Microsoft Defender Firewall is built into all modern versions of Windows and Windows Server and allows you to configure rules to filter incoming and/or outgoing network traffic on your computer. Windows Firewall rules can be configured locally on the user’s computer (using the wf.msc console, the netsh command, or the built-in NetSecurity PowerShell module). On Windows computers joined to an Active Directory domain, you can centrally manage Microsoft Defender Firewall rules and settings by using Group Policy.
In enterprise networks, port filtering rules are typically set at the level of the router, L3 switch, or dedicated firewall device. However, nothing prevents you from deploying your Windows Firewall network access rules to workstations or Windows servers.
Enable Microsoft Defender Firewall via GPO
Open the domain Group Policy Management Console (gpmc.msc), create a new GPO object (policy) named gpoFirewallDefault, and switch to edit mode.
To prevent users (even those with local administrator permissions) from stopping the firewall service, it is recommended to configure automatic startup of Windows Firewall using the GPO. To do this, go to Computer Configuration -> Windows Settings -> Security Settings -> System Services. Find Windows Firewall in the list of services and change the startup type to Automatic (Define this policy setting -> Service startup mode: Automatic). Make sure your users do not have permission to stop the service.
Then go to Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Defender Firewall -> Domain Profile and enable the policy Windows Defender Firewall: Protect all network connections.
Go to the Computer Configuration -> Windows Settings -> Security Settings section in the GPO console. Right-click Windows Firewall with Advanced Security and open Properties.
Change the Firewall state to On (recommended) on all three tabs: Domain Profile, Private Profile, and Public Profile (see: What are network profiles (locations) in Windows?). Depending on the security policies in your company, you can specify that all inbound connections are blocked by default (Inbound connections -> Block) and outbound connections are allowed (Outbound connections -> Allow). Save the changes.
You can debug your Windows Defender Firewall rules on the client’s computer by enabling logging to %systemroot%\system32\logfiles\firewall\pfirewall.log. By default, network connection logging is disabled in Windows. You can log only dropped packets (Log dropped packets) or only packets that were allowed by firewall rules (Log successful connections).
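As an added example (not from the original article), here is a PowerShell parser for the pfirewall.log format that summarises dropped inbound packets by protocol, destination address and port. The log lines below are constructed for illustration; on a real client you would read $env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log instead.

```powershell
# Added example (not from the original article): summarise DROP entries in pfirewall.log.
# The sample log is constructed here to show the W3C layout the firewall writes.
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 09:12:01 DROP TCP 192.168.110.50 192.168.110.20 51234 445 52 S 123456789 0 64240 - - - RECEIVE
2024-01-15 09:12:03 DROP TCP 192.168.110.50 192.168.110.20 51235 445 52 S 123456790 0 64240 - - - RECEIVE
2024-01-15 09:12:05 ALLOW TCP 192.168.110.11 192.168.110.20 49811 3389 52 S 555555555 0 65535 - - - RECEIVE
2024-01-15 09:12:07 DROP UDP 192.168.110.77 192.168.110.20 5353 5353 120 - - - - - - - RECEIVE
2024-01-15 09:12:09 DROP TCP 192.168.110.20 10.0.0.5 50001 8080 52 S 777777777 0 64240 - - - SEND
'@

function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header defines the column order; data lines are whitespace-separated values
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        if ($fields -and $values.Count -eq $fields.Count) {
            $obj = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
            [pscustomobject]$obj
        }
    }
}

# Inbound drops grouped by protocol, destination address and port. If a port you opened in the
# GPO still shows up here, the rule did not apply (wrong profile, wrong scope, or GPO not linked).
# Real use: Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$entries = ConvertFrom-PfirewallLog -Lines ($SampleLog -split "`r?`n")
$entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object -Property protocol, 'dst-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{Name = 'Protocol/Dst/Port'; Expression = { $_.Name }},
        @{Name = 'Sources'; Expression = { ($_.Group.'src-ip' | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```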
How to Create Windows Firewall Rule with GPO?
Now let us see how to create Microsoft Defender Firewall rules through Group Policy. To configure your rules, go to Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security.
The following sections are available in the Firewall GPO:
- Inbound Rules
- Outbound Rules
- Connection Security Rules
Let’s try to create an allowing inbound firewall rule. For example, we want to allow incoming RDP connections on Windows (the default RDP port is TCP 3389). Right-click the Inbound Rules section and select New Rule. The New Inbound Rule Wizard starts.
The Firewall Rules Wizard has the same interface as the local Windows Firewall on the user’s desktop computer.
Select the rule type. You can allow access to:
- Program – you can select a program executable (.exe);
- Port – you can select a TCP/UDP port or port range;
- Predefined – select one of the standard Windows rules, which already include the access rules (executable files and ports) for specific services (e.g., AD, HTTP, DFS, BranchCache, Remote Shutdown, SNMP, KMS, WinRM, etc.);
- Custom – here you can specify a program, a protocol (protocols other than TCP or UDP, such as ICMP, GRE, L2TP, IGMP, etc.), a client IP address, or an entire IP network (subnet).
In our case, we will select the Port rule. Let’s specify TCP as the protocol and 3389 as the local port number.
Then you need to choose what to do with such network connections: Allow the connection, Allow the connection if it is secure, or Block the connection.
Then select the network profile to apply the firewall rule. You can leave all profiles enabled (domain, private and public).
In the last step, specify the name and description of the rule. Click Finish, and it will appear in the list of firewall rules.
In the same way, you can configure other inbound firewall rules to apply to your Windows clients. You can create rules for both inbound and outbound traffic.
Above, we saw how to use the graphical wizard to create Windows Defender Firewall rules. You can also create a list of rules in plain text form and add a large number of exceptions to the Defender Firewall GPO.
Go to Computer Configuration -> Policies -> Administrative Templates -> Network -> Network Connections -> Windows Defender Firewall -> Domain Profile and open the policy Windows Defender Firewall: Define inbound port exceptions. Here you can create a list of firewall rules as simple text strings.
Below is a list of inbound firewall rules that I want to add to Group Policy:
3389:UDP:localsubnet:enabled:In_RDP_UDP_3389
445:TCP:localsubnet:enabled:In_SMB_TCP_445
443:TCP:192.168.110.11:enabled:In_HTTP_TCP_443
Click the Show button and paste your rules, one per line, into the Define port exceptions form.
This method allows you to quickly create a large number of inbound rules for Windows Firewall.
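The exception strings use the form port:protocol:scope:status:name. As an added example (not from the original article), the PowerShell functions below generate such entries and sanity-check existing ones, including catching a rule name whose trailing port number does not match the port field.

```powershell
# Added example (not from the original article): build and sanity-check entries for the
# "Define inbound port exceptions" policy, whose format is port:protocol:scope:status:name.
function New-PortException {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        # Scope: '*' (any address) or a comma-separated mix of IPs, CIDR subnets and 'localsubnet'
        [string]$Scope = 'localsubnet',
        [ValidateSet('enabled', 'disabled')][string]$Status = 'enabled',
        [string]$Name
    )
    if (-not $Name) { $Name = 'In_{0}_{1}' -f $Protocol, $Port }
    if ($Name -match ':') { throw "Rule name '$Name' must not contain ':' (the field separator)" }
    if ($Scope -ne '*') {
        foreach ($s in $Scope -split ',') {
            if ($s -eq 'localsubnet') { continue }
            # Accept only a.b.c.d or a.b.c.d/nn so a typo is caught before it reaches the GPO
            if ($s -notmatch '^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$') { throw "Invalid scope element '$s'" }
        }
    }
    '{0}:{1}:{2}:{3}:{4}' -f $Port, $Protocol, $Scope, $Status, $Name
}

function Test-PortException {
    # $true if an existing entry is well formed and a trailing _<port> in its name matches the port
    param([Parameter(Mandatory)][string]$Entry)
    $p = $Entry -split ':'
    if ($p.Count -ne 5) { return $false }
    $port, $proto, $scope, $status, $name = $p
    if ($port -notmatch '^\d+$' -or [int]$port -lt 1 -or [int]$port -gt 65535) { return $false }
    if ($proto -notin 'TCP', 'UDP' -or $status -notin 'enabled', 'disabled') { return $false }
    # Catches copy-paste slips such as a rule on port 445 whose name ends in _443
    if ($name -match '_(\d+)$' -and $Matches[1] -ne $port) { return $false }
    return $true
}

# The article's three rules (names matching their ports); paste the output into the
# policy's Show... dialog, one line per entry
$rules = @(
    New-PortException -Port 3389 -Protocol UDP -Name In_RDP_UDP_3389
    New-PortException -Port 445  -Protocol TCP -Name In_SMB_TCP_445
    New-PortException -Port 443  -Protocol TCP -Scope '192.168.110.11' -Name In_HTTP_TCP_443
)
$rules
Test-PortException '445:TCP:localsubnet:enabled:In_SMB_TCP_443'   # False: port and name disagree
```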
Applying Microsoft Defender Firewall Rules to Windows Computers
Now it remains to link the firewall policy to the OU (organizational unit) containing the users’ computers. Locate the desired OU in the Group Policy Management Console, right-click it, select Link an Existing GPO, and choose your firewall policy from the list.
Update the Group Policy settings on your clients (gpupdate /force). Verify that the ports you specified are open on the user’s computer (you can use the Test-NetConnection cmdlet or the PortQry tool to check for open ports).
On the user’s computer, open Control Panel -> System and Security -> Windows Defender Firewall and make sure the message “For your security, some settings are controlled by Group Policy” is displayed and your firewall settings are applied.
A user can no longer change firewall settings, and all rules you create should appear in the Inbound Rules list. Note that by default, new rules from GPOs are added to existing local firewall rules.
You can also display the current Windows Defender Firewall state with the command:
netsh firewall show state
Or you can get the list of inbound rules in table form using a PowerShell script:
Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound |
Format-Table -Property Name,
@{Name="Protocol";Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name="LocalPort";Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name="RemotePort";Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name="RemoteAddress";Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,Profile,Direction,Action
How to Export and Import Firewall Rules on Windows?
Windows Defender Firewall Console allows you to export and import current firewall settings to a text file. You can configure firewall rules on the reference computer and export them to the Group Policy console.
Configure the rules you need, then go to the root of the firewall snap-in (Windows Defender Firewall with Advanced Security) and choose Action -> Export Policy.
Your firewall rules will be exported to a WFW file, which can be imported into the Group Policy Management Editor by selecting the Import Policy option and specifying the path to the .wfw file (the current policy settings will be overwritten).
Merging domain and local Microsoft Defender firewall rules
In the GPO, you can specify whether you want to allow local administrators to create their own firewall rules on their computers, and how these rules should be combined with the rules specified through the GPO.
Open the Windows Firewall policy Properties in the GPO, select the tab for the profile (Domain) and click the Customize button. Check the settings in the Rule merging section. By default, rule merging is enabled. To allow local administrators to create their own firewall rules, select Yes (default) in the Apply local firewall rules option.
Tip. Block rules take precedence over allow rules. This means that if an administrator has configured a block rule via GPO, a user cannot override it with a local allow rule. However, a user can create local block rules even if access has been allowed in the policy by the administrator.
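As an added example (not from the original article), this PowerShell function reports, for one profile, whether local rule merging is in effect on the client and which enabled inbound rules in the effective rule set were created locally rather than delivered by a GPO. It relies on the ActiveStore policy store and the PolicyStoreSourceType property of the NetSecurity module.

```powershell
# Added example (not from the original article): show whether local rule merging is in effect
# for a profile and which enabled inbound rules come from the local store rather than a GPO.
# ActiveStore is the effective rule set; PolicyStoreSourceType tells whether a rule came from
# Group Policy or was created locally.
function Get-EffectiveLocalRule {
    param(
        [ValidateSet('Domain', 'Private', 'Public')][string]$Profile = 'Domain',
        # Allow: local exceptions you did not define; Block: local rules overriding your GPO allows
        [ValidateSet('Allow', 'Block')][string]$Action = 'Allow'
    )

    $prof = Get-NetFirewallProfile -Name $Profile -PolicyStore ActiveStore
    Write-Host ('{0} profile: AllowLocalFirewallRules = {1}' -f $Profile, $prof.AllowLocalFirewallRules)

    Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Action $Action -Direction Inbound |
        Where-Object {
            $_.PolicyStoreSourceType -eq 'Local' -and
            ("$($_.Profile)" -eq 'Any' -or "$($_.Profile)" -match $Profile)
        } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Action        = $_.Action
                Protocol      = $pf.Protocol
                LocalPort     = ($pf.LocalPort -join ',')
                RemoteAddress = ($af.RemoteAddress -join ',')
                Profile       = "$($_.Profile)"
                Source        = $_.PolicyStoreSource
            }
        }
}

# Anything listed here is in effect on the client although it is not defined in your GPO;
# an empty list with AllowLocalFirewallRules = False means only GPO rules apply.
Get-EffectiveLocalRule -Profile Domain -Action Allow | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
Get-EffectiveLocalRule -Profile Domain -Action Block | Format-Table -AutoSize
```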
Some tips for managing Windows Firewall using GPO:
- Create separate GPOs with firewall rules for servers and workstations (you may need separate policies for each group of similar servers depending on their role; for example, the firewall rules for domain controllers, Exchange servers, a server with the Remote Desktop Session Host (RDSH) role, or Microsoft SQL Server will differ);
- You can use GPO WMI filters to target policies to clients more precisely (for example, you can apply policies to hosts on a specific IP subnet);
- You can find out in the documentation on the vendor’s website which ports should be opened for each service. At first glance the process is quite laborious and complicated, but eventually you can get a working Windows Firewall configuration that allows only approved network connections and blocks the rest. From my own experience, I would note that you can quickly get a list of the TCP/UDP ports used by most Microsoft services.