Best practices for configuring Windows Defender Firewall - Windows Security (2023)

  • Article
  • Refers to:
    Windows 11, ✅Windows 10, ✅Windows Server 2022, ✅Windows Server 2019, ✅Windows Server 2016

Windows Defender Firewall with Advanced Security provides host-based bi-directional network traffic filtering and blocks unauthorized network traffic going to and from your on-premises device. Configuring Windows Firewall based on the following best practices can help you improve device protection on your network. These recommendations cover a wide range of deployments, including home networks and corporate desktop/server systems.

To open Windows Firewall, go toBeginningselect menuStart,typWF.msc, then selectOK. See alsoOpen Windows Firewall.

Keep the default settings

When you open Windows Defender Firewall for the first time, you may see the default settings for your local computer. The overview area shows the security settings for each type of network that your device can connect to.

Best practices for configuring Windows Defender Firewall - Windows Security (1)

Figure 1: Windows Defender Firewall

  1. domain profile: Used on networks that have an Active Directory domain controller-based account authentication system
  2. private profile: Designed and best used for private networks such as a home network
  3. public profile: Designed for higher security of public networks such as WiFi hotspots, coffee shops, airports, hotels or shops

View detailed settings for each profile by right-clicking on the top levelWindows Defender Firewall with advanced securityNodes in the left pane, and then selectproperty.

If possible, keep the default settings in Windows Defender Firewall. These settings are intended to secure the device for use in most network scenarios. An important example is the default blocking behavior for incoming connections.

Best practices for configuring Windows Defender Firewall - Windows Security (2)

Figure 2: Default settings for inbound/outbound traffic


For maximum security, do not change the default incoming call blocking setting.

(Video) Configuring Windows Defender Firewall

For more information on configuring basic firewall settings, seeEnable Windows Firewall and configure the default behaviorIChecklist: Configure basic firewall settings.

Understand rule priority for incoming rules

In many cases, the next step for administrators is to customize these profiles with rules (sometime called filters) so they can work with user applications or other types of software. For example, an administrator or user might decide to add a rule to include a program, open a port or protocol, or allow a predefined type of traffic.

This add rule task can be performed by right-clickinginternal rulesLubOutgoing Rulesand chooseNew rule. The interface for adding a new rule looks like this:

Best practices for configuring Windows Defender Firewall - Windows Security (3)

Figure 3: Rule creation wizard


This article does not provide step-by-step instructions for configuring rules. SeekWindows Firewall with Advanced Security Deployment Guidefor general political decision-making aids.

In many cases, applications must allow certain types of inbound traffic in order for applications to run on the network. Administrators should consider the following rule precedence behaviors when allowing these incoming exceptions.

  1. Explicitly defined allow rules take precedence over the default block setting.
  2. Explicit blocking rules take precedence over any conflicting allow rules.
  3. More specific rules take precedence over less specific rules unless there are explicit blocking rules as mentioned in step 2. (For example, if the parameters of rule 1 cover a range of IP addresses while the parameters of rule 2 cover a single IP host address, rule 2 takes precedence.)

Because of 1 and 2, when designing your ruleset, it's important to ensure that there aren't any other explicit blocking rules that could inadvertently overlap and thus prevent the flow of traffic that you want to allow.

The general security best practice when creating inbound rules is to be as specific as possible. However, if you need to create new rules that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports whenever possible. This approach avoids creating multiple filters under the hood, reducing complexity and helping to avoid performance degradation.


Windows Defender Firewall does not support the traditional administrator-assigned weighted order of rules. By considering some of the consistent and logical rule behaviors described above, an effective rule set with expected behavior can be created.

(Video) 61. Configure Windows Defender Firewall with Advanced Security | Server 2019

Create rules for new applications before the first launch

Rules that allow incoming connections

On initial installation, network applications and services send a listening call, providing the protocol/port information needed for proper operation. Because there is a default blocking action in Windows Defender Firewall, inbound exception rules must be created to allow this traffic. It is not uncommon for an application or application installer to add this firewall rule. Otherwise, the user (or the firewall administrator on behalf of the user) must create the rule manually.

If there is no active application or administrator-defined allow rules, a dialog box prompts you to allow or block application packages when you first start the application or try to communicate over the network.

  • If you have administrator rights, you will be prompted to do so. when they reactNOor cancel the prompt, blocking rules will be created. Usually two rules are created, one each for TCP and UDP traffic.

  • If you are not a local administrator, you will not be prompted. In most cases, blocking rules are created.

In any of the above scenarios, you must remove these rules after adding them to regenerate the prompt. Otherwise, traffic will continue to be blocked.


The default firewall settings are designed for security. If you allow all incoming connections by default, your network is exposed to various threats. Therefore, exceptions for inbound connections from third-party software should be set by trusted application developers, the user, or an administrator on behalf of the user.

Known issues with automatic rule creation

When designing a firewall policy set, the best practice is to configure allow rules for all network applications deployed on the host. Implementing these rules before the user launches the app for the first time helps ensure a smooth experience.

The absence of these step-by-step rules does not necessarily mean that the application will ultimately be unable to communicate over the network. However, behaviors related to the automatic creation of application rules at runtime require user interaction and administrative privileges. If the device is intended to be used by non-admin users, please follow best practices and deploy these rules before running the application for the first time to avoid unexpected network issues.

To determine why some applications cannot communicate over the network, check the following cases:

  1. A user with sufficient privileges will receive a query notification stating that the application needs to make a firewall policy change. The user does not fully understand the prompt and cancels or rejects the prompt.
  2. The user does not have sufficient permissions and is therefore not prompted to allow the app to make the appropriate policy changes.
  3. Local policy merging is disabled, which prevents an application or network service from creating local rules.

Admins can also disallow creating application rules at runtime via the Settings app or Group Policy.

Best practices for configuring Windows Defender Firewall - Windows Security (4)

Figure 4: Allow Access dialog box.

(Video) Best Settings For Windows Defender (Windows Security) For Maximum Protection and Maximum Security

See alsoChecklist: Create firewall rules for inbound traffic.

Defining local rules for combining and applying rules

Firewall rules can be implemented:

  1. Locally using the Firewall snap-in (WF.msc)
  2. Lokal mit PowerShell
  3. Use Group Policy remotely if the device is a member of an Active Directory, System Center Configuration Manager, or Intune name (using Workplace Join).

Rule merging settings control how rules from different policy sources are combined. Administrators can configure different merging behaviors for domain, private, and public profiles.

Rule merging settings allow or prevent local administrators from creating their own firewall rules in addition to the firewall rules obtained from Group Policy.

Best practices for configuring Windows Defender Firewall - Windows Security (5)

Figure 5: Rule merging setting


In der Firewallconfiguration service provider, which is the appropriate settingAllow local policies to be merged. This setting can be found in each corresponding profile node.domain profile,private profile, Ipublic profile.

When local policy merging is disabled, centralized policy deployment is required for each application that requires inbound connectivity.

Administrators can disable the featureLocalPolicyMergein high-security environments to maintain tighter endpoint control. This setting may affect some applications and services that automatically generate local firewall policies after installation, as described above. For these types of apps and services to work, administrators should centrally enforce rules via Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or co-management environments).

CSP ZaporyICSP PolicyThey also have settings that can affect rule merging.

As a best practice, it is important to view and record such applications, including the network ports used for communication. Usually on the application page you can find the ports that need to be open for a specific service. More complex client application deployments may require more thorough analysis using network packet capture tools.

In general, to ensure maximum security, administrators should only submit firewall exceptions for applications and services that serve legitimate purposes.

(Video) Take Full Control Of Windows Firewall


Using wildcard patterns such asC:*\teams.exenot supported in application rules. Currently we only support rules created with the full path to the application.

Learn how to use covert mode for active attacks

An important firewall feature that can be used to mitigate the damage of an active attack is "cover-up" mode. This is an informal term that refers to a simple method that a firewall administrator can use to temporarily increase security in the event of an active attack.

Shields can be obtained by checkingBlock all incoming connections, including those in the allowed applications lista setting found in the Windows Settings app or an older filefirewall.cpl.

Best practices for configuring Windows Defender Firewall - Windows Security (6)

Figure 6: Windows Settings "Application/Windows Security/Firewall Protection/Network Type".

Best practices for configuring Windows Defender Firewall - Windows Security (7)

Figure 7: Legacy-Firewall.cpl file

By default, Windows Defender Firewall blocks everything unless an exception rule is created. This setting overrides exceptions.

For example, the remote desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, instead of disabling individual rules, Shields-enabled mode can be used to block all incoming connections and override previous exceptions, including remote desktop rules. Remote Desktop Rules are preserved, but remote access will not work while shields are enabled.

Once the emergency is over, disable the setting to restore regular network traffic.

Create outbound rules

Here are some general guidelines for configuring outbound rules.

  • In some very secure environments, you might consider the default configuration of outbound blocking rules. However, the configuration of the inbound rules should never be changed to allow traffic by default
  • For most deployments, it is recommended that egress be allowed by default to simplify application deployment unless the organization prioritizes tight security controls over ease of use
  • In high-security environments, one or more administrators must create and record an inventory of all enterprise-wide applications. The registers must contain whether the application used requires a network connection. Administrators must create new rules for each application that requires network connectivity and centrally push those rules through Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or co-management environments).

For tasks related to creating outbound rules, seeChecklist: Create outbound firewall rules.

(Video) Configuring Windows Firewall - CompTIA A+ 220-1102 - 1.6

Document your changes

When creating an inbound or outbound rule, include details about the application itself, the port range used, and important notes such as the creation date. Policies must be well documented so that you and other administrators can easily see them. We strongly encourage you to take the time to facilitate the review of firewall rules at a later time. ANDNeverCreate unnecessary holes in the firewall.


What are the four 4 best practices for firewall rules configuration including allow access? ›

Best practices for firewall rules configuration
  • Block by default. Block all traffic by default and explicitly enable only specific traffic to known services. ...
  • Allow specific traffic. ...
  • Specify source IP addresses. ...
  • Specify the destination IP address. ...
  • Specify the destination port. ...
  • Examples of dangerous configurations.
Apr 16, 2020

Which of the following is the best practice for managing and configuring firewalls? ›

In general, you should follow the best practice of least privilege when configuring a firewall, which just means to block literally everything that you aren't using for a dedicated and approved business function.

How do I configure Windows Firewall and Defender? ›

Turn Microsoft Defender Firewall on or off
  1. Select Start , then open Settings . ...
  2. Select a network profile: Domain network, Private network, or Public network.
  3. Under Microsoft Defender Firewall, switch the setting to On. ...
  4. To turn it off, switch the setting to Off.

What are the 5 steps to configure a simple firewall? ›

How To Configure a Firewall
  1. Secure the Firewall. ...
  2. Establish Firewall Zones and an IP Address Structure. ...
  3. Configure Access Control Lists (ACLs) ...
  4. Configure Other Firewall Services and Logging. ...
  5. Test the Firewall Configuration. ...
  6. Manage Firewall Continually.

What are 4 techniques used by firewalls to control access and enforce security policy? ›

Explanation. The four techniques used by firewalls to control access and enforce a security policy are Service control, Direction control, User control and Behavior control.

What are the six 6 best practices for deployment of firewalls as network security perimeter device? ›

Items associated with firewall deployment process
  • Security policy. ...
  • Set a default policy. ...
  • Do not expose private services without VPN. ...
  • Ensure non-repudiation in internal or external accesses. ...
  • Build a secure visitor access policy. ...
  • Create access policies by interest groups. ...
  • Use DMZ or private network for public services.

What are two best practices when implementing firewall security policies? ›

7 Firewall Best Practices for Securing Your Network
  • Block traffic by default and monitor user access. ...
  • Establish a firewall configuration change plan. ...
  • Optimize the firewall rules of your network. ...
  • Update your firewall software regularly. ...
  • Conduct regular firewall security audits.

Which is the best configuration for a firewall? ›

What are Best Practices for Firewall Rules Configuration?
  • Design the Firewall Deployment.
  • Set Firewall Rules.
  • Set Explicit Drop Rules.
  • Keep Audit Logs.
  • Block Default Traffic.
  • Restrict Zone Access.
  • Create Secure User Accounts.
  • Specify Source and Destination IP Addresses.

What are the default rules for Windows Defender Firewall? ›

By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled.

How to configure Windows Defender? ›

Turn on real-time and cloud-delivered protection
  1. Select the Start menu.
  2. In the search bar, type Windows Security. ...
  3. Select Virus & threat protection.
  4. Under Virus & threat protection settings, select Manage settings.
  5. Flip each switch under Real-time protection and Cloud-delivered protection to turn them on.
Feb 20, 2023

What are the three categories and default settings for Windows Defender Firewall? ›

Windows Firewall offers three firewall profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks.

What are the four basic firewall rules? ›

These are described here in order of precedence:
  • The traffic can bypass the firewall completely. ...
  • It can log only. ...
  • It can force allow defined traffic (it will allow traffic defined by this rule without excluding any other traffic.)
  • It can deny traffic (it will deny traffic defined by this rule.)
Sep 12, 2022

What are the four major areas firewall must consider? ›

Firewall architecture is built upon four primary components — network policy, advanced authentication, packet filtering, and application gateways.

What are the four 4 primary methods of security providing computer system protection? ›

These include firewalls, data encryption, passwords and biometrics.

What are the two basic security functions performed by firewalls? ›

A firewall is a protective measure that safeguards an individual's or company's computer network. It provides two basic security functions, including packet filtering, which inspects traffic at the packet level, and acting as an application proxy, providing security measures at the application level.

What are the 3 types of access controls and how are they used to protect data? ›

Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC). DAC is a type of access control system that assigns access rights based on rules specified by users.

What are the five 5 practices to ensure security for enterprise networks? ›

These five steps, however, will help to form the foundations of a secure network:
  • Perform a network audit. ...
  • Update anti-virus/anti-malware software. ...
  • Invest in a VPN. ...
  • Set up a firewall. ...
  • Establish a network security maintenance system.
Mar 2, 2022

What two things are most important when first considering firewall implementation? ›

Expert Answer
  • Answer: The two most crucial factors to take into account when first thinking about implementing a firewall are:
  • 1) Security policy: The security policy outlines the types of traffic that the firewall should allow or reject. ...
  • 2) Network topology:

What are firewall rules and implementation? ›

A firewall policy defines how an organization's firewalls should handle inbound and outbound network traffic for specific IP addresses and address ranges, protocols, applications, and content types based on the organization's information security policies.

What are some strategies to consider for implementing and deploying firewalls? ›

5 Best Practices for Your Firewall Deployment Architecture
  • 1) Regularly Check and Update Your Firewall Configuration Settings. ...
  • 2) Make Sure There Aren't ANY Modems in Your Internal Network. ...
  • 3) Use Defense in Depth. ...
  • 4) Using Deep Packet Inspection. ...
  • 5) Don't Just Rely on Firewalls!
Mar 20, 2018

What is firewall checklist? ›

The firewall audit checklist not only ensures that your firewall configurations and rules comply with external regulations and internal security policies. It can also help to reduce risk and improve firewall performance by optimizing the firewall rule base.

What are the 8 items that are suggested in securing your network? ›

What are the main types of network security?
  • Firewalls.
  • Access Control.
  • Anti-malware Software.
  • Application Security.
  • Data Loss Prevention.
  • Email Security.
  • Security Information and Event Management.
  • Mobile Device Security.
Sep 5, 2019

How do I configure Windows firewall settings? ›

Go to Start and open Control Panel. Select System and Security > Windows Defender Firewall. Choose Turn Windows Firewall on or off. Select Turn on Windows Firewall for domain, private, and public network settings.

Which three options can be configured using Windows 10 firewall? ›

You can turn Microsoft Defender Firewall on or off and access advanced Microsoft Defender Firewall options for the following network types:
  • Domain (workplace) networks.
  • Private (discoverable) networks.
  • Public (non-discoverable) networks.

Which firewall configuration is more secure and why? ›

Proxy servers are the most secure type of firewall, as they filter packets through a protected proxy server. This is done before traffic even reaches the network perimeter.

Which are two main rules categories in Windows Defender Firewall? ›

Microsoft Windows Defender Firewall, by default, contains two 'top level' rules; one that blocks all inbound connections, and the other, which allows all outbound connections.

What should you do from Windows Defender Firewall with advanced security? ›

Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network.

How to use Windows Defender effectively? ›

Turn Microsoft Defender Antivirus real-time protection on or off
  1. Select Start > Settings > Update & Security > Windows Security and then Virus & threat protection > Manage settings. ...
  2. Switch the Real-time protection setting to Off and choose Yes to verify.

Is Windows Defender considered a firewall? ›

Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).

How to configure Windows Defender exploit protection in Windows 10? ›

Open the Windows Security app by selecting the shield icon in the task bar or searching the start menu for Windows Security. Select the App & browser control tile (or the app icon on the left menu bar) and then select Exploit protection. Go to Program settings and choose the app you want to apply mitigations to.

How do I configure my firewall step by step? ›

How To Configure a Firewall
  1. Secure the Firewall. ...
  2. Establish Firewall Zones and an IP Address Structure. ...
  3. Configure Access Control Lists (ACLs) ...
  4. Configure Other Firewall Services and Logging. ...
  5. Test the Firewall Configuration. ...
  6. Manage Firewall Continually.

What is the difference between Windows Defender and Windows Defender Firewall? ›

Windows Defender (now Microsoft Defender) is an antivirus program that protects your system from various threats such as malware, viruses, etc. On the other hand, Windows Defender Firewall is responsible for monitoring network traffic and blocking hackers to prevent unauthorized access.

What type of firewall is Windows Defender Firewall? ›

Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there's no other hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).

What is level 7 firewall rule? ›

Layer 7 firewalls categorise all traffic into 'applications', and then allow you to block/allow traffic based on the application. The applications do not have to be websites - for example web-browsing, telnet & smtp are all applications.

What should the last rule in any firewall rule set be? ›

The main principle is to allow only the needed traffic and block the rest. Therefore, the last rule of a security level is the Deny rest rule. It blocks all the traffic that the rules above it do not specifically allow.

What is a firewall rule example? ›

Here are some examples of firewall rules for common use cases: Enable internet access for only one computer in the local network and block access for all others.

What is the most important feature of a firewall? ›

Having access to logs on a firewall gives you up-to-the-minute information about what is happening on your network. Sought after firewall features include being able to give graphs in real time and show you what vulnerabilities or attacks are happening.

What makes a good firewall? ›

A good firewall should be sufficient enough to deal with both internal and external threats and be able to deal with malicious software such as worms from acquiring access to the network. It also provisions your system to stop forwarding unlawful data to another system.

What are the 4 common architectural implementations of firewalls? ›

There are four common architectural implementations of firewalls widely in use. They are packet filtering routers, screened host firewalls, dual-homed firewalls and screened subnet firewalls.

What are the 4 different types of traffic shaping policy you can create Sophos? ›

  • Traffic shaping settings.
  • Apply to applications and application categories.
  • Apply to web categories.
  • Apply to users.
  • Apply to groups.
  • Apply to firewall rules.
  • Apply to WAF rules.
Jan 20, 2023

What are the 3 main functions of a firewall? ›

Functions of Firewall

Therefore, a firewall's primary function is to secure our network and information by controlling network traffic, preventing unwanted incoming network traffic, and validating access by assessing network traffic for malicious things such as hackers and malware.

What are the 3 methods of firewall? ›

There are three types of firewalls based on how you decide to deploy them: hardware, software, and cloud-based firewalls.

What is the best firewall architecture? ›

The true DMZ is generally considered the most secure of firewall architectures. With this design, there is an external and internal firewall. Between the two is sandwiched any Internet accessible devices (see Figure 2.3).

What are the four 4 basic characteristics of reliable network architecture? ›

Network Architecture

Fault Tolerance. Scalability. Quality of Service (QoS) Security.

Which 2 types of custom zone can you create on Sophos firewall? ›

  • Site-to-site VPN.
  • Remote access VPN.
Mar 11, 2022

Which 3 can be configured as objects in Sophos firewall? ›

Dynamic objects – Host, Zone, Interface and Gateway are the network objects whose configurations vary from one device to another. Administrator can configure these objects in Sophos Firewall Manager and map them to individual devices.

What is the order of firewall rules? ›

Firewall rules have a priority order that determines the order in which the rules are applied to network traffic. Firewall rules are shown as a list on the Rules page. The rules are applied from top to bottom, and the first rule that matches the traffic overrides all the other rules below.


1. Best practice Windows computers - increase security - speed up computer - Windows Firewall
2. How to manage the Windows Firewall using Group Policy
(Danny Moran)
3. Windows Security Tips
(CyberCPU Tech)
4. Configure Windows Firewall
(SysAdmin, DevOps Engineering, Tips & Labs)
5. How to Manage Windows 10 Security Including Windows Defender and Windows Firewall
(Simon Sez IT)
6. How to Disable Windows Defender on Windows 7, 8, 10, and 11 | Step-by-Step Guide
(M Circle)


Top Articles
Latest Posts
Article information

Author: Pres. Carey Rath

Last Updated: 08/19/2023

Views: 6083

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Pres. Carey Rath

Birthday: 1997-03-06

Address: 14955 Ledner Trail, East Rodrickfort, NE 85127-8369

Phone: +18682428114917

Job: National Technology Representative

Hobby: Sand art, Drama, Web surfing, Cycling, Brazilian jiu-jitsu, Leather crafting, Creative writing

Introduction: My name is Pres. Carey Rath, I am a faithful, funny, vast, joyous, lively, brave, glamorous person who loves writing and wants to share my knowledge and understanding with you.