fix errors

This commit is contained in:
Paolo Matarazzo 2023-11-13 12:41:23 -05:00
parent ab64854b5a
commit 4a2bcda691
8 changed files with 158 additions and 270 deletions

View File

@ -7,41 +7,30 @@ ms.date: 09/07/2021
# Create an Inbound Program or Service Rule # Create an Inbound Program or Service Rule
To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port. To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure. > [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
To create an inbound firewall rule for a program or service To create an inbound firewall rule for a program or service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
2. In the navigation pane, click **Inbound Rules**
2. In the navigation pane, click **Inbound Rules**. 3. Click **Action**, and then click **New rule**
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**
3. Click **Action**, and then click **New rule**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
>**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules. >**Note:**  Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
5. On the **Program** page, click **This program path**. 5. On the **Program** page, click **This program path**
6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly. 6. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
7. Do one of the following: 7. Do one of the following:
- If the executable file contains a single program, click **Next**. - If the executable file contains a single program, click **Next**.
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**. - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**.
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**. - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**.
**Important**   > [!IMPORTANT]
To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: > To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command:
**sc** **qsidtype** *<ServiceName>* **sc** **qsidtype** *<ServiceName>*
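Review bot: the note right under the heading still says "This type of rule is often combined with a program or service rule", which is wrong for this page: the page is the program or service rule, and the last sentence of the same note sends the reader to the port rule procedure, so it should read "often combined with a port rule"; since the line is being rewritten into `> [!NOTE]` form anyway, fix the wording in the same edit. Smaller points in this hunk: the `Securitynode` typo in the intro paragraph (should be `Security node`) survives on the new side; the second note (`>**Note:**  Although you can create rules by selecting **Program** or **Port**`) keeps the old syntax while the first was converted to `> [!NOTE]`; and the `**sc** **qsidtype** *<ServiceName>*` line after the `> [!IMPORTANT]` block is not prefixed with `>`, so the admonition ends before the command it introduces. A fenced `sc qsidtype <ServiceName>` inside the quote would also render the angle brackets literally instead of as an HTML tag. Finally, the `Administrative credentials` paragraph (Domain Administrators membership or delegated GPO permissions) is removed with no replacement visible; if it moved to a shared include, say so in the commit message, otherwise restore it.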
@ -53,12 +42,8 @@ To create an inbound firewall rule for a program or service
In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**. In the preceding command, the value of *<Type>* can be **UNRESTRICTED** or **RESTRICTED**. Although the command also permits the value of **NONE**, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as **UNRESTRICTED**. If you change the SID type to **RESTRICTED**, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to **UNRESTRICTED**.
8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**. 8. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**
9. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**. 10. On the **Action** page, select **Allow the connection**, and then click **Next**
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**
10. On the **Action** page, select **Allow the connection**, and then click **Next**. 12. On the **Name** page, type a name and description for your rule, and then click **Finish**
11. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
12. On the **Name** page, type a name and description for your rule, and then click **Finish**.
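Review bot: dropping the trailing periods from steps 8 to 12 leaves the procedure inconsistent with the step 7 sub-bullets and the notes in the previous hunk, which keep theirs; pick one convention for the whole list. Also `*<Type>*` and `*<ServiceName>*` are raw angle brackets in italics, which some markdown renderers swallow as HTML tags; wrap them in backticks (`<Type>`, `<ServiceName>`) instead.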

View File

@ -7,76 +7,45 @@ ms.date: 09/07/2021
# Create Inbound Rules to Support RPC # Create Inbound Rules to Support RPC
To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper. To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see: This topic describes how to create rules that allow inbound RPC network traffic. For other inbound port rule types, see:
- [Create an Inbound Port Rule](create-an-inbound-port-rule.md) - [Create an Inbound Port Rule](create-an-inbound-port-rule.md)
- [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md) - [Create an Inbound ICMP Rule](create-an-inbound-icmp-rule.md)
In this topic: In this topic:
- [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service) - [To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service](#to-create-a-rule-to-allow-inbound-network-traffic-to-the-rpc-endpoint-mapper-service)
- [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services) - [To create a rule to allow inbound network traffic to RPC-enabled network services](#to-create-a-rule-to-allow-inbound-network-traffic-to-rpc-enabled-network-services)
## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service ## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). 1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. In the navigation pane, click **Inbound Rules**.
2. In the navigation pane, click **Inbound Rules**. 1. Click **Action**, and then click **New rule**.
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
3. Click **Action**, and then click **New rule**. 1. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**.
1. Click **Customize**.
4. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. 1. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**.
1. On the warning about Windows service-hardening rules, click **Yes**.
5. On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**. 1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
1. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**.
6. Click **Customize**. 1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
1. On the **Action** page, select **Allow the connection**, and then click **Next**.
7. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**. 1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
1. On the **Name** page, type a name and description for your rule, and then click **Finish**.
8. On the warning about Windows service-hardening rules, click **Yes**.
9. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
10. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**.
11. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
12. On the **Action** page, select **Allow the connection**, and then click **Next**.
13. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.  
14. On the **Name** page, type a name and description for your rule, and then click **Finish**.
## To create a rule to allow inbound network traffic to RPC-enabled network services ## To create a rule to allow inbound network traffic to RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**. 1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**.
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**.
2. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**. 1. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**.
1. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box.
3. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**. 1. Click **OK**, and then click **Next**.
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**.
4. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box. 1. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**.
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
5. Click **OK**, and then click **Next**. 1. On the **Action** page, select **Allow the connection**, and then click **Next**.
1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
6. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**. 1. On the **Name** page, type a name and description for your rule, and then click **Finish**.
7. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**.
8. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**.
9. On the **Action** page, select **Allow the connection**, and then click **Next**.
10. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**.
11. On the **Name** page, type a name and description for your rule, and then click **Finish**.
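Review bot: the step `On the **Program** page, click **This Program Path**, and then type **%systemroot%\\system32\\svchost.exe**` keeps the path in bold with doubled backslashes; put it in code font (`%systemroot%\system32\svchost.exe`) so no escaping is needed and the reader can copy it verbatim. The `Administrative credentials` paragraph is dropped in this file as well, with no replacement in view. Note also that the renumbering to `1.` throughout is not applied to the proxy procedure in the Microsoft Store isolation file later in this commit, so the two files end up on different list conventions.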

View File

@ -55,8 +55,8 @@ The output contains the following values:
|--|--| |--|--|
| `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. | | `Enabled` (True/False) | True if Hyper-V Firewall is enabled for WSL VMs. |
| `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. | | `DefaultInboundAction`, `DefaultOutboundAction` | These are default rule policies applied to packets entering or leaving the WSL container. The rule policies can be modified, as described in this article. |
| `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host. | | `LoopbackEnabled` | Tracks if loopback traffic between the host and the container is allowed, without requiring any Hyper-V Firewall rules. WSL enables it by default, to allow the Windows Host to talk to WSL, and WSL to talk to the Windows Host.|
| `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.<br>This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet. | | `AllowHostPolicyMerge` | Determines how Windows Host Firewall Enterprise Settings (GPO), Hyper-V Firewall Enterprise Settings (CSP), Windows Host Firewall Enterprise Settings (CSP), local Hyper-V Firewall settings, and local Host Firewall settings interact.<br>This setting is detailed with the [Set-NetFirewallHyperVVMSetting][PS-2] cmdlet.|
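Review bot: these table rows change only by trimming the space before the closing `|`, which has no effect on rendering; fine, but while the rows are touched the terminology could be aligned: the `Enabled` row says `WSL VMs` and the next row says `WSL container` for the same thing. The `[PS-2]` reference link used in the `AllowHostPolicyMerge` row must still be defined at the bottom of the file, which this hunk does not show.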
### Configure Hyper-V firewall settings ### Configure Hyper-V firewall settings

View File

@ -7,7 +7,6 @@ ms.date: 09/08/2021
# Isolating Microsoft Store Apps on Your Network # Isolating Microsoft Store Apps on Your Network
When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app. When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Microsoft Store apps that run on them. Developers who build Microsoft Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access. For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
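Review bot: the only change here is one line removed from the front matter above `# Isolating Microsoft Store Apps on Your Network`, and the removed line is outside the visible context, so the commit message should say what metadata was dropped. The unchanged first paragraph has a pronoun mismatch that a `fix errors` commit could take along: `You can then customize the firewall configuration ... if they desire more control` should read `if you want more control`.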
@ -16,59 +15,50 @@ The ability to set and enforce these network boundaries ensures that apps that g
When creating new Microsoft Store apps, a developer can define the following network capabilities for their app: When creating new Microsoft Store apps, a developer can define the following network capabilities for their app:
- **Home\\Work Networking** ## Home\Work Networking
Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller. Provides inbound and outbound access to intranet networks that the user has designated as a home or a work network, or if the network has an authenticated domain controller.
- **Internet (Client)** ## Internet (Client)
Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability. Provides outbound access to the Internet and untrusted networks, such as airports and coffee shops (for example, intranet networks where the user has designated the network as Public). Most apps that require Internet access should use this capability.
- **Internet (Client and Server)** ## Internet (Client and Server)
Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled. Provides inbound and outbound access to the Internet and untrusted networks, such as airports and coffee shops. This capability is a superset of the **Internet (Client)** capability, and **Internet (Client)** does not need to be enabled if this capability is enabled.
- **Proximity** ## Proximity
Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device. Provides near-field communication (NFC) with devices that are in close proximity to the device. Proximity may be used to send files or connect with an application on a proximate device.
**In this topic** ## In this topic
To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules. To isolate Microsoft Store apps on your network, you need to use Group Policy to define your network isolation settings and create custom Microsoft Store app firewall rules.
- [Prerequisites](#prerequisites) - [Prerequisites](#prerequisites)
- [Step 1: Define your network](#step-1-define-your-network) - [Step 1: Define your network](#step-1-define-your-network)
- [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules) - [Step 2: Create custom firewall rules](#step-2-create-custom-firewall-rules)
## Prerequisites ## Prerequisites
- A domain controller is installed on your network, and your devices are joined to the Windows domain. - A domain controller is installed on your network, and your devices are joined to the Windows domain.
- Your Microsoft Store app is installed on the client device. - Your Microsoft Store app is installed on the client device.
- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules. - The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Microsoft Store app when you create Windows Defender Firewall rules.
>**Note:**  You can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). > [!NOTE]
> Information the user should notice even if skimmingYou can install the RSAT on your device running Windows from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 
## Step 1: Define your network ## Step 1: Define your network
The **Home\\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately. The **Home\Work Networking** capability enables access to intranet resources. Administrators can use Group Policy settings to define the scope of the intranet. This ensures that Microsoft Store apps can access intranet resources appropriately.
A network endpoint is considered part of the **Home\\Work Network** if: A network endpoint is considered part of the **Home\\Work Network** if:
- It is part of the local subnet of a trusted network. - It is part of the local subnet of a trusted network.
For example, home users generally flag their network as Trusted. Local devices will be designated as such. For example, home users generally flag their network as Trusted. Local devices will be designated as such.
- A device is on a network, and it is authenticated to a domain controller. - A device is on a network, and it is authenticated to a domain controller.
- Endpoints within the intranet address space are considered private. - Endpoints within the intranet address space are considered private.
- Endpoints within the local subnet are considered private. - Endpoints within the local subnet are considered private.
- The device is configured for DirectAccess, and the endpoint is part of the intranet address space. - The device is configured for DirectAccess, and the endpoint is part of the intranet address space.
The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative. The intranet address space is composed of configured Active Directory sites and subnets, and it is configured for Windows network isolation specifically by using Group Policy. You can disable the usage of Active Directory sites and subnets by using Group Policy by declaring that your subnet definitions are authoritative.
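Review bot: the converted note contains leftover snippet placeholder text: `> Information the user should notice even if skimmingYou can install the RSAT ...`. Delete `Information the user should notice even if skimming` so the line reads `> You can install the RSAT on your device running Windows from the [Microsoft Download Center](...)`. Also the new side writes `**Home\Work Networking**` with a single backslash in Step 1 but keeps `**Home\\Work Network**` on the next line and `## Home\Work Networking` in the heading; settle on one escaping and one name (`Networking` vs `Network`). Promoting the four capability bullets to `##` headings puts them at the same level as `## In this topic` and `## Prerequisites` even though the sentence before them (`a developer can define the following network capabilities for their app:`) introduces a list; `###` headings or the original list would keep the structure readable.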
@ -77,28 +67,21 @@ Any proxies that you configure or that are automatically configured with proxy a
All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet. All other endpoints that do not meet the previously stated criteria are considered endpoints on the Internet.
**To configure a GPO that defines your intranet address space** ### To configure a GPO that defines your intranet address space
1. Open the Group Policy Management snap-in (gpmc.msc), right click on the Group Policy you want to use to define your address space, and select **Edit**. 1. Open the Group Policy Management snap-in (gpmc.msc), right click on the Group Policy you want to use to define your address space, and select **Edit**.
1. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**.
2. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Administrative Templates**, expand **Network**, and click **Network Isolation**. 1. In the right pane, double-click **Private network ranges for apps**.
1. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary.
3. In the right pane, double-click **Private network ranges for apps**.
4. In the **Private network ranges for apps** dialog box, click **Enabled**. In the **Private subnets** text box, type the private subnets for your intranet, separated by commas if necessary.
For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box. For example, if the Contoso intranet is defined as 10.0.0.0 with a subnet mask of 255.255.255.0, you would type 10.0.0.0/24 in the **Private subnets** text box.
1. Double-click **Subnet definitions are authoritative**.
5. Double-click **Subnet definitions are authoritative**.
If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics. If you want the subnet definitions that you previously created to be the single source for your subnet definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional subnets by using local settings or network isolation heuristics.
**To configure the proxy addresses for the intranet and Internet** ### To configure the proxy addresses for the intranet and Internet
1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons. 1. Double-click **Internet proxy servers for apps**. Click **Enabled**, and then in the **Domain Proxies** text box, type the IP addresses of your Internet proxy servers, separated by semicolons.
2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons. 2. Double-click **Intranet proxy servers for apps**. Click **Enabled**, and then in the IP address text box, type the IP addresses of your intranet proxy servers, separated by semicolons.
3. Double-click **Proxy definitions are authoritative**. 3. Double-click **Proxy definitions are authoritative**.
If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics. If you want the proxy definitions that you previously created to be the single source for your proxy definition, click **Enabled**. Otherwise, leave the **Not Configured** default so that you can add additional proxies by using local settings or network isolation heuristics.
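Review bot: "right click" in the first step (unchanged on both sides of the hunk) should be "right-click", matching the hyphenated form the later procedures use ("right-click your domain name", "right-click your new rule"). Since this hunk converts the steps to repeated "1." markers, the explanatory lines that follow a step ("For example, if the Contoso intranet is defined as 10.0.0.0 ...", "If you want the subnet definitions that you previously created ...") must be indented under their step; an unindented paragraph ends the Markdown list, and the next "1." renders as a new list starting at 1.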
@ -112,7 +95,7 @@ The following table provides a complete list of the possible app capabilities.
| Capability | Name | Description | | Capability | Name | Description |
| - | - | - | | - | - | - |
| **Internet (Client)** | internetClient | Your outgoing Internet connection.| | **Internet (Client)** | internetClient | Your outgoing Internet connection.|
| **Internet (Client &amp; Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared. | **Internet (Client &amp; Server)** | internetClientServer| Your Internet connection, including incoming unsolicited connections from the Internet The app can send information to or from your device through a firewall. You do not need to declare **internetClient** if this capability is declared.|
| **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.| | **Home\Work Networking** |privateNetworkClientServer| A home or work network. The app can send information to or from your device and other devices on the same network.|
| **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.| | **Document Library Access**| documentsLibrary| Your Documents library, including the capability to add, change, or delete files. The package can only access file types that are declared in the manifest.|
| **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.| | **Picture Library Access**| picturesLibrary| Your Pictures library, including the capability to add, change, or delete files.|
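Review bot: the internetClientServer row is missing a period between "incoming unsolicited connections from the Internet" and "The app can send information", on both sides of the hunk; since the row is already being touched to add the trailing pipe, fix the sentence break too. The `&amp;` entity in "Internet (Client &amp; Server)" can be a plain `&`; the Markdown table does not need HTML escaping.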
@ -132,112 +115,69 @@ You can create a Windows Defender Firewall policy that is scoped to a set of app
For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability. For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
**To block Internet access for any apps on your network that have the Documents Library capability** ### To block Internet access for any apps on your network that have the Documents Library capability
1. Open the Group Policy Management snap-in (gpmc.msc). 1. Open the Group Policy Management snap-in (gpmc.msc).
1. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**.
2. In the left pane, right-click your domain name and click **Create a GPO in this domain, and link it here**. 1. Type a name for the GPO in the **Name** text box, and then click **OK**.
1. Right-click the new GPO, and then click **Edit**.
3. Type a name for the GPO in the **Name** text box, and then click **OK**. 1. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall - LDAP://…**
1. Right-click **Outbound Rules**, and then click **New Rule**.
4. Right-click the new GPO, and then click **Edit**. 1. Click **Custom**, and then click **Next**.
1. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page.
5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall LDAP://…** 1. On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**.
1. On the **Profile** page, click **Next**.
6. Right-click **Outbound Rules**, and then click **New Rule**. 1. On the **Name** page, type a name for your rule, and then click **Finish**.
1. In the right pane, right-click your new rule and click **Properties**.
7. Click **Custom**, and then click **Next**. 1. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
1. Click **Application Package Properties**, and then click **OK**.
8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. 1. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**.
1. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**.
9. On the **Action** page, ensure that **Block the Connection** is selected, and then click **Next**. 1. Click **Predefined set of computers**, select **Internet**, and click **OK**.
10. On the **Profile** page, click **Next**.
11. On the **Name** page, type a name for your rule, and then click **Finish**.
12. In the right pane, right-click your new rule and click **Properties**.
13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
14. Click **Application Package Properties**, and then click **OK**.
15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\Your documents library**, and then click **OK**.
16. Click the **Scope** tab under **Remote IP addresses**, and then click **Add**.
17. Click **Predefined set of computers**, select **Internet**, and click **OK**.
This scopes the rule to block traffic to Internet devices. This scopes the rule to block traffic to Internet devices.
18. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**. 1. Click the **Programs and Services** tab, and in the **Application Packages** area, click **Settings**.
1. Click **Apply to application packages only**, and then click **OK**.
19. Click **Apply to application packages only**, and then click **OK**. > [!IMPORTANT]
> You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way.
>**Important:**  You must do this to ensure that the rule applies only to Microsoft Store apps and not to other apps. Desktop apps declare all capabilities by default, and this rule would apply to them if you do not configure it this way. 1. Click **OK** to close the **Properties** dialog box.
1. Close the Group Policy Management Editor.
20. Click **OK** to close the **Properties** dialog box. 1. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**.
1. Under **Security Filtering**, click **Add**.
21. Close the Group Policy Management Editor. 1. Type **domain computers** in the text box, and then click **OK**.
1. Close the Group Policy Management snap-in.
22. In the Group Policy Management snap-in, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**. Click **Remove**, and then click **OK**.
23. Under **Security Filtering**, click **Add**.
24. Type **domain computers** in the text box, and then click **OK**.
25. Close the Group Policy Management snap-in.
Use the following procedure if you want to block intranet access for a specific media sharing app on your network. Use the following procedure if you want to block intranet access for a specific media sharing app on your network.
**To block intranet access for a specific media sharing app on your network** ### To block intranet access for a specific media sharing app on your network
1. Open the Group Policy Management snap-in (gpmc.msc). 1. Open the Group Policy Management snap-in (gpmc.msc).
1. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**.
2. In the left pane, right-click your domain name, and then click **Create a GPO in this domain, and link it here**. 1. Type a name for your GPO in the **Name** text box, and then click **OK**.
1. Right-click your new GPO, and then click **Edit**.
3. Type a name for your GPO in the **Name** text box, and then click **OK**. 1. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall LDAP://**
1. Right-click **Outbound Rules**, and then click **New Rule**.
4. Right-click your new GPO, and then click **Edit**. 1. Click **Custom**, and then click **Next**.
1. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page.
5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall LDAP://** 1. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**.
1. On the **Profile** page, click **Next**.
6. Right-click **Outbound Rules**, and then click **New Rule**. 1. On the **Name** page, type a name for your rule, and then click **Finish**.
1. In the right pane, right-click your new rule, and then click **Properties**.
7. Click **Custom**, and then click **Next**. 1. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
1. Click **Application Package Properties**, and then click **OK**.
8. Click **Next** on the **Program** page, the **Protocols and Ports** page, and the **Scope** page. 1. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**.
1. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**.
9. On the **Action** page, ensure **Block the Connection** is selected, and then click **Next**. 1. Click **Apply to this application package**, select the app in the text box, and then click **OK**.
1. Click **OK** to close the **Properties** dialog box.
10. On the **Profile** page, click **Next**. 1. Close the Group Policy Management Editor.
1. In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**.
11. On the **Name** page, type a name for your rule, and then click **Finish**. 1. Under **Security Filtering**, click **Add**.
1. Type **domain computers** in the text box and click **OK**.
12. In the right pane, right-click your new rule, and then click **Properties**. 1. Close Group Policy Management.
13. Click the **Local Principals** tab, select the **Only allow connections from these users** check box, and then click **Add**.
14. Click **Application Package Properties**, and then click **OK**.
15. In the **Choose Capabilities** dialog box, click **APPLICATION PACKAGE AUTHORITY\\A home or work network**, and then click **OK**.
16. Click the **Programs and Services** tab under **Application Packages**, and then click **Settings**.
17. Click **Apply to this application package**, select the app in the text box, and then click **OK**.
18. Click **OK** to close the **Properties** dialog box.
19. Close the Group Policy Management Editor.
20. In Group Policy Management, ensure that your new GPO is selected, and in the right pane under **Security Filtering**, select **Authenticated Users**, click **Remove**, and then click **OK**.
21. Under **Security Filtering**, click **Add**.
22. Type **domain computers** in the text box and click **OK**.
23. Close Group Policy Management.
## See also ## See also
- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md) - [Windows Defender Firewall with Advanced Security Overview](index.md)


@ -146,17 +146,11 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
**Use netsh to capture IPsec events.** **Use netsh to capture IPsec events.**
1. Open an elevated command prompt. 1. Open an elevated command prompt.
2. At the command prompt, type **netsh wfp capture start**. 2. At the command prompt, type **netsh wfp capture start**.
3. Reproduce the error event so that it can be captured. 3. Reproduce the error event so that it can be captured.
4. At the command prompt, type **netsh wfp capture stop**. 4. At the command prompt, type **netsh wfp capture stop**.
A wfpdiag.cab file is created in the current folder. A wfpdiag.cab file is created in the current folder.
5. Open the cab file, and then extract the wfpdiag.xml file. 5. Open the cab file, and then extract the wfpdiag.xml file.
6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last "errorFrequencyTable" at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: 6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last "errorFrequencyTable" at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
```xml ```xml
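Review bot: "Open the wfpdiag.xml file with your an XML viewer program" keeps the doubled article on both sides; it should read "with an XML viewer program". In the same step, "search the last "errorFrequencyTable"" should be "search for the last "errorFrequencyTable"". This file also keeps explicit 1 to 6 step numbering while the other files in this commit switch to repeated "1." markers; pick one convention for the whole change.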
@ -165,13 +159,11 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
<frequency>32</frequency> <frequency>32</frequency>
</item> </item>
``` ```
In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error. In this example, there are 32 instances of the **ERROR\_IPSEC\_IKE\_NO\_CERT** error. So now you can search for **ERROR\_IPSEC\_IKE\_NO\_CERT** to get more details regarding this error.
You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues. You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues.
## See also ## See also
- [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md) - [Windows Defender Firewall with Advanced Security](index.md)
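Review bot: the See also link is retargeted to index.md but keeps the text "Windows Defender Firewall with Advanced Security", whereas the same retarget in the PowerShell guide's Scope section renames the text to "Windows Firewall". Align the link text with the title of the target page in both places so readers are not sent to "index.md" under two different names.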


@ -4,14 +4,16 @@ description: Windows Defender Firewall with Advanced Security Administration wit
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/08/2021 ms.date: 09/08/2021
--- ---
# Windows Defender Firewall with Advanced Security Administration with
# Windows Defender Firewall with Advanced Security Administration with PowerShell
The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows. The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows.
You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them. You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them.
In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall. In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall.
Windows PowerShell and netsh command references are at the following locations. Windows PowerShell and netsh command references are at the following locations.
- [Netsh Commands for Windows Defender Firewall](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771920(v=ws.10)) - [Netsh Commands for Windows Defender Firewall](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771920(v=ws.10))
## Scope ## Scope
This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide. This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Firewall](index.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide.
## Audience and user requirements ## Audience and user requirements
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell. This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
## In this topic ## In this topic
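Review bot: in the Scope paragraph, "[Additional resources](#other-resources)" has link text and fragment that do not agree; one of them is stale, so check which heading actually exists in this file and make the text and the `#` fragment match. Also, "Windows PowerShell and netsh command references are at the following locations" is followed by a single Netsh entry before "## Scope"; if the PowerShell reference link was dropped, restore it, otherwise "locations" should be singular.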


@ -7,7 +7,7 @@ ms.topic: article
# Firewall and network protection # Firewall and network protection
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md). The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../../network-security/windows-firewall/index.md).
This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. This section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
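Review bot: "This information is useful if you don't want employees ... to see or have access to user-configured options" attaches "useful" to the information rather than to hiding the section; rephrase to "Hiding it is useful if you don't want employees in your organization to see ..." so the sentence says what the setting is for.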


@ -26,7 +26,7 @@ See the following articles to learn more about the different areas of Windows th
- [Network Protection](/microsoft-365/security/defender-endpoint/network-protection) - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection)
- [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) - [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview) - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview)
- [Windows Firewall](../operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md) - [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md)
- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) - [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)
## Next-generation protection ## Next-generation protection