In Windows 11 default firewall settings, why are there two identical rules for ICMP, and what does (restrictive) in rule names mean?

I am currently looking into the default firewall configuration after a fresh install of Windows 11 Enterprise 25H2 with all available patches applied at the time of writing. There is no other software installed that could change the firewall configuration.

Now I have two questions:

Why do two (or more) rules that have the same content (i.e., the same security settings) exist under different names?

For example, there are File and Printer Sharing (Echo Request - ICMPv4-In), File and Printer Sharing (Restrictive) (Echo Request - ICMPv4-In) and Core Networking Diagnostics - ICMP Echo Request (ICMPv4-In). I have thoroughly compared these three rules, and I am sure that there is no difference between them, except their name, the name of their rule group, their description and their status (enabled or disabled).

For the sake of completeness, I have used the firewall GUI to investigate the rules’ contents. If there are rule properties that are accessible only by PowerShell, but not the GUI, I may have missed something, and the rules’ content may in fact differ. However, I am currently convinced that this is not the case.

What does the part "(restrictive)" in the rules mean, and why does the same rule in many cases exist under two different names, one containing that name part and the other not containing it?

For example, there are File and Printer Sharing (Echo Request - ICMPv4-In), File and Printer Sharing (Restrictive) (Echo Request - ICMPv4-In). Both rules have the identical content except name, group name, description and activation status (this has already been mentioned above).

However, there are at least seven other rules that follow the same pattern: Identical settings (except name, description, group, status), but different names, one time with "(restrictive)" as part of the name and the second time without it.

I have never seen those "(restrictive)" rules in Windows 10 firewall settings, so they must be new in Windows 11.

Could somebody please explain what is going on here?

In case you still wonder what the “restrictive” tag means, it means this new rule no longer allows inbound ports 137-139, which were used for the legacy SMB 1 protocol. SMB 1 has no longer been enabled by default for quite some time, and this recent firewall ruleset change reflects that. The old ruleset is preserved for backward compatibility if you somehow still need the old, insecure protocol.

This was explained in a Microsoft Tech Community blog post by Ned Pyle. To quote directly:

Before

Previously, creating a share automatically configured the firewall to enable the rules in the “File and Printer Sharing” group for the given firewall profiles. This began in Windows XP SP2 with the introduction of the then-new built-in firewall, and the rule was designed for both SMB1 and ease of deployment of a wide array of SMB-using technology, including printing, legacy group policy, and others.

Now

Windows now automatically configures the new “File and Printer Sharing (Restrictive)” group when you create an SMB share, which no longer contains inbound NetBIOS ports 137-139. Those ports are not used by SMB2 or later and are an artifact of SMB1. If you reinstall SMB1 server for some legacy compatibility reason, you will need to ensure that those firewall ports are reopened.

This change enforces a higher degree of default of network security as well as bringing SMB firewall rules closer to the Windows Server “File Server” role behavior, which only opens the minimum ports needed to connect and manage sharing. Administrators can still configure the “File and Printer Sharing” group if necessary as well as modify this new firewall group, these are just default behaviors.
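
An added example, not part of the question, the answer or the quoted blog post: one way to compare the two rule groups from PowerShell, including filter properties the GUI spreads across several tabs, and to flag enabled rules that still open ports 137-139. It assumes the English group display names quoted above; `Get-RuleDetail` is a helper name made up for this example.

```powershell
# Added example. Group names are the English display names quoted on this page;
# Get-RuleDetail is a helper defined here. Run in an elevated session.
$legacy      = 'File and Printer Sharing'
$restrictive = 'File and Printer Sharing (Restrictive)'

function Get-RuleDetail {
    param([Parameter(Mandatory)][string]$DisplayGroup)
    Get-NetFirewallRule -DisplayGroup $DisplayGroup |
        Where-Object Direction -eq 'Inbound' |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            $svc  = $_ | Get-NetFirewallServiceFilter
            # Everything except name, group, description and status
            $content = @(
                $_.Profile, $_.Action, $port.Protocol,
                (@($port.LocalPort) -join ','), (@($port.IcmpType) -join ','),
                (@($addr.RemoteAddress) -join ','), $app.Program, $svc.Service
            ) -join '|'
            [pscustomobject]@{
                Group     = $DisplayGroup
                Name      = $_.DisplayName
                Enabled   = $_.Enabled
                Protocol  = $port.Protocol
                LocalPort = @($port.LocalPort) -join ','
                Content   = $content
            }
        }
}

$old = @(Get-RuleDetail -DisplayGroup $legacy)
$new = @(Get-RuleDetail -DisplayGroup $restrictive)

# Legacy-group rules with no content-equivalent rule in the Restrictive group
$old | Where-Object { $_.Content -notin $new.Content } |
    Sort-Object Protocol, LocalPort |
    Format-Table Name, Protocol, LocalPort, Enabled -AutoSize

# Enabled inbound rules in either group that still open NetBIOS ports 137-139
($old + $new) |
    Where-Object { $_.Enabled -eq 'True' -and $_.LocalPort -match '\b13[7-9]\b' } |
    Format-Table Group, Name, Protocol, LocalPort -AutoSize
```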