When Windows Firewall is turned on and
running, you don’t really have to do anything special to use it. It
will be on constant vigil, automatically protecting your computer from
hackers and worms trying to sneak in through unprotected ports. Ports
for common Internet tasks such as e-mail and the web will be open and
monitored so that you can easily use those programs safely.
Internet programs that don’t use standard e-mail and web ports may require that you create an exception
to the default firewall rules for incoming traffic. Examples include
instant messaging programs and some online games. When you try to use
such a program, Windows Firewall displays a security alert like the one
in Figure 1.
The message doesn’t mean that the program is
“bad.” It just means that to use the program, the Firewall has to open
a port. If you don’t recognize the program name and publisher shown,
click Cancel. If you want to use the program, first decide for which
networks the exception will be allowed. For example, if the traffic is
coming from another computer on your local network, select the Private
Networks option. For traffic coming from the Internet, select Public
Networks (you can select either or both, as needed). Then, click Allow
Access. Allowing access for a program doesn’t leave the associated port
wide open. It just creates a new rule that allows that one program to
use the port. You’re still protected because the port is closed when
you’re not using that specific program. The port is also closed to
programs other than the one for which you unblocked the port. Should
you change your mind in the future, you can always reblock the port, as
described in the next section.
Manually configuring firewall exceptions (allowed apps and programs)
Normally, when you try to use a program
(or an app) that needs to work through the firewall, you get a message
like the example shown in Figure 1.
Occasionally, you might need, or want, to manually allow or block a
program through the firewall. If you have administrative privileges,
you can do that via the Allowed Apps page shown in Figure 2.
To open that page, click Allow An App Or Program Through Windows
Firewall in System And Security (by the Windows Firewall item in
Control Panel).
Items on the list with a checkmark beside them
represent apps and features that work through the firewall. You’ll also
see any exceptions you created in response to a security alert. For
example, Trillian isn’t a Windows 8 feature, so you might not see that
one. It shows in Figure 2 because we chose to allow access for it in response to the security alert shown back in Figure 1.
You probably aren’t familiar with most of the
apps and programs listed in the Allowed Apps And Features list, so you
should not select or deselect a box just by guessing. But you don’t
need to guess, either. If you just leave things as they are, everything
will be fine. If you later decide to use one of the listed features,
you’ll be prompted at that point to allow access for the app or program
if it’s necessary to do so.
Adding an app exception
You can unblock ports for apps and
programs that aren’t listed under Allowed Apps And Features. You would
do this only if specifically instructed to do so by an app or program
manufacturer you know and trust.
If the app or program for which you want to
create an exception isn’t listed under Allowed Apps And Features, you
can do the following:
1. Click Change Settings and then click the Allow Another App button. When you do so, you see a list of installed programs that might require Internet access, as shown in Figure 3.
2. Click the app or program that you want to add to the list. Optionally, if the program isn’t listed, but you know where it’s installed, you can use the Browse button to get to the main executable for that program (typically the .exe file).
3. Clicking the Network Location Types button lets you define the addresses from which any unsolicited traffic is expected to originate. For example, if you’re using a program that provides communications among programs within your local network only, you wouldn’t want to accept unsolicited traffic coming to that port from the Internet. You’d want to accept unsolicited traffic coming only from computers within your own network. When you click Network Location Types, you see the options shown in Figure 4. Your options are as follows:
- Private: For home or workplace
networks. If the program in question has nothing to do with the
Internet, and is for your home or business network only, choose this
option to block Internet access, but allow programs within your own
network to communicate with each other through the program.
- Public: For public networks, such
as those in an airport or coffee shop. If you want the program to be
able to connect to the Internet, choose this option.
4. Click OK to save your settings.
Tip
You can choose the scope for the program
within the Allowed Programs And Features list just by placing a
checkmark in the Home/Work (Private) or Public columns for the program.
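A scripted counterpart to the steps above, added here as an example that is not part of the original text. It uses the NetSecurity PowerShell cmdlets included with Windows 8 and later and must run from an elevated prompt; the program path and rule name are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. $AppPath and $RuleName are placeholders, not values from the article.
param(
    [string]$AppPath  = 'C:\Program Files\ExampleChat\chat.exe',
    [string]$RuleName = 'ExampleChat (inbound, private only)'
)

# Step 2: the exception is tied to one executable, so that file must exist.
if (-not (Test-Path -LiteralPath $AppPath -PathType Leaf)) {
    throw "Executable not found: $AppPath"
}

# The security alert asks whether you recognize the publisher. A valid
# Authenticode signature tells you who signed the file; whether you trust
# that publisher is still your decision.
$sig = Get-AuthenticodeSignature -FilePath $AppPath
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; no exception created for $AppPath"
}
Write-Host "Publisher: $($sig.SignerCertificate.Subject)"

# Do not stack duplicate rules if the script is run twice.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    throw "A rule named '$RuleName' already exists"
}

# Step 3: accept unsolicited traffic for this one program on Private
# networks only. The Public profile is left out, so the program stays
# blocked for inbound traffic on airport or coffee-shop networks.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow `
    -Program $AppPath -Profile Private | Out-Null

# Confirm what was created.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action, Profile
```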
IP Addresses on Home/Office Networks
When you set up a network using the Network Setup Wizard, each computer
is automatically assigned a 192.168.0.x IP address, where x
is unique to each computer. For example, if the computers are sharing a
single Internet connection, the first computer may receive the
192.168.0.1 address, and the subsequent computers will also have
addresses in that same address space.
All computers will have the same
subnet mask of 255.255.255.0. The subnet mask just tells the computer
that the first three numbers are part of the network address (the address of your network as a whole), and the last number refers to a specific host (computer) on that network. The 192.168 . . . addresses are often referred to as private addresses because they cannot be accessed directly from the Internet.
To see the IP address of a computer on your local network:
1. Go to that computer, display the desktop, press Windows+X, and choose Command Prompt.
2. At the command prompt, type ipconfig /all and press Enter. You see the computer’s IP address and subnet mask listed along with other Internet Protocol data.
Disabling, changing, and deleting exceptions
The check boxes in the Allowed Apps And
Features list indicate whether the exception is enabled or disabled.
When you clear a check box, the exception is disabled and traffic for
that program is rejected. This makes it relatively easy to enable and
disable a rule for a program on an as-needed basis because the program
name always remains in the list of exceptions.
To change the scope of an exception in your
exceptions list, click the check box in the Private or Public column,
as needed. To remove a program from the exceptions list, and stop
accepting unsolicited traffic through its port, click the program name
and then click the Remove button.
Tip
You cannot remove the default programs from the list — only those you have added.
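The same review and cleanup can be done from an elevated PowerShell prompt. This is an added example, not part of the original text, using the NetSecurity cmdlets included with Windows 8 and later; the rule name is a hypothetical placeholder. The default action only lists enabled inbound exceptions that are reachable on Public networks.

```powershell
#Requires -RunAsAdministrator
# Added example. $RuleName is a placeholder, not a value from the article.
param(
    [string]$RuleName = 'ExampleChat (inbound, private only)',
    [ValidateSet('Review', 'PrivateOnly', 'Disable', 'Remove')]
    [string]$Action = 'Review'
)

# Build the equivalent of the Allowed Apps list: every enabled inbound
# allow rule, the program it is tied to, and the profiles it applies to.
function Get-AllowedInboundApp {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $app     = $_ | Get-NetFirewallApplicationFilter
            $profile = "$($_.Profile)"      # e.g. "Private", "Private, Public", "Any"
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Program     = $app.Program
                Profile     = $profile
                OnPublic    = $profile -match 'Any|Public'
            }
        }
}

switch ($Action) {
    'Review' {
        # Exceptions that accept unsolicited traffic on public networks.
        Get-AllowedInboundApp | Where-Object OnPublic |
            Sort-Object DisplayName | Format-Table -AutoSize
    }
    'PrivateOnly' {
        # Same as leaving only the Private column checked.
        Set-NetFirewallRule -DisplayName $RuleName -Profile Private
    }
    'Disable' {
        # Same as clearing the check box: the rule stays in the list.
        Disable-NetFirewallRule -DisplayName $RuleName
    }
    'Remove' {
        # Same as the Remove button.
        Remove-NetFirewallRule -DisplayName $RuleName
    }
}
```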