For more information about port 135, see the following references:

Interaction with Other Firewall Rules

The Windows Firewall uses rules and rule groups to establish its configuration. Each rule or rule group is associated with a particular program or service, and that program or service might modify or delete that rule without your knowledge. For example, the rule groups World Wide Web Services (HTTP) and World Wide Web Services (HTTPS) are associated with IIS. Enabling those rules will open ports 80 and 443, and SQL Server features that depend on ports 80 and 443 will function if those rules are enabled. However, administrators configuring IIS might modify or disable those rules. If you’re using port 80 or port 443 for SQL Server, you should create your own rule or rule group that maintains your preferred port configuration independently of the other IIS rules.

The Windows Firewall with Advanced Security MMC snap-in allows any traffic that matches any applicable allow rule. So if there are two rules that both apply to port 80 (with different parameters). Traffic that matches either rule will be permitted. So if one rule allows traffic over port 80 from local subnet and one rule allows traffic from any address, the net effect is that all traffic to port 80 is independent of the source. To effectively manage access to SQL Server, administrators should periodically review all firewall rules enabled on the server.

Overview of Firewall Profiles

Firewall profiles are used by the operating systems to identify and remember each of the networks by: connectivity, connections, and category.

There are three network location types in Windows Firewall with Advanced Security:

• Domain: Windows can authenticate access to the domain controller for the domain to which the computer is joined.
• Public: Other than domain networks, all networks are initially categorized as public. Networks that represent direct connections to the Internet or are in public locations, such as airports and coffee shops should be left public.
• Private: A network identified by a user or application as private. Only trusted networks should be identified as private networks. Users will likely want to identify home or small business networks as private.

The administrator can create a profile for each network location type, with each profile containing different firewall policies. Only one profile is applied at any time. Profile order is applied as follows:

1. The domain profile is applied if all interfaces are authenticated to the domain controller where the computer is a member.
2. If all interfaces are either authenticated to the domain controller or are connected to networks that are classified as private network locations, the private profile is applied.
3. Otherwise, the public profile is applied.

Use the Windows Firewall with Advanced Security MMC snap-in to view and configure all firewall profiles. The Windows Firewall item in Control Panel only configures the current profile.

Additional Firewall Settings Using the Windows Firewall Item in Control Panel

The added firewall can restrict the opening of the port to incoming connections from specific computers or local subnet. Limit the scope of the port opening to reduce how much your computer is exposed to malicious users.

Using the Windows Firewall item in Control Panel only configures the current firewall profile.

To change the scope of a firewall exception using the Windows Firewall item in Control Panel

In the Windows Firewall item in Control Panel, select a program or port on the Exceptions tab, and then select Properties or Edit.

In the Edit a Program or Edit a Port dialog box, select Change Scope.

Choose one of the following options:

Any computer (including computers on the Internet): Not recommended. Any computer that can address your computer to connect to the specified program or port. This setting might be necessary to allow information to be presented to anonymous users on the internet, but increases your exposure to malicious users. Enabling this setting an allow Network Address Translation (NAT) traversal, such as the Allow edge traversal option will increase exposure.

My network (subnet) only: A more secure setting than Any computer. Only computers on the local subnet of your network can connect to the program or port.

Custom list: Only computers that have the IP addresses listed can connect. A secure setting can be more secure than My network (subnet) only, however, client computers using DHCP can occasionally change their IP address; will disable the ability to connect. Another computer, which you had not intended to authorize, might accept the listed IP address and connect to it. The Custom list is appropriate for listing other servers that are configured to use a fixed IP address. IP addresses can be spoofed by an intruder. Restricting firewall rules are only as strong as your network infrastructure.

Using the Windows Firewall with Advanced Security Snap-in

Advanced firewall settings can be configured by using the Windows Firewall with Advanced Security MMC snap-in. The snap-in includes a rule wizard and settings that aren’t available in the Windows Firewall item in Control Panel. These settings include:

• Encryption settings
• Services restrictions
• Restricting connections for computers by name
• Restricting connections to specific users or profiles
• Edge traversal allowing traffic to bypass Network Address Translation (NAT) routers
• Configuring outbound rules
• Configuring security rules
• Requiring IPsec for incoming connections

To create a new firewall rule using the New Rule wizard

1. On the Start menu, select Run, type WF.msc, and then select OK.
2. In the Windows Firewall with Advanced Security, in the left pane, right-click Inbound Rules, and then select New Rule.
3. Complete the New Inbound Rule Wizard using the settings that you want.

Troubleshooting Firewall Settings

The following tools and techniques can be useful in troubleshooting firewall issues:

The effective port status is the union of all rules related to the port. It can be helpful to review all the rules that cite the port number, when trying to block access to a port. Review the rules with the Windows Firewall with Advanced Security MMC snap-in and sort the inbound and outbound rules by port number.

Review the ports that are active on the computer on which SQL Server is running. The review process includes verifying which TCP/IP ports are listening and also verifying the status of the ports.

To verify which ports are listening, display active TCP connections and IP statistics use the netstat command-line utility.

To list which TCP/IP ports are listening

Open the Command Prompt window.

At the command prompt, type netstat -n -a.

The -n switch instructs netstat to numerically display the address and port number of active TCP connections. The -a switch instructs netstat to display the TCP and UDP ports on which the computer is listening.

The PortQry utility can be used to report the status of TCP/IP ports as listening, not listening, or filtered. (The utility may not receive response from the port if it has a filtered status.) The PortQry utility is available for download from the Microsoft Download Center.