deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
Files
5bcf431e39e0338adc04929fec955b5a6a7fc5a0
windows-itpro-docs/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
Paolo Matarazzo 5bcf431e39 updates
2023-05-23 08:23:54 -04:00

3.3 KiB
Raw Blame History

title, description, ms.prod, ms.topic, ms.date
title description ms.prod ms.topic ms.date
Designing a Windows Defender Firewall Strategy (Windows) Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. windows-client conceptual 09/07/2021

Designing a Windows Defender Firewall with Advanced Security Strategy

To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. You must have a good understanding of what tasks the devices on the network perform, and how they use the network to accomplish those tasks. You must understand the network traffic generated by the programs running on the devices.

The information that you gather will help you answer the following questions. The answers will help you understand your security requirements and select the design that best matches those requirements. The information will also help you when it comes time to deploy your design, by helping you to build a deployment strategy that is cost effective and resource efficient. It will help you project and justify the expected costs associated with implementing the design.

  • What traffic must always be allowed? What are characteristics of the network traffic generated and consumed by the business programs?

  • What traffic must always be blocked? Does your organization have policies that prohibit the use of specific programs? If so, what are the characteristics of the network traffic generated and consumed by the prohibited programs?

  • What traffic on the network can't be protected by IPsec because the devices or devices sending or receiving the traffic don't support IPsec?

  • For each type of network traffic, does the default configuration of the firewall (block all unsolicited inbound network traffic, allow all outbound traffic) allow or block the traffic as required?

  • Do you have an Active Directory domain (or forest of trusted domains) to which all your devices are joined? If you don't, then you can't use Group Policy for easy mass deployment of your firewall and connection security rules. You also can't easily take advantage of Kerberos V5 authentication that all domain clients can use.

  • Which devices must be able to accept unsolicited inbound connections from devices that aren't part of the domain?

  • Which devices contain data that must be encrypted when exchanged with another computer?

  • Which devices contain sensitive data to which access must be restricted to authorized users and devices?

  • Does your organization have specific network troubleshooting devices or devices (such as protocol analyzers) that must be granted unlimited access to the devices on the network, essentially bypassing the firewall?

This guide describes how to plan your groups and GPOs for an environment with a mix of operating systems. Details can be found in the section Planning Group Policy Deployment for Your Isolation Zones later in this guide.

Next: Gathering the Information You Need