In the Windows Vista and Windows XP SP2 Firewall, what is scope and how do I use it?
Windows Vista and Windows XP (Service Pack 2) have a built-in network firewall feature. Windows Firewall works by preventing applications on your computer from communicating with other computers. By default, the firewall is set to either block or allow traffic to each program, with no additional settings. However, you can allow a program to communicate with only some computers; defining the range of allowed computers is called setting the scope of the firewall.
When the Windows Firewall is on, by default it blocks communication until told to unblock it for a specific program. Such unblocked programs go into a list of exceptions in the Windows Firewall settings.
Windows Vista
- From the Start menu, select Control Panel.
- Double-click Security Center, and then click Windows Firewall on the left. Again on the left, click Allow a program through Windows Firewall. If you aren't logged in with administrative rights, you will be prompted to do so.
- Select the program for which you wish to allow only limited network communication, and click Properties.
- In the Edit a Program window, choose Change scope....
- Choose the scope options which best suit the application.
- Click OK to close each of the three open windows.
Windows XP
- From the Start menu, select Control Panel, or Settings and then Control Panel.
- Double-click Network Connections.
- Right-click the icon for your Internet connection (probably Local Area Connection).
- Select the Advanced tab.
- On the right side of the box labeled "Windows Firewall", choose Settings....
- On the General tab, ensure that Don't allow exceptions is not checked.
- Select the Exceptions tab.
- Select the program for which you wish to allow only limited network communication, and click Edit....
- In the Edit a Program window, choose Change scope....
- Choose the scope options which best suit the application.
- Click OK to close each of the four open windows.
More information
To customize your firewall effectively, select the most limited scope options possible without hindering the functionality of the application. In other words, you want to allow communication only with the computers the application legitimately needs to interact with, and block every other computer you can.
For example, if you wanted to secure the Remote Desktop application, and you connect to your computer only from one other computer for which you know the IP address, you would set the scope option to Custom list, and then enter the IP address of the single computer from which you want to be able to access this computer. After you click OK through all of the remaining windows, Windows will ignore Remote Desktop requests from any IP address other than the one you specified.
Rather than a specific IP address, you can specify a subnet, a list of IP addresses or subnets, or both. For example, if you wanted to allow communication with all computers on the Indiana University campus, you could choose Custom list and enter:
Although that range is not perfect, it should allow interaction with almost every IU computer while blocking access from any non-IU computer.
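To make the scope decision concrete, the following added example (not part of the original article) models the three scope choices described above: any computer, the local subnet only, and a custom list of addresses and subnets. The function names, the sample addresses and the two "campus" subnets are constructed placeholders, not IU's real ranges.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_custom_list(entries: Iterable[str]) -> List[Network]:
    """Parse Custom list entries: single IPs ('192.0.2.10') or subnets ('198.51.100.0/24')."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def local_subnet(local_ip: str, netmask: str) -> Network:
    """The 'My network (subnet) only' choice: the subnet the local interface sits on."""
    return ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)


def scope_allows(source_ip: str, scope: str, custom: Iterable[str] = (),
                 local_net: Optional[Network] = None) -> bool:
    """Return True if an inbound request from source_ip passes the exception's scope.

    scope is one of 'any', 'subnet' or 'custom' (hypothetical labels for the
    three radio buttons in the Change scope dialog).
    """
    addr = ipaddress.ip_address(source_ip)
    if scope == "any":
        return True                      # any computer, including the Internet
    if scope == "subnet":
        if local_net is None:
            raise ValueError("subnet scope needs the local subnet")
        return addr in local_net         # only hosts on the same local subnet
    if scope == "custom":
        # Allowed if the address falls inside any listed IP or subnet; mixed
        # IPv4/IPv6 comparisons simply evaluate to False and are not errors.
        return any(addr in net for net in parse_custom_list(custom))
    raise ValueError(f"unknown scope {scope!r}")


# Constructed sample: Remote Desktop allowed only from one administrative workstation.
RDP_CUSTOM = ["192.0.2.10"]
# Constructed sample: a "campus" list of two subnets (placeholders, not IU's ranges).
CAMPUS_CUSTOM = ["198.51.100.0/24", "203.0.113.0/24"]


def evaluate(samples: Iterable[str], scope: str, **kw) -> dict:
    """Run several source addresses through one scope setting."""
    return {ip: scope_allows(ip, scope, **kw) for ip in samples}


if __name__ == "__main__":
    print(evaluate(["192.0.2.10", "192.0.2.11"], "custom", custom=RDP_CUSTOM))
    print(evaluate(["198.51.100.77", "8.8.8.8"], "custom", custom=CAMPUS_CUSTOM))
```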
For more tips on securing your Windows XP computer, including images of the dialog windows discussed in this document, visit the Microsoft knowledge base article "How to Configure Windows XP SP2 Network Protection Technologies on a Single Computer" at:
http://www.microsoft.com/technet/security/smallbusiness/prodtech/windowsxp/protsing.mspx
Also see:
- In Windows XP, how do I configure the firewall to allow pings?
- In Windows XP, how do I configure the firewall to allow UISO vulnerability scanning?
- At IU, after installing Windows XP SP2, how do I configure the Windows Firewall to allow Symantec AntiVirus to be controlled through the Symantec System Center?
Last modified on April 09, 2008.