For a distributed production client-server WCF application (self-hosted as a Windows Service with NetTcpBinding), I am adding logic to add an exception to Windows Firewall during the installation via the netsh command.

I have noticed that the remote communication seems to work fine whether the firewall exception is for the program (the executable) or the port. In our case, the port will very rarely be something other than the default, and if it is, then the user can manually alter the config files and firewall accordingly.

My question is, whether it is better to add the exception for program OR port OR both. Are there any security considerations making one approach more desirable than the other? Virtually all of the examples for WCF show port exceptions.

Any insight would be appreciated, thanks.

+1  A: 

Here is my summary of how I think they function:

Application exception --> grants the specified application to open any ports

Port exception --> grants any application to open the specified port

As such, which one is better suited depends on the situation. Generally, the application exception would be preferred. At the time an application attempts to open a port, the Windows Firewall (if enabled) essentially would do a check to determine if that application or the port itself has been granted an exception.

MSDN states: "[Application exception] is more secure than opening a port, because the firewall is only open while the program is waiting to receive the connection."

More detailed MSDN summary and technical articles: http://technet.microsoft.com/en-us/network/bb545423.aspx

Ultimately, the system admin for the deployed software should be aware of and/or be the one who makes the changes to the firewall. What we plan on doing is having a step in the installer where the customer can opt-out of the firewall exception but explaining that remote clients will not be able to communicate without it. And of course the manual documentation will also outline the required ports for scenarios if other software or hardware firewalls are in place and need to be manually configured.

AaronM
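As an added illustration of the three options discussed in the question and answer above (program, port, or both), and not code from either poster, here are the corresponding `netsh advfirewall` rules as they might be issued from an installer on Windows Vista / Server 2008 or later. The executable path and rule names are placeholders; 808 is the default net.tcp port, and the `profile=` and `remoteip=` values are assumptions about a typical LAN deployment that the admin should adjust.

```powershell
# Added example: the three exception styles expressed with netsh advfirewall.
# $exe and the rule names are placeholders; 808 is the default net.tcp port.
$exe = 'C:\Program Files\Contoso\MyWcfService.exe'   # placeholder path

# 1) Program exception: this executable may accept inbound traffic on any port,
#    and the rule only has effect while the process has a listening socket.
netsh advfirewall firewall add rule name=MyWcfService_Program `
    dir=in action=allow enable=yes profile=domain,private program="$exe"

# 2) Port exception: any process may accept inbound TCP 808, whether or not
#    the WCF service is the one listening.
netsh advfirewall firewall add rule name=MyWcfService_Port `
    dir=in action=allow enable=yes profile=domain,private protocol=TCP localport=808

# 3) Both in one rule: only this executable, and only on TCP 808.
#    This is the narrowest of the three; remoteip= (assumed localsubnet here)
#    limits which clients can reach it at all.
netsh advfirewall firewall add rule name=MyWcfService_ProgramAndPort `
    dir=in action=allow enable=yes profile=domain,private program="$exe" `
    protocol=TCP localport=808 remoteip=localsubnet

# Show what was created so the admin can review it, and delete by the same
# name on uninstall so no orphaned exception is left behind.
netsh advfirewall firewall show rule name=MyWcfService_ProgramAndPort
# netsh advfirewall firewall delete rule name=MyWcfService_ProgramAndPort
```

Only one of the three rules is needed in practice; they are shown together for comparison. Scoping the rule to `profile=domain,private` keeps the service unreachable on public networks, and naming the rule consistently makes it easy for the admin to audit with `netsh advfirewall firewall show rule name=all` or to remove when the service is uninstalled.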