Windows Firewall Configuration

Overview

This article explains how to configure Windows Defender Firewall (formerly Windows Firewall) on Windows Server. It covers design guidance for Domain/Private/Public profiles, optimization of inbound/outbound policies, log collection and analysis, and practical centralized administration via GPO and scripts.

Variable Conventions

Variable          Example                         Description
<<SERVER_NAME>>   SRV-CORE01                      Target server hostname
<<LOG_PATH>>      C:\FirewallLogs\pfirewall.log   Firewall log file path
<<OU_NAME>>       Servers                         OU name

Step 1: Understand Profiles and Plan Application

Windows Defender Firewall provides three profiles:

Profile   Purpose                      Typical Environment
Domain    AD-joined networks           Corporate LAN, VPN
Private   Trusted standalone network   Test environments, isolated networks
Public    Untrusted network            Public Wi-Fi, lab/VM

Each profile is configured independently, and Windows selects the active profile for each network connection automatically based on how the network is identified (Network Location Awareness). On a multi-homed server, more than one profile can be active at the same time, so a rule scoped to a single profile may not cover every interface.

Verification command:

# Check each profile's state and default policies
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

Step 2: Set Baseline Policies (Default Behavior)

By default, Windows Defender Firewall blocks inbound and allows outbound traffic.
Keep this behavior, or introduce explicit outbound control when needed.

# Explicitly set default policies
Set-NetFirewallProfile -Profile Domain,Private,Public `
  -DefaultInboundAction Block `
  -DefaultOutboundAction Allow `
  -NotifyOnListen True

Note: In high-security environments, use -DefaultOutboundAction Block and then allow only necessary outbound traffic (e.g., DNS, NTP, WSUS): a whitelist approach.
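The allow-list approach from the note, as an added example that is not part of the original article: the Domain profile is switched to default-deny outbound only after scoped allow rules for DNS, NTP and WSUS exist. The server addresses and the WSUS port are constructed placeholders for a lab.

```powershell
# Added example (not from the original article): outbound allow-list baseline for the
# Domain profile. Remote addresses below are constructed placeholders for the lab.
$TargetProfile = 'Domain'
$DnsServers    = @('10.0.0.10', '10.0.0.11')   # assumption: internal resolvers
$NtpServers    = @('10.0.0.10')                # assumption: PDC emulator as NTP source
$WsusServer    = '10.0.0.50'                   # assumption: WSUS host, default HTTP port 8530

# Allow rules are scoped to remote address AND remote port, so "DNS is allowed" cannot
# be reused by a compromised process to reach arbitrary hosts on port 53.
$allowRules = @(
    @{ Name = 'Outbound DNS (UDP/53)';    Proto = 'UDP'; Port = 53;   Remote = $DnsServers }
    @{ Name = 'Outbound DNS (TCP/53)';    Proto = 'TCP'; Port = 53;   Remote = $DnsServers }
    @{ Name = 'Outbound NTP (UDP/123)';   Proto = 'UDP'; Port = 123;  Remote = $NtpServers }
    @{ Name = 'Outbound WSUS (TCP/8530)'; Proto = 'TCP'; Port = 8530; Remote = $WsusServer }
)

# 1. Create the allow rules first (idempotent: existing rules are left alone), so the
#    switch to default-deny below never interrupts name resolution or time sync.
foreach ($r in $allowRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound `
            -Protocol $r.Proto -RemotePort $r.Port -RemoteAddress $r.Remote `
            -Action Allow -Profile $TargetProfile | Out-Null
    }
}
# On a domain-joined host, also allow Kerberos (88), LDAP (389) and SMB (445) to the
# domain controllers before flipping the default, or Group Policy processing breaks.

# 2. Now flip the profile default; anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile $TargetProfile -DefaultOutboundAction Block

# 3. Verify the default and list the allow-list that remains.
Get-NetFirewallProfile -Profile $TargetProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object DisplayName -Like 'Outbound *' |
    Select-Object DisplayName, Profile
```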


Step 3: Operate and Manage Firewall Rules

List and Search Rules

# All rules
Get-NetFirewallRule

# Rules containing "RDP" in the display name
Get-NetFirewallRule | Where-Object DisplayName -Like "*RDP*"

# Only enabled rules
Get-NetFirewallRule | Where-Object Enabled -eq "True"

Create New Rules

# Allow inbound RDP (TCP/3389) on Domain profile
New-NetFirewallRule -DisplayName "Allow RDP (Domain)" `
  -Direction Inbound -Protocol TCP -LocalPort 3389 `
  -Action Allow -Profile Domain

# Allow outbound NTP (UDP/123): the NTP server listens on port 123, so match the
# *remote* port; the local source port varies, so -LocalPort 123 would not match
New-NetFirewallRule -DisplayName "Allow NTP Outbound" `
  -Direction Outbound -Protocol UDP -RemotePort 123 `
  -Action Allow -Profile Domain,Private,Public

Parameter Reference: Examples and Formats

Item             Parameter        Example                                  Accepted Values/Format
Direction        -Direction       Inbound / Outbound                       Inbound, Outbound
Action           -Action          Allow / Block                            Allow, Block
Protocol         -Protocol        TCP / UDP / ICMPv4 / ICMPv6 / Any        As listed; ICMP can be refined via -IcmpType
Local port       -LocalPort       80 / 1024-2048 / 80,443,8080             Single, range, CSV list
Remote port      -RemotePort      53 / 1000-2000 / 53,67,68                Single, range, CSV list
Remote address   -RemoteAddress   192.168.1.1 / 192.168.0.0/24 / Any       Single IP, CIDR, range, CSV list, Any
Local address    -LocalAddress    10.0.0.1 / 10.0.0.0/16 / Any             Single IP, CIDR, range, CSV list, keywords, Any
Program          -Program         C:\Program Files\App\App.exe             Full path to executable
Service          -Service         W32Time                                  Windows service name
Profile          -Profile         Domain,Private                           Combination of Domain, Private, Public
Interface type   -InterfaceType   Ethernet / Wireless / RemoteAccess       Supported interface types

Example: Allow HTTP Only from a Trusted IP

New-NetFirewallRule -DisplayName "Allow HTTP from Trusted IP" `
  -Direction Inbound -Protocol TCP -LocalPort 80 `
  -RemoteAddress 192.168.1.100 `
  -Action Allow -Profile Domain,Private

Example: Allow Outbound by Program

New-NetFirewallRule -DisplayName "Allow Outbound for App.exe" `
  -Direction Outbound -Program "C:\Program Files\App\App.exe" `
  -Action Allow -Profile Domain,Private,Public

Example: Allow Inbound by Service

# Allow inbound traffic to the Windows Time service (W32Time). A service-only rule
# matches every port the service listens on; add -Protocol/-LocalPort when the port is known
New-NetFirewallRule -DisplayName "Allow W32Time Inbound" `
  -Direction Inbound -Service "W32Time" `
  -Action Allow -Profile Domain,Private

Example: Block Outbound on Wi-Fi Interface

New-NetFirewallRule -DisplayName "Block Outbound on Wireless" `
  -Direction Outbound -InterfaceType Wireless `
  -Action Block -Profile Public

Modify, Enable/Disable, and Remove Rules

# Disable rule
Disable-NetFirewallRule -DisplayName "Allow RDP (Domain)"

# Enable rule
Enable-NetFirewallRule -DisplayName "Allow RDP (Domain)"

# Change scope (e.g., restrict to Domain and Private)
Set-NetFirewallRule -DisplayName "Allow RDP (Domain)" -Profile Domain,Private

# Remove rule
Remove-NetFirewallRule -DisplayName "Allow RDP (Domain)"

Export/Import Rule Sets

# Export firewall policy
netsh advfirewall export "C:\Backup\FirewallPolicy.wfw"

# Import firewall policy
netsh advfirewall import "C:\Backup\FirewallPolicy.wfw"

Step 4: Configure Logging and Auditing

Record allowed/blocked events and watch for anomalies.

# Enable both allowed and blocked logging; max size 32 MB
Set-NetFirewallProfile -Profile Domain,Private,Public `
  -LogAllowed True -LogBlocked True `
  -LogFileName "<<LOG_PATH>>" -LogMaxSizeKilobytes 32767

Tail logs:

Get-Content "<<LOG_PATH>>" -Tail 20 -Wait

Caution: Enabling LogAllowed=True increases log volume. In production, consider enabling allowed-traffic logging only for critical profiles (e.g., Public) and implement rotation/archiving.
The -LogMaxSizeKilobytes limit is 32767 KB; higher values cause an error.
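Analysing the log file enabled above, as an added example that is not part of the original article: the parser reads the column names from the pfirewall.log "#Fields:" header and the summary groups inbound DROP events by source and destination port. The log lines in $sample are constructed for the example; on a real host use Get-Content "<<LOG_PATH>>" instead.

```powershell
# Added example (not from the original article): parse pfirewall.log and summarise
# inbound DROP events. $sample is constructed; replace it with Get-Content "<<LOG_PATH>>".
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:00:01 DROP TCP 203.0.113.5 10.0.0.20 51000 3389 52 S 123 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.5 10.0.0.20 51001 3389 52 S 124 0 8192 - - - RECEIVE
2024-05-01 10:00:02 DROP TCP 203.0.113.5 10.0.0.20 51002 445 52 S 125 0 8192 - - - RECEIVE
2024-05-01 10:00:03 ALLOW UDP 10.0.0.20 10.0.0.10 55000 53 0 - 0 0 0 - - - SEND
2024-05-01 10:00:04 DROP TCP 198.51.100.9 10.0.0.20 40000 22 52 S 126 0 8192 - - - RECEIVE
'@ -split "`r?`n"

function ConvertFrom-PfirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # Column names come from the header, so a changed field order is tolerated.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if (-not $fields) { throw 'Log entry seen before the #Fields header line' }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$events = ConvertFrom-PfirewallLog -Lines $sample

# Inbound drops grouped by source and destination port: one src-ip hitting many ports,
# or many attempts on one port, is the pattern worth turning into an alert.
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Source';  e = { $_.Group[0].'src-ip' } },
        @{ n = 'DstPort'; e = { $_.Group[0].'dst-port' } } |
    Format-Table -AutoSize
```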


Step 5: Centralized Management via GPO

Firewall settings can be edited and automated through GPO using the GroupPolicy module.
Key cmdlets: Set-GPRegistryValue, Get-GPO, New-GPO, New-GPLink, Set-GPInheritance.

Create a GPO and Apply Domain Profile Logging

  1. Create or retrieve GPO

    $gpo = New-GPO -Name "Firewall-Policy-Domain"
    

    To edit an existing GPO: Get-GPO -Name "<<GPO_NAME>>".

  2. Apply values via GPO Registry keys

    # Enable logging for Domain profile
    Set-GPRegistryValue -Name $gpo.DisplayName `
      -Key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" `
      -ValueName "EnableLogging" -Type DWord -Value 1
    
    # Log path and size
    Set-GPRegistryValue -Name $gpo.DisplayName `
      -Key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" `
      -ValueName "LogFilePath" -Type String -Value "%systemroot%\system32\logfiles\firewall\pfirewall.log"
    
    Set-GPRegistryValue -Name $gpo.DisplayName `
      -Key "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging" `
      -ValueName "LogFileSize" -Type DWord -Value 32767
    

These settings take effect on target servers once the GPO is linked to an OU via New-GPLink and policy refreshes (gpupdate /force, or the next background refresh). Confirm on a target server with Get-NetFirewallProfile -Profile Domain, which reports the effective values after policy is merged, rather than trusting the registry write alone.

Link to OU (New-GPLink)

Pass the DN of the OU (or the domain DN) to -Target.

Import-Module ActiveDirectory

$gpo = Get-GPO -Name "Firewall-Policy-Domain"

# Find OU by name and get its DN
$ou = Get-ADOrganizationalUnit -LDAPFilter '(name=<<OU_NAME>>)' `
      -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree |
      Select-Object -First 1
$ouDn = $ou.DistinguishedName

# Link GPO to the OU (enabled; Enforced optional)
New-GPLink -Name $gpo.DisplayName -Target $ouDn -LinkEnabled Yes -Enforced No

Prerequisites: ActiveDirectory and GroupPolicy (RSAT) modules installed on the admin workstation.
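The same GPO configured through the NetSecurity cmdlets' -PolicyStore/-GPOSession support instead of raw registry values, as an added example that is not part of the original article. It assumes the GPO "Firewall-Policy-Domain" already exists, the ActiveDirectory, GroupPolicy and NetSecurity modules are available, and a management subnet of 10.0.1.0/24 (a constructed placeholder).

```powershell
# Added example (not from the original article): write firewall settings and a rule
# into a GPO with the NetSecurity cmdlets, then verify what the GPO and a client report.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module NetSecurity

$domain  = (Get-ADDomain).DNSRoot
$gpoName = 'Firewall-Policy-Domain'          # assumption: GPO already created (Step 5)
$store   = "$domain\$gpoName"                # PolicyStore syntax: <domain>\<GPO name>

# Open the GPO once and batch every change into one session (one write to SYSVOL).
$session = Open-NetGPO -PolicyStore $store

# Domain profile: the Step 4 logging settings, delivered by policy instead of locally.
Set-NetFirewallProfile -GPOSession $session -Profile Domain `
    -Enabled True -DefaultInboundAction Block `
    -LogBlocked True -LogAllowed False `
    -LogFileName '%systemroot%\system32\logfiles\firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# A policy-delivered RDP rule scoped to the management subnet (assumption: 10.0.1.0/24),
# so the rule is the same on every server in the OU and cannot be edited locally.
New-NetFirewallRule -GPOSession $session -DisplayName 'Allow RDP from Mgmt (GPO)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress '10.0.1.0/24' -Action Allow -Profile Domain

Save-NetGPO -GPOSession $session

# Verify the GPO contents directly from the admin workstation.
Get-NetFirewallProfile -PolicyStore $store -Profile Domain |
    Select-Object Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName
Get-NetFirewallRule -PolicyStore $store |
    Select-Object DisplayName, Direction, Action, Enabled

# On a target server after gpupdate, ActiveStore shows the merged, enforced policy:
#   Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Allow RDP from Mgmt (GPO)'
```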


Step 6: Periodic Validation and Troubleshooting

# Currently active rules
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"} |
  Select-Object DisplayName, Direction, Action, Profile

# Port reachability test
Test-NetConnection -ComputerName <<SERVER_NAME>> -Port 3389
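A validation pass that goes beyond listing enabled rules, as an added example that is not part of the original article: it reads the enforced rule set (ActiveStore) and flags inbound Allow rules with no remote-address, port or program constraint, the usual drift from the block-inbound baseline of Step 2. The Risk tiers are the example's own convention.

```powershell
# Added example (not from the original article): audit enforced inbound Allow rules
# for missing scope. Risk tiers are a convention of this example, not a Windows setting.
function Find-PermissiveInboundRule {
    param([string]$PolicyStore = 'ActiveStore')   # ActiveStore = local + GPO, as enforced
    $rules = Get-NetFirewallRule -PolicyStore $PolicyStore -Direction Inbound `
                -Action Allow -Enabled True
    foreach ($rule in $rules) {
        # Each rule's constraints live in separate filter objects.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $anyRemote = $addr.RemoteAddress -contains 'Any'
        $anyPort   = $port.LocalPort     -contains 'Any'
        $anyProg   = $app.Program        -eq 'Any'
        [pscustomobject]@{
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = $app.Program
            # High: no constraint at all; Medium: open to any remote host but limited
            # by port or program; Low: at least the remote address is scoped.
            Risk          = if ($anyRemote -and $anyPort -and $anyProg) { 'High' }
                            elseif ($anyRemote) { 'Medium' }
                            else { 'Low' }
        }
    }
}

# Review the High/Medium findings; each one should be tied to a documented need.
Find-PermissiveInboundRule |
    Where-Object Risk -ne 'Low' |
    Sort-Object Risk, DisplayName |
    Format-Table DisplayName, Profile, Protocol, LocalPort, RemoteAddress, Risk -AutoSize
```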

Summary

Windows Defender Firewall provides robust, built-in network protection on Windows Server. By combining explicit inbound/outbound control, log analysis, and centralized/automated management via GPO and PowerShell, you achieve strong visibility and security aligned with modern hardening and zero-trust practices.