1.2.1.1.1.1.4 Configure 'Windows Firewall: Allow local program exceptions'

Information

Microsoft recommends that you avoid the use of this setting, unless required by your environment and your organization's business requirements. This policy setting controls whether administrators can use the Windows Firewall component in Control Panel to define a local program exceptions list. Granting program exeptions could expose the computer to network-based attacks, however not allowing any exceptions is likely to break some applications such as computer management tools

Solution

Configure the following Group Policy setting in a manner that is consistent with the security and operational requirements of your organization-

Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Standard Profile\Windows Firewall- Allow local program exceptions

Impact- If you disable this policy setting, administrators will not be able to define a local program exceptions list; also, this configuration ensures that program exceptions only come from Group Policy. If this policy setting is enabled, local administrators are allowed to use Control Panel to define program exceptions locally. For enterprise client computers, there may be conditions that justify local program exceptions. These conditions may include applications that were not analyzed when the organization's firewall policy was created or new applications that require nonstandard port configuration. If you choose to enable the Windows Firewall- Allow local program exceptions setting for such situations, remember that the attack surface of the affected computers is increased.

See Also

https://workbench.cisecurity.org/files/42

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(5), CCE|CCE-16712-2

Plugin: Windows

Control ID: 7356fa983218af9ea88b379bea06c45e7496f8b5f2c4b8f61591e627cfaea674