deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Edit best practices doc for fw

Browse Source
This commit is contained in:
schmurky 2020-09-21 16:56:07 +08:00
parent f40e25b767
commit d5634c5a70
1 changed files with 40 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
windows/security/threat-protection/windows-firewall/best-practices-configuring.md
View File

@ -34,13 +34,11 @@ network. These recommendations cover a wide range of deployments including home
networks and enterprise desktop/server systems. networks and enterprise desktop/server systems.
To open Windows Firewall, go to the **Start** menu, click **Run**, To open Windows Firewall, go to the **Start** menu, click **Run**,
type **WF.msc**, and then click **OK**. type **WF.msc**, and then click **OK**. See also [Open Windows Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security).
## Understanding default settings ## Keep default settings
When you open the Windows Defender Firewall for the first time, you can see the When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
default settings applicable to the local computer. The Overview panel displays
security settings for each type of network to which the device can connect.
![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png) ![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png)
@ -57,25 +55,23 @@ security settings for each type of network to which the device can connect.
for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, and for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, and
stores. stores.
You can view detailed settings for each profile by right-clicking (or selecting View detailed settings for each profile by right-clicking (or selecting
and holding) the top-level **Windows Defender Firewall with Advanced Security** and holding) the top-level **Windows Defender Firewall with Advanced Security**
node in the left pane and then selecting **Properties**. node in the left pane and then selecting **Properties**.
You should maintain the default settings shipped with the Windows Defender Maintain the default settings in Windows Defender
Firewall whenever possible. These settings have been designed to safeguard your Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections.
computer for use in most common network scenarios.
One key example is the default Block behavior for Inbound connections. In order to maintain maximum security, changing this setting is highly
discouraged.
![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png) ![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png)
*Figure 2: Default Inbound/Outbound connection behavior* *Figure 2: Default Inbound/Outbound connection behavior*
## Creating firewall rules > [!IMPORTANT]
> To maintain maximum security, do not change the default Block setting for inbound connections.
In many cases, a next step for administrators will be to customize these ## Understand rule precedence
profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a
In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a
program, open a port or protocol, or allow a predefined type of traffic. program, open a port or protocol, or allow a predefined type of traffic.
This can be accomplished by right-clicking (or selecting and holding) either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: This can be accomplished by right-clicking (or selecting and holding) either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
@ -91,11 +87,6 @@ Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-fir
for general guidance on policy creation. for general guidance on policy creation.
### Rule precedence in creating inbound rules
In many cases, allowing specific types of inbound traffic will be required for In many cases, allowing specific types of inbound traffic will be required for
applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when
allowing these inbound exceptions. allowing these inbound exceptions.
@ -119,40 +110,29 @@ performance degradation.
> [!NOTE] > [!NOTE]
Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above.
### Creating rules for new applications at first launch ## Create rules for new applications before first launch
When first installed, networked applications and services issue a listen call ### Inbound allow rules
specifying the protocol/port information required for them to function properly.
As there is a default block action in place on the Windows Defender Firewall, it
is necessary to create inbound exception rules to allow this traffic. In such a
scenario it is common for the app or the app-installer itself to add this
firewall rule. Failing that, the responsibility falls to the user (or firewall
admin on behalf of the user) to manually create them.
Assuming there are no active application or administratively defined allow When first installed, networked applications and services issue a 'listen call' specifying the protocol/port information required for them to function properly. As there is a default block action in place on the Windows Defender Firewall, it
rule(s) already present to allow the traffic, creation will have to be dealt is necessary to create inbound exception rules to allow this traffic. In such a scenario it is common for the app or the app installer itself to add this firewall rule. Failing that, the responsibility falls to the user (or firewall admin on behalf of the user) to manually create a rule.
with the first time the application is launched or otherwise tries to
communicate on the network. In such a case a query popup will be triggered
prompting the user to either allow or block the packets.
- If the user has admin level permissions, they will be prompted. If they Assuming there are no active application or administrator-defined allow rule(s) already present, creation will have to be dealt with the first time the application is launched or otherwise tries to communicate on the network. In such a case a dialog box will prompt the user to either allow or block the packets.
respond no or otherwise cancel the prompt, block rules will be created
(typically two; one for TCP traffic and one for UDP traffic).
- If the user is not a local admin they will not be prompted and, in most - If the user has admin permissions, they will be prompted. If they respond no or otherwise cancel the prompt, block rules will be created (typically two; one for TCP traffic and one for UDP traffic).
cases, block rules will be created.
In either of the scenarios above, once these rules are added they must be - If the user is not a local admin they will not be prompted and, in most cases, block rules will be created.
deleted in order to generate the prompt again. If not, the traffic will continue
to be blocked.
As regards third-party software. Microsoft cannot know in advance [and should In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked.
> [!NOTE]
> As regards third-party software. Microsoft cannot know in advance [and should
not even assume] whether we should let all packets for the application just come not even assume] whether we should let all packets for the application just come
into the machine. Hence, it is up to the developer of the app, the user (or the into the machine. Hence, it is up to the developer of the app, the user (or the
admin acting on behalf of the user) to allow appropriate inbound firewall admin acting on behalf of the user) to allow appropriate inbound firewall
exceptions. exceptions.
#### Known issues with user query behaviors ### Known issues with user query behaviors
When designing a set of firewall policies for your network, it is a best When designing a set of firewall policies for your network, it is a best
practice to configure allow rules for any networked applications deployed on the practice to configure allow rules for any networked applications deployed on the
@ -180,26 +160,26 @@ around this process can typically be boiled down to a few primary causes:
*Figure 4: User query notification* *Figure 4: User query notification*
### Local Policy Merge and Application Rules ## Establish local policy merge and application rules
Firewall rules can be deployed locally using the Firewall snap-in (wf.msc) or Firewall rules can be deployed:
PowerShell, or remotely using Group Policy (if member of an Active Directory 1. Locally using the Firewall snap-in (**WF.msc**)
Name, SCCM, or Intune (if Workplace joined). Rule merging settings can be used 2. Locally using PowerShell
to control how rules from these two policy sources can be combined. 3. Remotely using Group Policy if the device is a member of:
Administrators can configure different merge behaviors for Domain, Private, and 1. an Active Directory Name
Public profiles. 2. SCCM
3. Intune (using workplace join)
The setting is used if you want to allow/disallow local administrators the Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
ability to create their own firewall rules in addition to those obtained from
Group Policy.
![A screenshot of a cell phone Description automatically generated](images/fw05-rulemerge.png) The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.
*Figure 5: Rule merge setting* ![Customize settings](images/fw05-rulemerge.png)
The equivalent setting *AllowLocalPolicyMerge* is used when configuring the *Figure 5: Rule merging setting*
firewall using the Firewall CSP and is exposed under each respective profile
node, DomainProfile, PrivateProfile, PublicProfile. The equivalent setting *AllowLocalPolicyMerge* is used when configuring using the firewall [configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp) and is exposed under each respective profile
node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*.
In a case where the merging of local policies is disabled, centralized In a case where the merging of local policies is disabled, centralized
deployment of rules will be required for any app that needs inbound deployment of rules will be required for any app that needs inbound
@ -225,7 +205,7 @@ Currently the use of wildcard patterns, such as C:\*\\teams.exe is not
supported in application rules. Currently we only support created using the full supported in application rules. Currently we only support created using the full
path to an application(s). path to an application(s).
### **Shields Up Mode** ## Know how to use "shields up" mode for active attacks
A discussion of inbound connections presents a good time to discuss a firewall A discussion of inbound connections presents a good time to discuss a firewall
option that can be used to help mitigate damage in the face of an active attack. option that can be used to help mitigate damage in the face of an active attack.
@ -259,7 +239,7 @@ nature of the setting.
One the emergency is over, uncheck the setting to resume normal operations. One the emergency is over, uncheck the setting to resume normal operations.
### Creating outbound rules ## Create outbound rules
What follows are a few general guidelines for configuring outbound filters. What follows are a few general guidelines for configuring outbound filters.