This commit is contained in:
Paolo Matarazzo 2023-11-14 07:14:54 -05:00
parent 6f600e8620
commit 65d5845a12
7 changed files with 150 additions and 115 deletions

View File

@ -6927,7 +6927,7 @@
},
{
"source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
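Review bot: the new target for `designing-a-windows-firewall-with-advanced-security-strategy.md` is the `windows-firewall` section root rather than the same-named article it pointed at before; if that article has been removed, make sure the old target path `/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy` gets its own redirect entry, otherwise any link that still resolves to it will break. Keeping `redirect_document_id: false` is correct here, since a document ID should not be transferred to an index page.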
@ -7954,6 +7954,46 @@
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-rules-with-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-with-powershell",
"redirect_document_id": false
}
]
}
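Review bot: the `source_path` of the last added entry, `windows/security/operating-system-security/network-security/windows-firewall-with-advanced-security-administration-with-windows-powershell.md`, sits one directory above the other nine entries (no `windows-firewall/` segment); if the PowerShell article actually lives under `windows-firewall/`, this redirect never matches and the old URL breaks. Eight of the new entries collapse separate procedure pages into the single `configure-rules-with-gpo` target; since each source page corresponds to one section of the merged article, check whether the redirect system can carry a fragment such as `#create-an-inbound-icmp-rule` so readers land on the procedure they were looking for.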

View File

@ -6,4 +6,4 @@ ms.topic: include
ms.prod: windows-client
---
To configure a device using group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) or [edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730903(v=ws.10)) a group policy object (GPO) and use the following settings:
To configure a device using group policy, use the [Local Group Policy Editor](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731745(v=ws.10)). To configure multiple devices joined to Active Directory, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and use the following settings:
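Review bot: merging the two links into a single "create or edit" link keeps only the create topic (`cc754740(v=ws.11)`) and silently drops the edit topic (`cc730903(v=ws.10)`); either keep the second link or confirm that cc754740 covers editing an existing GPO as well as creating one before the edit link goes away.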

View File

@ -121,7 +121,7 @@ sections:
answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
- [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
- [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/configure-rules.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
### First rule (DHCP Server)
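Review bot: the updated "Create an inbound icmp rule" link points at `configure-rules.md`, but every redirect added in this commit targets `configure-rules-with-gpo`; one of the two names is wrong, so check the real filename of the new article and point this link at it, ideally with the `#create-an-inbound-icmp-rule` anchor since the link text still names that specific procedure. The third item still links `open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md`, which the rewritten rules article no longer references; verify that page still exists or give it a redirect as well.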

View File

@ -1,75 +1,70 @@
---
title: Configure Firewall rules
description: Learn how to configure Windows Firewall rules with group policy.
ms.topic: conceptual
ms.date: 09/07/2021
title: Configure Windows Firewall rules with group policy
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
ms.topic: how-to
ms.date: 11/14/2023
---
# Configure Firewall rules
# Configure Firewall rules with group policy
This article contains examples how to configure Windows Firewall rules using group policy. The examples are based on the *Windows Firewall with Advanced Security* Group Policy Management MMC snap-in.
This article contains examples how to configure Windows Firewall rules using group policy (GPO), with the *Windows Firewall with Advanced Security* console.
> [!NOTE]
> To complete these procedures, you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the Active Directory domain.
>
> To configure a device using the Local Group Policy editor, you must have administrative rights on the device.
## Access the Windows Firewall with Advanced Security console
If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select <kbd>START</kbd>, type `wf.msc`, and press <kb>ENTER</kbd>.
## Create an inbound ICMP rule
This type of rule allows ICMP requests and responses to be received by devices on the network.
This type of rule allows ICMP requests and responses to be received by devices on the network. To create an inbound ICMP rule:
To create an inbound ICMP rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. In the navigation pane, click **Inbound Rules**
1. Click **Action**, and then click **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**
1. On the **Program** page, click **All programs**, and then click **Next**
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**All programs**, and then select**Next**
1. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each
1. Click **Customize**
1. Select **Customize**
1. In the **Customize ICMP Settings** dialog box, do one of the following:
- To allow all ICMP network traffic, click **All ICMP types**, and then click **OK**
- To select one of the predefined ICMP types, click **Specific ICMP types**, and then select each type in the list that you want to allow. Click **OK**
- To select an ICMP type that does not appear in the list, click **Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, click **Add**, and then select the newly created entry from the list. Click **OK**
1. Click **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**
1. On the **Action** page, select **Allow the connection**, and then click **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**
1. On the **Name** page, type a name and description for your rule, and then click **Finish**
- To allow all ICMP network traffic, select**All ICMP types**, and then select**OK**
- To select one of the predefined ICMP types, select**Specific ICMP types**, and then select each type in the list that you want to allow. Select **OK**
- To select an ICMP type that does not appear in the list, select**Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, select**Add**, and then select the newly created entry from the list. Select **OK**
1. Select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an inbound port rule
This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To create an inbound port rule:
To create an inbound port rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
1. In the navigation pane, click **Inbound Rules**
1. Click **Action**, and then click **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**
> [!Note]
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, click **All programs**, and then click **Next**
> [!Note]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](create-an-inbound-program-or-service-rule.md) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
1. On the **Program** page, select**All programs**, and then select**Next**
> [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](#create-an-inbound-program-or-service-rule) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
1. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.\
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.\
When you have configured the protocols and ports, click **Next**.
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**
1. On the **Action** page, select **Allow the connection**, and then click **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**
> [!Note]
When you have configured the protocols and ports, select**Next**.
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
> [!NOTE]
> If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
1. On the **Name** page, type a name and description for your rule, and then click **Finish**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an outbound port rule
By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. To create an outbound port rule:
To create an outbound port rule:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule wizard, select **Custom**, and then select **Next**
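Review bot: the `wf.msc` sentence in the new "Access the Windows Firewall with Advanced Security console" section closes `<kb>ENTER</kbd>` with a tag that does not match its opener (`<kb>` versus `</kbd>`); it should read `<kbd>ENTER</kbd>`. The same paragraph has the fragment "In which case, to access the ... console" which reads better joined to the sentence before it. Throughout the renumbered steps the new wording drops the space after "select" (`select**Inbound Rules**`, `select**New rule**`, `select**Next**`, `select**Finish**`), which renders as literal asterisks instead of bold; replacing `select**` with `select **` across the file fixes every occurrence in this hunk and the ones below.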
@ -92,18 +87,18 @@ This type of rule allows the program to listen and receive inbound network traff
To create an inbound firewall rule for a program or service:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
1. In the navigation pane, click **Inbound Rules**
1. Click **Action**, and then click **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
> [!NOTE]
> Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, click **This program path**
1. On the **Program** page, select**This program path**
1. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
1. Do one of the following:
- If the executable file contains a single program, click **Next**
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, click **Customize**, select **Apply to services only**, click **OK**, and then click **Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, click **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, click **Apply to service with this service short name**, and then type the short name for the service in the text box. Click **OK**, and then click **Next**
- If the executable file contains a single program, select**Next**
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, select**Customize**, select **Apply to services only**, select**OK**, and then select**Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select**Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, select**Apply to service with this service short name**, and then type the short name for the service in the text box. Select **OK**, and then select**Next**
> [!IMPORTANT]
> To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: `sc qsidtype <ServiceName>`
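Review bot: the NOTE under the Rule Type step still carries leaked template text, "Information the user should notice even if skimmingAlthough you can create rules...", which should be reduced to "Although you can create rules..."; since this hunk already touches the surrounding lines, it is the right place to clean it up. The missing space after "select" recurs on the renumbered lines here (`select**This program path**`, `select**Customize**`, `select**OK**`).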
@ -114,19 +109,17 @@ To create an inbound firewall rule for a program or service:
In the preceding command, the value of `<Type>` can be `UNRESTRICTED` or `RESTRICTED`. Although the command also permits the value of `NONE`, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as `UNRESTRICTED`. If you change the SID type to `RESTRICTED`, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to `UNRESTRICTED`.
1. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](create-an-inbound-port-rule.md). After you have configured the protocol and port options, click **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**
1. On the **Action** page, select **Allow the connection**, and then click **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**
1. On the **Name** page, type a name and description for your rule, and then click **Finish**
1. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](#create-an-inbound-port-rule). After you have configured the protocol and port options, select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an outbound program or service rule
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. This type of rule prevents the program from sending any outbound network traffic on any port.
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. This type of rule prevents the program from sending any outbound network traffic on any port. To create an outbound firewall rule for a program or service:
To create an outbound firewall rule for a program or service:
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule Wizard, select **Custom**, and then select **Next**
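Review bot: the in-page anchor `#create-an-inbound-port-rule` matches the "## Create an inbound port rule" heading earlier in this file, so that link change is sound; the renumbered steps again have `select**Next**` and `select**Finish**` without a space, which breaks the bold formatting. The unchanged line at the top of the hunk refers to "the preceding command" and `<Type>`, so confirm that the command block it describes survived the rewrite above it.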
@ -138,7 +131,7 @@ To create an outbound firewall rule for a program or service:
- If the executable file contains a single program, select **Next**
- If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then select **Apply to service with this service short name**, and type the short name for the service in the text box. Select **OK**, and then select **Next**
1. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](create-an-outbound-port-rule.md). When you have configured the protocol and port options, select **Next**
1. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](#create-an-outbound-port-rule). When you have configured the protocol and port options, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
@ -155,31 +148,31 @@ Using the two rules configured as described in this topic helps to protect your
### RPC Endpoint Mapper service
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. In the navigation pane, click **Inbound Rules**
1. Click **Action**, and then click **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**
1. On the **Program** page, click **This Program Path**, and then type `%systemroot%\system32\svchost.exe`
1. Click **Customize**.
1. In the **Customize Service Settings** dialog box, click **Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, click **OK**, and then click **Next**
1. On the warning about Windows service-hardening rules, click **Yes**
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**This Program Path**, and then type `%systemroot%\system32\svchost.exe`
1. Select **Customize**.
1. In the **Customize Service Settings** dialog box, select**Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, select**OK**, and then select**Next**
1. On the warning about Windows service-hardening rules, select**Yes**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Endpoint Mapper**, and then click **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**
1. On the **Action** page, select **Allow the connection**, and then click **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**
1. On the **Name** page, type a name and description for your rule, and then click **Finish**
1. For **Local port**, select **RPC Endpoint Mapper**, and then select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
### RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, click **Action**, and then click **New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, click **Custom**, and then click **Next**
1. On the **Program** page, click **This Program Path**, and then type the path to the executable file that hosts the network service. Click **Customize**
1. In the **Customize Service Settings** dialog box, click **Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then click **Apply to service with this service short name**, and then type the short name of the service in the text box
1. Click **OK**, and then click **Next**
1. On the same GPO you edited in the preceding procedure, select**Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**This Program Path**, and then type the path to the executable file that hosts the network service. Select **Customize**
1. In the **Customize Service Settings** dialog box, select**Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then select**Apply to service with this service short name**, and then type the short name of the service in the text box
1. Select **OK**, and then select**Next**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Dynamic Ports**, and then click **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then click **Next**
1. On the **Action** page, select **Allow the connection**, and then click **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then click **Next**
1. On the **Name** page, type a name and description for your rule, and then click **Finish**
1. For **Local port**, select **RPC Dynamic Ports**, and then select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
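Review bot: the first step of "RPC-enabled network services" still says "On the same GPO you edited in the preceding procedure", but the article now also covers the local `wf.msc` console where there is no GPO; "In the same console" would cover both cases. The missing space after "select" appears throughout this hunk as well (`select**Inbound Rules**`, `select**Apply to this service**`, `select**Yes**`, `select**Finish**`).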

View File

@ -5,7 +5,7 @@ ms.topic: conceptual
ms.date: 09/08/2021
---
# Windows Defender Firewall with Advanced Security Administration with PowerShell
# Manage Windows Firewall with PowerShell
The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It's designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows.
You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them.
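Review bot: the H1 is renamed to "Manage Windows Firewall with PowerShell", but the first body paragraph still introduces the page as "The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide", and `ms.date` stays at 09/08/2021 while the rules article in this same commit is bumped to 11/14/2023; update the opening sentence to the new name and refresh the date.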
@ -16,19 +16,15 @@ Windows PowerShell and netsh command references are at the following locations.
This guide doesn't teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Firewall](index.md). It doesn't teach the fundamentals of Windows PowerShell, and it assumes that you're familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#other-resources) section of this guide.
## Audience and user requirements
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you're familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
## In this topic
| Section | Description |
| - | - |
| [Set profile global defaults](#bkmk-profileglobaldefaults) | Enable and control firewall behavior|
| [Deploy basic firewall rules](#deploy-basic-firewall-rules)| How to create, modify, and delete firewall rules|
| [Manage Remotely](#manage-remotely) | Remote management by using `-CimSession`|
| [Deploy basic IPsec rule settings](#deploy-basic-ipsec-rule-settings) | IPsec rules and associated parameters|
| [Deploy secure firewall rules with IPsec](#deploy-secure-firewall-rules-with-ipsec) | Domain and server isolation|
| [Other resources](#other-resources) | More information about Windows PowerShell|
## Set profile global defaults
Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles.
### Enable Windows Defender Firewall with Advanced Security
Windows Defender Firewall drops traffic that doesn't correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device:
Windows Defender Firewall drops traffic that doesn't correspond to
allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create aren't being enforced, you may need to enable Windows Defender Firewall. Here's how to enable Windows Defender Firewall on a local domain device:
**Netsh**
``` cmd
netsh.exe advfirewall set allprofiles state on
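Review bot: the surviving intro sentence links "[Additional resources](#other-resources)" while the target section is titled "Other resources" (as the removed table row shows), so the link label no longer matches its heading; suggest "[Other resources](#other-resources)". Removing the "In this topic" table also removes the `#bkmk-profileglobaldefaults` anchor from the page's own navigation, so confirm no other page links to that bookmark. Dropping the "Audience and user requirements" section is fine, since the first paragraph already states the audience and prerequisites, and joining the split sentence onto one line is a good cleanup.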
@ -37,10 +33,14 @@ netsh.exe advfirewall set allprofiles state on
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
### Control Windows Defender Firewall with Advanced Security behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console.
The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
**Netsh**
```cmd
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall set allprofiles settings inboundusernotification enable
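Review bot: subject-verb agreement in "The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications" is inconsistent ("set" plural, "specifies"/"allows" singular); suggest "set ..., specify ..., and allow ...". The code fence here is "```cmd" while the previous hunk uses "``` cmd" with a space; pick one form for the page.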

View File

@ -1,22 +1,24 @@
items:
- name: Overview
href: index.md
- name: Configure Windows firewall
href: best-practices-configuring.md
- name: Configure Hyper-V firewall
- name: Configure and manage Windows Firewall
items:
- name: Configure Windows firewall
href: best-practices-configuring.md
- name: Configure Windows Firewall rules with group policy
href: configure-rules-with-gpo.md
- name: Configure the Windows Firewall log
href: configure-the-windows-firewall-log.md
- name: Manage Windows Firewall with PowerShell
href: configure-with-powershell.md
- name: Configure firewall rules with Microsoft Intune
href: create-windows-firewall-rules-in-intune.md
- name: Hyper-V firewall
href: hyper-v-firewall.md
- name: Configure the Windows Firewall log
href: configure-the-windows-firewall-log.md
- name: Secure connections with IPsec
href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
- name: Configure Windows Firewall with PowerShell
href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
- name: Isolate Microsoft Store apps on your network
href: isolating-apps-on-your-network.md
- name: Configure Windows Firewall rules
href: configure-rules.md
- name: Create firewall rules with Microsoft Intune
href: create-windows-firewall-rules-in-intune.md
- name: Troubleshoot
items:
- name: Troubleshoot UWP app connectivity issues in Windows Firewall
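Review bot: the new "Configure and manage Windows Firewall" group mixes capitalization, "Configure Windows firewall" next to "Configure Windows Firewall rules with group policy"; suggest "Configure Windows Firewall" throughout. The PowerShell entry's href changes from windows-firewall-with-advanced-security-administration-with-windows-powershell.md to configure-with-powershell.md, and configure-rules.md no longer appears alongside configure-rules-with-gpo.md, so confirm a redirect entry exists for each old path before merging.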

View File

@ -70,7 +70,7 @@ For more information about each section, options for configuring the sections, a
>
> Microsoft Defender Antivirus will be [disabled automatically when a third-party antivirus product is installed and kept up to date](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility).
>
> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/windows-firewall-with-advanced-security.md).
> Disabling the Windows Security Center Service won't disable Microsoft Defender Antivirus or [Windows Defender Firewall](../../network-security/windows-firewall/index.md).
> [!WARNING]
> If you disable the Windows Security Center Service, or configure its associated group policy settings to prevent it from starting or running, **Windows Security** may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
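Review bot: the link target is updated to ../../network-security/windows-firewall/index.md, but the link text still reads "Windows Defender Firewall" while the rest of this commit renames pages to "Windows Firewall"; consider "Windows Firewall" for consistency with the landing page it now points to.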