2019-03-28 09:13:16 -07:00

Windows Firewall with Advanced Security

Isolating Microsoft Store Apps on Your Network

Securing IPsec

PowerShell

Design Guide

Design Process

Deployment Goals

Protect Devices from Unwanted Network Traffic

Restrict Access to Only Trusted Devices

Require Encryption

Restrict Access

Mapping Goals to a Design

Basic Design

Domain Isolation Design

Server Isolation Design

Certificate-based Isolation Design

Evaluating Design Examples

Basic Design Example

Domain Isolation Design Example

Server Isolation Design Example

Certificate-based Isolation Design Example

Designing a Strategy

Gathering the Info You Need

Network
Active Directory
Computers
Other Relevant Information

Determining the Trusted State of Your Computers

Planning Your Design

Planning Settings for a Basic Firewall Policy

Planning Domain Isolation Zones

Exemption List
Isolated Domain
Boundary Zone
Encryption Zone

Planning Server Isolation Zones

Planning Certificate-based Authentication

Documenting the Zones
Planning Group Policy Deployment for Your Isolation Zones
Planning Isolation Groups for the Zones
Planning Network Access Groups
Planning the GPOs

Firewall GPOs

GPO_DOMISO_Firewall

Isolated Domain GPOs

GPO_DOMISO_IsolatedDomain_Clients
GPO_DOMISO_IsolatedDomain_Servers

Boundary Zone GPOs

GPO_DOMISO_Boundary

Encryption Zone GPOs

GPO_DOMISO_Encryption

Server Isolation GPOs

Planning GPO Deployment

Appendix A: Sample GPO Template Files for Settings Used in this Guide

Deployment Guide

Planning to Deploy

Implementing Your Plan

Checklist: Creating Group Policy Objects

Checklist: Implementing a Basic Firewall Policy Design

Checklist: Configuring Basic Firewall Settings

Checklist: Creating Inbound Firewall Rules

Checklist: Creating Outbound Firewall Rules

Checklist: Implementing a Domain Isolation Policy Design

Checklist: Configuring Rules for the Isolated Domain

Checklist: Configuring Rules for the Boundary Zone

Checklist: Configuring Rules for the Encryption Zone

Checklist: Configuring Rules for an Isolated Server Zone

Checklist: Implementing a Standalone Server Isolation Policy Design

Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone

Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone

Checklist: Implementing a Certificate-based Isolation Policy Design

Procedures Used in This Guide

Add Production Devices to the Membership Group for a Zone

Add Test Devices to the Membership Group for a Zone

Assign Security Group Filters to the GPO

Change Rules from Request to Require Mode

Configure Authentication Methods

Configure Data Protection (Quick Mode) Settings

Configure Group Policy to Autoenroll and Deploy Certificates

Configure Key Exchange (Main Mode) Settings

Configure the Rules to Require Encryption

Configure the Windows Firewall Log

Configure the Workstation Authentication Certificate Template

Configure Windows Firewall to Suppress Notifications When a Program Is Blocked

Confirm That Certificates Are Deployed Correctly

Copy a GPO to Create a New GPO

Create a Group Account in Active Directory

Create a Group Policy Object

Create an Authentication Exemption List Rule

Create an Authentication Request Rule

Create an Inbound ICMP Rule

Create an Inbound Port Rule

Create an Inbound Program or Service Rule

Create an Outbound Port Rule

Create an Outbound Program or Service Rule

Create Inbound Rules to Support RPC

Create WMI Filters for the GPO

Create Windows Firewall rules in Intune

Enable Predefined Inbound Rules

Enable Predefined Outbound Rules

Exempt ICMP from Authentication

Modify GPO Filters

Open IP Security Policies

Open Group Policy

Open Windows Firewall

Restrict Server Access

Enable Windows Firewall

Verify Network Traffic