Define port exceptions - Domain Profile

ID: oval:gov.nist.USGCB.xpfirewall:def:6008
Date: (C)2012-04-13   (M)2017-07-28
Class: COMPLIANCE
Family: windows

The Windows Firewall port exceptions list should be defined by Group Policy, which allows you to centrally manage and deploy your port exceptions and ensure that local administrators do not create less secure settings. The Windows Firewall: Define port exceptions policy setting allows you to centrally manage these settings.

If you enable this policy setting, you can view and change the port exceptions list defined by Group Policy. To view and modify the port exceptions list, configure the policy setting to Enabled and then click the Show button. Note that if you type an invalid definition string, Windows Firewall adds it to the list without checking for errors, which means you can accidentally create multiple entries for the same port with conflicting Scope or Status values.

If you disable this policy setting, the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also, if a local port exceptions list exists, it is ignored unless you enable the Windows Firewall: Allow local port exceptions policy setting.

Environments with nonstandard applications that require specific ports to be open should consider deploying program exceptions. This appendix recommends enabling this setting and specifying a list of port exceptions only when program exceptions cannot be defined. Program exceptions allow the Windows Firewall to accept unsolicited network traffic only while the specified program is running, and port exceptions keep the specified ports open at all times.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (such as those sent by the Ping utility), even if the Windows Firewall: Allow ICMP exceptions policy setting would block them. Policy settings that can open TCP port 445 include Windows Firewall: Allow file and printer sharing exception, Windows Firewall: Allow remote administration exception, and Windows Firewall: Define port exceptions.
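Because Windows Firewall accepts definition strings without checking them, a list can be linted before it is entered in the policy. The following is an added example, not part of the OVAL definition or of any Microsoft tool; it assumes the `<Port>:<Transport>:<Scope>:<Status>:<Name>` string format from the policy's help text (not reproduced on this page), and `lint_port_exceptions` and the sample entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format (policy help text, not this page):
#   <Port>:<Transport>:<Scope>:<Status>:<Name>
# Scope: "*", "localsubnet", an IPv4 address, or an IPv4 subnet such as 10.2.3.0/24.
SCOPE_ITEM = re.compile(r"\*|localsubnet|\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?", re.I)

def lint_port_exceptions(entries):
    """Return (entry, finding) pairs for a list of definition strings."""
    findings = []
    seen = defaultdict(set)  # (port, transport) -> {(scope, status)}
    for raw in entries:
        parts = [p.strip() for p in raw.split(":", 4)]
        if len(parts) != 5:
            findings.append((raw, "malformed: expected 5 colon-separated fields"))
            continue
        port, transport, scope, status, _name = parts
        transport, scope, status = transport.upper(), scope.lower(), status.lower()
        errors = []
        if not (re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535):
            errors.append("port")
        if transport not in ("TCP", "UDP"):
            errors.append("transport")
        if not all(SCOPE_ITEM.fullmatch(s.strip()) for s in scope.split(",")):
            errors.append("scope")
        if status not in ("enabled", "disabled"):
            errors.append("status")
        if errors:
            findings.append((raw, "malformed: invalid " + ", ".join(errors)))
            continue
        seen[(int(port), transport)].add((scope, status))
        # Per the page's note: an open TCP 445 also admits inbound ICMP echo requests.
        if (int(port), transport, status) == (445, "TCP", "enabled"):
            findings.append((raw, "opens TCP 445: inbound ICMP echo requests are allowed too"))
    for (port, transport), variants in sorted(seen.items()):
        if len(variants) > 1:  # same port listed with differing Scope or Status
            findings.append((f"{port}/{transport}", "conflicting Scope or Status values"))
    return findings

# Constructed sample list, not taken from any real policy.
SAMPLE = [
    "80:TCP:*:enabled:Web",
    "80:TCP:localsubnet:disabled:Web (old)",
    "445:TCP:10.2.3.0/24:enabled:SMB",
    "3389:TCP:enabled:RDP",  # Scope field missing
]

if __name__ == "__main__":
    for entry, finding in lint_port_exceptions(SAMPLE):
        print(f"{entry!r}: {finding}")
```

Exact duplicates (same port, transport, Scope and Status) are not reported, since only differing Scope or Status values make the effective rule ambiguous.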

Microsoft Windows XP
