Best practices for configuring Windows Defender Firewall - Windows Security (2023)

Windows Defender Firewall with Advanced Security provides host-based bi-directional network traffic filtering and blocks unauthorized network traffic going to and from your on-premises device. Configuring Windows Firewall based on the following best practices can help you improve device protection on your network. These recommendations cover a wide range of deployments, including home networks and corporate desktop/server systems.

To open Windows Firewall, go toBeginningselect menuStart,typWF.msc, then selectOK. See alsoOpen Windows Firewall.

Keep the default settings

When you open Windows Defender Firewall for the first time, you may see the default settings for your local computer. The overview area shows the security settings for each type of network that your device can connect to.

Figure 1: Windows Defender Firewall

1. domain profile: Used on networks that have an Active Directory domain controller-based account authentication system
2. private profile: Designed and best used for private networks such as a home network
3. public profile: Designed for higher security of public networks such as WiFi hotspots, coffee shops, airports, hotels or shops

View detailed settings for each profile by right-clicking on the top levelWindows Defender Firewall with advanced securityNodes in the left pane, and then selectproperty.

If possible, keep the default settings in Windows Defender Firewall. These settings are intended to secure the device for use in most network scenarios. An important example is the default blocking behavior for incoming connections.

Figure 2: Default settings for inbound/outbound traffic

For more information on configuring basic firewall settings, seeEnable Windows Firewall and configure the default behaviorIChecklist: Configure basic firewall settings.

Understand rule priority for incoming rules

In many cases, the next step for administrators is to customize these profiles with rules (sometime called filters) so they can work with user applications or other types of software. For example, an administrator or user might decide to add a rule to include a program, open a port or protocol, or allow a predefined type of traffic.

This add rule task can be performed by right-clickinginternal rulesLubOutgoing Rulesand chooseNew rule. The interface for adding a new rule looks like this:

Figure 3: Rule creation wizard

In many cases, applications must allow certain types of inbound traffic in order for applications to run on the network. Administrators should consider the following rule precedence behaviors when allowing these incoming exceptions.

1. Explicitly defined allow rules take precedence over the default block setting.
2. Explicit blocking rules take precedence over any conflicting allow rules.
3. More specific rules take precedence over less specific rules unless there are explicit blocking rules as mentioned in step 2. (For example, if the parameters of rule 1 cover a range of IP addresses while the parameters of rule 2 cover a single IP host address, rule 2 takes precedence.)

Because of 1 and 2, when designing your ruleset, it's important to ensure that there aren't any other explicit blocking rules that could inadvertently overlap and thus prevent the flow of traffic that you want to allow.

The general security best practice when creating inbound rules is to be as specific as possible. However, if you need to create new rules that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports whenever possible. This approach avoids creating multiple filters under the hood, reducing complexity and helping to avoid performance degradation.

Create rules for new applications before the first launch

Rules that allow incoming connections

On initial installation, network applications and services send a listening call, providing the protocol/port information needed for proper operation. Because there is a default blocking action in Windows Defender Firewall, inbound exception rules must be created to allow this traffic. It is not uncommon for an application or application installer to add this firewall rule. Otherwise, the user (or the firewall administrator on behalf of the user) must create the rule manually.

If there is no active application or administrator-defined allow rules, a dialog box prompts you to allow or block application packages when you first start the application or try to communicate over the network.

• If you have administrator rights, you will be prompted to do so. when they reactNOor cancel the prompt, blocking rules will be created. Usually two rules are created, one each for TCP and UDP traffic.

• If you are not a local administrator, you will not be prompted. In most cases, blocking rules are created.

In any of the above scenarios, you must remove these rules after adding them to regenerate the prompt. Otherwise, traffic will continue to be blocked.

Known issues with automatic rule creation

When designing a firewall policy set, the best practice is to configure allow rules for all network applications deployed on the host. Implementing these rules before the user launches the app for the first time helps ensure a smooth experience.

The absence of these step-by-step rules does not necessarily mean that the application will ultimately be unable to communicate over the network. However, behaviors related to the automatic creation of application rules at runtime require user interaction and administrative privileges. If the device is intended to be used by non-admin users, please follow best practices and deploy these rules before running the application for the first time to avoid unexpected network issues.

To determine why some applications cannot communicate over the network, check the following cases:

1. A user with sufficient privileges will receive a query notification stating that the application needs to make a firewall policy change. The user does not fully understand the prompt and cancels or rejects the prompt.
2. The user does not have sufficient permissions and is therefore not prompted to allow the app to make the appropriate policy changes.
3. Local policy merging is disabled, which prevents an application or network service from creating local rules.

Admins can also disallow creating application rules at runtime via the Settings app or Group Policy.

Figure 4: Allow Access dialog box.

See alsoChecklist: Create firewall rules for inbound traffic.

Defining local rules for combining and applying rules

Firewall rules can be implemented:

1. Locally using the Firewall snap-in (WF.msc)
2. Lokal mit PowerShell
3. Use Group Policy remotely if the device is a member of an Active Directory, System Center Configuration Manager, or Intune name (using Workplace Join).

Rule merging settings control how rules from different policy sources are combined. Administrators can configure different merging behaviors for domain, private, and public profiles.

Rule merging settings allow or prevent local administrators from creating their own firewall rules in addition to the firewall rules obtained from Group Policy.

Figure 5: Rule merging setting

When local policy merging is disabled, centralized policy deployment is required for each application that requires inbound connectivity.

Administrators can disable the featureLocalPolicyMergein high-security environments to maintain tighter endpoint control. This setting may affect some applications and services that automatically generate local firewall policies after installation, as described above. For these types of apps and services to work, administrators should centrally enforce rules via Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or co-management environments).

CSP ZaporyICSP PolicyThey also have settings that can affect rule merging.

As a best practice, it is important to view and record such applications, including the network ports used for communication. Usually on the application page you can find the ports that need to be open for a specific service. More complex client application deployments may require more thorough analysis using network packet capture tools.

In general, to ensure maximum security, administrators should only submit firewall exceptions for applications and services that serve legitimate purposes.

Learn how to use covert mode for active attacks

An important firewall feature that can be used to mitigate the damage of an active attack is "cover-up" mode. This is an informal term that refers to a simple method that a firewall administrator can use to temporarily increase security in the event of an active attack.

Shields can be obtained by checkingBlock all incoming connections, including those in the allowed applications lista setting found in the Windows Settings app or an older filefirewall.cpl.

Figure 6: Windows Settings "Application/Windows Security/Firewall Protection/Network Type".

Figure 7: Legacy-Firewall.cpl file

By default, Windows Defender Firewall blocks everything unless an exception rule is created. This setting overrides exceptions.

For example, the remote desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, instead of disabling individual rules, Shields-enabled mode can be used to block all incoming connections and override previous exceptions, including remote desktop rules. Remote Desktop Rules are preserved, but remote access will not work while shields are enabled.

Once the emergency is over, disable the setting to restore regular network traffic.

Create outbound rules

Here are some general guidelines for configuring outbound rules.

• In some very secure environments, you might consider the default configuration of outbound blocking rules. However, the configuration of the inbound rules should never be changed to allow traffic by default
• For most deployments, it is recommended that egress be allowed by default to simplify application deployment unless the organization prioritizes tight security controls over ease of use
• In high-security environments, one or more administrators must create and record an inventory of all enterprise-wide applications. The registers must contain whether the application used requires a network connection. Administrators must create new rules for each application that requires network connectivity and centrally push those rules through Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or co-management environments).

For tasks related to creating outbound rules, seeChecklist: Create outbound firewall rules.

Document your changes

When creating an inbound or outbound rule, include details about the application itself, the port range used, and important notes such as the creation date. Policies must be well documented so that you and other administrators can easily see them. We strongly encourage you to take the time to facilitate the review of firewall rules at a later time. ANDNeverCreate unnecessary holes in the firewall.