Port Exception not showing in GUI for Windows Firewall if GPO allows same port

NOTE: I have only verified this topic with Windows Server 2003.  I expect the same or similar behavior from Windows XP.  It is possible that Windows Vista, 7, Server 2008 and everything after are affected if you use only the simple GUI.  I doubt this will be an issue with the “advanced config” tool.

Consider a scenario with a GPO that allows traffic on, let's say, UDP port 8081.  Your computer has the GPO applied and has been restarted.  Inside the GUI you would see the GPO-defined port exception listed.  If your GPO settings allow you to add additional local exceptions, you could add a local exception for UDP 8081 as well, perhaps deviating from the GPO only in scope.  The port exception shows up in the GUI in bold and all seems well.  But then you restart your computer and the newly added local exception disappears from the GUI.  When you try to re-add the exception you receive the error:

“The Port ‘EXCEPTION NAME (43)’ cannot be added.  An entry for the same port ‘EXCEPTION NAME (PROTOCOL PORT)’ already exists.”

[Screenshot: Windows Firewall GUI, GPO ports only showing]

No it doesn’t… it’s not in the GUI!  As it turns out the rule does still exist.  As you add host-based port exceptions that operate on the same port as the GPO, you will need to look elsewhere for your disappearing rules.

You can try in the registry:

check the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

Or you can try the command-line interface for the firewall:

  1. open a command prompt and run command “netsh”
  2. type “firewall” to switch to the firewall interface
  3. type “show portopening”
  4. if your port exceptions are already defined, you will see them here.

[Screenshot: Windows Firewall CLI, local ports showing]

If you like you can delete them here using the command:

type “delete portopening PROTOCOL PORT” (the command takes the protocol and port number, not the exception name), for example “delete portopening TCP 9898”, and then recreate your port opening in the GUI.

Even if you do recreate your rule in the GUI, it will disappear from there the next time you restart.  Become familiar with the CLI if you plan on using Windows Firewall with GPOs and local port exceptions.
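As an added example, not code from the original post or from Microsoft, the PowerShell script below reads both places the post points to (the GloballyOpenPorts registry lists for the Domain and Standard profiles, and the output of `netsh firewall show portopening`) and reports every port exception the two sources disagree on, so a rule that is no longer visible in the GUI still shows up in an audit. It assumes PowerShell 2.0 or later on the host, an elevated session, and the XP/Server 2003 registry value layout `port:protocol:scope:Enabled|Disabled:name` (for example `8081:UDP` = `8081:UDP:*:Enabled:My Exception`).

```powershell
# Added example (not code from the original post): audit the port exceptions of
# the XP / Server 2003-era Windows Firewall from the GloballyOpenPorts registry
# list and from "netsh firewall show portopening", then report disagreements.
# Assumptions: PowerShell 2.0 or later, an elevated session, and the registry
# value layout "<port>:<proto>:<scope>:<Enabled|Disabled>:<name>".

$policyRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
$profiles   = @('Domain', 'Standard')

function New-PortException($profile, $port, $protocol, $enabled, $name) {
    New-Object PSObject -Property @{
        Profile  = $profile
        Port     = [int]$port
        Protocol = $protocol.ToUpper()
        Enabled  = [bool]$enabled
        Name     = $name
    }
}

function Get-RegistryPortExceptions {
    $found = @()
    foreach ($profile in $profiles) {
        $path = Join-Path $policyRoot "${profile}Profile\GloballyOpenPorts\List"
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($valueName in $key.GetValueNames()) {
            # Value data looks like "8081:UDP:*:Enabled:My Exception"
            $fields = ([string]$key.GetValue($valueName)) -split ':', 5
            if ($fields.Count -lt 4) { continue }   # not a port-exception value
            $name = ''
            if ($fields.Count -ge 5) { $name = $fields[4] }
            $found += New-PortException $profile $fields[0] $fields[1] ($fields[3] -eq 'Enabled') $name
        }
    }
    return ,$found
}

function Get-NetshPortExceptions {
    $found   = @()
    $profile = 'Unknown'
    foreach ($line in (& netsh firewall show portopening)) {
        # Section headers read "Port configuration for Domain profile:"
        if ($line -match 'for (\w+) profile') { $profile = $Matches[1]; continue }
        # Data rows read "8081   UDP       Enable   My Exception"
        if ($line -match '^\s*(\d+)\s+(TCP|UDP)\s+(\S+)\s+(.*)$') {
            $found += New-PortException $profile $Matches[1] $Matches[2] ($Matches[3] -eq 'Enable') $Matches[4].Trim()
        }
    }
    return ,$found
}

function Compare-PortExceptions {
    # Key every rule by profile/protocol/port and remember which source listed it
    $byKey = @{}
    foreach ($e in (Get-RegistryPortExceptions)) {
        $byKey["$($e.Profile)/$($e.Protocol)/$($e.Port)"] = @{ Registry = $e }
    }
    foreach ($e in (Get-NetshPortExceptions)) {
        $k = "$($e.Profile)/$($e.Protocol)/$($e.Port)"
        if (-not $byKey.ContainsKey($k)) { $byKey[$k] = @{} }
        $byKey[$k]['CLI'] = $e
    }
    foreach ($k in ($byKey.Keys | Sort-Object)) {
        $entry = $byKey[$k]
        $where = 'Registry+CLI'
        if (-not $entry.ContainsKey('Registry')) { $where = 'CLI only (not in the registry list)' }
        elseif (-not $entry.ContainsKey('CLI'))  { $where = 'Registry only' }
        $sample = if ($entry.ContainsKey('Registry')) { $entry['Registry'] } else { $entry['CLI'] }
        New-Object PSObject -Property @{ Rule = $k; Name = $sample.Name; Enabled = $sample.Enabled; Where = $where }
    }
}

Compare-PortExceptions | Format-Table Rule, Name, Enabled, Where -AutoSize
```

Run it as an administrator before and after adding a local exception on a GPO-managed port; a row marked `CLI only` is the situation the comments below describe, where netsh lists the rule but the registry list never received it, and a row marked `Registry only` is a rule netsh does not report at all. Neither of these will be visible in the simple GUI, which is why the comparison, not either source alone, is what to keep in a scheduled audit.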

This flaw gives me pause about its security ramifications. Anyone aware of it could quite easily hide a firewall rule from the average user under the circumstances above. It's a good thing that most people in a domain using GPOs do not use Windows Firewall as the sole mechanism blocking malicious traffic. This also shows that Linux admins are right when they talk about needing to know the CLI for your OS.

Thanks to DJ JohnnyK for helping on this!

2 comments

  1. rprice76 says:

    An interesting point on this — I’ve learned when working on ANY computer – whether it be Windows or Linux, or Unix – to NEVER trust the GUI! The systems were designed at the command line level anyway – and the GUI is usually developed by a separate set of people with a separate set of principles and understandings of computers.

    It’s the difference between a PERL programmer and a FLASH programmer.

    ALWAYS double check via CLI.

    ALWAYS
    ALWAYS
    ALWAYS

  2. brian says:

    It turns out I was wrong anyway. Even though the rule is showing in the CLI, it wasn’t added to the registry key! If it is in the REG Key, then the port is allowed.

    Let’s hear it for making administration more complicated!
