Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Group Policies / Configuring Windows Firewall Settings and Rules with Group Policy

August 16, 2019 Active DirectoryGroup Policies

Configuring Windows Firewall Settings and Rules with Group Policy

Windows Firewall allows to restrict inbound/outbound network traffic for a certain application, protocol or a TCP/IP port. This is an easy way to restrict network access to/from user workstations or servers. You can configure Windows Firewall rules individually on each computer or, if a user computer is joined to an Active Directory domain, an administrator can manage Windows Defender Firewall settings and rules using GPO.

In large enterprises, the port filtering rules are usually set at the level of routers, L3 switches or dedicated firewall devices. However, nothing prevents you from deploying your Windows Firewall network access restriction rules to workstations or Windows servers.

Contents:
  • Group Policy Settings to Manage Windows Defender Firewall Rules
  • How to Enable Windows Firewall Using GPO?
  • How to Create a Firewall Rule Using GPO?
  • Testing Windows Firewall Policies on Clients
  • How to Import/Export Windows Firewall Rules to/from GPO?
  • Domain and Local Windows Defender Firewall Rules
  • Tips: Managing Windows Firewall with GPOs

Group Policy Settings to Manage Windows Defender Firewall Rules

Using the domain group policy editor (Group Policy Management console – gpmc.msc), create a new GPO object (policy) with the name Firewall-Policy and switch to the edit mode.

edit firewall policy

There are two sections in the Group Policy Management console that allow you to manage firewall settings:

  1. Computer Configuration -> Administrative Templates -> Network -> Network Connections -> Windows Firewall – this GPO section was used to configure firewall rules in OS Vista/Windows Server 2008 or earlier. If you don’t have any computers with these old OS versions, use the next policy section to configure your firewall;
    setting windows firewall settings in domain via GPO
  2. Computer Configuration -> Windows Settings -> Security Settings -> Windows Firewall with Advanced Security – is the actual section to configure Windows Firewall in modern Windows OS versions, and its interface is similar to that of the local Defender Firewall management console.

How to Enable Windows Firewall Using GPO?

In order users (even having local admin permissions) cannot stop the firewall service, it is recommended to configure the automatic startup of Windows Firewall using GPO. To do it, go to Computer Configuration- > Windows Settings -> Security Settings -> System Services. Find Windows Firewall in the list of services and change the startup mode to automatic (Define this policy setting -> Service startup mode Automatic). Make sure that your users don’t have the permissions to stop the service.

Windows Firewall service strartup type - Automatic

Go to the Computer Configuration -> Windows Settings -> Security Settings section in the GPO console. Right-click Windows Firewall with Advanced Security and open the properties.

Change the Firewall state to On (recommended) in all three tabs: Domain Profile, Private Profile and Public Profile (What are network locations in Windows?). Depending on the security policies in your company, you can specify that all inbound connections are blocked by default (Inbound connections -> Block), and outbound connections are allowed (Outbound connections -> Allow). Save the changes.

windows firewall with advanced security settings via group policy

How to Create a Firewall Rule Using GPO?

Let’s try to create an allowing inbound Windows Firewall rule. For example, we want to allow the incoming RDP connection to all computers (TCP 3389 port). Right-click the Inbound Rules section and select New Rule.

create new windows defender firewall rule via gpo

The firewall rule wizard has an interface similar to that of local Windows Firewall on the user’s desktop computer.

Select the rule type. You can allow access to:

  • Program – you can select a program executable (.exe);
  • Port – you can select a TCP/UDP port or a port range;
  • Predefined – you can select one of the standard Windows rules, which already contain access rules (both executable files and ports are described) to typical services (e. g., AD, HTTP(s), DFS, BranchCache, remote restart, SNMP, KMS, etc.);
  • Custom – here you can specify a program, a protocol (protocols other than TCP or UDP, like ICMP, GRE, L2TP, IGMP, etc.), client IP addresses or entire IP subnets.

windows firewall port rule

In our case, we’ll select the Port rule. Let’s specify TCP as the protocol, and Port 3389 as the port (it is the default RDP port, but you can change it via the registry).

new inbound rule for 3389

Then you must select what to do with such a network connection: Allow the connection, allow if it is secure or Block the connection.

firewall rule - allow the connection

Then select the firewall profiles to apply the rule to. You can leave all profiles enabled (Domain, Private and Public).

select firewall profile

On the last step, specify the name and description of the rule. Click Finish, and it will appear in the list of firewall rules.

In the same way you can configure other rules for the inbound traffic to be applied to your Windows clients.Don’t forget to create rules for the inbound and outbound traffic.

configuring windows firewall inbound rules via gpo

Now just assign the Firewall Policy to the OU with user computers.

Important. Before applying the firewall policy to OU with productive computers, it is strongly recommend to try it out on some test computers. Otherwise, due to wrong firewall settings, you can paralyze you enterprise network. To diagnose how your group policy is applied, use the gpresult tool. 

Testing Windows Firewall Policies on Clients

Update the group policy settings on your clients (gpupdate /force). Make sure that the ports you have specified are available on user computers (you can use Test-NetConnection cmdlet or Portqry tool).

On a user PC, open the Control Panel -> System&Security -> Windows Defender Firewall and make sure that there is the message For your security, some settings are controlled by Group Policy and your firewall settings are used.

For your security, some firewall settings are controlled by Group Policy

Now a user cannot change firewall settings, and all rules that you have created must appear in the Inbound Rules list.

list of firewall rules

You can also display the firewall settings using this command:

netsh firewall show state

How to Import/Export Windows Firewall Rules to/from GPO?

Of course, the process of creating Windows Firewall rules is a painstaking and time consuming task (however, it is worth the effort). To make it easier, you can import/export Windows Firewall settings. To do it, it’s enough to configure local firewall settings on a reference workstation as you need. Then go to the root of Windows Firewall snap-in (Windows Firewall with Advanced Security) and select Action -> Export Policy.

export windows defender firewall rules to wfw file

The policy will be exported into a WFW file, which can be imported to the Group Policy Management Editor by selecting Import Policy option and specifying the path to the .wfw file (the current policy settings will be overwritten).

import firewall settings to the gpo

Domain and Local Windows Defender Firewall Rules

Depending on whether you want that local administrators can create their own firewall rules on their computers to be combined with the rules obtained from the group policy, you can select the rule merging option. Open the policy properties and view the settings in the Rule merging section. By default rule merging is enabled. You can force that a local administrator can create their own firewall rules: select Yes (default) in the Apply local firewall rules option.

gpo windows firewall merging rules

Tip. Blocking firewall rules have higher priority than the allowing ones. It means that a user cannot create an allowing access rule if it contradicts the blocking rule configured by an administrator using GPO. However, a user will be able to create a local blocking rule, even if the access is allowed in the policy by the administrator.

Tips: Managing Windows Firewall with GPOs

Of course, you should create separate policies to manage Windows Firewall rules for servers and workstations (you may have to create separate policies for each group of similar servers depending on their role). It means that firewall rules for the domain controller, an Exchange mail server and an SQL server will differ.

You can find what ports must be opened for each service on the vendor’s website. The process is quite painstaking and complicated at the first glance. However, you can finally get a working Windows Firewall configuration that allows only approved network connections and blocks other ones. From my experience, I’d like to note that you can quickly find the list of used TCP/UDP ports for Microsoft software.

2 comments
4
Facebook Twitter Google + Pinterest
previous post
Adding Third-Party Drivers into VMWare ESXi 6.7 ISO Image
next post
Get-ADComputer: Find Computer Details in Active Directory with PowerShell

Related Reading

Checking Windows Activation Status on Active Directory Computers

June 27, 2022

How to Disable or Enable USB Drives in...

June 24, 2022

Adding Domain Users to the Local Administrators Group...

June 23, 2022

Creating New User Accounts in Active Directory with...

June 7, 2022

Create Organizational Units (OU) Structure in Active Directory...

May 17, 2022

2 comments

Ayomide August 18, 2021 - 7:42 pm

Thanks, following your step by step process restored my firewall defender. I’ll like to ask a question, my firewall sees some of my zip as corrupt but isn’t so on my other laptop, what could be the problem?

Reply
Vita December 16, 2021 - 9:31 am

Thanks, I didn’t feel like searching for the policy much less now that I know there is a second policy that wouldn’t work and probably would long to find the reason for it only after first breaking something trying to fix it… Standard Windows Admin.

I would not, or I should say, will not set the default of blocking inbound connections and allowing out. In a domain, computers are supposed to be in trusted zones and firewall issues are common problems everpresent in TechNet back before it was replaced for the worse. Even more important than inbound rules is not the allow anything out, in fact, not allow anything out; this is how malware receives its payload after infiltrating-in, and how telemetry both third and first party is sent back, and how Windows Update is allowed to break systems, remove features and reset settings.

I’ve ran for many years DCs, an Exchange Server, and several roles of Windows Server machines that never get updates which is supposed to make them vulnerable but in fact these machines of which some are accessible over the Internet (Exchange, ADFS), that have the firewall disabled, Defender disabled, have never been compromised because they cannot connect out on their own. DCs get DNS through DNS proxies only.

Only now I’m looking into configuring the firewall in a computer. Polish security team CQURE showed that Microsoft hardcodes some of its servers, specifically telemetry, and allows traffic regardless of firewall settings at a Microsoft event no less, so I guess I’m doing this just out of curiosity or irony maybe? than practicality now that I think about it.

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows 7
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • PowerShell
  • VMWare
  • Hyper-V
  • MS Office

Recent Posts

  • How to Deploy Windows 10 (11) with PXE Network Boot?

    June 27, 2022
  • Checking Windows Activation Status on Active Directory Computers

    June 27, 2022
  • Configuring Multiple VLAN Interfaces on Windows

    June 24, 2022
  • How to Disable or Enable USB Drives in Windows using Group Policy?

    June 24, 2022
  • Adding Domain Users to the Local Administrators Group in Windows

    June 23, 2022
  • Viewing a Remote User’s Desktop Session with Shadow Mode in Windows

    June 23, 2022
  • How to Create a Wi-Fi Hotspot on your Windows PC?

    June 23, 2022
  • Configuring SSH Public Key Authentication on Windows

    June 15, 2022
  • How to Run a Program as a Different User (RunAs) in Windows?

    June 15, 2022
  • FAQ: Licensing Microsoft Exchange Server 2019/2016

    June 14, 2022

Follow us

woshub.com

ad

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Allow RDP Access to Domain Controller for Non-admin Users
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Get-ADComputer: Find Computer Details in Active Directory with PowerShell
  • Deploy PowerShell Active Directory Module without Installing RSAT
  • Managing User Photos in Active Directory Using ThumbnailPhoto Attribute
  • Changing Desktop Background Wallpaper in Windows through GPO
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top