As of Server 2008 R2 I'm now leaving the firewall switched on for all servers, and adding inbound rules (exceptions) where necessary during application installation. Outbound connections are all allowed by default and I'm not changing this. Note that some software creates inbound rules for itself when you install it, which is handy, though it is worth looking at what the installer added, since its rule may be wider than the one you would have written yourself.
I prefer adding exceptions to Windows Firewall by executable rather than by port. It means that if you reconfigure the software to talk on a different port, it just works, with no firewall changes necessary. It also means that if something kills your application and tries to impersonate it by listening on the same port, it is less likely to work: a program rule is matched on the image path of the process that owns the socket, so a different binary sitting on the same port gets no exception. Two caveats. The rule keys on the path, not the contents of the file, and it opens every port that executable chooses to listen on. And if the path you find turns out to be a shared host process such as svchost.exe, scope the rule to the service rather than the program, or you are allowing every service that host happens to run.
You can identify the executable that you need to add a rule for by a few different methods:
- The application vendor will tell you.
- You can identify the executable from a port it listens on: netstat -ano gives the process ID that owns the listener, and netstat -b shows the image name directly but must be run elevated.
- You can identify the executable from the service name: sc qc <service> prints the BINARY_PATH_NAME the service is started from.
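The second and third methods, scripted. This is an added example and not code from the original post; it targets the PowerShell 2.0 that ships with Server 2008 R2, where the Get-NetTCPConnection cmdlets do not exist, so it drives netstat and WMI instead. The port number and service name at the bottom are placeholders, not values from the post.

```powershell
# Added example (not from the original post): resolve a listening TCP port,
# or a service short name, to the executable path a firewall rule needs.
# Server 2008 R2 / PowerShell 2.0 compatible; run elevated so WMI can see
# the image path of processes owned by other accounts (services).

function Get-ExecutableByPort {
    param([int]$Port)
    # netstat -ano prints lines such as
    #   TCP    0.0.0.0:1433    0.0.0.0:0    LISTENING    1234
    # (IPv6 listeners look like [::]:1433; \S+ swallows the brackets.)
    # UDP sockets have no LISTENING state, so only TCP is handled here.
    $pattern = '^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING\s+(\d+)\s*$' -f $Port
    foreach ($line in (netstat -ano)) {
        if ($line -match $pattern) {
            $procId = [int]$Matches[1]
            $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $procId"
            # A shared host (svchost.exe) is too broad to allow as a program;
            # list the services living in that PID so the rule can be scoped
            # to the right one instead.
            $hosted = Get-WmiObject Win32_Service -Filter "ProcessId = $procId" |
                ForEach-Object { $_.Name }
            return New-Object PSObject -Property @{
                Port      = $Port
                ProcessId = $procId
                Name      = $proc.Name
                Path      = $proc.ExecutablePath
                Services  = $hosted
            }
        }
    }
    # nothing listening on that port: returns nothing
}

function Get-ExecutableByService {
    param([string]$ServiceName)
    # Win32_Service.PathName is the registry ImagePath, which may be quoted
    # and may carry arguments, e.g.
    #   "C:\Program Files\Vendor\svc.exe" -instance1
    # The firewall rule wants the bare executable path, without quotes.
    $svc = Get-WmiObject Win32_Service -Filter "Name = '$ServiceName'"
    if (-not $svc) { return $null }
    $path = $svc.PathName
    if ($path.StartsWith('"')) {
        # quoted: take what sits between the first pair of double quotes
        $path = $path.Substring(1, $path.IndexOf('"', 1) - 1)
    } else {
        # unquoted: the image path ends at the first ".exe"
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if ($m.Success) { $path = $m.Groups[1].Value }
    }
    New-Object PSObject -Property @{
        Service   = $svc.Name
        ProcessId = $svc.ProcessId
        Path      = $path
    }
}

# Usage with placeholder values; the Path property is what goes into the rule.
Get-ExecutableByPort -Port 1433
Get-ExecutableByService -ServiceName 'MSSQLSERVER'
```

If Get-ExecutableByPort reports svchost.exe, the Services property tells you which service to name in the rule; a program rule for svchost.exe itself would allow every service hosted there.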
- From Server Manager, expand Configuration, then Windows Firewall with Advanced Security.
- Right-click Inbound Rules and choose New Rule…
- Choose Program.
- Choose This program path and enter the file path.
Note that paths with spaces should not be enclosed in double quotes, even though you would need them on a cmd.exe command line.
- Choose Allow the connection.
- Choose which network profiles you want the rule to be active for. Personally I only choose Domain. Bear in mind that a Domain-only rule is in effect only while Network Location Awareness has classified the connection as the domain network; on a network the server cannot identify, the rule does nothing.
- Give the rule a name, ideally including the name of the application and the executable. You can give it a description too if necessary.
- The new rule will be listed at the top of the Inbound Rules list.
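The same rule created from the command line, as an added example that is not part of the original post. It uses netsh advfirewall, the firewall CLI that ships with Server 2008 R2 (the New-NetFirewallRule cmdlets only arrived with Server 2012), and adds the two checks the GUI does not do for you: that the path exists, and that a rule of that name is not already present. The path, rule name and service name are placeholders.

```powershell
# Added example (not from the original post): Program -> Allow -> Domain
# profile, the same choices as the GUI walkthrough, via netsh advfirewall.
# Run elevated. All three values below are assumed placeholders.

$app         = 'C:\Program Files\Contoso\Agent\agent.exe'  # assumed path
$ruleName    = 'Contoso Agent (agent.exe)'                  # application + executable
$serviceName = ''   # set to a service short name only when $app is a shared host such as svchost.exe

# A typo in the path gives you a rule that is created without complaint
# and silently matches nothing, so check the file is really there.
if (-not (Test-Path -LiteralPath $app -PathType Leaf)) {
    throw "Executable not found: $app"
}

# Windows Firewall happily stores several rules with the same name, and
# 'show rule' exits non-zero when nothing matches; use that to refuse
# creating a duplicate instead of quietly stacking rules.
netsh advfirewall firewall show rule name="$ruleName" | Out-Null
if ($LASTEXITCODE -eq 0) {
    throw "A rule named '$ruleName' already exists; delete or rename it first."
}

# Build the argument list as an array so PowerShell quotes the elements
# that contain spaces (the name and the path). netsh strips those quotes
# before storing the rule, which is why the GUI wants the path unquoted.
$netshArgs = @('advfirewall', 'firewall', 'add', 'rule',
               "name=$ruleName", 'dir=in', 'action=allow',
               "program=$app", 'enable=yes', 'profile=domain')
if ($serviceName) {
    # Restrict a shared-host executable to one service instead of the lot.
    $netshArgs += "service=$serviceName"
}
& netsh $netshArgs
if ($LASTEXITCODE -ne 0) {
    throw "netsh failed with exit code $LASTEXITCODE"
}

# Read back what was actually stored: confirm the program path has no stray
# quotes and the profile is Domain only.
netsh advfirewall firewall show rule name="$ruleName" verbose
```

The read-back at the end is the step worth keeping even if you create rules in the GUI: a rule whose stored path does not match the file on disk looks correct in the list and never matches a packet.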