This commit is contained in:
Paolo Matarazzo
2023-11-17 16:04:20 -05:00
parent 99e5fe9f57
commit 3cfa8b0757
5 changed files with 20 additions and 144 deletions


@ -7,7 +7,7 @@ ms.topic: best-practice
# Configure Windows Firewall
This article describes the available tools to configure Windows Firewall and some recommended practices.
This article describes the available tools to configure Windows Firewall, firewall rules, and some recommended practices.
## Configuration tools
@ -15,13 +15,15 @@ Windows offers different tools to view the status and configure Windows Firewall
- [Windows Security](#windows-security)
- [Control Panel](#control-panel)
- Windows Defender Firewall with Advanced Security and its integration with the [Microsoft Management Console (MMC)](#microsoft-management-console-mmc)
- [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) and its integration with the Microsoft Management Console (MMC)
- [Configuration Service Provider (CSP)](#configuration-service-provider-csp)
- [Command line tools](#command-line-tools)
> [!NOTE]
> To change the configuration of Windows Firewall on a device, you must have administative rights.
#### Windows Defender Firewall with Advanced Security
:::row:::
:::column span="4":::
#### Windows Security
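Review bot: the new `#### Windows Defender Firewall with Advanced Security` heading placed directly above the `:::row:::` that opens the Windows Security section looks like a stray duplicate: the same heading is added again inside the row layout in the next hunk (@ -53,12 +55,12 @@), and two identical headings make the second anchor render with a numeric suffix, so `[Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security)` in this list and in the deployment list would resolve to the stray heading instead of the section that describes the snap-in. Drop the stray line. While here, the unchanged note line misspells "administrative" (`administative`).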
@ -53,12 +55,12 @@ Windows offers different tools to view the status and configure Windows Firewall
:::row-end:::
:::row:::
:::column span="4":::
#### Microsoft Management Console (MMC)
#### Windows Defender Firewall with Advanced Security
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
The *Windows Defender Firewall with Advanced Security* MMC snap-in (`wf.msc`) provides advanced configuration functionalities. It can be used locally and in centralized group policy (GPO) management solutions.
The *Windows Defender Firewall with Advanced Security* MMC snap-in provides advanced configuration functionalities. It can be used locally (`wf.msc`) and in group policy (GPO) implementations.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/mmc-advanced-security.png" alt-text="Screenshot of the Windows Defender Firewall with Advanced Security MMC snap-in." lightbox="images/mmc-advanced-security.png" border="false":::
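Review bot: the rewritten sentence drops "centralized" and ends in "group policy (GPO) implementations", which reads less clearly than the original "centralized group policy (GPO) management solutions"; suggest "It can be used locally (`wf.msc`) and in centralized group policy (GPO) management." Renaming the heading from "Microsoft Management Console (MMC)" removes the `#microsoft-management-console-mmc` anchor; the tool list at the top of this file and the deployment list are updated in this commit, but any other page linking to the old anchor will break, so search the docset for it before merging.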
@ -96,7 +98,7 @@ It's recommended to maintain the default Windows Firewall settings whenever poss
### Restrictions per profile
You may also wish to modify the restrictions on your firewall rules depending on which profile the rules are applied to. For applications and services that are designed to only be accessed by devices within a home or small business network, it's best to modify the remote address restriction to specify **Local Subnet** only. The same application or service wouldn't have this restriction when used in an enterprise environment. This can be done by adding the remote address restriction to rules that are added to the private and public profiles, while leaving them unrestricted in the domain profile. This remote address restriction shouldn't apply to applications or services that require global Internet connectivity.
You may need to modify the restrictions on your firewall rules depending on which profile the rules are applied to. For applications and services that are designed to only be accessed by devices within a home or small business network, it's best to modify the remote address restriction to specify **Local Subnet** only. The same application or service wouldn't have this restriction when used in an enterprise environment. This can be done by adding the remote address restriction to rules that are added to the private and public profiles, while leaving them unrestricted in the domain profile. This remote address restriction shouldn't apply to applications or services that require global Internet connectivity.
### Rule precedence for inbound rules
@ -148,7 +150,7 @@ Creation of application rules at runtime can also be prohibited by administrator
Firewall rules can be deployed:
1. Locally using the [Microsoft Management Console (MMC)](#microsoft-management-console-mmc)
1. Locally using the [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) console (wf.msc`)`)
1. Locally using [command line tools](#command-line-tools)
1. Remotely using group policy (GPO) settings if the device is a member of an Active Directory domain, or managed by Configuration Manager
1. Remotely using the [Firewall CSP](/windows/client-management/mdm/firewall-csp), with a mobile device management (MDM) solution like Microsoft Intune
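Review bot: the backticks in the new first list item are misplaced: `(wf.msc`)`)` renders as literal text followed by a stray closing parenthesis; it should read `console (`wf.msc`)`. The link target change itself matches the heading rename in this file.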


@ -1,103 +0,0 @@
---
title: Create Windows Firewall rules in Intune
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security.
ms.date: 11/07/2023
ms.topic: how-to
---
# Create Windows Firewall rules in Intune
To get started, Open the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), and then go to **Devices** > **Windows** > **Configuration profiles** > **Create profile** > Choose **Windows 10 and later** as the platform, Choose **Templates**, then **Endpoint protection** as the profile type.
Select Windows Defender Firewall.
:::image type="content" source="images/windows-firewall-intune.png" alt-text="Example of a Windows Defender Firewall policy in Microsoft Intune and the Intune admin center.":::
>[!IMPORTANT]
>A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
## Firewall rule components
The firewall rule configurations in Intune use the Windows CSP for Firewall. For more information, see [Firewall CSP](/windows/client-management/mdm/firewall-csp).
## Application
Control connections for an app or program.
Apps and programs can be specified either file path, package family name, or Windows service short name.
The file path of an app is its location on the client device.
For example, C:\Windows\System\Notepad.exe.
[Learn more](/windows/client-management/mdm/firewall-csp#filepath)
Package family names can be retrieved by running the Get-AppxPackage command from PowerShell.
[Learn more](https://aka.ms/intunefirewallPackageNameFromPowerShell)
Windows service short names are used in cases when a service, not an application, is sending or receiving traffic.
Default is All.
[Learn more](/windows/client-management/mdm/firewall-csp#servicename)
## Protocol
Select the protocol for this port rule. Transport layer protocols—TCP and UDP—allow you to specify ports or port ranges. For custom protocols, enter a number between 0 and 255 representing the IP protocol.
Default is Any.
[Learn more](/windows/client-management/mdm/firewall-csp#protocol)
## Local ports
Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
[Learn more](/windows/client-management/mdm/firewall-csp#localportranges)
## Remote ports
Comma separated list of ranges. For example, *100-120,200,300-320*. Default is All.
[Learn more](/windows/client-management/mdm/firewall-csp#remoteportranges)
## Local addresses
Comma-separated list of local addresses covered by the rule. Valid tokens include:
- `*` indicates any local address. If present, this token must be the only one included
- A subnet can be specified using either the subnet mask or network prefix notation. If a subnet mask or a network prefix isn't specified, the subnet mask default is 255.255.255.255
- A valid IPv6 address
- An IPv4 address range in the format of "start address-end address" with no spaces included
- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address
[Learn more](/windows/client-management/mdm/firewall-csp#localaddressranges)
## Remote addresses
List of comma separated tokens specifying the remote addresses covered by the rule. Tokens are case insensitive. Valid tokens include:
- `*` indicates any remote address. If present, this token must be the only one included
- Defaultgateway
- DHCP
- DNS
- WINS
- Intranet
- RmtIntranet
- Internet
- Ply2Renders
- LocalSubnet indicates any local address on the local subnet
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255
- A valid IPv6 address
- An IPv4 address range in the format of "start address-end address" with no spaces included
- An IPv6 address range in the format of "start address-end address" with no spaces included
Default is Any address
[Learn more](https://aka.ms/intunefirewallremotaddressrule)
## Edge traversal
Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default.
[Learn more](/windows/client-management/mdm/firewall-csp#edgetraversal)
## Authorized users
Specifies the list of authorized local users for this rule. A list of authorized users can't be specified if the rule being authored is targeting a Windows service. Default is all users.
[Learn more](/windows/client-management/mdm/firewall-csp#localuserauthorizedlist)
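Review bot: deleting create-windows-firewall-rules-in-intune.md outright needs a redirect entry for the old URL, since the page was published (its front matter carries `ms.date: 11/07/2023`); the commit summary says 5 files changed but only 4 appear in this view, so confirm the fifth is the redirection entry and that it points to a page that still covers this material. Several details exist only in the deleted file and are not reintroduced by the other hunks: the 150-rule limit per Endpoint Protection profile in the IMPORTANT note, the remote-address keyword list (Defaultgateway, DHCP, DNS, WINS, Intranet, RmtIntranet, Internet, Ply2Renders, LocalSubnet), the 255.255.255.255 default when no subnet mask or prefix is given, the edge traversal explanation with its IPv6 requirement, and the rule that an authorized-user list cannot be set on a rule targeting a Windows service. If these are meant to live in the Firewall CSP reference instead, the remaining pages should link there explicitly; otherwise the text should be moved rather than dropped.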


@ -42,45 +42,19 @@ The default behavior of Windows Firewall is to:
### Firewall rules
*Firewall rules* identify communication to be allowed or blocked, and the conditions for this to happen. The rules offer an extensive selection of conditions to identify traffic, including:
*Firewall rules* identify allowed or blocked network traffic, and the conditions for this to happen. The rules offer an extensive selection of conditions to identify traffic, including:
- source and destination IP addresses
- can make use dynamic values, like default gateway, DHCP servers, DNS servers and local subnets
- protocol name or type
- source and destination TCP or UDP ports
- interface type
- Application, service or program name
- Source and destination IP addresses
- Can make use dynamic values, like default gateway, DHCP servers, DNS servers and local subnets
- Protocol name or type. For transport layer protocols, TCP and UDP, you can specify ports or port ranges. For custom protocols, you can use a number between 0 and 255 representing the IP protocol
- Interface type
- ICMP/ICMPv6 traffic type and code
- rules can apply to any process, any service or spoecific service
### Firewall profiles
Windows Firewall offers three network profiles: domain, private and public. The network profiles are used to assign rules. For example, you can allow a specific application to communicate on a private network, but not on a public network.
:::row:::
:::column span="1":::
#### :::image type="icon" source="images/domain-network.svg" border="false"::: Domain network
:::column-end:::
:::column span="3":::
The *domain network* profile is automatically applied to a device that is joined to an Active Directory domain, when it detects the availability of a domain controller. This network profile cannot be set manually.
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
#### :::image type="icon" source="images/private-network.svg" border="false"::: Private network
:::column-end:::
:::column span="3":::
The *private network* profile is designed for private networks such as a home network. It can be set on a network interface by an administrator.
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
#### :::image type="icon" source="images/public-network.svg" border="false"::: Public network
:::column-end:::
:::column span="3":::
The *public network* profile is designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, etc. It's the default profile for unidentified networks.
:::column-end:::
:::row-end:::
#### :::image type="icon" source="images/domain-network.svg" border="false"::: Domain network
The *domain network* profile is automatically applied to a device that is joined to an Active Directory domain, when it detects the availability of a domain controller. This network profile cannot be set manually.
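Review bot: the new last bullet `rules can apply to any process, any service or spoecific service` has a typo (`spoecific`) and is the only lowercase-initial item in an otherwise capitalised list; `Can make use dynamic values` is missing "of" (carried over from the old list). Dropping the "Application, service or program name" bullet also loses the statement that a rule can match on a program's file path or app package; the replacement bullet mentions only processes and services, so consider "Application (by file path or package family name), service, or program" to keep that condition visible.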
@ -96,7 +70,7 @@ The *public network* profile is designed with higher security in mind for public
## Next steps
> [!div class="nextstepaction"]
> Learn about the tools to configure Windows Firewall and some recommended practices:
> Learn about the tools to configure Windows Firewall, firewall rules, and some recommended practices:
>
> [Configure Windows Firewall >](configure.md)


@ -5,8 +5,6 @@ items:
items:
- name: Configure Windows Firewall
href: configure.md
- name: Configure rules with Microsoft Intune
href: create-windows-firewall-rules-in-intune.md
- name: Configure rules with group policy
href: configure-rules-with-gpo.md
- name: Configure with command line tools