Understanding Firewall Profiles

Applies To: Windows 7, Windows Server 2008 R2

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

Profile Description

Domain

Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.

Private

Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.

Public

Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.

Each network adapter is assigned the firewall profile that matches the detected network type. For example, if a network adapter is connected to a public network, then all traffic going to or from that network is filtered by the firewall rules associated with the Public profile.

Important

Windows Server 2008 R2 and Windows 7 provide support for multiple active per-network adapter profiles. In Windows Vista and Windows Server 2008, only one profile can be active on the computer at a time. If there are multiple network adapters connected to different networks, then the profile with the most restrictive profile settings is applied to all adapters on the computer. The Public profile is considered to be the most restrictive, followed by the Private profile; the Domain profile is considered to be the least restrictive.

If you do not alter the settings for a profile, then its default values are applied whenever Windows Firewall with Advanced Security uses the profile. We recommend that you enable Windows Firewall with Advanced Security for all three profiles.

To configure these profiles, in the Windows Firewall with Advanced Security MMC snap-in, right-click Windows Firewall with Advanced Security, and then click Properties. You can also access the properties from the Action menu, the Action pane, or the center pane, when Windows Firewall with Advanced Security is highlighted.

To configure these profiles using netsh, open an elevated command prompt (run as Administrator) and type netsh advfirewall set to see the commands available in this context. For example, to turn the firewall on when the private profile is active, type:

netsh advfirewall set privateprofile state on

Additional references