Best practices for configuring Windows Defender Firewall (2023)

  • Article
  • Refers to:
    Windows 11, ✅Windows 10, ✅Windows Server 2022, ✅Windows Server 2019, ✅Windows Server 2016

Windows Defender Firewall with Advanced Security provides two-way filtering of network traffic on the host and blocks unauthorized network traffic entering and exiting your local device. By configuring Windows Firewall based on the following best practices, you can optimize the security of devices on your network. These recommendations cover a wide range of deployments, including home networking and corporate desktop/server systems.

Go ahead and open Vatrozid for WindowsStartmenu, selectStart,tipWF.mscand then selectAlright. Also seeOpen Windows vatrozid.

Keep the default settings

When you first open Windows Defender Firewall, you may see the default settings for your local computer. The dashboard shows the security settings for each type of network your device can connect to.

Best practices for configuring Windows Defender Firewall (1)

Figure 1: Windows Defender firewall

  1. Profile domain: Used in networks with an Active Directory Domain Controller-based account authentication system
  2. Private profile: Designed and best used on private networks such as a home network
  3. public profile: Designed for better security of public networks such as Wi-Fi access points, cafes, airports, hotels or shops

View detailed settings for each profile by right-clicking on the top levelWindows Defender firewall with advanced securityin the left pane, then selectproperty.

If possible, keep the default settings in Windows Defender Firewall. These settings are designed to ensure the device can be used in most network scenarios. An important example is the default blocking behavior for incoming connections.

Best practices for configuring Windows Defender Firewall (2)

Figure 2: Default input/output settings


For maximum security, do not change the default Block incoming calls setting.

For more information on configuring basic firewall settings, seeEnable Windows Firewall and configure the default behaviorandChecklist: Configure basic firewall settings.

Understanding rule precedence for inbound rules

In many cases, the next step for administrators will be to customize these profiles with rules (also known as filters) to work with user applications or other types of software. For example, an administrator or user can decide to add a rule to record a program, open a port or protocol, or allow a predefined type of traffic.

This task of adding a rule can be done by right-clickinginternal rulesLubOutbound rulesand chooseNovo rule. The interface for adding a new rule looks like this:

Best practices for configuring Windows Defender Firewall (3)

Figure 3: Rule creation wizard


This article does not provide a step-by-step guide to configuring policies. LookWindows Firewall with Advanced Security Implementation Guidefor general guidelines for policy making.

In many cases, applications must allow certain types of inbound traffic to run applications on the network. Administrators should be aware of the following policy fetch behavior when allowing these inbound exceptions.

  1. Explicitly defined allowed rules override the default block setting.
  2. Explicit blocking rules take precedence over conflicting allow rules.
  3. More specific rules take precedence over less specific rules, except when there are explicit blocking rules as specified in step 2. (For example, if rule 1's parameters refer to a range of IP addresses, while rule 2's parameters refer to 2, take precedence. )

Because of 1 and 2, when designing your ruleset, it is important to ensure that there are no other explicit blocking rules that could accidentally overlap, preventing the flow of traffic that you want to allow.

A general security best practice when creating inbound rules is to be as specific as possible. However, if you need to create new rules that use ports or IP addresses, consider using sequential ranges or subnets instead of individual addresses or ports if possible. This approach avoids creating multiple filters under the hood, reduces complexity and helps prevent performance loss.


Windows Defender Firewall does not support the traditional weighted ordering of rules assigned by an administrator. An effective set of rules with expected behavior can be created by considering some of the consistent and logical rule behaviors described above.

Create rules for new applications before the first launch

Rules that allow inbound links

During initial setup, network applications and services send a listen call, determining the protocol/port information necessary for proper operation. Since there is a default blocking action in the Windows Defender firewall, ingress exception rules must be created to allow this traffic. It is common for an application or application installer to add this firewall rule. Otherwise, the user (or a firewall administrator on behalf of the user) must manually create the rule.

If the application is not running or an administrator-defined allowed policy, a dialog box prompts you to allow or block application packets the first time you start the application or attempt to communicate over the network.

  • If you have administrative privileges, you will be prompted. If they respondBORNor cancel the query, blocking rules will be created. Usually two rules are created, one for TCP and one for UDP traffic.

  • If you are not a local administrator, you will not be prompted. In most cases, blocking rules are created.

In any of the above scenarios, you must remove these rows after adding them to generate the query again. Otherwise, traffic will remain blocked.


Default firewall settings are designed with security in mind. Allowing all incoming connections by default exposes your network to various threats. Therefore, exceptions for inbound links from third-party software should be set by trusted application developers, the user, or an administrator on behalf of the user.

Known issues with automatic rule generation

When designing a firewall rule set, it is a best practice to configure allowed rules for all network applications deployed on the host computer. Implementing these rules before the user launches the app for the first time ensures a smooth experience.

The lack of these step-by-step rules does not necessarily mean that the application will ultimately be unable to communicate over the network. However, the behavior associated with automatically creating application rules at runtime requires user interaction and administrative privileges. If the device is being used by non-administrators, please follow best practices and specify these policies before launching the application for the first time to avoid unexpected network issues.

Check the following cases to determine why some applications cannot communicate over the network:

  1. A user with sufficient permissions will receive a prompt stating that the application needs to change firewall rules. If the user does not fully understand the query, cancel or ignore the query.
  2. The user does not have sufficient permissions and is therefore not required to allow the application to make appropriate policy changes.
  3. Local rule merging is disabled, which prevents an application or network service from creating local rules.

The creation of application rules at runtime can also be prohibited by administrators through the Settings application or Group Policy.

Best practices for configuring Windows Defender Firewall (4)

Figure 4: Access dialog box

Also seeChecklist: Create inbound firewall rules.

Establish local rules for combining and applying rules

Firewall rules can be implemented:

  1. Locally using the firewall module (WF.msc)
  2. Locally using PowerShell
  3. Use Remote Group Policy if the device is a member of an Active Directory, System Center Configuration Manager, or Intune name (with Workplace Join)

Rule merge settings determine how rules from different rule sources are combined. Administrators can configure different connection behaviors for domain, private, and public profiles.

Policy merge settings allow or prevent local administrators from creating their own firewall rules in addition to those provided through Group Policy.

Best practices for configuring Windows Defender Firewall (5)

Figure 5: Setting up merge rules


In the firewallconfiguration service provider, is an equivalent settingAllow merging of local rules. This setting can be found in each corresponding profile node,Profile domain,Private profile, andpublic profile.

If local policy merging is disabled, centralized policy enforcement is required for all applications that require inbound connectivity.

Administrators can disableLocalPolicyMergein highly secure environments to maintain tighter endpoint control. This setting may affect some applications and services that automatically generate local firewall rules after installation, as noted above. For these types of applications and services to work, administrators must centrally enforce policies through Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or shared management environments).

CSP will refuseandCSP of politicsalso have settings that can affect rule merging.

As a best practice, it is important to inspect and record such applications, including the network ports used for communication. Usually on the application page you can find the ports that should be open for a particular service. More complex client application implementations may require more in-depth analysis using network packet capture tools.

In general, for maximum security, administrators should file firewall exceptions only for applications and services that serve legitimate purposes.


Using wildcard patterns likeC:*\teams.exenot supported in application rules. We currently only support rules created using the full application path.

Know how to use cloaking mode for active attacks

An important firewall feature that can be used to limit damage during an active attack is the "stealth" mode. This is a colloquial term that refers to a simple method that a firewall administrator can use to temporarily increase security when an attack is active.

Shields can be obtained by checkingBlock all incoming connections, including those on the whitelist of appsfound the setting in the Windows Settings app or in an older filevatrozid.cpl.

Best practices for configuring Windows Defender Firewall (6)

Figure 6: Windows Settings app/Windows Security/Firewall Security/Network Type

Best practices for configuring Windows Defender Firewall (7)

Figure 7: Legacy firewall.cpl file

Windows Defender Firewall blocks everything by default unless an exception rule is created. This setting overrides exceptions.

For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit that uses multiple ports and services on the host, instead of disabling individual rules, Shields-enabled mode can be used to block all incoming connections, overriding previous exceptions, including Remote Desktop rules. Remote desktop rules remain intact, but remote access will not work as long as shields are enabled.

After the emergency has passed, disable the setting to restore regular network traffic.

Create outbound rules

Here are some general guidelines for configuring outbound rules.

  • In some highly secure environments, you may want to consider the default configuration of Blocked Outbound Rules. However, the ingress rule configuration should never be changed to allow traffic by default
  • Most deployments recommend Allow outbound connections by default to simplify application deployment, unless your company values ​​strict security controls over ease of use
  • In highly secure environments, an administrator or administrators must inventory and log all enterprise-level applications. Registries should specify whether the application used needs a network connection. Administrators must create new policies specific to each application that requires network connectivity and push those policies centrally, via Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or shared management environments).

For tasks related to creating output rules, seeChecklist: Create outbound firewall rules.

Document your changes

When you create an inbound or outbound rule, you must provide details about the application itself, the port range used, and important notes such as the creation date. Policies should be well documented so that they can be easily reviewed by you and other administrators. We highly recommend taking the time to make it easier to review your firewall rules later. INevercreate unnecessary holes in the firewall.


Best practices for configuring Windows Defender Firewall? ›

In general, you should follow the best practice of least privilege when configuring a firewall, which just means to block literally everything that you aren't using for a dedicated and approved business function.

What are the four 4 best practices for firewall rules configuration including allow access? ›

Best practices for firewall rules configuration
  • Block by default. Block all traffic by default and explicitly enable only specific traffic to known services. ...
  • Allow specific traffic. ...
  • Specify source IP addresses. ...
  • Specify the destination IP address. ...
  • Specify the destination port. ...
  • Examples of dangerous configurations.
Apr 16, 2020

Which of the following is the best practice for managing and configuring firewalls? ›

In general, you should follow the best practice of least privilege when configuring a firewall, which just means to block literally everything that you aren't using for a dedicated and approved business function.

How do I configure Windows Defender Firewall? ›

Go to Start and open Control Panel. Select System and Security > Windows Defender Firewall. Choose Turn Windows Firewall on or off. Select Turn on Windows Firewall for domain, private, and public network settings.

What are the 5 steps to configure a simple firewall? ›

How To Configure a Firewall
  1. Secure the Firewall. ...
  2. Establish Firewall Zones and an IP Address Structure. ...
  3. Configure Access Control Lists (ACLs) ...
  4. Configure Other Firewall Services and Logging. ...
  5. Test the Firewall Configuration. ...
  6. Manage Firewall Continually.

What are the six 6 best practices for deployment of firewalls as network security perimeter device? ›

Items associated with firewall deployment process
  • Security policy. ...
  • Set a default policy. ...
  • Do not expose private services without VPN. ...
  • Ensure non-repudiation in internal or external accesses. ...
  • Build a secure visitor access policy. ...
  • Create access policies by interest groups. ...
  • Use DMZ or private network for public services.

What are the four basic firewall rules? ›

These are described here in order of precedence:
  • The traffic can bypass the firewall completely. ...
  • It can log only. ...
  • It can force allow defined traffic (it will allow traffic defined by this rule without excluding any other traffic.)
  • It can deny traffic (it will deny traffic defined by this rule.)
Sep 12, 2022

What are two best practices when implementing firewall security policies? ›

  • #1. Harden and Properly Configure the Firewall. ...
  • #2. Plan your Firewall Deployment. ...
  • #3. Secure the Firewall. ...
  • #4. Secure User Accounts. ...
  • #5. Lock Down Zone Access to Approved Traffic. ...
  • #6. Ensure Firewall Policy and Use Complies with Standards. ...
  • #7. Test to Verify the Policy and Identify Risks. ...
  • #8.

What are 4 techniques used by firewalls to control access and enforce security policy? ›

Explanation. The four techniques used by firewalls to control access and enforce a security policy are Service control, Direction control, User control and Behavior control.

What are the default rules for Windows Defender Firewall? ›

By default, the Windows Defender Firewall will block everything unless there's an exception rule created. This setting overrides the exceptions. For example, the Remote Desktop feature automatically creates firewall rules when enabled.

What are the three categories and default Settings for Windows Defender Firewall? ›

Windows Firewall offers three firewall profiles: domain, private and public. The domain profile applies to networks where the host system can authenticate to a domain controller. The private profile is a user-assigned profile and is used to designate private or home networks.

How does Windows Defender Firewall work? ›

Feature description. Windows Defender Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device.

What is firewall checklist? ›

The firewall audit checklist not only ensures that your firewall configurations and rules comply with external regulations and internal security policies. It can also help to reduce risk and improve firewall performance by optimizing the firewall rule base.

What are the 3 methods of firewall? ›

There are three types of firewalls based on how you decide to deploy them: hardware, software, and cloud-based firewalls.

What are the best practices when defining an effective firewall policy? ›

7 Firewall Best Practices for Securing Your Network
  • Block traffic by default and monitor user access. ...
  • Establish a firewall configuration change plan. ...
  • Optimize the firewall rules of your network. ...
  • Update your firewall software regularly. ...
  • Conduct regular firewall security audits.

What is level 7 firewall rule? ›

Layer 7 firewalls categorise all traffic into 'applications', and then allow you to block/allow traffic based on the application. The applications do not have to be websites - for example web-browsing, telnet & smtp are all applications.

What is first rule in firewall? ›

Firewall rules are shown as a list on the Rules page. The rules are applied from top to bottom, and the first rule that matches the traffic overrides all the other rules below. The main principle is to allow only the needed traffic and block the rest.

What are the 2 main types of firewall? ›

The most common firewall types based on methods of operation are: Packet-filtering firewalls. Proxy firewalls.

What two things are most important when first considering firewall implementation? ›

All replies
  • Answer: The two most crucial factors to take into account when first thinking about implementing a firewall are:
  • 1) Security policy: The security policy outlines the types of traffic that the firewall should allow or reject. ...
  • 2) Network topology: The network topology is the second factor to take into account.

Which ports should always be closed? ›

For those looking for a list of ports to block, the SANS Institute recommends at least blocking outbound traffic using the following ports:
  • MS RPC TCP, UDP Port 135.
  • NetBIOS/IP TCP, UDP Port 137-139.
  • SMB/IP TCP Port 445.
  • Trivial File Transfer Protocol (TFTP) UDP Port 69.
  • System log UDP Port 514.
Mar 20, 2022

What are some strategies to consider for implementing and deploying firewalls? ›

5 Best Practices for Your Firewall Deployment Architecture
  • 1) Regularly Check and Update Your Firewall Configuration Settings. ...
  • 2) Make Sure There Aren't ANY Modems in Your Internal Network. ...
  • 3) Use Defense in Depth. ...
  • 4) Using Deep Packet Inspection. ...
  • 5) Don't Just Rely on Firewalls!
Mar 20, 2018

What are the 3 types of access controls and how are they used to protect data? ›

Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC). DAC is a type of access control system that assigns access rights based on rules specified by users.

What are the possible methods to access firewall management? ›

Interface Management Profiles
  • HTTPS.
  • SSH.
  • Ping.
  • Telnet.
  • HTTP.
  • SNMP.
Jan 2, 2022

What is the typical processing order of firewall rules? ›

Firewall rules are ordered sequentially, from highest to lowest priority in the rules list.
FirstCustom IPS signatures
SecondIntrusion Prevention settings, traffic settings, and stealth settings
ThirdBuilt-in rules
FourthFirewall rules
2 more rows
Mar 27, 2023

What are the characteristics of a good firewall implementation? ›

Top 5 Must-Have Firewall Features
  • Features.
  • Unified Security Management.
  • Threat Prevention.
  • Inspection.
  • Hybrid Cloud.
  • Performance.
  • Resources.

What are the main rules of firewalls in security technologies? ›

Inbound firewall rules protect the network against incoming traffic, such as disallowed connections, malware, and denial-of-service (DoS) attacks. Outbound firewall rules protect against outgoing traffic, originating inside a network.

Which are two main rules categories in Windows Defender Firewall? ›

Microsoft Windows Defender Firewall, by default, contains two 'top level' rules; one that blocks all inbound connections, and the other, which allows all outbound connections.

How do I configure Windows Firewall and Defender? ›

Turn Microsoft Defender Firewall on or off
  1. Select Start , then open Settings . ...
  2. Select a network profile: Domain network, Private network, or Public network.
  3. Under Microsoft Defender Firewall, switch the setting to On. ...
  4. To turn it off, switch the setting to Off.

How to configure Windows Defender Firewall with Advanced security? ›

Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
  1. Click the tab that corresponds to the network location type.
  2. Change Firewall state to On (recommended).
  3. Change Inbound connections to Block (default).
  4. Change Outbound connections to Allow (default).

How do I configure my firewall step by step? ›

How To Configure a Firewall
  1. Secure the Firewall. ...
  2. Establish Firewall Zones and an IP Address Structure. ...
  3. Configure Access Control Lists (ACLs) ...
  4. Configure Other Firewall Services and Logging. ...
  5. Test the Firewall Configuration. ...
  6. Manage Firewall Continually.

What is the difference between Windows Defender and Windows Defender Firewall? ›

Windows Defender (now Microsoft Defender) is an antivirus program that protects your system from various threats such as malware, viruses, etc. On the other hand, Windows Defender Firewall is responsible for monitoring network traffic and blocking hackers to prevent unauthorized access.

How do I configure Windows Defender? ›

Turn on real-time and cloud-delivered protection
  1. Select the Start menu.
  2. In the search bar, type Windows Security. ...
  3. Select Virus & threat protection.
  4. Under Virus & threat protection settings, select Manage settings.
  5. Flip each switch under Real-time protection and Cloud-delivered protection to turn them on.
Feb 20, 2023

Is Windows Defender Firewall sufficient? ›

Microsoft Defender is a good enough option for basic antivirus protection. It has a very strong firewall and a good number of features for the program and device security. However, the scanning performance is very poor, and secure browsing is only possible with Microsoft Edge.

Is Windows Defender Firewall the same as Windows Firewall? ›

Windows Firewall (officially called Microsoft Defender Firewall in Windows 10 version 2004 and later) is a firewall component of Microsoft Windows. It was first included in Windows XP SP2 and Windows Server 2003 SP1. Before the release of Windows XP Service Pack 2, it was known as the "Internet Connection Firewall."

Is Windows Defender Firewall reliable? ›

There are good points about Windows Defender: You get free protection that scores high when tested and reviewed. In a product review by AV-TEST during the first two months of 2022, Windows Defender scored 6 out of 6 on all three evaluations, including a 100% detection rate.

What are the four major areas firewall must consider? ›

Firewall architecture is built upon four primary components — network policy, advanced authentication, packet filtering, and application gateways.

What are the four general techniques of firewall? ›

Explanation. The four techniques used by firewalls to control access and enforce a security policy are Service control, Direction control, User control and Behavior control.

What are common firewall tasks? ›

Firewalls can also perform various functions, such as packet filtering, stateful inspection, proxy service, and deep packet inspection, to control and monitor the traffic between your network and the internet.

How do I audit firewall configuration? ›

How to Perform Firewall Audit?
  1. Collect Key Information. ...
  2. Assess the Change Management Process. ...
  3. Audit the OS and Physical Security. ...
  4. Declutter and Improve the Rule Base. ...
  5. Perform a Risk Assessment and Fix Issues. ...
  6. Conduct Ongoing Audits.

What tool to test firewall? ›

Common firewall pen-testing tools used are Hping and Nmap. Both tools have similar functionality with one small difference. Hping can only scan 1 IP address at a time compared to Nmap, which can scan a range of IP addresses.

What is the strongest type of firewall? ›

Proxy servers are the most secure type of firewall, as they filter packets through a protected proxy server. This is done before traffic even reaches the network perimeter.

What is the simplest type of firewall? ›

Packet-Filtering Firewalls

The first and simplest type of firewall is a packet filtering firewall. They simply verify a data packet's source and destination IP addresses, protocol, source/destination port against specified rules at the network layer to determine whether to allow or deny it.

What are the 4 different types of traffic shaping policy you can create Sophos? ›

  • Traffic shaping settings.
  • Apply to applications and application categories.
  • Apply to web categories.
  • Apply to users.
  • Apply to groups.
  • Apply to firewall rules.
  • Apply to WAF rules.
Jan 20, 2023

What four 4 methods are used to manage the Palo Alto network's next generation firewalls? ›

1) Create, update, and modify firewall and Panorama configurations. 2) Execute operational mode commands, such as restarting the system or validating configurations. 3) Retrieve reports. 4) Manage users through User-ID.

What are the three 3 functions of firewall? ›

Overall, firewalls play an important role in preventing cyber attacks, protecting sensitive data, and maintaining the privacy and security of computer systems and networks.

What are the 3 main functions of a firewall? ›

Functions of Firewall

Therefore, a firewall's primary function is to secure our network and information by controlling network traffic, preventing unwanted incoming network traffic, and validating access by assessing network traffic for malicious things such as hackers and malware.

Which 3 can be configured as objects in Sophos firewall? ›

Dynamic objects – Host, Zone, Interface and Gateway are the network objects whose configurations vary from one device to another. Administrator can configure these objects in Sophos Firewall Manager and map them to individual devices.

Which 2 types of custom zone can you create on Sophos firewall? ›

You may also create new zones; they will either be DMZ or LAN type.
  • LAN: You may create new custom LAN zones if you want to further segment your network. For example, you can have one LAN zone for sales and a separate zone for engineering.
  • DMZ: You may have up to 5 ports connected.
Jul 18, 2019

What are the 3 pillars of Palo Alto Networks strategy? ›

  • Visibility and access control.
  • Data loss protection.
  • Threat prevention.

What are the five processing modes by which a firewall can be categorized? ›

5 Types of Firewalls Categorized by Processing Mode
  • Packet filtering (which we've already talked about),
  • Proxy or application gateway,
  • Circuit gateway,
  • MAC layer, and.
  • Hybrids.
Oct 13, 2020

What are the two basic types of firewall personal and network? ›

There are two types of firewalls based on what they protect: network-based and host-based. Network-based firewalls, which are frequently hardware, protect entire networks. Host-based firewalls, which are frequently software, protect individual devices known as hosts.

What are firewall rule priorities? ›

The firewall rule priority is an integer from 0 to 65535 , inclusive. Lower integers indicate higher priorities. If you do not specify a priority when creating a rule, it is assigned a priority of 1000 . The relative priority of a firewall rule determines whether it is applicable when evaluated against others.


Top Articles
Latest Posts
Article information

Author: Rubie Ullrich

Last Updated: 20/01/2024

Views: 5249

Rating: 4.1 / 5 (52 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Rubie Ullrich

Birthday: 1998-02-02

Address: 743 Stoltenberg Center, Genovevaville, NJ 59925-3119

Phone: +2202978377583

Job: Administration Engineer

Hobby: Surfing, Sailing, Listening to music, Web surfing, Kitesurfing, Geocaching, Backpacking

Introduction: My name is Rubie Ullrich, I am a enthusiastic, perfect, tender, vivacious, talented, famous, delightful person who loves writing and wants to share my knowledge and understanding with you.