This commit is contained in:
Paolo Matarazzo 2023-11-20 15:33:15 -05:00
parent 41e5a88aa4
commit 97eca53267
5 changed files with 306 additions and 303 deletions

View File

@ -1,178 +0,0 @@
---
title: Configure firewall rules with WFAS console
description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
ms.topic: how-to
ms.date: 11/14/2023
---
# Configure rules with WFAS console
This article contains examples how to configure Windows Firewall rules using the *Windows Firewall with Advanced Security* console.
## Access the Windows Firewall with Advanced Security console
If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd>.
## Create an inbound ICMP rule
This type of rule allows ICMP requests and responses to be received by devices on the network. To create an inbound ICMP rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**All programs**, and then select**Next**
1. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each
1. Select **Customize**
1. In the **Customize ICMP Settings** dialog box, do one of the following:
- To allow all ICMP network traffic, select**All ICMP types**, and then select**OK**
- To select one of the predefined ICMP types, select**Specific ICMP types**, and then select each type in the list that you want to allow. Select **OK**
- To select an ICMP type that does not appear in the list, select**Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, select**Add**, and then select the newly created entry from the list. Select **OK**
1. Select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an inbound port rule
This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To create an inbound port rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select**All programs**, and then select**Next**
> [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](#create-an-inbound-program-or-service-rule) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
1. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.\
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.\
When you have configured the protocols and ports, select**Next**.
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
> [!NOTE]
> If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an outbound port rule
By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. To create an outbound port rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **All programs**, and then select **Next**
1. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number
If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. When you've configured the protocols and ports, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create an inbound program or service rule
This type of rule allows the program to listen and receive inbound network traffic on any port.
> [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](#create-an-inbound-port-rule) procedure in addition to the steps in this procedure.
To create an inbound firewall rule for a program or service:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
> [!NOTE]
> Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select**This program path**
1. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
1. Do one of the following:
- If the executable file contains a single program, select**Next**
- If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, select**Customize**, select **Apply to services only**, select**OK**, and then select**Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select**Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, select**Apply to service with this service short name**, and then type the short name for the service in the text box. Select **OK**, and then select**Next**
> [!IMPORTANT]
> To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: `sc qsidtype <ServiceName>`
>
> If the result is `NONE`, then a firewall rule cannot be applied to that service.
To set a SID type on a service, run the following command: `sc sidtype <ServiceName> <Type>`
In the preceding command, the value of `<Type>` can be `UNRESTRICTED` or `RESTRICTED`. Although the command also permits the value of `NONE`, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as `UNRESTRICTED`. If you change the SID type to `RESTRICTED`, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to `UNRESTRICTED`.
1. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](#create-an-inbound-port-rule). After you have configured the protocol and port options, select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an outbound program or service rule
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. This type of rule prevents the program from sending any outbound network traffic on any port. To create an outbound firewall rule for a program or service:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule Wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **This program path**
1. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly
1. Do one of the following:
- If the executable file contains a single program, select **Next**
- If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then select **Apply to service with this service short name**, and type the short name for the service in the text box. Select **OK**, and then select **Next**
1. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](#create-an-outbound-port-rule). When you have configured the protocol and port options, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create inbound rules to support RPC
To allow inbound remote procedure call (RPC) network traffic, you must create two firewall rules:
- the first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service
- the second rule allows the network traffic that is sent to the dynamically assigned port number
Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
### RPC Endpoint Mapper service
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**This Program Path**, and then type `%systemroot%\system32\svchost.exe`
1. Select **Customize**.
1. In the **Customize Service Settings** dialog box, select**Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, select**OK**, and then select**Next**
1. On the warning about Windows service-hardening rules, select**Yes**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Endpoint Mapper**, and then select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
### RPC-enabled network services
1. On the same GPO you edited in the preceding procedure, select**Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**This Program Path**, and then type the path to the executable file that hosts the network service. Select **Customize**
1. In the **Customize Service Settings** dialog box, select**Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then select**Apply to service with this service short name**, and then type the short name of the service in the text box
1. Select **OK**, and then select**Next**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Dynamic Ports**, and then select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
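Review bot: the old path needs a redirect, and any TOC entry or link that points at it needs updating in the other changed files, because this hunk removes the whole article (-1,178 +0,0) while its front matter and body reappear verbatim as the new side of the next file's hunk, so this is a move rather than a removal; the in-page anchors `#create-an-inbound-port-rule` and `#create-an-inbound-program-or-service-rule` are cross-referenced from the body itself, so they must survive at the new location. Since the text is carried over unchanged, this is also the moment to fix the defects it carries: the leaked template text "Information the user should notice even if skimming" at the start of the NOTE in the inbound program-or-service procedure, the missing space after "select" in occurrences such as `select**Inbound Rules**` and `select**Next**`, and the two sentences beginning "To set a SID type on a service" and "In the preceding command" that lack the `>` prefix and therefore render outside the IMPORTANT callout and interrupt the numbered steps.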

View File

@ -1,145 +1,178 @@
--- ---
title: Configure Windows Firewall title: Configure firewall rules with WFAS console
description: Learn about the available tools to configure Windows Firewall and firewall rules. description: Learn how to configure firewall rules using group policy with the Windows Firewall with Advanced Security console.
ms.date: 11/15/2023 ms.topic: how-to
ms.topic: best-practice ms.date: 11/14/2023
--- ---
# Configure Windows Firewall # Configure rules with WFAS console
This article describes the available tools to configure Windows Firewall and firewall rules. This article contains examples how to configure Windows Firewall rules using the *Windows Firewall with Advanced Security* console.
## Configuration tools ## Access the Windows Firewall with Advanced Security console
Windows offers different tools to view the status and configure Windows Firewall. All tools interact with the same underlying services, but provide different levels of control over those services: If you're configuring devices joined to an Active Directory domain, to complete these procedures you must be a member of the Domain Administrators group, or otherwise have delegated permissions to modify the GPOs in the domain. To access the *Windows Firewall with Advanced Security* console, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**.
- [Windows Security](#windows-security) If you are configuring a single device, you must have administrative rights on the device. In which case, to access the *Windows Firewall with Advanced Security* console, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd>.
- [Control Panel](#control-panel)
- [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) (WFAS) ## Create an inbound ICMP rule
- [Configuration Service Provider (CSP)](#configuration-service-provider-csp)
- [Command line tools](#command-line-tools) This type of rule allows ICMP requests and responses to be received by devices on the network. To create an inbound ICMP rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**All programs**, and then select**Next**
1. On the **Protocol and Ports** page, select **ICMPv4** or **ICMPv6** from the **Protocol type** list. If you use both IPv4 and IPv6 on your network, you must create a separate ICMP rule for each
1. Select **Customize**
1. In the **Customize ICMP Settings** dialog box, do one of the following:
- To allow all ICMP network traffic, select**All ICMP types**, and then select**OK**
- To select one of the predefined ICMP types, select**Specific ICMP types**, and then select each type in the list that you want to allow. Select **OK**
- To select an ICMP type that does not appear in the list, select**Specific ICMP types**, select the **Type** number from the list, select the **Code** number from the list, select**Add**, and then select the newly created entry from the list. Select **OK**
1. Select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an inbound port rule
This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port. To create an inbound port rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select**Inbound Rules**
1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select**All programs**, and then select**Next**
> [!NOTE]
> This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The specified program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. If you choose to do this, follow the steps in the [Create an Inbound Program or Service Rule](#create-an-inbound-program-or-service-rule) procedure in addition to the steps in this procedure to create a single rule that filters network traffic using both program and port criteria.
1. On the **Protocol and Ports** page, select the protocol type that you want to allow. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an incoming rule, you typically configure only the local port number
If you select another protocol, then only packets whose protocol field in the IP header match this rule are permitted through the firewall.\
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.\
When you have configured the protocols and ports, select**Next**.
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
> [!NOTE]
> If this GPO is targeted at server computers running Windows Server 2008 that never move, consider modifying the rules to apply to all network location type profiles. This prevents an unexpected change in the applied rules if the network location type changes due to the installation of a new network card or the disconnection of an existing network card's cable. A disconnected network card is automatically assigned to the Public network location type.
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
## Create an outbound port rule
By default, Windows Firewall allows all outbound network traffic, unless it matches a rule that prohibits the traffic. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers. To create an outbound port rule:
1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **All programs**, and then select **Next**
1. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this rule is an outbound rule, you typically configure only the remote port number
If you select another protocol, then only packets whose protocol field in the IP header matches this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match don't block it. To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box. When you've configured the protocols and ports, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
## Create an inbound program or service rule
This type of rule allows the program to listen and receive inbound network traffic on any port.
> [!NOTE] > [!NOTE]
> To change the configuration of Windows Firewall on a device, you must have administative rights. > This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](#create-an-inbound-port-rule) procedure in addition to the steps in this procedure.
:::row::: To create an inbound firewall rule for a program or service:
:::column span="4":::
#### Windows Security
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
The *Windows Security* app can be used to view the Windows Firewall status and access advanced tools to configure it. Select <kbd>START</kbd>, type `Windows Security`, and press <kbd>ENTER</kbd>. Once Windows Security is open, select the tab **Firewall & network protection**. Or use the following shortcut:
> [!div class="nextstepaction"]
> [Open Firewall & network protection][SEC-1]
:::column-end::: 1. Open the *Windows Firewall with Advanced Security* console
:::column span="1"::: 1. In the navigation pane, select**Inbound Rules**
:::image type="content" source="images/windows-security.png" alt-text="Screenshot showing the Windows Security app." lightbox="images/windows-security.png" border="false"::: 1. Select **Action**, and then select**New rule**
:::column-end::: 1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
:::row-end::: > [!NOTE]
:::row::: > Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
:::column span="4"::: 1. On the **Program** page, select**This program path**
#### Control Panel 1. Type the path to the program in the text box. Use environment variables, where applicable, to ensure that programs installed in different locations on different computers work correctly.
:::column-end::: 1. Do one of the following:
:::row-end::: - If the executable file contains a single program, select**Next**
:::row::: - If the executable file is a container for multiple services that must all be allowed to receive inbound network traffic, select**Customize**, select **Apply to services only**, select**OK**, and then select**Next**
:::column span="3"::: - If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select**Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, select**Apply to service with this service short name**, and then type the short name for the service in the text box. Select **OK**, and then select**Next**
The *Windows Defender Firewall* Control Panel applet provides basic functionalities to configure Windows Firewall. Select <kbd>START</kbd>, type `firewall.cpl`, and press <kbd>ENTER</kbd>.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/control-panel.png" alt-text="Screenshot showing the Windows Defender Firewall control panel applet." lightbox="images/control-panel.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
#### Windows Defender Firewall with Advanced Security
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
The *Windows Defender Firewall with Advanced Security* (WFAS) is a Microsoft Management Console (MMC) snap-in that provides advanced configuration functionalities. It can be used locally and in group policy (GPO) implementations.
- If you are configuring a single device, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd> > [!IMPORTANT]
- If you're configuring devices joined to an Active Directory domain, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security** > To use the **Apply to this service** or **Apply to service with this service short name** options, the service must be configured with a security identifier (SID) with a type of **RESTRICTED** or **UNRESTRICTED**. To check the SID type of a service, run the following command: `sc qsidtype <ServiceName>`
>
> If the result is `NONE`, then a firewall rule cannot be applied to that service.
:::column-end::: To set a SID type on a service, run the following command: `sc sidtype <ServiceName> <Type>`
:::column span="1":::
:::image type="content" source="images/wfas.png" alt-text="Screenshot of the Windows Defender Firewall with Advanced Security MMC snap-in." lightbox="images/wfas.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
#### Configuration Service Provider (CSP)
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
The [Firewall CSP][CSP] provides an interface to configure and query the status of Windows Firewall, which can be used with a mobile device management (MDM) solution like Microsoft Intune.
To learn more about the CSP options, follow these links: In the preceding command, the value of `<Type>` can be `UNRESTRICTED` or `RESTRICTED`. Although the command also permits the value of `NONE`, that setting means the service cannot be used in a firewall rule as described here. By default, most services in Windows are configured as `UNRESTRICTED`. If you change the SID type to `RESTRICTED`, the service might fail to start. We recommend that you change the SID type only on services that you want to use in firewall rules, and that you change the SID type to `UNRESTRICTED`.
- [Configure Windows Firewall settings][SETTINGS]: to configure the settings 1. It is a best practice to restrict the firewall rule for the program to only the ports it needs to operate. On the **Protocols and Ports** page, you can specify the port numbers for the allowed traffic. If the program tries to listen on a port different from the one specified here, it is blocked. For more information about protocol and port options, see [Create an Inbound Port Rule](#create-an-inbound-port-rule). After you have configured the protocol and port options, select**Next**
- [Configure Windows Firewall rules][RULE]: to configure the rules 1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
:::column-end::: ## Create an outbound program or service rule
:::row-end:::
:::row:::
:::column span="4":::
#### Command line tools
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
The `NetSecurity` PowerShell module and `Network Command Shell (netsh.exe)` are command line utilities that can be used to query the status and configure Windows Firewall.
:::column-end:::
:::row-end:::
## Group policy processing considerations By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. This type of rule prevents the program from sending any outbound network traffic on any port. To create an outbound firewall rule for a program or service:
The Windows Firewall policy settings are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset between 0 and 30 minutes. 1. Open the *Windows Firewall with Advanced Security* console
1. In the navigation pane, select **Outbound Rules**
1. Select **Action**, and then select **New rule**
1. On the **Rule Type** page of the New Outbound Rule Wizard, select **Custom**, and then select **Next**
> [!NOTE]
> Although you can create many rules by selecting **Program** or **Port**, those choices limit the number of pages presented by the wizard. If you select **Custom**, you see all of the pages, and have the most flexibility in creating your rules.
1. On the **Program** page, select **This program path**
1. Type the path to the program in the text box. Use environment variables as appropriate to ensure that programs installed in different locations on different computers work correctly
1. Do one of the following:
- If the executable file contains a single program, select **Next**
- If the executable file is a container for multiple services that must all be blocked from sending outbound network traffic, select **Customize**, select **Apply to services only**, select **OK**, and then select **Next**
- If the executable file is a container for a single service or contains multiple services but the rule only applies to one of them, select **Customize**, select **Apply to this service**, and then select the service from the list. If the service does not appear in the list, then select **Apply to service with this service short name**, and type the short name for the service in the text box. Select **OK**, and then select **Next**
1. If you want the program to be allowed to send on some ports, but blocked from sending on others, then you can restrict the firewall rule to block only the specified ports or protocols. On the **Protocols and Ports** page, you can specify the port numbers or protocol numbers for the blocked traffic. If the program tries to send to or from a port number different from the one specified here, or by using a protocol number different from the one specified here, then the default outbound firewall behavior allows the traffic. For more information about the protocol and port options, see [Create an Outbound Port Rule](#create-an-outbound-port-rule). When you have configured the protocol and port options, select **Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select **Next**
1. On the **Action** page, select **Block the connection**, and then select **Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select **Next**
1. On the **Name** page, type a name and description for your rule, and then select **Finish**
Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions: ## Create inbound rules to support RPC
1. Reads all firewall rules and settings To allow inbound remote procedure call (RPC) network traffic, you must create two firewall rules:
1. Applies any new filters
1. Removes the old filters
> [!NOTE] - the first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically assigned port number that the client must use to communicate with the service
> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected. - the second rule allows the network traffic that is sent to the dynamically assigned port number
Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure registry policy processing**. The **Process even if the Group Policy objects haven't changed** option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
If you enable the option **Process even if the Group Policy objects haven't changed**, the WFP filters get reapplied at **every** background refresh. In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like: ### RPC Endpoint Mapper service
- Windows Firewall blocks inbound or outbound traffic allowed by group policies 1. Open the *Windows Firewall with Advanced Security* console
- Local Firewall settings are applied instead of group policy settings 1. In the navigation pane, select**Inbound Rules**
- IPsec connections can't establish 1. Select **Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
1. On the **Program** page, select**This Program Path**, and then type `%systemroot%\system32\svchost.exe`
1. Select **Customize**.
1. In the **Customize Service Settings** dialog box, select**Apply to this service**, select **Remote Procedure Call (RPC)** with a short name of **RpcSs**, select**OK**, and then select**Next**
1. On the warning about Windows service-hardening rules, select**Yes**
1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Endpoint Mapper**, and then select**Next**
1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller. ### RPC-enabled network services
To avoid the issue, leave the policy **Configure registry policy processing** to the default value of **Not Configured** or, if already configured, configure it **Disabled**. 1. On the same GPO you edited in the preceding procedure, select**Action**, and then select**New rule**
1. On the **Rule Type** page of the New Inbound Rule Wizard, select**Custom**, and then select**Next**
> [!IMPORTANT] 1. On the **Program** page, select**This Program Path**, and then type the path to the executable file that hosts the network service. Select **Customize**
> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change. 1. In the **Customize Service Settings** dialog box, select**Apply to this service**, and then select the service that you want to allow. If the service doesn't appear in the list, then select**Apply to service with this service short name**, and then type the short name of the service in the text box
> 1. Select **OK**, and then select**Next**
> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**. 1. On the **Protocol and Ports** dialog box, for **Protocol type**, select **TCP**
1. For **Local port**, select **RPC Dynamic Ports**, and then select**Next**
## *Shields up* mode for active attacks 1. On the **Scope** page, you can specify that the rule applies only to network traffic to or from the IP addresses entered on this page. Configure as appropriate for your design, and then select**Next**
1. On the **Action** page, select **Allow the connection**, and then select**Next**
An important Windows Firewall feature you can use to mitigate damage during an active attack is the *shields up* mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. 1. On the **Profile** page, select the network location types to which this rule applies, and then select**Next**
1. On the **Name** page, type a name and description for your rule, and then select**Finish**
Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or Control Panel.
![Incoming connections.](images/fw06-block.png)
:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
Once the emergency is over, uncheck the setting to restore regular network traffic.
<!--links-->
[SEC-1]: windowsdefender://network/
[CSP]: /windows/client-management/mdm/firewall-csp
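Review bot: in the procedures added to this file, the step text is missing the space between `select` and the bolded control name (`select**Inbound Rules**`, `select**New rule**`, `select**Custom**, and then select**Next**`), and the same pattern runs through the inbound program/service steps and both RPC procedures; CommonMark renders this as "selectNew rule", so insert the space as the outbound procedure already does (`select **Custom**, and then select **Next**`). The NOTE under the inbound Rule Type step still has the alert template placeholder fused to the real text ("Information the user should notice even if skimmingAlthough you can create rules by selecting **Program** or **Port**"); drop the placeholder. The program-rule steps link to `#create-an-inbound-port-rule` and `#create-an-outbound-port-rule`, but the content shown here only contains the ICMP, program/service and RPC procedures, so confirm those headings exist in this file after the move or the anchors are dead. The IMPORTANT block on service SID types is split: the lines starting "To set a SID type on a service, run the following command: `sc sidtype <ServiceName> <Type>`" and "In the preceding command, the value of `<Type>` can be `UNRESTRICTED` or `RESTRICTED`" are not prefixed with `>`, so they render as body text between two halves of the alert; keep the whole explanation inside the quote or move it all out. In the RPC-enabled network services procedure, step 1 ("On the same GPO you edited in the preceding procedure") assumes the GPO path, while the article also covers single-device editing through `wf.msc`; "In the same console" would cover both.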

View File

@ -35,14 +35,14 @@ When first installed, network applications and services issue a *listen call* sp
- If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic - If the user has admin permissions, they're prompted. If they respond *No* or cancel the prompt, block rules are created. Two rules are typically created, one each for TCP and UDP traffic
- If the user isn't a local admin, they won't be prompted. In most cases, block rules are created - If the user isn't a local admin, they won't be prompted. In most cases, block rules are created
In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked.
:::column-end::: :::column-end:::
:::column span="2"::: :::column span="2":::
:::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false"::: :::image type="content" source="images/uac.png" alt-text="Screenshot showing the User Account Control (UAC) prompt to allow Microsoft Teams." border="false":::
:::column-end::: :::column-end:::
:::row-end::: :::row-end:::
In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again. If not, the traffic continues to be blocked.
> [!NOTE] > [!NOTE]
> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user.
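Review bot: the moved paragraph "In either of these scenarios, once the rules are added, they must be deleted to generate the prompt again" now sits after `:::row-end:::`, so in the rendered two-column layout it follows the UAC screenshot rather than the two bullets it refers to; check the rendered page and, if the paragraph reads as detached, keep it directly under the bullet list inside the first column or reword the opening so it no longer depends on adjacency ("In either scenario, ...").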
@ -99,7 +99,7 @@ To determine why some applications are blocked from communicating in the network
1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt 1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt
1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes 1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes
1. *Local Policy Merge* is disabled, preventing the application or network service from creating local rules 1. [Local policy merge](#local-policy-merge-and-application-rules) is disabled, preventing the application or network service from creating local rules
Creation of application rules at runtime can also be prohibited by administrators using the Settings app or policy settings. Creation of application rules at runtime can also be prohibited by administrators using the Settings app or policy settings.
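Review bot: the new in-page link `[Local policy merge](#local-policy-merge-and-application-rules)` only resolves if this file has a heading whose text slugifies to exactly `local-policy-merge-and-application-rules`; the heading is outside this hunk, so confirm its wording matches (a heading such as "Local policy merge and application rules" works, any variation breaks the anchor). The replaced text was italicized as *Local Policy Merge*; if the heading uses lowercase "policy merge", keep the link text consistent with it, as this hunk does.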
@ -124,4 +124,4 @@ Firewall rules can be configure with the following tools:
> [!div class="nextstepaction"] > [!div class="nextstepaction"]
> Learn about the tools to configure Windows Firewall and firewall rules: > Learn about the tools to configure Windows Firewall and firewall rules:
> >
> [Configure Windows Firewall >](configure.md) > [Configuration tools >](tools.md)
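Review bot: the link target is updated to `tools.md` and the blurb "Learn about the tools to configure Windows Firewall and firewall rules:" now matches it, which is correct. While touching this block, fix the typo in the unchanged context line of the hunk header, "Firewall rules can be configure with the following tools:", to "can be configured with".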

View File

@ -5,10 +5,10 @@ items:
href: rules.md href: rules.md
- name: Configure and manage Windows Firewall - name: Configure and manage Windows Firewall
items: items:
- name: Configuration tools
href: tools.md
- name: Configure Windows Firewall - name: Configure Windows Firewall
href: configure.md href: configure.md
- name: Configure firewall rules with WFAS console
href: configure-rules-with-wfas.md
- name: Configure with command line tools - name: Configure with command line tools
href: configure-with-command-line.md href: configure-with-command-line.md
- name: Configure with Microsoft Intune 🔗 - name: Configure with Microsoft Intune 🔗
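Review bot: removing the `configure-rules-with-wfas.md` entry together with deleting that file leaves existing links and bookmarks to the old page with a 404; the commit touches five files (the deleted page, `configure.md`, `rules.md`, this TOC and the new `tools.md`) and none of them is a redirection entry, so add a redirect from `configure-rules-with-wfas.md` to the page that now hosts the procedures. The ordering is fine: "Configuration tools" (`tools.md`) precedes "Configure Windows Firewall" (`configure.md`), which matches the next-step flow set up in the other files.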

View File

@ -0,0 +1,148 @@
---
title: Windows Firewall tools
description: Learn about the available tools to configure Windows Firewall and firewall rules.
ms.date: 11/15/2023
ms.topic: best-practice
---
# Windows Firewall tools
Windows offers different tools to view the status and configure Windows Firewall. All tools interact with the same underlying services, but provide different levels of control over those services:
- [Windows Security](#windows-security)
- [Control Panel](#control-panel)
- [Windows Defender Firewall with Advanced Security](#windows-defender-firewall-with-advanced-security) (WFAS)
- [Configuration Service Provider (CSP)](#configuration-service-provider-csp)
- [Command line tools](#command-line-tools)
> [!NOTE]
> To change the configuration of Windows Firewall on a device, you must have administative rights.
:::row:::
:::column span="4":::
#### Windows Security
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
The *Windows Security* app can be used to view the Windows Firewall status and access advanced tools to configure it. Select <kbd>START</kbd>, type `Windows Security`, and press <kbd>ENTER</kbd>. Once Windows Security is open, select the tab **Firewall & network protection**. Or use the following shortcut:
> [!div class="nextstepaction"]
> [Open Firewall & network protection][SEC-1]
:::column-end:::
:::column span="1":::
:::image type="content" source="images/windows-security.png" alt-text="Screenshot showing the Windows Security app." lightbox="images/windows-security.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
#### Control Panel
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
The *Windows Defender Firewall* Control Panel applet provides basic functionalities to configure Windows Firewall. Select <kbd>START</kbd>, type `firewall.cpl`, and press <kbd>ENTER</kbd>.
:::column-end:::
:::column span="1":::
:::image type="content" source="images/control-panel.png" alt-text="Screenshot showing the Windows Defender Firewall control panel applet." lightbox="images/control-panel.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
#### Windows Defender Firewall with Advanced Security
:::column-end:::
:::row-end:::
:::row:::
:::column span="3":::
The *Windows Defender Firewall with Advanced Security* (WFAS) is a Microsoft Management Console (MMC) snap-in that provides advanced configuration functionalities. It can be used locally and in group policy (GPO) implementations.
- If you are configuring a single device, select <kbd>START</kbd>, type `wf.msc`, and press <kbd>ENTER</kbd>
- If you're configuring devices joined to an Active Directory domain, [create or edit](/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754740(v=ws.11)) a group policy object (GPO) and expand the nodes **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Windows Firewall with Advanced Security**
:::column-end:::
:::column span="1":::
:::image type="content" source="images/wfas.png" alt-text="Screenshot of the Windows Defender Firewall with Advanced Security MMC snap-in." lightbox="images/wfas.png" border="false":::
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
#### Configuration Service Provider (CSP)
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
The [Firewall CSP][CSP] provides an interface to configure and query the status of Windows Firewall, which can be used with a mobile device management (MDM) solution like Microsoft Intune.
To learn more about the CSP options, follow these links:
- [Configure Windows Firewall settings][SETTINGS]: to configure the settings
- [Configure Windows Firewall rules][RULE]: to configure the rules
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
#### Command line tools
:::column-end:::
:::row-end:::
:::row:::
:::column span="4":::
The `NetSecurity` PowerShell module and `Network Command Shell (netsh.exe)` are command line utilities that can be used to query the status and configure Windows Firewall.
:::column-end:::
:::row-end:::
## Group policy processing considerations
The Windows Firewall policy settings are stored in the registry. By default, group policies are refreshed in the background every 90 minutes, with a random offset between 0 and 30 minutes.
Windows Firewall monitors the registry for changes, and if something is written to the registry it notifies the *Windows Filtering Platform (WFP)*, which performs the following actions:
1. Reads all firewall rules and settings
1. Applies any new filters
1. Removes the old filters
> [!NOTE]
> The actions are triggered whenever something is written to, or deleted from the registry location the GPO settings are stored, regardless if there's really a configuration change. During the process, IPsec connections are disconnected.
Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it. To control the behavior of the registry group policy processing, you can use the policy **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Configure registry policy processing**. The **Process even if the Group Policy objects haven't changed** option updates and reapplies the policies even if the policies haven't changed. This option is disabled by default.
If you enable the option **Process even if the Group Policy objects haven't changed**, the WFP filters get reapplied at **every** background refresh. In case you have 10 group policies, the WFP filters get reapplied 10 times during the refresh interval. If an error happens during policy processing, the applied settings might be incomplete, resulting in issues like:
- Windows Firewall blocks inbound or outbound traffic allowed by group policies
- Local Firewall settings are applied instead of group policy settings
- IPsec connections can't establish
The temporary solution is to refresh the group policy settings, using the command `gpupdate.exe /force`, which requires connectivity to a domain controller.
To avoid the issue, leave the policy **Configure registry policy processing** to the default value of **Not Configured** or, if already configured, configure it **Disabled**.
> [!IMPORTANT]
> The checkbox next to **Process even if the Group Policy objects have not changed** must be unchecked. If you leave it unchecked, WFP filters are written only in case there's a configuration change.
>
> If there's a requirement to force registry deletion and rewrite, then disable background processing by checking the checkbox next to **Do not apply during periodic background processing**.
## *Shields up* mode for active attacks
An important Windows Firewall feature you can use to mitigate damage during an active attack is the *shields up* mode. It's an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack.
Shields up can be achieved by checking **Block all incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or Control Panel.
![Incoming connections.](images/fw06-block.png)
:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::
By default, the Windows Firewall blocks everything unless there's an exception rule created. The *shield up* option overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there's an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access won't work as long as shields up is activated.
Once the emergency is over, uncheck the setting to restore regular network traffic.
## Next steps
> [!div class="nextstepaction"]
> Learn about the tools to configure Windows Firewall and firewall rules:
>
> [Configure Windows Firewall >](configure.md)
<!--links-->
[SEC-1]: windowsdefender://network/
[CSP]: /windows/client-management/mdm/firewall-csp
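Review bot: the CSP section references `[SETTINGS]` and `[RULE]` ("- [Configure Windows Firewall settings][SETTINGS]", "- [Configure Windows Firewall rules][RULE]"), but the links block at the end of the file only defines `[SEC-1]` and `[CSP]`; without those two definitions the bullets render as literal bracketed text, so add them. The tool subsections are H4 headings (`#### Windows Security`, `#### Control Panel`, ...) directly under the H1 title and ahead of the H2 sections "Group policy processing considerations" and "Shields up"; that skips two levels and hides the tools from the right-hand TOC, so make them `##` (or `###` under a `## Tools` heading). The Next steps box keeps the old page's blurb "Learn about the tools to configure Windows Firewall and firewall rules:" while linking to `configure.md`, which describes this page rather than the target; reword it to describe configuring the firewall. Smaller fixes: "administative rights" in the NOTE should be "administrative"; "The *shield up* option overrides the exceptions" should be "shields up" as used everywhere else; the code span `` `Network Command Shell (netsh.exe)` `` should only wrap `netsh.exe`; the two shields-up screenshots use different syntaxes (`![Incoming connections.](images/fw06-block.png)` versus `:::image type="content" alt-text="Firewall cpl." source="images/fw07-legacy.png":::`) and "Firewall cpl." is not a usable alt text, so use `:::image` for both with descriptive alt text; "regardless if there's really a configuration change" reads better as "regardless of whether there's a configuration change", and "leave the policy ... to the default value" as "at the default value". The WFAS bullets also mix "If you are configuring" and "If you're configuring" in the same list.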