This article describes the relationship between Windows Firewall and Windows Security Center in Windows Vista.
Windows Security Center displays the status of the Windows Firewall. The status is green when Windows Firewall is enabled and when Windows Firewall is using the recommended settings. The status is red when Windows Firewall is disabled or when Windows Firewall is not using the recommended settings.
The following settings are the recommended Windows Firewall settings:
- Windows Firewall service is enabled.
- Windows Firewall state is on for all profiles.
- Windows Firewall is enabled on all interfaces.
- By default, the incoming action for the firewall is set to Block for all profiles. Or, the incoming action for the firewall is set to Allow on any profile, and at least one block rule is present.
The recommended settings that are discussed here are the minimum settings that we recommend to help maintain a balance between functionality and increased security.
To be recognized as recommended settings, these settings must exist in local policy and in any policy that is implemented through Group Policy. For example, Windows Security Center indicates a red status if the local policy states that the firewall is off for the domain profile. This occurs even if Group Policy states that the firewall is on for the domain profile. This is true even though Group Policy has precedence over local policy so that the effective Windows Firewall state is enabled for the domain profile.
When Windows Firewall does not use the recommended settings, a banner appears on the Windows Firewall Control Panel icon to indicate that the recommended settings are not used. Local administrators have the option to update the settings to change all the settings back to the recommended settings if it is possible. If the policy comes from Group Policy and contains settings that are not the recommended firewall settings, a message indicates that the settings could not be updated. The Windows Firewall Control Panel icon also displays a yellow information banner to indicate that the policy comes from Group Policy.
If you use a Windows Firewall policy that we do not recommend when you configure Group Policy, you may also consider disabling Windows Security Center. For example, you may set incoming connections to be allowed by default. In this case, disabling Windows Security Center prevents it from displaying warning notifications and reporting the firewall status as red. This can result in fewer help desk calls.
You can use Group Policy to centrally manage the Windows Security Center feature for computers in a Windows domain. To access the Turn on Security Center (Domain PCs only)
policy setting, locate the Computer Configuration\Administrative Templates\Windows Components\Security Center
node in the Group Policy Object Editor (Gpedit.msc).
If you use a third-party firewall that is registered with Windows Security Center, the Windows Security Center firewall indicator will be green unless the third-party firewall reports that it is disabled. For example, if you turn off Windows Firewall because a different firewall is enabled, and that third-party firewall reports to Windows Security Center that it is on, the Windows Security Center firewall indicator will be green.
For more information about settings that we recommend for Windows Security Center and for Windows Firewall in Windows Vista, visit the following Microsoft Web sites: