
Windows Firewall Best Practices

Windows Defender Firewall (formerly Windows Firewall with Advanced Security) is a host-based stateful firewall built into all modern Windows operating systems. When properly configured, it provides a critical layer of defense-in-depth for both workstations and servers. This page covers best practices for enterprise environments.


Core Principles

  • Default Deny – All inbound traffic should be blocked by default. Only explicitly required ports and protocols should be permitted.
  • Least Privilege – Rules should be as specific as possible: limit by port, protocol, source IP, and application path where feasible.
  • Profile Awareness – Windows Firewall uses three profiles (Domain, Private, Public). Ensure all three are configured — never assume Domain profile is the only one that matters.
  • Logging – Enable logging on all profiles. Silent failures and misconfigured rules are only discoverable through logs.

Profile Configuration

Profile   Use Case                                    Recommended Inbound Policy
-------   --------                                    --------------------------
Domain    Domain-joined machines on corp network      Block (with GPO-defined exceptions)
Private   Trusted home/lab networks                   Block
Public    Untrusted networks (hotels, coffee shops)   Block (most restrictive)

All three profiles should have inbound set to Block and outbound set to Allow (with optional outbound restrictions for high-security systems).


Group Policy Management

Manage Windows Firewall centrally via GPO for consistency and auditability.

Computer Configuration > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security

Key GPO Settings

  • Firewall state: On (all profiles)
  • Inbound connections: Block (all profiles)
  • Outbound connections: Allow (default), restrict as needed
  • Display a notification: No (prevents end-user confusion/bypasses)
  • Apply local firewall rules: No (prevents local overrides on managed systems)
  • Apply local connection security rules: No

Important: Setting "Apply local firewall rules" to No in GPO means only GPO-defined rules apply. This is recommended for servers. For workstations, evaluate based on whether local admins need the ability to add exceptions.


All Systems (Baseline)

Rule                           Port/Protocol   Direction   Action
----                           -------------   ---------   ------
Block all inbound (default)    Any             Inbound     Block
Allow ICMP Echo (monitoring)   ICMPv4/ICMPv6   Inbound     Allow (from monitoring subnet only)
Allow established/related      Stateful        Inbound     Allow

Domain Controllers

Rule                  Port/Protocol
----                  -------------
Kerberos              TCP/UDP 88
LDAP                  TCP/UDP 389
LDAPS                 TCP 636
Global Catalog        TCP 3268, 3269
DNS                   TCP/UDP 53
RPC Endpoint Mapper   TCP 135
RPC Dynamic Ports     TCP 49152–65535 (restrict to DC/management IPs)
SMB                   TCP 445 (restrict to domain members only)
NetLogon              TCP/UDP 464

Member Servers (General)

Rule            Port/Protocol   Notes
----            -------------   -----
RDP             TCP 3389        Restrict to jump host / management VLAN only
WinRM (HTTP)    TCP 5985        Restrict to Ansible/management IPs
WinRM (HTTPS)   TCP 5986        Preferred over HTTP
SMB             TCP 445         Restrict to authorized file server clients

Workstations

  • Block SMB (TCP 445) inbound — lateral movement vector
  • Block RDP (TCP 3389) inbound — use jump hosts instead
  • Allow WinRM only from management systems if using remote management
  • Allow monitoring agent traffic from LogicMonitor collectors

PowerShell Management

View all active inbound rules

Get-NetFirewallRule -Direction Inbound -Enabled True | 
  Select-Object DisplayName, Profile, Action, Direction |
  Sort-Object DisplayName

Create a targeted allow rule

New-NetFirewallRule `
  -DisplayName "Allow WinRM HTTPS from Management" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 5986 `
  -RemoteAddress 10.10.0.0/24 `
  -Action Allow `
  -Profile Domain `
  -Enabled True

Block a specific port across all profiles

New-NetFirewallRule `
  -DisplayName "Block SMB Inbound" `
  -Direction Inbound `
  -Protocol TCP `
  -LocalPort 445 `
  -Action Block `
  -Profile Any `
  -Enabled True

Export current rules for auditing

Get-NetFirewallRule | Export-Csv -Path "C:\Audit\FirewallRules_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

Enable firewall logging via PowerShell

Set-NetFirewallProfile -Profile Domain,Private,Public `
  -LogBlocked True `
  -LogAllowed True `
  -LogMaxSizeKilobytes 32767 `
  -LogFileName "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"

Logging & Monitoring

Enable Logging

Enable logging on all profiles via GPO:

Windows Defender Firewall Properties > [Profile Tab] > Logging
  - Log dropped packets: Yes
  - Log successful connections: Yes
  - Size limit: 32,767 KB (max)
  - Log file path: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
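Once logging is on, the dropped-packet log is only useful if someone reads it. The following is an added example, not code from the original page: it parses the W3C header of pfirewall.log (default path from the settings above) and summarises inbound DROP entries by destination port and source address. The sample log lines are constructed for the demonstration.

```powershell
# Added example, not from the original page.
function Get-FirewallDropSummary {
    param(
        [string]$Path = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [string[]]$Lines = (Get-Content -Path $Path)
    )
    # The W3C '#Fields:' header names the columns; read it rather than hard-coding offsets.
    $fieldLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldLine) { throw "No '#Fields:' header found; not a pfirewall.log?" }
    $fields = ($fieldLine -replace '^#Fields:\s*', '') -split '\s+'

    $records = foreach ($line in $Lines) {
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        if ($values.Count -lt $fields.Count) { continue }   # skip truncated lines
        $rec = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }

    # Inbound drops are action DROP with path RECEIVE; grouping by port and source
    # makes a blocked scan (one source, many ports) or a misconfigured rule stand out.
    $records |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object -Property 'dst-port', 'src-ip' |
        ForEach-Object {
            [pscustomobject]@{
                DstPort = $_.Group[0].'dst-port'
                SrcIP   = $_.Group[0].'src-ip'
                Drops   = $_.Count
            }
        } |
        Sort-Object -Property Drops -Descending
}

# Constructed sample in the pfirewall.log layout (not a real capture):
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-04-01 09:15:02 DROP TCP 10.10.5.23 10.10.0.15 51432 445 52 S 1250998213 0 8192 - - - RECEIVE
2026-04-01 09:15:03 DROP TCP 10.10.5.23 10.10.0.15 51433 3389 52 S 1250998300 0 8192 - - - RECEIVE
2026-04-01 09:15:04 DROP TCP 10.10.5.23 10.10.0.15 51434 445 52 S 1250998411 0 8192 - - - RECEIVE
2026-04-01 09:15:05 ALLOW TCP 10.10.0.15 10.10.0.40 52100 5986 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-FirewallDropSummary -Lines $sample | Format-Table -AutoSize
```

Against the live log, call Get-FirewallDropSummary with no arguments; with the sample above it reports two drops on 445 and one on 3389 from 10.10.5.23.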

Windows Event Log Integration

Key Event IDs to monitor in Security and Microsoft-Windows-Windows Firewall With Advanced Security/Firewall logs:

Event ID   Description
--------   -----------
2004       Firewall rule added
2005       Firewall rule modified
2006       Firewall rule deleted
2033       Firewall rule list cleared
5025       Firewall service stopped
5157       Connection blocked
5156       Connection allowed

Forward these events to your SIEM or LogicMonitor for centralized alerting.


Common Hardening Mistakes to Avoid

Mistake                                  Risk                                        Remediation
-------                                  ----                                        -----------
Disabling Windows Firewall entirely      No host-level protection                    Re-enable, configure via GPO
Allowing "Any" as source IP              Exposes services to all hosts               Restrict by IP/subnet
Allowing RDP from Any                    Lateral movement / brute force              Restrict to jump host IPs only
Leaving SMB 445 open on workstations     WannaCry/ransomware propagation             Block inbound 445 on all workstations
Not logging dropped packets              No visibility into blocked attempts         Enable logging on all profiles
Allowing local rule merging on servers   Users/apps create unauthorized exceptions   Disable local rule merging via GPO

Auditing & Compliance

Verify firewall is enabled on all profiles

Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

Expected output for a hardened system:

Name     Enabled  DefaultInboundAction  DefaultOutboundAction
----     -------  --------------------  ---------------------
Domain   True     Block                 Allow
Private  True     Block                 Allow
Public   True     Block                 Allow
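The three-column check above covers state and default actions only. The following is an added example, not code from the original page: it compares every profile against the full set of settings recommended in the Key GPO Settings and Logging sections and emits one row per deviation. Property names are those returned by Get-NetFirewallProfile; the server baseline (no local rule merging) is assumed unless -AllowLocalRules is passed for workstations.

```powershell
# Added example, not from the original page: check each profile against the
# settings this page recommends and emit one row per deviation. Property names
# are those of Get-NetFirewallProfile; the server baseline (no local rule merging)
# is assumed unless -AllowLocalRules is given for workstations.
function Test-FirewallBaseline {
    param([switch]$AllowLocalRules)
    $merge = if ($AllowLocalRules) { 'True' } else { 'False' }
    foreach ($p in Get-NetFirewallProfile) {
        # Expected values as strings; GpoBoolean and Action values render that way.
        $checks = [ordered]@{
            Enabled                 = 'True'
            DefaultInboundAction    = 'Block'
            DefaultOutboundAction   = 'Allow'    # Block only on high-security hosts
            NotifyOnListen          = 'False'    # "Display a notification: No"
            AllowLocalFirewallRules = $merge     # "Apply local firewall rules"
            AllowLocalIPsecRules    = $merge     # "Apply local connection security rules"
            LogBlocked              = 'True'
            LogAllowed              = 'True'
            LogMaxSizeKilobytes     = '32767'
        }
        foreach ($name in $checks.Keys) {
            $actual = "$($p.$name)"
            [pscustomobject]@{
                Profile   = $p.Name
                Setting   = $name
                Expected  = $checks[$name]
                Actual    = $actual
                Compliant = ($actual -eq $checks[$name])
            }
        }
    }
}

# Only the deviations, i.e. what the GPO should be correcting:
$drift = Test-FirewallBaseline | Where-Object { -not $_.Compliant }
$drift | Format-Table -AutoSize
```

An empty result means all three profiles match the baseline; each row otherwise names the profile, the setting and the value that needs correcting via GPO.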

List rules allowing inbound Any source (risk review)

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Get-NetFirewallAddressFilter |
  Where-Object { $_.RemoteAddress -eq "Any" } |
  Get-NetFirewallRule |
  Select-Object DisplayName, Profile, Group

Review the output and determine if each rule has a legitimate business justification.


  • Windows Defender Firewall with Advanced Security (WFAS) Overview
  • GPO Baseline Templates
  • WinRM & Remote Management Configuration
  • Network Segmentation and VLAN Strategy

Last reviewed: April 2026 | Applies to: Windows Server 2019, 2022, 2025 / Windows 10, 11