M17: Windows Firewall & Security

Windows Defender Firewall with Advanced Security provides host-based firewall protection and IPsec capabilities to protect Windows servers from network threats.

What You'll Learn

  • Firewall profiles and rules
  • Inbound and outbound filtering
  • Connection security rules (IPsec)
  • Firewall management via Group Policy
  • PowerShell firewall administration

Prerequisites

  • Windows Server administration
  • Group Policy fundamentals (M10)
  • TCP/IP networking concepts
  • Basic security principles
Defense in Depth: Windows Firewall is a critical layer in defense-in-depth strategy. Even on internal networks, host-based firewalls protect against lateral movement by attackers.
[Diagram: every packet is vetted. Traffic from external networks (internet, LAN) passes through the firewall's rule evaluation before reaching listening applications (443, 3389, ICMP). Built in to every Windows release since XP SP2; inbound is blocked by default and rules allow only listed legitimate traffic.]

Firewall Profiles

Windows Firewall uses three profiles that automatically activate based on network location detection.

Profile   Description                         Default Behavior
-------   -----------                         ----------------
Domain    Connected to an AD domain network   Block unsolicited inbound, allow outbound
Private   Trusted home/work network           Block unsolicited inbound, allow outbound
Public    Untrusted public networks           Block unsolicited inbound, allow outbound; fewest predefined inbound rules enabled (no discovery, no file sharing)

Querying the profile status shows which profiles are active and their default actions for inbound and outbound traffic. On a host where nothing has set these explicitly, both actions read NotConfigured, which means the built-in defaults apply: block unsolicited inbound, allow outbound.

# View current firewall profile settings and default actions
PS C:\> Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Expected output:
Name    Enabled DefaultInboundAction DefaultOutboundAction
----    ------- -------------------- ---------------------
Domain  True    Block                Allow
Private True    Block                Allow
Public  True    Block                Allow

Ensuring the firewall is enabled on all three profiles is a baseline security requirement for every Windows Server.

# Enable the firewall for all three profiles at once
PS C:\> Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Profile Detection: On servers with multiple NICs, different profiles may apply to different interfaces. Domain profile activates when DC is reachable via that NIC.
[Diagram: the three profiles compared. Domain (corporate network): most permissive, intended for managed PCs; RDP, SMB, remote tools and network discovery rules typically enabled. Private (home or trusted network, chosen when the user marks a network "private"): medium; file sharing and network discovery on, RDP and remote management off by default. Public (e.g. coffee-shop Wi-Fi): most restrictive; all unsolicited inbound blocked, no discovery, no file sharing, outbound only.]
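The baseline above ("firewall on, inbound blocked, on all three profiles") is worth probing continuously rather than setting once. The following is an added example, not code from the course: it reports profiles that have drifted, treats NotConfigured as the secure built-in default rather than a finding, and flags local-rule merge on the Domain profile, which lets any local administrator add an allow rule the GPO-managed rule set never shows. The -Remediate switch is this script's own convention.

```powershell
# Added example, not from the course. Reports profile drift; with -Remediate it
# also pushes the baseline back. Run in an elevated PowerShell on the server.
function Test-FirewallBaseline {
    param([switch]$Remediate)
    $findings = @()
    foreach ($p in Get-NetFirewallProfile) {
        # 'NotConfigured' for Enabled/DefaultInboundAction means the built-in
        # default (on / block), so only an explicit bad value is a finding.
        if ($p.Enabled -eq 'False') {
            $findings += "$($p.Name): firewall disabled"
            if ($Remediate) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
        }
        if ($p.DefaultInboundAction -eq 'Allow') {
            $findings += "$($p.Name): default inbound action is Allow"
            if ($Remediate) { Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction Block }
        }
        # Local rule merge on the Domain profile lets any local admin add an
        # allow rule that the GPO-managed rule set never shows. This setting is
        # only changeable through Group Policy, so it is reported, not fixed.
        if ($p.Name -eq 'Domain' -and $p.AllowLocalFirewallRules -eq 'True') {
            $findings += "$($p.Name): local firewall rules are merged with GPO rules"
        }
        if ($p.LogBlocked -ne 'True') {
            $findings += "$($p.Name): dropped packets are not logged"
            if ($Remediate) { Set-NetFirewallProfile -Name $p.Name -LogBlocked True }
        }
    }
    return $findings
}

# Probe mode: non-zero exit so a scheduled task or config-management agent notices.
$findings = Test-FirewallBaseline
if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
'Firewall baseline OK'
```

Run it as `Test-FirewallBaseline -Remediate` from a deployment script to enforce, and without the switch from monitoring so that drift is recorded before it is silently corrected.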

Firewall Rule Types

Windows Firewall supports multiple rule types for comprehensive traffic control.

Inbound Rules

  • Control incoming connections
  • Default: Block all unsolicited
  • Predefined rules for services
  • Can filter by program, port, IP

Outbound Rules

  • Control outgoing connections
  • Default: Allow all outbound
  • Used for restrictive environments
  • Block data exfiltration

Rule Criteria

  • Program: Path to executable (e.g., C:\Windows\System32\dns.exe)
  • Port: TCP/UDP port numbers (e.g., TCP 443)
  • Predefined: Built-in rules for Windows features
  • Custom: Combine multiple criteria

Creating Firewall Rules

PowerShell provides comprehensive cmdlets for firewall rule management.

Port-based rules are the most common type. This opens HTTP and HTTPS for a web server, but only on domain and private networks.

# Allow inbound HTTP and HTTPS on Domain and Private profiles
PS C:\> New-NetFirewallRule -DisplayName "Allow Web Server" -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Allow -Profile Domain,Private

# Expected output:
Name   DisplayName      Direction Action Profile
----   -----------      --------- ------ -------
{GUID} Allow Web Server Inbound   Allow  Domain, Private

Program-based rules allow traffic to a specific executable on whatever port it listens on, which is useful when the application uses dynamic ports. Two caveats: without -Profile the rule applies to all three profiles (Profile shows Any), so scope it; and a program rule trusts a file path, so anyone who can write to that path inherits the opening. Prefer a port rule whenever the port is fixed.

# Allow all inbound traffic for the SQL Server process
PS C:\> New-NetFirewallRule -DisplayName "Allow SQL Server" -Direction Inbound -Program "C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -Action Allow

# Expected output:
Name   DisplayName      Direction Action Profile
----   -----------      --------- ------ -------
{GUID} Allow SQL Server Inbound   Allow  Any

Restricting source addresses limits who can connect. This rule allows RDP only from the admin subnet. Allow rules are additive, though: this rule does not block other sources by itself. If the built-in Remote Desktop rules (which allow from Any) stay enabled, the restriction does nothing; disable them or scope them the same way.

# Allow RDP only from the 10.0.1.0/24 admin network
PS C:\> New-NetFirewallRule -DisplayName "Allow RDP from Admin Network" -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.1.0/24 -Action Allow

# Expected output:
Name   DisplayName                  Direction Action RemoteAddress
----   -----------                  --------- ------ -------------
{GUID} Allow RDP from Admin Network Inbound   Allow  10.0.1.0/24
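The additive-rule problem, worked through as an added example that is not course code: create the scoped rule, then hunt for every other enabled inbound allow rule that also reaches TCP/3389 from anywhere and disable it, then verify. The admin subnet is the one from the text; scoping the rule to the Domain profile is this script's choice.

```powershell
# Added example, not from the course. Scope RDP to the admin subnet AND make sure
# no broader enabled allow rule for TCP/3389 overrides it. Assumes the admin
# subnet 10.0.1.0/24 from the text; the Domain-profile scoping is this script's choice.
$AdminNet = '10.0.1.0/24'
$Scoped   = 'Allow RDP from Admin Network'

# 1. Create the scoped rule, or tighten it if it already exists.
$rule = Get-NetFirewallRule -DisplayName $Scoped -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Set-NetFirewallRule -RemoteAddress $AdminNet -Profile Domain -Enabled True
} else {
    $rule = New-NetFirewallRule -DisplayName $Scoped -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AdminNet -Profile Domain -Action Allow
}

# 2. Find every OTHER enabled inbound allow rule that also reaches TCP/3389 from
#    anywhere. Allow rules are additive, so one of these makes step 1 pointless.
#    (Port ranges such as 1024-65535 are not expanded here; check those by hand.)
$broad = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    if ($r.Name -eq $rule.Name) { continue }
    $port = $r | Get-NetFirewallPortFilter
    $addr = $r | Get-NetFirewallAddressFilter
    $app  = $r | Get-NetFirewallApplicationFilter
    # A program rule with port Any only opens what that program listens on, so
    # it counts as broad only when the program is Any too.
    $hitsPort = ($port.Protocol -in 'TCP','Any') -and
                (($port.LocalPort -contains '3389') -or
                 ($port.LocalPort -eq 'Any' -and $app.Program -eq 'Any'))
    if ($hitsPort -and ($addr.RemoteAddress -contains 'Any')) { $r }
}

# 3. Report and disable them. The built-in "Remote Desktop - User Mode (TCP-In)"
#    rule is the usual offender; disabling it is safe because step 1 replaces it.
foreach ($r in $broad) {
    Write-Warning "Disabling broader rule: $($r.DisplayName) [$($r.DisplayGroup)]"
    $r | Disable-NetFirewallRule
}

# 4. Verify: every enabled allow that touches 3389 should now list $AdminNet.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        '{0} <- {1}' -f $_.DisplayName, (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
```

Step 4 is the check to keep: if it ever prints a line ending in `Any`, someone (or some installer) has reopened RDP to the world.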

Advanced Rule Properties

Fine-tune firewall rules with advanced properties for precise access control.

Property       Description                                                          Example Values
--------       -----------                                                          --------------
LocalAddress   Local IP addresses to match                                          Any, 10.0.0.1, 10.0.0.0/24
RemoteAddress  Remote IP addresses or keywords to match                             Any, LocalSubnet, Internet
LocalPort      Local ports to match                                                 80, 443, 1024-65535
RemotePort     Remote ports to match                                                Any, specific ports
RemoteUser     Connecting accounts, as an SDDL string (IPsec-authenticated only)    D:(A;;CC;;;S-1-5-21-...)
LocalUser      Local principals on this machine, as an SDDL string                  D:(A;;CC;;;S-1-5-21-...)
InterfaceType  Network interface type                                               Wired, Wireless, RemoteAccess

Combining multiple properties creates a highly targeted rule. This one restricts WinRM to a specific subnet and to an authorized user, identified by SID in an SDDL string. Two caveats: user-based authorization is only evaluated on connections that IPsec has authenticated (the GUI's "Allow the connection if it is secure" option), so the rule needs -Authentication Required plus a matching connection security rule, and plaintext WinRM traffic will not match it at all; and -RemoteUser names the connecting account, whereas -LocalUser refers to the local principal on this machine.

# Allow WinRM only from the admin subnet, over IPsec, for one authorized user
PS C:\> New-NetFirewallRule -DisplayName "Secure Admin Access" -Direction Inbound -Protocol TCP -LocalPort 5985,5986 -RemoteAddress 10.0.1.0/24 -Authentication Required -RemoteUser "D:(A;;CC;;;S-1-5-21-...)" -Action Allow -Enabled True

# Expected output:
Name   DisplayName         Direction Action LocalPort
----   -----------         --------- ------ ---------
{GUID} Secure Admin Access Inbound   Allow  {5985, 5986}

Managing Existing Rules

Query, modify, and maintain firewall rules using PowerShell.

Listing all enabled inbound rules gives you a full picture of what traffic the server currently accepts.

# List all enabled inbound rules with their profiles and actions
PS C:\> Get-NetFirewallRule -Direction Inbound -Enabled True | Select DisplayName, Profile, Action

# Expected output:
DisplayName                    Profile         Action
-----------                    -------         ------
Core Networking - DNS (UDP-In) Any             Allow
Allow Web Server               Domain, Private Allow
Allow RDP from Admin Network   Any             Allow

Wildcard searches help you find rules when you only remember part of the display name.

# Search for all firewall rules containing "RDP" in their name
PS C:\> Get-NetFirewallRule -DisplayName "*RDP*"

# Expected output:
Name   DisplayName                  Enabled Direction Action
----   -----------                  ------- --------- ------
{GUID} Allow RDP from Admin Network True    Inbound   Allow
{GUID} Remote Desktop - User Mode   True    Inbound   Allow

Managing Existing Rules (cont.)

Piping a rule to Get-NetFirewallPortFilter reveals which ports the rule actually targets.

# Get the port filter details for Remote Desktop rules
PS C:\> Get-NetFirewallRule -DisplayName "Remote Desktop*" | Get-NetFirewallPortFilter

# Expected output:
Protocol LocalPort RemotePort
-------- --------- ----------
TCP      3389      Any
UDP      3389      Any

Disabling a rule keeps it defined but inactive, useful for temporarily removing access without losing the configuration.

# Disable the web server rule without deleting it
PS C:\> Disable-NetFirewallRule -DisplayName "Allow Web Server"

Modifying an existing rule avoids having to delete and recreate it. The web server rule was created without -RemoteAddress, so it accepts connections from Any; here we tighten it to the internal 10.0.0.0/8 range.

# Restrict the allowed remote address on an existing rule
PS C:\> Set-NetFirewallRule -DisplayName "Allow Web Server" -RemoteAddress 10.0.0.0/8

Removing a rule permanently deletes it from the firewall configuration.

# Permanently delete a temporary test rule
PS C:\> Remove-NetFirewallRule -DisplayName "Temporary Test Rule"
Tip: Use Get-NetFirewallRule with Get-NetFirewallPortFilter, Get-NetFirewallAddressFilter, and Get-NetFirewallApplicationFilter to see all rule details.

Connection Security Rules (IPsec)

Connection security rules configure IPsec authentication and encryption between computers.

Authentication Methods

  • Kerberos (domain members)
  • Certificates (PKI)
  • Pre-shared keys (testing only)
  • NTLMv2

Rule Types

  • Isolation: Require auth for all connections
  • Authentication exemption: Skip auth for specific IPs
  • Server-to-server: Between specific endpoints
  • Tunnel: IPsec tunnel mode

IPsec connection security rules enforce mutual authentication between machines. Requiring security in both directions means no unauthenticated peer can talk to this host at all, which also cuts off every non-domain system (monitoring appliances, printers, hosts still being built) unless an authentication exemption rule covers it. -Phase1AuthSet takes the Name of a phase 1 authentication set; "ComputerKerberos" here stands for a set created beforehand with New-NetIPsecPhase1AuthSet from a New-NetIPsecAuthProposal -Machine -Kerberos proposal. Roll out with Request first, confirm the expected peers negotiate, then move to Require.

# Require Kerberos-based IPsec authentication for all connections
PS C:\> New-NetIPsecRule -DisplayName "Require Domain Authentication" -InboundSecurity Require -OutboundSecurity Require -Phase1AuthSet "ComputerKerberos"

# Expected output:
DisplayName                   InboundSecurity OutboundSecurity Phase1AuthSet
-----------                   --------------- ---------------- -------------
Require Domain Authentication Require         Require          ComputerKerberos
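The staged rollout, as an added example that is not course code: build the ComputerKerberos authentication set the rule above refers to, exempt the domain controllers (a client needs a ticket before it can authenticate, and it gets the ticket from a DC), start in Request mode, measure which peers negotiate, then require. The two DC addresses are constructed placeholders.

```powershell
# Added example, not from the course. Domain isolation in stages. The two DC
# addresses are constructed placeholders; replace them with your DCs (and your
# DNS/DHCP servers if they live elsewhere).
$DCs = '10.0.0.10', '10.0.0.11'

# Phase 1 (main mode) authentication: computer Kerberos only, no NTLM fallback.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -Name 'ComputerKerberos' `
    -DisplayName 'Computer Kerberos' -Proposal $proposal

# Exemption: DC traffic stays in the clear so a machine can obtain its ticket.
# A rule that names specific addresses takes precedence over the general one.
New-NetIPsecRule -DisplayName 'Exempt Domain Controllers' -RemoteAddress $DCs `
    -InboundSecurity None -OutboundSecurity None -Profile Domain

# Stage 1: Request in both directions. IPsec-capable peers negotiate; legacy
# peers still connect in the clear, so nothing breaks while coverage is measured.
New-NetIPsecRule -DisplayName 'Domain Isolation' -Profile Domain `
    -InboundSecurity Request -OutboundSecurity Request -Phase1AuthSet $authSet.Name

# Measure: main-mode SAs show which peers actually negotiated, and as whom.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, RemoteFirstId

# Stage 2, once every expected peer appears above: require inbound, keep outbound
# at Request so this host can still initiate connections to non-domain systems.
Set-NetIPsecRule -DisplayName 'Domain Isolation' `
    -InboundSecurity Require -OutboundSecurity Request
```

Keeping outbound at Request is deliberate: Require/Require on a server that must reach an un-joined backup target or NTP source produces an outage that looks exactly like a network fault.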

Firewall Logging

Configure logging to troubleshoot and audit firewall activity.

Log Settings

  • Log dropped packets: Record blocked connections
  • Log successful connections: Record allowed connections
  • Log file size: Maximum size before rotation
  • Log file path: Default: %systemroot%\system32\LogFiles\Firewall\

Enabling logging for blocked and allowed connections gives full visibility into traffic decisions. The 4MB log size prevents disk exhaustion.

# Enable full firewall logging on the Domain profile with a 4MB cap
PS C:\> Set-NetFirewallProfile -Profile Domain -LogBlocked True -LogAllowed True -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log" -LogMaxSizeKilobytes 4096

Verify the logging configuration to confirm it was applied correctly across the target profiles.

# Check the current logging settings for all profiles
PS C:\> Get-NetFirewallProfile | Select Name, LogBlocked, LogAllowed, LogFileName

# Expected output:
Name    LogBlocked LogAllowed LogFileName
----    ---------- ---------- -----------
Domain  True       True       %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Private False      False      %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Public  False      False      %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Performance Note: Logging allowed connections can generate large logs and impact performance. Enable selectively for troubleshooting.

Group Policy Deployment

Deploy firewall rules across the enterprise using Group Policy.

GPO Firewall Settings Location

  • Computer Configuration > Policies > Windows Settings > Security Settings
  • Windows Defender Firewall with Advanced Security

Firewall GPO Architecture

  • Domain GPO: baseline rules for every machine
  • Server OU GPO: server-role-specific rules
  • Local rules: applied only if the GPO permits local rule merge

GPO settings to consider:

  • Apply local firewall rules: Yes/No
  • Apply local connection security rules: Yes/No
  • Inbound/Outbound default actions
  • Logging settings
Best Practice: Create separate GPOs for different server roles. A web server needs different rules than a file server.
Firewall log: who got blocked, who got through (C:\Windows\System32\LogFiles\Firewall\pfirewall.log)

#Fields: date time action protocol src-ip dst-ip src-port dst-port size info
2024-03-15 10:15:00 ALLOW TCP 10.0.0.50 10.0.0.10 49152 443 0
2024-03-15 10:15:08 DROP TCP 198.51.100.4 10.0.0.10 51282 3389 0
2024-03-15 10:15:14 ALLOW UDP 10.0.0.99 10.0.0.10 53241 53 0
2024-03-15 10:15:21 DROP TCP 203.0.113.5 10.0.0.10 41122 445 0
2024-03-15 10:15:28 ALLOW TCP 10.0.0.51 10.0.0.10 49801 80 0
2024-03-15 10:15:34 DROP ICMP 192.0.2.99 10.0.0.10 0 0 8

Feed into a SIEM (Sentinel, Splunk, ELK) for correlation. Enable with: Set-NetFirewallProfile -LogAllowed True -LogBlocked True
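Before the log reaches a SIEM, it is worth being able to triage it on the box. The following is an added example, not course code: a parser driven by the log's own #Fields header (so it also handles the longer header a real pfirewall.log carries, with tcpflags, icmptype and path columns), followed by two detection queries. The sample lines are constructed to match the excerpt above and are not a capture from a real server.

```powershell
# Added example, not from the course. Parse pfirewall.log and surface repeated
# DROPs. The '#Fields:' line drives the column names, so the same code handles
# the real log's longer header. Sample lines below are constructed, not captured.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size info
2024-03-15 10:15:00 ALLOW TCP 10.0.0.50 10.0.0.10 49152 443 0 -
2024-03-15 10:15:08 DROP TCP 198.51.100.4 10.0.0.10 51282 3389 0 -
2024-03-15 10:15:14 ALLOW UDP 10.0.0.99 10.0.0.10 53241 53 0 -
2024-03-15 10:15:21 DROP TCP 203.0.113.5 10.0.0.10 41122 445 0 -
2024-03-15 10:15:22 DROP TCP 203.0.113.5 10.0.0.10 41123 445 0 -
2024-03-15 10:15:23 DROP TCP 203.0.113.5 10.0.0.10 41124 3389 0 -
2024-03-15 10:15:28 ALLOW TCP 10.0.0.51 10.0.0.10 49801 80 0 -
2024-03-15 10:15:34 DROP ICMP 192.0.2.99 10.0.0.10 0 0 8 -
'@

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    # Column names come from the header, so no hard-coded field list.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    $fields = ($header -replace '^#Fields:\s*', '') -split '\s+'
    $Lines | Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Delimiter ' ' -Header $fields
}

$events = ConvertFrom-PfirewallLog ($sample -split "`r?`n")

# 1. Who is hammering closed ports: drops grouped by source and destination port.
$events | Where-Object action -eq 'DROP' |
    Group-Object 'src-ip', 'dst-port' | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source';  e = { $_.Group[0].'src-ip' } },
        @{ n = 'DstPort'; e = { $_.Group[0].'dst-port' } }

# 2. Non-internal sources probing SMB or RDP: the lines a SIEM rule should alert on.
#    (Internal range assumed to be 10/8, matching the sample addresses.)
$events | Where-Object {
        $_.action -eq 'DROP' -and $_.'dst-port' -in '445','3389' -and $_.'src-ip' -notmatch '^10\.'
    } | ForEach-Object { "ALERT $($_.date) $($_.time) $($_.'src-ip') -> tcp/$($_.'dst-port')" }

# Against the live file:
# ConvertFrom-PfirewallLog (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

The log only reflects what the firewall itself decided; a rule that allowed the packet shows up as ALLOW regardless of whether the listening service then rejected the session.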

Common Server Ports

Reference for ports commonly required on Windows servers.

Service   Protocol/Port        Notes
-------   -------------        -----
DNS       TCP/UDP 53           Domain Name System
LDAP      TCP/UDP 389          Directory queries
LDAPS     TCP 636              LDAP over TLS
Kerberos  TCP/UDP 88           Authentication
SMB       TCP 445              File sharing
RDP       TCP 3389 (UDP 3389)  Remote Desktop
WinRM     TCP 5985/5986        PowerShell Remoting (HTTP/HTTPS)
RPC       TCP 135 + dynamic    Endpoint mapper plus the 49152-65535 dynamic range by default; many Windows services
Security Warning: Never expose RDP (3389) directly to the internet. Use VPN or Remote Desktop Gateway for secure remote access.

Troubleshooting Firewall Issues

Diagnose and resolve common firewall-related connectivity problems.

Diagnostic Commands

Listing active block rules reveals what the firewall is explicitly dropping, helping you identify why a connection is failing.

# Find all enabled inbound rules that are actively blocking traffic
PS C:\> Get-NetFirewallRule -Direction Inbound | Where-Object { $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

# Expected output:
Name   DisplayName          Direction Action Enabled
----   -----------          --------- ------ -------
{GUID} Block Telnet Inbound Inbound   Block  True
{GUID} Block FTP Inbound    Inbound   Block  True

Test-NetConnection quickly confirms whether a specific port is reachable from this server to a remote host.

# Test TCP connectivity to a remote server on port 443
PS C:\> Test-NetConnection -ComputerName server01 -Port 443

# Expected output:
ComputerName     : server01
RemoteAddress    : 10.0.1.50
RemotePort       : 443
TcpTestSucceeded : True

Diagnostic Commands (cont.)

Cross-referencing port filters with enabled rules shows exactly which rules govern a specific port. Get-NetFirewallPortFilter emits the filter object, not the rule, so pipe the matches back into Get-NetFirewallRule to recover the rule names.

# Find all enabled inbound rules that apply to port 443
PS C:\> Get-NetFirewallRule -Direction Inbound -Enabled True | Get-NetFirewallPortFilter | Where-Object LocalPort -eq 443 | Get-NetFirewallRule | Select DisplayName, Action, Profile

# Expected output:
DisplayName      Action Profile
-----------      ------ -------
Allow Web Server Allow  Domain, Private

The firewall's operational event log records every rule and profile-setting change (2004 rule added, 2005 rule modified, 2006 rule deleted, 2003 profile setting changed), which is invaluable for reconstructing what an attacker or an administrator altered. It does not record per-connection decisions; those are Security log events 5156 (allowed) and 5157 (blocked) and only appear once Filtering Platform Connection auditing is enabled.

# View the 20 most recent events from the firewall operational log
PS C:\> Get-WinEvent -LogName "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" -MaxEvents 20

# Expected output:
TimeCreated           Id   LevelDisplayName Message
-----------           --   ---------------- -------
1/31/2026 10:15:00 AM 2004 Information      A rule has been added...
1/31/2026 10:14:55 AM 2006 Information      A rule has been deleted...
1/31/2026 10:14:30 AM 2005 Information      A rule has been modified...
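Where the per-connection verdicts actually live, as an added example that is not course code: enable failure auditing for Filtering Platform Connection, then pull the blocked-connection events out of the Security log with the fields an analyst needs. Get-BlockedConnection is this example's own helper; the internal address range assumed for the triage query is 10/8.

```powershell
# Added example, not from the course. Per-connection verdicts are Security log
# events 5156 (allowed) and 5157 (blocked) and exist only after Filtering Platform
# Connection auditing is enabled. Failure-only keeps the volume manageable.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable

function Get-BlockedConnection {
    param([int]$Count = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Count |
        ForEach-Object {
            # EventData fields are only reachable through the event's XML view.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # %%14592 / %%14593 are the Inbound / Outbound message-table tokens.
            $dir = if ($d.Direction -eq '%%14592') { 'Inbound' }
                   elseif ($d.Direction -eq '%%14593') { 'Outbound' }
                   else { $d.Direction }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Direction   = $dir
                Source      = "$($d.SourceAddress):$($d.SourcePort)"
                Destination = "$($d.DestAddress):$($d.DestPort)"
                Protocol    = $d.Protocol      # IANA number: 6 = TCP, 17 = UDP
                Application = $d.Application
                FilterRTID  = $d.FilterRTID    # WFP filter id; resolve with 'netsh wfp show filters'
            }
        }
}

Get-BlockedConnection -Count 20 | Format-Table -AutoSize

# Triage: external sources probing SMB/RDP, ranked by volume (10/8 assumed internal).
Get-BlockedConnection -Count 500 |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Destination -match ':(445|3389)$' -and $_.Source -notmatch '^10\.' } |
    Group-Object { ($_.Source -split ':')[0] } | Sort-Object Count -Descending
```

FilterRTID is the link back to the rule: `netsh wfp show filters` writes filters.xml, and the filter whose filterId matches carries the firewall rule's name in its displayData.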

Common Issues

  • Service not reachable: Check inbound rules for required ports
  • Rules not applying: Verify GPO is linked and applied
  • Wrong profile active: Check network location awareness

Lab Preview: Firewall Configuration

Practice configuring Windows Firewall rules and security settings.

GUI Lab Tasks

  • Explore firewall profiles
  • Create inbound rules
  • Configure port exceptions
  • Enable logging
  • View firewall status

PowerShell Lab Tasks

  • Manage profiles with Set-NetFirewallProfile
  • Create rules with New-NetFirewallRule
  • Query and filter rules
  • Configure logging settings
  • Test connectivity
Scenario: Secure a new web server by configuring appropriate firewall rules while maintaining administrative access for management.