
How to use Windows Server firewall


Before proceeding directly to configuring the firewall, a few words about its default behavior. Unlike Ubuntu, where the default UFW firewall is initially inactive, in Windows Server the firewall is enabled out of the box. Its default logic is: block all incoming connections except those explicitly allowed (for example, RDP is allowed by default), and allow all outgoing connections except those explicitly prohibited.

Windows Firewall allows you to create several profiles with different rules and, if necessary, quickly switch between them. By default, three profiles are created:

  • Domain profile,
  • Private profile,
  • Public profile.

The Domain profile is intended for computers and servers that are members of an AD (Active Directory) domain. The Private profile is suitable for systems located in a protected network segment. The Public profile is intended for public networks, where the level of external threats is highest.

The system administrator can prepare in advance a set of rules for each profile that will be most effective in each of the listed scenarios. This makes it possible to protect the server from attack by simply switching the firewall profile. Please note that the set of rules for each profile may differ depending on the server's current role.

There are several ways to manage firewall rules. The easiest is the WF (Windows Firewall with Advanced Security) console. Management is also possible using GPMC (Group Policy Management Console) or through PowerShell commands. Let's start with the last method.

Rules management via Powershell

Many guides on setting up the firewall with PowerShell use the netsh firewall and netsh advfirewall firewall commands. Both of these commands have been deprecated for a long time, so we recommend a more modern method. PowerShell, starting with version 5.1, has a built-in NetSecurity module containing many cmdlets (native PowerShell commands). You can list them with the following command:

Get-Command -Module NetSecurity

Each of the listed cmdlets helps you flexibly manage all parameters of the firewall. First, let’s look at which command you can use to enable or disable the firewall:

Set-NetFirewallProfile -All -Enabled True

In this command, the -All argument means apply to all available profiles. Instead, you can specify a single profile, for example -Profile Private. To completely disable the firewall, use the same command and change the -Enabled value to False:

Set-NetFirewallProfile -All -Enabled False

When the firewall is enabled, every profile's rules apply to all network interfaces in the system. If necessary, a profile can be disabled for a specific interface using the Set-NetFirewallProfile cmdlet:

Set-NetFirewallProfile -Name Public -DisabledInterfaceAliases "Ethernet0"

The same cmdlet will help you change other profile settings, in particular, enable logging and configure its parameters, such as the size and path to the log file.

Cmdlets with NetFirewallRule in their name are responsible for managing firewall rules. In this case, a separate cmdlet works for each action. For example, to create a new rule, you need to use the New-NetFirewallRule command, and to delete a rule, use Remove-NetFirewallRule. It’s easy to remember and generally very logical.

Let's assume you want to limit RDP connections to the server to one specific IP address (for example, 10.0.0.2):

New-NetFirewallRule -DisplayName "AllowRDP" -RemoteAddress 10.0.0.2 -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

But what if you need to allow connections to the server not from a single address but from a range of addresses? In that case, first define a variable holding the address range, then pass the variable instead of a specific address. Let's assign the $allowedips variable the range 10.0.0.2-10.0.0.254:

$allowedips = @("10.0.0.2-10.0.0.254")

Now you can apply the rule:

New-NetFirewallRule -DisplayName "AllowRDP" -RemoteAddress $allowedips -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

Now let's imagine that instead of an address range you have a dedicated list of addresses that need unrestricted RDP access to the server. To avoid creating rules one at a time, put them in a text file (one address per line), load all the values into a variable and, as in the previous rule, pass this variable as the -RemoteAddress value. For example, we saved the list of addresses to the file C:\Users\Administrator\Downloads\AllowedIPs.txt

Read the file and put its contents in the $allowedlist variable:

$allowedlist = Get-Content C:\Users\Administrator\Downloads\AllowedIPs.txt

Create a rule:

New-NetFirewallRule -DisplayName "AllowRDP" -RemoteAddress $allowedlist -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow

This is a very convenient way to integrate the Windows firewall with other systems. For example, you can automatically collect the list of IP addresses issued to legitimate users and allow connections to corporate systems only from those addresses. Such solutions make life much easier and significantly reduce the time spent managing permissions.
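The three RDP rules above only add an Allow entry; the built-in Remote Desktop rules still accept port 3389 from any address, so the allow-list limits nothing on its own. This added example (not from the original article) reads the list file, validates it, creates or updates the AllowRDP rule, scopes the built-in Remote Desktop group to the same list, and prints the resulting scope; the file path is the one assumed in the text.

```powershell
# Added example, not from the original article: load an RDP allow-list from a
# text file, create or update the scoped rule, and narrow the built-in Remote
# Desktop rules so that the allow-list really limits who can reach port 3389.
# Assumed file path; the file holds one address, a-b range or a/n CIDR per line.
$listPath = 'C:\Users\Administrator\Downloads\AllowedIPs.txt'

# Accept IPv4 addresses, a-b ranges and a/n CIDR blocks; skip blanks and '#' comments.
$pattern = '^\d{1,3}(\.\d{1,3}){3}(-\d{1,3}(\.\d{1,3}){3}|/\d{1,2})?$'
$allowedlist = @(Get-Content $listPath |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') })

$bad = @($allowedlist | Where-Object { $_ -notmatch $pattern })
if ($bad.Count) { throw "Malformed entries in ${listPath}: $($bad -join ', ')" }
if (-not $allowedlist.Count) { throw 'Allow-list is empty; refusing to create an unscoped RDP rule' }

# Create the rule on the first run; on later runs only update its scope.
$rule = Get-NetFirewallRule -DisplayName 'AllowRDP' -ErrorAction SilentlyContinue
if ($rule) {
    $rule | Set-NetFirewallRule -RemoteAddress $allowedlist -Enabled True
} else {
    New-NetFirewallRule -DisplayName 'AllowRDP' -RemoteAddress $allowedlist `
        -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow
}

# The default 'Remote Desktop' rule group allows 3389 from any address, so an
# extra Allow rule on its own restricts nothing. Scope that group to the same
# list (run this from a console session or from an address that is on the list).
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $allowedlist

# Verify: show the effective scope of every inbound rule that opens port 3389.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Re-running the script after the list file changes updates both rules in place, so it can be scheduled once the address source is automated.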

PowerShell has powerful tools for presenting data. If you want to see which firewall rules are currently enabled for incoming connections, use this command:

Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound |
Format-Table -Property Name,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,Profile,Direction,Action

Rules management via WF

The second way to configure the firewall is the standard Windows Defender Firewall with Advanced Security console. To open it, press the Win + R key combination and enter the command wf.msc.

The console window that opens can be divided into three sections. In the left section the administrator chooses what to edit: inbound rules, outbound rules, connection security rules, or monitoring. The middle section displays the rules or settings themselves. The right section shows the actions available for whatever rules or settings are selected.

WF main window

By default, the global firewall settings are displayed, in particular the active profiles and brief information about the current logic of the firewall. If you create a set of settings once, you can easily clone it to another server or even apply it to many controlled servers at once, for example, within a domain. To do this, you can use the settings import and export options.

When you click Export Policy, the system saves all the rules to a file with the WFW extension. This file can be imported into the same console on another server. The rules from this file can also be merged with the current rule set as part of Group Policy settings, through the corresponding system console. But first, let's take a look at the interface and create a single rule for incoming traffic.

Right-click on Inbound Rules and select New Rule:

WF New Rule

Next, there are four options for how the rule works. The Windows firewall can be configured for a specific application (Program). This is very convenient when an application opens arbitrary ports within a certain range: instead of restricting traffic by port ranges, you choose the application, and the firewall takes care of applying the rule to whatever ports it uses.

The second option (Port) allows or denies access on a specific port or range of ports. It is the simplest option, but it does not take into account which application uses the specified port. The third option (Predefined) unlocks a drop-down list with typical sets of settings, which can save a lot of time on routine tasks.

And finally, the last option (Custom) lets the administrator create an arbitrary rule with any combination of available parameters. However, you should be very careful not to accidentally block your own remote access to the server. As an example, we'll show how to create a rule that allows connections on port 7777, on which a previously launched service is listening. Select the Port item:

New Rule Select Port

In the next dialog box, you can select which protocol the rule will use, and also specify the numbers of both individual ports and ranges:

New Rule Select Protocol

Next, you need to tell the system what to do with connections arriving on the previously specified ports. You can either allow or deny the connection. Separately, it's possible to allow the connection only if it is protected by IPsec:

New Rule Connection Action

Then you need to select which security profile the rule you are creating should be added to. You can select one or several profiles:

New Rule Select Profile

There remains the last step where you can set a specific name and description for the new rule, after which you need to click the Finish button:

New Rule Select Name

The created rule can be enabled or disabled in the right section using the Enable Rule and Disable Rule elements:

New Rule Enable

Rules management via GPMC

This method works well if the same firewall settings need to be distributed across several servers. In this case, of course, you need to take into account that the server must act as a domain controller. To get started, open the Group Policy Management Console by pressing the Win + R key combination and entering the gpmc.msc command. Expand the domain tree, then right-click Default Domain Policy > Edit.

Group Policy Edit

In the section on the left, select Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender > Firewall > Domain profile:

Group Policy Enable Protection

Set the Windows Defender Firewall: Protect all network connections policy to Enabled status:

Group Policy Turn on Firewall

Go to Computer Configuration > Windows Settings > Security Settings and open the properties of Windows Firewall with Advanced Security:

Group Policy Change Security Settings

For each of the three default profile tabs (Domain, Private, and Public), set Firewall state to On (recommended). Here you can also change the logic of each profile as desired:

Group Policy Change Firewall State

In the same dialog box, you can enable logging, which is disabled by default. This allows you to track which packets were dropped by the firewall and, for example, which connections were allowed by the firewall rules and successfully established. Unless otherwise specified, the log file is saved at:

%SYSTEMROOT%\System32\logfiles\firewall\pfirewall.log

Group Policy Logging Settings
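The PowerShell section mentioned that Set-NetFirewallProfile can also enable logging and set the log size and path, and the GUI step above enables the same log; this added example (not from the original article) does both from PowerShell: it switches logging on for every profile and then summarises dropped inbound connections from the log. The log path is the default one shown above, and the sample log lines are constructed in the file's real layout rather than captured from a server.

```powershell
# Added example, not from the original article: enable logging for every
# profile via Set-NetFirewallProfile, then summarise dropped inbound
# connections from pfirewall.log. The log path is the default one; the
# sample lines below are constructed, not captured from a real server.
Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

function ConvertFrom-PfirewallLog {
    # The log is W3C style: a '#Fields:' header names the columns and every
    # other non-comment line is one space-separated record in that order.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or -not $line.Trim() -or $line.StartsWith('#')) { continue }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $record[$fields[$i]] = $values[$i] }
        [pscustomobject]$record
    }
}

# Constructed sample in the real file's layout.
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-07-22 10:15:01 DROP TCP 203.0.113.7 10.0.0.5 51234 3389 52 S 1 0 8192 - - - RECEIVE
2024-07-22 10:15:02 DROP TCP 203.0.113.7 10.0.0.5 51235 3389 52 S 1 0 8192 - - - RECEIVE
2024-07-22 10:15:03 ALLOW TCP 10.0.0.2 10.0.0.5 49801 3389 0 - 0 0 0 - - - RECEIVE
2024-07-22 10:15:04 DROP UDP 198.51.100.9 10.0.0.5 4444 445 78 - - - - - - - RECEIVE
'@ -split "`r?`n"
# On a live server read the file instead:
# $sample = Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"

# Dropped inbound traffic, grouped by source and destination port (noisiest first).
ConvertFrom-PfirewallLog $sample |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source';  e = { $_.Group[0].'src-ip' } },
        @{ n = 'DstPort'; e = { $_.Group[0].'dst-port' } } |
    Format-Table -AutoSize
```

With the constructed sample the summary lists 203.0.113.7 hitting port 3389 twice and 198.51.100.9 hitting port 445 once; the allowed connection from 10.0.0.2 is excluded by the DROP filter.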

Having expanded the list of available options under Windows Defender Firewall with Advanced Security, you'll see the already familiar console structure described above. Here you can manage rules for incoming and outgoing traffic, as well as import and export rules in WFW format:

Group Policy Summary



Updated: 28.03.2025

Published: 22.07.2024

