In Windows Firewall, what is scope, and how do I use it?
Windows Vista and XP have a built-in network firewall feature. Windows Firewall works by preventing applications on your computer from communicating with other computers. By default, the firewall is set to either block or allow traffic to each program, with no additional settings. However, you can allow a program to communicate with only some computers; defining the range of allowed computers is called setting the scope of the firewall.
When Windows Firewall is on, it blocks communication by default until told to unblock it for a specific program. Such unblocked programs go into a list of exceptions in the Windows Firewall settings.
Windows Vista
- From the Start menu, select Control Panel.
- Double-click Security Center or Security, and then click Windows Firewall on the left. Again on the left, click Allow a program through Windows Firewall. If you aren't logged in with administrative rights, you will be prompted to do so. Note: At Indiana University, the University Information Security Office (UISO) recommends that you normally refrain from running your Windows computer as an administrator. For more, see What is the principle of least privilege?
- Select the program for which you wish to allow only limited network communication, and then click Properties.
- In the Edit a Program window, choose Change scope....
- Choose the scope options which best suit the application.
- Click OK to close each of the three open windows.
Windows XP
- From the Start menu, select Control Panel, or Settings and then Control Panel.
- In Category View, click Security Center, and then click Windows Firewall.
- On the General tab, ensure Don't allow exceptions is unchecked.
- Select the Exceptions tab.
- Select the program for which you wish to allow only limited network communication, and then click Edit....
- In the Edit a Program window, choose Change scope....
- Choose the scope options which best suit the application.
- Click OK to close each of the four open windows.
More information
To customize your firewall effectively, select the most limited scope options possible without hindering the functionality of the application. In other words, block communication with every computer the application never legitimately needs to interact with, and allow only the computers it does need.
For example, if you wanted to secure the Remote Desktop application,
and you connect to your computer only from one other computer for
which you know the IP address, you would set the scope
option to Custom list, and then enter the IP address of the
single computer from which you want to be able to access this
computer. After you complete this, Windows will ignore Remote Desktop
requests from any IP address other than the one you specified.
Rather than a specific IP address, you can specify a subnet, a list of
IP addresses or subnets, or both. For example, if you wanted to allow
communication with all computers on the Indiana University campus, you
could choose Custom list and enter:
Although that range is not perfect, it should allow interaction with almost every IU computer while blocking access from any non-IU computer.
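The same Remote Desktop scope restriction can be applied and checked from the command line instead of the Change scope dialog. This added example is not part of the original article; the address list ($TrustedAddresses) is an assumed placeholder that you replace with your own single IP, subnet, or comma-separated list, and it must be run from a prompt with administrative rights.

```powershell
# Added example (not from the article): restrict the Remote Desktop
# exception to a custom list of addresses using netsh, then show the
# resulting scope so it can be verified.
# Assumed placeholder: replace with your own IP, subnet or list such as
# "192.0.2.10,198.51.100.0/24".
$TrustedAddresses = "192.0.2.10"

# Vista (version 6.x) has Windows Firewall with Advanced Security
# ("netsh advfirewall"); XP SP2/SP3 (version 5.x) only has "netsh firewall".
$isVistaOrLater = [Environment]::OSVersion.Version.Major -ge 6

if ($isVistaOrLater) {
    # Narrow the built-in inbound Remote Desktop rule so that only the
    # listed remote addresses match; all other sources are dropped.
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new remoteip=$TrustedAddresses

    # Check: RemoteIP should now list the addresses above instead of "Any".
    netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
} else {
    # XP: Remote Desktop is a built-in firewall "service"; set its scope
    # to CUSTOM with the trusted address list.
    netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$TrustedAddresses

    # Check: the Remote Desktop entry should show a Custom scope with
    # the addresses above.
    netsh firewall show service
}
```

After running it, confirm a connection attempt from an address outside the list is refused while one from the listed address still succeeds.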
For more tips on securing your computer, see the appropriate Microsoft TechNet article:
- Managing the Windows Vista Firewall
- How to Configure Windows Firewall on a Single Computer (XP)
Note: Prior to Windows XP Service Pack 2, the Windows Firewall (formerly called Internet Connection Firewall) had much less functionality. UITS recommends that you keep your computer updated with the latest service packs; see What are service packs for Windows, and where can I get them?
Last modified on October 15, 2009.