In Windows Firewall, what is scope, and how do I use it?
Windows 7, Vista, and XP include a built-in network firewall. Windows Firewall works by blocking unsolicited inbound connections to programs on your computer (Windows 7 and Vista can also filter outbound connections). By default, each program is simply allowed or blocked, with no further conditions. You can, however, allow a program to communicate with only certain computers; restricting a rule to a defined set of IP addresses or subnets is called setting the scope of the rule.
When Windows Firewall is on, it blocks inbound connections by default until it is told to allow them for a specific program or port. Programs that have been allowed appear in the list of exceptions in the Windows Firewall settings (in Windows 7, as inbound rules).
Windows 7
- From the Start menu, select Control Panel.
- In the upper right corner, next to "View by:", if you see Category, change it to either Large icons or Small icons to reveal the Windows Firewall icon. Otherwise, continue to the next step.
- Click Windows Firewall.
- On the left side, click Advanced Settings.
- You are now in the Windows Firewall with Advanced Security window, which is where you set the scope for a given program. On the left, click Inbound Rules.
- Double-click the rule for the program you want to define the scope for. If you see multiple entries for a given program, start with the first one.
- Click the Scope tab, and choose the remote IP address options that best suit the application. Click OK to return to the Windows Firewall with Advanced Security window.
- If there are multiple entries for the program, double-click the next one and repeat the previous step.
- When you're done with all the entries for your program under Inbound Rules, click Outbound Rules and repeat the two previous steps for each of the program's outbound rules. Most of the time the options will be the same as for your inbound rule, but that is something you must determine for your own situation. Click OK after each rule.
- Once you're finished setting the scopes on all your entries, close the Windows Firewall with Advanced Security window and all of its parent windows.
Windows Vista
- From the Start menu, select Control Panel.
- Double-click Security Center or Security, and then click Windows Firewall on the left. Again on the left, click Allow a program through Windows Firewall. If you aren't logged in with administrative rights, you will be prompted to do so. Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?
- Select the program for which you wish to allow only limited network communication, and then click Properties.
- In the Edit a Program window, choose Change scope....
- Choose the scope options that best suit the application.
- Click OK to close each of the three open windows.
Windows XP
- From the Start menu, select Control Panel, or Settings and then Control Panel.
- In Category View, click Security Center, and then click Windows Firewall.
- On the General tab, ensure Don't allow exceptions is unchecked.
- Select the Exceptions tab.
- Select the program for which you wish to allow only limited network communication, and then click Edit....
- In the Edit a Program window, choose Change scope....
- Choose the scope options that best suit the application.
- Click OK to close each of the four open windows.
More information
To customize your firewall effectively, select the most limited scope that does not hinder the functionality of the application. In other words, allow only the addresses the application legitimately needs to talk to, and block everything else: the smaller the allowed list, the smaller the set of computers that can reach the program at all.
For example, if you wanted to secure the Remote Desktop application, and you connect to your computer only from one other computer whose IP address you know, you would set the scope option to Custom list and enter the IP address of that single computer. After you complete this, Windows will drop Remote Desktop connection attempts from any IP address other than the one you specified. Keep in mind that scope filters on the source IP address only; it is not authentication, and if the allowed computer gets its address from DHCP, connects through a VPN, or sits behind a NAT device, the address Windows sees may change or differ from the one shown on that computer.
Rather than a specific IP address, you can specify a subnet, a list of
IP addresses or subnets, or both. For example, if you wanted to allow
communication with all computers on the Indiana University campus, you
could choose Custom list and enter:
Although that range is not perfect, it should allow interaction with almost every IU computer while blocking access from any non-IU computer.
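The Windows 7 procedure above and the Remote Desktop example can also be done from an elevated prompt, which is useful when you need to apply the same scope to many computers or want a record of exactly what changed. The following PowerShell script is an added example, not part of the original article; it uses netsh advfirewall (shipped with Windows 7, and also the tool used by the Windows Firewall with Advanced Security console underneath) rather than the Windows 8 and later NetSecurity cmdlets. The rule name is the default name of the Windows 7 Remote Desktop inbound rule, the addresses are placeholder documentation addresses (RFC 5737), and the parsing of the verify step assumes English netsh output; adjust all three for your environment.

```powershell
# Added example (not from the original article): set the scope of the
# Windows 7 "Remote Desktop (TCP-In)" rule to a custom address list,
# the command-line equivalent of the Scope tab in Windows Firewall with
# Advanced Security. Run from an elevated PowerShell prompt on Windows 7.

# Assumptions: default Windows 7 rule name; placeholder addresses from
# RFC 5737. Replace with the host or subnets you actually connect from.
$RuleName   = 'Remote Desktop (TCP-In)'
$AllowedIPs = '192.0.2.10,198.51.100.0/24'   # one host plus one subnet;
                                             # 'localsubnet' is also accepted

# Show the rule before the change so the current scope is on record.
netsh advfirewall firewall show rule name="$RuleName" verbose

# Narrow the scope. "new" introduces the fields to change; remoteip
# replaces the rule's whole remote-address list, it does not append.
netsh advfirewall firewall set rule name="$RuleName" new "remoteip=$AllowedIPs"
if ($LASTEXITCODE -ne 0) { throw "netsh failed to update rule '$RuleName'" }

# Verify: read the RemoteIP line back from the rule (English netsh output
# assumed) instead of trusting the exit code alone.
$line = netsh advfirewall firewall show rule name="$RuleName" verbose |
        Select-String -Pattern '^\s*RemoteIP:\s*(.+)$' |
        Select-Object -First 1
if (-not $line) { throw "Rule '$RuleName' was not found" }

$remote = $line.Matches[0].Groups[1].Value.Trim()
if ($remote -notmatch '192\.0\.2\.10') {
    throw "Scope was not applied; RemoteIP is '$remote'"
}
"Remote Desktop now accepts connections only from: $remote"

# To restore the default scope (any address) later:
#   netsh advfirewall firewall set rule name="$RuleName" new remoteip=any
#
# Windows XP equivalent (legacy netsh firewall context, assumed syntax;
# XP has no per-rule store, so the exception is keyed by port):
#   netsh firewall set portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=192.0.2.10
```

Because remoteip replaces the entire list, put every address you need into $AllowedIPs in one go; running the command twice with different values leaves only the second list in place. Check the verbose output before you disconnect from a remote session, since a typo in the list will lock you out of Remote Desktop on that machine.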
For more tips on securing your computer, see the appropriate Microsoft article:
- Windows Firewall - Windows 7 features
- Allow a program to communicate through Windows Firewall (Windows 7)
- Windows Firewall with Advanced Security Troubleshooting Guide (Word document; detailed information for advanced users)
- Managing the Windows Vista Firewall
- How to Configure Windows Firewall on a Single Computer (XP)
Note: Prior to Windows XP Service Pack 2, the Windows Firewall (formerly called Internet Connection Firewall) had much less functionality. UITS recommends that you keep your computer updated with the latest service packs; see What are patches, hotfixes, and service packs?
Last modified on September 09, 2011.