Windows Firewall Best Practices
Windows Firewall Best Practices
Windows Defender Firewall (formerly Windows Firewall with Advanced Security) is a host-based stateful firewall built into all modern Windows operating systems. When properly configured, it provides a critical layer of defense-in-depth for both workstations and servers. This page covers best practices for enterprise environments.
⛔ CRITICAL: Never Disable the Windows Firewall Service
Microsoft explicitly states that the Windows Defender Firewall service (mpssvc) must never be disabled. Stopping or disabling the service — rather than managing firewall profiles — breaks IPsec/connection security rules, disrupts dependent services, and leaves the host completely unprotected at the kernel level, even if a third-party firewall is present.
If you need to allow traffic that is being blocked: create a specific firewall rule to permit it. If troubleshooting, disable the relevant profile temporarily via GPO or Set-NetFirewallProfile -Enabled False — never stop the service itself.
Core Principles
- Default Deny – All inbound traffic should be blocked by default. Only explicitly required ports and protocols should be permitted.
- Least Privilege – Rules should be as specific as possible: limit by port, protocol, source IP, and application path where feasible.
- Profile Awareness – Windows Firewall uses three profiles (Domain, Private, Public). Ensure all three are configured — never assume Domain profile is the only one that matters.
- Logging – Enable logging on all profiles. Silent failures and misconfigured rules are only discoverable through logs.
Profile Configuration
| Profile | Use Case | Recommended Inbound Policy |
|---|---|---|
| Domain | Domain-joined machines on corp network | Block (with GPO-defined exceptions) |
| Private | Trusted home/lab networks | Block |
| Public | Untrusted networks (hotels, coffee shops) | Block (most restrictive) |
All three profiles should have inbound set to Block and outbound set to Allow (with optional outbound restrictions for high-security systems).
Group Policy Management
Manage Windows Firewall centrally via GPO for consistency and auditability.
Recommended GPO path:
Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security
Key GPO Settings
- Firewall state: On (all profiles)
- Inbound connections: Block (all profiles)
- Outbound connections: Allow (default), restrict as needed
- Display a notification: No (prevents end-user confusion/bypasses)
- Allow local firewall rule merging: Disabled (prevents local overrides on managed systems)
- Apply local connection security rule merging: Disabled
Important: Setting "Apply local firewall rules" to No in GPO means only GPO-defined rules apply. This is recommended for servers. For workstations, evaluate based on whether local admins need the ability to add exceptions.
Recommended Inbound Rules by Role
All Systems (Baseline)
| Rule | Port/Protocol | Direction | Action |
|---|---|---|---|
| Block all inbound (default) | Any | Inbound | Block |
| Allow ICMP Echo (monitoring) | ICMPv4/ICMPv6 | Inbound | Allow (from monitoring subnet only) |
| Allow established/related | Stateful | Inbound | Allow |
Domain Controllers
| Rule | Port/Protocol |
|---|---|
| Kerberos | TCP/UDP 88 |
| LDAP | TCP/UDP 389 |
| LDAPS | TCP 636 |
| Global Catalog | TCP 3268, 3269 |
| DNS | TCP/UDP 53 |
| RPC Endpoint Mapper | TCP 135 |
| RPC Dynamic Ports | TCP 49152–65535 (restrict to DC/management IPs) |
| SMB | TCP 445 (restrict to domain members only) |
| NetLogon | TCP/UDP 464 |
Member Servers (General)
| Rule | Port/Protocol | Notes |
|---|---|---|
| RDP | TCP 3389 | Restrict to jump host / management VLAN only |
| WinRM (HTTP) | TCP 5985 | Restrict to Ansible/management IPs |
| WinRM (HTTPS) | TCP 5986 | Preferred over HTTP |
| SMB | TCP 445 | Restrict to authorized file server clients |
Workstations
- Block SMB (TCP 445) inbound — lateral movement vector
- Block RDP (TCP 3389) inbound — use jump hosts instead
- Allow WinRM only from management systems if using remote management
- Allow monitoring agent traffic from LogicMonitor collectors
PowerShell Management
View all active inbound rules
Get-NetFirewallRule -Direction Inbound -Enabled True |
Select-Object DisplayName, Profile, Action, Direction |
Sort-Object DisplayName
Create a targeted allow rule
New-NetFirewallRule `
-DisplayName "Allow WinRM HTTPS from Management" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 5986 `
-RemoteAddress 10.10.0.0/24 `
-Action Allow `
-Profile Domain `
-Enabled True
Block a specific port across all profiles
New-NetFirewallRule `
-DisplayName "Block SMB Inbound" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 445 `
-Action Block `
-Profile Any `
-Enabled True
Export current rules for auditing
Get-NetFirewallRule | Export-Csv -Path "C:\Audit\FirewallRules_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
Enable firewall logging via PowerShell
Set-NetFirewallProfile -Profile Domain,Private,Public `
-LogBlocked True `
-LogAllowed True `
-LogMaxSizeKilobytes 32767 `
-LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
Logging & Monitoring
Enable Logging
Enable logging on all profiles via GPO:
Windows Defender Firewall Properties > [Profile Tab] > Logging
- Log dropped packets: Yes
- Log successful connections: Yes
- Size limit: 32,767 KB (max)
- Log file path: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Windows Event Log Integration
Key Event IDs to monitor in Security and Microsoft-Windows-Windows Firewall With Advanced Security/Firewall logs:
| Event ID | Description |
|---|---|
| 2004 | Firewall rule added |
| 2005 | Firewall rule modified |
| 2006 | Firewall rule deleted |
| 2033 | Firewall rule list cleared |
| 5025 | Firewall service stopped |
| 5157 | Connection blocked |
| 5156 | Connection allowed |
Forward these events to your SIEM or LogicMonitor for centralized alerting.
Common Hardening Mistakes to Avoid
| Mistake | Risk | Remediation |
|---|---|---|
| Disabling Windows Firewall entirely | No host-level protection | Re-enable, configure via GPO |
| Allowing "Any" as source IP | Exposes services to all hosts | Restrict by IP/subnet |
| Allowing RDP from Any | Lateral movement / brute force | Restrict to jump host IPs only |
| Leaving SMB 445 open on workstations | WannaCry/ransomware propagation | Block inbound 445 on all workstations |
| Not logging dropped packets | No visibility into blocked attempts | Enable logging on all profiles |
| Allowing local rule merging on servers | Users/apps create unauthorized exceptions | Disable local rule merging via GPO |
Auditing & Compliance
Verify firewall is enabled on all profiles
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Expected output for a hardened system:
Name Enabled DefaultInboundAction DefaultOutboundAction
---- ------- -------------------- ---------------------
Domain True Block Allow
Private True Block Allow
Public True Block Allow
List rules allowing inbound Any source (risk review)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
Get-NetFirewallAddressFilter |
Where-Object { $_.RemoteAddress -eq "Any" }
Review the output and determine if each rule has a legitimate business justification.
Related Pages
- Windows Defender Firewall with Advanced Security (WFAS) Overview
- GPO Baseline Templates
- WinRM & Remote Management Configuration
- Network Segmentation and VLAN Strategy
Last reviewed: April 2026 | Applies to: Windows Server 2019, 2022, 2025 / Windows 10, 11
No comments to display
No comments to display