Indiana University
University Information Technology Services
In Windows Firewall, what is scope, and how do I use it?

Windows 7, Vista, and XP have a built-in network firewall feature. Windows Firewall controls whether applications on your computer may communicate with other computers. By default, the firewall simply blocks or allows all traffic to each program, with no finer control. However, you can restrict a program to communicating with only certain computers; defining that set of allowed computers by their IP addresses is called setting the scope of the firewall.

When Windows Firewall is on, it blocks communication by default until told to unblock it for a specific program. Such unblocked programs go into a list of exceptions in the Windows Firewall settings.

Windows 7

  1. From the Start menu, select Control Panel.

  2. In the upper right corner, next to "View by:", if you see Category, change it to either Large icons or Small icons in order to reveal the Windows Firewall icon. Otherwise, continue to the next step.

  3. Click Windows Firewall.

  4. On the left side, click Advanced Settings.

  5. You are now in the Windows Firewall with Advanced Security window. Here is where you set the scope for a given program. On the left, click Inbound Rules.

  6. Double-click the program you want to define the scope for. If you see multiple entries for a given program, double-click the first one.

  7. Click the Scope tab, and choose the incoming scope options that best suit the application. Click OK to return to the Windows Firewall with Advanced Security window.

  8. If there are multiple entries for a program, double-click the next one, and repeat step 7.

  9. When you're done with all the entries for your program under Inbound Rules, click Outbound Rules and repeat steps 6-7 for each entry, clicking OK after each one. Most of the time the options will be the same as for your inbound rule, but that is something you must determine for your own situation.

  10. Once you're finished setting the scopes on all your entries, close the Windows Firewall with Advanced Security window and all of its parent windows.

Windows Vista

  1. From the Start menu, select Control Panel.

  2. Double-click Security Center or Security, and then click Windows Firewall on the left. Again on the left, click Allow a program through Windows Firewall. If you aren't logged in with administrative rights, you will be prompted to do so.

    Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?

  3. Select the program for which you wish to allow only limited network communication, and then click Properties.

  4. In the Edit a Program window, choose Change scope...

  5. Choose the scope options that best suit the application.

  6. Click OK to close each of the three open windows.

Windows XP

  1. From the Start menu, select Control Panel, or Settings and then Control Panel.

  2. In Category View, click Security Center, and then click Windows Firewall.

  3. On the General tab, ensure Don't allow exceptions is unchecked.

  4. Select the Exceptions tab.

  5. Select the program for which you wish to allow only limited network communication, and then click Edit...

  6. In the Edit a Program window, choose Change scope...

  7. Choose the scope options that best suit the application.

  8. Click OK to close each of the four open windows.

More information

To customize your firewall effectively, select the most limited scope options possible without hindering the functionality of the application. In other words, you want to block communication with computers that the application never legitimately needs to interact with, and you want to block as many such computers as possible.

For example, if you wanted to secure the Remote Desktop application, and you connect to your computer only from one other computer for which you know the IP address, you would set the scope option to Custom list, and then enter the IP address of the single computer from which you want to be able to access this computer. After you complete this, Windows will ignore Remote Desktop requests from any IP address other than the one you specified.

Rather than a specific IP address, you can specify a subnet, a list of IP addresses or subnets, or both. For example, if you wanted to allow communication with all computers on the Indiana University campus, you could choose Custom list and enter:

156.56.0.0/255.255.0.0,149.159.0.0/255.255.0.0,129.79.0.0/255.255.0.0

Although that range is not perfect, it should allow interaction with almost every IU computer while blocking access from any non-IU computer.
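The same scope can be applied from the command line instead of clicking through the Windows Firewall with Advanced Security steps above. The following is an added example, not part of the Knowledge Base article, that uses netsh (available on Windows Vista and 7) to limit the built-in Remote Desktop inbound rule to the three IU ranges just listed; it assumes the default rule name "Remote Desktop (TCP-In)" and an elevated (Administrator) PowerShell prompt.

```powershell
# Added example (not from the IU Knowledge Base page): netsh equivalent of
# steps 5-9 of the Windows 7 procedure, scoping the Remote Desktop rule to
# the IU address ranges from "More information". Run from an elevated
# PowerShell prompt on Windows Vista or 7 (Windows XP uses a different
# "netsh firewall" context and is not covered here).

# Assumption: the built-in rule keeps its default Windows 7 name. If the
# "show rule" output below reports no match, list all rule names with
#   netsh advfirewall firewall show rule name=all
# and substitute the correct one.
$RuleName = "Remote Desktop (TCP-In)"

# Custom-list scope from the article. netsh accepts CIDR prefix lengths;
# /16 is the same as the 255.255.0.0 netmasks shown on the page.
$Scope = "156.56.0.0/16,149.159.0.0/16,129.79.0.0/16"

# Show the rule before changing it. The RemoteIP line is normally "Any",
# meaning no scope restriction is in place.
netsh advfirewall firewall show rule name="$RuleName" verbose

# Apply the scope to every entry matching the name, inbound and outbound
# (step 9). For a direction with no matching rule netsh prints
# "No rules match the specified criteria." and changes nothing.
foreach ($Dir in "in", "out") {
    netsh advfirewall firewall set rule name="$RuleName" dir=$Dir new remoteip=$Scope
}

# Verify: RemoteIP should now list the three ranges instead of "Any".
netsh advfirewall firewall show rule name="$RuleName" verbose
```

After this change, connection attempts to Remote Desktop from addresses outside the three ranges are dropped by the firewall, which is the same result as choosing Custom list in the Scope tab and typing the ranges in by hand.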

For more tips on securing your computer, see the appropriate Microsoft article:

This is document auou in domain all.
Last modified on September 09, 2011.
