From 46eb5e34710edd29a7cf1bf0a25d3c6940b1ebf3 Mon Sep 17 00:00:00 2001 From: Tommy Jensen <45110146+mstojens@users.noreply.github.com> Date: Thu, 22 Jul 2021 00:08:29 -0700 Subject: [PATCH 1/3] Clarification on automatic rule creation Provided details for why network connectivity may fail because automatic rule creation did not occur as expected. The general guidance is to not rely on automatic rule creation and instead ensure rules are created before first application launch for the best user experience. --- .../windows-firewall/best-practices-configuring.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 3911fccc53..719c0ca8b0 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md 
@@ -119,7 +119,7 @@ In either of the scenarios above, once these rules are added they must be delete When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. -The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime requires user interaction. +The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practice and provide these rules before application first launch to avoid unexpected networking issues. To determine why some applications are blocked from communicating in the network, check for the following: @@ -129,6 +129,8 @@ To determine why some applications are blocked from communicating in the network 3. Local Policy Merge is disabled, preventing the application or network service from creating local rules. +Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. + ![Windows Firewall prompt](images/fw04-userquery.png) *Figure 4: Dialog box to allow access* 
@@ -207,4 +209,4 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound ## Document your changes -When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. \ No newline at end of file +When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. From 534b1d7ec4c596255561cc8863ed64ce9a3e1f5d Mon Sep 17 00:00:00 2001 From: Tommy Jensen <45110146+mstojens@users.noreply.github.com> Date: Thu, 22 Jul 2021 08:31:19 -0700 Subject: [PATCH 2/3] editorial nit Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 719c0ca8b0..613b044d3a 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md 
@@ -119,7 +119,7 @@ In either of the scenarios above, once these rules are added they must be delete When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. -The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practice and provide these rules before application first launch to avoid unexpected networking issues. +The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime require user interaction and administrative privilege. If the device is expected to be used by non-administrative users, you should follow best practices and provide these rules before the application's first launch to avoid unexpected networking issues. To determine why some applications are blocked from communicating in the network, check for the following: From 002cd3645d71fe96bd9adf4073a98659b228af13 Mon Sep 17 00:00:00 2001 From: Tommy Jensen <45110146+mstojens@users.noreply.github.com> Date: Thu, 22 Jul 2021 08:32:48 -0700 Subject: [PATCH 3/3] editorial nit (white space) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-firewall/best-practices-configuring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 613b044d3a..71f0392376 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -209,4 +209,4 @@ For tasks related to creating outbound rules, see [Checklist: Creating Outbound ## Document your changes -When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. +When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall.
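Review bot: In the PATCH 1/3 hunk at line 119, the new claim that runtime rule creation requires "administrative privilege" is left unconnected to the dialog the section already documents (Figure 4, "Dialog box to allow access"). Suggest one clause tying them together, e.g. "...require user interaction and administrative privilege: a standard user who sees the prompt in Figure 4 cannot approve it without administrator credentials, so the application is blocked." That makes the troubleshooting consequence for non-admin devices explicit rather than implied.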
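Review bot: In the PATCH 1/3 hunk at line 129, the added sentence "Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy" sits as a loose paragraph after the numbered list that the lead-in "check for the following" introduces, so it reads as an afterthought rather than a fourth cause. Suggest making it item 4 of the list, and stating how it differs from item 3 ("Local Policy Merge is disabled"), since both describe policy that blocks local rule creation and a reader will otherwise conflate them.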
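Review bot: The PATCH 1/3 hunk at line 207 changes nothing but the missing end-of-file newline (the "\ No newline at end of file" marker on the removed side). That is fine to fix, but it is unrelated to the commit's stated purpose and is not mentioned in the commit message; either call it out there or move it to the whitespace-only commit later in this series so the content diff stays reviewable on its own.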
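Review bot: The PATCH 2/3 hunk correctly fixes "follow best practice" to "follow best practices" and "application first launch" to "the application's first launch", but the unchanged context line two lines below still reads "blocked from communicating in the network" while the edited sentence says "communicate on the network". Since this is an editorial pass over the same paragraph, suggest changing "in the network" to "on the network" here as well for consistency.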
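Review bot: In the PATCH 3/3 hunk at line 209, the removed and added lines are visually identical, so a reviewer cannot tell what changed; the commit subject "editorial nit (white space)" is the only clue. Suggest stating the exact change in the commit message (for example "remove trailing whitespace at end of paragraph") so the history explains a hunk that renders as a no-op.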