1.2.1.1.1.1.12 Configure 'Windows Firewall: Do not allow exceptions'

Information

This policy setting caused Windows Firewall to block all unsolicited incoming messages. It overrides all other Windows Firewall settings that allow such messages. If you enable this policy setting in the Windows Firewall item in Control Panel, the Don't allow exceptions check box is selected and administrators cannot clear it. This policy setting provides a strong defense against external attackers and should be set to Enabled in situations in which you require complete protection from external attacks, such as the outbreak of a new network worm. If you set this policy setting to Disabled, Windows Firewall will be able to apply other policy settings that allow unsolicited incoming messages.

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization-

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall- Do not allow exceptions

Impact- Many environments contain applications and services that must be allowed to receive inbound unsolicited communications as part of their normal operation. Such environments may need to configure the Windows Firewall- Do not allow exceptions setting to Disabled to allow those applications and services to run properly. However, before you configure this policy setting, you should test the environment to determine exactly what communications need to be allowed.

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(5), CCE|CCE-16593-6

Plugin: Windows

Control ID: a5e9229106d0f6611c9b2b975e9481b9f21f1527b8995870271aaf716a4c1114