Indiana University
University Information Technology Services
In Windows Firewall, what is scope, and how do I use it?

Windows Vista and XP include a built-in network firewall. Windows Firewall works by blocking applications on your computer from communicating with other computers. By default, the firewall either blocks or allows all traffic to each program, with no finer settings. However, you can allow a program to communicate with only some computers; defining the range of computers it is allowed to talk to is called setting the scope of the firewall.

When Windows Firewall is on, it blocks communication by default until told to unblock it for a specific program. Such unblocked programs go into a list of exceptions in the Windows Firewall settings.

Windows Vista

  1. From the Start menu, select Control Panel.

  2. Double-click Security Center or Security, and then click Windows Firewall on the left. Again on the left, click Allow a program through Windows Firewall. If you aren't logged in with administrative rights, you will be prompted to do so.

    Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?

  3. Select the program for which you wish to allow only limited network communication, and then click Properties.

  4. In the Edit a Program window, choose Change scope....

  5. Choose the scope options which best suit the application.

  6. Click OK to close each of the three open windows.

Windows XP

  1. From the Start menu, select Control Panel, or Settings and then Control Panel.

  2. In Category View, click Security Center, and then click Windows Firewall.

  3. On the General tab, ensure Don't allow exceptions is unchecked.

  4. Select the Exceptions tab.

  5. Select the program for which you wish to allow only limited network communication, and then click Edit....

  6. In the Edit a Program window, choose Change scope....

  7. Choose the scope options which best suit the application.

  8. Click OK to close each of the four open windows.

More information

To customize your firewall effectively, select the most restrictive scope that does not hinder the functionality of the application. In other words, block communication with every computer the application never legitimately needs to interact with, and leave open only the computers it does need.

For example, if you wanted to secure the Remote Desktop application, and you connect to your computer only from one other computer for which you know the IP address, you would set the scope option to Custom list, and then enter the IP address of the single computer from which you want to be able to access this computer. After you complete this, Windows will ignore Remote Desktop requests from any IP address other than the one you specified.

Rather than a specific IP address, you can specify a subnet, a list of IP addresses or subnets, or both. For example, if you wanted to allow communication with all computers on the Indiana University campus, you could choose Custom list and enter:

156.56.0.0/255.255.0.0,149.159.0.0/255.255.0.0,129.79.0.0/255.255.0.0

Although that range is not perfect, it should allow interaction with almost every IU computer while blocking access from any non-IU computer.
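The following is an added example, not code from this Knowledge Base document: it emulates how the firewall evaluates a program's scope against the custom list quoted above, so you can check which remote addresses a given list admits before committing to it. The scope names ("any", "subnet", "custom") and the local subnet value are assumptions modelled on the Change Scope dialog.

```python
"""Emulate how Windows Firewall evaluates a program's scope setting (added example)."""
import ipaddress

# Constructed sample: the IU campus custom list quoted on this page.
IU_SCOPE = "156.56.0.0/255.255.0.0,149.159.0.0/255.255.0.0,129.79.0.0/255.255.0.0"

def parse_custom_list(custom_list):
    """Turn 'A.B.C.D' / 'A.B.C.D/MASK' entries into IPv4Network objects.

    A bare address becomes a single /32 host; a dotted netmask is accepted as-is.
    Malformed entries raise ValueError so a typo cannot silently widen the scope.
    """
    networks = []
    for entry in custom_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            networks.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad scope entry {entry!r}: {exc}") from exc
    return networks

def is_in_scope(remote_ip, custom_list):
    """True if remote_ip falls inside any entry of the custom list."""
    addr = ipaddress.IPv4Address(remote_ip)
    return any(addr in net for net in parse_custom_list(custom_list))

def firewall_allows(scope, remote_ip, custom_list="", local_subnet="192.168.1.0/24"):
    """Decide whether an unblocked program may talk to remote_ip under `scope`.

    scope is 'any', 'subnet', or 'custom' (assumed names for the dialog's three
    options); local_subnet is an assumed value standing in for the machine's own subnet.
    """
    if scope == "any":
        return True
    if scope == "subnet":
        return ipaddress.IPv4Address(remote_ip) in ipaddress.IPv4Network(local_subnet)
    if scope == "custom":
        return is_in_scope(remote_ip, custom_list)
    raise ValueError(f"unknown scope {scope!r}")

if __name__ == "__main__":
    for ip in ("156.56.10.20", "8.8.8.8"):
        verdict = "allowed" if firewall_allows("custom", ip, IU_SCOPE) else "blocked"
        print(ip, verdict)
```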

For more tips on securing your computer, see the appropriate Microsoft TechNet article:

This is document auou in domain all.
Last modified on October 15, 2009.
