Manage adv. Firewall: How to restrict scope of existing rules/exceptions
I have discovered that Windows Server 2008 automatically enables the firewall, and automatically enables firewall rules according to the installed server roles and features. Unfortunately, most of these rules have a scope of "any", which means that a lot of well-known ports on a Windows 2008 server are not protected from attacks from other networks.

We would like to keep all these exceptions that Windows 2008 has automatically configured, but restrict the scope of all these exceptions so that access to the open ports is only possible from the local intranet, or the company intranet, which consists of multiple networks (10.0.0.0/16 as an example). Is there any possibility to do this without a lot of work (manually editing and maintaining each exception)?

Thank you all in advance for any hints!

Franz
June 30th, 2009 3:36pm

That's definitely a great best practice to follow. On a single computer, manually updating each rule is your only choice, I'm afraid. In Windows Firewall with Advanced Security, open each rule's Property Page, and then on the Scope tab, enter the IP address range that should be used. Remember to set IPv6 ranges as well, if your organization has an address range assigned, to prevent having to do this again in the future.

For many computers, use Group Policy. You can populate the GPO with "Predefined" rules (similar to the ones included in the OS). Add scopes to them, and then check the boxes that tell the client computers to ignore any locally defined rules and just use the GPO-provided rules.

For a good step-by-step on how to do just this, see the Step-by-Step Guide: Deploying Windows Firewall Policies (includes IPSec rules) at http://technet.microsoft.com/en-us/library/cc732400(WS.10).aspx.

Dave Bishop, Senior Technical Writer, Windows Server Networking User Assistance
June 30th, 2009 5:35pm

Thank you for your tips.

We have a Windows 2003 domain, so it's probably not possible to use advanced firewall GPOs for our 2008 servers.

I tried to do it with "netsh" scripts, but it's obviously impossible. There are predefined rule sets that can be enabled, like "Netsh advfirewall firewall set rule group="remote administration" new enable=yes". But although I have googled and found thousands of pages describing these commands, not one of them enabled such a rule with a limited scope (access only from the local subnet, for example), so I assume that it's not possible to enable such rule sets with a limited scope.

Thank you all in advance for any help on this subject.

Franz
July 9th, 2009 4:27pm

You definitely can use 2008 GPOs in a 2003 domain. You have to edit the GPO from a computer that understands the new features, though, so install the Group Policy tools on your 2008 server or a Vista client computer and edit the policy from there.

You can add a scope to the predefined rules. You can't do it to an entire group at a time, however; you must do it individually to each rule.

Dave Bishop, Senior Technical Writer, Windows Server Networking User Assistance
July 9th, 2009 5:56pm
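Dave's point that scope has to be set rule by rule, and Franz's question whether netsh can do it, can be combined: the per-rule edits are scriptable from the same netsh advfirewall tool that is available on Server 2008. The following PowerShell is an added example, not code from this thread or from Microsoft. It reads the rule list from "netsh advfirewall firewall show rule", picks the enabled inbound rules whose remote address is still Any, and rewrites their scope to an intranet address list. The 10.0.0.0/16 range is the example from the question; the LocalSubnet keyword, the default exclusion of the "Core Networking" grouping (so DHCP, ICMP and IPv6 neighbor discovery keep working), the parameter and function names, and the assumption of English-language netsh output are my own. It also assumes, as the GUI allows, that netsh accepts a new remoteip on predefined rules; verify that on one rule before running it with -Apply.

```powershell
# Added example: narrow the remote-address scope of every enabled inbound
# Windows Firewall rule that still allows any remote address.
# Run it first without -Apply to review the list, then with -Apply to commit.
# Hypothetical defaults: adjust $Scope to your own intranet ranges (IPv6 too).
param(
    [string]$Scope = '10.0.0.0/16,LocalSubnet',   # comma-separated, no spaces
    [string[]]$SkipGroups = @('Core Networking'),  # groupings left untouched
    [switch]$Apply                                 # without it: report only
)

# Parse the "Key: Value" blocks that netsh prints, one block per rule.
# Assumes an English OS; on a localized system the key names differ.
function Get-InboundRules {
    $rules = New-Object System.Collections.ArrayList
    $current = $null
    $lines = netsh advfirewall firewall show rule name=all dir=in
    foreach ($line in $lines) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { [void]$rules.Add($current) }
            $current = @{ 'Rule Name' = $matches[1].Trim() }
        }
        elseif ($current -and $line -match '^([A-Za-z ]+):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current) { [void]$rules.Add($current) }
    return $rules
}

# Keep only enabled rules that are open to any remote address and that are
# not part of a grouping we deliberately leave alone.
function Select-OpenRules($rules, $skip) {
    $rules | Where-Object {
        $_['Enabled'] -eq 'Yes' -and
        $_['RemoteIP'] -eq 'Any' -and
        -not ($skip -contains $_['Grouping'])
    }
}

# "set rule name=... dir=in" updates every inbound rule with that name, so the
# TCP and UDP variants that share a name (common for predefined rules) change
# together, which is what we want here.
function Set-RuleScope([string]$Name, [string]$RemoteIp) {
    netsh advfirewall firewall set rule name="$Name" dir=in new remoteip=$RemoteIp | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Failed to rescope '$Name'" }
}

$targets = Select-OpenRules (Get-InboundRules) $SkipGroups
$names = @($targets | ForEach-Object { $_['Rule Name'] } | Sort-Object -Unique)

foreach ($name in $names) {
    if ($Apply) {
        Set-RuleScope -Name $name -RemoteIp $Scope
        Write-Output "Rescoped:      $name -> $Scope"
    }
    else {
        Write-Output "Would rescope: $name -> $Scope"
    }
}

if ($Apply) { $state = 'Applied.' } else { $state = 'Dry run; re-run with -Apply to commit.' }
Write-Output ("{0} rule name(s) selected. {1}" -f $names.Count, $state)
```

Run it from a console session (or from an address inside the new scope) rather than over Remote Desktop from another network, because the Remote Desktop rule is one of the rules it will rescope. Rules added later by a new role or feature will again default to Any, so rerunning the dry run periodically, or moving to the GPO approach Dave describes, keeps the scope from drifting back.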

Thank you very much for your help, Dave! I didn't know that it's possible to use Windows Server 2008 GPOs in a Windows 2003 AD without 2008 schema extensions. With such GPOs, firewall rules with limited scopes are manageable.

Best regards,

Franz
July 10th, 2009 12:39pm

There will be some things you can't do in a 2003 domain without upgrading the schema. I'm not a Group Policy expert, so I don't know exactly what those things are. If you have any questions about that, ask on the Group Policy forum at http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads.

Dave Bishop, Senior Technical Writer, Windows Server Networking User Assistance
July 10th, 2009 6:34pm
