Best practices for configuring Windows Defender Firewall (2023)

Windows Defender Firewall with Advanced Security provides two-way filtering of network traffic on the host and blocks unauthorized network traffic entering and exiting your local device. By configuring Windows Firewall based on the following best practices, you can optimize the security of devices on your network. These recommendations cover a wide range of deployments, including home networking and corporate desktop/server systems.

Go ahead and open Vatrozid for WindowsStartmenu, selectStart,tipWF.mscand then selectAlright. Also seeOpen Windows vatrozid.

Keep the default settings

When you first open Windows Defender Firewall, you may see the default settings for your local computer. The dashboard shows the security settings for each type of network your device can connect to.

Figure 1: Windows Defender firewall

1. Profile domain: Used in networks with an Active Directory Domain Controller-based account authentication system
2. Private profile: Designed and best used on private networks such as a home network
3. public profile: Designed for better security of public networks such as Wi-Fi access points, cafes, airports, hotels or shops

View detailed settings for each profile by right-clicking on the top levelWindows Defender firewall with advanced securityin the left pane, then selectproperty.

If possible, keep the default settings in Windows Defender Firewall. These settings are designed to ensure the device can be used in most network scenarios. An important example is the default blocking behavior for incoming connections.

Figure 2: Default input/output settings

For more information on configuring basic firewall settings, seeEnable Windows Firewall and configure the default behaviorandChecklist: Configure basic firewall settings.

Understanding rule precedence for inbound rules

In many cases, the next step for administrators will be to customize these profiles with rules (also known as filters) to work with user applications or other types of software. For example, an administrator or user can decide to add a rule to record a program, open a port or protocol, or allow a predefined type of traffic.

This task of adding a rule can be done by right-clickinginternal rulesLubOutbound rulesand chooseNovo rule. The interface for adding a new rule looks like this:

Figure 3: Rule creation wizard

In many cases, applications must allow certain types of inbound traffic to run applications on the network. Administrators should be aware of the following policy fetch behavior when allowing these inbound exceptions.

1. Explicitly defined allowed rules override the default block setting.
2. Explicit blocking rules take precedence over conflicting allow rules.
3. More specific rules take precedence over less specific rules, except when there are explicit blocking rules as specified in step 2. (For example, if rule 1's parameters refer to a range of IP addresses, while rule 2's parameters refer to 2, take precedence. )

Because of 1 and 2, when designing your ruleset, it is important to ensure that there are no other explicit blocking rules that could accidentally overlap, preventing the flow of traffic that you want to allow.

A general security best practice when creating inbound rules is to be as specific as possible. However, if you need to create new rules that use ports or IP addresses, consider using sequential ranges or subnets instead of individual addresses or ports if possible. This approach avoids creating multiple filters under the hood, reduces complexity and helps prevent performance loss.

Create rules for new applications before the first launch

Rules that allow inbound links

During initial setup, network applications and services send a listen call, determining the protocol/port information necessary for proper operation. Since there is a default blocking action in the Windows Defender firewall, ingress exception rules must be created to allow this traffic. It is common for an application or application installer to add this firewall rule. Otherwise, the user (or a firewall administrator on behalf of the user) must manually create the rule.

If the application is not running or an administrator-defined allowed policy, a dialog box prompts you to allow or block application packets the first time you start the application or attempt to communicate over the network.

• If you have administrative privileges, you will be prompted. If they respondBORNor cancel the query, blocking rules will be created. Usually two rules are created, one for TCP and one for UDP traffic.

• If you are not a local administrator, you will not be prompted. In most cases, blocking rules are created.

In any of the above scenarios, you must remove these rows after adding them to generate the query again. Otherwise, traffic will remain blocked.

Known issues with automatic rule generation

When designing a firewall rule set, it is a best practice to configure allowed rules for all network applications deployed on the host computer. Implementing these rules before the user launches the app for the first time ensures a smooth experience.

The lack of these step-by-step rules does not necessarily mean that the application will ultimately be unable to communicate over the network. However, the behavior associated with automatically creating application rules at runtime requires user interaction and administrative privileges. If the device is being used by non-administrators, please follow best practices and specify these policies before launching the application for the first time to avoid unexpected network issues.

Check the following cases to determine why some applications cannot communicate over the network:

1. A user with sufficient permissions will receive a prompt stating that the application needs to change firewall rules. If the user does not fully understand the query, cancel or ignore the query.
2. The user does not have sufficient permissions and is therefore not required to allow the application to make appropriate policy changes.
3. Local rule merging is disabled, which prevents an application or network service from creating local rules.

The creation of application rules at runtime can also be prohibited by administrators through the Settings application or Group Policy.

Figure 4: Access dialog box

Also seeChecklist: Create inbound firewall rules.

Establish local rules for combining and applying rules

Firewall rules can be implemented:

1. Locally using the firewall module (WF.msc)
2. Locally using PowerShell
3. Use Remote Group Policy if the device is a member of an Active Directory, System Center Configuration Manager, or Intune name (with Workplace Join)

Rule merge settings determine how rules from different rule sources are combined. Administrators can configure different connection behaviors for domain, private, and public profiles.

Policy merge settings allow or prevent local administrators from creating their own firewall rules in addition to those provided through Group Policy.

Figure 5: Setting up merge rules

If local policy merging is disabled, centralized policy enforcement is required for all applications that require inbound connectivity.

Administrators can disableLocalPolicyMergein highly secure environments to maintain tighter endpoint control. This setting may affect some applications and services that automatically generate local firewall rules after installation, as noted above. For these types of applications and services to work, administrators must centrally enforce policies through Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or shared management environments).

CSP will refuseandCSP of politicsalso have settings that can affect rule merging.

As a best practice, it is important to inspect and record such applications, including the network ports used for communication. Usually on the application page you can find the ports that should be open for a particular service. More complex client application implementations may require more in-depth analysis using network packet capture tools.

In general, for maximum security, administrators should file firewall exceptions only for applications and services that serve legitimate purposes.

Know how to use cloaking mode for active attacks

An important firewall feature that can be used to limit damage during an active attack is the "stealth" mode. This is a colloquial term that refers to a simple method that a firewall administrator can use to temporarily increase security when an attack is active.

Shields can be obtained by checkingBlock all incoming connections, including those on the whitelist of appsfound the setting in the Windows Settings app or in an older filevatrozid.cpl.

Figure 6: Windows Settings app/Windows Security/Firewall Security/Network Type

Figure 7: Legacy firewall.cpl file

Windows Defender Firewall blocks everything by default unless an exception rule is created. This setting overrides exceptions.

For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit that uses multiple ports and services on the host, instead of disabling individual rules, Shields-enabled mode can be used to block all incoming connections, overriding previous exceptions, including Remote Desktop rules. Remote desktop rules remain intact, but remote access will not work as long as shields are enabled.

After the emergency has passed, disable the setting to restore regular network traffic.

Create outbound rules

Here are some general guidelines for configuring outbound rules.

• In some highly secure environments, you may want to consider the default configuration of Blocked Outbound Rules. However, the ingress rule configuration should never be changed to allow traffic by default
• Most deployments recommend Allow outbound connections by default to simplify application deployment, unless your company values ​​strict security controls over ease of use
• In highly secure environments, an administrator or administrators must inventory and log all enterprise-level applications. Registries should specify whether the application used needs a network connection. Administrators must create new policies specific to each application that requires network connectivity and push those policies centrally, via Group Policy (GP), Mobile Device Management (MDM), or both (in hybrid or shared management environments).

For tasks related to creating output rules, seeChecklist: Create outbound firewall rules.

Document your changes

When you create an inbound or outbound rule, you must provide details about the application itself, the port range used, and important notes such as the creation date. Policies should be well documented so that they can be easily reviewed by you and other administrators. We highly recommend taking the time to make it easier to review your firewall rules later. INevercreate unnecessary holes in the firewall.