Configuring Windows Firewall Rules Using Group Policy

Microsoft Defender Firewall is built into all modern versions of Windows and Windows Server and allows you to configure rules to filter incoming and/or outgoing network traffic on your computer. Windows Firewall rules can be configured locally on the user’s computer (using the wf.msc console, the netsh command, or the built-in NetSecurity PowerShell module). On Windows computers joined to an Active Directory domain, you can centrally manage Microsoft Defender Firewall rules and settings by using Group Policies.

In enterprise networks, port filtering rules are typically set at the level of the router, L3 switch, or dedicated firewall device. However, nothing prevents you from deploying your Windows Firewall network access rules to workstations or Windows servers.

Enable Microsoft Defender Firewall via GPO

Open the Domain Group Policy Management Console (gpmc.msc), create a new GPO object (Policy) with the name gpoFirewallDefault, and switch to edit mode.

To prevent users (even those with local administrator permissions) from stopping the firewall service, it is recommended to configure automatic startup of Windows Firewall using GPO. To do this, go to Computer Configuration -> Windows Settings -> Security Settings -> System Services. Find Windows Firewall in the list of services and change the startup type to Automatic (Define this policy setting -> Service startup mode Automatic). Make sure your users do not have permission to stop the service.


Then go to Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Defender -> Firewall -> Domain Profile and enable the policy Windows Defender Firewall: Protect all network connections.


Go to the Computer Configuration -> Windows Settings -> Security Settings section in the GPO console. Right-click Windows Firewall with Advanced Security and open Properties.

Change the Firewall state to On (recommended) in all three tabs: Domain Profile, Private Profile, and Public Profile. Depending on the security policies in your company, you can specify that all inbound connections are blocked by default (Inbound connections -> Block), and outbound connections are allowed (Outbound connections -> Allow). Save the changes.


You can debug your Windows Defender Firewall rules on the client’s computer by enabling logging to %systemroot%\system32\logfiles\firewall\pfirewall.log. By default, network connection logging is disabled in Windows. You can log only rejected packets (Log dropped packets) or packets that were allowed by firewall rules (Log successful connections).
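Once logging is enabled, the log can be turned into objects and summarized. The following is an added example, not part of the original article: it parses a constructed sample in the pfirewall.log layout (field names are read from the `#Fields:` header) and counts dropped inbound packets per source address and destination port.

```powershell
# Constructed sample in the pfirewall.log layout. On a real client, read the file instead:
#   $lines = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-14 09:12:01 DROP TCP 10.20.30.41 10.20.30.15 51022 3389 52 S 2894311 0 64240 - - - RECEIVE
2024-05-14 09:12:04 DROP TCP 10.20.30.41 10.20.30.15 51022 3389 52 S 2894311 0 64240 - - - RECEIVE
2024-05-14 09:12:09 ALLOW TCP 10.10.0.7 10.20.30.15 49811 3389 0 - 0 0 0 - - - RECEIVE
2024-05-14 09:13:30 DROP UDP 10.20.30.77 10.20.30.15 137 137 78 - - - - - - - RECEIVE
2024-05-14 09:14:02 ALLOW TCP 10.20.30.15 10.20.40.5 50110 443 0 - 0 0 0 - - - SEND
'@
$lines = $sampleLog -split '\r?\n'

function ConvertFrom-FirewallLog {
    param([string[]]$Line)
    $fields = $null
    foreach ($l in $Line) {
        # The header names the columns; newer builds may append extra fields.
        if ($l -match '^#Fields:\s*(.+)$') { $fields = $Matches[1].Trim() -split '\s+'; continue }
        if (-not $fields -or $l -match '^\s*(#|$)') { continue }   # comments, blank lines
        $values = $l.Trim() -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }          # skip truncated lines
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [pscustomobject]$row
    }
}

$entries = ConvertFrom-FirewallLog -Line $lines

# Dropped inbound packets, grouped by source address and destination port.
$entries |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object -Property 'src-ip', 'dst-port' |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

A source that keeps hitting a port you never opened shows up at the top of this list, which is usually the fastest way to tell a missing allow rule from unwanted traffic.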


How to Create Windows Firewall Rule with GPO?

Now let us see how to create Microsoft Defender Firewall rules through Group Policy. To configure your rules, go to Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security.

The following sections are available in the Firewall GPO:

  • Inbound rules
  • Outbound rules
  • Connection security rules

Let’s try to create an allowing inbound firewall rule. For example, we want to allow incoming RDP connections on Windows (the default RDP port is TCP 3389). Right-click the Inbound Rules section and select New Rule. The New Firewall Rule Wizard starts.

The Firewall Rules Wizard has the same interface as the local Windows Firewall on the user’s desktop computer.


Select the rule type. You can allow access to:

  • Program – you can select a program executable (.exe);
  • Port – you can select a TCP/UDP port or a port range;
  • Predefined – select one of the standard Windows rules, which already contain access rules (both executable files and ports are described) for specific services (e.g., AD, HTTP, DFS, BranchCache, Remote Restart, SNMP, KMS, WinRM, etc.);
  • Custom – here you can specify a program, a protocol (protocols other than TCP or UDP, such as ICMP, GRE, L2TP, IGMP, etc.), a client IP address, or an entire IP network (subnet).


In our case, we will select the Port rule. Let’s specify TCP as the protocol and 3389 as the local port number.


Then you need to choose what to do with such network connections: Allow the connection, Allow the connection if it is secure, or Block the connection.


Then select the network profile to apply the firewall rule. You can leave all profiles enabled (domain, private and public).


In the last step, specify the name and description of the rule. Click Finish, and it will appear in the list of firewall rules.

Modern versions of Windows also use UDP port 3389 for Remote Desktop (RDP) traffic. Therefore, create another Microsoft Defender rule for that port as well.

In the same way, you can configure other inbound firewall rules to apply to your Windows clients. You can create rules for both inbound and outbound traffic.
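The wizard steps above can also be scripted with the NetSecurity module against the GPO itself. This is an added example, not part of the original article; the domain name corp.example and the management subnet 10.10.0.0/24 are assumptions, and the rule names are hypothetical.

```powershell
# Added example. Assumptions: domain corp.example, admin subnet 10.10.0.0/24.
# Run from a management host with rights to edit the GPO.
Import-Module NetSecurity

$gpoStore   = 'corp.example\gpoFirewallDefault'   # <domain FQDN>\<GPO name>
$mgmtSubnet = '10.10.0.0/24'                      # hypothetical admin network

# Load the GPO into a local session so all edits are committed together.
$gpo = Open-NetGPO -PolicyStore $gpoStore

foreach ($proto in 'TCP', 'UDP') {
    $ruleName = "GPO-RDP-In-$proto"               # hypothetical rule name

    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -GPOSession $gpo -Name $ruleName -ErrorAction SilentlyContinue) {
        continue
    }

    $rule = @{
        GPOSession    = $gpo
        Name          = $ruleName
        DisplayName   = "Allow RDP ($proto 3389)"
        Description   = 'Inbound Remote Desktop from the management subnet'
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = $proto
        LocalPort     = 3389
        # Narrower than the wizard walk-through: domain profile only,
        # and only from the admin network instead of any address.
        Profile       = 'Domain'
        RemoteAddress = $mgmtSubnet
    }
    New-NetFirewallRule @rule | Out-Null
}

# Review what the GPO session now contains before writing it back.
Get-NetFirewallRule -GPOSession $gpo |
    Where-Object Name -like 'GPO-RDP-In-*' |
    Format-Table -Property Name, DisplayName, Direction, Action, Profile

# Commit the changes to the GPO in Active Directory.
Save-NetGPO -GPOSession $gpo
```

Limiting RemoteAddress and Profile keeps RDP reachable only from where administrators actually connect, instead of from every network the client joins.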


Above, we saw how to use the graphical wizard to create Windows Defender Firewall rules. You can also create a list of rules in plain text form and add a large number of exceptions to the Defender Firewall GPO.

Go to Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Defender Profiles -> Domain Profiles and open the Windows Defender Firewall: Define inbound port exceptions policy. Here you can create a list of firewall rules with simple text strings.

Below is a list of inbound firewall rules that I want to add to Group Policy:


Click the Show button and copy your rules line by line into the Define port exceptions form.


This method allows you to quickly create a large number of inbound rules for Windows Firewall.

Applying Microsoft Defender Firewall Rules to Windows Computers

Now it remains to link the firewall policy to the OU (organizational unit) with the users’ computers. Locate the desired OU in the Group Policy Management Console, right-click it, and select Link an Existing GPO. Select your firewall policy from the list.


Important. It is strongly recommended to try the policy out on some test computers before applying it to the OU with production computers. Otherwise, incorrect firewall settings can completely block network access to the computers. Use the gpresult tool to diagnose how your Group Policy is applied.

Update Group Policy settings on your clients (gpupdate /force). Verify that the ports you specified are open on the user’s computer (you can use the Test-NetConnection cmdlet or the PortQry tool to check for open ports).

On the user’s computer, open Control Panel -> System and Security -> Windows Defender Firewall and make sure that the message “For your security, some settings are controlled by Group Policy” is displayed and that your firewall settings are in use.


A user can no longer change firewall settings, and all rules you create should appear in the Inbound Rules list. Note that by default, new rules from GPOs are added to existing local firewall rules.


You can also display the current Windows Defender settings with the command:

netsh firewall show state

Or you can get the list of inbound rules in table form using a PowerShell script:

# List enabled inbound allow rules together with their port and address filters
Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound |
Format-Table -Property Name,
@{Name="Protocol";Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name="LocalPort";Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name="RemotePort";Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name="RemoteAddress";Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}}


How to Export and Import Firewall Rules on Windows?

Windows Defender Firewall Console allows you to export and import current firewall settings to a text file. You can configure firewall rules on the reference computer and export them to the Group Policy console.

Configure the rules you need, then go to the root of the Firewall snap-in (Windows Defender Firewall Monitor with Advanced Security) and choose Action -> Export Policy.


Your firewall rules will be exported to a WFW file, which can be imported into the Group Policy Management Editor by selecting the Import Policy option and specifying the path to the .wfw file (the current policy settings will be overwritten).


Merging domain and local Microsoft Defender firewall rules

In the GPO, you can specify whether you want to allow local administrators to create their own firewall rules on their computers, and how these rules should be combined with the rules specified through the GPO.

Open the Windows Firewall policy properties in the GPO, select the tab with the profile (Domain), and click the Customize button. Check the settings in the Rule merging section. By default, rule merging is enabled. You can allow a local administrator to create their own firewall rules: select Yes (default) in the Apply local firewall rules option.


Tip. Blocking firewall rules have a higher priority than allowing ones. This means that a user cannot create an allowing access rule if it contradicts a deny rule configured by an administrator using a GPO. However, a user will be able to create local blocking rules, even if access has been granted in the policy by the administrator.
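To check on a client how the merge actually turned out, you can query the effective policy (the ActiveStore), which combines GPO and local rules. This is an added example, not part of the original article; the function name Get-FirewallPolicyAudit is hypothetical.

```powershell
# Added example: run on a client after gpupdate, in an elevated session.
function Get-FirewallPolicyAudit {
    # Effective per-profile settings, including whether local rules are merged.
    $profiles = Get-NetFirewallProfile -PolicyStore ActiveStore |
        Select-Object -Property Name, Enabled, DefaultInboundAction,
            DefaultOutboundAction, AllowLocalFirewallRules, LogBlocked, LogFileName

    # All enabled inbound rules that are currently in effect.
    $inbound = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True

    # How many of them come from Group Policy and how many from the local store.
    $bySource = $inbound |
        Group-Object -Property PolicyStoreSourceType |
        Select-Object -Property Name, Count

    # Locally defined allow rules: these exist outside the GPO and only
    # take effect when "Apply local firewall rules" is set to Yes.
    $localAllow = $inbound |
        Where-Object { $_.Action -eq 'Allow' -and $_.PolicyStoreSourceType -eq 'Local' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Profile     = $_.Profile
                Protocol    = $port.Protocol
                LocalPort   = $port.LocalPort -join ','
            }
        }

    [pscustomobject]@{
        Profiles        = $profiles
        RulesBySource   = $bySource
        LocalAllowRules = $localAllow
    }
}

$audit = Get-FirewallPolicyAudit
$audit.Profiles        | Format-Table -AutoSize
$audit.RulesBySource   | Format-Table -AutoSize
$audit.LocalAllowRules | Sort-Object -Property DisplayName | Format-Table -AutoSize
```

If AllowLocalFirewallRules is True for the domain profile, every entry under LocalAllowRules is an opening that the GPO does not document and that should be reviewed.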

Some tips for managing Windows Firewall using GPO:

  • Create separate GPOs with firewall rules for servers and workstations (you may need to create your own policies for each group of similar servers depending on their role. This means that the firewall rules for domain controllers, Exchange servers, servers with the Remote Desktop Services Host (RDSH) role, or Microsoft SQL Server will be different);
  • You can use WMI GPO filters to more precisely target policies to clients (for example, you can apply policies to hosts on a specific IP subnet);
  • You can find out in the documentation on the vendor’s website which ports should be opened for each service. At first glance the process is quite laborious and complicated. However, you can eventually get a working Windows Firewall configuration that allows only approved network connections and blocks the rest. From my own experience, I would like to note that you can quickly get a list of TCP/UDP ports used for most Microsoft services.
